mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 13:23:36 +00:00
Acrolinx Enhancement Effort
This commit is contained in:
Siddarth Mandalika
@ -89,12 +89,12 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure
|
||||
Accounts that can sign in to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is reduced by the fact that only users with administrative rights can install and configure
|
||||
services, and an attacker who already has that level of access could configure the service to run by using the System account.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
We recommend that you don't assign the **Deny log on as a service** user right to any accounts. This configuration is the default. Organizations that have strong concerns about security might assign this user right to groups and accounts when they're certain that they'll never need to log on to a service application.
|
||||
We recommend that you don't assign the **Deny log on as a service** user right to any accounts. This configuration is the default. Organizations that have strong concerns about security might assign this user right to groups and accounts when they're certain that they'll never need to sign in to a service application.
|
||||
|
||||
### Potential impact
|
||||
|
||||
|
||||
@ -62,11 +62,11 @@ The following table lists the actual and effective default policy values for the
|
||||
|
||||
This section describes features, tools, and guidance to help you manage this policy.
|
||||
|
||||
A restart of the device is not required for this policy setting to be effective.
|
||||
A restart of the device isn't required for this policy setting to be effective.
|
||||
|
||||
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
||||
|
||||
If you apply this policy setting to the Everyone group, no one will be able to log on locally.
|
||||
If you apply this policy setting to the Everyone group, no one will be able to sign in locally.
|
||||
|
||||
### Group Policy
|
||||
|
||||
@ -87,15 +87,15 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
Any account with the ability to log on locally could be used to log on at the console of the device. If this user right is not restricted to legitimate users who must log on to the console of the device, unauthorized users might download and run malicious software that elevates their user rights.
|
||||
Any account with the ability to sign in locally could be used to sign in at the console of the device. If this user right isn't restricted to legitimate users who must sign in to the console of the device, unauthorized users might download and run malicious software that elevates their user rights.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
Assign the **Deny log on locally** user right to the local Guest account. If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components.
|
||||
Assign the **Deny log on locally** user right to the local Guest account. If you have installed optional components such as ASP.NET, you may want to assign this user right to other accounts that are required by those components.
|
||||
|
||||
### Potential impact
|
||||
|
||||
If you assign the **Deny log on locally** user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on device that are configured with the Web Server role. You should confirm that delegated activities are not adversely affected.
|
||||
If you assign the **Deny log on locally** user right to other accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on devices that are configured with the Web Server role. You should confirm that delegated activities aren't adversely affected.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security
|
||||
|
||||
## Reference
|
||||
|
||||
This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It is possible for a user to establish a Remote Desktop connection to a particular server, but not be able to log on to the console of that server.
|
||||
This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It's possible for a user to establish a Remote Desktop connection to a particular server, but not be able to sign in to the console of that server.
|
||||
|
||||
Constant: SeDenyRemoteInteractiveLogonRight
|
||||
|
||||
@ -38,7 +38,7 @@ Constant: SeDenyRemoteInteractiveLogonRight
|
||||
|
||||
### Best practices
|
||||
|
||||
- To control who can open a Remote Desktop connection and log on to the device, add the user account to or remove user accounts from the Remote Desktop Users group.
|
||||
- To control who can open a Remote Desktop connection and sign in to the device, add the user account to or remove user accounts from the Remote Desktop Users group.
|
||||
|
||||
### Location
|
||||
|
||||
@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values for the
|
||||
|
||||
This section describes features, tools, and guidance to help you manage this policy.
|
||||
|
||||
A restart of the computer is not required for this policy setting to be effective.
|
||||
A restart of the computer isn't required for this policy setting to be effective.
|
||||
|
||||
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
||||
|
||||
@ -86,15 +86,15 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
Any account with the right to log on through Remote Desktop Services could be used to log on to the remote console of the device. If this user right is not restricted to legitimate users who need to log on to the console of the computer, malicious users might download and run software that elevates their user rights.
|
||||
Any account with the right to sign in through Remote Desktop Services could be used to sign in to the remote console of the device. If this user right isn't restricted to legitimate users who need to sign in to the console of the computer, malicious users might download and run software that elevates their user rights.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
Assign the **Deny log on through Remote Desktop Services** user right to the built-in local guest account and all service accounts. If you have installed optional components, such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components.
|
||||
Assign the **Deny log on through Remote Desktop Services** user right to the built-in local guest account and all service accounts. If you have installed optional components, such as ASP.NET, you may want to assign this user right to other accounts that are required by those components.
|
||||
|
||||
### Potential impact
|
||||
|
||||
If you assign the **Deny log on through Remote Desktop Services** user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right cannot connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks are not negatively affected.
|
||||
If you assign the **Deny log on through Remote Desktop Services** user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right can't connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks aren't negatively affected.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Devices Allow undock without having to log on (Windows 10)
|
||||
description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to log on security policy setting.
|
||||
title: Devices Allow undock without having to sign in (Windows 10)
|
||||
description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to sign in security policy setting.
|
||||
ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
@ -18,7 +18,7 @@ ms.date: 04/19/2017
|
||||
ms.technology: windows-sec
|
||||
---
|
||||
|
||||
# Devices: Allow undock without having to log on
|
||||
# Devices: Allow undock without having to sign in
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
@ -27,11 +27,11 @@ Describes the best practices, location, values, and security considerations for
|
||||
|
||||
## Reference
|
||||
|
||||
This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must log on to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission.
|
||||
This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must sign in to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission.
|
||||
|
||||
>**Note:** Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality.
|
||||
|
||||
Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that do not have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices
|
||||
Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that don't have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices
|
||||
|
||||
### Possible values
|
||||
|
||||
@ -41,7 +41,7 @@ Enabling this policy setting means that anyone with physical access to a device
|
||||
|
||||
### Best practices
|
||||
|
||||
It is advisable to disable the **Devices: Allow undock without having to log on** policy setting. Users who have docked their devices will have to log on to the local console before they can undock their systems.
|
||||
It's advisable to disable the **Devices: Allow undock without having to log on** policy setting. Users who have docked their devices will have to sign in to the local console before they can undock their systems.
|
||||
|
||||
### Location
|
||||
|
||||
@ -66,7 +66,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
## Security considerations
|
||||
|
||||
@ -81,7 +81,7 @@ If this policy setting is enabled, anyone with physical access to portable compu
|
||||
Disable the **Devices: Allow undock without having to log on** setting.
|
||||
### Potential impact
|
||||
|
||||
Users who have docked their device must log on to the local console before they can undock their computers. For devices that do not have docking stations, this policy setting has no impact.
|
||||
Users who have docked their device must sign in to the local console before they can undock their computers. For devices that don't have docking stations, this policy setting has no impact.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -40,7 +40,7 @@ Users can move removable disks to a different device where they have administrat
|
||||
|
||||
### Best practices
|
||||
|
||||
- It is advisable to set **Allowed to format and eject removable media** to **Administrators**. Only administrators will be able to eject NTFS-formatted removable media.
|
||||
- It's advisable to set **Allowed to format and eject removable media** to **Administrators**. Only administrators will be able to eject NTFS-formatted removable media.
|
||||
|
||||
### Location
|
||||
|
||||
@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
## Security considerations
|
||||
|
||||
|
||||
@ -29,9 +29,9 @@ Describes the best practices, location, values, and security considerations for
|
||||
|
||||
For a device to print to a network printer, the driver for that network printer must be installed locally. The **Devices: Prevent users from installing printer drivers** policy setting determines who can install a printer driver as part of adding a network printer. When you set the value to **Enabled**, only Administrators and Power Users can install a printer driver as part of adding a network printer. Setting the value to **Disabled** allows any user to install a printer driver as part of adding a network printer. This setting prevents unprivileged users from downloading and installing an untrusted printer driver.
|
||||
|
||||
This setting has no impact if you have configured a trusted path for downloading drivers. When using trusted paths, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver is not installed and the network printer is not added.
|
||||
This setting has no impact if you've configured a trusted path for downloading drivers. If trusted paths are being used, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver isn't installed and the network printer isn't added.
|
||||
|
||||
Although it might be appropriate in some organizations to allow users to install printer drivers on their own workstations, this is not suitable for servers. Installing a printer driver on a server can cause the system to become less stable. Only administrators should have this user right on servers. A malicious user might deliberately try to damage the system by installing inappropriate printer drivers.
|
||||
Although it might be appropriate in some organizations to allow users to install printer drivers on their own workstations, this idea isn't suitable for servers. Installing a printer driver on a server can cause the system to become less stable. Only administrators should have this user right on servers. A malicious user might deliberately try to damage the system by installing inappropriate printer drivers.
|
||||
|
||||
### Possible values
|
||||
|
||||
@ -41,7 +41,7 @@ Although it might be appropriate in some organizations to allow users to install
|
||||
|
||||
### Best practices
|
||||
|
||||
- It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer.
|
||||
- It's advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting doesn't affect a user's ability to add a local printer.
|
||||
|
||||
> [!NOTE]
|
||||
> After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server.
|
||||
@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
## Security considerations
|
||||
|
||||
|
||||
@ -29,9 +29,9 @@ Describes the best practices, location, values, and security considerations for
|
||||
|
||||
This policy setting determines whether a CD is accessible to local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable CDs. If this policy setting is enabled and no one is logged on interactively, the CD can be accessed over the network.
|
||||
|
||||
The security benefit of enabling this policy setting is small because it only prevents network users from accessing the drive when someone is logged on to the local console of the system at the same time. Additionally, CD drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This is important when administrators are installing software or copying data from a CD-ROM, and they do not want network users to be able to execute the applications or view the data.
|
||||
The security benefit of enabling this policy setting is small because it only prevents network users from accessing the drive when someone is logged on to the local console of the system at the same time. Additionally, CD drives aren't automatically made available as network shared drives; you must deliberately choose to share the drive. This setting to share is important when administrators are installing software or copying data from a CD-ROM, and they don't want network users to be able to execute the applications or view the data.
|
||||
|
||||
If this policy setting is enabled, users who connect to the server over the network will not be able to use any CD drives that are installed on the server when anyone is logged on to the local console of the server. Enabling this policy setting is not suitable for a system that serves as a CD jukebox for network users.
|
||||
If this policy setting is enabled, users who connect to the server over the network won't be able to use any CD drives that are installed on the server when anyone is logged on to the local console of the server. Enabling this policy setting isn't suitable for a system that serves as a CD jukebox for network users.
|
||||
|
||||
### Possible values
|
||||
|
||||
@ -67,7 +67,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
## Security considerations
|
||||
|
||||
@ -75,14 +75,14 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives are not automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run
|
||||
A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives aren't automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run
|
||||
applications from removable media on the server.
|
||||
|
||||
### Countermeasure
|
||||
Enable the **Devices: Restrict CD-ROM drive access to locally logged-on user only** setting.
|
||||
|
||||
### Potential impact
|
||||
Users who connect to the server over the network cannot use any CD drives that are installed on the server when anyone is logged on to the local console of the server. System tools that require access to the CD drive will fail. For example, the Volume Shadow Copy service attempts to access all CD and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. This policy setting would not be suitable for a computer that serves as a CD jukebox for network users.
|
||||
Users who connect to the server over the network can't use any CD drives that are installed on the server when anyone is logged on to the local console of the server. System tools that require access to the CD drive will fail. For example, the Volume Shadow Copy service attempts to access all CD and floppy disk drives that are present on the computer when it initializes, and if the service can't access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. This policy setting wouldn't be suitable for a computer that serves as a CD jukebox for network users.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -29,9 +29,9 @@ Describes the best practices, location, values, and security considerations for
|
||||
|
||||
This policy setting determines whether removable floppy disks are accessible to local and remote users simultaneously. Enabling this policy setting allows only the interactively logged-on user to access removable floppy disks. If this policy setting is enabled and no one is logged on interactively, the floppy disk can be accessed over the network.
|
||||
|
||||
The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This becomes important when you are installing software or copying data from a floppy disk and they do not want network users to be able to execute the applications or view the data.
|
||||
The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives aren't automatically made available as network shared drives; you must deliberately choose to share the drive. This setting to share becomes important when you're installing software or copying data from a floppy disk and they don't want network users to be able to execute the applications or view the data.
|
||||
|
||||
If this policy setting is enabled, users who connect to the server over the network will not be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server.
|
||||
If this policy setting is enabled, users who connect to the server over the network won't be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server.
|
||||
|
||||
### Possible values
|
||||
|
||||
@ -66,7 +66,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
## Security considerations
|
||||
|
||||
@ -74,7 +74,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives are not automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server.
|
||||
A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives aren't automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
@ -82,7 +82,7 @@ Enable the **Devices: Restrict floppy access to locally logged-on user only** se
|
||||
|
||||
### Potential impact
|
||||
|
||||
Users who connect to the server over the network cannot use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail.
|
||||
Users who connect to the server over the network can't use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service can't access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -27,13 +27,13 @@ Describes the best practices, location, values, and security considerations for
|
||||
|
||||
## Reference
|
||||
|
||||
This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account.
|
||||
This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators through the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account.
|
||||
|
||||
>**Note:** This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool.
|
||||
|
||||
Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is the Local System account. This means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group.
|
||||
Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is, the Local System account. This synchronization with the local account means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group.
|
||||
|
||||
The impact of enabling this policy setting should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job.
|
||||
The impact of enabling this policy setting should be small for most organizations. Users, including those users in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job.
|
||||
|
||||
### Possible values
|
||||
|
||||
@ -68,7 +68,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
### Command-line tools
|
||||
|
||||
@ -88,7 +88,7 @@ Disable the **Domain controller: Allow server operators to schedule tasks** sett
|
||||
|
||||
### Potential impact
|
||||
|
||||
The impact should be small for most organizations. Users (including those in the Server Operators group) can still create jobs by means of the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job.
|
||||
The impact should be small for most organizations. Users (including those users in the Server Operators group) can still create jobs through the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -29,9 +29,9 @@ This article describes the best practices, location, values, and security consid
|
||||
|
||||
This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing.
|
||||
|
||||
Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult.
|
||||
Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the example of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult.
|
||||
|
||||
This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636).
|
||||
This setting doesn't have any impact on LDAP simple bind through SSL (LDAP TCP/636).
|
||||
|
||||
If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389).
|
||||
|
||||
@ -39,13 +39,13 @@ If signing is required, then LDAP simple binds not using SSL are rejected (LDAP
|
||||
|
||||
### Possible values
|
||||
|
||||
- None. Data signatures are not required to bind with the server. If the client computer requests data signing, the server supports it.
|
||||
- None. Data signatures aren't required to bind with the server. If the client computer requests data signing, the server supports it.
|
||||
- Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use.
|
||||
- Not defined.
|
||||
|
||||
### Best practices
|
||||
|
||||
- We recommend that you set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers.
|
||||
- We recommend that you set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that don't support LDAP signing will be unable to execute LDAP queries against the domain controllers.
|
||||
|
||||
### Location
|
||||
|
||||
@ -70,7 +70,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
## Security considerations
|
||||
|
||||
@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult.
|
||||
Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Regarding LDAP servers, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
@ -86,7 +86,7 @@ Configure the **Domain controller: LDAP server signing requirements** setting to
|
||||
|
||||
### Potential impact
|
||||
|
||||
Client devices that do not support LDAP signing cannot run LDAP queries against the domain controllers.
|
||||
Client devices that don't support LDAP signing can't run LDAP queries against the domain controllers.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -30,7 +30,7 @@ This policy setting enables or disables blocking a domain controller from accept
|
||||
|
||||
### Possible values
|
||||
|
||||
- **Enabled** When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password.
|
||||
- **Enabled** When enabled, this setting doesn't allow a domain controller to accept any changes to a machine account's password.
|
||||
|
||||
- **Disabled** When disabled, this setting allows a domain controller to accept any changes to a machine account's password.
|
||||
|
||||
@ -38,7 +38,7 @@ This policy setting enables or disables blocking a domain controller from accept
|
||||
|
||||
### Best practices
|
||||
|
||||
- Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This, in turn, leaves those passwords susceptible to attack. Make sure that this conforms to your overall security policy for the domain.
|
||||
- Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This prevention, in turn, leaves those passwords susceptible to attack. Ensure that this setting conforms to your overall security policy for the domain.
|
||||
|
||||
### Location
|
||||
|
||||
@ -70,7 +70,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
## Security considerations
|
||||
|
||||
@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
If you enable this policy setting on all domain controllers in a domain, domain members cannot change their machine account passwords, and those passwords are more susceptible to attack.
|
||||
If you enable this policy setting on all domain controllers in a domain, domain members can't change their machine account passwords, and those passwords are more susceptible to attack.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
@ -86,7 +86,7 @@ Disable the **Domain controller: Refuse machine account password changes** setti
|
||||
|
||||
### Potential impact
|
||||
|
||||
None. This is the default configuration.
|
||||
None. This non-impact state is the default configuration.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -27,30 +27,29 @@ Describes the best practices, location, values, and security considerations for
|
||||
|
||||
## Reference
|
||||
|
||||
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is
|
||||
transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
|
||||
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Sign-in information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
|
||||
|
||||
The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic:
|
||||
The following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic:
|
||||
|
||||
- Domain member: Digitally encrypt or sign secure channel data (always)
|
||||
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
|
||||
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
|
||||
|
||||
Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
|
||||
Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that can't sign or encrypt all secure channel data.
|
||||
|
||||
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows that has joined a domain to have access to the user account database in its domain and in any trusted domains.
|
||||
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This authentication is called pass-through authentication, and it allows a device running Windows that has joined a domain to have access to the user account database in its domain and in any trusted domains.
|
||||
|
||||
To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data.
|
||||
|
||||
Enabling the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting automatically enables the [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) policy setting.
|
||||
|
||||
When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
|
||||
When a device joins a domain, a machine account is created. After being connected to the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel isn't checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel can't be established with a domain controller that isn't capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
|
||||
|
||||
### Possible values
|
||||
|
||||
- Enabled
|
||||
|
||||
The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure
|
||||
The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This enablement ensures that the domain member attempts to negotiate at least signing of the secure
|
||||
channel traffic.
|
||||
|
||||
- Disabled
|
||||
@ -92,7 +91,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
### Group Policy
|
||||
|
||||
@ -104,8 +103,8 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and
|
||||
sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
|
||||
When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and
|
||||
sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
@ -117,7 +116,7 @@ Select one of the following settings as appropriate for your environment to conf
|
||||
|
||||
### Potential impact
|
||||
|
||||
Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller.
|
||||
Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they're sent to the domain controller.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -27,31 +27,31 @@ Describes the best practices, location, values, and security considerations for
|
||||
|
||||
## Reference
|
||||
|
||||
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over
|
||||
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Sign-in information that is transmitted over
|
||||
the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
|
||||
|
||||
In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic:
|
||||
In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic:
|
||||
|
||||
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
|
||||
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
|
||||
|
||||
Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
|
||||
Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that can't sign or encrypt all secure channel data.
|
||||
|
||||
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains.
|
||||
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This authentication is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains.
|
||||
|
||||
Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting.
|
||||
|
||||
When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
|
||||
When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel isn't checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel can't be established with a domain controller that isn't capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
|
||||
|
||||
### Possible values
|
||||
|
||||
- Enabled
|
||||
|
||||
The domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information that is transmitted over the secure channel will be encrypted.
|
||||
The domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only sign-in information that is transmitted over the secure channel will be encrypted.
|
||||
|
||||
- Disabled
|
||||
|
||||
The domain member will not attempt to negotiate secure channel encryption.
|
||||
The domain member won't attempt to negotiate secure channel encryption.
|
||||
|
||||
>**Note:** If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten.
|
||||
|
||||
@ -86,11 +86,11 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
### Group Policy
|
||||
|
||||
Distribution of this policy through Group Policy does not override the Local Security Policy setting.
|
||||
Distribution of this policy through Group Policy doesn't override the Local Security Policy setting.
|
||||
|
||||
## Security considerations
|
||||
|
||||
@ -98,7 +98,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
|
||||
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
@ -110,7 +110,7 @@ Select one of the following settings as appropriate for your environment to conf
|
||||
|
||||
### Potential impact
|
||||
|
||||
Digital signing of the secure channel is a good idea because it protects domain credentials as they are sent to the domain controller.
|
||||
Digital signing of the secure channel is a good idea because it protects domain credentials as they're sent to the domain controller.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -27,30 +27,30 @@ Describes the best practices, location, values, and security considerations for
|
||||
|
||||
## Reference
|
||||
|
||||
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the
|
||||
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Sign-in information that is transmitted over the
|
||||
secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
|
||||
|
||||
The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic:
|
||||
The following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic:
|
||||
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
|
||||
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
|
||||
- Domain member: Digitally sign secure channel data (when possible)
|
||||
|
||||
Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
|
||||
Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that can't sign or encrypt all secure channel data.
|
||||
|
||||
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains.
|
||||
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This authentication is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains.
|
||||
|
||||
Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting.
|
||||
When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
|
||||
When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel isn't checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel can't be established with a domain controller that isn't capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
|
||||
|
||||
### Possible values
|
||||
|
||||
- Enabled
|
||||
|
||||
The domain member will request signing of all secure channel traffic. If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
|
||||
The domain member will request to sign all secure channel traffic. If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it can't be tampered with in transit.
|
||||
|
||||
- Disabled
|
||||
|
||||
Signing will not be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled.
|
||||
Signing won't be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled.
|
||||
|
||||
- Not defined
|
||||
|
||||
@ -84,11 +84,11 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
### Group Policy
|
||||
|
||||
Distribution of this policy through Group Policy does not override the Local Security Policy setting.
|
||||
Distribution of this policy through Group Policy doesn't override the Local Security Policy setting.
|
||||
|
||||
## Security considerations
|
||||
|
||||
@ -96,7 +96,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
|
||||
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
@ -108,7 +108,7 @@ Because these policies are closely related and useful depending on your environm
|
||||
|
||||
### Potential impact
|
||||
|
||||
Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller.
|
||||
Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they're sent to the domain controller.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -39,12 +39,12 @@ Verify that the **Domain member: Disable machine account password changes** opti
|
||||
|
||||
### Best practices
|
||||
|
||||
1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions.
|
||||
2. Do not use this policy setting to try to support dual-boot scenarios that use the same machine account. If you want to configure dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to help organizations that stockpile pre-built computers that are put into production months later. Those devices do not have to be rejoined to the domain.
|
||||
3. You may want to consider using this policy setting in specific environments, such as the following:
|
||||
1. Don't enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it's established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions.
|
||||
2. Don't use this policy setting to try to support dual-boot scenarios that use the same machine account. If you want to configure dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to help organizations that stockpile pre-built computers that are put into production months later. Those devices don't have to be rejoined to the domain.
|
||||
3. You may want to consider using this policy setting in specific environments, such as the following ones:
|
||||
|
||||
- Non-persistent Virtual Desktop Infrastructure implementations. In such implementations, each session starts from a read-only base image.
|
||||
- Embedded devices that do not have write access to the OS volume.
|
||||
- Embedded devices that don't have write access to the OS volume.
|
||||
|
||||
In either case, a password change that was made during normal operations would be lost as soon as the session ends. We strongly recommend that you plan password changes for maintenance windows. Add the password changes to the updates and modifications that Windows performs during maintenance windows. To trigger a password update on a specific OS volume, run the following command:
|
||||
|
||||
@ -77,7 +77,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
## Security considerations
|
||||
|
||||
@ -86,7 +86,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
### Vulnerability
|
||||
|
||||
By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices
|
||||
that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account.
|
||||
that can't automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
@ -94,7 +94,7 @@ Verify that the **Domain member: Disable machine account password changes** sett
|
||||
|
||||
### Potential impact
|
||||
|
||||
None. This is the default configuration.
|
||||
None. This non-impact state is the default configuration.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
Reference in New Issue
Block a user