From 75f4a11d13bc3666633990f3fae5fdcf9c4a461c Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Wed, 29 Jun 2016 15:48:33 -0700 Subject: [PATCH] removd or replaced old links, made sm chgs --- .../keep-secure/active-directory-accounts.md | 18 +++----- .../active-directory-security-groups.md | 42 +++++++------------ windows/keep-secure/dynamic-access-control.md | 12 +----- windows/keep-secure/local-accounts.md | 20 +++------ windows/keep-secure/service-accounts.md | 2 +- windows/keep-secure/special-identities.md | 17 ++------ 6 files changed, 33 insertions(+), 78 deletions(-) diff --git a/windows/keep-secure/active-directory-accounts.md b/windows/keep-secure/active-directory-accounts.md index 6594344d4d..a2e70e8f58 100644 --- a/windows/keep-secure/active-directory-accounts.md +++ b/windows/keep-secure/active-directory-accounts.md 
@@ -68,7 +68,7 @@ In Active Directory, default local accounts are used by administrators to manage Each default local account is automatically assigned to a security group that is preconfigured with the appropriate rights and permissions to perform specific tasks. Active Directory security groups collect user accounts, computer accounts, and other groups into manageable units. For more information, see [Active Directory Security Groups](active-directory-security-groups.md). -On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals Technical Overview](security-principals.md). +On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals](security-principals.md). A security principal is represented by a unique security identifier (SID).The SIDs that are related to each of the default local accounts in Active Directory are described in the sections below. 
@@ -571,7 +571,7 @@ If the administrators in your environment can sign in locally to managed servers - **Better**. Do not grant administrators membership in the local Administrator group on the computer in order to restrict the administrator from bypassing these protections. -- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker Overview](http://technet.microsoft.com/library/hh831440.aspx). +- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](applocker-overview.md). The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings. 
@@ -584,7 +584,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s 2. Create computer accounts for the new workstations. - > **Note**  You might have to delegate permissions to join the domain by using [KB 932455](http://support.microsoft.com/kb/932455) if the account that joins the workstations to the domain does not already have permissions to join computers to the domain. + > **Note**  You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx). ![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif) @@ -846,14 +846,6 @@ In addition, installed applications and management agents on domain controllers ## See also +- [Security Principals](security-principals.md) -[Security Principals Technical Overview](security-principals.md) - - -  - -  - - - - +- [Access Control Overview](access-control.md) diff --git a/windows/keep-secure/active-directory-security-groups.md b/windows/keep-secure/active-directory-security-groups.md index 195b7371a2..630308945a 100644 --- a/windows/keep-secure/active-directory-security-groups.md +++ b/windows/keep-secure/active-directory-security-groups.md 
@@ -986,7 +986,7 @@ This security group has not changed since Windows Server 2008. Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group). -For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](https://technet.microsoft.com/en-us/library/hh831734.aspx). +For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](https://technet.microsoft.com/library/hh831734.aspx). This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. @@ -1302,7 +1302,7 @@ This security group has not changed since Windows Server 2008. Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. -For information about other means to secure the DNS server service, see [Securing the DNS Server Service](http://technet.microsoft.com/library/cc731367.aspx). +For more information about security and DNS, see [DNSSEC in Windows Server 2012](https://technet.microsoft.com/library/dn593694(v=ws.11).aspx). This security group has not changed since Windows Server 2008. 
@@ -1742,7 +1742,7 @@ Members of this group are Read-Only Domain Controllers in the enterprise. Except Read-only domain controllers address some of the issues that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it. -For more information, see [AD DS: Read-Only Domain Controllers](http://technet.microsoft.com/library/cc732801.aspx). +For more information, see [What Is an RODC?](https://technet.microsoft.com/library/cc771030.aspx). The Enterprise Read-Only Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). @@ -1866,7 +1866,7 @@ This security group has not changed since Windows Server 2008. This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator. -For information about other features you can use with this security group, see [Group Policy Planning and Deployment Guide](http://technet.microsoft.com/library/cc754948.aspx). +For information about other features you can use with this security group, see [Group Policy Overview](https://technet.microsoft.com/library/hh831791.aspx). The Group Policy Creators Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). 
@@ -2525,7 +2525,7 @@ This group has no default members. Because members of this group can load and un The Print Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). -This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assigning Delegated Print Administrator and Printer Permission Settings in Windows Server 2008 R2](http://technet.microsoft.com/library/ee524015(WS.10).aspx). +This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assign Delegated Print Administrator and Printer Permission Settings in Windows Server 2012](https://technet.microsoft.com/library/jj190062(v=ws.11).aspx). @@ -2602,7 +2602,7 @@ Depending on the account’s domain functional level, members of the Protected U The Protected Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). -This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](https://technet.microsoft.com/en-us/library/dn466518.aspx). +This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](https://technet.microsoft.com/library/dn466518.aspx). The following table specifies the properties of the Protected Users group. 
@@ -2724,7 +2724,7 @@ This security group has not changed since Windows Server 2008. Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group. -For information about Remote Desktop Services, see [Remote Desktop Services Design Guide](http://technet.microsoft.com/library/gg750997.aspx). +For information about Remote Desktop Services, see [Host desktops and apps in Remote Desktop Services](https://technet.microsoft.com/library/mt718499.aspx). This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. @@ -2844,7 +2844,7 @@ This security group was introduced in Windows Server 2012, and it has not chang Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group. -For information about RemoteApp programs, see [Overview of RemoteApp](http://technet.microsoft.com/library/cc755055.aspx) +For more information, see [Host desktops and apps in Remote Desktop Services](https://technet.microsoft.com/library/mt718499.aspx). This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. 
@@ -2978,7 +2978,7 @@ Because administration of a Read-only domain controller can be delegated to a do - Read-only Domain Name System (DNS) -For information about deploying a Read-only domain controller, see [Read-Only Domain Controllers Step-by-Step Guide](http://technet.microsoft.com/library/cc772234.aspx). +For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx). This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions. @@ -3041,7 +3041,7 @@ Members of the Remote Management Users group can access WMI resources over manag The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the [WinRMRemoteWMIUsers\_](#bkmk-winrmremotewmiusers-) group is allows remotely running Windows PowerShell commands. -For more information, see [WS-Management Protocol (Windows)](http://msdn.microsoft.com/library/aa384470.aspx) and [About WMI (Windows)](http://msdn.microsoft.com/library/aa384642.aspx). +For more information, see [What's New in MI?](https://msdn.microsoft.com/library/jj819828(v=vs.85).aspx) and [About WMI](http://msdn.microsoft.com/library/aa384642.aspx). This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. 
@@ -3105,9 +3105,10 @@ Computers that are members of the Replicator group support file replication in a **Important**   In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers. -However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows).](http://msdn.microsoft.com/library/windows/desktop/ff384840.aspx) +However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see: -  +- [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)](http://msdn.microsoft.com/library/windows/desktop/ff384840.aspx) +- [DFS Namespaces and DFS Replication Overview](https://technet.microsoft.com/library/jj127250(v=ws.11).aspx) This security group has not changed since Windows Server 2008. @@ -3581,21 +3582,10 @@ This security group was introduced in Windows Server 2012, and it has not chang
-  - ## See also +- [Security Principals](security-principals.md) -[Security Principals Technical Overview](security-principals.md) - - -[Special Identities](special-identities.md) - - -  - -  - - - +- [Special Identities](special-identities.md) +- [Access Control Overview](access-control.md) diff --git a/windows/keep-secure/dynamic-access-control.md b/windows/keep-secure/dynamic-access-control.md index c3cdcb2c32..195f566716 100644 --- a/windows/keep-secure/dynamic-access-control.md +++ b/windows/keep-secure/dynamic-access-control.md @@ -134,14 +134,6 @@ If claims are transformed when they leave a forest, all domain controllers in th A file server running Windows Server 2012 or Windows Server 2012 R2 must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server. -## Additional resource - -[Access control overview](access-control.md) - -  - -  - - - +## See also +- [Access control overview](access-control.md) diff --git a/windows/keep-secure/local-accounts.md b/windows/keep-secure/local-accounts.md index 3507e2b4cb..8497689ccc 100644 --- a/windows/keep-secure/local-accounts.md +++ b/windows/keep-secure/local-accounts.md 
@@ -48,7 +48,7 @@ This topic describes the following: - [Create unique passwords for local accounts with administrative rights](#sec-create-unique-passwords) -For information about security principals, see [Security Principals Technical Overview](security-principals.md). +For information about security principals, see [Security Principals](security-principals.md). ## Default local user accounts @@ -99,7 +99,7 @@ As a security best practice, use your local (non-Administrator) account to sign In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers. -In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](http://technet.microsoft.com/library/hh831791.aspx) and [Group Policy](http://technet.microsoft.com/windowsserver/bb310732.aspx). +In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](http://technet.microsoft.com/library/hh831791.aspx). **Note**   Blank passwords are not allowed in the versions designated in the **Applies To** list at the beginning of this topic. 
@@ -141,7 +141,7 @@ The security identifiers (SIDs) that pertain to the default HelpAssistant accoun For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used. -In comparison, for the Windows client operating system, the HelpAssistant account is enabled on installation by default. For more information about remote desktop connections for those client operating systems designated in the **Applies To** list at the beginning of this topic, see [Enable Remote Desktop](http://technet.microsoft.com/library/dd744299.aspx). +In comparison, for the Windows client operating system, the HelpAssistant account is enabled on installation by default. ## Default local system accounts @@ -200,7 +200,7 @@ In addition, UAC can require administrators to specifically approve applications For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but with the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration. -For summary information about UAC, see [User Account Control](http://technet.microsoft.com/library/cc731416.aspx). For detailed information about special conditions when you use UAC, see [User Account Control](http://technet.microsoft.com/library/cc772207.aspx). +For more information about UAC, see [User Account Control](user-account-control-overview.md). The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access. 
@@ -498,16 +498,8 @@ Passwords can be randomized by: The following resources provide additional information about technologies that are related to local accounts. -- [Security Principals Technical Overview](security-principals.md) +- [Security Principals](security-principals.md) -- [Security Identifiers Technical Overview](security-identifiers.md) +- [Security Identifiers](security-identifiers.md) - [Access Control Overview](access-control.md) - -  - -  - - - - diff --git a/windows/keep-secure/service-accounts.md b/windows/keep-secure/service-accounts.md index 76eb1d041b..e326562c98 100644 --- a/windows/keep-secure/service-accounts.md +++ b/windows/keep-secure/service-accounts.md @@ -106,4 +106,4 @@ The following table provides links to additional resources that are related to s |---------------|-------------| | **Product evaluation** | [What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx)
[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx) | | **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) | -| **Related technologies** | [Security Principals Technical Overview](security-principals.md)
[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) | \ No newline at end of file +| **Related technologies** | [Security Principals](security-principals.md)
[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) | \ No newline at end of file diff --git a/windows/keep-secure/special-identities.md b/windows/keep-secure/special-identities.md index 69c4ad8674..2e3aa71e3e 100644 --- a/windows/keep-secure/special-identities.md +++ b/windows/keep-secure/special-identities.md @@ -1002,21 +1002,10 @@ Any user accessing the system through Terminal Services has the Terminal Server -  - ## See also +- [Active Directory Security Groups](active-directory-security-groups.md) -[Active Directory Security Groups](active-directory-security-groups.md) - - -[Security Principals Technical Overview](security-principals.md) - - -  - -  - - - +- [Security Principals](security-principals.md) +- [Access Control Overview](access-control.md) \ No newline at end of file
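Review bot: the replacement for the KB 932455 link in the @@ -584 hunk of active-directory-accounts.md points to a community-maintained TechNet wiki article rather than a supported KB article, and the old KB described the specific permission delegation needed to join computers to the domain. Before merging, confirm the wiki target actually covers delegating the join-computer right, or link the current supported topic on that delegation; if the wiki is intentional, say so in the commit message.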
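Review bot: in the @@ -1302 hunk of active-directory-security-groups.md, "Securing the DNS Server Service" is replaced by a link to "DNSSEC in Windows Server 2012", which is a different subject: DNSSEC signs zone data so resolvers can validate responses, while the DNSAdmins paragraph is about who can administer the DNS Server service and what permissions that membership grants. The new wording "For more information about security and DNS" papers over that difference. Suggest either locating the current equivalent of the service-hardening topic or rewording the sentence so the reader is not led to treat DNSSEC as the guidance for restricting DNSAdmins privileges.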
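Review bot: in the @@ -2525 hunk, the sentence still says the functionality was added "in Windows Server 2008 R2", but the link now points to the Windows Server 2012 version of the topic ("Assign Delegated Print Administrator and Printer Permission Settings in Windows Server 2012"). Either adjust the sentence to match the linked version or keep the wording and note that the 2012 article is the current edition of the 2008 R2 guidance.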
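Review bot: in the @@ -3041 hunk, "WS-Management Protocol (Windows)" is swapped for "What's New in MI?", which is a what's-new page for Management Infrastructure rather than a reference for the WS-Management protocol that the Remote Management Users group relies on; a WS-Management or WinRM reference would serve the paragraph better. Two smaller points in the same hunk: the retained "About WMI" link stays on http while the new link uses https, and the unchanged context line "group is allows remotely running Windows PowerShell commands" has a typo ("is allows") worth fixing while this paragraph is being touched.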
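Review bot: in the @@ -99 hunk of local-accounts.md the retained Group Policy Overview link stays on http://technet.microsoft.com/library/hh831791.aspx, while the same target in the @@ -1866 hunk of active-directory-security-groups.md is changed to https://technet.microsoft.com/library/hh831791.aspx; pick one scheme for both so the two topics do not drift apart.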
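Review bot: in the @@ -141 hunk of local-accounts.md the "Enable Remote Desktop" link is dropped rather than replaced, so the paragraph loses its only pointer to remote desktop guidance for the client operating systems in the Applies To list. If no current equivalent exists that is acceptable, but the commit message says links were replaced; suggest either linking the current Remote Desktop topic or stating in the commit message that this pointer was removed deliberately.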
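Review bot: in the @@ -200 hunk of local-accounts.md, two UAC links (the summary and the "special conditions when you use UAC" topic) are collapsed into a single link to user-account-control-overview.md. The paragraph above describes a specific behaviour (a local account signing in with Network logon receives a standard user token and cannot reach C$ or ADMIN$), so confirm that user-account-control-overview.md covers that remote-logon case; otherwise the reader loses the detailed reference the sentence used to provide.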
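Review bot: the @@ -106 hunk of service-accounts.md and the @@ -1002 hunk of special-identities.md both still end with "\ No newline at end of file" after this change; since both files are being edited anyway, adding the trailing newline now would avoid noisy diffs on the next edit to those files.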