From 8260d535de2858544e6cae3c5ef8c919c25a04ef Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 4 Dec 2019 15:45:32 -0500 Subject: [PATCH] fixed missing headlines in 4 items --- .../client-management/img-boot-sequence.md | 6 ++--- .../additional-mitigations.md | 22 +++++++++---------- .../machineactionsnote.md | 2 ++ .../microsoft-defender-atp/prerelease.md | 2 ++ 4 files changed, 18 insertions(+), 14 deletions(-) diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md index e0d86a8a23..dbcd186131 100644 --- a/windows/client-management/img-boot-sequence.md +++ b/windows/client-management/img-boot-sequence.md @@ -1,6 +1,6 @@ --- -description: A full-sized view of the boot sequence flowchart. title: Boot sequence flowchart +description: A full-sized view of the boot sequence flowchart. ms.date: 11/16/2018 ms.reviewer: manager: dansimp @@ -10,8 +10,8 @@ ms.topic: article ms.prod: w10 --- +# Boot sequence flowchart + Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
- ![Full-sized boot sequence flowchart](images/boot-sequence.png) - diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 63a6a403c2..d42dc24268 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -16,15 +16,15 @@ ms.date: 08/17/2017 ms.reviewer: --- -## Additional mitigations +# Additional mitigations Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust. -### Restricting domain users to specific domain-joined devices +## Restricting domain users to specific domain-joined devices Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. -#### Kerberos armoring +### Kerberos armoring Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. @@ -34,7 +34,7 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. - All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. -#### Protecting domain-joined device secrets +### Protecting domain-joined device secrets Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user. @@ -46,7 +46,7 @@ Domain-joined device certificate authentication has the following requirements: - Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. - A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. -##### Deploying domain-joined device certificates +#### Deploying domain-joined device certificates To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. @@ -78,7 +78,7 @@ CertReq -EnrollCredGuardCert MachineAuthentication > [!NOTE] > You must restart the device after enrolling the machine authentication certificate.   -##### How a certificate issuance policy can be used for access control +#### How a certificate issuance policy can be used for access control Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/library/dd378897(v=ws.10).aspx) on TechNet. @@ -100,7 +100,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` -#### Restricting user sign on +### Restricting user sign on So we now have completed the following: @@ -129,17 +129,17 @@ Authentication policies have the following requirements: > [!NOTE] > When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. -##### Discovering authentication failures due to authentication policies +#### Discovering authentication failures due to authentication policies To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/library/dn486813(v=ws.11).aspx). -### Appendix: Scripts +## Appendix: Scripts Here is a list of scripts mentioned in this topic. -#### Get the available issuance policies on the certificate authority +### Get the available issuance policies on the certificate authority Save this script file as get-IssuancePolicy.ps1. @@ -330,7 +330,7 @@ write-host "There are no issuance policies which are not mapped to groups" > [!NOTE] > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.   -#### Link an issuance policy to a group +### Link an issuance policy to a group Save the script file as set-IssuancePolicyToGroupLink.ps1. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md index 551174a844..e414790f9e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineactionsnote.md @@ -10,5 +10,7 @@ ms.prod: w10 title: Note --- +# Perform a Machine Action via the Microsoft Defender ATP API + >[!Note] > This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP. diff --git a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md index eb022df5f7..da7e3816d2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/prerelease.md +++ b/windows/security/threat-protection/microsoft-defender-atp/prerelease.md @@ -10,5 +10,7 @@ ms.prod: w10 title: "Prerelease" --- +# Microsoft Defender ATP Pre-release Disclaimer + > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.