mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 21:37:22 +00:00
fixed missing headlines in 4 items
This commit is contained in:
parent
0b711d9f63
commit
8260d535de
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
description: A full-sized view of the boot sequence flowchart.
|
|
||||||
title: Boot sequence flowchart
|
title: Boot sequence flowchart
|
||||||
|
description: A full-sized view of the boot sequence flowchart.
|
||||||
ms.date: 11/16/2018
|
ms.date: 11/16/2018
|
||||||
ms.reviewer:
|
ms.reviewer:
|
||||||
manager: dansimp
|
manager: dansimp
|
||||||
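Review bot: the only change in this hunk is swapping the order of the `description:` and `title:` keys in the front matter, which has no effect on how the page renders and is unrelated to the commit's stated purpose (missing headlines); consider dropping this hunk so the diff stays limited to the heading fix.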
@ -10,8 +10,8 @@ ms.topic: article
|
|||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
---
|
---
|
||||||
|
|
||||||
|
# Boot sequence flowchart
|
||||||
|
|
||||||
Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)<br>
|
Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)<br>
|
||||||
|
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
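Review bot: the added `# Boot sequence flowchart` matches the front-matter `title:`, so the rendered H1 and the page title will agree, which is the right fix here. One small follow-up on the unchanged context: the trailing `<br>` on the `Return to:` line is redundant, because the blank line after it already ends the paragraph, and it can be removed while this file is being touched.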
@ -16,15 +16,15 @@ ms.date: 08/17/2017
|
|||||||
ms.reviewer:
|
ms.reviewer:
|
||||||
---
|
---
|
||||||
|
|
||||||
## Additional mitigations
|
# Additional mitigations
|
||||||
|
|
||||||
Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
|
Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
|
||||||
|
|
||||||
### Restricting domain users to specific domain-joined devices
|
## Restricting domain users to specific domain-joined devices
|
||||||
|
|
||||||
Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
|
Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
|
||||||
|
|
||||||
#### Kerberos armoring
|
### Kerberos armoring
|
||||||
|
|
||||||
Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
|
Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
|
||||||
|
|
||||||
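Review bot: the one-level promotion is applied consistently to every heading in this hunk (`##` to `#`, `###` to `##`, `####` to `###`), so the outline stays intact; please confirm that no heading outside the shown hunks is still at the old depth, otherwise the outline will have a gap. Separately, the unchanged first paragraph reads "re-using previously stolen credentials prior to Windows Defender Device Guard" while the whole paragraph is about Credential Guard; is "Device Guard" intended there, or should it be "Credential Guard"? Worth fixing while this file is being edited.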
@ -34,7 +34,7 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,
|
|||||||
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
|
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
|
||||||
- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
|
- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
|
||||||
|
|
||||||
#### Protecting domain-joined device secrets
|
### Protecting domain-joined device secrets
|
||||||
|
|
||||||
Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
|
Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
|
||||||
|
|
||||||
@ -46,7 +46,7 @@ Domain-joined device certificate authentication has the following requirements:
|
|||||||
- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
|
- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
|
||||||
- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
|
- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
|
||||||
|
|
||||||
##### Deploying domain-joined device certificates
|
#### Deploying domain-joined device certificates
|
||||||
|
|
||||||
To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
|
To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
|
||||||
|
|
||||||
@ -78,7 +78,7 @@ CertReq -EnrollCredGuardCert MachineAuthentication
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> You must restart the device after enrolling the machine authentication certificate.
|
> You must restart the device after enrolling the machine authentication certificate.
|
||||||
|
|
||||||
##### How a certificate issuance policy can be used for access control
|
#### How a certificate issuance policy can be used for access control
|
||||||
|
|
||||||
Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/library/dd378897(v=ws.10).aspx) on TechNet.
|
Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/library/dd378897(v=ws.10).aspx) on TechNet.
|
||||||
|
|
||||||
@ -100,7 +100,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
|
|||||||
.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"<name of issuance policy>" –groupOU:"<Name of OU to create>" –groupName:”<name of Universal security group to create>"
|
.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"<name of issuance policy>" –groupOU:"<Name of OU to create>" –groupName:”<name of Universal security group to create>"
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Restricting user sign on
|
### Restricting user sign on
|
||||||
|
|
||||||
So we now have completed the following:
|
So we now have completed the following:
|
||||||
|
|
||||||
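Review bot: the heading change is fine, but the unchanged command sample above it mixes characters that should be normalized: the parameter prefixes are en dashes (`–IssuancePolicyName`, `–groupOU`, `–groupName`) rather than ASCII `-`, and the `–groupName:` argument opens with a curly `”` but closes with a straight `"`. Replace them with `-` and `"` so the sample is consistent and copies cleanly.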
@ -129,17 +129,17 @@ Authentication policies have the following requirements:
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
|
> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
|
||||||
|
|
||||||
##### Discovering authentication failures due to authentication policies
|
#### Discovering authentication failures due to authentication policies
|
||||||
|
|
||||||
To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
|
To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
|
||||||
|
|
||||||
To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/library/dn486813(v=ws.11).aspx).
|
To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/library/dn486813(v=ws.11).aspx).
|
||||||
|
|
||||||
### Appendix: Scripts
|
## Appendix: Scripts
|
||||||
|
|
||||||
Here is a list of scripts mentioned in this topic.
|
Here is a list of scripts mentioned in this topic.
|
||||||
|
|
||||||
#### <a href="" id="bkmk-getscript"></a>Get the available issuance policies on the certificate authority
|
### <a href="" id="bkmk-getscript"></a>Get the available issuance policies on the certificate authority
|
||||||
|
|
||||||
Save this script file as get-IssuancePolicy.ps1.
|
Save this script file as get-IssuancePolicy.ps1.
|
||||||
|
|
||||||
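Review bot: heading levels here are consistent with the rest of the shift, and the `<a href="" id="bkmk-getscript"></a>` anchor survives the level change, so in-page links to it keep working. In the unchanged Event Viewer instruction, though, the bold markup is mis-scoped: `**Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**` bolds the words "right-click" along with the path; close the bold after `Authentication` and open a separate `**...**` around `AuthenticationPolicyFailures-DomainController`.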
@ -330,7 +330,7 @@ write-host "There are no issuance policies which are not mapped to groups"
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
|
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
|
||||||
|
|
||||||
#### <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group
|
### <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group
|
||||||
|
|
||||||
Save the script file as set-IssuancePolicyToGroupLink.ps1.
|
Save the script file as set-IssuancePolicyToGroupLink.ps1.
|
||||||
|
|
||||||
|
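Review bot: the `bkmk-setscript` anchor is preserved through the heading change, which is what matters for existing links. The unchanged note directly above ("try replacing the single quote after the ConvertFrom-StringData parameter") does not say what to replace it with; if the issue is a curly quote that should be a straight `'`, stating that explicitly would make the note actionable.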
@ -10,5 +10,7 @@ ms.prod: w10
|
|||||||
title: Note
|
title: Note
|
||||||
---
|
---
|
||||||
|
|
||||||
|
# Perform a Machine Action via the Microsoft Defender ATP API
|
||||||
|
|
||||||
>[!Note]
|
>[!Note]
|
||||||
> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP.
|
> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP.
|
||||||
|
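Review bot: the front matter (`title: Note`) and a body consisting only of a `>[!Note]` callout indicate this file is a shared include snippet rather than a standalone topic, so the added `# Perform a Machine Action via the Microsoft Defender ATP API` would be rendered inside every page that includes it, giving those pages a second H1 that may not match their own subject. If a title is needed for build tooling, keep it in the front matter; if a heading is wanted in the body, use a level below `#`.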
@ -10,5 +10,7 @@ ms.prod: w10
|
|||||||
title: "Prerelease"
|
title: "Prerelease"
|
||||||
---
|
---
|
||||||
|
|
||||||
|
# Microsoft Defender ATP Pre-release Disclaimer
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
|
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
|
||||||
|
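Review bot: `title: "Prerelease"` and a body that is a single `> [!IMPORTANT]` disclaimer mark this as an include snippet, so the new `# Microsoft Defender ATP Pre-release Disclaimer` will appear as an extra top-level heading inside every page that pulls the disclaimer in. A disclaimer callout normally carries no heading at all; if one is required, use a level below `#` so it does not compete with the host page's title.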