From 52a05f027d0741116c7275b3aebe94f4e5063c7c Mon Sep 17 00:00:00 2001 From: anaharris-ms <61602255+anaharris-ms@users.noreply.github.com> Date: Wed, 28 Jun 2023 11:08:25 -0400 Subject: [PATCH 1/5] edit --- ...man-protocol-over-ikev2-vpn-connections.md | 58 ++++++++++++++++--- 1 file changed, 50 insertions(+), 8 deletions(-) diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 834f56a321..809b88492a 100644 --- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -1,19 +1,25 @@ --- -title: How to configure Diffie Hellman protocol over IKEv2 VPN connections -description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections. -ms.date: 09/23/2021 +title: How to configure cryptographic settings for IKEv2 VPN connections +description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections. +ms.date: 06/28/2023 ms.topic: how-to --- -# How to configure Diffie Hellman protocol over IKEv2 VPN connections +# How to configure cryptographic settings for IKEv2 VPN connections -In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges. +In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are: + +- Encryption Algorithm : DES3 +- Integrity, Hash Algorithm : SHA1 +- Diffie Hellman Group (Key Size): DH2 + +These settings aren't secure for IKE exchanges. To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets. ## VPN server -For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration. +For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. These settings are effective for all IKEv2 VPN connections. ```powershell Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy @@ -30,7 +36,43 @@ Set-VpnServerIPsecConfiguration -CustomPolicy For VPN client, you need to configure each VPN connection. For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps&preserve-view=true) and specify the name of the connection: - ```powershell Set-VpnConnectionIPsecConfiguration -ConnectionName -``` \ No newline at end of file +``` + +## IKEv2 Crypto Settings Example + +The following commands configure the IKEv2 cryptographic settings to: + +- Encryption Algorithm : AES128 +- Integrity, Hash Algorithm : SHA256 +- Diffie Hellman Group (Key Size): DH14 + +### IKEv2 VPN Server + +```powershell +Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000 +restart-service RemoteAccess -PassThru +``` + +If you need to switch back to the default IKEv2 settings, use this command: + +```powershell +Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault +restart-service RemoteAccess -PassThru +``` + +### IKEv2 VPN Client + +```powershell +Set-VpnConnectionIPsecConfiguration -ConnectionName -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force +``` + +If you need to switch back to the default IKEv2 settings, use this command: + +```powershell +Set-VpnConnectionIPsecConfiguration -ConnectionName -RevertToDefault -Force +``` + +> [!TIP] +> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command. \ No newline at end of file From 9f04afe6e310725baa8af6fbec86bfdc4b84e343 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 1 Aug 2023 10:18:38 -0400 Subject: [PATCH 2/5] Changed Microsoft Recommended Block list article --- .openpublishing.redirection.windows-security.json | 5 +++++ .../windows-defender-application-control/TOC.yml | 2 +- ...lock-rules.md => applications-that-can-bypass-wdac.md} | 8 ++++---- 3 files changed, 10 insertions(+), 5 deletions(-) rename windows/security/application-security/application-control/windows-defender-application-control/design/{microsoft-recommended-block-rules.md => applications-that-can-bypass-wdac.md} (99%) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 998d8fad5e..b1fdc02d36 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -80,6 +80,11 @@ "redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines", "redirect_document_id": false }, + { + "source_path": "windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md", + "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", + "redirect_document_id": false + }, { "source_path": "windows/security/apps.md", "redirect_url": "/windows/security/application-security", diff --git a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml index 70c937a286..4db0c9a48f 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml +++ b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml @@ -55,7 +55,7 @@ href: design/create-wdac-policy-using-reference-computer.md - name: Create a WDAC deny list policy href: design/create-wdac-deny-policy.md - - name: Microsoft recommended block rules + - name: Applications that can bypass WDAC and how to block them href: design/microsoft-recommended-block-rules.md - name: Microsoft recommended driver block rules href: design/microsoft-recommended-driver-block-rules.md diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md similarity index 99% rename from windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md rename to windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md index ebc63fd06e..bcce7c5578 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md @@ -1,15 +1,15 @@ --- -title: Microsoft recommended block rules +title: Applications that can bypass WDAC and how to block them description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community. ms.localizationpriority: medium ms.date: 06/14/2023 ms.topic: reference --- -# Microsoft recommended block rules +# Applications that can bypass WDAC and how to block them ->[!NOTE] ->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md). +> [!NOTE] +> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md). Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass WDAC. From f21715f6176866edcccc2590e775f7e2b0f7dbf8 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 1 Aug 2023 10:21:51 -0400 Subject: [PATCH 3/5] Update TOC --- .../windows-defender-application-control/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml index 4db0c9a48f..3815f2af27 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml +++ b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml @@ -56,7 +56,7 @@ - name: Create a WDAC deny list policy href: design/create-wdac-deny-policy.md - name: Applications that can bypass WDAC and how to block them - href: design/microsoft-recommended-block-rules.md + href: design/applications-that-can-bypass-wdac.md - name: Microsoft recommended driver block rules href: design/microsoft-recommended-driver-block-rules.md - name: Use the WDAC Wizard tool From 5af2f032a7d5e8c84d24ccf5dd58e64d319330fe Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 1 Aug 2023 10:25:34 -0400 Subject: [PATCH 4/5] Fix redirect --- .openpublishing.redirection.windows-security.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index b1fdc02d36..7347d35cb3 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -81,7 +81,7 @@ "redirect_document_id": false }, { - "source_path": "windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md", + "source_path": "windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md", "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac", "redirect_document_id": false }, From 874ec6b210c75d39136bb382034ec26e73f3f63f Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 1 Aug 2023 10:27:33 -0400 Subject: [PATCH 5/5] Fix links --- .../windows-defender-application-control/index.yml | 4 ++-- .../windows-defender-application-control/wdac.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/index.yml b/windows/security/application-security/application-control/windows-defender-application-control/index.yml index 116b217e84..1b1d46e536 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/index.yml +++ b/windows/security/application-security/application-control/windows-defender-application-control/index.yml @@ -33,8 +33,8 @@ landingContent: links: - text: Using code signing to simplify application control url: deployment/use-code-signing-for-better-control-and-protection.md - - text: Microsoft's Recommended Blocklist - url: design/microsoft-recommended-block-rules.md + - text: Applications that can bypass WDAC and how to block them + url: design/applications-that-can-bypass-wdac.md - text: Microsoft's Recommended Driver Blocklist url: design/microsoft-recommended-driver-block-rules.md - text: Example WDAC policies diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md index dee33405bb..7ee7a13013 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md @@ -47,7 +47,7 @@ Smart App Control is only available on clean installation of Windows 11 version ### Smart App Control Enforced Blocks -Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control: +Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control: - Infdefaultinstall.exe - Microsoft.Build.dll