deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

remove broken link

Browse Source
This commit is contained in:
Aaron Czechowski 2024-02-05 09:10:02 -08:00
parent 48ef2b748a
commit 83ac12a51a
3 changed files with 77 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
View File

@ -7,7 +7,7 @@ ms.collection:
- tier3
- must-keep
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.topic: article
@ -21,13 +21,11 @@ ms.technology: itpro-configure
Microsoft User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings. The combination of UE-V and App-V support for Office enables the same experience on virtualized instances of Office from any UE-V-enabled device or virtualized desktop.
To synchronize Office applications settings, you can download Office templates from the [User Experience Virtualization (UE-V) Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V). This resource provides Microsoft-authored UE-V settings location templates and community-developed settings location templates.
## Microsoft Office support in UE-V
UE-V includes settings location templates for Microsoft Office 2016, 2013, and 2010. In previous versions of UE-V, settings location templates for Office 2013 and Office 2010 were distributed and registered when you installed the UE-V agent. Now that UE-V is a feature in Windows 10, version 1607, settings location templates are installed when you install or upgrade to the new operating system.
UE-V includes settings location templates for Microsoft Office 2016, 2013, and 2010. In previous versions of UE-V, settings location templates for Office 2013 and Office 2010 were distributed and registered when you installed the UE-V agent. Now that UE-V is a feature in Windows 10, version 1607, settings location templates are installed when you install or upgrade to the new operating system.
These templates help synchronize users Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience aren't included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)).
These templates help synchronize users' Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience aren't included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)).
## Synchronized Office Settings

21
windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
View File

@ -7,7 +7,7 @@ ms.collection:
- tier3
- must-keep
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.topic: article
@ -31,7 +31,7 @@ Use the UE-V template generator to monitor, discover, and capture the locations
## Standard and non-standard settings locations
The UE-V template generator helps you identify where applications search for settings files and registry settings that applications use to store settings information. The generator discovers settings only in locations that are accessible to a standard user. Settings that are stored in other locations are excluded.
The UE-V template generator helps you identify where applications search for settings files and registry settings that applications use to store settings information. The generator discovers settings only in locations that are accessible to a standard user. Settings that are stored in other locations are excluded.
Discovered settings are grouped into two categories: **Standard** and **Non-standard**. Standard settings are recommended for synchronization, and UE-V can readily capture and apply them. Non-standard settings can potentially synchronize settings but, because of the rules that UE-V uses, these settings might not consistently or dependably synchronize settings. These settings might depend on temporary files, result in unreliable synchronization, or might not be useful. These settings locations are presented in the UE-V template generator. You can choose to include or exclude them on a case-by-case basis.
@ -101,7 +101,7 @@ Use the UE-V template generator to edit settings location templates. When the re
> [!NOTE]
> A settings location template is unique because of the template **ID**. If you copy the template and rename the .xml file, template registration fails because UE-V reads the template **ID** tag in the .xml file to determine the name, not the file name of the .xml file. UE-V also reads the **Version** number to know if anything has changed. If the version number is higher, UE-V updates the template.
2. Open the settings location template file with an XML editor.
3. Edit the settings location template file. All changes must conform to the UE-V schema file that is defined in [SettingsLocationTempate.xsd](uev-application-template-schema-reference.md). By default, a copy of the .xsd file is located in \\ProgramData\\Microsoft\\UEV\\Templates.
@ -132,21 +132,6 @@ To validate a UE-V settings location template with the UE-V template generator:
After you validate the settings location template for an application, you should test the template. Deploy the template in a lab environment before you put it into a production environment in enterprise.
## Next steps
## <a href="" id="share"></a>Share settings location templates with the Template Gallery
The [User Experience Virtualization Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V) enables administrators to share their UE-V settings location templates. Upload your settings location templates to the gallery for other users to use, and download templates that other users have created.
Before you share a settings location template on the UE-V template gallery, ensure it doesn't contain any personal or company information. You can use any XML viewer to open and view the contents of a settings location template file. The following template values should be reviewed before you share a template with anyone outside your company.
- Template Author Name Specify a general, non-identifying name for the template author name or exclude this data from the template.
- Template Author Email Specify a general, non-identifying template author email or exclude this data from the template.
Before you deploy any settings location template that you've downloaded from the UE-V gallery, you should first test the template to ensure that the application settings synchronize settings correctly in a test environment.
## Related topics
[Administering UE-V](uev-administering-uev.md)

139
windows/security/threat-protection/auditing/event-4913.md
View File

@ -1,5 +1,5 @@
---
title: 4913(S) Central Access Policy on the object was changed.
title: 4913(S) Central Access Policy on the object was changed
description: Describes security event 4913(S) Central Access Policy on the object was changed.
ms.pagetype: security
ms.mktglfcycl: deploy
@ -7,14 +7,13 @@ ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# 4913(S): Central Access Policy on the object was changed.
# 4913(S): Central Access Policy on the object was changed
<img src="images/event-4913.png" alt="Event 4913 illustration" width="648" height="557" hspace="10" align="left" />
@ -24,44 +23,45 @@ ms.topic: reference
This event generates when a [Central Access Policy](/windows-server/identity/solution-guides/scenario--central-access-policy) on a file system object is changed.
This event always generates, regardless of the objects [SACL](/windows/win32/secauthz/access-control-lists) settings.
This event always generates, regardless of the object's [SACL](/windows/win32/secauthz/access-control-lists) settings.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
> [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4913</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-09T23:40:43.118758100Z" />
<EventRecordID>1183666</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4913</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-09T23:40:43.118758100Z" />
<EventRecordID>1183666</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x37901</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Audit Files\\HBI Data.txt</Data>
<Data Name="HandleId">0x3d4</Data>
<Data Name="OldSd">S:AI</Data>
<Data Name="NewSd">S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534)</Data>
<Data Name="ProcessId">0x884</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x37901</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Audit Files\\HBI Data.txt</Data>
<Data Name="HandleId">0x3d4</Data>
<Data Name="OldSd">S:AI</Data>
<Data Name="NewSd">S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534)</Data>
<Data Name="ProcessId">0x884</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data>
</EventData>
</Event>
```
@ -82,7 +82,7 @@ This event always generates, regardless of the objects [SACL](/windows/win32/
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policy on the object.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following ones:
- **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
@ -90,17 +90,17 @@ This event always generates, regardless of the objects [SACL](/windows/win32/
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows-server/identity/ad-ds/manage/understand-security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."
**Object**:
- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
- **Object Server** \[Type = UnicodeString\]: has "**Security**" value for this event.
- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always **“File”** for this event.
- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always **"File"** for this event.
The following table contains the list of the most common **Object Types**:
@ -118,7 +118,7 @@ This event always generates, regardless of the objects [SACL](/windows/win32/
<!-- -->
- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "[4663](event-4663.md)(S): An attempt was made to access an object." This parameter might not be captured in the event, and in that case appears as "0x0".
**Process:**
@ -128,7 +128,7 @@ This event always generates, regardless of the objects [SACL](/windows/win32/
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field.
You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID** field.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
@ -136,29 +136,30 @@ This event always generates, regardless of the objects [SACL](/windows/win32/
- **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (for the policy that was formerly applied to the object).
SDDL contains Central Access Policy SID, here's an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name, you need to do the following steps:
SDDL contains Central Access Policy SID, here's an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is "**S-1-17-1442530252-1178042555-1247349694-2318402534**". To resolve this SID to the real Central Access Policy name, you need to do the following steps:
1. Find Central Access Policy Active Directory object in: “CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX” Active Directory container.
1. Find Central Access Policy Active Directory object in: "CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX" Active Directory container.
2. Open objects “**Properties**”.
2. Open object's "**Properties**".
3. Find “**msAuthz-CentralAccessPolicyID**” attribute.
3. Find "**msAuthz-CentralAccessPolicyID**" attribute.
4. Convert hexadecimal value to SID (string). Here you can see more information about how to perform this action: <https://social.technet.microsoft.com/Forums/scriptcenter/en-US/11585f2c-ed0d-4c2b-a2b6-ef2aa07b3745/how-to-convert-sid>.
4. Convert hexadecimal value to SID (string).
<img src="images/adsi-edit.png" alt="ADSI Edit illustration" width="763" height="454" hspace=10" align="left" />
> If no Central Access Policies were applied to the object, then SDDL will not contain any SIDs, for example “**S:AI**”.
> If no Central Access Policies were applied to the object, then SDDL will not contain any SIDs, for example "**S:AI**".
- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> [!NOTE]
> The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
>
> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
>
> `*O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)`
>
> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
> See the list of possible values in the table below:
| Value | Description | Value | Description |
@ -193,13 +194,13 @@ Example: D:(A;;FA;;;WD)
- entry\_type:
“D” - DACL
"D" - DACL
“S” - SACL
"S" - SACL
- inheritance\_flags:
"P - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
"P" - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" isn't also set.
@ -231,7 +232,7 @@ Example: D:(A;;FA;;;WD)
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesnt apply to this object, but may affect children via inheritance.
"IO" - INHERITANCE ONLY: ace doesn't apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
@ -262,24 +263,26 @@ Example: D:(A;;FA;;;WD)
- inherit\_object\_guid: N/A
- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above.
For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
For more information about SDDL syntax, see these articles:
- [2.5.1.1 Syntax](/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070)
- [ACCESS_MASK](/windows/win32/secauthz/access-mask)
## Security Monitoring Recommendations
For 4913(S): Central Access Policy on the object was changed.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
> [!IMPORTANT]
> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.”
- If you need to monitor events related to specific Windows object types ("**Object Type**"), for example **File** or **Key**, monitor this event for the corresponding "**Object Type**."
- If you need to monitor all changes to specific files or folders (in this case, changes to the Central Access Policy), monitor for the “**Object Name**” that corresponds to the file or folder.
- If you need to monitor all changes to specific files or folders (in this case, changes to the Central Access Policy), monitor for the "**Object Name**" that corresponds to the file or folder.
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value.
- You can monitor to see if “**Process Name**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- You can monitor to see if "**Process Name**" isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
<!-- -->
- If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**."
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
- If you have specific files, folders, or entire systems to which a specific Central Access Policy should be applied, you can monitor this event and compare the Central Access Policy SID in “**New Security Descriptor**” to see if it matches the expected policy.
- If you have specific files, folders, or entire systems to which a specific Central Access Policy should be applied, you can monitor this event and compare the Central Access Policy SID in "**New Security Descriptor**" to see if it matches the expected policy.