Merge branch 'master' into ado5549056-round5

Author: Mandi Ohlinger, 2022-01-05 10:42:27 -05:00 (committed by GitHub)
29 changed files with 348 additions and 87 deletions

@ -20,6 +20,7 @@ ms.date: 02/28/2019
# Local Accounts
**Applies to**
- Windows 11
- Windows 10
- Windows Server 2019
- Windows Server 2016
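Review bot: the ms.date shown in the hunk header (02/28/2019) is not bumped even though the Applies to list gains Windows 11; the other files in this commit update ms.date alongside their content changes (12/21/2021, 12/27/2021), so do the same here for consistency.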
@ -74,7 +75,7 @@ The Administrator account has full control of the files, directories, services,
The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.
In Windows 10 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation.
From Windows 10, Windows 11 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation.
**Account group membership**
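Review bot: the rewritten opening "From Windows 10, Windows 11 and Windows Server 2016, Windows setup disables..." is awkward because "from" wants a single starting point; suggest "Starting with Windows 10 and Windows Server 2016 (and continuing in Windows 11), Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group."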

@ -166,7 +166,7 @@ The following table lists the universal well-known SIDs.
| S-1-5 | NT Authority | A SID that represents an identifier authority. |
| S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.|
The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the last value is used with well-known SIDs in Windows operating systems designated in the **Applies To** list.
The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list.
| Identifier Authority | Value | SID String Prefix |
| - | - | - |
@ -174,6 +174,8 @@ The following table lists the predefined identifier authority constants. The fir
| SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 |
| SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 |
| SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 |
| SECURITY_NT_AUTHORITY | 5 | S-1-5 |
| SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18 |
The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
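Review bot: the new SECURITY_AUTHENTICATION_AUTHORITY row is correct, but the table still has no entry for the authority that the S-1-16 integrity-level SIDs on this same page belong to; add `| SECURITY_MANDATORY_LABEL_AUTHORITY | 16 | S-1-16 |` between the S-1-5 and S-1-18 rows so every SID prefix used on the page can be traced back to its identifier authority.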
@ -256,14 +258,6 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.|
| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.|
| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). |
| S-1-16-0| Untrusted Mandatory Level| A SID that represents an untrusted integrity level.|
| S-1-16-4096 | Low Mandatory Level| A SID that represents a low integrity level.|
| S-1-16-8192 | Medium Mandatory Level| This SID represents a medium integrity level.|
| S-1-16-8448 | Medium Plus Mandatory Level| A SID that represents a medium plus integrity level.|
| S-1-16-12288 | High Mandatory Level| A SID that represents a high integrity level.|
| S-1-16-16384 | System Mandatory Level| A SID that represents a system integrity level.|
| S-1-16-20480 | Protected Process Mandatory Level| A SID that represents a protected-process integrity level.|
| S-1-16-28672 | Secure Process Mandatory Level| A SID that represents a secure process integrity level.|
The following RIDs are relative to each domain.
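Review bot: taking the eight S-1-16 mandatory-level rows out of the SECURITY_NT_AUTHORITY (S-1-5) table is right, since they are not S-1-5 SIDs, but nothing visible in this diff adds them back under their own authority; confirm the integrity-level SIDs are re-homed in a separate S-1-16 table rather than dropped from the reference, because the Untrusted through Secure Process levels are exactly what readers look up when reasoning about mandatory integrity control.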

@ -2,6 +2,7 @@
title: Special Identities (Windows 10)
description: Special Identities
ms.prod: m365-security
ms.technology: windows-sec
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@ -12,14 +13,14 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 10/12/2021
ms.date: 12/21/2021
ms.reviewer:
---
# Special Identities
**Applies to**
- Windows Server 2016
- Windows Server 2016 or later
This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.
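Review bot: the Applies to list now reads only "Windows Server 2016 or later" while the title in this file's front matter (shown in the earlier hunk of this file) still says "Special Identities (Windows 10)"; the special identities documented here exist on client SKUs too, so list Windows 10 and Windows 11 as well, as the Local Accounts and Credential Guard pages in this same commit do, or fix the title to match.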
@ -97,6 +98,18 @@ Any user who accesses the system through an anonymous logon has the Anonymous Lo
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Attested Key Property
A SID that means the key trust object had the attestation property.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-6 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Authenticated Users
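Review bot: style point on the new table template that is reused for every added section in this file: cell spacing is inconsistent within one table ("| Well-Known SID/RID | S-1-18-6 |" versus "|Object Class| Foreign Security Principal|"), and the Default User Rights value is capitalized "None" here but lower-case "none" in the existing Batch table; pick one spacing and one casing and apply it to all the new sections before merging.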
@ -109,6 +122,18 @@ Any user who accesses the system through a sign-in process has the Authenticated
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight<br> [Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege<br> [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
## Authentication Authority Asserted Identity
A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-1 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Batch
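Review bot: the description is accurate but reads better with a pointer to its counterpart, the Service Asserted Identity (S-1-18-2) section added later in this file; together they let an ACE distinguish a client that proved possession of its own credentials to an authentication authority from one whose identity was asserted on its behalf by a service, which is the practical reason an administrator would reference either SID.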
@ -121,6 +146,18 @@ Any user or process that accesses the system as a batch job (or through the batc
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| none|
## Console Logon
A group that includes users who are logged on to the physical console. This SID can be used to implement security policies that grant different rights based on whether a user has been granted physical access to the console.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-2-1 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Creator Group
@ -197,6 +234,18 @@ Membership is controlled by the operating system.
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</br> [Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege</br> [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
## Fresh Public Key Identity
A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-3 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Interactive
@ -209,6 +258,30 @@ Any user who is logged on to the local system has the Interactive identity. This
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| None|
## IUSR
Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-17 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Key Trust
A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-4 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Local Service
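Review bot: the IUSR description calls it "this account" while the page documents identities and the table classes it as a Foreign Security Principal; reword to match the page's own vocabulary, for example "Internet Information Services (IIS) runs requests under this identity by default whenever anonymous authentication is enabled."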
@ -234,6 +307,18 @@ This is a service account that is used by the operating system. The LocalSystem
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## MFA Key Property
A SID that means the key trust object had the multifactor authentication (MFA) property.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-5 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Network
This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.
@ -279,6 +364,18 @@ This group implicitly includes all users who are logged on to the system through
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| None |
## Owner Rights
A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-3-4 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Principal Self
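Review bot: the Owner Rights description states the mechanism (implicit READ_CONTROL and WRITE_DAC are ignored) but not the consequence a reader needs: once such an ACE is present, the owner's access is limited to what the OWNER RIGHTS ACE explicitly grants, which is what makes this SID useful for preventing object owners from re-granting themselves permissions; add one sentence to that effect.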
@ -291,6 +388,18 @@ This identity is a placeholder in an ACE on a user, group, or computer object in
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| None |
## Proxy
Identifies a SECURITY_NT_AUTHORITY Proxy.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-8 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Remote Interactive Logon
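Review bot: "Identifies a SECURITY_NT_AUTHORITY Proxy." is a tautology that tells the reader nothing every other section does not already convey through its table; either describe what this identity is used for, or state explicitly that its use is not documented, rather than shipping a description that only repeats the name.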
@ -338,6 +447,18 @@ Any service that accesses the system has the Service identity. This identity gro
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege<br> [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege<br>|
## Service Asserted Identity
A SID that means the client's identity is asserted by a service.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-2 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Terminal Server User

@ -14,15 +14,15 @@ ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
ms.date: 12/16/2021
ms.date: 12/27/2021
---
# Windows Defender Credential Guard: Requirements
## Applies to
- Windows 11 Professional and Enterprise
- Windows 10 Professional and Enterprise
- Windows 11
- Windows 10
- Windows Server 2019
- Windows Server 2016
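Review bot: this hunk drops the "Professional and Enterprise" qualifiers from the Applies to list, while the requirements hunk below in the same file narrows the software requirement to "Windows 10 Enterprise"; the two changes pull in opposite directions, so decide which edition statement is authoritative and make both places agree.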
@ -105,7 +105,7 @@ The following tables describe baseline protections, plus protections for improve
|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
|Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: </br> - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
|Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
|Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
|Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
> [!IMPORTANT]
> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
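Review bot: the updated Requirement cell says "At least Windows 10 Enterprise or Windows Server 2016" but does not mention Windows 11 even though it is in this page's Applies to list; also, in the unchanged context rows, "root kits" and "boot kits" should be the single words "rootkits" and "bootkits".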

@ -69,7 +69,7 @@ Key trust deployments do not need client issued certificates for on-premises aut
The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](/troubleshoot/windows-server/windows-security/requirements-domain-controller).
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder.
* The certificate Subject section should contain the directory path of the server object (the distinguished name).
* Optionally, the certificate Subject section could contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
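Review bot: "Optionally, the certificate Subject section could contain..." doubles up the hedge; the two nearby bullets now read "Optionally ... could" and "Optionally ... should", which suggests different strengths where none is intended. Use one form for both, for example "The certificate Subject section can optionally contain the directory path of the server object (the distinguished name)." and the same construction for the Basic Constraints bullet.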
@ -167,4 +167,4 @@ For federated and non-federated environments, start with **Configure Windows Hel
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)