Merge branch 'public' into repo_sync_working_branch

Jeff Borsecnik 2020-03-12 12:01:56 -07:00 committed by GitHub
commit 9bafcd88ba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 329 additions and 415 deletions

View File

@ -1204,19 +1204,19 @@ The following list shows the supported values:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
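Review bot: The footnote marker on the Pro, Business, Enterprise and Education rows moves from `<sup>6</sup>` to `<sup>3</sup>`, but the footnote legend is outside this hunk, so nothing visible here shows that footnote 3 names the same release as the Description line changed in the next hunk. Please confirm the legend entry for 3 matches "Windows 10, version 1709", and that no other row of this table still carries the old marker.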
@ -1233,8 +1233,8 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
Added in Windows 10, version 1709. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
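Review bot: The Description line loses "Also available in Windows 10, versions 1809, 1803, and 1709" and now reads only "Added in Windows 10, version 1709". The old wording reads as a backport; if the policy reached those releases through a later update, an admin relying on the new sentence could assume any 1709 device enforces the deadline when it may not. Suggest keeping the backport wording or naming the minimum update level. The same point applies to the three later Description hunks in this file.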
@ -1275,19 +1275,19 @@ Default value is 7.
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
@ -1304,7 +1304,8 @@ Default value is 7.
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
Added in Windows 10, version 1709. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -1345,19 +1346,19 @@ Default value is 7.
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
@ -1374,7 +1375,9 @@ Default value is 7.
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
Added in Windows 10, version 1709. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
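Review bot: "Setting the grace period may extend the effective deadline set by the deadline policies" is carried into the rewritten Description line without saying how the two values combine. Since the line is being edited anyway, state the rule explicitly, so an admin can work out the latest date a device can remain without the update installed and restarted.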
@ -1415,19 +1418,19 @@ Default value is 2.
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
@ -1444,7 +1447,8 @@ Default value is 2.
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
Added in Windows 10, version 1709. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline.
<!--/Description-->

View File

@ -18,11 +18,14 @@ ms.topic: article
# Use VAMT in Windows PowerShell
The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to perform the same functions as the Vamt.exe command-line tool.
**To install PowerShell 3.0**
- VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=218356).
**To install the Windows Assessment and Deployment Kit**
**To install the Windows Assessment and Deployment Kit**
- In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK).
**To prepare the VAMT PowerShell environment**
**To prepare the VAMT PowerShell environment**
- To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**.
**Important**
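Review bot: The step titles ("**To install the Windows Assessment and Deployment Kit**", "**To prepare the VAMT PowerShell environment**") and the trailing "**Important**" stay as bold paragraphs, while another file in this same commit converts "> **Note**" to the "> [!NOTE]" form. If the goal of the sync is consistent rendering, convert "**Important**" to the matching alert syntax here as well. Separately, the title "To install PowerShell 3.0" sits above text that names no version at all; either state the minimum version in the bullet or drop "3.0" from the title.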

View File

@ -25,7 +25,7 @@ ms.reviewer:
## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
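Review bot: In the changed sentence the "hardware readiness tool" link goes from the in-page anchor `#hardware-readiness-tool` to an external download page, while the Group Policy and registry links beside it remain in-page anchors. A reader who follows it now lands on a download instead of the section that explains how to run the tool. Suggest keeping the in-page anchor here and placing the download URL inside that section, or, if the section no longer exists, saying "download the hardware readiness tool" in the link text so the destination is clear.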

View File

@ -23,10 +23,8 @@ ms.reviewer:
**Requirements:**
* Windows Hello for Business deployment (Hybrid or On-premises)
* Azure AD joined device (Cloud and Hybrid deployments)
* Hybrid Azure AD joined (Hybrid deployments)
* Domain Joined (on-premises deployments)
* Windows 10, version 1709
* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
* Windows 10, version 1709 or newer
* Bluetooth, Bluetooth capable phone - optional
Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
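Review bot: The merged bullet "Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)" drops the pairing the three removed bullets made explicit (Azure AD joined for Cloud and Hybrid, Hybrid Azure AD joined for Hybrid, Domain Joined for on-premises), so it now reads as if any join type works with any deployment. It also lists Cloud deployments, while the unchanged first bullet still says "Windows Hello for Business deployment (Hybrid or On-premises)". Please either keep the per-join-type bullets or align the first bullet with the new one.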

View File

@ -285,7 +285,7 @@ A TPM implements controls that meet the specification described by the Trusted C
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-recommendations).
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
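Review bot: The replacement link keeps the text "TPM requirements in Windows 10" but now targets a page whose path ends in tpm-recommendations; please confirm the target title and adjust the link text if it differs. If that topic lives in this repository, a relative link would also survive future path moves better than the absolute docs.microsoft.com URL. Minor, in the context lines: "ISO / IEC 11889" two lines above is spaced differently from "ISO/IEC 11889:2015".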

View File

@ -20,7 +20,8 @@ ms.date: 04/19/2017
# Administer security policy settings
**Applies to**
- Windows 10
- Windows 10
This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
@ -30,90 +31,46 @@ Security settings policies are rules that you can configure on a device, or mult
Security settings can control:
- User authentication to a network or device.
- The resources that users are permitted to access.
- Whether to record a users or groups actions in the event log.
- Membership in a group.
- User authentication to a network or device.
- The resources that users are permitted to access.
- Whether to record a user's or group's actions in the event log.
- Membership in a group.
For info about each setting, including descriptions, default settings, and management and security considerations, see [Security policy settings reference](security-policy-settings-reference.md).
To manage security configurations for multiple computers, you can use one of the following options:
- Edit specific security settings in a GPO.
- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security.
## <a href="" id="what-s-changed-in-how-settings-are-administered-"></a>Whats changed in how settings are administered?
- Edit specific security settings in a GPO.
- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security.
## <a href="" id="what-s-changed-in-how-settings-are-administered-"></a>What's changed in how settings are administered
Over time, new ways to manage security policy settings have been introduced, which include new operating system features and the addition of new settings. The following table lists different means by which security policy settings can be administered.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Tool or feature</th>
<th align="left">Description and use</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><a href="#bkmk-secpol" data-raw-source="[Security Policy snap-in](#bkmk-secpol)">Security Policy snap-in</a></p></td>
<td align="left"><p>Secpol.msc</p>
<p>MMC snap-in designed to manage only security policy settings.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="#bkmk-secedit" data-raw-source="[Security editor command line tool](#bkmk-secedit)">Security editor command line tool</a></p></td>
<td align="left"><p>Secedit.exe</p>
<p>Configures and analyzes system security by comparing your current configuration to specified security templates.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="#bkmk-scm" data-raw-source="[Security Compliance Manager](#bkmk-scm)">Security Compliance Manager</a></p></td>
<td align="left"><p>Tool download</p>
<p>A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="#bkmk-scw" data-raw-source="[Security Configuration Wizard](#bkmk-scw)">Security Configuration Wizard</a></p></td>
<td align="left"><p>Scw.exe</p>
<p>SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="#bkmk-scmtool" data-raw-source="[Security Configuration Manager tool](#bkmk-scmtool)">Security Configuration Manager tool</a></p></td>
<td align="left"><p>This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="#bkmk-grouppolicy" data-raw-source="[Group Policy](#bkmk-grouppolicy)">Group Policy</a></p></td>
<td align="left"><p>Gpmc.msc and Gpedit.msc</p>
<p>The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Software Restriction Policies</p>
<p>See <a href="https://technet.microsoft.com/library/hh994606.aspx" data-raw-source="[Administer Software Restriction Policies](https://technet.microsoft.com/library/hh994606.aspx)">Administer Software Restriction Policies</a>.</p></td>
<td align="left"><p>Gpedit.msc</p>
<p>Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.</p></td>
</tr>
<tr class="even">
<td align="left"><p>AppLocker</p>
<p>See <a href="/windows/device-security/applocker/administer-applocker" data-raw-source="[Administer AppLocker](/windows/device-security/applocker/administer-applocker)">Administer AppLocker</a>.</p></td>
<td align="left"><p>Gpedit.msc</p>
<p>Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.</p></td>
</tr>
</tbody>
</table>
|Tool or feature |Description and use |
|---------|---------|
|[Security Policy snap-in](#using-the-local-security-policy-snap-in)|Secpol.msc <br> MMC snap-in designed to manage only security policy settings.|
|[Security editor command line tool](#using-the-secedit-command-line-tool) |Secedit.exe <br> Configures and analyzes system security by comparing your current configuration to specified security templates.|
|[Security Compliance Manager](#using-the-security-compliance-manager)|Tool download <br> A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.|
|[Security Configuration Wizard](#using-the-security-configuration-wizard)|Scw.exe <br> SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.|
|[Security Configuration Manager tool](#working-with-the-security-configuration-manager)|This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.|
|[Group Policy](#working-with-group-policy-tools)|Gpmc.msc and Gpedit.msc <br> The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.|
|Software Restriction Policies <br> See [Administer Software Restriction Policies](https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/administer-software-restriction-policies)|Gpedit.msc <br> Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.|
|Administer AppLocker <br> See [Administer AppLocker](/windows/device-security/applocker/administer-applocker)|Gpedit.msc <br> Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.|
## <a href="" id="bkmk-secpol"></a>Using the Local Security Policy snap-in
The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features:
- Account Policies
- Local Policies
- Windows Firewall with Advanced Security
- Network List Manager Policies
- Public Key Policies
- Software Restriction Policies
- Application Control Policies
- IP Security Policies on Local Computer
- Advanced Audit Policy Configuration
- Account Policies
- Local Policies
- Windows Firewall with Advanced Security
- Network List Manager Policies
- Public Key Policies
- Software Restriction Policies
- Application Control Policies
- IP Security Policies on Local Computer
- Advanced Audit Policy Configuration
Policies set locally might be overwritten if the computer is joined to the domain.
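Review bot: In the converted Markdown table the last row's first cell reads "Administer AppLocker <br> See [Administer AppLocker](...)", whereas the removed HTML row named the feature "AppLocker" and then linked "Administer AppLocker". The feature name was lost in the conversion; the cell should start with "AppLocker" to match the "Software Restriction Policies" row above it. Also note that the table links now use heading-slug anchors such as `#using-the-local-security-policy-snap-in` while the headings keep their explicit `bkmk-` ids; please verify every new anchor resolves, since `#working-with-group-policy-tools` has no matching heading in the visible lines.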
@ -123,12 +80,12 @@ The Local Security Policy snap-in is part of the Security Configuration Manager
The secedit command-line tool works with security templates and provides six primary functions:
- The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server.
- The **Analyze** parameter compares the servers security configuration with the selected template.
- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also.
- The **Export** parameter allows you to export the settings from a database into a security settings template.
- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue.
- The **Generate Rollback** parameter saves the servers current security settings into a security template so it can be used to restore most of the servers security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template.
- The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server.
- The **Analyze** parameter compares the server's security configuration with the selected template.
- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also.
- The **Export** parameter allows you to export the settings from a database into a security settings template.
- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue.
- The **Generate Rollback** parameter saves the server's current security settings into a security template so it can be used to restore most of the server's security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template.
## <a href="" id="bkmk-scm"></a>Using the Security Compliance Manager
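Review bot: The **Validate** bullet is re-added with its second sentence unchanged: "This ensures that if the template fails to apply syntax, the template will not be the issue." That sentence is hard to parse and should be reworded while the line is being touched, for example to say that validating first rules out template syntax as the cause when a template fails to apply. The apostrophe fixes in the **Analyze** and **Generate Rollback** bullets look right.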
@ -136,10 +93,10 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl
**To administer security policies by using the Security Compliance Manager**
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](https://blogs.technet.com/b/secguide/) blog.
2. Read the relevant security baseline documentation that is included in this tool.
3. Download and import the relevant security baselines. The installation process steps you through baseline selection.
4. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](https://blogs.technet.com/b/secguide/) blog.
1. Read the relevant security baseline documentation that is included in this tool.
1. Download and import the relevant security baselines. The installation process steps you through baseline selection.
1. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
## <a href="" id="bkmk-scw"></a>Using the Security Configuration Wizard
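Review bot: Step 1 still links to `https://blogs.technet.com/b/secguide/`, although the other TechNet links in this file are moved to docs.microsoft.com in this same commit. Please update or confirm this URL too, since it is the one that tells readers where to get security baseline guidance. In step 4, "follow instructions how to customize" should read "follow the instructions on how to customize".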
@ -155,62 +112,36 @@ The following are considerations for using SCW:
- SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles.
- All apps that use the IP protocol and ports must be running on the server when you run SCW.
- In some cases, you must be connected to the Internet to use the links in the SCW help.
> **Note** The SCW is available only on Windows Server and only applicable to server installations.
> [!NOTE]
> The SCW is available only on Windows Server and only applicable to server installations.
The SCW can be accessed through Server Manager or by running scw.exe. The wizard steps you through server security configuration to:
- Create a security policy that can be applied to any server on your network.
- Edit an existing security policy.
- Apply an existing security policy.
- Roll back the last applied security policy.
- Create a security policy that can be applied to any server on your network.
- Edit an existing security policy.
- Apply an existing security policy.
- Roll back the last applied security policy.
The Security Policy Wizard configures services and network security based on the servers role, as well as configures auditing and registry settings.
The Security Policy Wizard configures services and network security based on the server's role, as well as configures auditing and registry settings.
For more information about SCW, including procedures, see [Security Configuration Wizard](https://technet.microsoft.com/library/cc754997.aspx).
For more information about SCW, including procedures, see [Security Configuration Wizard](https://docs.microsoft.com/previous-versions/orphan-topics/ws.11/cc754997(v=ws.11)).
## <a href="" id="bkmk-scmtool"></a>Working with the Security Configuration Manager
The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.
For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](https://technet.microsoft.com/library/cc758219(WS.10).aspx).
For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc758219(v=ws.10)).
The following table lists the features of the Security Configuration Manager.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Security Configuration Manager tools</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><a href="#bkmk-seccfgana" data-raw-source="[Security Configuration and Analysis](#bkmk-seccfgana)">Security Configuration and Analysis</a></p></td>
<td align="left"><p>Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="#bkmk-sectmpl" data-raw-source="[Security templates](#bkmk-sectmpl)">Security templates</a></p></td>
<td align="left"><p>Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="#bkmk-secextensions" data-raw-source="[Security Settings extension to Group Policy](#bkmk-secextensions)">Security Settings extension to Group Policy</a></p></td>
<td align="left"><p>Edits individual security settings on a domain, site, or organizational unit.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="#bkmk-localsecpol" data-raw-source="[Local Security Policy](#bkmk-localsecpol)">Local Security Policy</a></p></td>
<td align="left"><p>Edits individual security settings on your local computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Secedit</p></td>
<td align="left"><p>Automates security configuration tasks at a command prompt.</p></td>
</tr>
</tbody>
</table>
|Security Configuration Manager tools |Description |
|---------|---------|
|[Security Configuration and Analysis](#security-configuration-and-analysis) |Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.|
|[Security templates](#security-templates) |Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.|
|[Security Settings extension to Group Policy](#security-settings-extension-to-group-policy) |Edits individual security settings on a domain, site, or organizational unit.|
|[Local Security Policy](#local-security-policy)|Edits individual security settings on your local computer.|
|Secedit |Automates security configuration tasks at a command prompt.|
### <a href="" id="bkmk-seccfgana"></a>Security Configuration and Analysis
Security Configuration and Analysis is an MMC snap-in for analyzing and configuring local system security.
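Review bot: In the new Security Configuration Manager table the rows for "Security Configuration and Analysis" and "Security templates" carry the identical description, "Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer." That was copied over from the HTML table, but it contradicts the section text just below, which describes Security Configuration and Analysis as "an MMC snap-in for analyzing and configuring local system security". Suggest using that description in the first row. Also, the paragraph above says "The Security Policy Wizard configures services" where the rest of the section calls the tool the Security Configuration Wizard.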
@ -238,19 +169,19 @@ To apply a security template to your local device, you can use Security Configur
Security templates can be used to define:
- Account Policies
- Password Policy
- Account Lockout Policy
- Kerberos Policy
- Local Policies
- Audit Policy
- User Rights Assignment
- Security Options
- Event Log: Application, system, and security Event Log settings
- Restricted Groups: Membership of security-sensitive groups
- System Services: Startup and permissions for system services
- Registry: Permissions for registry keys
- File System: Permissions for folders and files
- Account Policies
- Password Policy
- Account Lockout Policy
- Kerberos Policy
- Local Policies
- Audit Policy
- User Rights Assignment
- Security Options
- Event Log: Application, system, and security Event Log settings
- Restricted Groups: Membership of security-sensitive groups
- System Services: Startup and permissions for system services
- Registry: Permissions for registry keys
- File System: Permissions for folders and files
Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template.
@ -260,15 +191,15 @@ Organizational units, domains, and sites are linked to Group Policy Objects. The
Security settings or security policies are rules that are configured on a device or multiple device for protecting resources on a device or network. Security settings can control:
- How users are authenticated to a network or device
- What resources users are authorized to use.
- Whether or not a user's or group's actions are recorded in the event log.
- Group membership.
- How users are authenticated to a network or device
- What resources users are authorized to use.
- Whether or not a user's or group's actions are recorded in the event log.
- Group membership.
You can change the security configuration on multiple computers in two ways:
- Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object.
- Change a few select settings with security settings.
- Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object.
- Change a few select settings with security settings.
### <a href="" id="bkmk-localsecpol"></a>Local Security Policy
@ -276,59 +207,61 @@ A security policy is a combination of security settings that affect the security
With the local security policy, you can control:
- Who accesses your device.
- What resources users are authorized to use on your device.
- Whether or not a users or group's actions are recorded in the event log.
- Who accesses your device.
- What resources users are authorized to use on your device.
- Whether or not a user's or group's actions are recorded in the event log.
If your local device is joined to a domain, you are subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you are a member of. If you are getting a policy from more than one source, conflicts are resolved in the following order of precedence.
1. Organizational unit policy
2. Domain policy
3. Site policy
4. Local computer policy
1. Organizational unit policy
1. Domain policy
1. Site policy
1. Local computer policy
If you modify the security settings on your local device by using the local security policy, then you are directly modifying the settings on your device. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts.
### Using the Security Configuration Manager
For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](https://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about:
For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784762(v=ws.10)). This section contains information in this topic about:
- [Applying security settings](#bkmk-applysecsettings)
- [Importing and exporting security templates](#bkmk-impexpsectmpl)
- [Analyzing security and viewing results](#bkmk-anasecviewresults)
- [Resolving security discrepancies](#bkmk-resolvesecdiffs)
- [Automating security configuration tasks](#bkmk-autoseccfgtasks)
- [Applying security settings](#applying-security-settings)
- [Importing and exporting security templates](#importing-and-exporting-security-templates)
- [Analyzing security and viewing results](#analyzing-security-and-viewing-results)
- [Resolving security discrepancies](#resolving-security-discrepancies)
- [Automating security configuration tasks](#automating-security-configuration-tasks)
### <a href="" id="bkmk-applysecsettings"></a>Applying security settings
Once you have edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object:
- When a device is restarted, the settings on that device will be refreshed.
- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe.
- When a device is restarted, the settings on that device will be refreshed.
- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe.
**Precedence of a policy when more than one policy is applied to a computer**
For security settings that are defined by more than one policy, the following order of precedence is observed:
1. Organizational Unit Policy
2. Domain Policy
3. Site Policy
4. Local computer Policy
1. Organizational Unit Policy
1. Domain Policy
1. Site Policy
1. Local computer Policy
For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override
both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence.
> **Note**  Use gpresult.exe to find out what policies are applied to a device and in what order.
> [!NOTE]
> Use gpresult.exe to find out what policies are applied to a device and in what order.
For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.
**Persistence in security settings**
Security settings may still persist even if a setting is no longer defined in the policy that originally applied it.
Persistence in security settings occurs when:
- The setting has not been previously defined for the device.
- The setting is for a registry object.
- The setting is for a file system object.
- The setting has not been previously defined for the device.
- The setting is for a registry object.
- The setting is for a file system object.
All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database, then the setting does not revert to anything and remains defined as is. This behavior is sometimes called "tattooing."
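Review bot: The five in-page links under "Using the Security Configuration Manager" now target heading slugs such as #applying-security-settings, but the target headings still carry explicit anchors (for example id="bkmk-applysecsettings" on "Applying security settings"). Please confirm that the build generates those slugs for headings that begin with an inline <a> tag, otherwise all five links break. If the slugs do resolve, say whether the bkmk- ids are kept on purpose for inbound links from other pages. Separately, the sentence ending "will override" is still broken across two lines before "both the domain and local settings" and could be joined in this pass.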
@ -350,42 +283,14 @@ Security Configuration and Analysis performs security analysis by comparing the
Security Configuration and Analysis displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas. To change the analysis database settings, right-click the entry, and then click **Properties**.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Visual flag</th>
<th align="left">Meaning</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Red X</p></td>
<td align="left"><p>The entry is defined in the analysis database and on the system, but the security setting values do not match.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Green check mark</p></td>
<td align="left"><p>The entry is defined in the analysis database and on the system and the setting values match.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Question mark</p></td>
<td align="left"><p>The entry is not defined in the analysis database and, therefore, was not analyzed.</p>
<p>If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Exclamation point</p></td>
<td align="left"><p>This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>No highlight</p></td>
<td align="left"><p>The item is not defined in the analysis database or on the system.</p></td>
</tr>
</tbody>
</table>
|Visual flag |Meaning |
|---------|---------|
|Red X |The entry is defined in the analysis database and on the system, but the security setting values do not match.|
|Green check mark |The entry is defined in the analysis database and on the system and the setting values match.|
|Question mark |The entry is not defined in the analysis database and, therefore, was not analyzed. <br> If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.|
|Exclamation point |This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.|
|No highlight |The item is not defined in the analysis database or on the system.|
If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis.
To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template.
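Review bot: In the converted Markdown table, the "Question mark" row states the same cause twice: "not defined in the analysis database and, therefore, was not analyzed" and then, after the <br>, "it may be that it was not defined in the analysis database". Keep the first sentence and reduce the second to the cause that is actually new, that the user running the analysis may lack permission on the object or area, since that is the case an administrator needs to recognize. The "Exclamation point" and "No highlight" rows also say "item" where the other rows say "entry"; pick one term.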
@ -394,11 +299,12 @@ To avoid continued flagging of settings that you have investigated and determine
You can resolve discrepancies between analysis database and system settings by:
- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**.
- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels.
- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**.
- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels.
- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies.
In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
### <a href="" id="bkmk-autoseccfgtasks"></a>Automating security configuration tasks
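Review bot: Splitting the **Configure Computer Now** paragraph in two reads better, but the first of the new paragraphs keeps a pronoun mismatch and a misplaced example: "when the Group Policy settings are applied, it will take precedence over local settings—such as account policies". The subject is plural, and account policies are the example of what Group Policy controls, not of local settings. Suggest "Otherwise, Group Policy settings, such as account policies, will take precedence over the local settings when they are applied."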

View File

@ -20,7 +20,8 @@ ms.date: 04/19/2017
# Security policy settings
**Applies to**
- Windows 10
- Windows 10
This reference topic describes the common scenarios, architecture, and processes for security settings.
@ -28,43 +29,43 @@ Security policy settings are rules that administrators configure on a computer o
Security settings can control:
- User authentication to a network or device.
- The resources that users are permitted to access.
- Whether to record a users or groups actions in the event log.
- Membership in a group.
- User authentication to a network or device.
- The resources that users are permitted to access.
- Whether to record a user's or group's actions in the event log.
- Membership in a group.
To manage security configurations for multiple devices, you can use one of the following options:
- Edit specific security settings in a GPO.
- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to analyze security.
- Edit specific security settings in a GPO.
- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to analyze security.
For more info about managing security configurations, see [Administer security policy settings](administer-security-policy-settings.md).
The Security Settings extension of the Local Group Policy Editor includes the following types of security policies:
- **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies:
- **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies:
- **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts.
- **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts.
- **Kerberos Policy.** These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement.
- **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts.
- **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts.
- **Kerberos Policy.** These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement.
- **Local Policies.** These policies apply to a computer and include the following types of policy settings:
- **Local Policies.** These policies apply to a computer and include the following types of policy settings:
- **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both).
>**Note:**  For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies.
- **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device
- **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on.
- **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both).
- **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network.
- **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices.
- **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings.
- **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site.
- **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files.
- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address.
- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under
Local Policies.
> [!NOTE]
> For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies.
- **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device
- **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on.
- **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network.
- **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices.
- **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings.
- **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site.
- **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files.
- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address.
- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies.
## Policy-based security settings management
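Review bot: The rewritten "Account Policies" bullet still carries the typo "These polices are defined on devices"; it should be "policies", and since the line is being replaced anyway this is the place to fix it. In the same list, the converted note reads "we recommend to use the settings under Advanced Audit Policy Configuration", which should be "we recommend using", and the "Audit Policy" bullet mixes "Specify security settings" with "and specifies what types". Please also check in the rendered output that the [!NOTE] block sits under the "Audit Policy" item rather than breaking the list before "User Rights Assignment".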
@ -80,72 +81,72 @@ As part of your security strategy, you can create GPOs with security settings po
You can create an organizational unit (OU) structure that groups devices according to their roles. Using OUs is the best method for separating specific security requirements for the different roles in your network. This approach also allows you to apply customized security templates to each class of server or computer. After creating the security templates, you create a new GPO for each of the OUs, and then import the security template (.inf file) into the new GPO.
Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the templates security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random
offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred.
Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template's security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred.
> [!NOTE]
> These refresh settings vary between versions of the operating system and can be configured.
>**Note:**  These refresh settings vary between versions of the operating system and can be configured.
By using Group Policybased security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future.
### Dependencies on other operating system technologies
For devices that are members of a Windows Server 2008 or later domain, security settings policies depend on the following technologies:
- **Active Directory Domain Services (AD DS)**
- **Active Directory Domain Services (AD DS)**
The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon.
The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon.
- **Group Policy**
- **Group Policy**
The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server. By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security.
The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server. By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security.
- **Domain Name System (DNS)**
- **Domain Name System (DNS)**
A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses.
A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses.
- **Winlogon**
- **Winlogon**
A part of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers.
A part of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers.
- **Setup**
- **Setup**
Security configuration interacts with the operating system setup process during a clean installation or upgrade from earlier versions of Windows Server.
Security configuration interacts with the operating system setup process during a clean installation or upgrade from earlier versions of Windows Server.
- **Security Accounts Manager (SAM)**
- **Security Accounts Manager (SAM)**
A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs.
A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs.
- **Local Security Authority (LSA)**
- **Local Security Authority (LSA)**
A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system.
A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system.
- **Windows Management Instrumentation (WMI)**
- **Windows Management Instrumentation (WMI)**
A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers.
A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers.
- **Resultant Set of Policy (RSoP)**
- **Resultant Set of Policy (RSoP)**
An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device.
An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device.
- **Service Control Manager (SCM)**
- **Service Control Manager (SCM)**
Used for configuration of service startup modes and security.
Used for configuration of service startup modes and security.
- **Registry**
- **Registry**
Used for configuration of registry values and security.
Used for configuration of registry values and security.
- **File system**
- **File system**
Used for configuration of security.
Used for configuration of security.
- **File system conversions**
- **File system conversions**
Security is set when an administrator converts a file system from FAT to NTFS.
Security is set when an administrator converts a file system from FAT to NTFS.
- **Microsoft Management Console (MMC)**
- **Microsoft Management Console (MMC)**
The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC snap-in.
The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC snap-in.
### Security settings policies and Group Policy
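Review bot: The context line just after the converted note reads "By using Group Policybased security configurations", where the hyphen or dash has been lost; fix it to "Group Policy-based" while this paragraph is being touched. In the rewritten refresh paragraph, "refreshed at regular intervals (with a random offset of at most 30 minutes)" gives the offset but never the interval itself, while the 16-hour forced refresh is stated; either give the default interval or point to where it is configured, since the note below says these values can be changed.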
@ -153,25 +154,25 @@ The Security Settings extension of the Local Group Policy Editor is part of the
The following diagram shows Security Settings and related features.
**Security Settings Policies and Related Features**
#### Security Settings Policies and Related Features
![components related to security policies](images/secpol-components.gif)
- **Scesrv.dll**
- **Scesrv.dll**
Provides the core security engine functionality.
Provides the core security engine functionality.
- **Scecli.dll**
- **Scecli.dll**
Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP).
Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP).
- **Wsecedit.dll**
- **Wsecedit.dll**
The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to support the Security Settings user interface.
The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to support the Security Settings user interface.
- **Gpedit.dll**
- **Gpedit.dll**
The Local Group Policy Editor MMC snap-in.
The Local Group Policy Editor MMC snap-in.
## <a href="" id="w2k3tr-gpssp-how-ebls"></a>Security Settings extension architecture
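Review bot: Promoting the figure caption to "#### Security Settings Policies and Related Features" turns it into a section heading that will appear in the page outline, and it is in title case while the neighbouring headings use sentence case ("Security settings policies and Group Policy"). If it is meant as a caption for secpol-components.gif, keep it as bold text or fold it into the image alt text; if it is meant as a heading, match the case. The file names in this list are also cased inconsistently: the bold entries read "Scesrv.dll" and "Scecli.dll" while the description under Wsecedit.dll says "scecli.dll is loaded into wsecedit.dll".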
@ -185,57 +186,56 @@ The security settings configuration and analysis tools include a security config
The following list describes these primary features of the security configuration engine and other Security Settingsrelated features.
- **scesrv.dll**
- **scesrv.dll**
This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation.
This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation.
Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry.
Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry.
Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not.
Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not.
Communication between parts of the Security Settings extension occurs by using the following methods:
Communication between parts of the Security Settings extension occurs by using the following methods:
- Component Object Model (COM) calls
- Local Remote Procedure Call (LRPC)
- Lightweight Directory Access Protocol (LDAP)
- Active Directory Service Interfaces (ADSI)
- Server Message Block (SMB)
- Win32 APIs
- Windows Management Instrumentation (WMI) calls
- Component Object Model (COM) calls
- Local Remote Procedure Call (LRPC)
- Lightweight Directory Access Protocol (LDAP)
- Active Directory Service Interfaces (ADSI)
- Server Message Block (SMB)
- Win32 APIs
- Windows Management Instrumentation (WMI) calls
On domain controllers, scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process scecli.dll template modification APIs.
Scesrv.dll also performs configuration and analysis operations.
On domain controllers, scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process scecli.dll template modification APIs.
Scesrv.dll also performs configuration and analysis operations.
- **Scecli.dll**
- **Scecli.dll**
This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files.
This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files.
The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll.
The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll.
Scecli.dll implements the client-side extension for Group Policy.
Scecli.dll implements the client-side extension for Group Policy.
Scesrv.dll uses scecli.dll to download applicable Group Policy files from SYSVOL in order to apply Group Policy security settings to the local device.
Scesrv.dll uses scecli.dll to download applicable Group Policy files from SYSVOL in order to apply Group Policy security settings to the local device.
Scecli.dll logs application of security policy into WMI (RSoP).
Scecli.dll logs application of security policy into WMI (RSoP).
Scesrv.dll policy filter uses scecli.dll to update Default Domain Controller Policy GPO when changes are made to SAM and LSA.
Scesrv.dll policy filter uses scecli.dll to update Default Domain Controller Policy GPO when changes are made to SAM and LSA.
- **Wsecedit.dll**
- **Wsecedit.dll**
The Security Settings extension of the Group Policy Object Editor snap-in. You use this tool to configure security settings in a Group Policy Object for a site, domain, or organizational unit. You can also use Security Settings to import security templates to a GPO.
The Security Settings extension of the Group Policy Object Editor snap-in. You use this tool to configure security settings in a Group Policy Object for a site, domain, or organizational unit. You can also use Security Settings to import security templates to a GPO.
- **Secedit.sdb**
- **Secedit.sdb**
This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes.
This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes.
- **User databases**
- **User databases**
A user database is any database other than the system database created by administrators for the purposes of configuration or analysis of security.
A user database is any database other than the system database created by administrators for the purposes of configuration or analysis of security.
- **.Inf Templates**
- **.Inf Templates**
These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into
the system database during policy propagation.
These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation.
## <a href="" id="w2k3tr-gpssp-how-hjxe"></a>Security settings policy processes and interactions
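Review bot: The DLL names on the lines rewritten in this hunk are cased inconsistently. The first bullet is "**scesrv.dll**" while the later bullets are "**Scecli.dll**" and "**Wsecedit.dll**", and the body text mixes "scecli.dll is loaded into Wsecedit.dll" with "Scecli.dll implements the client-side extension". Every one of these lines is already being touched for list formatting, so pick one casing and apply it throughout. The sentence "Scesrv.dll also performs configuration and analysis operations." also repeats what the earlier scesrv.dll paragraph says and could be dropped in the same pass.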
@ -245,39 +245,39 @@ For a domain-joined device, where Group Policy is administered, security setting
When a computer starts and a user logs on, computer policy and user policy are applied according to the following sequence:
1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start.
2. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors:
1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start.
1. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors:
- Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory.
- The location of the device in Active Directory.
- Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.
- Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory.
- The location of the device in Active Directory.
- Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.
3. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed.
4. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior.
5. The user presses CTRL+ALT+DEL to log on.
6. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect.
7. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors:
1. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed.
1. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior.
1. The user presses CTRL+ALT+DEL to log on.
1. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect.
1. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors:
- Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory.
- Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting.
- The location of the user in Active Directory.
- Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.
- Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory.
- Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting.
- The location of the user in Active Directory.
- Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done.
8. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed.
9. Logon scripts run. Group Policybased logon scripts are hidden and asynchronous by default. The user object script runs last.
10. The operating system user interface that is prescribed by Group Policy appears.
1. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed.
1. Logon scripts run. Group Policybased logon scripts are hidden and asynchronous by default. The user object script runs last.
1. The operating system user interface that is prescribed by Group Policy appears.
### Group Policy Objects storage
A Group Policy Object (GPO) is a virtual object that is identified by a Globally Unique Identifier (GUID) and stored at the domain level. The policy setting information of a GPO is stored in the following two locations:
- **Group Policy containers in Active Directory.**
- **Group Policy containers in Active Directory.**
The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings.
The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings.
- **Group Policy templates in a domains system volume folder (SYSVOL).**
- **Group Policy templates in a domain's system volume folder (SYSVOL).**
The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the domain\\Policies subfolder.
The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the \<domain\>\\Policies subfolder.
The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GPO list, including the version number of the GPO, a pointer to a string that indicates the Active Directory portion of the GPO, and a pointer to a string that specifies the path to the file system portion of the GPO.
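Review bot: In the SYSVOL bullet, the new path is written as "\<domain\>\\Policies", which depends on backslash escapes for both the angle brackets and the path separator. Putting the path in inline code would let it be written literally and render the same everywhere, and it would make clear that "domain" is a placeholder rather than a literal folder name. The same hunk switches every ordered item to "1.", so check that the nested factor lists under the two "An ordered list of Group Policy Objects is obtained" steps stay indented under their parent item, otherwise the numbering restarts.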
@ -285,21 +285,21 @@ The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GP
Group Policy settings are processed in the following order:
1. **Local Group Policy Object.**
1. **Local Group Policy Object.**
Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally.
Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally.
2. **Site.**
1. **Site.**
Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify.
Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify.
3. **Domain.**
1. **Domain.**
Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy.
Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy.
4. **Organizational units.**
1. **Organizational units.**
Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed.
Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed.
At the level of each organizational unit in the Active Directory hierarchy, one, many, or no Group Policy Objects can be linked. If several Group Policy Objects are linked to an organizational unit, their processing is synchronous and in an order that you specify.
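Review bot: The Domain item carries a typo over unchanged into the new line: "Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy." The line is being rewritten anyway, so correct it to "specify", and consider "in an order that you specify" to match the wording of the Site item above it.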
@ -311,34 +311,34 @@ This is the default processing order and administrators can specify exceptions t
In the context of Group Policy processing, security settings policy is processed in the following order.
1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply.
2. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension.
3. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller.
4. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the “Group Policy processing order” section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged.
1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply.
1. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension.
1. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller.
1. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the "Group Policy processing order" section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged.
This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs.
This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs.
**Multiple GPOs and Merging of Security Policy**
**Multiple GPOs and Merging of Security Policy**
![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif)
![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif)
5. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb.
6. The security settings policies are applied to devices.
1. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb.
1. The security settings policies are applied to devices.
The following figure illustrates the security settings policy processing.
**Security Settings Policy Processing**
![process and interactions of security policy settin](images/secpol-processes.gif)
![process and interactions of security policy settings](images/secpol-processes.gif)
### Merging of security policies on domain controllers
Password policies, Kerberos, and some security options are only merged from GPOs that are linked at the root level on the domain. This is done to keep those settings synchronized across all domain controllers in the domain. The following security options are merged:
- Network Security: Force logoff when logon hours expire
- Accounts: Administrator account status
- Accounts: Guest account status
- Accounts: Rename administrator account
- Accounts: Rename guest account
- Network Security: Force logoff when logon hours expire
- Accounts: Administrator account status
- Accounts: Guest account status
- Accounts: Rename administrator account
- Accounts: Rename guest account
Another mechanism exists that allows security policy changes made by administrators by using net accounts to be merged into the Default Domain Policy GPO. User rights changes that are made by using Local Security Authority (LSA) APIs are filtered into the Default Domain Controllers Policy GPO.
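Review bot: The step list in this hunk is interrupted between the merge step and "The resultant security policies are stored in secedit.sdb" by an example paragraph, a bold caption and an image. With every item now written as "1.", the renderer continues the numbering only if that interposed content is indented as part of the preceding item. Confirm in the rendered preview that the last two steps come out as 5 and 6 and not as a new list starting at 1. The alt text fix from "settin" to "settings" looks right.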
@ -350,9 +350,9 @@ If an application is installed on a primary domain controller (PDC) with operati
After you have edited the security settings policies, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object in the following instances:
- When a device is restarted.
- Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable.
- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed.
- When a device is restarted.
- Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable.
- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed.
### Persistence of security settings policy
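Review bot: The third bullet still reads "By default, Security policy settings delivered by Group Policy are also applied every 16 hours", with a capital S in mid-sentence. The line is being re-indented in this hunk, so lowercase it to "security policy settings" to match the surrounding prose.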
@ -360,12 +360,12 @@ Security settings can persist even if a setting is no longer defined in the poli
Security settings might persist in the following cases:
- The setting has not been previously defined for the device.
- The setting is for a registry security object.
- The settings are for a file system security object.
- The setting has not been previously defined for the device.
- The setting is for a registry security object.
- The settings are for a file system security object.
All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is.
This behavior is sometimes referred to as “tattooing.”
All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is.
This behavior is sometimes referred to as "tattooing".
Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values.
@ -377,8 +377,9 @@ Both Apply Group Policy and Read permissions are required to have the settings f
By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or will not have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU.
**Note:**  Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it.
> [!NOTE]
> Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it.
### Migration of GPOs containing security settings
In some situations, you might want to migrate GPOs from one domain environment to another environment. The two most common scenarios are test-to-production migration, and production-to-production migration. The GPO copying process has implications for some types of security settings.
@ -387,12 +388,12 @@ Data for a single GPO is stored in multiple locations and in various formats; so
The following security policies can contain security principals and might require some additional work to successfully move them from one domain to another.
- User rights assignment
- Restricted groups
- Services
- File system
- Registry
- The GPO DACL, if you choose to preserve it during a copy operation
- User rights assignment
- Restricted groups
- Services
- File system
- Registry
- The GPO DACL, if you choose to preserve it during a copy operation
To ensure that data is copied correctly, you can use Group Policy Management Console (GPMC). When migrating a GPO from one domain to another, GPMC ensures that all relevant data is properly copied. GPMC also offers migration tables, which can be used to update domain-specific data to new values as part of the migration process. GPMC hides much of the complexity involved in the migrating GPO operations, and it provides simple and reliable mechanisms for performing operations such as copy and backup of GPOs.
@ -400,6 +401,6 @@ To ensure that data is copied correctly, you can use Group Policy Management Con
| Topic | Description |
| - | - |
| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.|
| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.|
| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|
| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.|
| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.|
| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|

View File

@ -14,14 +14,13 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 08/17/2017
---
# Basic Firewall Policy Design
**Applies to**
- Windows 10
- Windows Server 2016
- Windows 10
- Windows Server 2016
Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization.
@ -31,19 +30,20 @@ Traffic can be blocked or permitted based on the characteristics of each network
Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy:
- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device.
- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device.
- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you.
- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you.
For example, when you install a server role, the appropriate firewall rules are created and enabled automatically.
For example, when you install a server role, the appropriate firewall rules are created and enabled automatically.
- For other standard network behavior, the predefined rules that are built into Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can easily be configured in a GPO and deployed to the devices in your organization.
- For other standard network behavior, the predefined rules that are built into Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization.
For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network.
>**Caution:**  Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft.
> [!CAUTION]
> Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft.
By default, in new installations, Windows Defender Firewall with Advanced Security is turned on in Windows Server 2012, Windows 8, and later.
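Review bot: The updated list of operating systems with predefined rules adds Windows 10 and drops Windows Vista, but it still omits Windows Server 2016, which this same file names under "Applies to" next to Windows 10. Add it, or replace the enumeration with wording that does not need updating per release. The nearby context sentence "Therefore, we recommended that you enable the firewall" should read "we recommend" and could be fixed in this pass.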
@ -55,20 +55,22 @@ An organization typically uses this design as a first step toward a more compreh
After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization.
>**Important:**  If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
> [!IMPORTANT]
> If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules.
For more information about this design:
- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md).
- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md).
- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md).
- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md).
- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md).
- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md).
- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
**Next:** [Domain Isolation Policy Design](domain-isolation-policy-design.md)
> [!div class="nextstepaction"]
> [Domain Isolation Policy Design](domain-isolation-policy-design.md)