mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-17 19:33:37 +00:00
Merged PR 14945: master
This commit is contained in:
Joey Caparas
@ -95,6 +95,7 @@ This policy setting controls whether the elevation request prompt is displayed o
|
||||
|
||||
- **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
|
||||
- **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
|
||||
|
||||
## User Account Control: Virtualize file and registry write failures to per-user locations
|
||||
|
||||
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.
|
||||
|
||||
@ -10,7 +10,7 @@ ms.author: pashort
|
||||
manager: elizapo
|
||||
ms.reviewer:
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 01/26/2019
|
||||
ms.date: 03/21/2019
|
||||
---
|
||||
|
||||
# VPN and conditional access
|
||||
@ -32,11 +32,7 @@ Conditional Access Platform components used for Device Compliance include the fo
|
||||
|
||||
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
|
||||
|
||||
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used.
|
||||
|
||||
Additional details regarding the Azure AD issued short-lived certificate:
|
||||
- The default lifetime is 60 minutes and is configurable
|
||||
- When that certificate expires, the client will again check with Azure AD so that continued health can be validated before a new certificate is issued allowing continuation of the connection
|
||||
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued.
|
||||
|
||||
- [Microsoft Intune device compliance policies](https://docs.microsoft.com/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
|
||||
|
||||
|
||||
@ -73,8 +73,8 @@
|
||||
|
||||
|
||||
#### [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)
|
||||
##### [Threat analytics](windows-defender-atp/threat-analytics.md)
|
||||
###### [Threat analytics for Spectre and Meltdown](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
#### [Threat analytics](windows-defender-atp/threat-analytics.md)
|
||||
|
||||
#### [Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md)
|
||||
##### [Query data using Advanced hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md)
|
||||
###### [Advanced hunting reference](windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
@ -48,15 +48,17 @@ To learn more about supply chain attacks, read this blog post called [attack inc
|
||||
|
||||
### For software vendors and developers
|
||||
|
||||
* Take steps to ensure your apps are not compromised.
|
||||
|
||||
* Maintain a secure and up-to-date infrastructure. Restrict access to critical build systems.
|
||||
* Maintain a highly secure build and update infrastructure.
|
||||
* Immediately apply security patches for OS and software.
|
||||
|
||||
* Implement mandatory integrity controls to ensure only trusted tools run.
|
||||
* Require multi-factor authentication for admins.
|
||||
|
||||
* Build secure software update processes as part of the software development lifecycle.
|
||||
* Build secure software updaters as part of the software development lifecycle.
|
||||
* Require SSL for update channels and implement certificate pinning.
|
||||
* Sign everything, including configuration files, scripts, XML files, and packages.
|
||||
* Check for digital signatures, and don’t let the software updater accept generic input and commands.
|
||||
|
||||
* Develop an incident response process for supply chain attacks.
|
||||
* Disclose supply chain incidents and notify customers with accurate and timely information
|
||||
|
||||
For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md).
|
||||
@ -15,12 +15,12 @@ ms.topic: conceptual
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
# Network security: Configure encryption types allowed for Kerberos Win7 only
|
||||
# Network security: Configure encryption types allowed for Kerberos
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting.
|
||||
Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting.
|
||||
|
||||
## Reference
|
||||
|
||||
@ -67,9 +67,9 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
|
||||
| Default domain policy| Not defined|
|
||||
| Default domain controller policy| Not defined|
|
||||
| Stand-alone server default settings | Not defined|
|
||||
| Domain controller effective default settings | None of these encryption types that are available in this policy are allowed.|
|
||||
| Member server effective default settings | None of these encryption types that are available in this policy are allowed.|
|
||||
| Effective GPO default settings on client computers | None of these encryption types that are available in this policy are allowed.|
|
||||
| Domain controller effective default settings | The default OS setting applies, DES suites are not supported by default.|
|
||||
| Member server effective default settings | The default OS setting applies, DES suites are not supported by default.|
|
||||
| Effective GPO default settings on client computers | The default OS setting applies, DES suites are not supported by default.|
|
||||
|
||||
## Security considerations
|
||||
|
||||
|
||||
@ -171,7 +171,7 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t
|
||||
|
||||
|
||||
8. Change **Assignment type=Required**.
|
||||
9. Click **Included Groups**. Select M**ake this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
|
||||
9. Click **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
|
||||
|
||||
|
||||
|
||||
@ -473,17 +473,17 @@ Or, from a command line:
|
||||
|
||||
## Known issues
|
||||
- Microsoft Defender ATP is not yet optimized for performance or disk space.
|
||||
- Centrally managed uninstall using Intune/JAMF is still in development. To uninstall (as a workaround an uninstall action has to be completed on each client device).
|
||||
- Centrally managed uninstall using Intune/JAMF is still in development. To uninstall (as a workaround) an uninstall action has to be completed on each client device).
|
||||
- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only.
|
||||
- Full Windows Defender ATP integration is not yet available
|
||||
- Not localized yet
|
||||
- There might be accessibility issues
|
||||
|
||||
### Installation issues
|
||||
If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. You can also contact xplatpreviewsupport@microsoft.com for support on onboarding issues.
|
||||
If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. You can also contact _**xplatpreviewsupport@microsoft.com**_ for support on onboarding issues.
|
||||
|
||||
|
||||
For feedback on the preview, contact: mdatpfeedback@microsoft.com.
|
||||
For feedback on the preview, contact: _**mdatpfeedback@microsoft.com**_.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -70,8 +70,8 @@
|
||||
|
||||
|
||||
### [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md)
|
||||
#### [Threat analytics](threat-analytics.md)
|
||||
#### [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
### [Threat analytics](threat-analytics.md)
|
||||
|
||||
|
||||
|
||||
### [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
@ -14,7 +14,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 30/07/2018
|
||||
---
|
||||
|
||||
# Supported Windows Defender ATP query APIs
|
||||
|
||||
@ -67,7 +67,15 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
|
||||
|
||||
1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
|
||||
|
||||
2. Select **Create a supression rule**.
|
||||
2. Select **Create a suppression rule**.
|
||||
|
||||
You can create a suppression rule based on the following attributes:
|
||||
|
||||
* File hash
|
||||
* File name - wild card supported
|
||||
* File path - wild card supported
|
||||
* IP
|
||||
* URL - wild card supported
|
||||
|
||||
3. Select the **Trigerring IOC**.
|
||||
|
||||
|
||||
@ -14,7 +14,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 30/07/2018
|
||||
---
|
||||
|
||||
# Create custom reports using Power BI (app authentication)
|
||||
|
||||
@ -14,7 +14,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 30/07/2018
|
||||
---
|
||||
|
||||
# Create custom reports using Power BI (user authentication)
|
||||
|
||||
@ -14,7 +14,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 30/07/2018
|
||||
---
|
||||
|
||||
# Advanced Hunting using Python
|
||||
|
||||
@ -1,57 +0,0 @@
|
||||
---
|
||||
title: Threat analytics for Spectre and Meltdown
|
||||
description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization.
|
||||
keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 09/03/2018
|
||||
---
|
||||
|
||||
# Threat analytics for Spectre and Meltdown
|
||||
**Applies to:**
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
The **Threat analytics** dashboard provides insight on how emerging threats affect your organization. It provides information that's specific for your organization.
|
||||
|
||||
[Spectre and Meltdown](https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/) is a new class of exploits that take advantage of critical vulnerabilities in the CPU processors, allowing attackers running user-level, non-admin code to steal data from kernel memory. These exploits can potentially allow arbitrary non-admin code running on a host machine to harvest sensitive data belonging to other apps or system processes, including apps on guest VMs.
|
||||
|
||||
Mitigating these vulnerabilities involves a complex multivendor update. It requires updates to Windows and Microsoft browsers using the [January 2018 Security Updates from Microsoft](https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/858123b8-25ca-e711-a957-000d3a33cf99) and updates to processor microcode using fixes released by OEM and CPU vendors.
|
||||
|
||||
## Prerequisites
|
||||
Note the following requirements and limitations of the charts and what you might be able to do to improve visibility of the mitigation status of machines in your network:
|
||||
|
||||
- Only active machines running Windows 10 are checked for OS mitigations.
|
||||
- When checking for microcode mitgations, Windows Defender ATP currently checks for updates applicable to Intel CPU processors only.
|
||||
- To determine microcode mitigation status, machines must enable Windows Defender Antivirus and update to Security intelligence version 1.259.1545.0 or above.
|
||||
- To be covered under the overall mitigation status, machines must have both OS and microcode mitigation information.
|
||||
|
||||
## Assess organizational risk with Threat analytics
|
||||
|
||||
Threat analytics helps you continually assess and control risk exposure to Spectre and Meltdown. Use the charts to quickly identify machines for the presence or absence of the following mitigations:
|
||||
|
||||
- **OS mitigation**: Identifies machines that have installed the January 2018 Security Updates from Microsoft and have not explicitly disabled any of the OS mitigations provided with these updates
|
||||
- **Microcode mitigation**: Identifies machines that have installed the necessary microcode updates or those that do not require them
|
||||
- **Overall mitigation status**: Identifies the completeness by which machines have mitigated against the Spectre and Meltdown exploits
|
||||
|
||||
|
||||
To access Threat analytics, from the navigation pane select **Dashboards** > **Threat analytics**.
|
||||
|
||||
Click a section of each chart to get a list of the machines in the corresponding mitigation status.
|
||||
|
||||
## Related topics
|
||||
- [Threat analytics](threat-analytics.md)
|
||||
- [Overview of Secure Score in Windows Defender Security Center](overview-secure-score-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure the security controls in Secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
@ -37,7 +37,7 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua
|
||||
|
||||
## Requirements
|
||||
|
||||
Network protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection.
|
||||
Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection.
|
||||
|
||||
Windows 10 version | Windows Defender Antivirus
|
||||
- | -
|
||||
|
||||
@ -36,7 +36,7 @@ There are four steps to troubleshooting these problems:
|
||||
Attack surface reduction rules will only work on devices with the following conditions:
|
||||
|
||||
>[!div class="checklist"]
|
||||
> - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update).
|
||||
> - Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
|
||||
> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
|
||||
> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
|
||||
> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
|
||||
|
||||
@ -60,7 +60,7 @@ This section covers requirements for each feature in Windows Defender EG.
|
||||
| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 |
|
||||
| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: |
|
||||
| Exploit protection |  |  |  |  |
|
||||
| Attack surface reduction rules |  |  |  |  |
|
||||
| Attack surface reduction rules |  |  |  |  |
|
||||
| Network protection |  |  |  |  |
|
||||
| Controlled folder access |  |  |  |  |
|
||||
|
||||
|
||||
Reference in New Issue
Block a user