deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-7714784-wincomdocs-hub-page

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-06-20 07:46:21 -04:00
commit a1f0cb7982
4 changed files with 57 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
windows/client-management/mdm/vpnv2-csp.md
View File

@ -1090,7 +1090,7 @@ Nodes under SSO can be used to choose a certificate different from the VPN Authe
<!-- Device-{ProfileName}-DeviceCompliance-Sso-Eku-Description-Begin -->
<!-- Description-Source-DDF -->
Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.
Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
<!-- Device-{ProfileName}-DeviceCompliance-Sso-Eku-Description-End -->
<!-- Device-{ProfileName}-DeviceCompliance-Sso-Eku-Editable-Begin -->
@ -1222,7 +1222,7 @@ First, it automatically becomes an always on profile.
Second, it doesn't require the presence or logging in of any user to the machine in order for it to connect.
Third, no other Device Tunnel profile maybe be present on the same machine.
Third, no other Device Tunnel profile may be present on the same machine.
A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
<!-- Device-{ProfileName}-DeviceTunnel-Description-End -->
@ -1587,7 +1587,7 @@ Boolean to determine whether this domain name rule will trigger the VPN.
<!-- Device-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Description-Begin -->
<!-- Description-Source-DDF -->
Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
Comma Separated list of IP addresses for the DNS Servers to use for the domain name.
<!-- Device-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Description-End -->
<!-- Device-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Editable-Begin -->
@ -1792,7 +1792,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
<!-- Device-{ProfileName}-EdpModeId-Description-Begin -->
<!-- Description-Source-DDF -->
Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
<!-- Device-{ProfileName}-EdpModeId-Description-End -->
<!-- Device-{ProfileName}-EdpModeId-Editable-Begin -->
@ -2768,8 +2768,10 @@ Required for native profiles. Type of tunneling protocol used.
<!-- Device-{ProfileName}-NativeProfile-NativeProtocolType-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Using NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
> [!NOTE]
> For a Device Tunnel, use IKEv2 only.
> For a User Tunnel, any value is allowed.
> Using ProtocolList as value in NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
<!-- Device-{ProfileName}-NativeProfile-NativeProtocolType-Editable-End -->
<!-- Device-{ProfileName}-NativeProfile-NativeProtocolType-DFProperties-Begin -->
@ -2899,8 +2901,10 @@ List of inbox VPN protocols in priority order.
<!-- Device-{ProfileName}-NativeProfile-ProtocolList-NativeProtocolList-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Up to 4 VPN protocols are supported. A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples).
> [!NOTE]
> For a User Tunnel up to 4 VPN protocols are supported.
> A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples).
> For a Device tunnel, we recommend using IKEv2 in NativeProtocolType instead of ProtocolList.
<!-- Device-{ProfileName}-NativeProfile-ProtocolList-NativeProtocolList-Editable-End -->
<!-- Device-{ProfileName}-NativeProfile-ProtocolList-NativeProtocolList-DFProperties-Begin -->
@ -3032,7 +3036,7 @@ Default 168, max 500000.
<!-- Device-{ProfileName}-NativeProfile-ProtocolList-RetryTimeInHours-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
RetryTimeInHours specifies the length of time Windows tries to use the last succesful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
RetryTimeInHours specifies the length of time Windows tries to use the last successful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
<!-- Device-{ProfileName}-NativeProfile-ProtocolList-RetryTimeInHours-Editable-End -->
<!-- Device-{ProfileName}-NativeProfile-ProtocolList-RetryTimeInHours-DFProperties-Begin -->
@ -3115,7 +3119,7 @@ Type of routing policy.
<!-- Device-{ProfileName}-NativeProfile-Servers-Description-Begin -->
<!-- Description-Source-DDF -->
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
<!-- Device-{ProfileName}-NativeProfile-Servers-Description-End -->
<!-- Device-{ProfileName}-NativeProfile-Servers-Editable-Begin -->
@ -5383,7 +5387,7 @@ Nodes under SSO can be used to choose a certificate different from the VPN Authe
<!-- User-{ProfileName}-DeviceCompliance-Sso-Eku-Description-Begin -->
<!-- Description-Source-DDF -->
Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication.
Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
<!-- User-{ProfileName}-DeviceCompliance-Sso-Eku-Description-End -->
<!-- User-{ProfileName}-DeviceCompliance-Sso-Eku-Editable-Begin -->
@ -5823,7 +5827,7 @@ Boolean to determine whether this domain name rule will trigger the VPN.
<!-- User-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Description-Begin -->
<!-- Description-Source-DDF -->
Comma Seperated list of IP addresses for the DNS Servers to use for the domain name.
Comma Separated list of IP addresses for the DNS Servers to use for the domain name.
<!-- User-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Description-End -->
<!-- User-{ProfileName}-DomainNameInformationList-{dniRowId}-DnsServers-Editable-Begin -->
@ -6028,7 +6032,7 @@ Web Proxy Server IP address if you are redirecting traffic through your intranet
<!-- User-{ProfileName}-EdpModeId-Description-Begin -->
<!-- Description-Source-DDF -->
Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
<!-- User-{ProfileName}-EdpModeId-Description-End -->
<!-- User-{ProfileName}-EdpModeId-Editable-Begin -->
@ -7004,8 +7008,10 @@ Required for native profiles. Type of tunneling protocol used.
<!-- User-{ProfileName}-NativeProfile-NativeProtocolType-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Using NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
> [!NOTE]
> For a Device Tunnel, use IKEv2 only.
> For a User Tunnel, any value is allowed.
> Using ProtocolList as value in NativeProtocolType requires additional configuration of the NativeProfile/ProtocolList parameter.
<!-- User-{ProfileName}-NativeProfile-NativeProtocolType-Editable-End -->
<!-- User-{ProfileName}-NativeProfile-NativeProtocolType-DFProperties-Begin -->
@ -7135,8 +7141,10 @@ List of inbox VPN protocols in priority order.
<!-- User-{ProfileName}-NativeProfile-ProtocolList-NativeProtocolList-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Up to 4 VPN protocols are supported. A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples).
> [!NOTE]
> For a User Tunnel up to 4 VPN protocols are supported.
> A separate entry is needed for every VPN protocol. For a sample format, see [Examples](#examples).
> For a Device tunnel, we recommend using IKEv2 in NativeProtocolType instead of ProtocolList.
<!-- User-{ProfileName}-NativeProfile-ProtocolList-NativeProtocolList-Editable-End -->
<!-- User-{ProfileName}-NativeProfile-ProtocolList-NativeProtocolList-DFProperties-Begin -->
@ -7268,7 +7276,7 @@ Default 168, max 500000.
<!-- User-{ProfileName}-NativeProfile-ProtocolList-RetryTimeInHours-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
RetryTimeInHours specifies the length of time Windows tries to use the last succesful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
RetryTimeInHours specifies the length of time Windows tries to use the last successful protocol when making a new connection. Setting this value to 0 disables remembering the last successful protocol.
<!-- User-{ProfileName}-NativeProfile-ProtocolList-RetryTimeInHours-Editable-End -->
<!-- User-{ProfileName}-NativeProfile-ProtocolList-RetryTimeInHours-DFProperties-Begin -->
@ -7351,7 +7359,7 @@ Type of routing policy.
<!-- User-{ProfileName}-NativeProfile-Servers-Description-Begin -->
<!-- Description-Source-DDF -->
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
<!-- User-{ProfileName}-NativeProfile-Servers-Description-End -->
<!-- User-{ProfileName}-NativeProfile-Servers-Editable-Begin -->

18
windows/security/breadcrumb/toc.yml
View File

@ -1,18 +0,0 @@
items:
- name: Docs
tocHref: /
topicHref: /
items:
- name: Windows
tocHref: /windows/
topicHref: /windows/resources/
items:
- name: Security
tocHref: /windows-server/security/credentials-protection-and-management/
topicHref: /windows/security/
- name: Security
tocHref: /windows-server/identity/laps/
topicHref: /windows/security/
- name: Security
tocHref: /azure/active-directory/authentication/
topicHref: /windows/security/

4
windows/security/context/context.yml
View File

@ -1,4 +0,0 @@
### YamlMime: ContextObject
brand: windows
breadcrumb_path: ../breadcrumb/toc.yml
toc_rel: ../toc.yml

30
windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
View File

@ -143,6 +143,36 @@ In general, to maintain maximum security, admins should only push firewall excep
> [!NOTE]
> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. We currently only support rules created using the full path to the application(s).
## Understand Group Policy Processing
The Windows Firewall settings configured via group policy are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset of 0 to 30 minutes.
When Windows Firewall checks the registry for any configuration changes, the *Windows Filtering Platform (WFP)* performs the following actions:
- Reads all firewall rules and settings
- Applies any new filters
- Removes the old filters
> [!NOTE]
> The actions are triggered regardless if there's a configuration change. During the process, IPsec connections are disconnected.
Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing`. The *Process even if the Group Policy objects have not changed* option updates and reapplies the policies even if the policies have not changed. This option is disabled by default.
If you enable the option *Process even if the Group Policy objects have not changed*, the WFP filters get reapplied during every background refresh. In case you have ten group policies, the WFP filters get reapplied ten times during the refresh interval. If an error happens during policy processing, the applied settings may be incomplete, resulting in issues like:
- Windows Defender Firewall blocks inbound or outbound traffic allowed by group policies
- Local Firewall settings are applied instead of group policy settings
- IPsec connections cannot establish
The temporary solution is to refresh the group policy settings, using the command `gpupdate.exe /force`, which requires connectivity to a domain controller.
To avoid the issue, leave the policy `Computer Configuration > Administrative Templates > System > Group Policy > Configure registry policy processing` to the default value of *Not Configured* or, if already configured, configure it *Disabled*.
> [!IMPORTANT]
> The checkbox next to **Process even if the Group Policy objects have not changed** must be unchecked. If you leave it unchecked, WFP filters are written only in case there's a configuration change.
>
> If there's a requirement to force registry deletion and rewrite, then disable background processing by checking the checkbox next to **Do not apply during periodic background processing**.
## Know how to use "shields up" mode for active attacks
An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.