From d6f0696d8a70d559187932a38ccc7ed82faf24d3 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 11 Mar 2019 12:07:23 -0700 Subject: [PATCH 01/51] fixing table --- .../applocker/requirements-to-use-applocker.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 97d032f8b6..40e43e69f7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/21/2017 +ms.date: 03/11/2019 --- # Requirements to use AppLocker 
@@ -31,14 +31,15 @@ To use AppLocker, you need: - For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules. - Devices running a supported operating system to enforce the AppLocker rules that you create. ->**Note:**  You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md). +>[!NOTE] +>You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).   ## Operating system requirements The following table show the on which operating systems AppLocker features are supported. | Version | Can be configured | Can be enforced | Available rules | Notes | -| - | - | - | - | - | +|---|---|---|---|---| | Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. | | Windows Server 2016
Windows Server 2012 R2
Windows Server 2012| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| | | Windows 8.1 Pro| Yes| No| N/A|| From 60d592e73539ef26b9ccb8115c243518b404fef3 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 11 Mar 2019 12:35:03 -0700 Subject: [PATCH 02/51] fixing table --- .../applocker/requirements-to-use-applocker.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 40e43e69f7..b237377624 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -36,7 +36,12 @@ To use AppLocker, you need:   ## Operating system requirements -The following table show the on which operating systems AppLocker features are supported. +The following table shows AppLocker features supported by different versions of Windows. + +| Version | Can be configured | Can be enforced | Available rules | Notes | +|---|---|---|---|---| +| Windows 10| Yes| Yes| Packaged apps
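Review bot: the context line `The following table show the on which operating systems AppLocker features are supported.` in the `@@ -31,14 +31,15 @@` hunk of PATCH 01 is ungrammatical, and this commit already rewrites the lines on either side of it (the `>[!NOTE]` conversion and the `|---|---|---|---|---|` separator row); fix the sentence here as well (e.g. `The following table shows the operating systems on which AppLocker features are supported.`) rather than leaving it for a follow-up commit. The header-separator change and the note conversion themselves are fine.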
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. | + | Version | Can be configured | Can be enforced | Available rules | Notes | |---|---|---|---|---| From 74eb898c4e50abb216f4c8c2b26e6d486e0d631b Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 11 Mar 2019 15:06:15 -0700 Subject: [PATCH 03/51] fixing table --- .../applocker/requirements-to-use-applocker.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index b237377624..9d9daa45dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -38,11 +38,6 @@ To use AppLocker, you need: The following table shows AppLocker features supported by different versions of Windows. -| Version | Can be configured | Can be enforced | Available rules | Notes | -|---|---|---|---|---| -| Windows 10| Yes| Yes| Packaged apps
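Review bot: the `@@ -36,7 +36,12 @@` hunk of PATCH 02 inserts a second copy of the table header plus the `| Windows 10| Yes| Yes| Packaged apps ...` row directly above the existing header, which is still present as trailing context (`| Version | Can be configured | Can be enforced | Available rules | Notes |` / `|---|---|---|---|---|`). The rendered page will therefore show the Windows 10 row twice and two stacked tables. Drop the added header and row lines; the only change this hunk needs is the sentence fix `+The following table shows AppLocker features supported by different versions of Windows.`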
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. | - - | Version | Can be configured | Can be enforced | Available rules | Notes | |---|---|---|---|---| | Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. | @@ -51,6 +46,12 @@ The following table shows AppLocker features supported by different versions of | Windows 8.1 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| | | Windows RT 8.1| No| No| N/A|| | Windows 8 Pro| Yes| No| N/A|| + + + + +| Version | Can be configured | Can be enforced | Available rules | Notes | +|---|---|---|---|---| | Windows 8 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL|| | Windows RT| No| No| N/A| | | Windows Server 2008 R2 Standard| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| From 41359995c5549d61a1d3f1356a9f0fa6da294ace Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 11 Mar 2019 15:08:09 -0700 Subject: [PATCH 04/51] fixing table --- .../applocker/requirements-to-use-applocker.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 9d9daa45dd..16a77a7d05 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -62,8 +62,7 @@ The following table shows AppLocker features supported by different versions of | Windows 7 Enterprise| Yes| Yes| Executable
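Review bot: in PATCH 03 the second hunk (`@@ -51,6 +46,12 @@`) inserts four blank lines and another header pair (`| Version | Can be configured | Can be enforced | Available rules | Notes |` / `|---|---|---|---|---|`) between the `Windows 8 Pro` and `Windows 8 Enterprise` rows. A blank line terminates a Markdown table, so this splits the OS-support table in two, with Windows 8 Enterprise, Windows RT and the Windows Server 2008 R2 rows rendering as a separate table. Remove the added blank lines and header so the table stays one contiguous block; the first hunk (`@@ -38,11 +38,6 @@`), which deletes the duplicate Windows 10 row introduced in PATCH 02, is the correct revert.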
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| | Windows 7 Professional| Yes| No| Executable
Windows Installer
Script
DLL| No AppLocker rules are enforced.|   - -AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems. +Previous versions of Windows can use Software Restriction Policies. ## See also - [Administer AppLocker](administer-applocker.md) From d138859da00c198106ee027c43cfaffb2930192f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 11 Mar 2019 15:28:56 -0700 Subject: [PATCH 05/51] new topic --- ...were-not-recommending-fips-mode-anymore.md | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md diff --git a/windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md b/windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md new file mode 100644 index 0000000000..3212c63026 --- /dev/null +++ b/windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md 
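Review bot: the replacement line `+Previous versions of Windows can use Software Restriction Policies.` in the `@@ -62,8 +62,7 @@` hunk of PATCH 04 drops two statements the removed sentence made: that AppLocker is not supported on Windows versions not listed in the table, and that the SRP Basic User feature is not supported on the listed operating systems. Unless those were meant to be retired, keep them, e.g. `AppLocker is not supported on versions of Windows not listed above; those versions can use Software Restriction Policies instead.` "Previous versions" is also less precise than "versions not listed above", which is what the table actually delimits.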
@@ -0,0 +1,46 @@ +--- +title: Why We’re Not Recommending "FIPS Mode" Anymore +description: This topic explains why Microsoft changed from recommending FIPS mode be enabled to Not Defined. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: aaronmar +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 03/11/2019 +--- + +# Why We’re Not Recommending “FIPS Mode” Anymore + +**Applies to** + - Windows 10 + - Windows Server + +In [the latest review of the official Microsoft security baselines](https://blogs.technet.microsoft.com/b/secguide/archive/2014/04/07/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11.aspx) for all versions of Windows client and Windows Server, we decided to remove our earlier recommendation to enable “FIPS mode”, or more precisely, the security option called “System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.” +In our previous guidance we had recommended a setting of “Enabled”, primarily to align with US Federal government recommendations. In our updated guidance, the recommendation is “Not Defined”, meaning that we leave the decision to customers. Many people will correctly see this as a significant change, and it deserves explanation. +The United States Federal Information Processing Standard (FIPS) 140 standard defines cryptographic algorithms approved for use by US Federal government computer systems for the protection of sensitive data. An implementation of an approved cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed National Institute of Standards and Technology (NIST) validation. A particular implementation of an algorithm that has not been submitted cannot be considered FIPS-compliant even if it produces identical data as a validated implementation of the same algorithm. 
Note that the requirement to use approved and validated algorithms applies only to the protection of sensitive data. Systems and applications are always free to use weak or non-validated cryptographic implementations for non-security purposes, such as in a hash table for indexing and lookup purposes. +What FIPS mode does +Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. An example is Schannel, which is the system component that provides SSL and TLS to applications. When FIPS mode is enabled, Schannel disallows SSL 2.0 and 3.0, protocols that fall short of the FIPS standards. Applications such as web browsers that use Schannel then cannot connect to HTTPS web sites that don’t use at least TLS 1.0. (Note that the same results can be achieved without FIPS mode by configuring Schannel according to KB 245030 and this blog post.) +Enabling FIPS mode also causes the .NET Framework to disallow the use of non-validated algorithms. (More on this later, under “Why FIPS mode is particularly onerous.”) +A more complete listing of the effects of enabling FIPS mode can be found in KB 811833. +What FIPS mode does not do +Beyond the effects described above, FIPS mode is merely advisory to applications. Applications that do not check or choose to ignore the registry setting associated with FIPS mode and that are not dependent on the subsystems described earlier will continue to work exactly as they had with FIPS mode disabled. For example, a Win32 application – or third party disk encryption software – written in C++ that uses the very weak and non-FIPS-approved DES encryption algorithm exposed by the CryptoAPI will behave exactly the same whether FIPS mode is enabled. +Further, FIPS mode does not and cannot ensure that applications even use encryption at all when appropriate. There is nothing Windows can do to prevent an application from saving plaintext passwords or other sensitive data in unprotected files or registry values. 
The bottom line here is that just because a software product works when FIPS mode is enabled does not mean that it adheres to government standards. +Why FIPS mode is particularly onerous +Perhaps the biggest problems incurred by enabling FIPS mode involve applications that use the .NET Framework. If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes. The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved. +For example, the .NET Framework currently provides three implementations of the SHA256 hashing algorithm: SHA256Cng, SHA256CryptoServiceProvider, and SHA256Managed. The first two use “platform invoke” (a.k.a., “p/invoke”) to use Windows’ underlying implementations, which are FIPS-validated. By contrast, SHA256Managed, like all the other crypto classes ending with “Managed”, is implemented strictly in .NET managed code and doesn’t use the underlying platform implementations. Although it is an acceptably strong hashing algorithm for most uses, the Managed implementations have never been submitted to NIST for validation. And so if an application tries to use this class and FIPS mode is enabled, the Framework will raise an exception and not allow the class to be used; this exception will almost always cause the application to fail, if not terminate immediately. +Compounding the problem is that in most cases the Managed implementations of the various cryptographic algorithms have been available much longer than their Cng and CryptoServiceProvider counterparts, and on top of that, the Managed implementations tend to be significantly faster. +Another significant problem with FIPS mode is that until very recently there was no NIST-approved way to derive an encryption key from a password. 
That blocked use of the Bitlocker Drive Encryption feature that stored a computer’s 48-character recovery password to Active Directory. Using the relatively new standard for password-based key derivation functions, this is no longer a problem with Windows 8.1 and Windows Server 2012 R2, but it remains a problem for older versions of Windows. +Finally, the .NET Framework’s enforcement of FIPS mode cannot tell whether any particular use of a cryptographic class is not for security purposes and thus not in violation of standards. +Is Microsoft contradicting government regulations? +Government regulations may continue to mandate that FIPS mode be enabled on government computers running Windows. Our updated recommendations do not contradict or conflict with government guidance: we’re not telling customers to turn it off – our recommendation is that it’s each customer’s decision to make. Our updated guidance reflects our belief there is not a compelling reason for our customers that are not subject to government regulations to enable FIPS mode. + +References: +FIPS 140 Evaluation +http://technet.microsoft.com/en-us/library/cc750357.aspx +"System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows +http://support.microsoft.com/kb/811833 \ No newline at end of file From 7fe06cc7650ccbe513cb0b6662a10ffa042ac63d Mon Sep 17 00:00:00 2001 
From: Justin Hall Date: Mon, 11 Mar 2019 15:56:05 -0700 Subject: [PATCH 06/51] added new file for baslines --- windows/security/threat-protection/TOC.md | 8 +- .../get-support-for-security-baselines.md | 0 .../security-compliance-toolkit-10.md | 0 ...were-not-recommending-fips-mode-anymore.md | 78 +++++++++++++++++++ .../windows-security-baselines.md | 0 5 files changed, 83 insertions(+), 3 deletions(-) rename windows/security/threat-protection/{ => windows-security-baselines}/get-support-for-security-baselines.md (100%) rename windows/security/threat-protection/{ => windows-security-baselines}/security-compliance-toolkit-10.md (100%) create mode 100644 windows/security/threat-protection/windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md rename windows/security/threat-protection/{ => windows-security-baselines}/windows-security-baselines.md (100%) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 177a70d01a..bf4d93e534 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -1010,9 +1010,11 @@ ###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md) -### [Windows security baselines](windows-security-baselines.md) -#### [Security Compliance Toolkit](security-compliance-toolkit-10.md) -#### [Get support](get-support-for-security-baselines.md) +### [Windows security baselines](windows-security-baselines/windows-security-baselines.md) +#### [Security Compliance Toolkit](windows-security-baselines/security-compliance-toolkit-10.md) +#### [Get support](windows-security-baselines/get-support-for-security-baselines.md) +####Windows Security Blog Posts +##### [Why We’re Not Recommending "FIPS Mode" Anymore]((windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md) ### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) 
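Review bot: both added TOC entries in the `@@ -1010,9 +1010,11 @@` hunk of PATCH 06 are malformed. `+####Windows Security Blog Posts` has no space after the hashes, so it will not render as a heading, and it is the only entry in the hunk without a link target; `+##### [Why We’re Not Recommending "FIPS Mode" Anymore]((windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md)` has a doubled opening parenthesis, which breaks the link. The three `rename ... (100%)` moves into `windows-security-baselines/` change the published URLs of existing pages; add redirection entries for the old paths in the same commit so inbound links do not break. The subject line also reads `baslines` for `baselines`.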
diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-baselines/get-support-for-security-baselines.md similarity index 100% rename from windows/security/threat-protection/get-support-for-security-baselines.md rename to windows/security/threat-protection/windows-security-baselines/get-support-for-security-baselines.md diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-baselines/security-compliance-toolkit-10.md similarity index 100% rename from windows/security/threat-protection/security-compliance-toolkit-10.md rename to windows/security/threat-protection/windows-security-baselines/security-compliance-toolkit-10.md diff --git a/windows/security/threat-protection/windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md b/windows/security/threat-protection/windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md new file mode 100644 index 0000000000..0ffa299ff9 --- /dev/null +++ b/windows/security/threat-protection/windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md 
@@ -0,0 +1,78 @@ +--- +title: Why We’re Not Recommending "FIPS Mode" Anymore +description: This topic explains why Microsoft changed from recommending FIPS mode be enabled to Not Defined. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: aaronmar +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 03/11/2019 +--- + +# Why We’re Not Recommending “FIPS Mode” Anymore + +**Applies to** + - Windows 10 + - Windows Server + +In [the latest review of the official Microsoft security baselines](https://blogs.technet.microsoft.com/b/secguide/archive/2014/04/07/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11.aspx) for all versions of Windows client and Windows Server, we decided to remove our earlier recommendation to enable “FIPS mode”, or more precisely, the security option called “System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.” +In our previous guidance we had recommended a setting of “Enabled”, primarily to align with US Federal government recommendations. +In our updated guidance, the recommendation is “Not Defined”, meaning that we leave the decision to customers. +Many people will correctly see this as a significant change, and it deserves explanation. + +The United States Federal Information Processing Standard (FIPS) 140 standard defines cryptographic algorithms approved for use by US Federal government computer systems for the protection of sensitive data. +An implementation of an approved cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed National Institute of Standards and Technology (NIST) validation. +A particular implementation of an algorithm that has not been submitted cannot be considered FIPS-compliant even if it produces identical data as a validated implementation of the same algorithm. 
Note that the requirement to use approved and validated algorithms applies only to the protection of sensitive data. +Systems and applications are always free to use weak or non-validated cryptographic implementations for non-security purposes, such as in a hash table for indexing and lookup purposes. + +## What FIPS mode does +Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. +An example is Schannel, which is the system component that provides SSL and TLS to applications. +When FIPS mode is enabled, Schannel disallows SSL 2.0 and 3.0, protocols that fall short of the FIPS standards. +Applications such as web browsers that use Schannel then cannot connect to HTTPS web sites that don’t use at least TLS 1.0. +(Note that the same results can be achieved without FIPS mode by configuring Schannel according to [KB 245030](http://support.microsoft.com/kb/245030) and [this blog post](https://blogs.technet.microsoft.com/b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx).) + +Enabling FIPS mode also causes the .NET Framework to disallow the use of non-validated algorithms. +(More on this [later](#why-fips-mode-is-particularly-onerous).) + +A more complete listing of the effects of enabling FIPS mode can be found in [KB 811833](https://blogs.technet.microsoft.com/b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx). + +## What FIPS mode does not do +Beyond the effects described above, FIPS mode is merely advisory to applications. +Applications that do not check or choose to ignore the registry setting associated with FIPS mode and that are not dependent on the subsystems described earlier will continue to work exactly as they had with FIPS mode disabled. 
+For example, a Win32 application−or third party disk encryption software−written in C++ that uses the very weak and non-FIPS-approved DES encryption algorithm exposed by the CryptoAPI will behave exactly the same whether FIPS mode is enabled. + +Further, FIPS mode does not and cannot ensure that applications even use encryption at all when appropriate. +There is nothing Windows can do to prevent an application from saving plaintext passwords or other sensitive data in unprotected files or registry values. +The bottom line here is that just because a software product works when FIPS mode is enabled does not mean that it adheres to government standards. + +## Why FIPS mode is particularly onerous +Perhaps the biggest problems incurred by enabling FIPS mode involve applications that use the .NET Framework. +If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes. +The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved. + +For example, the .NET Framework currently provides three implementations of the SHA256 hashing algorithm: SHA256Cng, SHA256CryptoServiceProvider, and SHA256Managed. +The first two use “platform invoke” (a.k.a., “p/invoke”) to use Windows’ underlying implementations, which are FIPS-validated. +By contrast, SHA256Managed, like all the other crypto classes ending with “Managed”, is implemented strictly in .NET managed code and doesn’t use the underlying platform implementations. +Although it is an acceptably strong hashing algorithm for most uses, the Managed implementations have never been submitted to NIST for validation. 
+And so if an application tries to use this class and FIPS mode is enabled, the Framework will raise an exception and not allow the class to be used; this exception will almost always cause the application to fail, if not terminate immediately. + +Compounding the problem is that in most cases the Managed implementations of the various cryptographic algorithms have been available much longer than their Cng and CryptoServiceProvider counterparts, and on top of that, the Managed implementations tend to be significantly faster. + +Another significant problem with FIPS mode is that until very recently there was no NIST-approved way to derive an encryption key from a password. That blocked use of the Bitlocker Drive Encryption feature that stored a computer’s 48-character recovery password to Active Directory. Using the relatively new standard for password-based key derivation functions, this is no longer a problem with Windows 8.1 and Windows Server 2012 R2, but it remains a problem for older versions of Windows. + +Finally, the .NET Framework’s enforcement of FIPS mode cannot tell whether any particular use of a cryptographic class is not for security purposes and thus not in violation of standards. + +## Is Microsoft contradicting government regulations? +Government regulations may continue to mandate that FIPS mode be enabled on government computers running Windows. +Our updated recommendations do not contradict or conflict with government guidance: we’re not telling customers to turn it off−our recommendation is that it’s each customer’s decision to make. +Our updated guidance reflects our belief there is not a compelling reason for our customers that are not subject to government regulations to enable FIPS mode. 
+ +References: +- [FIPS 140 Evaluation](https://docs.microsoft.com/windows/security/threat-protection/fips-140-validation) +- ["System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows](https://support.microsoft.com/help/811833/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashi) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines/windows-security-baselines.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines.md rename to windows/security/threat-protection/windows-security-baselines/windows-security-baselines.md From d4cfd584b5f9d273d275c622e8b1f859a81bfe00 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 11 Mar 2019 16:01:42 -0700 Subject: [PATCH 07/51] fixed table --- .../applocker/requirements-to-use-applocker.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 16a77a7d05..69566aa89f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -46,12 +46,6 @@ The following table shows AppLocker features supported by different versions of | Windows 8.1 Enterprise| Yes| Yes| Packaged apps
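Review bot: in the new `windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md` hunk of PATCH 06, the KB link in the "What FIPS mode does" section points at the wrong target: `[KB 811833](https://blogs.technet.microsoft.com/b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx)` reuses the askds blog URL from the previous paragraph, whereas the References list at the bottom correctly links KB 811833 to `https://support.microsoft.com/help/811833/...`; use the support URL in both places. The separators in `Win32 application−or third party disk encryption software−written` and `turn it off−our recommendation` are U+2212 minus signs, not dashes; use an en dash or rewrite the clause. This hunk also creates the file as a second copy while the PATCH 05 copy at `windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md` is left in place; make this a rename (or delete the old file) so there is a single source, and add the missing final newline.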
Executable
Windows Installer
Script
DLL| | | Windows RT 8.1| No| No| N/A|| | Windows 8 Pro| Yes| No| N/A|| - - - - -| Version | Can be configured | Can be enforced | Available rules | Notes | -|---|---|---|---|---| | Windows 8 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL|| | Windows RT| No| No| N/A| | | Windows Server 2008 R2 Standard| Yes| Yes| Executable
Windows Installer
Script
DLL| Packaged app rules will not be enforced.| From 6dbe62ed49ffe0572fe662fadb38f4b334eefd7c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 15 Mar 2019 14:33:50 -0700 Subject: [PATCH 08/51] edits --- ...were-not-recommending-fips-mode-anymore.md | 68 +++++++++++++------ ...were-not-recommending-fips-mode-anymore.md | 4 +- 2 files changed, 50 insertions(+), 22 deletions(-) diff --git a/windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md b/windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md index 3212c63026..dde671c924 100644 --- a/windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md +++ b/windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 03/11/2019 +ms.date: 03/15/2019 --- # Why We’re Not Recommending “FIPS Mode” Anymore 
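Review bot: the `@@ -46,12 +46,6 @@` hunk of PATCH 07 removes the blank lines and the repeated `| Version | ... |` / `|---|---|---|---|---|` header that PATCH 03 inserted mid-table, which is the right fix. Since PATCH 01, 02, 03, 04 and 07 all rewrite the same table in `requirements-to-use-applocker.md` and the intermediate commits leave it rendering as duplicated or split tables, squash them into a single "fix table" commit before merge so the history does not carry a broken page.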
@@ -22,25 +22,53 @@ ms.date: 03/11/2019 In [the latest review of the official Microsoft security baselines](https://blogs.technet.microsoft.com/b/secguide/archive/2014/04/07/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11.aspx) for all versions of Windows client and Windows Server, we decided to remove our earlier recommendation to enable “FIPS mode”, or more precisely, the security option called “System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.” In our previous guidance we had recommended a setting of “Enabled”, primarily to align with US Federal government recommendations. In our updated guidance, the recommendation is “Not Defined”, meaning that we leave the decision to customers. Many people will correctly see this as a significant change, and it deserves explanation. -The United States Federal Information Processing Standard (FIPS) 140 standard defines cryptographic algorithms approved for use by US Federal government computer systems for the protection of sensitive data. An implementation of an approved cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed National Institute of Standards and Technology (NIST) validation. A particular implementation of an algorithm that has not been submitted cannot be considered FIPS-compliant even if it produces identical data as a validated implementation of the same algorithm. Note that the requirement to use approved and validated algorithms applies only to the protection of sensitive data. Systems and applications are always free to use weak or non-validated cryptographic implementations for non-security purposes, such as in a hash table for indexing and lookup purposes. -What FIPS mode does -Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. An example is Schannel, which is the system component that provides SSL and TLS to applications. 
When FIPS mode is enabled, Schannel disallows SSL 2.0 and 3.0, protocols that fall short of the FIPS standards. Applications such as web browsers that use Schannel then cannot connect to HTTPS web sites that don’t use at least TLS 1.0. (Note that the same results can be achieved without FIPS mode by configuring Schannel according to KB 245030 and this blog post.) -Enabling FIPS mode also causes the .NET Framework to disallow the use of non-validated algorithms. (More on this later, under “Why FIPS mode is particularly onerous.”) -A more complete listing of the effects of enabling FIPS mode can be found in KB 811833. -What FIPS mode does not do -Beyond the effects described above, FIPS mode is merely advisory to applications. Applications that do not check or choose to ignore the registry setting associated with FIPS mode and that are not dependent on the subsystems described earlier will continue to work exactly as they had with FIPS mode disabled. For example, a Win32 application – or third party disk encryption software – written in C++ that uses the very weak and non-FIPS-approved DES encryption algorithm exposed by the CryptoAPI will behave exactly the same whether FIPS mode is enabled. -Further, FIPS mode does not and cannot ensure that applications even use encryption at all when appropriate. There is nothing Windows can do to prevent an application from saving plaintext passwords or other sensitive data in unprotected files or registry values. The bottom line here is that just because a software product works when FIPS mode is enabled does not mean that it adheres to government standards. -Why FIPS mode is particularly onerous -Perhaps the biggest problems incurred by enabling FIPS mode involve applications that use the .NET Framework. If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes. 
The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved. -For example, the .NET Framework currently provides three implementations of the SHA256 hashing algorithm: SHA256Cng, SHA256CryptoServiceProvider, and SHA256Managed. The first two use “platform invoke” (a.k.a., “p/invoke”) to use Windows’ underlying implementations, which are FIPS-validated. By contrast, SHA256Managed, like all the other crypto classes ending with “Managed”, is implemented strictly in .NET managed code and doesn’t use the underlying platform implementations. Although it is an acceptably strong hashing algorithm for most uses, the Managed implementations have never been submitted to NIST for validation. And so if an application tries to use this class and FIPS mode is enabled, the Framework will raise an exception and not allow the class to be used; this exception will almost always cause the application to fail, if not terminate immediately. + +The United States Federal Information Processing Standard (FIPS) 140 standard defines cryptographic algorithms approved for use by US Federal government computer systems for the protection of sensitive data. +An implementation of an approved cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed National Institute of Standards and Technology (NIST) validation. +A particular implementation of an algorithm that has not been submitted cannot be considered FIPS-compliant even if it produces identical data as a validated implementation of the same algorithm. Note that the requirement to use approved and validated algorithms applies only to the protection of sensitive data. 
+Systems and applications are always free to use weak or non-validated cryptographic implementations for non-security purposes, such as in a hash table for indexing and lookup purposes. + +## What FIPS mode does +Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. +An example is Schannel, which is the system component that provides SSL and TLS to applications. +When FIPS mode is enabled, Schannel disallows SSL 2.0 and 3.0, protocols that fall short of the FIPS standards. +Applications such as web browsers that use Schannel then cannot connect to HTTPS web sites that don’t use at least TLS 1.0. (Note that the same results can be achieved without FIPS mode by configuring Schannel according to [KB 245030](http://support.microsoft.com/kb/245030) and [this blog post](https://blogs.technet.microsoft.com/b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx).) +Enabling FIPS mode also causes the .NET Framework to disallow the use of non-validated algorithms. (More on this [later](#why-fips-mode-is-particularly-onerous)). +A more complete listing of the effects of enabling FIPS mode can be found in [KB 811833](http://support.microsoft.com/kb/811833). + +## What FIPS mode does not do +Beyond the effects described above, FIPS mode is merely advisory to applications. +Applications that do not check or choose to ignore the registry setting associated with FIPS mode and that are not dependent on the subsystems described earlier will continue to work exactly as they had with FIPS mode disabled. +For example, a Win32 application – or third party disk encryption software – written in C++ that uses the very weak and non-FIPS-approved DES encryption algorithm exposed by the CryptoAPI will behave exactly the same whether FIPS mode is enabled. + +Further, FIPS mode does not and cannot ensure that applications even use encryption at all when appropriate. 
+There is nothing Windows can do to prevent an application from saving plaintext passwords or other sensitive data in unprotected files or registry values. +The bottom line here is that just because a software product works when FIPS mode is enabled does not mean that it adheres to government standards. + +## Why FIPS mode is particularly onerous +Perhaps the biggest problems incurred by enabling FIPS mode involve applications that use the .NET Framework. +If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes. +The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved. + +For example, the .NET Framework currently provides three implementations of the SHA256 hashing algorithm: SHA256Cng, SHA256CryptoServiceProvider, and SHA256Managed. +The first two use “platform invoke” (a.k.a., “p/invoke”) to use Windows’ underlying implementations, which are FIPS-validated. +By contrast, SHA256Managed, like all the other crypto classes ending with “Managed”, is implemented strictly in .NET managed code and doesn’t use the underlying platform implementations. +Although it is an acceptably strong hashing algorithm for most uses, the Managed implementations have never been submitted to NIST for validation. +And so if an application tries to use this class and FIPS mode is enabled, the Framework will raise an exception and not allow the class to be used; this exception will almost always cause the application to fail, if not terminate immediately. + Compounding the problem is that in most cases the Managed implementations of the various cryptographic algorithms have been available much longer than their Cng and CryptoServiceProvider counterparts, and on top of that, the Managed implementations tend to be significantly faster. 
-Another significant problem with FIPS mode is that until very recently there was no NIST-approved way to derive an encryption key from a password. That blocked use of the Bitlocker Drive Encryption feature that stored a computer’s 48-character recovery password to Active Directory. Using the relatively new standard for password-based key derivation functions, this is no longer a problem with Windows 8.1 and Windows Server 2012 R2, but it remains a problem for older versions of Windows. +Another significant problem with FIPS mode is that until very recently there was no NIST-approved way to derive an encryption key from a password. +That blocked use of the Bitlocker Drive Encryption feature that stored a computer’s 48-character recovery password to Active Directory. +Using the newer standard for password-based key derivation functions, this is no longer a problem beginning with Windows 8.1 and Windows Server 2012 R2, but it remains a problem for older versions of Windows. + Finally, the .NET Framework’s enforcement of FIPS mode cannot tell whether any particular use of a cryptographic class is not for security purposes and thus not in violation of standards. -Is Microsoft contradicting government regulations? -Government regulations may continue to mandate that FIPS mode be enabled on government computers running Windows. Our updated recommendations do not contradict or conflict with government guidance: we’re not telling customers to turn it off – our recommendation is that it’s each customer’s decision to make. Our updated guidance reflects our belief there is not a compelling reason for our customers that are not subject to government regulations to enable FIPS mode. + +## Is Microsoft contradicting government regulations? +Government regulations may continue to mandate that FIPS mode be enabled on government computers running Windows. 
+Our updated recommendations do not contradict or conflict with government guidance: we’re not telling customers to turn it off – our recommendation is that it’s each customer’s decision to make. +Our updated guidance reflects our belief there is not a compelling reason for our customers that are not subject to government regulations to enable FIPS mode. -References: -FIPS 140 Evaluation -http://technet.microsoft.com/en-us/library/cc750357.aspx -"System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows -http://support.microsoft.com/kb/811833 \ No newline at end of file +## References + +- [FIPS 140 Evaluation](http://technet.microsoft.com/library/cc750357.aspx) +- ["System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows](http://support.microsoft.com/kb/811833) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md b/windows/security/threat-protection/windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md index 0ffa299ff9..ba67ceadae 100644 --- a/windows/security/threat-protection/windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md +++ b/windows/security/threat-protection/windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 03/11/2019 +ms.date: 03/15/2019 --- # Why We’re Not Recommending “FIPS Mode” Anymore 
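Review bot: in the `@@ -22,25 +22,53 @@` hunk of `threat-protection/why-were-not-recommending-fips-mode-anymore.md`, the reflow leaves `+ Compounding the problem is that in most cases the Managed implementations...` immediately followed by `+Another significant problem with FIPS mode is that until very recently...` with no blank line between them, so Markdown will merge the .NET Managed-class performance point into the paragraph about password-based key derivation, while every other topic shift in the hunk is separated by a blank line. Insert a blank `+` line before the "Another significant problem" sentence. The leading space on the "Compounding" line is also inconsistent with the rest of the hunk; the other one-sentence-per-line edits are fine, since the renderer joins adjacent lines into one paragraph.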
@@ -64,7 +64,7 @@ And so if an application tries to use this class and FIPS mode is enabled, the F Compounding the problem is that in most cases the Managed implementations of the various cryptographic algorithms have been available much longer than their Cng and CryptoServiceProvider counterparts, and on top of that, the Managed implementations tend to be significantly faster. -Another significant problem with FIPS mode is that until very recently there was no NIST-approved way to derive an encryption key from a password. That blocked use of the Bitlocker Drive Encryption feature that stored a computer’s 48-character recovery password to Active Directory. Using the relatively new standard for password-based key derivation functions, this is no longer a problem with Windows 8.1 and Windows Server 2012 R2, but it remains a problem for older versions of Windows. +Another significant problem with FIPS mode is that until very recently there was no NIST-approved way to derive an encryption key from a password. That blocked use of the Bitlocker Drive Encryption feature that stored a computer’s 48-character recovery password to Active Directory. Using the newer standard for password-based key derivation functions, this is no longer a problem beginning with Windows 8.1 and Windows Server 2012 R2, but it remains a problem for older versions of Windows. Finally, the .NET Framework’s enforcement of FIPS mode cannot tell whether any particular use of a cryptographic class is not for security purposes and thus not in violation of standards. From 6e95083c74fdbb6265f5a725eca1844271f82220 Mon Sep 17 00:00:00 2001 
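Review bot: the `@@ -64,7 +64,7 @@` hunk applies to the `windows-security-baselines` copy exactly the wording change ("relatively new standard" to "newer standard", "with Windows 8.1" to "beginning with Windows 8.1") that the previous hunk made to the `threat-protection` copy, and PATCH 09/51 in this same series then deletes the `threat-protection` copy outright. Editing a file that the next commit removes is wasted review effort and leaves two divergent histories for one article; squash PATCH 08/51 and 09/51, or drop the first file from this patch so the series only ever touches the surviving copy.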
From: Justin Hall Date: Fri, 15 Mar 2019 14:53:04 -0700 Subject: [PATCH 09/51] added new topic --- ...were-not-recommending-fips-mode-anymore.md | 74 ------------------ ...ng-with-well-known-and-proven-solutions.md | 77 +++++++++++++++++++ 2 files changed, 77 insertions(+), 74 deletions(-) delete mode 100644 windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md create mode 100644 windows/security/threat-protection/windows-security-baselines/sticking-with-well-known-and-proven-solutions.md diff --git a/windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md b/windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md deleted file mode 100644 index dde671c924..0000000000 --- a/windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md +++ /dev/null 
@@ -1,74 +0,0 @@ ---- -title: Why We’re Not Recommending "FIPS Mode" Anymore -description: This topic explains why Microsoft changed from recommending FIPS mode be enabled to Not Defined. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: aaronmar -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 03/15/2019 ---- - -# Why We’re Not Recommending “FIPS Mode” Anymore - -**Applies to** - - Windows 10 - - Windows Server - -In [the latest review of the official Microsoft security baselines](https://blogs.technet.microsoft.com/b/secguide/archive/2014/04/07/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11.aspx) for all versions of Windows client and Windows Server, we decided to remove our earlier recommendation to enable “FIPS mode”, or more precisely, the security option called “System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.” -In our previous guidance we had recommended a setting of “Enabled”, primarily to align with US Federal government recommendations. In our updated guidance, the recommendation is “Not Defined”, meaning that we leave the decision to customers. Many people will correctly see this as a significant change, and it deserves explanation. - -The United States Federal Information Processing Standard (FIPS) 140 standard defines cryptographic algorithms approved for use by US Federal government computer systems for the protection of sensitive data. -An implementation of an approved cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed National Institute of Standards and Technology (NIST) validation. -A particular implementation of an algorithm that has not been submitted cannot be considered FIPS-compliant even if it produces identical data as a validated implementation of the same algorithm. 
Note that the requirement to use approved and validated algorithms applies only to the protection of sensitive data. -Systems and applications are always free to use weak or non-validated cryptographic implementations for non-security purposes, such as in a hash table for indexing and lookup purposes. - -## What FIPS mode does -Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. -An example is Schannel, which is the system component that provides SSL and TLS to applications. -When FIPS mode is enabled, Schannel disallows SSL 2.0 and 3.0, protocols that fall short of the FIPS standards. -Applications such as web browsers that use Schannel then cannot connect to HTTPS web sites that don’t use at least TLS 1.0. (Note that the same results can be achieved without FIPS mode by configuring Schannel according to [KB 245030](http://support.microsoft.com/kb/245030) and [this blog post](https://blogs.technet.microsoft.com/b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx).) -Enabling FIPS mode also causes the .NET Framework to disallow the use of non-validated algorithms. (More on this [later](#why-fips-mode-is-particularly-onerous)). -A more complete listing of the effects of enabling FIPS mode can be found in [KB 811833](http://support.microsoft.com/kb/811833). - -## What FIPS mode does not do -Beyond the effects described above, FIPS mode is merely advisory to applications. -Applications that do not check or choose to ignore the registry setting associated with FIPS mode and that are not dependent on the subsystems described earlier will continue to work exactly as they had with FIPS mode disabled. -For example, a Win32 application – or third party disk encryption software – written in C++ that uses the very weak and non-FIPS-approved DES encryption algorithm exposed by the CryptoAPI will behave exactly the same whether FIPS mode is enabled. 
- -Further, FIPS mode does not and cannot ensure that applications even use encryption at all when appropriate. -There is nothing Windows can do to prevent an application from saving plaintext passwords or other sensitive data in unprotected files or registry values. -The bottom line here is that just because a software product works when FIPS mode is enabled does not mean that it adheres to government standards. - -## Why FIPS mode is particularly onerous -Perhaps the biggest problems incurred by enabling FIPS mode involve applications that use the .NET Framework. -If FIPS mode is enabled, the .NET Framework disallows the use of all non-validated cryptographic classes. -The problem here is that the Framework offers multiple implementations of most algorithms, and not all of them have been submitted for validation, even though they are similar or identical to implementations that have been approved. - -For example, the .NET Framework currently provides three implementations of the SHA256 hashing algorithm: SHA256Cng, SHA256CryptoServiceProvider, and SHA256Managed. -The first two use “platform invoke” (a.k.a., “p/invoke”) to use Windows’ underlying implementations, which are FIPS-validated. -By contrast, SHA256Managed, like all the other crypto classes ending with “Managed”, is implemented strictly in .NET managed code and doesn’t use the underlying platform implementations. -Although it is an acceptably strong hashing algorithm for most uses, the Managed implementations have never been submitted to NIST for validation. -And so if an application tries to use this class and FIPS mode is enabled, the Framework will raise an exception and not allow the class to be used; this exception will almost always cause the application to fail, if not terminate immediately. 
- -Compounding the problem is that in most cases the Managed implementations of the various cryptographic algorithms have been available much longer than their Cng and CryptoServiceProvider counterparts, and on top of that, the Managed implementations tend to be significantly faster. -Another significant problem with FIPS mode is that until very recently there was no NIST-approved way to derive an encryption key from a password. -That blocked use of the Bitlocker Drive Encryption feature that stored a computer’s 48-character recovery password to Active Directory. -Using the newer standard for password-based key derivation functions, this is no longer a problem beginning with Windows 8.1 and Windows Server 2012 R2, but it remains a problem for older versions of Windows. - -Finally, the .NET Framework’s enforcement of FIPS mode cannot tell whether any particular use of a cryptographic class is not for security purposes and thus not in violation of standards. - -## Is Microsoft contradicting government regulations? -Government regulations may continue to mandate that FIPS mode be enabled on government computers running Windows. -Our updated recommendations do not contradict or conflict with government guidance: we’re not telling customers to turn it off – our recommendation is that it’s each customer’s decision to make. -Our updated guidance reflects our belief there is not a compelling reason for our customers that are not subject to government regulations to enable FIPS mode. - -## References - -- [FIPS 140 Evaluation](http://technet.microsoft.com/library/cc750357.aspx) -- ["System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows](http://support.microsoft.com/kb/811833) \ No newline at end of file 
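Review bot: the `@@ -1,74 +0,0 @@` hunk deletes `windows/security/threat-protection/why-were-not-recommending-fips-mode-anymore.md` with no replacement at that path, while an identical article remains at `windows/security/threat-protection/windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md`. Any external or cross-repo link to the old path will break; add a redirect from the deleted path to the `windows-security-baselines` copy in the same commit, and state in the commit message that the two files were duplicates (the subject "added new topic" does not mention the deletion at all).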
diff --git a/windows/security/threat-protection/windows-security-baselines/sticking-with-well-known-and-proven-solutions.md b/windows/security/threat-protection/windows-security-baselines/sticking-with-well-known-and-proven-solutions.md new file mode 100644 index 0000000000..dac5c6d54c --- /dev/null +++ b/windows/security/threat-protection/windows-security-baselines/sticking-with-well-known-and-proven-solutions.md 
@@ -0,0 +1,77 @@ +--- +title: Sticking with Well-Known and Proven Solutions +description: Using proven enterprise management technologies instead of creating and maintaining your own will increase flexibility and reduce costs. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: aaronmar +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 03/15/2019 +--- + +# Sticking with Well-Known and Proven Solutions + +**Applies to** + - Windows 10 + - Windows Server + +I work with a lot of customers, and there are some problems I see over and over. +One problem that I've seen and been thinking about a lot lately is the way that a number of customers paint themselves into a corner through excessive customization of their environment. +Lately I've been making the case that they would be much better off by sticking with defaults or broadly known and well-tested configurations, and with proven enterprise solutions over home-grown tools. + +First, let me make it clear that these situations generally haven't arisen from anyone's bad decisions. +They were reasonable choices and possibly the best options available when the decisions were first made. +However, desktop and application deployment, enterprise management and security guidance have evolved and matured rapidly over the past several years. +We know a lot today that we didn't ten years ago. +If your organization (like many others) is planning to migrate to Windows 10, this is a perfect opportunity to revisit those decisions. +I liken it to moving to a new house after living in the old one for ten years. +You can pack all your old dusty, broken and ill-fitting possessions into boxes, ship them to the new house, then unpack the boxes and figure out where to fit all the clutter. +Or you can take advantage of the opportunity to get rid of detritus and enjoy the new place. 
+ +What kinds of customizations am I talking about? +They include but are certainly not limited to home-grown software for deploying applications and monitoring desktop configuration, enforcing non-standard file and folder locations or renaming those folders, enabling unnecessary and low-value security options, reverse-engineering and then depending on or even modifying undocumented registry data, and modifying the permissions of operating system files, folders and registry keys. + +These customizations usually turn out to be expensive. +They limit flexibility, increase the cost and complexity of managing the environment, and cause strange unexpected behaviors including patch failures. +Have you had any of these issues in your environment? + +- Every piece of software to be deployed needs custom and time-consuming repackaging that is unique to your environment. +- Your custom management solutions don't work on Windows 10. +- The apps you purchase don't work the way they should without additional customization. +- Ramp-up time for new personnel takes longer than it should because they need to learn all the idiosyncrasies of your configuration. +- Bugs occur that wouldn't occur in a default or industry-standard configuration, and it takes a long time for techs to diagnose because they don't know about the quirks or realize their impact. +- You have home-grown tools or scripts that have an admin password embedded in them. (This is always a bad security risk. **Always.**) +- Your security experts don't think they're doing their job unless they put their own personal stamp on your security configuration, as if they get paid by the tweak. +- If the guy who manages your app deployment gets hit by a truck, you'll probably go out of business. +- The guy who owns the custom code insists that all commercial alternatives suck and won't work in your environment. (Perhaps you've had the sense that his ego and reality mutually agreed to separate a while ago.) 
+ +Sometimes you need to write your own software, particularly for line-of-business (LOB) purposes. +But there is a vanishingly small need for any business to write or maintain its own desktop management or application deployment software. +Unlike proven enterprise solutions, home-grown software tends to take dependencies on platform-specific features such as hardcoded file paths or undocumented system behaviors and to use undocumented and unsupported interfaces and registry data, which makes it hard to move to a new platform or even a standard configuration of your existing platform. +They also tend not to meet the performance and scale characteristics or upgrade paths of proven products from a product group with robust testing and support organizations behind them. + +Consider the US Government Configuration Baseline (USGCB). +It includes a large set of security settings which is supposed to be mandated across the entire US Federal government. +If you apply them, you're applying the same settings that lots of other groups have tested and worked with. +Setting-specific issues will generally be well-known. +Now consider the problem that one of my customers ran into just the other day. +Along with a whole raft of other non-standard security settings, their security organization had applied the IE security option, "Do not save encrypted pages to disk," which prevents content that arrived over a secure HTTPS channel from being written to disk. +On the face of it, doesn't that sound like a good idea? +Sure! +Enable that policy! +After the new policies had been in production for a while, all of a sudden people panicked. +It was payday, and the paystub web site was showing a blank page where it was supposed to display the user's paystub as a PDF document. +Naturally, fixing this high-visibility issue was immediately assigned as the top priority to a group of tech experts who had to set aside other high priority tasks. 
+Now, there are USGCB settings that are known to interfere with Adobe Acrobat Reader integration with Internet Explorer, and this is where I focused my attention. +That turned out to be a dead end. +A colleague of mine eventually took to disabling bunches of settings at a time to try to narrow down the issue, until he finally traced it to "Do not save encrypted pages to disk." +Because this setting is not mandated or used by the FDCC, USGCB, or any Department of Defense configurations, the symptom and root cause was not one with which we were familiar, nor would it be one that I would expect most other people would think to focus on if they had not run into the problem themselves. +Oh and guess what? +It turns out that years ago this setting was specifically excluded from the earliest revisions of the US Air Force Standard Desktop Configuration (the ancestor of the FDCC) because of problems just like this. + +Bottom line: if you stick with the Windows defaults wherever possible or industry-standard configurations such as the Microsoft Windows security guidance or the USGCB, and use proven enterprise management technologies instead of creating and maintaining your own, you will increase flexibility, reduce costs, and be better able to focus on your organization's real mission. \ No newline at end of file From 9e78649302afe4830cb247aab6aea38fcf51036f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 15 Mar 2019 14:53:18 -0700 Subject: [PATCH 10/51] addede new topic --- windows/security/threat-protection/TOC.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index bf4d93e534..5d76fbbc35 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
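Review bot: in the `@@ -0,0 +1,77 @@` hunk for `sticking-with-well-known-and-proven-solutions.md`, the closing paragraph recommends "industry-standard configurations such as the Microsoft Windows security guidance or the USGCB" and "proven enterprise management technologies" without linking to any of them, even though this topic is being filed under the Windows Security Baselines TOC node, where `windows-security-baselines/security-compliance-toolkit-10.md` already documents that guidance; link the phrase to that page so readers can act on the recommendation. The file also ends with `\ No newline at end of file`; add the trailing newline so later diffs of the last line stay clean. The "Do not save encrypted pages to disk" anecdote is useful, but naming the setting's Group Policy path would let readers check their own environment for it.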
@@ -1014,7 +1014,9 @@ #### [Security Compliance Toolkit](windows-security-baselines/security-compliance-toolkit-10.md) #### [Get support](windows-security-baselines/get-support-for-security-baselines.md) ####Windows Security Blog Posts -##### [Why We’re Not Recommending "FIPS Mode" Anymore]((windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md) +##### [Sticking with Well-Known and Proven Solutions](windows-security-baselines/sticking-with-well-known-and-proven-solutions.md) +##### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md) + ### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) From 0c1f50c33497547aa0a579cbb6dbc2a394dbe048 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 15 Mar 2019 15:24:43 -0700 Subject: [PATCH 11/51] new topic --- windows/security/threat-protection/TOC.md | 1 + .../configuring-account-lockout.md | 100 ++++++++++++++++++ 2 files changed, 101 insertions(+) create mode 100644 windows/security/threat-protection/windows-security-baselines/configuring-account-lockout.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 5d76fbbc35..df40332709 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -1016,6 +1016,7 @@ ####Windows Security Blog Posts ##### [Sticking with Well-Known and Proven Solutions](windows-security-baselines/sticking-with-well-known-and-proven-solutions.md) ##### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md) +##### [Configuring Account Lockout](windows-security-baselines/configuring-account-lockout.md) ### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) 
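Review bot: the `@@ -1014,7 +1014,9 @@` hunk in `TOC.md` silently fixes the doubled opening parenthesis in `[Why We’re Not Recommending "FIPS Mode" Anymore]((windows-security-baselines/...)`, which is a good catch but deserves a mention in the commit message since it is a bug fix, not just a new entry. The context line `####Windows Security Blog Posts` has no space after the hashes, so under CommonMark rules it is not an ATX heading and renders as literal text; change it to `#### Windows Security Blog Posts` while this node is being edited, so the two new `#####` child entries have a real parent heading. The added blank line before `### [MBSA removal and alternatives]` is fine but should be consistent with how the other `###` nodes in this file are separated.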
diff --git a/windows/security/threat-protection/windows-security-baselines/configuring-account-lockout.md b/windows/security/threat-protection/windows-security-baselines/configuring-account-lockout.md new file mode 100644 index 0000000000..3c6b559a54 --- /dev/null +++ b/windows/security/threat-protection/windows-security-baselines/configuring-account-lockout.md 
@@ -0,0 +1,100 @@ +--- +title: Configuring Account Lockout +description: Covers the issues and tradeoffs of enabling account lockout and how tightly to enforce it. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: aaronmar +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 03/15/2019 +--- + +# Configuring Account Lockout + +**Applies to** + - Windows 10 + - Windows Server + + We can recommend an ideal configuration for most of the settings in our security guidance. + For example, the “Debug programs” privilege should be granted to Administrators and to no one else. + For account lockout, however, there is no “one size fits all” setting, but there’s a lot of heated discussion whenever anyone tries to pick one. + Ultimately, each organization must determine what best meets their own needs. + This blog post tries to help by discussing the issues and tradeoffs of enabling account lockout and how tightly to enforce it. + We had to pick _something_ for the baseline, so we discuss the settings we selected and why we changed them from what we had selected for other recent baselines. + Again, though, this is one where you should take a close look at the threats and tradeoffs for your own environment before applying the settings we picked. + +## The Basics of Account Lockout + +The purpose of account lockout is to make it harder for password-guessing attacks to succeed. +If account lockout is not configured, an attacker can automate an attempt to log on with different user accounts, trying common passwords as well as every possible combination of eight or fewer characters in a very short amount of time, until one finally works. +When account lockout is configured, Windows locks the account after a certain number of failed logon attempts, and blocks further logon attempts even if the correct password is supplied. 
+ +Windows account lockout can be configured with these three settings: + +- _Account lockout threshold_: the number of failed logon attempts that trigger account lockout. If set to 0, account lockout is disabled and accounts are never locked out. +- _Account lockout duration_: the number of minutes that an account remains locked out before it’s automatically unlocked. If set to 0, the account remains locked out until an administrator explicitly unlocks it. +- _Reset account lockout counter after_: the number of minutes after a failed logon attempt before the bad-logon counter is reset to 0. The counter is also reset after a successful logon. + +## Account Lockout Tradeoffs + +While account lockout can help prevent intrusion, it can also expose your organization to accidental lockouts as well as to denial of service attacks. + +Not every bad logon attempt reflects an attempt to gain unauthorized access. +Users sometimes forget their passwords. +Also, applications, particularly those that use saved passwords, are often unaware of a password change and continue to use the old password, sometimes automatically retrying the same password many times in a short amount of time. +This becomes increasingly true as users have more devices such as phones and tablets that log on to get email or other corpnet access. +If the account lockout threshold is set too low, you are likely to see a lot of accidental lockouts. +In addition to users not being able to perform their work, lockouts can lead to expensive helpdesk calls, especially when administrator intervention is required to unlock the account. +Finding the root cause of accidental lockouts can be time-consuming as well. +It’s therefore good to set a threshold that avoids accidental lockouts, while not setting the threshold so high that attackers are given too much opportunity to succeed. +Setting the lockout duration to a “reasonable” non-zero value can also reduce helpdesk calls. 
+The combination of threshold, lockout duration and reset settings determines how many guesses attackers get per day; ideally you slow them down to the point that it becomes impractical or at least not worthwhile for them to pursue this type of attack. + +At the same time, whenever account lockout is configured at all it is easy for an attacker to conduct a denial of service attack and deliberately lock out accounts. +It doesn’t matter whether you set the threshold to 5 or 50 – an automated attack can perform that many deliberately failed logon attempts on a large number of accounts very quickly and lock them out. +If the lockout duration is short, an attacker can still maintain a sustained attack, locking out accounts as soon as they become unlocked. +If the lockout duration is indefinite (0), then this can be a crippling attack. + +## Reducing or Eliminating the Need for Account Lockout + +If you employ other mitigations against password-guessing attacks, you can afford to set a higher lockout threshold or even disable account lockout altogether. +Some of these mitigations are: + +- Proactively monitor for failed logon events and have a robust response mechanism in place when password-guessing is detected. +- Configure “Smart card required for interactive logon” (SCRIL), and do not manually set a password for the account after doing so. When SCRIL is configured, the account’s password hash is replaced with a random value, making a password logon effectively impossible. When SCRIL is configured, therefore, account lockout should be disabled to prevent denial of service. +- Require long passwords. The entire set of eight-character passwords can be tested in a short amount of time. Windows policies allow you to set a minimum length of 14 characters, which is the setting we recommend. 
You can set a minimum password length greater than 14 characters by using [fine-grained password polices](https://docs.microsoft.com/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-#fine_grained_pswd_policy_mgmt). Passwords can be up to 256 characters + +## Baseline Selections + +As we said at the outset, there is no single account lockout configuration that works for all organizations. +Our recommendation regarding account lockout is to consider the tradeoffs and pick what’s right for your situation. +However, our security guidance includes GPOs and security templates that you can apply directly, and it’s not possible to set the account lockout threshold in them to “do the right thing”. So we have to pick something. + +The settings in our baselines are intended for large audiences. +We recognize that many organizations will apply these settings without reading the fine print or considering the nuances and tradeoffs. +We have to try to find the right balance between security and “break everything” that will work reasonably well for most organizations. + +As of Oct 15, 2015, we have selected a threshold of 10 bad attempts, a 15 minute lockout duration, and counter reset after 15 minutes. +That threshold value is a change from the Windows 8.1/Windows Server 2012 R2 beta guidance as well as from past baselines. + +The threshold we published with the Windows 7/Windows Server 2008 R2 guidance was 50 bad attempts. +With the 15 minute duration and 15 minute counter reset, that gave attackers up to 200 guesses per hour. +For Windows 8/Windows Server 2012, we had changed it to 5, after much discussion with the external security community, including the Center for Internet Security (CIS), the US National Security Agency (NSA), the US Defense Information Systems Agency (DISA) and others. 
The thinking at that point was that a typical user is unlikely to mistype their password five times unless they really don’t remember it, in which case they’ll probably need to call the helpdesk anyway. +We have increased that threshold to 10 because our support engineers have seen many accidental lockouts, particularly with the increase in devices per user. +Increasing the threshold to 10 should reduce the number of accidental lockouts, while at the same time not giving attackers 200 guesses per hour again. + +## Account Lockout Technical Errata + +The public documentation may not be clear about these points, and they are worth knowing: + +An attempted logon using either of an account’s two most recent previous passwords will not succeed, but will not increment the bad-logon counter either. +In other words, repeated use of a saved password will trigger account lockout only after the third password change. + +Failed attempts to unlock a workstation can cause account lockout even if the “Interactive logon: Require Domain Controller authentication to unlock workstation” security option is disabled. +Windows doesn’t need to contact a DC for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a DC in case you had changed your password from another machine. +It’s actually easy to lock out an account on a locked workstation in seconds just by pressing Ctrl+Alt+Del and then holding down the Enter key. \ No newline at end of file From 0b4c8edbfe02b5b561ebe689e6d277c6a33a02bb Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 15 Mar 2019 15:34:08 -0700 Subject: [PATCH 12/51] new post --- windows/security/threat-protection/TOC.md | 1 + .../blocking-remote-use-of-local-accounts.md | 74 +++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 windows/security/threat-protection/windows-security-baselines/blocking-remote-use-of-local-accounts.md 
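Review bot: the body of configuring-account-lockout.md still reads as the original blog post rather than a docs topic: "This blog post tries to help by discussing the issues and tradeoffs" and "As of Oct 15, 2015, we have selected a threshold of 10 bad attempts" sit under an ms.date of 03/15/2019, so a reader cannot tell whether the 10 attempts / 15 minutes / 15 minutes values are the current baseline recommendation. Suggest "This topic" in place of "This blog post" and a sentence naming the baseline release those values ship in (or keep the date but state that it is when the values were chosen). Smaller items in the same hunk: "fine-grained password polices" should be "policies"; the last bullet ("Passwords can be up to 256 characters") needs a period; the first block of paragraphs after "Applies to" is indented by one space while the later sections are not, so the leading space should be dropped for consistent rendering; and the file is missing its trailing newline ("\ No newline at end of file").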
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index df40332709..f189975947 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -1017,6 +1017,7 @@ ##### [Sticking with Well-Known and Proven Solutions](windows-security-baselines/sticking-with-well-known-and-proven-solutions.md) ##### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md) ##### [Configuring Account Lockout](windows-security-baselines/configuring-account-lockout.md) +##### [Blocking Remote Use of Local Accounts](windows-security-baselines/blocking-remote-use-of-local-accounts.md) ### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) diff --git a/windows/security/threat-protection/windows-security-baselines/blocking-remote-use-of-local-accounts.md b/windows/security/threat-protection/windows-security-baselines/blocking-remote-use-of-local-accounts.md new file mode 100644 index 0000000000..42298233a6 --- /dev/null +++ b/windows/security/threat-protection/windows-security-baselines/blocking-remote-use-of-local-accounts.md 
@@ -0,0 +1,74 @@ +--- +title: Blocking Remote Use of Local Accounts +description: Covers the issues and tradeoffs of enabling account lockout and how tightly to enforce it. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: aaronmar +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 03/15/2019 +--- + +# Blocking Remote Use of Local Accounts + +**Applies to** + - Windows 10 + - Windows Server + +The use of local accounts for remote access in Active Directory environments is problematic for a number of reasons. +By far, the biggest problem is that when an administrative local account has the same user name and password on multiple machines, an attacker with administrative rights on one machine can easily obtain the account’s password hash from the local Security Accounts Manager (SAM) database and use it to gain administrative rights over the other machines using “pass the hash” techniques. + +Our latest security guidance responds to these problems by taking advantage of new Windows features to block remote logons by local accounts. +Windows 8.1 and Windows Server 2012 R2 introduced two new security identifiers (SIDs), which are also defined on Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012 after installing [KB 2871997](http://support.microsoft.com/kb/2871997): + +- S-1-5-113: NT AUTHORITY\Local account +- S-1-5-114: NT AUTHORITY\Local account and member of Administrators group + +The former SID is added to the user’s access token at the time of logon if the user account being authenticated is a local account. +The latter SID is also added to the token if the local account is a member of the BUILTIN\Administrators group. 
+These SIDs can grant or deny access to all local accounts or all administrative local accounts – for example, in User Rights Assignments to “Deny access to this computer from the network” and “Deny log on through Remote Desktop Services”, as we recommend in our latest security guidance. +Prior to the definition of these SIDs, you would have had to explicitly name each local account to be restricted to achieve the same effect. + +In the initial release of the Windows 8.1 and Windows Server 2012 R2 guidance, we denied network and remote desktop logon to “Local account” (S-1-5-113) for all Windows client and server configurations, which blocks all remote access for all local accounts. + +We have since discovered that Failover Clustering relies on a non-administrative local account (CLIUSR) for cluster node management and that blocking its network logon access causes cluster services to fail. +Because the CLIUSR account is not a member of the Administrators group, replacing S-1-5-113 with S-1-5-114 in the “Deny access to this computer from the network” setting allows cluster services to work correctly while still providing protection against “pass the hash” types of attacks by denying network logon to administrative local accounts. + +While we could keep the guidance as it is and add a “special case” footnote for failover cluster scenarios, we will instead opt to simplify deployments and change the Windows Server 2012 R2 Member Server baseline as follows: + +Policy Path + + +Computer Configuration\Windows Settings\Local Policies\User Rights Assignment + + +Policy Name + + +Deny access to this computer from the network + + +Original Value + + +Guests, Local account (*) + + +New Value + + +Guests, Local account and member of Administrators group (*) + +The guidance also recommends adding Domain Admins and Enterprise Admins to these restrictions except on domain controllers and dedicated admin workstations. 
+DA and EA are domain-specific and can’t be specified in generic GPO baselines. + +Note that this change applies only to the Member Server baseline and that the restriction on remote desktop logon is not being changed. +Organizations can still choose to deny network access to “Local account” for non-clustered servers. + +Note also that the restrictions on local accounts are intended for Active Directory domain-joined systems. +Non-joined, workgroup Windows computers cannot authenticate domain accounts, so if you apply restrictions against remote use of local accounts on these systems, you will be able to log on only at the console. \ No newline at end of file From 0b386277dcf5ac922471f275672e9a14e7b9f762 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 15 Mar 2019 16:09:10 -0700 Subject: [PATCH 13/51] new topic --- windows/security/threat-protection/TOC.md | 1 + ...ing-the-untrusted-font-blocking-setting.md | 24 +++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 windows/security/threat-protection/windows-security-baselines/dropping-the-untrusted-font-blocking-setting.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index f189975947..9699b0be4c 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -1018,6 +1018,7 @@ ##### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md) ##### [Configuring Account Lockout](windows-security-baselines/configuring-account-lockout.md) ##### [Blocking Remote Use of Local Accounts](windows-security-baselines/blocking-remote-use-of-local-accounts.md) +##### [Dropping the “Untrusted Font Blocking” setting](windows-security-baselines/dropping-the-untrusted-font-blocking-setting.md) ### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) 
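Review bot: the front matter description is copied from the account-lockout page ("Covers the issues and tradeoffs of enabling account lockout and how tightly to enforce it.") and does not describe this topic; it should summarize blocking remote logon by local accounts using the S-1-5-113 and S-1-5-114 SIDs. Also, the Policy Path / Policy Name / Original Value / New Value block has lost its table structure and renders as eight disconnected lines; rebuild it as a markdown table, for example "| Policy Path | Policy Name | Original Value | New Value |" with one row for the "Deny access to this computer from the network" change, and tie the "(*)" marker to the sentence about Domain Admins and Enterprise Admins that follows it (a footnote or a Note line), since as written the asterisk has no visible referent. The KB 2871997 link uses http:// where the other links in this patch use https://, and the file lacks a trailing newline.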
diff --git a/windows/security/threat-protection/windows-security-baselines/dropping-the-untrusted-font-blocking-setting.md b/windows/security/threat-protection/windows-security-baselines/dropping-the-untrusted-font-blocking-setting.md new file mode 100644 index 0000000000..a96127eea1 --- /dev/null +++ b/windows/security/threat-protection/windows-security-baselines/dropping-the-untrusted-font-blocking-setting.md @@ -0,0 +1,24 @@ +--- +title: Dropping the “Untrusted Font Blocking” setting +description: Windows 10 includes additional mitigations that make this setting less important, and it breaks several legitimate scenarios unnecessarily. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: aaronmar +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 03/15/2019 +--- + +# Dropping the “Untrusted Font Blocking” setting + +**Applies to** + - Windows 10 + - Windows Server + + + From b628952b70e43c2e7e65c29f855cedd9dcccb88a Mon Sep 17 00:00:00 2001 
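Review bot: dropping-the-untrusted-font-blocking-setting.md contains front matter, a title and an "Applies to" list but no body, so the TOC entry added in the previous hunk will publish an empty page; either include the article text that the description promises ("Windows 10 includes additional mitigations that make this setting less important, and it breaks several legitimate scenarios unnecessarily") or hold the TOC link until the body lands. Minor: the file ends with two trailing blank lines that should be trimmed.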
From: Justin Hall Date: Fri, 5 Apr 2019 15:03:33 -0700 Subject: [PATCH 14/51] added files --- windows/security/threat-protection/TOC.md | 17 +++++++----- .../images/seccon-framework.png | Bin 0 -> 125416 bytes .../security-control-classification.png | Bin 0 -> 12204 bytes ...urity-control-deployment-methodologies.png | Bin 0 -> 21811 bytes .../windows-security-baselines/TOC.md | 15 ++++++++++ .../seccon-3-enterprise-VIP-security.md | 24 ++++++++++++++++ .../seccon-4-enterprise-high-security.md | 24 ++++++++++++++++ .../seccon-5-enterprise-security.md | 24 ++++++++++++++++ .../windows-security-baselines.md | 9 +++--- .../windows-security-compliance.md | 23 ++++++++++++++++ ...indows-security-configuration-framework.md | 26 ++++++++++++++++++ 11 files changed, 150 insertions(+), 12 deletions(-) create mode 100644 windows/security/threat-protection/images/seccon-framework.png create mode 100644 windows/security/threat-protection/images/security-control-classification.png create mode 100644 windows/security/threat-protection/images/security-control-deployment-methodologies.png create mode 100644 windows/security/threat-protection/windows-security-baselines/TOC.md create mode 100644 windows/security/threat-protection/windows-security-baselines/seccon-3-enterprise-VIP-security.md create mode 100644 windows/security/threat-protection/windows-security-baselines/seccon-4-enterprise-high-security.md create mode 100644 windows/security/threat-protection/windows-security-baselines/seccon-5-enterprise-security.md create mode 100644 windows/security/threat-protection/windows-security-baselines/windows-security-compliance.md create mode 100644 windows/security/threat-protection/windows-security-baselines/windows-security-configuration-framework.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 09f8f4921f..d60b30950a 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -1022,13 +1022,16 @@ ### [Windows security baselines](windows-security-baselines/windows-security-baselines.md) #### [Security Compliance Toolkit](windows-security-baselines/security-compliance-toolkit-10.md) #### [Get support](windows-security-baselines/get-support-for-security-baselines.md) -####Windows Security Blog Posts -##### [Sticking with Well-Known and Proven Solutions](windows-security-baselines/sticking-with-well-known-and-proven-solutions.md) -##### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md) -##### [Configuring Account Lockout](windows-security-baselines/configuring-account-lockout.md) -##### [Blocking Remote Use of Local Accounts](windows-security-baselines/blocking-remote-use-of-local-accounts.md) -##### [Dropping the “Untrusted Font Blocking” setting](windows-security-baselines/dropping-the-untrusted-font-blocking-setting.md) - +### [Windows SECCON framework](windows-security-baselines/windows-security-configuration-framework.md) +#### [SECCON 5 enterprise security](windows-security-baselines/seccon-5-enterprise-security.md) +#### [SECCON 4 enterprise high security](windows-security-baselines/seccon-4-high-enterprise-security.md) +#### [SECCON 3 enterprise VIP security](windows-security-baselines/seccon-3-vip-enterprise-security.md) +###Windows Security Blog Posts +#### [Sticking with Well-Known and Proven Solutions](windows-security-baselines/sticking-with-well-known-and-proven-solutions.md) +#### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md) +#### [Configuring Account Lockout](windows-security-baselines/configuring-account-lockout.md) +#### [Blocking Remote Use of Local Accounts](windows-security-baselines/blocking-remote-use-of-local-accounts.md) +#### [Dropping the “Untrusted Font Blocking” setting](windows-security-baselines/dropping-the-untrusted-font-blocking-setting.md) ### [MBSA 
removal and alternatives](mbsa-removal-and-guidance.md) 
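Review bot: two of the new TOC links do not match the files this patch creates: the TOC points at "windows-security-baselines/seccon-4-high-enterprise-security.md" and "windows-security-baselines/seccon-3-vip-enterprise-security.md", while the file list above creates "seccon-4-enterprise-high-security.md" and "seccon-3-enterprise-VIP-security.md", so both links will break (note the word order and the "VIP" capitalization). Also, "###Windows Security Blog Posts" keeps the missing space after the hashes (the removed line had the same "####Windows" defect), so it will not render as a heading; write it as "### Windows Security Blog Posts".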
diff --git a/windows/security/threat-protection/images/seccon-framework.png b/windows/security/threat-protection/images/seccon-framework.png new file mode 100644 index 0000000000000000000000000000000000000000..5a1c8ce2ad996437920b2a7384fa5a1f31326c70 GIT binary patch literal 125416
z%A)=27gYNmRiwK7wKzUmW9VUN&{0KT=vPA(OL-0P2$atLz@qrhky?<~IT5j+rSJCY zxEgmA#!T^8tYgYyCMX) zPr8nTf|)IB-;LE7V9#a=4;>Frc(7S*6|QtZR`v-ArHTt*a05_OI=$Bwb7)* z>R4|}x;pJdR+!a{ob#DWRZw03{N!U`AYHT#7ug-4reBDPWcYVCmQHVKOm4>NkbYQD za1-2^G7J|SPXwzu&#nd)45-JvC#4qb4J3i=$UhlOU9Bzu?-VG$E>oC5(rT@XECOykD?sJ8rN+1Qb_BeeCSB2!u`oqX6IkYB_7hOLi-LQU zY7&{vGEi|s7MiKOWY;8nP7c~rxE5+BRED)YGH1I-!-18ajihA-K#8-Y`s~R=_C()? z!N@Qw?D)dF{iYLVt2`UlN{M9kRGtaYNGs_&5`R)T9mWBX(3pU;b}l>FIB)ZuZOy8b zb)bgT_M$Le2DCU_fQe|hp49MrzewZu&U#Qn~Oe34ro+#&y6=mfSnxN!CI-Dugs=M8SMsJkIL zNweHsk(?e%m{F%e%Gx;zVnU*@c(dWRUhTquu)7xppc1eIxO;%J-ro3I6Hvy1{(VFD<96P;I($xA2(Qmf{L?h5&Z+o1HDsj}m3E^2FZbo|y9$ znwaZ~S3hcH8y1k(V4bFon6OfI`bfa(Oo%O3#qVgv1P>I#zO(k7!J^F_km@~HSoO|> zZp1!~WVn^_3zmY_UTk9zEAe!AK#;5lb0+ddOm!Pjm9mQ)QIpuCgca;vFo>%w7UcIM zmRpa+5#x+FR>k`lTBOFMlH5`!d>8ypymkX9uz{#hyVmPs&@jZq+90&n{E3YJm4LvH zX1&1n271u10f8RBXqxUYTsbGr+0=~%ly_;`i#!SRfqVUGUCRzx1^YG#xzH}Yd(AG? z)_-;AW$@fgjUB$_iE%$`YFGdLb4{sn^hSN5&#|kW8`!%+gLPc%vumG~T6W#2GRQ_c zM93moz1YPbw-$D4M}YqOXo_P`P3>-fm6m;E>$s*N{fJ){kY+HWx^@gazVD^SXI?eP zwnjJrh#lC4&%(Rd0)oRrO}rJ9mi_Fb272+T*^bvSJ$?4zHJ?*ge+N6fqty(e7v_B2 z7l8ii;#b#C|F2&Bv+c+n;G}N9D66?Q(8Kl=QikLjWz(&@v#{M<1;qT3CMVtBSX#E` z*c_=pC|;7$2w=#eh92N#ghrR4H@1UHDeh*uEW5X)Iz4R*2W87afBCsaf%A@cc&-2@ zKj}A3OYX~)#K&nq;M3La;HGpd1n94%n)3b>37Tb{pv7uqHp8M@qoi zSo~+J0WRbv!(x3Rlkv?Ra_rC~h#P40diT6=V z(GRQtT9QPEr7Uc8my)42Tc$qT@gZ@Asrv$wQlT`s3&Cpqr(a_2BT#5@auFV?zSA?g zNC*wwm_LiIONioJRDIqBTE@kW|Lf~-?#}nzl$o6|noNfw7FN!mLLB1}%G+TzlcGLg zTW4!_|28cG!&8-z`#3b$eURR(IXoucwjIz20S-XV-#38$6oOc*`j+Gg#e`Fp3yRQH zY}Im0VEBvu=K2ono>AMJ?7T`mXx7&`EG$Pq#Z&Gbd#AU;}v#XWlxeXHKJtYCi( zU`#J@qD`o9B0fHzXMiyPh>nF*&odAoKItlUB>+EUa7V3X39M()V_l2C=u(e60avxD zebrVqzNz3vLBZS1uKsV3hoM`4uSC#@D-wY3O$NIDYFqPSk;r`DxkhZm2k%GdlHa^$?ct$(O4QgQW%?lcfk2DapvtjjyVBRLdS=N%CJqvRL0cANy!x|_!o)rkm z8#M7lonUU{ui_I2PCt1Hsw|cNL_abR{dnAJ;|!C5W%Y&O77k6rhS97gIY$9#{48r} z+aI$`pGzv$$=Xw`5T3079GKO#1CW5NTWVb_qgueXA`Jc>p$ieMhC=$nT~Rb-!G=r`7YA7Al>X(!c8>gVK{_ 
z^Y5S?)v)C1tq{yuh|b7MYgi#@;+F3qT*F)b-z;pQnlDqHRY65Q?7W+p&4WI*tnjVQ z9-Tb%?1dEpNv+3KfE@A5_}h`>0z1EO%q}UMxI_0P;tfF>WiXE{k?2HQ#3_?%r!ZDs zwbn0V+e$499?L3KiN^spq%L}4Ndo=u_$i#+u%`_RutWkt26cJhB~j`T`trQ9t!qGL z`)qDn?(v(#b&S02GFvuB4w!3|5&}>(_P8w~fQVmK(PMnZf#JYb~H3=y$t+pV_!K zb!HRA1?IOfBf9c6MMP{-GZPe=$ng0Wah9Fhns=?y94u0yT?7XfY3speB$s-ggaD)= zi@#a8f=Ai|ab&diAm!QWQ0T}J0HzTE`dEu5_K(4^K*lGxZ9O@Y{KIO_@N(jd!V3{3 z4omck`eROhULysN;?dFt0>&cD zaHrmZ&{8>CqYKKR=Ra%*ZMOYx00HYU5{%4QWYZI!tJHDJ~UA#$z@TJl}6hKJtBmTSUr($vERR? zEn#3&+Lxg3_Gw}55Ffmil{T@0%G#!E**189xaB79ozRsDK?~}Cu>m0^X+5V#k;q_g zkgq;}3ei|Rly&hL{j_aYmO5L6g+c)9S$JXH_;PH2HY&!EQ(>4bTQcDkhDexrf%GW? zMy;A~_Ug&6H3IS)+)dxfj_G!QM-#GXJ>02gwXM$bt*T!}TNe85d;)VmEgL?a#tm;l zSJX~kM}NO{ZRlaGg2e#^ySLVlhHm{1iZXOx!$glH00h2O#Hki|J6BvI@@z6sHdl?b zg#RpDSsXhbjbkt!(P*7_Yr)DL{_Ye0Ap#Nc6UMT@wAGbndW)Tf*@3WW|{{7X3>n%W^s zB=Qs`D~p&pWmA1Vq*^hATSR}gt04`oObB9%1lb_2< zVNbS7`_B?epgwi9D#3dmSL2c6Z19y8%g#5}(LSPPHMMd2TNMKLi_j>{O>2o9L5nes zkIirscbxnlK#|QC4#k4Ep6;0D0Jxk!0TsPSdX%Uby)#YKWlq$x*kWQ(eYU2F(u0}P zoib&7z=>sAH~^&A1SbO8D z@FKEFcZwipuQOd$4m`PQPuqMZB=7pvR^K+)yb`HWqH0U!Umh z`N=ZBga3B*9yxo{vt2_>s@XVp5+l(m7T41MA2?@!CC?^VxH&9S%LE)?f&m}oC^ty! 
zia-k6vS0vH=e56zFF&g269ZibC>`NqvTrwWhpH)`F{W4=ssW?E;vF)~>A;%3(I(y&_NRLpF-PSv}Rti=7)@oIq zi`MGNN`ch_03Xfoax31E8&!ztSO3oV6fHH zw%&L41j)m4Y#OTHOa+|kyMxgr!b_&Gb9SHNa1vmM+XMs9uenjUX-Ygg9zC_ zEgO`r8Wt|j25;q*io*aPndwJe?#m?*kR1onzwZhpdCzA9J^wBhqh}sGrv(g!)aG-_ z-Y!HPYB~DzMWZn26r%dfhZ2&9Q_|0`+#*^0AKXYI@#FJ7!7FR}2rosN9y!}h?KroS z!JEWs8Jz+#8dS5uzT#h_YH8Vqzd>J{Zv!QK^8QTUcyfa5MXBTD|3oIBY(hPPqj$to z+?6{fT=j8|mza|hz#Zri_8(o+1!kve>Uf8Nby!ly{{@J}YcScm4RkbSYIN(44RsFl zaUDE3pkr-c|65&P=7Q$I;H<*=C6=7;f%#iF7;d{)Dz*o3Ow^73MP0Y&^WYv!J%4I+ zA`*v|AJcM=0^mLdPvVpQ&sRPy0=@R&=GBkpGhehX9?7ksxX##U?kRx(?VY#Vfz01n z2L=-UT2R~6VpBa#8a@(t3i|sOH@#3eBBXF)GazQuuTgqaJ7jJV2Y|>&3+AW7)kG9} zY0!&|sS5;6SEddAPbp(f*0S(ZT_N|lCOwFGg>CuifXu|usGm}nd0N^^MarK|`DMy~d%3JS`p9PLM<)RlQSO;3{z@BKv4GF{!4vZktnr$&F*J1~ql__h0K+(z z6OJaN&m$l1J)=z_)*Yp=z>ZU9Hah9rOfruAzZlTVF|sNab_OSB?n~zNWM-Xtd%h*^ zTRRXMA@uo+hu8j34=n6VfT-cA~1o!P9dPH>j| zFS`kS$^u7d@D9rQ!DP%1+}W}vfjwTD91M&N*A&RZGG|a$-68Pm#yjSSeA<9f))^bE z#)+0T&|xq`b&VF*WB>BG)E>uE-8h^Nt{d+wwnpU3loCNBs-O0D)9mpl*wY40t5R6s zKQ0cf<;c4%LZl6il-ku-wBS@_AqY=lVQTCx3`Sr1@<|HeGaBCD4-S?$Nti(;__erBwY0wY|P}PJD56r^xM~d-7lZwTXdz3{p;UzZgd~hCzQnlJ6W7a$? z6acgV>shRJQLwCyFCQQKX4vprYLw#o*qG5Z*@J#R>W}fmQ;5!6BQ%aIBDg2D!!Fh zCm0nEQjcuY5g2UCftSx8!4hUOE13EQDS#;ipUir9RYyp9Id~RGyKOz&7Qy_pUOx2- zgH605Qs9$WO;DDxPMieKvh9tJEG^K1)$Mp$h5++4whp}NY(o{M#eRWf5X~)MYJcRt z>EUCZ;345JpT5>y1gd$}**+t<=|TfZnPG(9$c04XNAa`A&|QiBVD9Ri^K5`dntCjF z)p1P+6nvtoU`hz=-OdmP001F106gU3&o3X7)=a>kD|z4(jg=Wf)Fh`t8~_Q=#s*s$ z?3Y(W`VE5tQ)a6mZy5YWgEc5DU~JxK@Ea5T#zd>I&UgjP;Ki?CF@P85}N4vrd0W+7X79c zJv&Gh#LRD+4R5+h|G)1hP4E2=O#LqmvCXx)1p046u5BUwztBL!%GJO{-lSKhgZQ4%=kEi?$g0A#Iq1`v{t57;@pjPR(xOO0HHC5Yej z?KA+EH$~w$Md3G{clF)#Z#wS~p7RZ~;tjOo|C?~uBNH4^0>=bYK7Wk>+5izOD(w#(K1rE@W+!||(I3iGL}+pC|^mULZz1$h*#Iih`Z>Le1(9jnm54eK(cO`>kkOr&z!@q6&n*X_kc0B!}TZA#KopONrp%0=?eY)K})DXKOG>G^!9=F2O zj(Tc{B)v1;&Kd4s9P0iu)~pi%;8Mkn^er`NROKIF)Xx?h4u5%>1}=Ce4ZvjY$Cp_? 
zd4bG5o0eT=w+4cg(;!)h!l7$lVI^AbfgT7&z~_?MosORDZA{q(RHmOfZzvf zkmukX?b`;Ksz{(+d_BCvLM|Fjkpyn8J&YaWO?yh$31TZa_J|mBsXHujbl}|Gdg4LJk^>Mvx%hhvzHJfa ztM*cKu1l=n0ZL~aezWdf>rs*wZ=w^iw1_2+R(kyQvNDz*?Wp=Y{O)ujIMO*gZlDQh z)aSG%TsS!MTSzcBJC8hcwYt4>9E;>{E@QJxS@utXGgEosjG9185!?)Ky19o^o3HG+j&1%+;v1o zOoC6nwAf8$IsXa!Kk3={3wW!i7WErsTXjqJfP-`s;U!M7emA(XrEo^?%jxdCRx*gB{#%|VJqwV%ol!$NfV(2~K(F6gaET-9UU? z1CDXEt$!h8ayOhQ4R z+k&R!QCS(TtSGisr-A)Vf_~xA$EFUYyZwmiWAc)NFJnVb&`QxO)T^k^Ktb|#9*9ij zV>PN6G80q)vHs^Yvd9$@={9hHF30x2Pu z;!}2t(`ekE67*=6NyXG|ZkH8_y(ihvxlVlmpxDa7blV=?vkD6XW|@DQiRZc^Rs&F} zTmM!m^_DfGnSc$@$cJVo(3j4@&VfTW{=Qn+ximi@Q220rdUhPc%$_Kp?De*mm5#|0 z!SGI8pLb2KqguJYV1=z4J*UbUR+$Y;V$+_qtP6e~8Mk^KtueJ@0(f?@xjF;=(k?AK z7z}dqNY^;H6OT*94Qd&ANjpfBrDzLsV-70Hv7t9|)W<|{mVgQf`%U4c%dEQ&Ikw_2 zEX?1^Q$;<^NLy;QAoByW8|axtLJd0~#qJ%E_ODeIDVdXSN(75ICUT(JH_+iVA+g3X zNwnUBt;6_`8Jg!&v5+8>I4Q95(XI07=I+T984Hmji=I$TPWi--U__3X%ps}OQ+fE| zVG*q3sVEYtrgB-zHL7m( zlQO+A`>1WK4k7Cy%OwvnIxKn}O zO?AiX@ESsW2JRRfVN9rN?M#2CwKe{fo40YxoZj8jFw@0va1@aF4}P zoZy+6kf-AT(FnRQj%XJ+CKhl{-EC+1SaZ)I-~0WAW27$p zV6gZe_ryi!y8Y0#xB&U?9~GwqsrlHe;#C`To}A zdLCCc&^9{r`FCb$Y6NwupXIZpzCe4SOEoyk8*4a53ce|8ve;qBJiJapNlMEJjCQ#9 zf!3&)9O<}Pv$dfV-NN@y;N)NR_vb}4g@0^CrufWM4cUVE8w3YtT}xQBk(2I2-qywv z54#ATU;<%Ox~J%8%ZuU-zKmmxz10fbU7PA`LzftY|6R3D{4MO~7^JeR>0pHT0SUMF zi%yUDLdli!ffna-v;V07AA2-eV@`8X4 z8#V)-?oflMQHT)T-M_}9XLBN0W$=E)TIK)zv=^4b6XO`yVcFqs?nkfX8=F767$zJS zB_&lUF2yK0=zIkJ`f;ALg{vsY9X}?d`S$lQk4}phnp9v(?MEt_=Jx#yuu$vjL{KUxI1@6NBj^KpJ9aPq7#71v>n53%ow;~VI1_79ILh@OeWt^AG$T}0%t zQUK_{!Cjl23O01FX~G3jXue0UGw*vg(8Uy!Bk#=mH{jh&NGUh|@{Z0yb;MktMHi^7 zMnbOnTKGO0WvV=V8 z=Y^p}TvI%*oXjL!rjqF`k$}A>YKQxNFL67fY{=0314pqqeU&1FuH#^qPAPwD>Jm3C zI*~F_T^+$4XW7MlJarRokmK#>>ZB{avF~t`D$X5OV^JjucR9^*b4Fqcv1a;?Q7au> z^Pd^#gI6=M@1_`N_~YaDDo8CmU2J)1=5jVVT>Q`1vW*0H@Yg@93`RW|PA4Y9nK&C1#cNvT*~ zwC4(R9lEYv6TKxpJ2A~%1!Y8S0#{={A9{QY?{rQ8R~4yVL55>=h0=UyipeeJF&PiSa z-N`v!L3|kMdTJ?7_|(}s9c^ZZLXt#^qjuN=3x&LW36pDpzMbxuf*`~RtCtyOi)oop 
zjX5Q{477uA%~?j{w__PYxya21<*h}@;FfvW#DCnhhxy`ufa10*4?1tHFe|+1yOT{R zPN?3i!e)k!AT7)aDCNJ{jtU;6#%GSp{15EA$34~)$o0#sJ+@k26~Mi_iz}bnpxCO9 zpS<7B>~KzMdoWUvj=QsCwqu{tB}Oms;b)Wxq%5xXE(S?|J%- zLXo5tUy(VG?q?RR8%~tDm#m1HA?urkPI6{qV`~-Y(NjDs>VSz;azw?hRC`w^=W9Ge zS9oiGzpXO=ZVO{4QIRF_zVOh#a7ao>gJ;rcTO~ekF{wWVaNkR+Im_^U5V@1_%(=E) zZU;O_tezjaL!#3g+&@Ji1h=S;E^#yVF5L7=mTnr?5tFHkRhgAA%-*G9ao>tZdymRx z7r`YQa?<^n56nB4>Q*84NmUO5xZJcL8R~{|>dB=cnnZpR)Mj|(bd!-=cOP^?lYj_E zdDEN$5F5>?@(FhFtEwcK$S75GE4Y{RgUpK}VJkYRqMx!WI*qnge(G9uXwD3G`+Le9 zxG~a55gh#V`q&qcy_^jU11#)NVx)+=ezIywACiE4YA+w#pv3OU)#6G~=|_eTd*f~p4%F4dG#>DslEJSo9E+~izRC69TX;4s0*I>d(Fszi2U zL-&^Bapx)6sa#rYP}o*$wo;#(CL95;#M?T_U^NL2A)`uNm}C5dr>gJxMqoESj87Uh zO|hHm_tpZFbt!PQOR3`9KWG_6bIMs3Wsbz}s$GeeJ64jz z;P+VB{y$Ir8cHN}e=2u>p61LnTot=~yEHhg!zQ|b6@g_qazw4+7Yao?8;LH6HPMA} z70#_GMMPz!<=v6D+MugM&TVfu$$wsuZot1DP^~n)L2ziOQ^fLr6>@ZwqBA9&VCsi4 zPY!aL-WTaJ_RL%rSTc}!PEJj*g4((>saqxq&g54sFNcb%b}>qllFl|~B1Hs(eUwmg{G+ zcjmY2%Bn~3K>RP`G~!;BO37WSGR{-^b#awSN*E!QVIq#mY!=0wZsdx-mF#ehKQvUhMn%M2>)*i5qEMD(HqI-d}%*8wjss&A&uj;t&ilR2tUjwUOU%6(;pKgu2eD_ z56%(fB^GvpzGSkjofOc%(a@~W@#ttcwfrd-+&;Bb>3CaloOg{TZO|`Dc8VoWIG3s3 zF0xZC?c17S9pm$bqq6P#d$fV!l$v463NvFSoZ*&<98qTm1wmO%&-WxfLEZ z0_r{7wg~toF6HOwp~_%N?UYUP*eb90O{(>eQcI#w8=4+T1Tme>bnmKU8_MI4*@U}S z$>SAP<=^4yV~##kYtB?aC!LQhxwnK~-=G`YD{`JtJ$zRo|BPY!uDh9j&Z=rczHjw? znNx+-!r|eynl{8k`SGCi*ky3k%)}5kapz%6p7{4QWq;aBiVG)6=lxQ7hBUGXL86=6 zT%=zmiQai{q)RcigF#8=Pp`o`I5DDzv!quH7)XoiZdyxrkyipD{PCrzLSD&0#;duD zZCW-BznMR3{Zz==g;0^feOAC4-=O>~Juy`Mxu`!$_pzaU+i10`9d~RpXL_$p5na$5Nx;zi1rA~X z&Co1{7~i#>X&q*oiMJg80g@)Ia|AUSZv19`)4dY{>;9Y|P=GA|AVVk}8tA+>@)tS9 z!u(U@s7L*XW8`a|rJbK)sJ0)~{H#-AmM~W)>9gig;8StrLFwT6!jUTOkshg!1Q zGu}oL?*Mz|Ifr%cq-E#(opIz;zIu%XkKCw&|=6HV_Mady7THBE6X`81YydI+5|(sgd? 
z+CWRNec@=OMZC+!aNgKY%k8sMeC7D^j})Fm)V(|8sC7R|w<^AulrgT#r{j)qs+v@w zzo|wZS?7mxNik!7@Jf~VJay4@-)>VKeG5Be>2sUWcDl#+4sqd;|4l-P){^KDbwYX4 zEYv;6XXDlI?)Zx;m%{N?fH;TA$B%oy@7MlM3BXdm;*p{C_p76$JEkwKXPlv79=<=) zk#yV1D?UzC7ugn{I)Qeka^qJ{-b!OCM)9g7?(M&iLR=rqxEioG`Uu4G**3(s^5@Yd z84u_;z=RSD&++AO@0p4c=Yl|sLcP^fgRCS6jwgSl1lz*?Z^!v&p-K*Dm#`geP;p(4yK!={5K-oHG85u*#EEf;#&mjCIb-x z&6D-4xoCFiRf~5o9c=fr1APH)V@Wr-=7oA!hj9b+TEduOukV!LVQm_dom4~(-K!i< ziM!T79}{ok{KJ5<(EzTq!G+Z5tC8})p(;T6ylP|>S`-+MKWK=n2`?Iml=h7jd0(Q= z^!p8!qUHALbp3^f_+d=K*Zy`bpsnPkwVkBg7L>KHf-LNAnqZnf)@sI6FagSmQSSq> zZMGiT4X!UlTep$;UBgDn^&{Bcs{f=1GGdfV4e|+b`+L!cOTLL;k!oS*Dj}UOR8^r) zf+0#==+c8DkCz(k*<&{1QXHS5n=Waw*p0AjYg#P4LbHDmDfjQO;nzHmAxGF)+v=4$ zy6#D*IMT5`(sDleCQ4Z=VQ~rj74mZo-`M0|eD9e=^u~?MN8D0CT%|!fh?1ERol~f! z9Lz~erBz=NWta4`c$3WrQHg1|e3GkKk*s+MXP?#_m93O}t|})(>aQNYaU!szfo_P` z<%_6mi+JT@90LbI%W-+geM4-L@Y^YScT=IBnc_e=!OKs2Lzi+HlE}gBD=Eh}PL*vr z5i>`~%by2ulc-Cq6w0Ak8qQnt)H$>H(!E`r>v11ArhJ%GiO15Nobz7I8e zJ`NhocJGH3So8@M>aAvm{%WtFwQ&w9l{8LPB<~vthS=DO-d1Vn?3XI*efMU{W>8_+}s&`ynlD z&8q?4;|6+v`X$}oPxwz7=quUz-;h3&jay3|I#XNKTTF@eBo0o2AdX2szBG-PiLDVY zhSJg5L}a~%T?%ra`HxA(mOy$U2w(SJ=QnVgj4Tuf&=8>!eF5x@eze+ytoG;*1-Fvv zf&%x83I+6i-+kuGP4CgG`S#7&cUGAGO_8jqb#kU^Nc^eK%%3|Pf%o`OdU9x@Ie1(^ z*CATJRGa`qpt_Qunc3-^-gcBWlAqD1Fax&?j@+;r%cVttMog+P=f)_-L7D-NZkz!3 z;w)E}itgUiKL?4kENhd&PlRpA&(=;=KHVw>Mo3=ivE1)@srV-r{C!Gy;V1~6xalS` zFO9`;GrqAmm$qvAB;(=l3{HgsC(#eRUAN)(j>@M$z0wkQ_QT}(Z#wNC9>FI*KTyT* z;+IU)eSDJBarsq{G{bd@ddsNI)xG_Nv5ofP!13T}RI1s}s-r*8ak7`vvp0HNF!nHB zD>JKdGqw(SC!me>f4nq;4Z9x zzS0@u){FY9Kd8T!JPP0jrhQ+JLLS)QY3qRgZKjXA#p_C;$8wX}&v3ikfE-L;p?kg$ zk1dpOh=j2Bj6&77W;kyz{xZ64oKv?r-1ck=Ub))L;AeEYxkDu>CEa|(o%-)@j^aryTsOYZOdi9(*;33vG$)dM;-|OgbB7`B3lv9r1L+w-+fw5YtW)9X4jw=<@XVJ5T)8(e_IaQD13d4F!zxSNjrR#&y zD+<0q>$DS(Rgzs@;G*U#VmJ_WS;pJc_ok_!5cEYy3%a%6vYCL`u}6z>Fn4!14>+*i zhqPZhk{j^MaD}Niy^3$_$NT`|Nq*jt>Yn$40+rw5*p4;^-NC)(0vCiUL-S+0K?Kek$!A(9LPRrixci1IG)a*&z zI=Z6U)rx0p=1{Mm*zfV@Eo!7Snettu^{+V>3?zCrQ-O>~UdvI5hed5lZ>jiP($CI5 
zn4CTjdL=(=IrfIgO%}nSD=a0KfWi5+ntn?~-etwZp;`sx@+P@Y1x@xCD8{oK;+Z9~ z44DJ7B;fQbMu+Lq)3m5T2d6``rw(T_nY7dbxV!T`7tpQJ$ z`B^)47bSUPLQjP^&;uQ#oahQLP7xvei@CSD2#DWdHvK-J;tFj;N?+ZOitLE-ubQf2 z!Dj|JX`r0x7`1n%xlVM))59dz+;3*X@ZeGtx5mX$Q&%?N9CB*1{3be`@j0dr_3Ar_ zJ+7ZwQk`VbTS?pecui!sq3L9DIIrbK0M{1WtdZyk3IHMJ5Cl-m+(ku*#xisEn9oq3 zx5(E1Tv+z(>r>P&W5u*1v9n)stduL-CvtP8g9@~L<+fLm1fVB+CG<#C&va-PC?Bt^ zT?!0tDj3LVC??U!?&>+Fj45&HlYd+!Xk#by3^2=bL=Uq;vAsF?51{*3BRXQXro=r7 z9$bSG0YdQog)&lOd*_TT=q+%Nt`?l#_)UQ_bxxhQd=~?wo2xhtUb?>!I59 zzew1_I!*Atuy)3(KP@ONje#|(f57^ii$5`48T7b1*Ye^>DzN|3hh$|X50fX~9psS- zl?V+^3}uGXaJp#onUBJsoW2vlEsz8^Gule|#x;`g6}1QITl9q+VikVzR2{QIOY4bC zVmC;!!r<8{Pk8%4Y53-dD%JF^UXy^PSU(A7fG0G~A%+VvmC8a2KtJRF6cJo^5$4<`t z?G5*t9vI4VrDC&#wC2pn>Mvy0q4k&5z=3V7{+;oSpBsoxR&;?Yy|`dqARF18H#ycp z*Q^!%$tO(l?^4;`q>=ddeWSWRRy3K{Zm8s0SvxVDXHehHic61jzru0i(|D6s5D3Ht zmC_ozUJ3jmv`MR3p`JYlNsR)xU1xOECJP(z?qw3YkI2avn2cc)DJz8+JCdHG5BKwm z_5(e1ZR-_)L>@*Y-PU19Ie3hWiVHq24URx6%QA8~i+V%8BjenqBs?~?kci_=kJ6lV z8BptA8yP_eo6OVU+v6#%MIo&d6{X->#(~E{X}D!S62Bdr@nrWOplv00FUpi~KPTtB z;--&6ZBiEKLs@@J1vfD%T&R^U)S}CsC@+(mKaH^UqwT1Gi}a6UZx}>vH0aL%d%X}e zP-v!C3HyqYuMO}Xb#ba!Fx7H-??>l~!=GiN6Q$f`hrJ-#Y$`=(#{oECi^cFo&saz9 zc6J|*NTT~i@Cn0)S<4JF*BP3KHl{kXMR0B;T0amQ{49)WB;0VPrQLqjCj$`2ej=&* z7p@(#I+p`qZpQEKDHT%zG$M*q?Ia9o7~H)hdVzR9lpdf+!dQwu)9zkRdaWA_hccMiN$n3#l@q ztjGvd5Ks{UVT2GM6$%joiGUKqiVz?o8DJm*Ldbg<_G#_&zF+?z{tsWnx$kpd_cedl zIB(l;q@Df#IO+Ebm;ShZ{mk~un}2$=uGy@4C}&XZgAU@s^D6{$uCjEU_(@!c&jawA z(YmH$9od#q1@cj6g!y!`csTA|m}0h$nJ^^g_O2F@4r^ai$S=Y}ZGeAT(ncrUd`BX) z1D)vl543{0_o$uz8SeI5h^GlGkK0E5zgLb%-6g(X$v0SDH6ex;(sTZK<;Y6og;T!j1k_ZgYXPPtxlo=oG& zp7r@(K#UXe=F@&#{`;jO!Tk1@v8tC(vq&d9My}L6*T#pDCiP_EbYT-yR%;PHr_JZ2 z6mTsL2p`u`Wm~W8?7-h_+)|m(gXH;y7(<-Wn6(45>F6k$WOx!isBRXWE1quc65&&j z_CuVduZ=fxojuO?-bhcyF^XLwo3R%rs`SG;3fMzksJT8UQaGl;XLL?l911%y1{Pq> zH-)1$+%K7InE;n-WSyiYfNm@KfjC)A(3Th<8I1Yt=ug6M8sW&35Q z^r4D(r+@j7UU~*ODtclr;rSk+voX}a^0~HD{OX>hSjn5V|NllNGH~c-Yl<;c=uElI z6%`6EFTQAoBAYnxgNwMF?gYc>x~Kv5M|V0GwKaLiL2Y!6D@xA&^*v*NmrybvNs&97 
zQ8MfDr#C3a3~t60H{o(HwnlA#iUi9naz|9G4?JbvM(4iKEv=3&vG%B&aTm=t{8^9# zM;;bYLFI{lMG@VG1%&J zF9mLOy^RhN)bkd#otOAV+z9vQl7e)S&j38;v6n#V)WO`f#c$!_Oz(xR1xwcj&%RKL zqKwOEjeX01UAp;-dw=rU&}WCxx2vjI=nzuZXZtJ&$R)tx`ej4luP`1z4&=bRqpe}w zTkX{k2ZliZq~J3pXSOUD@`qocu%W*Xp#GrZp!Za-Wh3A9NDI*sVgB-Jd@H}cX_-gq z_}bsgzR=SG>1rP(g_;hW;Sj1+3QqdfsO-<)TW5(uILtVU77p}_K? zH(1wU`oxJSU63;+Dy$`wIdn0`>$}cHtCP!rk6llx|NK$ju7nuF4~&o|9lOV9^x3w` z=?}EF*8m48o0K+s`(23=1_Ru4N>mISoe%K(6E{f5z};}cu{YP|3GjNufVxG3;cPQh zvOcMJ$|bXJmB7P`&o(N6UL_Mm5f|c%GeBDz9z~henjofj_jo$gzOZ3#vb2(?HC� zi7443IsL@TjFPNpxF>FADGw;ps=34>QM&o>NJ;l-g&Bs^&BBXjd;1E5dJKBE6bp2- z$@!sOBT3DV?v~>m-gl(o{L@%j*r#8RZps4{7GC{gLa~zf-i7#;j&6BmeW~`kuXSXJ z^=+?=W3Z2eavyF$zL@^a5$fY}wWp3Tn#3XrzX9Y_AgdIkw>OAqe$JzA38>0-@HkA_ zwsrZ>FTFGF{zn?PLprXCwDHJ{cr4n%vq5?&deLlpF1-}EHXN5d5g8->;q}2x==wDk zI5={}C(Ajao(8F#$@=g?#2w~v?^21^27>?$S`H+E`T?o_8_BBTi-(WkXCkpR;S)zA ze(_cVqf0MGTQg-;x|$E)>AZ>$o5gXIS**6CUIgYrdq)a!F~@1C^0c?g~U`CO+20{^DnNW1{E8 znMSI?gNUTAu)uOk+1>vtn&g^HopnKBM+X6VDQc0WA5!P^TgLjQNAS{Z)HgRl#=?Mq zGMNXYW5;!3ZI%F#$hg!&RD>09st^3|X(s9}=gJFQrli{9=gm#?7nHXne%F9;MOT!a z;p^X)2nwU7yM%VFgV>@`!9_@|s=-pNj$TyP$1VOclzPjC(mEAabg#zRs*Na? 
zgAd)(h~2(Fx*5p3UX_l6q;VU<<87l2yrbJhQNNI?CdS%&m#6U-Y`x zeMyZreRW?Z^zMqiJWP9c;upZ2AyRSHw_&f0C$UgaBvp?=d?axSPHc8&45* zw9#V_w$Sw$R8_@4jOISwTcxg)vwN#feHMNfpfR*!+%&X5xTOZN7#8G&SgMLzFc0Sy zwC^dR1&Mdb+>lx1E;#DOijKp^x2q>dKNissuy%6 z8f(VBbO_yn&gl15+D`DLnIUPPALISBBBnP0F?G^1I3TL@rA3mq4L{4fT6lXt(^TU) zjBD6N531UUsp_v-sD7Eykq5I`9KK~<0QegVVp?5~Ih+~rV+GH2lKcj36ZYSf+rEZd zQyHI6sIayLr!i&TZc7HumTv$mYBAW0JJIaQaEP>Br62gX7sZVLHoq%*BPtjJFB9o9 zdI!K*sxa=hY1P||?Y}Tyre80v6EM0z$S*(~2cPq@KP(DFQ_{j_PMhwBhv<68;NJcs&$ zhR8tZ%cSnFmeofNv{gwZ=|m*d4oF*6YJwyh+_JCh| zVLo{yQ};4g;JNsIuS~M5pL?+7#RsUKUa&1tMpZ!TptoA56A7u=yHo17iyox~qtlkk zs~}#%r&>dw4&bgbl*Ie3ZtGd4pvHBbS)}%oG@QEAQpokPKP|iynuNKBavoH9o7qpx z_PY_gQVhO0RjL##?_K-~l#jp&uvY3xvFxs1JuNU-{4_6l z7A*!W!(oa7U`mn*@CQhXJrq%ZC)(5QY{$^Kqk!W|jkSCqS6Ql_?v8dI0xB0#J^@r= z_rp`ttGOA{b~PG3&U+Yh7-4P2AfcW;xm2I~4?C{>3r1Z(Uvj?(6dir{E_p(XmqmC@ z%xaWOPKM$i@dmQ0RJ#!o31ZezJ8FCcPyUq^=j}By2fSM{voinhN?3VW3HJaYz*5Gd zu^v}mkXyi2pyRJ>PlhAk^JgvJ$F6_Vy-nC>`2I3Fw`bDt{5YRR?Ua;;lpc(B!Ne8} zS0E>Cdg=-*CUe@|(0z)8$*cxXg1TB;+eCT1_~`)p7-#1#{~gP!`bc$6Fr?|;hPzW!wGkQ9TcLG_e$*bJf%9 z1(-9mrTHLO|63`8Or41iVuny*Tnn^n00VpC#Zk|e4W0gG9gCm*>Fy-YRH_$zhnb)#2i%%5V@#Acg$)F-OcVLR z9_n38`i?94%O?R8(Zvi~i1h4|>+2E5t*YTI zd03sZ5?X5s%^_0olyFFg2+N7#~7KEB;+O8=MDD26@hdoVW3~X!BGO z@^%3Cgb84mLi0iE$#2n64Gq|2=EAn%N;UXx4lAgrlGn+^-0^k~jhi-|JXWPDn?6(g)!AHtw!YuLJ`!ln{<|b9@4L+^vdwz-UH~?l(h$!fQD|Pu}Z#4h3 zDfP{LQ9CXejqZgyB}tyP&bpP!Ja^PP7r*mxoHvMrYfc(=DVg$=nk7C(6@8}0q z)4qXmFI|!LXl}^uW_!#*<`Gr*ytDN{MRKR&Ixv#V)J>E$^WK@hRf=84KQ@mEG@~XO z-F=MjwcRU-<-$$%Hr-J+^S$~V;E^C55T5r7sBd|k;r4L6D(87+!ketgFget8sOU-% z#i44b*rsAU-0w&=#O=RG3*!*}H#bj&030ofJpE2#o-c7_)War_7f8tQ$vw4$1X1pw zs2y}nF@Oa4xB2rIR=q;*L+6uv0Fw?Dx0dD?STp*FR=r1u7 zCDBi~FUOpJd3dCOfqhr}SR_euk6&QMF`WRi>ECw)8ach)Y$_M+SDyL{BKZl3R6C#X z7U$$$jENQvt^?{Ru`m1kfRrMuN%IS-C3c1Sv)MiQed36;Y6pI!*pWpdJ`1l4h7_kg z?+(oyYbsG#j`w%p)91}jFg`np34#SoEO@~}LS1%3+&_0j=;!nH{HW*Ms*1DiaKjjJ z>JbSC3dVE?FUiyo%+(C(P@|rVi+7*#&LUgSK7R}|E7=oQ=uOl3FWe}CjA^`z0782_ 
z8WQF_h-IUNYTbs7Fx%d`8R>;xMXpjW=(tSyUgiyav}oxePjaK6$V^H$wRo+q6jb>S z3TqqOpzDCtqvi9@fEvHW=@XKN>09-q8pjKO+DwyfM^%6x*AFz7{)68>z%p zcPv)LvN5hS>Rzd%&8UW+{E%ikU^=t`B&&)b>f7fp-_tCWs*o(cKiHNr?Fnk}?HKd{ zY+16fZ93_7AKKJ^>G+8f+2i@%P_0kh?y{p62u1c{7g&Bozo6kU9vmaFmede}`wZk0 z78Lb#<>{6s-&bfZhH1}{zT)BDRZ$~F6=nQ_Sj`RnKw+ZDvfQ6J5K`A#g`hsPYMhw#A8x)OuV>h zDZWF}Tsg4h@-El+;gY|t41StTj7asomV%@L* z0xaLUX@S0QUq!vwR?UWn0dDZx4{P9#Y}0wfSG~Xq2a=Y9w$Ij;o&D6P1ec`ZZs@Jb z$J)cIIOW<8TxWvi9nO99SDK(Nt^y|vJiQ!tuUqG`{}c4#vl^#1`X5Rk8DV+VRg``0 zhmVYH@kJ``vm?L>i9al}C@|^jyAJ#ctavgLHnaCfP2SqYuUN0OhgZ?(wI4Y1X;&W% zn>^0_tc|{I_j$yf{uKrFKX$t6_5V3LtvgOy72b8{16N;W-MX>0tAB?dJXHXE7^n@9 zw3Owq3jtHg{^=mDTbH_fC6fa@w07mdI%@*9)ED5m{4u7pCX{1Z%O7L1{gjvgw>dDm z^nYakAH#+GPt^XWWd5gKw{HE2Jp9kF0Ot1pZzi?!gSTWR*8)T7c^zgTpD&2|T73f~ zWwrWYcP`Ra2z=qw@r;G@kh~c935ileFU{1Nk7N2HP-W^wsd;1A?p0TKoj({XrhFlP zabkgO@WT78Q^KlO{0d4=v;zGR5WYmo9p9y1fVafNI@=zQcC7y2b=#FdVBiUt6Ia}A zX3>I)y%kr9soR50PvsW9J@m)ZPm`V3mC(E#G$_Xe+!3U}2eB$q#l5nTMFIo9{#wojbzKfsZ5?EBn8Qk&sRjv^Sg0K_IOiF)O<8I06fGADp*Txc7d`_Dmw$)29(lR3HOlWOV~lWKWCzqgaKBW0YN z+%(6Gy?ldC^EXjv<$8;1HK88^0EsFPBYCya+dnXWjWLZ}`Sp7MSBd!}(H`NGM7hLd5J0V{Y0%wz=;V@^(jkHTP|~1h{BZ&n0LX zWe<4evEO;oP&G`&doRyg!QRN|^>(&|R#h)JUa#c%+#INo*S^QLGXRH)i2RMR0SKV~ zk$QVOj+$i)Ors>@vGa@=4)>|XpbGER zK)oiwR*?f02s{>&ioNb~&W1!N!nnUc(L-Z6473YDPmo-ksJg>gj~`%VfDV65QnKw3 z4PIWI#(rUOJ@IM9-5(k)Y##p!0%|#Qf!*U*vKG73$Y=ax^fe|Kel4s5yaTsS+*&Qfoai9H2>C)&;%|uxs-QyY}LX^+0lI&@>|rkSaD% zp$24&`r2*NaHf;h?9(-YACJQ#mwFQZ%+xxOL!O-Uq|xyUWU#PcW&i_sNp+n}mVV>x z->PnO-T%nPvj~B+z(^w(;|Y`Nt&>S)My-gq{Fbrs*Qbz|QUw#2ETZQb3wfd@XE|6` z)NKBBmdZ-tBn_*Fafi5r-BR0vw^#|$;d~vIAmX&nUBD2GEZ;X^%z&$F`ryfnd470} zQzbxAq4{Y{(D%+JXsbyj@Y0(h8hryu^V$(qqRb%sE5ORzCz%^#vqX*l38v7C74U^%PTnjQ+h@McREF5w$KL?C7;!kHm&9_@) z*t3W36+*ho-!ASK|J2*Q#sZW2Aa-e#CMXU+eGbiEfdl7c+zckJA!n(dLykddV$~>< z-l^wEsopQ<&;5sJ{aBqQb8{*NukBo|ulWtsl10MyOxQP1KjPuYwlm1z(Kej>{eh_R z8B_koxX_6yY1+yftR<@PUzImO0Oe||cie(AM9+LkeK=p*U>IxOWvPCGiB`mKEj_-h zuxl=0wZG!#aE*;=Z!lEYmJxbId6Yhgk{)9V_s7fBJb!@P_|%L9(w!-z!01A8lw_s@ 
zGcCb&vh5`EMDJn8&eV;Oi;TEI!8zWovWyi|SO#sQORtGwT%kNIH+KmDu4e?IIVt^} z@R@Xx8q%+o6}op=njyoatw!X*8*(;K4llj`+_Dj(LVSD~C}x1vBs6@v7^?djCjHQ1 zc>S}NJ6fasP&rEJEGbj=ut8q72j-yvqnQ&whWGj-?uI%6sF5*2&EowApgie8j7>W} z=~-H_e3t?Ag%N@Q<3@$^1p}LQEX`*P@~1!F%|wVOiskwaI6g__|l z0unD;5iiT3DkFaU1e3bazw83^PmeMWQe?@bc+pwZ#5~B-LH{&MMGRY2X@Gc`49<41`hKX>BSp+E-c9Zx(El~Fc-R9S@rxY1 z(BKr>U+p$sYXFAM8HZ3(aisl!8K})Lt~*v|pL5-Jp{3_h&zwldBoItYqI!%l6&EC} z0*tx&s%}fy*~eV{r%bo8_XF@*u5uog4Fc+b>=0k=`t6hQh_{8&BI$HH^ZTlM^kty1 z7yGxX?1pgxOALMWeM_!R0q^V@fLf#I_28fusp-Q-5=c>5X{W>qVg7F8A5CMp%N}ZS zO(ap^X6ajV5awIj`u8i^a!G#OcB)sSv2pBtLFlZ*a=yn6Kh^`VuGrrhaR;@6zY=-V zCSifqn@p~oZsBx4EWPJJ8`&ERYV{aZS=MNx) zQp1&+H?cJ^wk;6oGfG0WiO6%)Wyt^B1n7Yd^@#3w4QA^Z*i@zGNLPel%xd6F_lLQ= zQ(+!c^N)`F>ja~1FRKK1%(NYfxbX@-#X!G*jrD8^prrZCQee+j27{C)48-ims99K_ zFGO$I{qTi^e(f&Vk)0W(-!#Dm1hBxaa1d<+1j8&;sy zIGH_SsHk5L6tnEQMT3JroRI7^R}m6f_q1lgRD=$+USs!zZ`%&1QB@7e@c|+oWET~S30~r$mPx0`}WCqxdzc@ZS!RXSS`42`X_T;yGl~?(e`~V#aR$Kko-H{aL9vFX)ON z-GtTx2~!A05Ji};+iEdxlWN5L^QgJ2QyWL?ztUip)jVt`#m@ld58L1%)`Iy4CIU@e zmp=N`4Uc%y2i$hV=G((5?Njqk>BUW-hs8FE^&I}eOM>I!F9HJWOtg*Fu_|Epv(T`@ z;~x2CD4Kw@DeC{Ks6v3=A$2kpFkU$^(q*^1hOXWn!)FLgWfCerPZ%&v6%1!pn#<>> z2J9B_ltr#YFp)I_bkY$g$~^A$KV~bjWjoCql>VU&A{5#3lBh`e3CV}kj%Gj|UxXYl zm>A>^OG=G_wzR5J88fH5)*Q|D@!*nr2qNwvhXLfrq#<(7%Kmx*oEf${1=B!`T~3|( zp@w3@1)4G@w9C9xm@jes(c&t0_{apYnZXyw{D-V4lH*UrQz}Ryj2p}XIt7MA4sMdl z9L3gPnG_E$lrKf!;7i_*nSyO$wU+ zAitTb(t2Vca%OIy{4Co7GVVV=hrfka*VA`C&3IGn%Hvu00V%*j=G1*HCkZs>EGEKp z;h0n8nf@v$r85%N62gG>E>)QogndH{3+?Rza$*HkJ*`UULY0NY+hHp5iU8#7j%c{) zT_Q=&0TD3*FIg{UId>AWAt$dexUKud;@mbxTWW0fXjSy$PLE-CyV9hbV%v_3+!Jm+ z4sJqhWsX;Qtvqr;XzS;Z-jGzK)(w|ThGZ_uxh;ow-KkIYk}^L;4-Dnc^dF0`!AuCZ ztD)qk$|$~{sv@3SGnAiQmlL;xI`Aroifl99<6n;k!=;zyRV7T!;J?hkvI0tMYeX&a za`c_H=L{Filj19Ykz{cmSG8YnS<5d;!#ZHxBkP+QUN4*o->jbt zC3An8h~U?z0W-?A7i35DLMKag1IoKaaL9pRqJ9Gen$u-aOpYLO#uVgKHo%% zUsvS0^m3rbpp4DjiEV$#Fj2dgR8+Z?(!XC64NrPARRhUR36KinILx8Kz@I=%C%(|L ze*4^L%>aM+aCm8K-1E&g4t#MBW@2)fV1f?o=}i-o=rw9Njbh 
zIiq+6l>+0&-mPwRHAQAzBerPKzRiYpg-elV`qJs*U6 z9@~E?u{oH8+G?Te#eGcG2D6E)jOLaaoB#Rjftwam^+o5^JZkFUj6+qP6)EYn-@4BA0rfA=2sv6jFBA80|PSevg z7^50s$>ajwg9vz;jBdEDfoGs=@FwE9wgxNgWOY#P5}o}fDc@Lwn_@=UxVpMfVd?l! zyf-F;Hp3o-4Xpu8I8EQU zYD)pl-Mu%_>Zx(Mbibdg;tP1)gO=K!2Kdte$$no??-JDbYtN*r3K+MNXB^AJ2xA7a z{uLfrjc=)zYI%$c%46H6`cmNA=o)c}7jMTL@ADT%h>bYmokUgHw&qN*dOS z(wN6qO~1Iv`vy*RznmE%_q1L1K*#5fp{cX6h(Y((3yRH}-RiKH`C zoEUHiKMm)*z1xU!l=gWq%At9y%f#4rGu;`r2Dg(RQWV88MtgxdTTHVf_WMRO-#2 zIVU39IdW97+-;`U!Mexq8N?0JU}lcK92PQrwv+Vus# zs&U|ovw&&-LcU9uHi+9&MUjdJ!rbB1h*F0Y_wzdvu%p)Mj!oPsQ-}SVN87676)>2% z3lD7~kH>6aac@+xv4l&wuDsKxsn))!25{JG9^n@Cl#?}4S0}38`ssTo46m+Z3{(Et4+^di`>bd5jmc zVB8?I%66JX_+3vs)Ohh|o#L7g=EBF@~_ z+sNZOhGG!(&(~Z$v3?>vd{>ggG4m}*s*UvZgdwy;8$^*Ze|KE^X)bR4O^f?ePRDZC zSNq!$&!*6Ogw~V7V>a$+rjJ-nQf+OmB@z$y%~odUO?E;RMOiN zn?JmpT?X;Nvu3^3!w4&=dz9{|xWHN#@`V_-76n{8s|{jjxFLT@Qg~oDe=xFvq|prN zgd_ZpWoSPWYqW50!pw_iGqmya`U?MQ$T8jcqS+`bXq1tY9||Zr3+=ylA;ee@B#pai zCCNBDT<=_q+tN=~C$_`IcsVe!)Ya-7G+r(0{ebzm{1d3XVqQac5aTi~sZfD{jZUm; zqeq$bgaXBg5vQP8ZWJSL(&OJc!Zt1!OiD(kO}f>7bl!*i5WP6mozNDS!Oe2F-xQxS z;jj3@`@on&B6X&KRzW*U3%}>Nct$N>nDwn*sR4EiZA7*J-cmhyVnGhz?S`<|1B86) z7VxDOyzPW}icYWOi$l?Rk2qohRZo%)IA2XaUnx!P!#>HUqEpk2Ns5nWRrH9^agxw_ zfv-~1y?26?FN_FlWj<6hY~vB&l{g#1oAPuWkRk;gDBDjpgq_)%Rs1hr*Hf@AELw%* z6_AyBsd~!lJwGhvJZK+;`(p1@(9X;UxZKy9el)Xq%>l-R4(Sq~FM^K{dD#yBrX*SL zpz1@;p(ml#%e_z6zz_*AFIJPNX7y*MI{AH7TuxrSl8&UV5lJT4$T5Nb*%p|g~eJHQPO229YYo|9#p`s}MAX1-uU zsa=qhU-(5+YoawYQV{<~XAJ1285anei)ea!F^Xg9s^B9J*h9stok@JF6c)OrAgZ6IBGb$+1k6-|@Ni*dRu#BDc z!5(O6Ax;_@<$tfZIG%ncaJQb;GfMknjxiq9))&$mkiwGw+BIU_FR(X9hMzw9GRyVUOms!tn~bhYB{#);C%(CNk9eSGyK`LL z?E8&Ri)hemzJotP5Uqr~L*|9y{agk7M0|yqnBUN=iURvi`{x>lpEI`pLuN{tirQZp zo@kt|qQ|*EGeR`$u@c+|7d^>F;f$E^#mb*5!hp=$ln+I9?OMAH(sYy!Ncn+*uFcI% z`8dNtPj^O%R80^C#h~5T>kCGlqjW%ccFgA;ElT3Gw1u-v7a73$rb^4yE2ff)SYxUH zC(zSzzRFsnW&z&{^Bqi-QrE7VV~`9iZmJYY(^jjXjB$(nR63G6{B=O`>B*v59Lg-( zKK}{CTV+GB1b4h5q@ZfGq;TNrSFk}yYp`Eu#VI>di{U=6>BFw>Payk<`b7)m@goLc 
z-+K-5)yP0sBQfLZQw=@uFc$bg#Sj^&A%~$MY!%wBJ_ld|LxWLQFob0Dms4ubnjcyW zTO1n5x^R5acTr6}O&U7ZXlnUKFxrs#DkEaBUZc6+nYC>^VRqxj6hD$Wae9CmdC@P# zSX$e~jHlIS$VTmv^(A(FiF>Ng*@ya$ocAH?x)PP}A+v_a=;t^ckOAu`e6s3s9esAC z=o2Le#!BTV;d`N>Aq zv)QFDcdyosNiXDIt2>#<^>9Aez9WE{w(fv+n~_3%3eEMHImu9*xo_+WES76-AjA%I z)|`}~_Nq|`+fWFeyE>NXgg|$+@mDVxKf= zmLB5HSeLV3J@C@=Z<0r@q~*a4j1c|`c=%x*fPgHpCFUN;~R{%lPr*@SI3b#l?1{fM+{(a=)`NU8}_s#8V}h*6VyNjz&2IwICXzO4FlTtx0Lgp=VD5Wp?eS}LW`rcXv7Pt6~KB0L?;J4*UL?1QQ1 zA~6nQg4J!hJ*o^YrOyK?=#?#?za{`};?d|Vo8lFp6k{knNAvWp;}gkQAoyA&f*w7y&`n|3$U3X`XOUqNpT>`P$17{27Dm2`9U%>r}lk4u&3V6U9($hWS zVLcH5zEvd+tl_Cl_7s-`BkLzs^mJSoj^zhXuCT}7{{<(UgKE#P^wGHnu zoL#z!od@dmN=vkS{BGj-uYs#`U$?$`d9)Ci2bG)|#LyYrJq z|AAQiQa@OEXpCfA(go*}-!-_|qdNxQ%3ATo@5)Il$>a|IWz~fKXbZz%4mv-EIOuQ2npQ09<9aNYQA_=O zYOeEUK+nlt-L12Go?M6wJhW7=vA!2_SH5p-`85qp)b6Awbe~UzWh-nHTBl=Gy2qO% z{walzAj9}4JgnMx4b;;ZutF}r>}!|&lMi*Kdg_{{GH0{3cjEP|=~|^e%pY9s&pRP< z?wcl!r}w+pwHVXd`6qyAp8(@3_3M&eH_*i^l85_dW6X*J7S{+ewxD8AJHSx8t!4Ii z57yncpNout4q=>)sjzZ2bVHPeXS!qHoUD9aHc_0!#k(!9n$Uo>rMi{!1}xx&C@P$;Ne6m=ka7>Z@I>nZwTBf2c{cGaO<~I5c+U*DJ9w@G^g>$4wlyd)EX*oy>qz--@rVHc+`@r%= z;*MBmIP{5~{uXL*s5*O&-tP>2Z0nGXR0qUOlFv(js>yZ}!Vj+ng;FIY%@mSl!#jM-yGd9c%Xu=D49)E3~O$`myanjWof)yAd!vr24EE3&>Uj;HzGfmbC*r&(-^)w0kXkP1XhZ zw!JKl|5Lrh0NDbgDl~VGFg%whr3m$A9B%P0HYcBq(Er+gR;^QZ1jjViQr=_-*Bw zug1Esc1DaH8?8P=vG3&g>qPLgTK9Yhm(YN#nJ~l;ySO`~=4>ln2ov4Y&f1>Xnp$9_R7hU{prsHSf%Zpod=r1Q3qu+P@Twc~ z9F9=E*n3qKU&vd0FRIjw(aX)H>wa}~P9GP<62b(8Wa?f_Kh4QdC3NCq5!IzjZ^t+T5Y1=-bwL z;T}_Cyi~ZUqz#Z1Er>WFZ1Rmu%d5Tsz`HPF->NzH(U0_YWX;=*DO7W=9-#!^;P4y`4XcFfA1@{dmU}X*`Y^Pr#2%K^eZpr`VVW= z)3KGf-0p_ChdJ`S#B<61`XFdidCyhV?wzM|eV-}Uvr1OL>$pbGi_6n?FnKq}tz91l zow;GSkdyqg_-WZdxF8IeCWTK=J*k{%`3T+*c0RAC$~>bO*L*wT41*jw@0%UP$9}k9 z-Q*oPR8%Q6FG`DS4MYasZyzIK^ zGqbVJSnzmvDYHG#OHfsk+%r63CFJ!5VUoMx(9xs@3w!Tug5lWk050r5Zx&0-DG#jQ zMce5{wm3O?t(<(j!vF7=<_WVZO&P0em!xiAk4@dw1e8PV^K}`>c73Q{bq(cS%DEI` zoah^vrM8Y1_?4y}zeV`Av?Dsws zpo5GmIV!W zkX^v{Y@ 
zH|Xprw6;{fVs$Uonu0$WKCM~5G$7_5?LASJZJZaja~zngb=b300t~<6cY0&r(>glM zs}EO*g^vMmys}-#w8t$C2NxE>sVT)fK8c>!eF2pbqmmRV517Vm=s)`nF=Qm~{ld>v zSAdwOv@$^Kf$%IJ0J4APb3dk4t3Yn8;V14pbp6eQgqy<)Be1(wV?a{OsKFNh!!Bw{ zHYGm52YNX>+#Tve$-Wi<<689>wh-J)*dt>N(&4$cDUN->M}<}`%e&b14{q+em1YabMwLSCS_@dZjS#+yea8|^0 zXt#OwJ88|vkCMRw)LBx8-lkKq7E@TmJE{5-bg@?hc{2$DsO7F><2_o=*8(rlf!Ri! zLy4&FJmgd_=?XR*ss+Nf@|kV)s~Ri7{!`c37iTld<$F}k(V8NeZN|+>9_XjjrH`+x zcqWuoCJi66++AS15IG%Af1na~aN>sTW@uCi-;F%Fm`UoVe586R&hOKzqtEsMgDlwR z2FKcK%mhpThcc!J2*<|Xw@&kFZTI3%N53EjND}#Dv*svn1Rw%p;h-Nww z3lHIz9x(3FRGbBDoRC!lb#xN|Ri^pWoZou5$1u~<)hg2sktF-6OJ|H6c)GPeT)PpB zQ!}@=@ExI^zM{+N0W9~ffc)>c_iEed2U2m$24vQPWx?2}X(aFNWmMn@UEp|Vtz_|- z4IsHLrRVny0cgO1x29tp)Ah{-u$D(18y~ik0xByZZu^Kf58_Vsk6oZp#;kfCQ~_Rl ze;EA;c=o=y8NFMApClPrZ@>U!)KYfef>SdIMkOnCO`si0_qv&CH>r1!pQF_*0^720 zj&vDvc7rs3O~0D|PI{%pyT&G?vQHnMGyeSSt{Pz7{r$##2S%sOh5HSc0M-92#slSg z%nBG-8$FZ&7=cbh{HTiqqVU0|S*@2*U(B!ivz>0Vetf+TM>9KHs>i<#D*%W?il=&=RMegP!JR6F8z zWDsZJuQ(8hm!s0P4xUE3m)dVz^e;>JQQP^ng+nOvMvlF|sYbfeLHF%W(6Jt^qBqs^ znu)XB?O|?iI|Ir+tgC&YSI~NgDUX?1pi_Y*yy(sUpz%Y8JhC2B^BeO!&K|dbdJ~g} zR zB+IlS##R>;xky7=+`+`U8-L79O=yAe)zynncxJXW^;P z!cpOM@~xZGr`zZbz{tZrm~*8s)dPgPIA1f@su@>#TLiNz@TXzg=x|tzv4*@4asJ@a zFRTbFnqf%dGJ(P&p&Cn<-I+U2RIgSzZtxsyEA_H7a(HisB)&FH#TgjrzTWS^sf~Cs zcN?hR0b_A+PO{GQ>HgZ5ouQz=tm89+2uIst5{LXH@m{ob8&$)ytt(9X5ic7mc8riD zYjiY(4`O5UXHATWQ;;a~DeCc{iE1E2t`DK!{0|*fH*U;k+@e}qHq4+VDrWnsJ2bWI zl}a4$>SzIKBBh`(9eiP^{^aod_h4ISU5-l{Cc{0vwAQ0r5_?9c;j%j{otb-Jqk3-V zMYijTDg19rSz)i3tP z0H$^L$$$}^22(&`N^wNiQ*vKmmHhM(s4}3`Gf2GjNo+rQ_|Wde;Zsth$<3=%MKOl4 zf4oa7Bwd_&t$Ljc6axMMFRM=m9u@fQ4r3v2kvnz9~vGnaoh$b z@>&~3t)cqEdrO#qzTdONIWdJYH75GEh8SAAVKm`bCP32K_IFY-;=eNG_OEHRTHnQX z#|f9r%-{XEd&h~Uu-2h^;%Cbqo(IeHZrkFE5BW097$m&LBY$}ui5I0>+ofm4?-t`t z^|v#$EVMxe-=>E-?5~a@^Ua_&`Yg~K&>z02WwcDDEqVK5$`&uH*WUG(+N=@S!RwKs zO8Ucm==B`!KlSbMYic9rXZtR-)jAY(m(4YF9%(rFO$;zQ5>N*Epg7B=U*|i`9YsmA z1Ah&9nSRDQYjzq;iVt-87UK3~(RZA?bmnfAkKaMvU-w(z>*HqkCz<{q_TD_4&Gh>p 
diff --git a/windows/security/threat-protection/images/security-control-classification.png b/windows/security/threat-protection/images/security-control-classification.png new file mode 100644 index 0000000000000000000000000000000000000000..75467f2098ea339c96748ad81e931bcc0f54c4c9 GIT binary patch literal 12204
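Review bot: security-control-classification.png is added as a new binary file under threat-protection/images, but no markdown hunk in this region embeds it, so the image is orphaned unless the page that references it is part of the same change; confirm the referencing page is included and that the image filename in that page matches this path exactly.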
diff --git a/windows/security/threat-protection/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/images/security-control-deployment-methodologies.png new file mode 100644 index 0000000000000000000000000000000000000000..4f869474e2d300b35c10865af53d35096dcba75f GIT binary patch literal 21811
zYBh?cGhK)b*L2)1yd$x0*<6`6;{gO2yi}`h@E)dlYObSC#jR9+r5uami!(Vez}0r|MMfKcki=|lP9E;({Vkfo-g}IE~RMe{SldAl#26}(;vVHW7LMTV&m z%okL`sVRkfjiBwb!6p&!rq=I4d&0%jGx>0GTV!2Z;#(O*Vsc;=7utdeI3>R0@;4@qoGkTv;d#&B{|rf;%n&%rX6>=*@MHVk2!z8|e$eLbzJqARK$VuTztN z5CFVl*?Gt}Mb z#lhH%R+hQcNn9Lx!0Xgs_jn0=%(P2Qc7S?(W1 z-j7D6D(W=en_=FrWY!Q=OLispD|T*%k=7XmYXrL z)`uSikWj{ARQ_?=XS%nbjB0J>wV7)aj^juobDS+`wR&|!*m*hjvHbvGC+sPnGrX11 z5qtRhX&!z|i5XOYqN5 zBE5Kw9%C4w)oqxCqVma8B~18=VC?%;KSkz|bh7ynZ;9i>&9*jeoLNXiybV3irf+iM9hBVpX>tr;(B9 zY=Rc8RM)QB`iada+sxN%Aoe=DaM zd={d}<#{P0s%f#gYd7a#n>c_>)&O{P#HPfznWPx=J-tz$K^e76l>dnQHN^gp*N}+4 ciN8X@Qltu=Q6MvU(J7U_4&;87mObKs0QCbtivR!s literal 0 HcmV?d00001 diff --git a/windows/security/threat-protection/windows-security-baselines/TOC.md b/windows/security/threat-protection/windows-security-baselines/TOC.md new file mode 100644 index 0000000000..f5a4fbd73a --- /dev/null +++ b/windows/security/threat-protection/windows-security-baselines/TOC.md 
@@ -0,0 +1,15 @@ +# [Windows security compliance](windows-security-baselines/windows-security-compliance.md) + +## [Windows security baselines](windows-security-baselines/windows-security-baselines.md) +### [Security Compliance Toolkit](windows-security-baselines/security-compliance-toolkit-10.md) +### [Get support](windows-security-baselines/get-support-for-security-baselines.md) +## [Windows SECCON framework](windows-security-baselines/windows-security-configuration-framework.md) +### [SECCON 5 enterprise security](windows-security-baselines/seccon-5-enterprise-security.md) +### [SECCON 4 enterprise high security](windows-security-baselines/seccon-4-high-enterprise-security.md) +### [SECCON 3 enterprise VIP security](windows-security-baselines/seccon-3-vip-enterprise-security.md) +##Windows Security Blog Posts +### [Sticking with Well-Known and Proven Solutions](windows-security-baselines/sticking-with-well-known-and-proven-solutions.md) +### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md) +### [Configuring Account Lockout](windows-security-baselines/configuring-account-lockout.md) +### [Blocking Remote Use of Local Accounts](windows-security-baselines/blocking-remote-use-of-local-accounts.md) +### [Dropping the “Untrusted Font Blocking” setting](windows-security-baselines/dropping-the-untrusted-font-blocking-setting.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-security-baselines/seccon-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-security-baselines/seccon-3-enterprise-VIP-security.md new file mode 100644 index 0000000000..0ee6bba877 --- /dev/null +++ b/windows/security/threat-protection/windows-security-baselines/seccon-3-enterprise-VIP-security.md 
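Review bot: the relative links in this new `windows-security-baselines/TOC.md` will not resolve, because every entry is prefixed with the directory the file already sits in (`windows-security-baselines/windows-security-compliance.md` resolves to `windows-security-baselines/windows-security-baselines/...`); drop the prefix, e.g. `[Windows security compliance](windows-security-compliance.md)`. Two targets also differ from the files this patch creates: the TOC points at `seccon-4-high-enterprise-security.md` and `seccon-3-vip-enterprise-security.md`, while the new files are `seccon-4-enterprise-high-security.md` and `seccon-3-enterprise-VIP-security.md` (word order and case differ). Finally, `+##Windows Security Blog Posts` is missing the space after `##`, so it will render as literal text rather than a heading.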
@@ -0,0 +1,24 @@ +--- +title: SECCON 3 Enterprise VIP Security +description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# SECCON 3 Enterprise VIP Security + +**Applies to** + +- Windows 10 +- Windows Server 2016 +- Office 2016 + diff --git a/windows/security/threat-protection/windows-security-baselines/seccon-4-enterprise-high-security.md b/windows/security/threat-protection/windows-security-baselines/seccon-4-enterprise-high-security.md new file mode 100644 index 0000000000..18545b8fa1 --- /dev/null +++ b/windows/security/threat-protection/windows-security-baselines/seccon-4-enterprise-high-security.md @@ -0,0 +1,24 @@ +--- +title: SECCON 4 Enterprise High Security +description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# SECCON 4 Enterprise High Security + +**Applies to** + +- Windows 10 +- Windows Server 2016 +- Office 2016 + diff --git a/windows/security/threat-protection/windows-security-baselines/seccon-5-enterprise-security.md b/windows/security/threat-protection/windows-security-baselines/seccon-5-enterprise-security.md new file mode 100644 index 0000000000..d7f4409b58 --- /dev/null +++ b/windows/security/threat-protection/windows-security-baselines/seccon-5-enterprise-security.md 
@@ -0,0 +1,24 @@ +--- +title: SECCON 5 Enterprise Security +description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# SECCON 5 Enterprise Security + +**Applies to** + +- Windows 10 +- Windows Server 2016 +- Office 2016 + diff --git a/windows/security/threat-protection/windows-security-baselines/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines/windows-security-baselines.md index 2766b15d05..af866029c2 100644 --- a/windows/security/threat-protection/windows-security-baselines/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines/windows-security-baselines.md 
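Review bot: `ms.date: 04/05/2018` in the three new SECCON stubs (seccon-3, seccon-4, seccon-5) looks like a year typo: it predates the first patch in this series (March 2019) and matches the day and month of the April 2019 commits, so it was probably meant to be 04/05/2019. The `description:` ("This article, and the articles it links to, describe how to use Windows security baselines in your organization") and `keywords: virtualization, security, malware` are copied verbatim from the baselines page into every new file and do not describe a SECCON level; give each page its own description before it ships, since these fields drive search snippets. The pages currently contain only an H1 and the "Applies to" list, so consider holding them out of the TOC until they have a body.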
@@ -58,12 +58,12 @@ You can download the security baselines from the [Microsoft Download Center](htt The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. -[![Security Compliance Toolkit](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support](images/get-support.png)](get-support-for-security-baselines.md) +[![Security Compliance Toolkit](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) +[![Get Support](./../images/get-support.png)](get-support-for-security-baselines.md) ## Community -[![Microsoft Security Guidance Blog](images/community.png)](https://blogs.technet.microsoft.com/secguide/) +[![Microsoft Security Guidance Blog](./../images/community.png)](https://blogs.technet.microsoft.com/secguide/) ## Related Videos @@ -73,8 +73,7 @@ You may also be interested in this msdn channel 9 video: ## See Also - [System Center Configuration Manager (SCCM)](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) -- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite) -- [Configuration Management for Nano Server](https://blogs.technet.microsoft.com/grouppolicy/2016/05/09/configuration-management-on-servers/) +- [Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/) - [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/) - [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319) - [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319) 
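Review bot: the image references change from `images/...` to `./../images/...`, which moves the expected location of `security-compliance-toolkit-1.png`, `get-support.png` and `community.png` up one level into the parent `images/` folder; make sure the other pages in this folder that use the same images (the Security Compliance Toolkit and Get support pages are linked right here) are updated in the same patch, or they will break while this one renders. In the "See Also" hunk, the two remaining entries "Microsoft Security Compliance Toolkit Download" and "Microsoft Download Center" both point at `https://www.microsoft.com/download/details.aspx?id=55319`; since this list is being edited anyway, drop one or point the Download Center entry at the download center itself.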
diff --git a/windows/security/threat-protection/windows-security-baselines/windows-security-compliance.md b/windows/security/threat-protection/windows-security-baselines/windows-security-compliance.md new file mode 100644 index 0000000000..6a59458bba --- /dev/null +++ b/windows/security/threat-protection/windows-security-baselines/windows-security-compliance.md @@ -0,0 +1,23 @@ +--- +title: Windows security compliance +description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# Windows security compliance + +**Applies to** + +- Windows 10 +- Windows Server 2016 +- Office 2016 diff --git a/windows/security/threat-protection/windows-security-baselines/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-baselines/windows-security-configuration-framework.md new file mode 100644 index 0000000000..fbd3d594b6 --- /dev/null +++ b/windows/security/threat-protection/windows-security-baselines/windows-security-configuration-framework.md @@ -0,0 +1,26 @@ +--- +title: Windows Security Configuration Framework +description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# Windows Security Configuration Framework + +**Applies to** + +- Windows 10 +- Windows Server 2016 +- Office 2016 + + + 
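Review bot: the title of the new `windows-security-configuration-framework.md` ("Windows Security Configuration Framework") does not match the TOC label added for it ("Windows SECCON framework"), so the left nav and the page heading will disagree; pick one name and use it in `title:`, the H1 and the TOC entry. Both new stubs carry the same copied `description:`, `keywords:` and `ms.date: 04/05/2018` front matter as the SECCON pages, and the framework file ends with three trailing blank lines after the "Applies to" list.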
From a594b26c60587c0a86bcfa8345d4b283c9b6e478 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 5 Apr 2019 15:27:47 -0700 Subject: [PATCH 15/51] added intro topic --- ...indows-security-configuration-framework.md | 35 ++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-baselines/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-baselines/windows-security-configuration-framework.md index fbd3d594b6..06fc71b69e 100644 --- a/windows/security/threat-protection/windows-security-baselines/windows-security-configuration-framework.md +++ b/windows/security/threat-protection/windows-security-baselines/windows-security-configuration-framework.md @@ -14,7 +14,7 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# Windows Security Configuration Framework +# Introducing the SECCON Framework **Applies to** 
@@ -22,5 +22,38 @@ ms.date: 04/05/2018 - Windows Server 2016 - Office 2016 +Security configuration is complex. With thousands of group policies available in Windows, choosing the “best” setting is difficult. +It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of some security lockdowns. + +Because of this, with each release of Windows, Microsoft publishes [Windows Security Baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested. +However, many organizations have discovered that this baseline sets a very high bar. +While appropriate for organizations with very high security needs such as those persistently targeted by Advanced Persistent Threats, some organizations have found that the cost of navigating the potential compatibility impact of this configuration is prohibitively expensive given their risk appetite. +They can’t justify the investment in that very high level of security with an ROI. +Assuch, Microsoft is introducing a new taxonomy for Security Configurations for Windows 10: The SECCON Baselines. + +The SECCON Baselines organize devices into one of 5 distinct security configurations: + +![SECON Framework](./../images/seccon-framework.png) + +The SECCON Baselines divide configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices +(SECCON 5, 4, and 3). +Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec). + +Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that SECCON level. 
+SECCON 5 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite. + +## Security Control Classification + +The recommendations are grouped into three categories: + +![Security Control Classifications](./../images/security-control-classification.png) + + +## Security Control Deployment Methodologies + +The way Microsoft recommends implementing these controls depends on the +auditability of the control–there are two primary methodologies: + +![Security Control Deployment methodologies](./../images/security-control-deployment-methodologies.png) From 82c19bb76e2fa856981bf1ce6dbebaa16864546f Mon Sep 17 00:00:00 2001 
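Review bot: several text-level problems in the new intro should be fixed before merge. `+Assuch, Microsoft is introducing` is missing a space ("As such"); the image alt text `![SECON Framework]` drops a C from SECCON; `+Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec).` links both phrases to the same `http://aka.ms/privsec` (use `https://` and link the roadmap once), and "guidance ... are" should be "guidance ... is"; `control–there` uses an en dash where a colon or comma reads better. The link to `https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines` should be a relative link to the sibling `windows-security-baselines.md`, as elsewhere in this docset. Finally, the text says devices fall into "one of 5 distinct security configurations" but only SECCON 5, 4 and 3 are named in prose; the names of all five levels live only inside the three PNGs, so readers of the text alone (and screen readers) never see levels 1 and 2 or the control classifications. Spell them out in a list or table beside each figure.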
From: Justin Hall Date: Mon, 8 Apr 2019 09:51:24 -0700 Subject: [PATCH 16/51] renamed files --- windows/security/threat-protection/TOC.md | 29 ++++++++++--------- .../windows-seccon-framework/TOC.md | 17 +++++++++++ .../get-support-for-security-baselines.md | 0 ...on-1-enterprise-administrator-security.md} | 0 .../seccon-2-enterprise-devops-security.md | 24 +++++++++++++++ .../seccon-3-enterprise-VIP-security.md | 24 +++++++++++++++ .../seccon-4-enterprise-high-security.md | 0 .../seccon-5-enterprise-security.md | 0 .../security-compliance-toolkit-10.md | 0 .../windows-security-baselines.md | 0 .../blocking-remote-use-of-local-accounts.md | 0 .../configuring-account-lockout.md | 0 ...ing-the-untrusted-font-blocking-setting.md | 0 ...ng-with-well-known-and-proven-solutions.md | 0 ...were-not-recommending-fips-mode-anymore.md | 0 .../windows-security-compliance.md | 0 ...indows-security-configuration-framework.md | 0 .../windows-security-baselines/TOC.md | 15 ---------- 18 files changed, 81 insertions(+), 28 deletions(-) create mode 100644 windows/security/threat-protection/windows-seccon-framework/TOC.md rename windows/security/threat-protection/{windows-security-baselines => windows-seccon-framework}/get-support-for-security-baselines.md (100%) rename windows/security/threat-protection/{windows-security-baselines/seccon-3-enterprise-VIP-security.md => windows-seccon-framework/seccon-1-enterprise-administrator-security.md} (100%) create mode 100644 windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md create mode 100644 windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md rename windows/security/threat-protection/{windows-security-baselines => windows-seccon-framework}/seccon-4-enterprise-high-security.md (100%) rename windows/security/threat-protection/{windows-security-baselines => windows-seccon-framework}/seccon-5-enterprise-security.md (100%) rename 
windows/security/threat-protection/{windows-security-baselines => windows-seccon-framework}/security-compliance-toolkit-10.md (100%) rename windows/security/threat-protection/{windows-security-baselines => windows-seccon-framework}/windows-security-baselines.md (100%) rename windows/security/threat-protection/{windows-security-baselines => windows-seccon-framework/windows-security-blog}/blocking-remote-use-of-local-accounts.md (100%) rename windows/security/threat-protection/{windows-security-baselines => windows-seccon-framework/windows-security-blog}/configuring-account-lockout.md (100%) rename windows/security/threat-protection/{windows-security-baselines => windows-seccon-framework/windows-security-blog}/dropping-the-untrusted-font-blocking-setting.md (100%) rename windows/security/threat-protection/{windows-security-baselines => windows-seccon-framework/windows-security-blog}/sticking-with-well-known-and-proven-solutions.md (100%) rename windows/security/threat-protection/{windows-security-baselines => windows-seccon-framework/windows-security-blog}/why-were-not-recommending-fips-mode-anymore.md (100%) rename windows/security/threat-protection/{windows-security-baselines => windows-seccon-framework}/windows-security-compliance.md (100%) rename windows/security/threat-protection/{windows-security-baselines => windows-seccon-framework}/windows-security-configuration-framework.md (100%) delete mode 100644 windows/security/threat-protection/windows-security-baselines/TOC.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index d60b30950a..1cf0d92355 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -1019,19 +1019,22 @@ ###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md) -### [Windows security baselines](windows-security-baselines/windows-security-baselines.md) -#### [Security Compliance Toolkit](windows-security-baselines/security-compliance-toolkit-10.md) -#### [Get support](windows-security-baselines/get-support-for-security-baselines.md) -### [Windows SECCON framework](windows-security-baselines/windows-security-configuration-framework.md) -#### [SECCON 5 enterprise security](windows-security-baselines/seccon-5-enterprise-security.md) -#### [SECCON 4 enterprise high security](windows-security-baselines/seccon-4-high-enterprise-security.md) -#### [SECCON 3 enterprise VIP security](windows-security-baselines/seccon-3-vip-enterprise-security.md) -###Windows Security Blog Posts -#### [Sticking with Well-Known and Proven Solutions](windows-security-baselines/sticking-with-well-known-and-proven-solutions.md) -#### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md) -#### [Configuring Account Lockout](windows-security-baselines/configuring-account-lockout.md) -#### [Blocking Remote Use of Local Accounts](windows-security-baselines/blocking-remote-use-of-local-accounts.md) -#### [Dropping the “Untrusted Font Blocking” setting](windows-security-baselines/dropping-the-untrusted-font-blocking-setting.md) +### [Windows security compliance](windows-seccon-framework/windows-security-compliance.md) +#### [Windows security baselines](windows-seccon-framework/windows-security-baselines.md) +##### [Security Compliance Toolkit](windows-seccon-framework/security-compliance-toolkit-10.md) +##### [Get support](windows-seccon-framework/get-support-for-security-baselines.md) +#### [Windows SECCON framework](windows-seccon-framework/windows-security-configuration-framework.md) +##### [SECCON 1 enterprise administrator 
security](windows-seccon-framework/seccon-5-enterprise-administrator-security.md) +##### [SECCON 2 enterprise dev/ops security](windows-seccon-framework/seccon-5-enterprise-devops-security.md) +##### [SECCON 3 enterprise VIP security](windows-seccon-framework/seccon-3-vip-enterprise-security.md) +##### [SECCON 4 enterprise high security](windows-seccon-framework/seccon-4-high-enterprise-security.md) +##### [SECCON 5 enterprise security](windows-seccon-framework/seccon-5-enterprise-security.md) +####Windows Security Blog Posts +##### [Sticking with Well-Known and Proven Solutions](windows-seccon-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md) +##### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-seccon-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) +##### [Configuring Account Lockout](windows-seccon-framework/windows-security-blog/configuring-account-lockout.md) +##### [Blocking Remote Use of Local Accounts](windows-seccon-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md) +##### [Dropping the “Untrusted Font Blocking” setting](windows-seccon-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md) ### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) diff --git a/windows/security/threat-protection/windows-seccon-framework/TOC.md b/windows/security/threat-protection/windows-seccon-framework/TOC.md new file mode 100644 index 0000000000..847450193e --- /dev/null +++ b/windows/security/threat-protection/windows-seccon-framework/TOC.md 
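Review bot: four of the five SECCON entries added to `threat-protection/TOC.md` point at files that do not exist after this patch. SECCON 1 links `seccon-5-enterprise-administrator-security.md` and SECCON 2 links `seccon-5-enterprise-devops-security.md`, but the files are `seccon-1-enterprise-administrator-security.md` and `seccon-2-enterprise-devops-security.md`; SECCON 3 links `seccon-3-vip-enterprise-security.md` and SECCON 4 links `seccon-4-high-enterprise-security.md`, while the files are `seccon-3-enterprise-VIP-security.md` and `seccon-4-enterprise-high-security.md`. `+####Windows Security Blog Posts` is also missing the space after the hashes, as in the previous TOC.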
@@ -0,0 +1,17 @@ +# [Windows security compliance](windows-seccon-framework/windows-security-compliance.md) + +## [Windows security baselines](windows-seccon-framework/windows-security-baselines.md) +### [Security Compliance Toolkit](windows-seccon-framework/security-compliance-toolkit-10.md) +### [Get support](windows-seccon-framework/get-support-for-security-baselines.md) +## [Windows SECCON framework](windows-seccon-framework/windows-security-configuration-framework.md) +### [SECCON 1 enterprise administrator security](windows-seccon-framework/seccon-5-enterprise-administrator-security.md) +### [SECCON 2 enterprise dev/ops security](windows-seccon-framework/seccon-5-enterprise-devops-security.md) +### [SECCON 3 enterprise VIP security](windows-seccon-framework/seccon-3-vip-enterprise-security.md) +### [SECCON 4 enterprise high security](windows-seccon-framework/seccon-4-high-enterprise-security.md) +### [SECCON 5 enterprise security](windows-seccon-framework/seccon-5-enterprise-security.md) +##Windows Security Blog Posts +### [Sticking with Well-Known and Proven Solutions](windows-seccon-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md) +### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-seccon-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) +### [Configuring Account Lockout](windows-seccon-framework/windows-security-blog/configuring-account-lockout.md) +### [Blocking Remote Use of Local Accounts](windows-seccon-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md) +### [Dropping the “Untrusted Font Blocking” setting](windows-seccon-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md) \ No newline at end of file 
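Review bot: this per-folder `windows-seccon-framework/TOC.md` repeats the same broken targets as the main TOC (`seccon-5-enterprise-administrator-security.md`, `seccon-5-enterprise-devops-security.md`, `seccon-3-vip-enterprise-security.md`, `seccon-4-high-enterprise-security.md`) and, like the deleted `windows-security-baselines/TOC.md`, prefixes every path with its own directory name, so `windows-seccon-framework/windows-security-compliance.md` resolves one level too deep. Since the same tree was just added to `threat-protection/TOC.md` and the previous folder TOC is removed in this patch, confirm a nested TOC is wanted at all; if it is, use paths relative to the folder (`windows-security-compliance.md`, `windows-security-blog/configuring-account-lockout.md`).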
diff --git a/windows/security/threat-protection/windows-security-baselines/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-seccon-framework/get-support-for-security-baselines.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/get-support-for-security-baselines.md rename to windows/security/threat-protection/windows-seccon-framework/get-support-for-security-baselines.md diff --git a/windows/security/threat-protection/windows-security-baselines/seccon-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/seccon-3-enterprise-VIP-security.md rename to windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md new file mode 100644 index 0000000000..0ee6bba877 --- /dev/null +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md @@ -0,0 +1,24 @@ +--- +title: SECCON 3 Enterprise VIP Security +description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# SECCON 3 Enterprise VIP Security + +**Applies to** + +- Windows 10 +- Windows Server 2016 +- Office 2016 + 
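Review bot: the new `seccon-2-enterprise-devops-security.md` is a byte-for-byte copy of the SECCON 3 page (same blob `0ee6bba877`), so its `title:` and H1 read "SECCON 3 Enterprise VIP Security". The same problem arises from the rename above: `seccon-3-enterprise-VIP-security.md` is renamed to `seccon-1-enterprise-administrator-security.md` at 100% similarity, leaving the SECCON 1 page titled SECCON 3 as well. Update the title, H1 and description of both files to match their level names ("SECCON 1 Enterprise Administrator Security", "SECCON 2 Enterprise Dev/Ops Security").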
diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md new file mode 100644 index 0000000000..0ee6bba877 --- /dev/null +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md @@ -0,0 +1,24 @@ +--- +title: SECCON 3 Enterprise VIP Security +description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# SECCON 3 Enterprise VIP Security + +**Applies to** + +- Windows 10 +- Windows Server 2016 +- Office 2016 + diff --git a/windows/security/threat-protection/windows-security-baselines/seccon-4-enterprise-high-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/seccon-4-enterprise-high-security.md rename to windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md diff --git a/windows/security/threat-protection/windows-security-baselines/seccon-5-enterprise-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/seccon-5-enterprise-security.md rename to windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md 
diff --git a/windows/security/threat-protection/windows-security-baselines/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-seccon-framework/security-compliance-toolkit-10.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/security-compliance-toolkit-10.md rename to windows/security/threat-protection/windows-seccon-framework/security-compliance-toolkit-10.md diff --git a/windows/security/threat-protection/windows-security-baselines/windows-security-baselines.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-baselines.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/windows-security-baselines.md rename to windows/security/threat-protection/windows-seccon-framework/windows-security-baselines.md diff --git a/windows/security/threat-protection/windows-security-baselines/blocking-remote-use-of-local-accounts.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/blocking-remote-use-of-local-accounts.md rename to windows/security/threat-protection/windows-seccon-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md diff --git a/windows/security/threat-protection/windows-security-baselines/configuring-account-lockout.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-blog/configuring-account-lockout.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/configuring-account-lockout.md rename to windows/security/threat-protection/windows-seccon-framework/windows-security-blog/configuring-account-lockout.md 
diff --git a/windows/security/threat-protection/windows-security-baselines/dropping-the-untrusted-font-blocking-setting.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/dropping-the-untrusted-font-blocking-setting.md rename to windows/security/threat-protection/windows-seccon-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md diff --git a/windows/security/threat-protection/windows-security-baselines/sticking-with-well-known-and-proven-solutions.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/sticking-with-well-known-and-proven-solutions.md rename to windows/security/threat-protection/windows-seccon-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md diff --git a/windows/security/threat-protection/windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md rename to windows/security/threat-protection/windows-seccon-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md 
diff --git a/windows/security/threat-protection/windows-security-baselines/windows-security-compliance.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-compliance.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/windows-security-compliance.md rename to windows/security/threat-protection/windows-seccon-framework/windows-security-compliance.md diff --git a/windows/security/threat-protection/windows-security-baselines/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md similarity index 100% rename from windows/security/threat-protection/windows-security-baselines/windows-security-configuration-framework.md rename to windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md diff --git a/windows/security/threat-protection/windows-security-baselines/TOC.md b/windows/security/threat-protection/windows-security-baselines/TOC.md deleted file mode 100644 index f5a4fbd73a..0000000000 --- a/windows/security/threat-protection/windows-security-baselines/TOC.md +++ /dev/null 
@@ -1,15 +0,0 @@ -# [Windows security compliance](windows-security-baselines/windows-security-compliance.md) - -## [Windows security baselines](windows-security-baselines/windows-security-baselines.md) -### [Security Compliance Toolkit](windows-security-baselines/security-compliance-toolkit-10.md) -### [Get support](windows-security-baselines/get-support-for-security-baselines.md) -## [Windows SECCON framework](windows-security-baselines/windows-security-configuration-framework.md) -### [SECCON 5 enterprise security](windows-security-baselines/seccon-5-enterprise-security.md) -### [SECCON 4 enterprise high security](windows-security-baselines/seccon-4-high-enterprise-security.md) -### [SECCON 3 enterprise VIP security](windows-security-baselines/seccon-3-vip-enterprise-security.md) -##Windows Security Blog Posts -### [Sticking with Well-Known and Proven Solutions](windows-security-baselines/sticking-with-well-known-and-proven-solutions.md) -### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-baselines/why-were-not-recommending-fips-mode-anymore.md) -### [Configuring Account Lockout](windows-security-baselines/configuring-account-lockout.md) -### [Blocking Remote Use of Local Accounts](windows-security-baselines/blocking-remote-use-of-local-accounts.md) -### [Dropping the “Untrusted Font Blocking” setting](windows-security-baselines/dropping-the-untrusted-font-blocking-setting.md) \ No newline at end of file From fce180e11836e9c91ef1d371e952da4ed14b5db2 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 8 Apr 2019 11:16:04 -0700 Subject: [PATCH 17/51] added text for levels 1-3 --- ...con-1-enterprise-administrator-security.md | 11 +- .../seccon-2-enterprise-devops-security.md | 9 +- .../seccon-3-enterprise-VIP-security.md | 121 +++++++++++++++++- 3 files changed, 134 insertions(+), 7 deletions(-) 
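Review bot: the `TOC.md` deletion hunk (`@@ -1,15 +0,0 @@`) removes the only table of contents visible in this series without a replacement in the new `windows-seccon-framework` folder, and the entries it drops no longer match the renamed files: the deleted line points at `windows-security-baselines/seccon-3-vip-enterprise-security.md`, while the file edited later in this series is `windows-seccon-framework/seccon-3-enterprise-VIP-security.md` (different word order and case, which matters on a case-sensitive build host). Whatever TOC replaces this one should use the new folder and file names, carry entries for the SECCON 1 and 2 pages added later in the series, and fix `##Windows Security Blog Posts` (missing space after `##`, and it is the only heading here that is not a link) if it is copied over.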
diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md index 0ee6bba877..115f7495b7 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md @@ -1,6 +1,6 @@ --- -title: SECCON 3 Enterprise VIP Security -description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +title: SECCON 1 enterprise administrator security +description: This article, and the articles it links to, describe how to use the Windows SECCON framework in your organization keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 3 Enterprise VIP Security +# SECCON 1 security configuration for enterprise administrators **Applies to** @@ -22,3 +22,8 @@ ms.date: 04/05/2018 - Windows Server 2016 - Office 2016 + +Administrators (particularly of identity or security systems) present the highest risk to the organization−through data theft, data alteration, or service disruption. +SECCON 1 guidance to help protect devices used by administrators is coming soon! + + diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md index 0ee6bba877..3bd6d70cc8 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md 
@@ -1,6 +1,6 @@ --- -title: SECCON 3 Enterprise VIP Security -description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +title: SECCON 2 enterprise devops security +description: This article, and the articles it links to, describe how to use the Windows SECCON framework in your organization keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 3 Enterprise VIP Security +# SECCON 2 enterprise devops security **Applies to** @@ -22,3 +22,6 @@ ms.date: 04/05/2018 - Windows Server 2016 - Office 2016 +We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. SecCon 2 guidance is coming soon! + + diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md index 0ee6bba877..45d186bd76 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md @@ -1,6 +1,6 @@ --- title: SECCON 3 Enterprise VIP Security -description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +description: This article, and the articles it links to, describe how to use the Windows SECCON framework in your organization keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -22,3 +22,122 @@ ms.date: 04/05/2018 - Windows Server 2016 - Office 2016 +SECCON 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here. +A SECCON 3 configuration should include all the configurations from SECCON 5 and SECCON 4 and add the following security controls. + +## Behaviors + +The behaviors recommended in SECCON 3 represent the most sophisticated security +configuration. Removing admin rights can be difficult, but it is essential to +achieve a level of security commensurate with the risks facing the most targeted +organizations. + +| Feature Set | Feature | Description | +|--------------|----------|--------------| +| Remove Admin Rights | Remove as many users as possible from the local Administrators group, targeting 0. Microsoft recommends removing admin rights role by role. Some roles are more challenging, including:
- Developers, who often install rapidly iterating software which is difficult to package using current software distribution systems
- Scientists/ Doctors, who often must install and operate specialized hardware devices
- Remote locations with slow web links, where administration is delegated
It is typically easier to address these roles later in the process.
Microsoft recommends identifying the dependencies on admin rights and systematically addressing them:
- Legitimate use of admin rights: crowdsourced admin, where a new process is needed to complete that workflow
- Illegitimate use of admin rights: app compat dependency, where app remediation is the best path. The [Desktop App Assure](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-is-Desktop-App-Assure/ba-p/270232) program can assist with these app issues | Running as non-admin limits your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious code finds its way to one of those programs, it also gains unlimited access. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privileges. If you’re running as admin, an exploit can:
- install kernel-mode rootkits and/or keyloggers
- install and start services
- install ActiveX controls, including IE and shell add-ins
- access data belonging to other users
- cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
- replace OS and other program files with trojan horses
- disable/uninstall anti-virus
- cover its tracks in the event log
- render your machine unbootable | + +## Controls + +The controls enforced in SECCON 3 implement complex security configuration and controls. +They are likely to have a higher impact to users or to applications, +enforcing a level of security commensurate with the risks facing the most targeted organizations. +Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and the rings methodology for those that do +not. + +| Feature Set | Feature | Description | +|--------------|----------|--------------| +| Exploit protection | Enable exploit protection | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at the individual app level. | +| Windows Defender Application Control (WDAC) *or* AppLocker | Configure devices to use application whitelisting using one of the following approaches:
- AaronLocker (admin writeable areas) when software distribution is not always centralized
*or*
- Managed installer when all software is pushed through software distribution
*or*
- Explicit control when the software on a device is static and tightly controlled | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/). | + + +## Policies + +The policies enforced in SECCON 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using the rings methodology. + +### Security Template Policies + +| Feature | Policy Setting | Policy Value | Description | +|----------|-----------------|---------------|--------------| +| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/) | Account lockout duration | 15 | The number of minutes a locked-out account remains locked out before automatically becoming unlocked. | +| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/) | Account lockout threshold | 10 | The number of failed logon attempts that causes a user account to be locked out. 
| +| [Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/) | Reset account lockout counter after | 15 | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. | +| Password Policy | Maximum password age | 60 | The number of days that a password can be used before the system requires the user to change it. | +| Password Policy | Minimum password age | 1 | The number of days that a password must be used before a user can change it. | +| Security Options | Accounts: Administrator account status | Disabled | This security setting determines whether the local Administrator account is enabled or disabled. | +| Security Options | Accounts: Limit local account use of blank passwords to console logon only | Enabled | This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. | +| Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled | Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing Group Policy may override the subcategory settings of new machines as they are joined to the domain or upgraded. 
To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. | +| Security Options | Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. This setting determines whether all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
- Domain member: Digitally encrypt secure channel data (when possible)
- Domain member: Digitally sign secure channel data (when possible) | +| Security Options | Domain member: Digitally encrypt secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. | +| Security Options | Domain member: Digitally sign secure channel data (when possible) | Enabled | This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed, which ensures that it cannot be tampered with in transit. | +| Security Options | Interactive logon: Smart card removal behavior | Lock Workstation | This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. If you click **Lock Workstation** in the **Properties** for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart cards with them, and still maintain protected sessions. For this setting to work beginning with Windows Vista, the Smart Card Removal Policy service must be started. | +| Security Options | Microsoft network client: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB client component. 
| +| Security Options | Microsoft network server: Digitally sign communications (always) | Enabled | This security setting determines whether packet signing is required by the SMB server component. | +| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. | +| Security Options | Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. | +| Security Options | Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:
- Network access: Named pipes that can be accessed anonymously
- Network access: Shares that can be accessed anonymously | +| Security Options | Network security: Allow PKU2U authentication requests to this computer to use online identities. | Disabled | This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. | +| Security Options | Network security: LDAP client signing requirements | Negotiate signing | This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller. | +| Security Options | System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create. | +| Security Options | User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests | This policy setting controls the behavior of the elevation prompt for standard users. 
Automatically deny elevation requests: When an operation requires elevation of privilege, an access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. | + +### Computer Policies + +| Feature | Policy Setting | Policy Value | Description | +|----------|-----------------|---------------|--------------| +| Control Panel / Personalization | Prevent enabling lock screen camera | Enabled | Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings and the camera cannot be invoked on the lock screen. | +| Control Panel / Personalization | Prevent enabling lock screen slide show | Enabled | Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. if you enable this setting, users will no longer be able to modify slide show settings in PC Settings and no slide show will ever start. | +| Windows Defender SmartScreen / Explorer | Configure App Install Control | Allow apps from Store only | App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly. | +| System / Device Installation / Device Installation Restrictions | Prevent installation of devices that match any of these device IDs | Enabled | This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. 
This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in a list that you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. | +| System / Device Installation / Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes | Enabled | This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. | +| System / Internet Communication Management / Internet Communication settings | Turn off downloading of print drivers over HTTP | Enabled | This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP. 
It only prohibits downloading drivers that are not already installed locally. if you enable this policy setting, print drivers cannot be downloaded over HTTP. If you disable or do not configure this policy setting, users can download print drivers over HTTP. | +| System / Internet Communication Management / Internet Communication settings | Turn off printing over HTTP | Enabled | This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. Note: This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP. if you enable this policy setting, it prevents this client from printing to Internet printers over HTTP. If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers. | +| System / Logon | Enumerate local users on domain-joined computers | Disabled | This policy setting allows local users to be enumerated on domain-joined computers. if you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers. | +| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (on battery) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. 
| +| System / Power Management / Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | This policy setting manages whether Windows can use standby states when putting the computer in a sleep state. If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep state. If you disable this policy setting standby states (S1-S3) are not allowed. | +| Windows Components / BitLocker Drive Encryption / Operating System Drives | Configure minimum PIN length for startup | Enabled: 7 | This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. if you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits. By default, the value is 6 digits. NOTE: If minimum PIN length is set below 6 digits Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. | +| Windows Components / BitLocker Drive Encryption / Removable Data Drives | Deny write access to removable drives not protected by BitLocker | Enabled | This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. 
If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the policy settings under User Configuration\\Administrative Templates\\System\\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled, this policy setting will be ignored. | +| Windows Components / Cloud Content | Turn off Microsoft consumer experiences | Enabled | This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. if you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do not configure this policy setting, users may see suggestions from Microsoft and notifications about their Microsoft account. Note: This setting only applies to Enterprise and Education SKUs. | +| Windows Components / Credential User Interface | Enumerate administrator accounts on elevation | Disabled | This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. if you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. 
If you disable this policy setting users will always be required to type a user name and password to elevate. | +| Windows Components / Microsoft Edge | Configure Password Manager | Disabled | This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default, Password Manager is turned on. if you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting employees can't use Password Manager to save their passwords locally. If you don't configure this setting employees can choose whether to use Password Manager to save their passwords locally. | +| Windows Components / Remote Desktop Services / Remote Desktop | Do not allow drive redirection | Enabled | This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format \ on \. You can use this policy setting to override this behavior. if you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions and Clipboard file copy redirection is not allowed on computers running Windows Server 2003 Windows 8 and Windows XP. If you disable this policy setting client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. If you do not configure this policy setting client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. | +| Windows Components / RSS Feeds | Prevent downloading of enclosures | Enabled | This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. 
if you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs. | +| Windows Components / Search | Allow indexing of encrypted files | Disabled | This policy setting allows encrypted items to be indexed. if you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting the local setting configured through Control Panel will be used. By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. 
| +| Windows Components / Windows Ink Workspace | Allow Windows Ink Workspace | On, but disallow access above lock | Allow Windows Ink Workspace | + +### IE Computer Policies + +| Feature | Policy Setting | Policy Value | Description | +|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Windows Components / Internet Explorer | Prevent per-user installation of ActiveX controls | Enabled | This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis. If you enable this policy setting, ActiveX controls cannot be installed on a per-user basis. | +| Windows Components / Internet Explorer | Security Zones: Do not allow users to add/delete sites | Enabled | Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level. If you enable this policy, the site management settings for security zones are disabled. | +| Windows Components / Internet Explorer | Security Zones: Do not allow users to change policies | Enabled | Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled. 
| +| Windows Components / Internet Explorer | Security Zones: Use only machine settings | Enabled | Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level. If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer. | +| Windows Components / Internet Explorer | Turn off Crash Detection | Enabled | This policy setting allows you to manage the crash detection feature of add-on Management. If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely, to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply. | +| Windows Components / Internet Explorer | Turn off the Security Settings Check feature | Disabled | This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | Enabled | This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Enabled | This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn on Enhanced Protected Mode | Enabled | Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Intranet Sites: Include all network paths (UNCs) | Disabled | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow drag and drop or copy and paste files | Enabled: Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow loading of XAML files | Enabled: Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use ActiveX controls without prompt | Enabled: Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow only approved domains to use the TDC ActiveX control | Enabled: Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scripting of Internet Explorer WebBrowser controls | Enabled: Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow scriptlets | Enabled: Disable | This policy setting allows you to manage whether the user can run scriptlets. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow updates to status bar via script | Enabled: Disable | This policy setting allows you to manage whether script can update the status bar within the zone. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow VBScript to run in Internet Explorer | Enabled: Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download signed ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Include local path when user is uploading files to a server | Enabled: Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Web sites in less privileged Web content zones can navigate into this zone | Enabled: Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. 
| + +### IE User Policies + +| Feature | Policy Setting | Policy Value | Description | +|----------|-----------------|--------------|--------------| +| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. | + + + + From b81534b16aa281dc14b161f73d4b539f02edc888 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 8 Apr 2019 11:25:45 -0700 Subject: [PATCH 18/51] updated descriptions --- .../seccon-2-enterprise-devops-security.md | 4 ++-- .../seccon-3-enterprise-VIP-security.md | 2 +- .../seccon-4-enterprise-high-security.md | 4 ++-- .../windows-seccon-framework/seccon-5-enterprise-security.md | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md index 3bd6d70cc8..276b177186 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md @@ -14,8 +14,8 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 2 enterprise devops security - +# SECCON 2 security configuration for enterprise dev/ops + **Applies to** - Windows 10 diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md index 45d186bd76..9264d4914a 100644 
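Review bot: In the SECCON 5 Computer Policies hunk above (the one that ends with the IE User Policies table), the descriptions for the Cloud Content, Credential User Interface, Microsoft Edge, Remote Desktop, RSS Feeds and Search rows each start a sentence with lowercase "if you enable this policy setting" while the paired "If you disable" sentences are capitalized; capitalize them so the rows read consistently. In the "Do not allow drive redirection" row, "in the format \ on \" has lost the drive-letter and computer-name placeholders between the backslashes (they look to have been dropped as HTML-style angle brackets); either restore them escaped for Markdown or remove the phrase, since as written it is meaningless. The "Allow Windows Ink Workspace" row repeats the policy name as its description; like the other rows it should state what the "On, but disallow access above lock" value actually does.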
--- a/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md @@ -14,7 +14,7 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 3 Enterprise VIP Security +# SECCON 3 security configuration for enterprise VIPs **Applies to** diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md index 18545b8fa1..45774709d6 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md @@ -1,6 +1,6 @@ --- title: SECCON 4 Enterprise High Security -description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +description: This article, and the articles it links to, describe how to use the Windows SECCON framework in your organization keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 4 Enterprise High Security +# SECCON 4 security configuration for enterprise high security **Applies to** diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md index d7f4409b58..5097d6f911 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md @@ -14,7 +14,7 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 5 Enterprise Security +# SECCON 5 security configuration for enterprise security **Applies to** 
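Review bot: In the first hunk for seccon-4-enterprise-high-security.md, the `description:` line is updated to refer to the Windows SECCON framework but `title: SECCON 4 Enterprise High Security` is left as is, while the second hunk renames the H1 to "SECCON 4 security configuration for enterprise high security"; update `title:` to match the new H1 so the page title and heading agree. It is worth checking whether the `title:` lines of the other three files, which are outside the shown hunks, need the same change.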
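Review bot: The new H1 in the seccon-5-enterprise-security.md hunk, "SECCON 5 security configuration for enterprise security", is redundant ("security configuration for ... security"). The other three renames in this patch follow the pattern "security configuration for enterprise <audience>" (dev/ops, VIPs, high security), so a heading such as "SECCON 5 security configuration for enterprise devices" would keep the set consistent and read naturally.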
From cc6223daecf17e9d48bd47196bacaa99dbce873d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 8 Apr 2019 11:46:32 -0700 Subject: [PATCH 19/51] added seccon 4 --- .../seccon-4-enterprise-high-security.md | 186 ++++++++++++++++++ 1 file changed, 186 insertions(+) diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md index 45774709d6..17d3cef98a 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md 
@@ -22,3 +22,189 @@ ms.date: 04/05/2018 - Windows Server 2016 - Office 2016 +SECCON 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most Enterprise organizations. +A SECCON 4 configuration should include all the configurations from SECCON 5 and add the following security controls. + +## Behaviors + +The behaviors recommended in SECCON 4 implement a more sophisticated security +process. While they may require a more sophisticated organization, they enforce +a level of security more commensurate with the risks facing users with access to +sensitive information. + +| Feature Set| Feature | Description | +|------------|----------|--------------| +| Antivirus | Configure Protection Updates to failover to retrieval from Microsoft | Sources for Windows Defender Antivirus Protection Updates can be provided in an ordered list. If you are using internal distribution, such as SCCM or WSUS, configure Microsoft Update lower in the list as a failover. | +| OS Security Updates | Deploy Windows Quality Updates within 4 days | As the time between release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, engineering a process that provides the ability to validate and deploy quality updates addressing known security vulnerabilities is a critical aspect of security hygiene.| +| Helpdesk| 1:1 Administration| A simple and common model for helpdesk support is to add the Helpdesk group as a permanent member of the Local Administrators group of every device. If any device is compromised and helpdesk can connect to it, then these credentials can be used to obtain privilege on any / all other devices. 
Design and implement a strategy to provide helpdesk support without providing 1:all admin access – constraining the value of these Helpdesk credentials | + +## Controls + +The controls enforced in SECCON 4 implement more controls and a more sophisticated security +configuration than SECCON 5. While they may have a slightly higher impact to +users or to applications, they enforce a level of security more commensurate +with the risks facing users with access to sensitive information. Microsoft +recommends using the Audit/Enforce methodology for controls with an Audit mode, +and the rings methodology for those that do not, with a moderate timeline that +is anticipated to be slightly longer than the process in SECCON 5. + +| Feature Set | Feature | Description | +|-------------------------------------------------------------|-------------------------------------------------------|----------------| +| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
- Control flow guard (CFG)
- Data Execution Protection (DEP)
- Mandatory ASLR
- Bottom-Up ASLR
- High-entropy ASLR
- Validate Exception Chains (SEHOP)
- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using the Rings methodology. | +| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and Enforce Attack Surface Reduction Rules:
- Block executable content from email client and webmail
- Block all Office applications from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block JavaScript or VBScript from launching downloaded executable content
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macro
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block Office communication applications from creating child processes
- Block Adobe Reader from creating child processes
| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode | +| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. | + +## Policies + +The policies enforced in SECCON 4 implement more controls and a more sophisticated security +configuration than SECCON 5. While they may have a slightly higher impact to +users or to applications, they enforce a level of security more commensurate +with the risks facing users with access to sensitive information. Microsoft +recommends using the rings methodology for these security configurations and +controls, with a moderate timeline that is anticipated to be slightly longer +than the process in SECCON 5. 
+ +### Security Template Policies + +| Feature | Policy Setting | Policy Value | Description | +|------------------------|-------------------------------------------------------------------------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Security Options | Microsoft network client: Send unencrypted password to third party | Disabled | If this security setting is enabled, the Server Message Block (SMB) redirector can send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. | +| Security Options | Network access: Allow anonymous SID/Name translation | Disabled | This security setting determines if an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, a user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. | +| Security Options | Network access: Restrict clients allowed to make remote calls to SAM | Enabled: Administrators (allowed) | This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used. 
| +| Security Options | Network security: Allow LocalSystem NULL session fallback | Disabled | Allow NTLM to fall back to NULL session when used with LocalSystem | +| Security Options | Network security: Do not store LAN Manager hash value on next password change | Enabled | This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. | +| Security Options | Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send NTLMv2 response only\\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). | +| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. | +| Security Options | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security and Require 128-bit encryption | This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. 
These values are dependent on the LAN Manager Authentication Level security setting value. | +| Security Options | User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows | +| User Rights Assignment | Access this computer from the network | Administrators; Remote Desktop Users | This user right determines which users and groups can connect to the computer over the network. Remote Desktop Services are not affected by this user right. | +| User Rights Assignment | Enable computer and user accounts to be trusted for delegation | No One (blank) | This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. | +| User Rights Assignment | Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service | Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. | +| User Rights Assignment | Lock pages in memory | No One (blank) | This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. 
Exercising this privilege could significantly affect system performance by decreasing the amount of available random-access memory (RAM). | +| User Rights Assignment | Perform volume maintenance tasks | Administrators | This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. | +| User Rights Assignment | Profile single process | Administrators | This security setting determines which users can use performance monitoring tools to monitor the performance of non-system processes. | + +### Computer Policies + +| Feature | Policy Setting | Policy Value | Description | +|---------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Network / Network Connections | Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled | Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. | +| Network / Network Provider | Hardened UNC Paths | Enabled: \\\\\*\\SYSVOL and \\\\\*\\NETLOGON RequireMutualAuthentication = 1, RequireIntegrity = 1 | This policy setting configures secure access to UNC paths. 
If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. | +| Network / Windows Connection Manager | Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled | This policy setting prevents computers from connecting to both a domain-based network and a non-domain-based network at the same time. | +| Network / WLAN Service / WLAN Settings | Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts and to hotspots offering paid services | Disabled | This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services". | +| System / Credentials Delegation | Remote host allows delegation of non-exportable credentials | Enabled | When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode. | +| System / Device Guard | Turn on Virtualization Based Security | Enabled: Virtualization-Based Protection of Code Integrity – Enabled with UEFI Lock | This setting enables virtualization-based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced, and the Code Integrity validation path is protected by the Virtualization Based Security feature. | +| System / Internet Communication Management / Internet Communication | Turn off Internet download for Web publishing and online ordering wizards | Enabled | This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. 
These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry. | +| System / Logon | Turn on convenience PIN sign-in | Disabled | This policy setting allows you to control whether a domain user can sign in using a convenience PIN. | +| System / Remote Assistance | Configure Solicited Remote Assistance | Disabled | This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. | +| Windows Components / File Explorer | Turn off Data Execution Prevention for Explorer | Disabled | Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. | +| Windows Components / File Explorer | Turn off heap termination on corruption | Disabled | Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. | +| Windows Components / Remote Desktop Services / Remote Desktop Connection Client | Do not allow passwords to be saved | Enabled | Controls whether passwords can be saved on this computer from Remote Desktop Connection. | +| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Always prompt for password upon connection | Enabled | This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. 
| +| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Require secure RPC communication | Enabled | Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. | +| Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security | Set client connection encryption level | Enabled: High Level | Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. | +| Windows Components / Windows Security / App and browser protection | Prevent users from modifying settings | Enabled | Prevent users from making changes to the Exploit protection settings area in Windows Security. | +| Windows Components / Windows Game Recording and Broadcasting | Enables or disables Windows Game Recording and Broadcasting | Disabled | This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. | +| Windows Components / Windows PowerShell | Turn on PowerShell Script Block Logging | Enabled | This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. | +| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. 
| +| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Disallow Digest authentication | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication. | +| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow Basic authentication | Disabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. | +| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Disallow WinRM from storing RunAs credentials | Enabled | This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. | + +### Windows Defender Antivirus Policies + +| Feature | Policy Setting | Policy Value | Description | +|-------------------------------------------------|-----------------------------------------------------------|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Windows Components / Windows Defender Antivirus | Configure Detection for Potentially Unwanted Applications | Enabled: Block | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. 
| + +### IE Computer Policies + +| Feature | Policy Setting | Policy Value | Description | +|---------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious. | +| Windows Components / Internet Explorer | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | Enabled | This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet. 
| +| Windows Components / Internet Explorer | Specify use of ActiveX Installer Service for installation of ActiveX controls | Enabled | This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. | +| Windows Components / Internet Explorer / Internet Control Panel | Prevent ignoring certificate errors | Enabled | This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Allow software to run or install even if the signature is invalid | Disabled | This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for signatures on downloaded programs | Enabled | This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Turn off encryption support | Enabled: Use | This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. 
When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page | Turn on certificate address mismatch warning | Enabled | This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Automatic prompting for file downloads | Enabled: Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Download unsigned ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains across windows | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Enable dragging of content from different domains within a window | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. 
Custom, to control permissions settings individually. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Launching applications and files in an IFRAME | Enabled: Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Logon options | Enabled: Prompt for user name and password | This policy setting allows you to manage settings for logon options. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components not signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Show security warning for potentially unsafe files | Enabled: Prompt | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Userdata persistence | Enabled: Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Intranet Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Local Machine Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow active scripting | Enabled: Disable | This policy setting allows you to manage whether script code on pages in the zone is run. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow binary and script behaviors | Enabled: Disable | This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow cut copy or paste operations from the clipboard via script | Enabled: Disable | This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow drag and drop or copy and paste files | Enabled: Disable | This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow file downloads | Enabled: Disable | This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow loading of XAML files | Enabled: Disable | This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow META REFRESH | Enabled: Disable | This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download signed ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use ActiveX controls without prompt | Enabled: Enable | This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow only approved domains to use the TDC ActiveX control | Enabled: Enable | This policy setting controls whether the user can run the TDC ActiveX control on websites. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scripting of Internet Explorer WebBrowser controls | Enabled: Disable | This policy setting determines whether a page can control embedded WebBrowser controls via script. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow script-initiated windows without size or position constraints | Enabled: Disable | This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow scriptlets | Enabled: Disable | This policy setting allows you to manage whether the user can run scriptlets. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow updates to status bar via script | Enabled: Disable | This policy setting allows you to manage whether script can update the status bar within the zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow VBScript to run in Internet Explorer | Enabled: Disable | This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Automatic prompting for file downloads | Enabled: Disable | This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Download unsigned ActiveX controls | Enabled: Disable | This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains across windows | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Enable dragging of content from different domains within a window | Enabled: Disable | This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Include local path when user is uploading files to a server | Enabled: Disable | This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Java permissions | Enabled: Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Launching applications and files in an IFRAME | Enabled: Disable | This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Logon options | Enabled: Anonymous logon | This policy setting allows you to manage settings for logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Navigate windows and frames across different domains | Enabled: Disable | This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components not signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run .NET Framework-reliant components signed with Authenticode | Enabled: Disable | This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Run ActiveX controls and plugins | Enabled: Disable | This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Script ActiveX controls marked safe for scripting | Enabled: Disable | This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Scripting of Java applets | Enabled: Disable | This policy setting allows you to manage whether applets are exposed to scripts within the zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Show security warning for potentially unsafe files | Enabled: Disable | This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you disable this policy setting, these files do not open. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Userdata persistence | Enabled: Disable | This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Web sites in less privileged Web content zones can navigate into this zone | Enabled: Disable | This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Initialize and script ActiveX controls not marked as safe | Enabled: Disable | This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Java permissions | Enabled: High Safety | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. High Safety enables applets to run in their sandbox. | +| Windows Components / Internet Explorer / Security Features / Add-on Management | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | Enabled | This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. 
| +| Windows Components / Internet Explorer / Security Features / Add-on Management | Turn off blocking of outdated ActiveX controls for Internet Explorer | Disabled | This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone. | +| Windows Components / Internet Explorer / Security Features / Consistent Mime Handling | Internet Explorer Processes | Enabled | Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. | +| Windows Components / Internet Explorer / Security Features / Mime Sniffing Safety Feature | Internet Explorer Processes | Enabled | This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. | +| Windows Components / Internet Explorer / Security Features / MK Protocol Security Restriction | Internet Explorer Processes | Enabled | The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail. 
| +| Windows Components / Internet Explorer / Security Features / Notification Bar | Internet Explorer Processes | Enabled | This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. | +| Windows Components / Internet Explorer / Security Features / Protection from Zone Elevation | Internet Explorer Processes | Enabled | Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. | +| Windows Components / Internet Explorer / Security Features / Restrict ActiveX Install | Internet Explorer Processes | Enabled | This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes. | +| Windows Components / Internet Explorer / Security Features / Restrict File Download | Internet Explorer Processes | Enabled | This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. 
| +| Windows Components / Internet Explorer / Security Features / Scripted Window Security Restrictions | Internet Explorer Processes | Enabled | Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. | + +### Custom Policies + +| Feature | Policy Setting | Policy Value | Description | +|-------------------|---------------------------------|-------------------------|------------------------| +| MS Security Guide | Configure SMB v1 server | Disabled | Disable or enable server-side processing of the SMBv1 protocol | +| MS Security Guide | Configure SMB v1 client driver | Enabled: Disable driver | Configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\\SYSTEM\\CurrentControlSet\\Services\\MrxSmb10. | +| MS Security Guide | Enabled Structured Exception Handling Overwrite Protection (SEHOP)| Enabled | This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems. 
| +| MS Security Guide | WDigest Authentication | Disabled | When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. WDigest is disabled by default in Windows 10. This setting ensures this is enforced. | +| MS Security Guide | Block Flash activation in Office documents | Enabled | Prevents the Adobe Flash ActiveX control from being loaded by Office applications. | +| MSS (Legacy) | MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. | +| MSS (Legacy) | MSS: (DisableIPSourceRouting) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. | +| MSS (Legacy) | MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first. | +| MSS (Legacy) | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | Prevents a denial-of-service (DoS) attack against a WINS server. The DoS consists of sending a NetBIOS Name Release Request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability. | From 42da439d2e0f204036e005baabfa1623b4306027 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 8 Apr 2019 11:53:05 -0700 Subject: [PATCH 20/51] added controls --- .../seccon-5-enterprise-security.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) 
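Review bot: the SEHOP row in the Custom Policies table names the setting "Enabled Structured Exception Handling Overwrite Protection (SEHOP)", but every other row in the Policy Setting column gives the setting's name rather than its state, so this reads as a typo for "Enable ..."; and its description ends with "Windows users who are running any of the above operating systems", a reference that points at nothing in this table. Suggest dropping that sentence or rewording it to stand on its own, e.g. "Enabling this feature improves the security profile of the system." Also, the EnableICMPRedirect description "this forces ICMP to be routed via shortest path first" misstates the effect: with the setting disabled, ICMP redirect messages can no longer override OSPF-generated routes; ICMP itself is not what is being routed.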
diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md index 5097d6f911..4f8a1253d2 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md 
@@ -22,3 +22,23 @@ ms.date: 04/05/2018 - Windows Server 2016 - Office 2016 +## Behaviors + +The behaviors recommended in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. + +| Feature | Config | Description | +|---------|-------------------|-------------| +| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. | + +## Controls + +The controls enabled in SECCON 5 enforce a reasonable security level while minimizing the impact to users and applications. + +| Feature | Config | Description | +|-----------------------------------|-------------------------------------|--------------------| +| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. 
| +| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the ring methodology. | +| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using the rings methodology. | +| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. 
If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using the rings methodology. | + +## Policies \ No newline at end of file From 5ab744e07698b2f7e1a4981cb999889a12d77c86 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 8 Apr 2019 11:55:29 -0700 Subject: [PATCH 21/51] added secon 5 policies --- .../seccon-5-enterprise-security.md | 200 +++++++++++++++++- 1 file changed, 199 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md index 4f8a1253d2..17e575950c 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md 
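Review bot: in the Controls table the Windows Defender ATP EDR description contains a sentence fragment, "EDR helps security analysts , and aggregates alerts ...", where the object of "helps" is missing (and "an an entity" is doubled); suggest something like "EDR helps security analysts investigate and respond to threats, and aggregates alerts with the same attack techniques or attributed to the same attacker into an entity called an *incident*." The Credential Guard row also has "Keberos TGT" for "Kerberos TGT". Finally, the new "## Policies" heading is added with no body and no trailing newline ("\ No newline at end of file"); since the following commit supplies the content, either squash that content into this commit or leave the heading out until it has a body, so the page never builds with an empty section.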
@@ -41,4 +41,202 @@ The controls enabled in SECCON 5 enforce a reasonable security level while minim | [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using the rings methodology. | | [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using the rings methodology. | -## Policies \ No newline at end of file +## Policies + +The policies in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. 
+Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls. + +### Security Template Policies + +| Feature | Policy Setting | Policy Value | Description | +|-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. | +| Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. | +| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2) Contain characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
-Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. | +| Password Policy | Store passwords using reversible encryption | Disabled | Determines whether the operating system stores passwords using reversible encryption. | +| Security Options | Accounts: Guest account status | Disabled | Determines if the Guest account is enabled or disabled. | +| Security Options | Domain member: Disable machine account password changes | Disabled | Determines whether a domain member periodically changes its computer account password. | +| Security Options | Domain member: Maximum machine account password age | 30 | Determines how often a domain member will attempt to change its computer account password | +| Security Options | Domain member: require strong (Windows 2000 or later) session key | Enabled | Determines whether 128-bit key strength is required for encrypted secure channel data | +| Security Options | Interactive logon: Machine inactivity limit | 900 | The number of seconds of inactivity before the session is locked | +| Security Options | User Account Control: Admin approval mode for the built-in administrator | Enabled | The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation | +| Security Options | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. 
| +| Security Options | User Account Control: Detect application installations and prompt for elevation | Enabled | When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. | +| Security Options | User Account Control: Run all Administrators in admin approval mode | Enabled | This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. | +| Security Options | User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. | +| User Rights Assignments | Access Credential Manager as a trusted caller | No One (blank) | This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities. | +| User Rights Assignments | Act as part of the operating system | No One (blank) | This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. 
| +| User Rights Assignments | Allow log on locally | Administrators; Users | Determines which users can log on to the computer | +| User Rights Assignments | Back up files and directories | Administrators | Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system | +| User Rights Assignments | Create a pagefile | Administrators | Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file | +| User Rights Assignments | Create a token object | No One (blank) | Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. | +| User Rights Assignments | Create global objects | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE | This security setting determines whether users can create global objects that are available to all sessions. | +| User Rights Assignments | Create permanent shared objects | No One (blank) | Determines which accounts can be used by processes to create a directory object using the object manager | +| User Rights Assignments | Create symbolic links | Administrators | Determines if the user can create a symbolic link from the computer he is logged on to | +| User Rights Assignments | Debug programs | Administrators | Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. 
| +| User Rights Assignments | Deny access to this computer from the network | Guests; NT AUTHORITY\\Local Account | Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. | +| User Rights Assignments | Deny log on locally | Guests | Determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. | +| User Rights Assignments | Deny log on through Remote Desktop Services | Guests; NT AUTHORITY\\Local Account | Determines which users and groups are prohibited from logging on as a Remote Desktop Services client | +| User Rights Assignments | Force shutdown from a remote system | Administrators | Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. | +| User Rights Assignments | Increase scheduling priority | Administrators | Determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| User Rights Assignments | Load and unload device drivers | Administrators | Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| User Rights Assignments | Manage auditing and security log | Administrators | Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. 
| +| User Rights Assignments | Modify firmware environment variables | Administrators | Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. | +| User Rights Assignments | Restore files and directories | Administrators | Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object | +| User Rights Assignments | Take ownership of files or other objects | Administrators | Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads | + +### Advanced Audit Policies + +| Feature | Policy Setting | Policy Value | Description | +|--------------------|---------------------------------------|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Account Logon | Audit Credential Validation | Success and Failure | Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials. | +| Account Management | Audit Security Group Management | Success | Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type. 
| +| Account Management | Audit User Account Management | Success and Failure | Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials | +| Detailed Tracking | Audit PNP Activity | Success | Audit when plug and play detects an external device | +| Detailed Tracking | Audit Process Creation | Success | Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited | +| Logon/ Logoff | Audit Account Lockout | Failure | Audit events generated by a failed attempt to log on to an account that is locked out | +| Logon/ Logoff | Audit Group Membership | Success | Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. 
| +| Logon/ Logoff | Audit Logon | Success and Failure | Audit events generated by user account logon attempts on the computer | +| Logon/ Logoff | Audit Other Logon / Logoff Events | Success and Failure | Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account | +| Logon/ Logoff | Audit Special Logon | Success | Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network) | +| Object Access | Audit Detailed File Share | Failure | Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed | +| Object Access | Audit File Share | Success and Failure | Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder | +| Object Access | Audit Other Object Access Events | Success and Failure | Audit events generated by the management of task scheduler jobs or COM+ objects | +| Object Access | Audit Removable Storage | Success and Failure | Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. 
| +| Policy Change | Audit Audit Policy Change | Success | Audit changes in the security audit policy settings | +| Policy Change | Audit Authentication Policy Change | Success | Audit events generated by changes to the authentication policy | +| Policy Change | Audit MPSSVC Rule-Level Policy Change | Success and Failure | Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. | +| Policy Change | Audit Other Policy Change Events | Failure | Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications | +| Privilege Use | Audit Sensitive Privilege Use | Success and Failure | Audit events generated when sensitive privileges (user rights) are used | +| System | Audit Other System Events | Success and Failure | Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations. | +| System | Audit Security State Change | Success | Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. 
| +| System | Audit Security System Extension | Success | Audit events related to security system extensions or services | +| System | Audit System Integrity | Success and Failure | Audit events that violate the integrity of the security subsystem | + +### Windows Defender Firewall Policies + +| Feature | Policy Setting | Policy Value | Description | +|----------------------------|---------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a domain connection | +| Domain Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a domain connection | +| Domain Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a domain connection | +| Domain Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile | +| Domain Profile / State | Firewall State | On | Enables the firewall when connected to the domain profile | +| Domain Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile | +| Private Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a private connection | +| Private Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a private connection | +| Private Profile / Logging | Size limit | 16384 | Sets the firewall log file size for a private connection | +| Private Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile 
| +| Private Profile / State | Firewall state | On | Enables the firewall when connected to the private profile | +| Private Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile | +| Public Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a public connection | +| Public Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a public connection | +| Public Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a public connection | +| Public Profile / Settings | Apply local connection security rules | No | Ensures local connection rules will not be merged with Group Policy settings in the domain | +| Public Profile / Settings | Apply local firewall rules | No | Users cannot create new firewall rules | +| Public Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile | +| Public Profile / State | Firewall state | On | Enables the firewall when connected to the public profile | +| Public Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile | + +### Computer Policies + +| Feature | Policy Setting | Policy Value | Description | 
+|---------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Network / Lanman Workstation | Enable insecure guest logons | Disabled | Determines if the SMB client will allow insecure guest logons to an SMB server | +| System / Device Guard | Turn on Virtualization Based Security | Enabled: SecureBoot and DMA Protection | Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. | +| System / Early Launch Antimalware | Boot-Start Driver Initialization Policy | Enabled: Good, Unknown and bad but critical | Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. 
| +| System / Power Management / Sleep Settings | Require a password when a computer wakes (on battery) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep | +| System / Power Management / Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep | +| System / Remote Procedure Call | Restrict Unauthenticated RPC clients | Enabled: Authenticated | Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. | +| Windows Components / App runtime | Allow Microsoft accounts to be optional | Enabled | Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. | +| Windows Components / AutoPlay Policies | Disallow Autoplay for non-volume devices | Enabled | Disallows AutoPlay for MTP devices like cameras or phones. | +| Windows Components / AutoPlay Policies | Set the default behavior for AutoRun | Enabled: Do not execute any autorun commands | Sets the default behavior for Autorun commands. | +| Windows Components / AutoPlay Policies | Turn off Autoplay | Enabled: All Drives | Allows you to turn off the Autoplay feature. | +| Windows Components / Biometrics / Facial Features | Configure enhanced anti-spoofing | Enabled | Determines whether enhanced anti-spoofing is required for Windows Hello face authentication | +| Windows Components / BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10) | Enabled: XTA-AES-256 for operating system drives and fixed drives and AES-CBC-256 for removable drives | Allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. 
| +| Windows Components / BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows | +| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow enhanced PINs for startup | Enabled | Allows you to configure whether enhanced startup PINs are used with BitLocker | +| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow Secure Boot for integrity validation | Enabled | Allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. | +| Windows Components / Event Log Service / Application | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. | +| Windows Components / Event Log Service / Security | Specify the maximum log file size (KB) | Enabled: 196608 | Specifies the maximum size of the log file in kilobytes. | +| Windows Components / Event Log Service / System | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. | +| Windows Components / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software | +| Windows Components / Windows Defender SmartScreen / Explorer | Configure Windows Defender SmartScreen | Warn and prevent bypass | Allows you to turn Windows Defender SmartScreen on or off | +| Windows Components / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files | Enabled | This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. 
| +| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites | Enabled | Lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites | +| Windows Components / Windows Installer | Allow user control over installs | Disabled | Permits users to change installation options that typically are available only to system administrators | +| Windows Components / Windows Installer | Always install with elevated privileges | Disabled | Directs Windows Installer to use elevated permissions when it installs any program on the system | +| Windows Components / Windows Logon Options | Sign-in last interactive user automatically after a system-initiated restart | Disabled | Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system | +| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network | +| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. 
| + +### Windows Defender Antivirus Policies + +| Feature | Policy Setting | Policy Value | Description | +|------------------------------------------------------------------------|-----------------------------------------------------------|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Windows Components / Windows Defender Antivirus | Turn off Windows Defender Antivirus | Disabled | Turns off Windows Defender Antivirus | +| Windows Components / Windows Defender Antivirus | Configure detection for potentially unwanted applications | Enabled: Audit | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. | +| Windows Components / Windows Defender Antivirus / MAPS | Join Microsoft MAPS | Enabled: Advanced MAPS | Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. | +| Windows Components / Windows Defender Antivirus / MAPS | Send file samples when further analysis is required | Enabled: Send safe samples | Configures behavior of samples submission when opt-in for MAPS telemetry is set | +| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn off real-time protection | Disabled | Turns off real-time protection prompts for known malware detection | +| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn on behavior monitoring | Enabled | Allows you to configure behavior monitoring. 
| +| Windows Components / Windows Defender Antivirus / Scan | Scan removable drives | Enabled | Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. | +| Windows Components / Windows Defender Antivirus / Scan | Specify the interval to run quick scans per day | 24 | Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). | +| Windows Components / Windows Defender Antivirus / Scan | Turn on e-mail scanning | Enabled | Allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments | + +### User Policies + +| Feature | Policy Setting | Policy Value | Description | +|----------------------------------------|-------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. 
| +| Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers | + +### IE Computer Policies + +| Feature | Policy Setting | Policy Value | Description | +|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Windows Components / Internet Explorer | Prevent managing SmartScreen Filter | Enabled: On | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for server certificate revocation | Enabled | Allows you to manage whether Internet Explorer will check revocation status of servers' certificates | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Java permissions | Enabled: High Safety | Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Enabled: Enable | | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Security Features | Allow fallback to SSL 3.0 (Internet Explorer) | Enabled: No sites | Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. | + +### LAPS + +Download and install the [Microsoft Local Admin Password Solution](https://www.microsoft.com/download/details.aspx?id=46899). 
+ +| Feature | Policy Setting | Policy Value | Description | +|---------|----------------------------------------|--------------|-------------------------------| +| LAPS | Enable local admin password management | Enabled | Activates LAPS for the device | + +### Custom Policies + +| Feature | Policy Setting | Policy Value | Description | +|-----------------------------------------------------------------------|-----------------------------------------------------------|--------------|---------------------------------------------------------------------------------------| +| Computer Configuration / Administrative Templates / MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled | Filters the user account token for built-in administrator accounts for network logons | + +### Services + +| Feature | Policy Setting | Policy Value | Description | +|----------------|-----------------------------------|--------------|-----------------------------------------------------------------------------------| +| Scheduled Task | XblGameSaveTask | Disabled | Syncs save data for Xbox Live save-enabled games | +| Services | Xbox Accessory Management Service | Disabled | Manages connected Xbox accessories | +| Services | Xbox Game Monitoring | Disabled | Monitors Xbox games currently being played | +| Services | Xbox Live Auth Manager | Disabled | Provides authentication and authorization services for interactive with Xbox Live | +| Services | Xbox Live Game Save | Disabled | Syncs save data for Xbox live save enabled games | +| Services | Xbox Live Networking Service | Disabled | Supports the Windows.Networking.XboxLive API \ No newline at end of file From fb3ed08be97a3e52d8166552e872c2a16d80313a Mon Sep 17 00:00:00 2001 
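Review bot: In the Computer Policies table, the BitLocker "Choose drive encryption method and cipher strength (Windows 10)" row gives the value "XTA-AES-256"; the BitLocker method is named XTS-AES-256, so this is a typo that an administrator copying the value into a GPO will not be able to match. Several descriptions in this file also contradict their Policy Value: the three "Display a notification | No" rows in the Windows Defender Firewall Policies table describe notifications as "enabled", and the "Allow fallback to SSL 3.0 (Internet Explorer) | Enabled: No sites" row in the IE Computer Policies table says Internet Explorer "will attempt to connect to sites using SSL 3.0 or below", which is the behavior the "No sites" value is there to block. Please reword those to describe the configured behavior, fill in the empty Description for "Locked-Down Trusted Sites Zone | Java permissions", and change "interactive with Xbox Live" to "interacting with Xbox Live" in the Services table.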
From: Justin Hall Date: Mon, 8 Apr 2019 12:02:43 -0700 Subject: [PATCH 22/51] added link to rings method --- .../seccon-3-enterprise-VIP-security.md | 4 ++-- .../seccon-4-enterprise-high-security.md | 6 +++--- .../seccon-5-enterprise-security.md | 7 +++++-- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md index 9264d4914a..17990975e7 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md @@ -41,7 +41,7 @@ organizations. The controls enforced in SECCON 3 implement complex security configuration and controls. They are likely to have a higher impact to users or to applications, enforcing a level of security commensurate with the risks facing the most targeted organizations. -Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and the rings methodology for those that do +Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not. | Feature Set | Feature | Description | 
@@ -52,7 +52,7 @@ not. ## Policies -The policies enforced in SECCON 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using the rings methodology. +The policies enforced in SECCON 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). ### Security Template Policies diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md index 17d3cef98a..7fe9cc64a6 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md 
@@ -45,12 +45,12 @@ configuration than SECCON 5. While they may have a slightly higher impact to users or to applications, they enforce a level of security more commensurate with the risks facing users with access to sensitive information. Microsoft recommends using the Audit/Enforce methodology for controls with an Audit mode, -and the rings methodology for those that do not, with a moderate timeline that +and t[the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that is anticipated to be slightly longer than the process in SECCON 5. | Feature Set | Feature | Description | |-------------------------------------------------------------|-------------------------------------------------------|----------------| -| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
- Control flow guard (CFG)
- Data Execution Protection (DEP)
- Mandatory ASLR
- Bottom-Up ASLR
- High-entropy ASLR
- Validate Exception Chains (SEHOP)
- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using the Rings methodology. | +| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
- Control flow guard (CFG)
- Data Execution Protection (DEP)
- Mandatory ASLR
- Bottom-Up ASLR
- High-entropy ASLR
- Validate Exception Chains (SEHOP)
- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | | [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and Enforce Attack Surface Reduction Rules:
- Block executable content from email client and webmail
- Block all Office applications from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block JavaScript or VBScript from launching downloaded executable content
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macro
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block Office communication applications from creating child processes
- Block Adobe Reader from creating child processes
| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode | | [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. | @@ -60,7 +60,7 @@ The policies enforced in SECCON 4 implement more controls and a more sophisticat configuration than SECCON 5. While they may have a slightly higher impact to users or to applications, they enforce a level of security more commensurate with the risks facing users with access to sensitive information. Microsoft -recommends using the rings methodology for these security configurations and +recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, with a moderate timeline that is anticipated to be slightly longer than the process in SECCON 5. diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md index 17e575950c..ed958a060d 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md 
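Review bot: In the seccon-4 hunk at @@ -45,12 +45,12 @@, the replacement line reads `and t[the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that`; the stray `t` before the link will render as "and tthe rings methodology". Drop it so the line reads `and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that`, matching the wording used in the other hunks of this patch.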
@@ -22,6 +22,9 @@ ms.date: 04/05/2018 - Windows Server 2016 - Office 2016 +SECCON 5 is the minimum security configuration for an enterprise device. +Microsoft recommends the following configuration for SECCON 5 devices. + ## Behaviors The behaviors recommended in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. 
@@ -38,8 +41,8 @@ The controls enabled in SECCON 5 enforce a reasonable security level while minim |-----------------------------------|-------------------------------------|--------------------| | [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. | | [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the ring methodology. 
| -| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using the rings methodology. | -| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using the rings methodology. | +| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). 
While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | +| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | ## Policies From 23eeaab301c202e004256444d9ff9e0c08626e4f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 8 Apr 2019 12:07:42 -0700 Subject: [PATCH 23/51] fixed links --- .../windows-seccon-framework/TOC.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) 
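Review bot: the Credential Guard row in the context just above this hunk still reads "using the ring methodology" with no link, while the two rows changed here now link "[the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates)"; link that row the same way so the table is consistent. While touching this table, the EDR row's "EDR helps security analysts , and aggregates alerts" is missing the verb's object and has "an an entity", and the Credential Guard row spells "Keberos"; these are one-word fixes that would fit in this change.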
diff --git a/windows/security/threat-protection/windows-seccon-framework/TOC.md b/windows/security/threat-protection/windows-seccon-framework/TOC.md index 847450193e..2972d04f05 100644 --- a/windows/security/threat-protection/windows-seccon-framework/TOC.md +++ b/windows/security/threat-protection/windows-seccon-framework/TOC.md 
@@ -1,17 +1,17 @@ -# [Windows security compliance](windows-seccon-framework/windows-security-compliance.md) +# [Windows security compliance](windows-security-compliance.md) -## [Windows security baselines](windows-seccon-framework/windows-security-baselines.md) -### [Security Compliance Toolkit](windows-seccon-framework/security-compliance-toolkit-10.md) -### [Get support](windows-seccon-framework/get-support-for-security-baselines.md) -## [Windows SECCON framework](windows-seccon-framework/windows-security-configuration-framework.md) -### [SECCON 1 enterprise administrator security](windows-seccon-framework/seccon-5-enterprise-administrator-security.md) -### [SECCON 2 enterprise dev/ops security](windows-seccon-framework/seccon-5-enterprise-devops-security.md) -### [SECCON 3 enterprise VIP security](windows-seccon-framework/seccon-3-vip-enterprise-security.md) -### [SECCON 4 enterprise high security](windows-seccon-framework/seccon-4-high-enterprise-security.md) -### [SECCON 5 enterprise security](windows-seccon-framework/seccon-5-enterprise-security.md) +## [Windows security baselines](windows-security-baselines.md) +### [Security Compliance Toolkit](security-compliance-toolkit-10.md) +### [Get support](get-support-for-security-baselines.md) +## [Windows SECCON framework](windows-security-configuration-framework.md) +### [SECCON 1 enterprise administrator security](seccon-5-enterprise-administrator-security.md) +### [SECCON 2 enterprise dev/ops security](seccon-5-enterprise-devops-security.md) +### [SECCON 3 enterprise VIP security](seccon-3-vip-enterprise-security.md) +### [SECCON 4 enterprise high security](seccon-4-high-enterprise-security.md) +### [SECCON 5 enterprise security](seccon-5-enterprise-security.md) ##Windows Security Blog Posts -### [Sticking with Well-Known and Proven Solutions](windows-seccon-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md) -### [Why We’re Not Recommending "FIPS Mode" 
Anymore](windows-seccon-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) -### [Configuring Account Lockout](windows-seccon-framework/windows-security-blog/configuring-account-lockout.md) -### [Blocking Remote Use of Local Accounts](windows-seccon-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md) -### [Dropping the “Untrusted Font Blocking” setting](windows-seccon-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md) \ No newline at end of file +### [Sticking with Well-Known and Proven Solutions](windows-security-blog/sticking-with-well-known-and-proven-solutions.md) +### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) +### [Configuring Account Lockout](windows-security-blog/configuring-account-lockout.md) +### [Blocking Remote Use of Local Accounts](windows-security-blog/blocking-remote-use-of-local-accounts.md) +### [Dropping the “Untrusted Font Blocking” setting](windows-security-blog/dropping-the-untrusted-font-blocking-setting.md) \ No newline at end of file From cbe8d9a03b6e03ade6aed84010f6010c189c3f78 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 8 Apr 2019 13:24:24 -0700 Subject: [PATCH 24/51] fixed links --- .../threat-protection/windows-seccon-framework/TOC.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-seccon-framework/TOC.md b/windows/security/threat-protection/windows-seccon-framework/TOC.md index 2972d04f05..6038ad503b 100644 --- a/windows/security/threat-protection/windows-seccon-framework/TOC.md +++ b/windows/security/threat-protection/windows-seccon-framework/TOC.md 
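Review bot: two of the rewritten link targets look wrong: "SECCON 1 enterprise administrator security" points at seccon-5-enterprise-administrator-security.md and "SECCON 2 enterprise dev/ops security" at seccon-5-enterprise-devops-security.md, so the "seccon-5-" prefix should be "seccon-1-" and "seccon-2-" (the "seccon-3-vip-enterprise-security.md" and "seccon-4-high-enterprise-security.md" word order should also be checked against the real file names). The context line "##Windows Security Blog Posts" is missing the space after "##", so it will not render as a heading, and the file still ends without a newline; both are worth fixing in the same pass.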
@@ -4,10 +4,10 @@ ### [Security Compliance Toolkit](security-compliance-toolkit-10.md) ### [Get support](get-support-for-security-baselines.md) ## [Windows SECCON framework](windows-security-configuration-framework.md) -### [SECCON 1 enterprise administrator security](seccon-5-enterprise-administrator-security.md) -### [SECCON 2 enterprise dev/ops security](seccon-5-enterprise-devops-security.md) -### [SECCON 3 enterprise VIP security](seccon-3-vip-enterprise-security.md) -### [SECCON 4 enterprise high security](seccon-4-high-enterprise-security.md) +### [SECCON 1 enterprise administrator security](seccon-1-enterprise-administrator-security.md) +### [SECCON 2 enterprise dev/ops security](seccon-2-enterprise-devops-security.md) +### [SECCON 3 enterprise VIP security](seccon-3-enterprise-vip-security.md) +### [SECCON 4 enterprise high security](seccon-4-enterprise-high-security.md) ### [SECCON 5 enterprise security](seccon-5-enterprise-security.md) ##Windows Security Blog Posts ### [Sticking with Well-Known and Proven Solutions](windows-security-blog/sticking-with-well-known-and-proven-solutions.md) From 010f1d7bd8b1d81ddabbf4801da394712ad40501 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 8 Apr 2019 13:42:48 -0700 Subject: [PATCH 25/51] added categories to intro --- .../windows-seccon-framework/TOC.md | 10 ++--- .../seccon-5-enterprise-security.md | 41 ++++++++++--------- ...indows-security-configuration-framework.md | 13 ++++-- 3 files changed, 36 insertions(+), 28 deletions(-) diff --git a/windows/security/threat-protection/windows-seccon-framework/TOC.md b/windows/security/threat-protection/windows-seccon-framework/TOC.md index 6038ad503b..8a4ce81dac 100644 --- a/windows/security/threat-protection/windows-seccon-framework/TOC.md +++ b/windows/security/threat-protection/windows-seccon-framework/TOC.md 
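Review bot: the new target "seccon-3-enterprise-vip-security.md" is all lowercase, but the file as it appears in this series' own diff headers is "seccon-3-enterprise-VIP-security.md"; on a case-sensitive build system that link will 404, so either rename the file to lowercase or match the case here.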
@@ -4,11 +4,11 @@ ### [Security Compliance Toolkit](security-compliance-toolkit-10.md) ### [Get support](get-support-for-security-baselines.md) ## [Windows SECCON framework](windows-security-configuration-framework.md) -### [SECCON 1 enterprise administrator security](seccon-1-enterprise-administrator-security.md) -### [SECCON 2 enterprise dev/ops security](seccon-2-enterprise-devops-security.md) -### [SECCON 3 enterprise VIP security](seccon-3-enterprise-vip-security.md) -### [SECCON 4 enterprise high security](seccon-4-enterprise-high-security.md) -### [SECCON 5 enterprise security](seccon-5-enterprise-security.md) +### [SECCON 5 Enterprise Security](seccon-5-enterprise-security.md) +### [SECCON 4 Enterprise High Security](seccon-4-enterprise-high-security.md) +### [SECCON 3 Enterprise VIP Security](seccon-3-enterprise-vip-security.md) +### [SECCON 2 Enterprise Dev/Ops Workstation](seccon-2-enterprise-devops-security.md) +### [SECCON 1 Enterprise Administrator Workstation](seccon-1-enterprise-administrator-security.md) ##Windows Security Blog Posts ### [Sticking with Well-Known and Proven Solutions](windows-security-blog/sticking-with-well-known-and-proven-solutions.md) ### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md index ed958a060d..dbb8dd85f1 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md 
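Review bot: the display names introduced here ("SECCON 2 Enterprise Dev/Ops Workstation", "SECCON 1 Enterprise Administrator Workstation") do not match the names the same commit adds to windows-security-configuration-framework.md ("SECCON 2 DevOps Workstation", "SECCON 1 Administrator Workstation"); pick one form for both the TOC and the framework page. The "##Windows Security Blog Posts" context line still lacks the space after "##".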
@@ -25,25 +25,6 @@ ms.date: 04/05/2018 SECCON 5 is the minimum security configuration for an enterprise device. Microsoft recommends the following configuration for SECCON 5 devices. -## Behaviors - -The behaviors recommended in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. - -| Feature | Config | Description | -|---------|-------------------|-------------| -| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. | - -## Controls - -The controls enabled in SECCON 5 enforce a reasonable security level while minimizing the impact to users and applications. - -| Feature | Config | Description | -|-----------------------------------|-------------------------------------|--------------------| -| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. 
| -| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the ring methodology. | -| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). 
| -| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | - ## Policies The policies in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. 
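Review bot: the subject "added categories to intro" does not cover this hunk, which removes the Behaviors and Controls sections of seccon-5-enterprise-security.md ahead of Policies (they are re-added after it further down); state the new section order (Policies, Controls, Behaviors) in the commit message or split the reorder into its own commit so the move is reviewable on its own.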
@@ -242,4 +223,24 @@ Download and install the [Microsoft Local Admin Password Solution](https://www.m | Services | Xbox Game Monitoring | Disabled | Monitors Xbox games currently being played | | Services | Xbox Live Auth Manager | Disabled | Provides authentication and authorization services for interactive with Xbox Live | | Services | Xbox Live Game Save | Disabled | Syncs save data for Xbox live save enabled games | -| Services | Xbox Live Networking Service | Disabled | Supports the Windows.Networking.XboxLive API \ No newline at end of file +| Services | Xbox Live Networking Service | Disabled | Supports the Windows.Networking.XboxLive API | + +## Controls + +The controls enabled in SECCON 5 enforce a reasonable security level while minimizing the impact to users and applications. + +| Feature | Config | Description | +|-----------------------------------|-------------------------------------|--------------------| +| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. | +| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. 
Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the ring methodology. | +| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | +| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. 
If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | + +## Behaviors + +The behaviors recommended in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. + +| Feature | Config | Description | +|---------|-------------------|-------------| +| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. | + diff --git a/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md index 06fc71b69e..c245933403 100644 --- a/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md +++ b/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md 
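Review bot: the text re-added here carries the same defects as the block it was moved from, so this is the place to fix them: "EDR helps security analysts , and aggregates alerts" is missing what EDR helps analysts do, "an an entity" has a doubled word, "Keberos TGT" should be "Kerberos TGT", and the Credential Guard row should link "the rings methodology" the way the Edge and Application Guard rows do. The fix to the Xbox Live Networking Service row (closing "|" and the missing newline at end of file) is good; the context row above it, "Provides authentication and authorization services for interactive with Xbox Live", should read "for interacting with", and the extra blank "+" line at the end of the hunk can be dropped.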
@@ -31,10 +31,17 @@ While appropriate for organizations with very high security needs such as those They can’t justify the investment in that very high level of security with an ROI. Assuch, Microsoft is introducing a new taxonomy for Security Configurations for Windows 10: The SECCON Baselines. -The SECCON Baselines organize devices into one of 5 distinct security configurations: +The SECCON Baselines organize devices into one of 5 distinct security configurations. ![SECON Framework](./../images/seccon-framework.png) +- [SECCON 5 Enterprise Security](seccon-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this SecCon level are generally straightforward and are designed to be deployable within 30 days. +- [SECCON 4 Enterprise High Security](seccon-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this SecCon level are generally accessible to most organizations and are designed to be deployable within 90 days. +- [SECCON 3 Enterprise VIP Security](seccon-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this SecCon level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days. 
+- [SECCON 2 DevOps Workstation](seccon-2-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. SecCon 2 guidance is coming soon! +- [SECCON 1 Administrator Workstation](seccon-1-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. SecCon 1 guidance is coming soon! + + The SECCON Baselines divide configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices (SECCON 5, 4, and 3). Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec). @@ -44,7 +51,7 @@ SECCON 5 should be considered the minimum baseline for an enterprise device, and ## Security Control Classification -The recommendations are grouped into three categories: +The recommendations are grouped into three categories. ![Security Control Classifications](./../images/security-control-classification.png) @@ -52,7 +59,7 @@ The recommendations are grouped into three categories: ## Security Control Deployment Methodologies The way Microsoft recommends implementing these controls depends on the -auditability of the control–there are two primary methodologies: +auditability of the control–there are two primary methodologies. ![Security Control Deployment methodologies](./../images/security-control-deployment-methodologies.png) From 77b6f11b0b8cf3896b7331bf5f06fa7846a414f0 Mon Sep 17 00:00:00 2001 
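Review bot: the five new bullets alternate between "SECCON" and "SecCon" ("Recommendations for this SecCon level", "SecCon 2 guidance is coming soon!"); the page otherwise uses "SECCON", so normalise the bullets. The context around the first hunk also shows "Assuch" (should be "As such") and the image alt text "SECON Framework", and the sentence following the new list links both "Privileged Access Workstations" and "Securing Privileged Access roadmap" to the same http://aka.ms/privsec URL and says "guidance ... are part of" (should be "is part of"); since this hunk already rewrites that paragraph's neighbourhood, these could be folded in. The two trailing blank "+" lines after the list are unnecessary.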
From: Justin Hall Date: Mon, 8 Apr 2019 13:46:24 -0700 Subject: [PATCH 26/51] moved policies --- .../seccon-3-enterprise-VIP-security.md | 50 ++++++++-------- .../seccon-4-enterprise-high-security.md | 60 ++++++++++--------- 2 files changed, 56 insertions(+), 54 deletions(-) diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md index 17990975e7..e3a3824c6a 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md @@ -25,31 +25,6 @@ ms.date: 04/05/2018 SECCON 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here. A SECCON 3 configuration should include all the configurations from SECCON 5 and SECCON 4 and add the following security controls. -## Behaviors - -The behaviors recommended in SECCON 3 represent the most sophisticated security -configuration. Removing admin rights can be difficult, but it is essential to -achieve a level of security commensurate with the risks facing the most targeted -organizations. - -| Feature Set | Feature | Description | -|--------------|----------|--------------| -| Remove Admin Rights | Remove as many users as possible from the local Administrators group, targeting 0. Microsoft recommends removing admin rights role by role. Some roles are more challenging, including:
- Developers, who often install rapidly iterating software which is difficult to package using current software distribution systems
- Scientists/ Doctors, who often must install and operate specialized hardware devices
- Remote locations with slow web links, where administration is delegated
It is typically easier to address these roles later in the process.
Microsoft recommends identifying the dependencies on admin rights and systematically addressing them:
- Legitimate use of admin rights: crowdsourced admin, where a new process is needed to complete that workflow
- Illegitimate use of admin rights: app compat dependency, where app remediation is the best path. The [Desktop App Assure](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-is-Desktop-App-Assure/ba-p/270232) program can assist with these app issues | Running as non-admin limits your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious code finds its way to one of those programs, it also gains unlimited access. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privileges. If you’re running as admin, an exploit can:
- install kernel-mode rootkits and/or keyloggers
- install and start services
- install ActiveX controls, including IE and shell add-ins
- access data belonging to other users
- cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
- replace OS and other program files with trojan horses
- disable/uninstall anti-virus
- cover its tracks in the event log
- render your machine unbootable | - -## Controls - -The controls enforced in SECCON 3 implement complex security configuration and controls. -They are likely to have a higher impact to users or to applications, -enforcing a level of security commensurate with the risks facing the most targeted organizations. -Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do -not. - -| Feature Set | Feature | Description | -|--------------|----------|--------------| -| Exploit protection | Enable exploit protection | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at the individual app level. | -| Windows Defender Application Control (WDAC) *or* AppLocker | Configure devices to use application whitelisting using one of the following approaches:
- AaronLocker (admin writeable areas) when software distribution is not always centralized
*or*
- Managed installer when all software is pushed through software distribution
*or*
- Explicit control when the software on a device is static and tightly controlled | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/). | - - ## Policies The policies enforced in SECCON 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). 
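Review bot: the subject "moved policies" is misleading for this hunk, which leaves the Policies section where it is and deletes the Behaviors and Controls sections of seccon-3-enterprise-VIP-security.md so they can be re-added after Policies; say so in the message (for example "move Behaviors and Controls below Policies"), since a reader of the log would otherwise look for a change to the Policies section itself.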
@@ -138,6 +113,31 @@ The policies enforced in SECCON 3 implement strict security configuration and co |----------|-----------------|--------------|--------------| | Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. | +## Controls + +The controls enforced in SECCON 3 implement complex security configuration and controls. +They are likely to have a higher impact to users or to applications, +enforcing a level of security commensurate with the risks facing the most targeted organizations. +Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do +not. + +| Feature Set | Feature | Description | +|--------------|----------|--------------| +| Exploit protection | Enable exploit protection | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at the individual app level. | +| Windows Defender Application Control (WDAC) *or* AppLocker | Configure devices to use application whitelisting using one of the following approaches:
- AaronLocker (admin writeable areas) when software distribution is not always centralized
*or*
- Managed installer when all software is pushed through software distribution
*or*
- Explicit control when the software on a device is static and tightly controlled | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/). | + +## Behaviors + +The behaviors recommended in SECCON 3 represent the most sophisticated security +configuration. Removing admin rights can be difficult, but it is essential to +achieve a level of security commensurate with the risks facing the most targeted +organizations. + +| Feature Set | Feature | Description | +|--------------|----------|--------------| +| Remove Admin Rights | Remove as many users as possible from the local Administrators group, targeting 0. Microsoft recommends removing admin rights role by role. Some roles are more challenging, including:
- Developers, who often install rapidly iterating software which is difficult to package using current software distribution systems
- Scientists/ Doctors, who often must install and operate specialized hardware devices
- Remote locations with slow web links, where administration is delegated
It is typically easier to address these roles later in the process.
Microsoft recommends identifying the dependencies on admin rights and systematically addressing them:
- Legitimate use of admin rights: crowdsourced admin, where a new process is needed to complete that workflow
- Illegitimate use of admin rights: app compat dependency, where app remediation is the best path. The [Desktop App Assure](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-is-Desktop-App-Assure/ba-p/270232) program can assist with these app issues | Running as non-admin limits your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious code finds its way to one of those programs, it also gains unlimited access. When an exploit runs with admin privileges, its ability to compromise your system is much greater, its ability to do so without detection is much greater, and its ability to attack others on your network is greater than it would be with only User privileges. If you’re running as admin, an exploit can:
- install kernel-mode rootkits and/or keyloggers
- install and start services
- install ActiveX controls, including IE and shell add-ins
- access data belonging to other users
- cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
- replace OS and other program files with trojan horses
- disable/uninstall anti-virus
- cover its tracks in the event log
- render your machine unbootable | + + diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md index 7fe9cc64a6..deddf9b612 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md 
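Review bot: in the WDAC/AppLocker row of the new Controls table, "Application Control can help mitigate these types of security threats" refers to threats the cell never names (the preceding sentence is about the trust model, not threats); either name the threats or drop "these types of". Two grammar fixes in the same hunk: "malware that use exploits to spread and infect to other devices" (Exploit protection row) should read "malware that uses exploits to spread to and infect other devices", and "higher impact to users" in the Controls intro should be "higher impact on users". The Exploit protection description here says mitigations can be applied "at the individual app level", while the SECCON 4 copy of the same row later in this patch says "at either the operating system level, or at the individual app level"; the two rows describe the same feature, so use one wording. The two "+" blank lines at the end of the hunk only add trailing whitespace to the file.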
@@ -25,35 +25,6 @@ ms.date: 04/05/2018 SECCON 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most Enterprise organizations. A SECCON 4 configuration should include all the configurations from SECCON 5 and add the following security controls. -## Behaviors - -The behaviors recommended in SECCON 4 implement a more sophisticated security -process. While they may require a more sophisticated organization, they enforce -a level of security more commensurate with the risks facing users with access to -sensitive information. - -| Feature Set| Feature | Description | -|------------|----------|--------------| -| Antivirus | Configure Protection Updates to failover to retrieval from Microsoft | Sources for Windows Defender Antivirus Protection Updates can be provided in an ordered list. If you are using internal distribution, such as SCCM or WSUS, configure Microsoft Update lower in the list as a failover. | -| OS Security Updates | Deploy Windows Quality Updates within 4 days | As the time between release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, engineering a process that provides the ability to validate and deploy quality updates addressing known security vulnerabilities is a critical aspect of security hygiene.| -| Helpdesk| 1:1 Administration| A simple and common model for helpdesk support is to add the Helpdesk group as a permanent member of the Local Administrators group of every device. If any device is compromised and helpdesk can connect to it, then these credentials can be used to obtain privilege on any / all other devices. 
Design and implement a strategy to provide helpdesk support without providing 1:all admin access – constraining the value of these Helpdesk credentials | - -## Controls - -The controls enforced in SECCON 4 implement more controls and a more sophisticated security -configuration than SECCON 5. While they may have a slightly higher impact to -users or to applications, they enforce a level of security more commensurate -with the risks facing users with access to sensitive information. Microsoft -recommends using the Audit/Enforce methodology for controls with an Audit mode, -and t[the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that -is anticipated to be slightly longer than the process in SECCON 5. - -| Feature Set | Feature | Description | -|-------------------------------------------------------------|-------------------------------------------------------|----------------| -| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
- Control flow guard (CFG)
- Data Execution Protection (DEP)
- Mandatory ASLR
- Bottom-Up ASLR
- High-entropy ASLR
- Validate Exception Chains (SEHOP)
- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | -| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and Enforce Attack Surface Reduction Rules:
- Block executable content from email client and webmail
- Block all Office applications from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block JavaScript or VBScript from launching downloaded executable content
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macro
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block Office communication applications from creating child processes
- Block Adobe Reader from creating child processes
| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode | -| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. | - ## Policies The policies enforced in SECCON 4 implement more controls and a more sophisticated security 
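Review bot: this hunk deletes the Behaviors and Controls sections that the next hunk re-adds after Policies, and the re-added copy is not identical: the "t[the rings methodology]" typo in the Controls intro is fixed, and the line break before "Design and implement" in the Helpdesk row is removed. A move combined with silent edits is hard to review; either land the wording fixes in place first so the move diff is clean, or state both the move and the fixes in the commit message. The lead paragraph's "add the following security controls" now sits directly above "## Policies", so say that the controls follow the policy table, or a reader will wonder where they went.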
@@ -208,3 +179,34 @@ than the process in SECCON 5. | MSS (Legacy) | MSS: (DisableIPSourceRouting) IP source routing protection level (Protects against packet spoofing) | Highest Protection, source routing is completely disabled | Allowing source routed network traffic allows attackers to obscure their identity and location. | | MSS (Legacy) | MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first. | | MSS (Legacy) | MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | Prevents a denial-of-service (DoS) attack against a WINS server. The DoS consists of sending a NetBIOS Name Release Request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability. | + +## Controls + +The controls enforced in SECCON 4 implement more controls and a more sophisticated security +configuration than SECCON 5. While they may have a slightly higher impact to +users or to applications, they enforce a level of security more commensurate +with the risks facing users with access to sensitive information. Microsoft +recommends using the Audit/Enforce methodology for controls with an Audit mode, +and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that +is anticipated to be slightly longer than the process in SECCON 5. 
+ +| Feature Set | Feature | Description | +|-------------------------------------------------------------|-------------------------------------------------------|----------------| +| [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
- Control flow guard (CFG)
- Data Execution Protection (DEP)
- Mandatory ASLR
- Bottom-Up ASLR
- High-entropy ASLR
- Validate Exception Chains (SEHOP)
- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | +| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and Enforce Attack Surface Reduction Rules:
- Block executable content from email client and webmail
- Block all Office applications from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block JavaScript or VBScript from launching downloaded executable content
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macro
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block Office communication applications from creating child processes
- Block Adobe Reader from creating child processes
| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode | +| [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. | + +## Behaviors + +The behaviors recommended in SECCON 4 implement a more sophisticated security +process. While they may require a more sophisticated organization, they enforce +a level of security more commensurate with the risks facing users with access to +sensitive information. + +| Feature Set| Feature | Description | +|------------|----------|--------------| +| Antivirus | Configure Protection Updates to failover to retrieval from Microsoft | Sources for Windows Defender Antivirus Protection Updates can be provided in an ordered list. If you are using internal distribution, such as SCCM or WSUS, configure Microsoft Update lower in the list as a failover. 
| +| OS Security Updates | Deploy Windows Quality Updates within 4 days | As the time between release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, engineering a process that provides the ability to validate and deploy quality updates addressing known security vulnerabilities is a critical aspect of security hygiene.| +| Helpdesk| 1:1 Administration| A simple and common model for helpdesk support is to add the Helpdesk group as a permanent member of the Local Administrators group of every device. If any device is compromised and helpdesk can connect to it, then these credentials can be used to obtain privilege on any / all other devices. Design and implement a strategy to provide helpdesk support without providing 1:all admin access – constraining the value of these Helpdesk credentials | + + From 61fa2978a2bc4b3476e6528c3dbca74bb88495aa Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 8 Apr 2019 14:44:00 -0700 Subject: [PATCH 27/51] edits --- .../windows-seccon-framework/seccon-5-enterprise-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md index dbb8dd85f1..08dc258e1f 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md 
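Review bot: in the re-added Antivirus row of the Behaviors table, the closing "|" has been pushed onto its own line after "configure Microsoft Update lower in the list as a failover.", which will break the Markdown table; keep the whole row on one line, as it was in the removed original. In the ASR row, the rule list ends with a trailing "<br>" before the cell's "|", which renders as an empty line inside the cell; drop it. The same grammar fixes as in the SECCON 3 copy apply here ("malware that use exploits to spread and infect to other devices", "higher impact to users"), and the two "+" blank lines at the end of the hunk add trailing whitespace.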
@@ -36,7 +36,7 @@ Microsoft recommends using [the rings methodology](https://docs.microsoft.com/wi |-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. | | Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. | -| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2) Contain characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
-Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. | +| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2) Contain characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
-Non-alphanumeric characters (special characters):
(~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. | | Password Policy | Store passwords using reversible encryption | Disabled | Determines whether the operating system stores passwords using reversible encryption. | | Security Options | Accounts: Guest account status | Disabled | Determines if the Guest account is enabled or disabled. | | Security Options | Domain member: Disable machine account password changes | Disabled | Determines whether a domain member periodically changes its computer account password. | From 2ca45f7a91e0a6b40f157d02265af68c99db6746 Mon Sep 17 00:00:00 2001 
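Review bot: while this hunk adds a "<br>" after "Non-alphanumeric characters (special characters):" so the character list sits on its own line, the bullet itself is still "-Non-alphanumeric" with no space after the hyphen, unlike its siblings ("- Base 10 digits"); add the space on the same line. Because the character list lives inside a Markdown table cell, confirm in the rendered page that the escaped pipe ("\|") and backslash ("\\") survive the table renderer and that the lone backtick and the "*" and "_" in the list do not open a code span or emphasis; if they do, wrap the list in an inline code span.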
From: Justin Hall Date: Mon, 8 Apr 2019 16:28:09 -0700 Subject: [PATCH 28/51] renamed files --- windows/security/threat-protection/TOC.md | 30 +-- ...con-1-enterprise-administrator-security.md | 4 +- .../seccon-5-enterprise-security.md | 4 +- ...indows-security-configuration-framework.md | 4 +- .../TOC.md | 0 .../get-support-for-security-baselines.md | 0 ...vel-1-enterprise-administrator-security.md | 27 ++ .../level-2-enterprise-devops-security.md} | 4 +- .../level-3-enterprise-VIP-security.md} | 0 .../level-4-enterprise-high-security.md} | 2 - .../level-5-enterprise-security.md | 244 ++++++++++++++++++ .../security-compliance-toolkit-10.md | 0 .../windows-security-baselines.md | 0 .../blocking-remote-use-of-local-accounts.md | 0 .../configuring-account-lockout.md | 0 ...ing-the-untrusted-font-blocking-setting.md | 0 ...ng-with-well-known-and-proven-solutions.md | 0 ...were-not-recommending-fips-mode-anymore.md | 0 .../windows-security-compliance.md | 0 ...indows-security-configuration-framework.md | 66 +++++ 20 files changed, 356 insertions(+), 29 deletions(-) rename windows/security/threat-protection/{windows-seccon-framework => windows-security-configuration-framework}/TOC.md (100%) rename windows/security/threat-protection/{windows-seccon-framework => windows-security-configuration-framework}/get-support-for-security-baselines.md (100%) create mode 100644 windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md rename windows/security/threat-protection/{windows-seccon-framework/seccon-2-enterprise-devops-security.md => windows-security-configuration-framework/level-2-enterprise-devops-security.md} (88%) rename windows/security/threat-protection/{windows-seccon-framework/seccon-3-enterprise-VIP-security.md => windows-security-configuration-framework/level-3-enterprise-VIP-security.md} (100%) rename windows/security/threat-protection/{windows-seccon-framework/seccon-4-enterprise-high-security.md => 
windows-security-configuration-framework/level-4-enterprise-high-security.md} (99%) create mode 100644 windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md rename windows/security/threat-protection/{windows-seccon-framework => windows-security-configuration-framework}/security-compliance-toolkit-10.md (100%) rename windows/security/threat-protection/{windows-seccon-framework => windows-security-configuration-framework}/windows-security-baselines.md (100%) rename windows/security/threat-protection/{windows-seccon-framework => windows-security-configuration-framework}/windows-security-blog/blocking-remote-use-of-local-accounts.md (100%) rename windows/security/threat-protection/{windows-seccon-framework => windows-security-configuration-framework}/windows-security-blog/configuring-account-lockout.md (100%) rename windows/security/threat-protection/{windows-seccon-framework => windows-security-configuration-framework}/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md (100%) rename windows/security/threat-protection/{windows-seccon-framework => windows-security-configuration-framework}/windows-security-blog/sticking-with-well-known-and-proven-solutions.md (100%) rename windows/security/threat-protection/{windows-seccon-framework => windows-security-configuration-framework}/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md (100%) rename windows/security/threat-protection/{windows-seccon-framework => windows-security-configuration-framework}/windows-security-compliance.md (100%) create mode 100644 windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 1cf0d92355..2fe57b0501 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -1019,22 +1019,22 @@ ###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md) -### [Windows security compliance](windows-seccon-framework/windows-security-compliance.md) -#### [Windows security baselines](windows-seccon-framework/windows-security-baselines.md) -##### [Security Compliance Toolkit](windows-seccon-framework/security-compliance-toolkit-10.md) -##### [Get support](windows-seccon-framework/get-support-for-security-baselines.md) -#### [Windows SECCON framework](windows-seccon-framework/windows-security-configuration-framework.md) -##### [SECCON 1 enterprise administrator security](windows-seccon-framework/seccon-5-enterprise-administrator-security.md) -##### [SECCON 2 enterprise dev/ops security](windows-seccon-framework/seccon-5-enterprise-devops-security.md) -##### [SECCON 3 enterprise VIP security](windows-seccon-framework/seccon-3-vip-enterprise-security.md) -##### [SECCON 4 enterprise high security](windows-seccon-framework/seccon-4-high-enterprise-security.md) -##### [SECCON 5 enterprise security](windows-seccon-framework/seccon-5-enterprise-security.md) +### [Windows security compliance](windows-security-congiguration-framework/windows-security-compliance.md) +#### [Windows security baselines](windows-security-congiguration-framework/windows-security-baselines.md) +##### [Security Compliance Toolkit](windows-security-congiguration-framework/security-compliance-toolkit-10.md) +##### [Get support](windows-security-congiguration-framework/get-support-for-security-baselines.md) +#### [Windows SECCON framework](windows-security-congiguration-framework/windows-security-configuration-framework.md) +##### [SECCON 1 enterprise administrator security](windows-security-congiguration-framework/level-1-enterprise-administrator-security.md) +##### [SECCON 2 enterprise dev/ops security](windows-security-congiguration-framework/level-2-enterprise-devops-security.md) +##### [SECCON 3 enterprise VIP 
security](windows-security-congiguration-framework/level-3-vip-enterprise-security.md) +##### [SECCON 4 enterprise high security](windows-security-congiguration-framework/level-4-high-enterprise-security.md) +##### [SECCON 5 enterprise security](windows-security-congiguration-framework/level-5-enterprise-security.md) ####Windows Security Blog Posts -##### [Sticking with Well-Known and Proven Solutions](windows-seccon-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md) -##### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-seccon-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) -##### [Configuring Account Lockout](windows-seccon-framework/windows-security-blog/configuring-account-lockout.md) -##### [Blocking Remote Use of Local Accounts](windows-seccon-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md) -##### [Dropping the “Untrusted Font Blocking” setting](windows-seccon-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md) +##### [Sticking with Well-Known and Proven Solutions](windows-security-congiguration-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md) +##### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-congiguration-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) +##### [Configuring Account Lockout](windows-security-congiguration-framework/windows-security-blog/configuring-account-lockout.md) +##### [Blocking Remote Use of Local Accounts](windows-security-congiguration-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md) +##### [Dropping the “Untrusted Font Blocking” setting](windows-security-congiguration-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md) ### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) 
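Review bot: every updated link in this TOC hunk points at "windows-security-congiguration-framework/" (typo: "congiguration"), but the directory created by the renames in this patch is "windows-security-configuration-framework/", so all fifteen links will be broken. Two file names also do not match the renamed files: the TOC links "level-3-vip-enterprise-security.md" and "level-4-high-enterprise-security.md", while the renames produce "level-3-enterprise-VIP-security.md" and "level-4-enterprise-high-security.md" (the old TOC had a similar mismatch for SECCON 1 and 2, which this hunk does fix). The entry titles still read "Windows SECCON framework" and "SECCON 1 ... SECCON 5" while the page headings in this patch become "Level 1" etc.; update the titles together with the paths. The context line "####Windows Security Blog Posts" is missing the space after "####" and will not render as a heading; worth fixing while editing this block.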
diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md index 115f7495b7..bf1890abdf 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md @@ -14,13 +14,11 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 1 security configuration for enterprise administrators +# Level 1 security configuration for enterprise administrators **Applies to** - Windows 10 -- Windows Server 2016 -- Office 2016 Administrators (particularly of identity or security systems) present the highest risk to the organization−through data theft, data alteration, or service disruption. diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md index 08dc258e1f..a29c50f1fc 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md +++ b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md @@ -14,13 +14,11 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 5 security configuration for enterprise security +# Level 5 security configuration for enterprise security **Applies to** - Windows 10 -- Windows Server 2016 -- Office 2016 SECCON 5 is the minimum security configuration for an enterprise device. Microsoft recommends the following configuration for SECCON 5 devices. diff --git a/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md index c245933403..5ec7880a83 100644 
--- a/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md +++ b/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md @@ -14,13 +14,11 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# Introducing the SECCON Framework +# Introducing the Security Configuration Framework **Applies to** - Windows 10 -- Windows Server 2016 -- Office 2016 Security configuration is complex. With thousands of group policies available in Windows, choosing the “best” setting is difficult. It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of some security lockdowns. diff --git a/windows/security/threat-protection/windows-seccon-framework/TOC.md b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md similarity index 100% rename from windows/security/threat-protection/windows-seccon-framework/TOC.md rename to windows/security/threat-protection/windows-security-configuration-framework/TOC.md diff --git a/windows/security/threat-protection/windows-seccon-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md similarity index 100% rename from windows/security/threat-protection/windows-seccon-framework/get-support-for-security-baselines.md rename to windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md new file mode 100644 index 0000000000..a5b9862f6b --- /dev/null 
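Review bot: the seccon-1 hunk edits windows-seccon-framework/seccon-1-enterprise-administrator-security.md in place (heading changed to "Level 1 ...") while the same patch creates a separate new file windows-security-configuration-framework/level-1-enterprise-administrator-security.md ("create mode", 27 lines in the stat), so the old page is left behind under the old directory instead of being renamed like level-2, level-3 and level-4. Use a rename so history follows the file and no stale copy remains, and note that the new copy's heading is still "# SECCON 1 security configuration for enterprise administrators", contradicting the "Level 1" heading applied here.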
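Review bot: the seccon-5 hunk has the same problem: seccon-5-enterprise-security.md is edited under the old path while level-5-enterprise-security.md is created as a new 244-line file, which loses the rename similarity and leaves two copies of the SECCON 5 page. Also, the sentence directly below the new "# Level 5 security configuration for enterprise security" heading still reads "SECCON 5 is the minimum security configuration for an enterprise device. Microsoft recommends the following configuration for SECCON 5 devices.", so heading and body now disagree on the level's name; rename it in the body as well.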
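Review bot: the windows-security-configuration-framework.md hunk (like the seccon-1 and seccon-5 hunks before it) silently drops "Windows Server 2016" and "Office 2016" from "Applies to", a scope change that the commit message "renamed files" does not cover; either explain why the framework no longer applies to Server 2016 and Office 2016 or split that change into its own commit. As with the other two pages, the file is modified under windows-seccon-framework/ while a new 66-line windows-security-configuration-framework/windows-security-configuration-framework.md is created, leaving a duplicate under the old directory.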
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md @@ -0,0 +1,27 @@ +--- +title: SECCON 1 enterprise administrator security +description: This article, and the articles it links to, describe how to use the Windows SECCON framework in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# SECCON 1 security configuration for enterprise administrators + +**Applies to** + +- Windows 10 + + +Administrators (particularly of identity or security systems) present the highest risk to the organization−through data theft, data alteration, or service disruption. +SECCON 1 guidance to help protect devices used by administrators is coming soon! + + diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md similarity index 88% rename from windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md rename to windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md index 276b177186..ee6a1d66b4 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-2-enterprise-devops-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md 
@@ -14,13 +14,11 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 2 security configuration for enterprise dev/ops +# Level 2 security configuration for enterprise dev/ops **Applies to** - Windows 10 -- Windows Server 2016 -- Office 2016 We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. SecCon 2 guidance is coming soon! diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md similarity index 100% rename from windows/security/threat-protection/windows-seccon-framework/seccon-3-enterprise-VIP-security.md rename to windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md similarity index 99% rename from windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md rename to windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md index deddf9b612..51aac3468c 100644 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-4-enterprise-high-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md 
@@ -19,8 +19,6 @@ ms.date: 04/05/2018 **Applies to** - Windows 10 -- Windows Server 2016 -- Office 2016 SECCON 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most Enterprise organizations. A SECCON 4 configuration should include all the configurations from SECCON 5 and add the following security controls. diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md new file mode 100644 index 0000000000..7e92159bd8 --- /dev/null +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md 
@@ -0,0 +1,244 @@ +--- +title: SECCON 5 Enterprise Security +description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# SECCON 5 security configuration for enterprise security + +**Applies to** + +- Windows 10 + +SECCON 5 is the minimum security configuration for an enterprise device. +Microsoft recommends the following configuration for SECCON 5 devices. + +## Policies + +The policies in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. +Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls. 
+ +### Security Template Policies + +| Feature | Policy Setting | Policy Value | Description | +|-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. | +| Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. | +| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2) Contain characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
-Non-alphanumeric characters (special characters):
(~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. | +| Password Policy | Store passwords using reversible encryption | Disabled | Determines whether the operating system stores passwords using reversible encryption. | +| Security Options | Accounts: Guest account status | Disabled | Determines if the Guest account is enabled or disabled. | +| Security Options | Domain member: Disable machine account password changes | Disabled | Determines whether a domain member periodically changes its computer account password. | +| Security Options | Domain member: Maximum machine account password age | 30 | Determines how often a domain member will attempt to change its computer account password | +| Security Options | Domain member: require strong (Windows 2000 or later) session key | Enabled | Determines whether 128-bit key strength is required for encrypted secure channel data | +| Security Options | Interactive logon: Machine inactivity limit | 900 | The number of seconds of inactivity before the session is locked | +| Security Options | User Account Control: Admin approval mode for the built-in administrator | Enabled | The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation | +| Security Options | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. 
| +| Security Options | User Account Control: Detect application installations and prompt for elevation | Enabled | When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. | +| Security Options | User Account Control: Run all Administrators in admin approval mode | Enabled | This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. | +| Security Options | User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. | +| User Rights Assignments | Access Credential Manager as a trusted caller | No One (blank) | This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities. | +| User Rights Assignments | Act as part of the operating system | No One (blank) | This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. 
| +| User Rights Assignments | Allow log on locally | Administrators; Users | Determines which users can log on to the computer | +| User Rights Assignments | Back up files and directories | Administrators | Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system | +| User Rights Assignments | Create a pagefile | Administrators | Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file | +| User Rights Assignments | Create a token object | No One (blank) | Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. | +| User Rights Assignments | Create global objects | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE | This security setting determines whether users can create global objects that are available to all sessions. | +| User Rights Assignments | Create permanent shared objects | No One (blank) | Determines which accounts can be used by processes to create a directory object using the object manager | +| User Rights Assignments | Create symbolic links | Administrators | Determines if the user can create a symbolic link from the computer he is logged on to | +| User Rights Assignments | Debug programs | Administrators | Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. 
| +| User Rights Assignments | Deny access to this computer from the network | Guests; NT AUTHORITY\\Local Account | Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. | +| User Rights Assignments | Deny log on locally | Guests | Determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. | +| User Rights Assignments | Deny log on through Remote Desktop Services | Guests; NT AUTHORITY\\Local Account | Determines which users and groups are prohibited from logging on as a Remote Desktop Services client | +| User Rights Assignments | Force shutdown from a remote system | Administrators | Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. | +| User Rights Assignments | Increase scheduling priority | Administrators | Determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| User Rights Assignments | Load and unload device drivers | Administrators | Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| User Rights Assignments | Manage auditing and security log | Administrators | Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. 
| +| User Rights Assignments | Modify firmware environment variables | Administrators | Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. | +| User Rights Assignments | Restore files and directories | Administrators | Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object | +| User Rights Assignments | Take ownership of files or other objects | Administrators | Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads | + +### Advanced Audit Policies + +| Feature | Policy Setting | Policy Value | Description | +|--------------------|---------------------------------------|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Account Logon | Audit Credential Validation | Success and Failure | Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials. | +| Account Management | Audit Security Group Management | Success | Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type. 
| +| Account Management | Audit User Account Management | Success and Failure | Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials | +| Detailed Tracking | Audit PNP Activity | Success | Audit when plug and play detects an external device | +| Detailed Tracking | Audit Process Creation | Success | Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited | +| Logon/ Logoff | Audit Account Lockout | Failure | Audit events generated by a failed attempt to log on to an account that is locked out | +| Logon/ Logoff | Audit Group Membership | Success | Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. 
| +| Logon/ Logoff | Audit Logon | Success and Failure | Audit events generated by user account logon attempts on the computer | +| Logon/ Logoff | Audit Other Logon / Logoff Events | Success and Failure | Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account | +| Logon/ Logoff | Audit Special Logon | Success | Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network) | +| Object Access | Audit Detailed File Share | Failure | Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed | +| Object Access | Audit File Share | Success and Failure | Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder | +| Object Access | Audit Other Object Access Events | Success and Failure | Audit events generated by the management of task scheduler jobs or COM+ objects | +| Object Access | Audit Removable Storage | Success and Failure | Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. 
| +| Policy Change | Audit Audit Policy Change | Success | Audit changes in the security audit policy settings | +| Policy Change | Audit Authentication Policy Change | Success | Audit events generated by changes to the authentication policy | +| Policy Change | Audit MPSSVC Rule-Level Policy Change | Success and Failure | Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. | +| Policy Change | Audit Other Policy Change Events | Failure | Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications | +| Privilege Use | Audit Sensitive Privilege Use | Success and Failure | Audit events generated when sensitive privileges (user rights) are used | +| System | Audit Other System Events | Success and Failure | Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations. | +| System | Audit Security State Change | Success | Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. 
| +| System | Audit Security System Extension | Success | Audit events related to security system extensions or services | +| System | Audit System Integrity | Success and Failure | Audit events that violate the integrity of the security subsystem | + +### Windows Defender Firewall Policies + +| Feature | Policy Setting | Policy Value | Description | +|----------------------------|---------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a domain connection | +| Domain Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a domain connection | +| Domain Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a domain connection | +| Domain Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile | +| Domain Profile / State | Firewall State | On | Enables the firewall when connected to the domain profile | +| Domain Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile | +| Private Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a private connection | +| Private Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a private connection | +| Private Profile / Logging | Size limit | 16384 | Sets the firewall log file size for a private connection | +| Private Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile 
| +| Private Profile / State | Firewall state | On | Enables the firewall when connected to the private profile | +| Private Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile | +| Public Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a public connection | +| Public Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a public connection | +| Public Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a public connection | +| Public Profile / Settings | Apply local connection security rules | No | Ensures local connection rules will not be merged with Group Policy settings in the domain | +| Public Profile / Settings | Apply local firewall rules | No | Users cannot create new firewall rules | +| Public Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile | +| Public Profile / State | Firewall state | On | Enables the firewall when connected to the public profile | +| Public Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile | + +### Computer Policies + +| Feature | Policy Setting | Policy Value | Description | 
+|---------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Network / Lanman Workstation | Enable insecure guest logons | Disabled | Determines if the SMB client will allow insecure guest logons to an SMB server | +| System / Device Guard | Turn on Virtualization Based Security | Enabled: SecureBoot and DMA Protection | Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. | +| System / Early Launch Antimalware | Boot-Start Driver Initialization Policy | Enabled: Good, Unknown and bad but critical | Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. 
| +| System / Power Management / Sleep Settings | Require a password when a computer wakes (on battery) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep | +| System / Power Management / Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep | +| System / Remote Procedure Call | Restrict Unauthenticated RPC clients | Enabled: Authenticated | Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. | +| Windows Components / App runtime | Allow Microsoft accounts to be optional | Enabled | Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. | +| Windows Components / AutoPlay Policies | Disallow Autoplay for non-volume devices | Enabled | Disallows AutoPlay for MTP devices like cameras or phones. | +| Windows Components / AutoPlay Policies | Set the default behavior for AutoRun | Enabled: Do not execute any autorun commands | Sets the default behavior for Autorun commands. | +| Windows Components / AutoPlay Policies | Turn off Autoplay | Enabled: All Drives | Allows you to turn off the Autoplay feature. | +| Windows Components / Biometrics / Facial Features | Configure enhanced anti-spoofing | Enabled | Determines whether enhanced anti-spoofing is required for Windows Hello face authentication | +| Windows Components / BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10) | Enabled: XTA-AES-256 for operating system drives and fixed drives and AES-CBC-256 for removable drives | Allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. 
| +| Windows Components / BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows | +| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow enhanced PINs for startup | Enabled | Allows you to configure whether enhanced startup PINs are used with BitLocker | +| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow Secure Boot for integrity validation | Enabled | Allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. | +| Windows Components / Event Log Service / Application | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. | +| Windows Components / Event Log Service / Security | Specify the maximum log file size (KB) | Enabled: 196608 | Specifies the maximum size of the log file in kilobytes. | +| Windows Components / Event Log Service / System | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. | +| Windows Components / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software | +| Windows Components / Windows Defender SmartScreen / Explorer | Configure Windows Defender SmartScreen | Warn and prevent bypass | Allows you to turn Windows Defender SmartScreen on or off | +| Windows Components / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files | Enabled | This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. 
| +| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites | Enabled | Lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites | +| Windows Components / Windows Installer | Allow user control over installs | Disabled | Permits users to change installation options that typically are available only to system administrators | +| Windows Components / Windows Installer | Always install with elevated privileges | Disabled | Directs Windows Installer to use elevated permissions when it installs any program on the system | +| Windows Components / Windows Logon Options | Sign-in last interactive user automatically after a system-initiated restart | Disabled | Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system | +| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network | +| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. 
| + +### Windows Defender Antivirus Policies + +| Feature | Policy Setting | Policy Value | Description | +|------------------------------------------------------------------------|-----------------------------------------------------------|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Windows Components / Windows Defender Antivirus | Turn off Windows Defender Antivirus | Disabled | Turns off Windows Defender Antivirus | +| Windows Components / Windows Defender Antivirus | Configure detection for potentially unwanted applications | Enabled: Audit | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. | +| Windows Components / Windows Defender Antivirus / MAPS | Join Microsoft MAPS | Enabled: Advanced MAPS | Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. | +| Windows Components / Windows Defender Antivirus / MAPS | Send file samples when further analysis is required | Enabled: Send safe samples | Configures behavior of samples submission when opt-in for MAPS telemetry is set | +| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn off real-time protection | Disabled | Turns off real-time protection prompts for known malware detection | +| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn on behavior monitoring | Enabled | Allows you to configure behavior monitoring. 
| +| Windows Components / Windows Defender Antivirus / Scan | Scan removable drives | Enabled | Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. | +| Windows Components / Windows Defender Antivirus / Scan | Specify the interval to run quick scans per day | 24 | Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). | +| Windows Components / Windows Defender Antivirus / Scan | Turn on e-mail scanning | Enabled | Allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments | + +### User Policies + +| Feature | Policy Setting | Policy Value | Description | +|----------------------------------------|-------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. 
| +| Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers | + +### IE Computer Policies + +| Feature | Policy Setting | Policy Value | Description | +|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Windows Components / Internet Explorer | Prevent managing SmartScreen Filter | Enabled: On | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. | +| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for server certificate revocation | Enabled | Allows you to manage whether Internet Explorer will check revocation status of servers' certificates | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Java permissions | Enabled: High Safety | Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. 
| +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Enabled: Enable | | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | +| Windows Components / Internet Explorer / Security Features | Allow fallback to SSL 3.0 (Internet Explorer) | Enabled: No sites | Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. | + +### LAPS + +Download and install the [Microsoft Local Admin Password Solution](https://www.microsoft.com/download/details.aspx?id=46899). 
+ +| Feature | Policy Setting | Policy Value | Description | +|---------|----------------------------------------|--------------|-------------------------------| +| LAPS | Enable local admin password management | Enabled | Activates LAPS for the device | + +### Custom Policies + +| Feature | Policy Setting | Policy Value | Description | +|-----------------------------------------------------------------------|-----------------------------------------------------------|--------------|---------------------------------------------------------------------------------------| +| Computer Configuration / Administrative Templates / MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled | Filters the user account token for built-in administrator accounts for network logons | + +### Services + +| Feature | Policy Setting | Policy Value | Description | +|----------------|-----------------------------------|--------------|-----------------------------------------------------------------------------------| +| Scheduled Task | XblGameSaveTask | Disabled | Syncs save data for Xbox Live save-enabled games | +| Services | Xbox Accessory Management Service | Disabled | Manages connected Xbox accessories | +| Services | Xbox Game Monitoring | Disabled | Monitors Xbox games currently being played | +| Services | Xbox Live Auth Manager | Disabled | Provides authentication and authorization services for interactive with Xbox Live | +| Services | Xbox Live Game Save | Disabled | Syncs save data for Xbox live save enabled games | +| Services | Xbox Live Networking Service | Disabled | Supports the Windows.Networking.XboxLive API | + +## Controls + +The controls enabled in SECCON 5 enforce a reasonable security level while minimizing the impact to users and applications. 
+ +| Feature | Config | Description | +|-----------------------------------|-------------------------------------|--------------------| +| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. | +| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the ring methodology. 
| +| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | +| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). 
| + +## Behaviors + +The behaviors recommended in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. + +| Feature | Config | Description | +|---------|-------------------|-------------| +| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. | + diff --git a/windows/security/threat-protection/windows-seccon-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md similarity index 100% rename from windows/security/threat-protection/windows-seccon-framework/security-compliance-toolkit-10.md rename to windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md diff --git a/windows/security/threat-protection/windows-seccon-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md similarity index 100% rename from windows/security/threat-protection/windows-seccon-framework/windows-security-baselines.md rename to windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md 
diff --git a/windows/security/threat-protection/windows-seccon-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md similarity index 100% rename from windows/security/threat-protection/windows-seccon-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md rename to windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md diff --git a/windows/security/threat-protection/windows-seccon-framework/windows-security-blog/configuring-account-lockout.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/configuring-account-lockout.md similarity index 100% rename from windows/security/threat-protection/windows-seccon-framework/windows-security-blog/configuring-account-lockout.md rename to windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/configuring-account-lockout.md diff --git a/windows/security/threat-protection/windows-seccon-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md similarity index 100% rename from windows/security/threat-protection/windows-seccon-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md rename to windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md 
diff --git a/windows/security/threat-protection/windows-seccon-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md similarity index 100% rename from windows/security/threat-protection/windows-seccon-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md rename to windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md diff --git a/windows/security/threat-protection/windows-seccon-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md similarity index 100% rename from windows/security/threat-protection/windows-seccon-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md rename to windows/security/threat-protection/windows-security-configuration-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md diff --git a/windows/security/threat-protection/windows-seccon-framework/windows-security-compliance.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md similarity index 100% rename from windows/security/threat-protection/windows-seccon-framework/windows-security-compliance.md rename to windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md new file mode 100644 index 0000000000..c245933403 --- /dev/null 
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md 
@@ -0,0 +1,66 @@ +--- +title: Windows Security Configuration Framework +description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +keywords: virtualization, security, malware +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: appcompatguy +author: appcompatguy +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/05/2018 +--- + +# Introducing the SECCON Framework + +**Applies to** + +- Windows 10 +- Windows Server 2016 +- Office 2016 + +Security configuration is complex. With thousands of group policies available in Windows, choosing the “best” setting is difficult. +It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of some security lockdowns. + +Because of this, with each release of Windows, Microsoft publishes [Windows Security Baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested. +However, many organizations have discovered that this baseline sets a very high bar. +While appropriate for organizations with very high security needs such as those persistently targeted by Advanced Persistent Threats, some organizations have found that the cost of navigating the potential compatibility impact of this configuration is prohibitively expensive given their risk appetite. +They can’t justify the investment in that very high level of security with an ROI. +Assuch, Microsoft is introducing a new taxonomy for Security Configurations for Windows 10: The SECCON Baselines. + +The SECCON Baselines organize devices into one of 5 distinct security configurations. 
+ +![SECON Framework](./../images/seccon-framework.png) + +- [SECCON 5 Enterprise Security](seccon-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this SecCon level are generally straightforward and are designed to be deployable within 30 days. +- [SECCON 4 Enterprise High Security](seccon-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this SecCon level are generally accessible to most organizations and are designed to be deployable within 90 days. +- [SECCON 3 Enterprise VIP Security](seccon-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this SecCon level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days. +- [SECCON 2 DevOps Workstation](seccon-2-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. SecCon 2 guidance is coming soon! 
+- [SECCON 1 Administrator Workstation](seccon-1-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. SecCon 1 guidance is coming soon! + + +The SECCON Baselines divide configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices +(SECCON 5, 4, and 3). +Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec). + +Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that SECCON level. +SECCON 5 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite. + +## Security Control Classification + +The recommendations are grouped into three categories. + +![Security Control Classifications](./../images/security-control-classification.png) + + +## Security Control Deployment Methodologies + +The way Microsoft recommends implementing these controls depends on the +auditability of the control–there are two primary methodologies. + +![Security Control Deployment methodologies](./../images/security-control-deployment-methodologies.png) + + From 9ad987584e8841d92c07814e9305c23686a2b0f4 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 8 Apr 2019 16:33:11 -0700 Subject: [PATCH 29/51] changed to levels --- ...indows-security-configuration-framework.md | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) 
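Review bot: "Assuch" in the paragraph introducing the baselines should be "As such", and the image alt text "SECON Framework" is missing a C. The "Privileged Access Workstations" and "Securing Privileged Access roadmap" links both point at http://aka.ms/privsec; either one target is wrong or the two links should be merged, and https should be used. The SECCON 2 and SECCON 1 bullets link to seccon-2-enterprise-devops-security.md and seccon-1-enterprise-administrator-security.md while saying the guidance is "coming soon", so they render as broken links unless placeholder pages ship with this change; remove the links until the pages exist. "Security Control Classification" states the recommendations fall into three categories but names them only in an image; list the categories in text so readers without the image get the information, and the same applies to the two methodologies under "Security Control Deployment Methodologies". Finally, ms.date: 04/05/2018 on a file created in this change looks stale.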
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md index c245933403..b7d3fe624b 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md @@ -14,13 +14,11 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# Introducing the SECCON Framework +# Introducing the Security Configuration Framework **Applies to** - Windows 10 -- Windows Server 2016 -- Office 2016 Security configuration is complex. With thousands of group policies available in Windows, choosing the “best” setting is difficult. It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of some security lockdowns. 
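Review bot: Removing "Windows Server 2016" and "Office 2016" from the Applies to list is a scope change that the commit message "changed to levels" does not mention; confirm it is intentional and, if so, say so in the commit message. The ms.date context line stays at 04/05/2018 while the heading and applicability change; update it with the content.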
@@ -29,17 +27,17 @@ Because of this, with each release of Windows, Microsoft publishes [Windows Secu However, many organizations have discovered that this baseline sets a very high bar. While appropriate for organizations with very high security needs such as those persistently targeted by Advanced Persistent Threats, some organizations have found that the cost of navigating the potential compatibility impact of this configuration is prohibitively expensive given their risk appetite. They can’t justify the investment in that very high level of security with an ROI. -Assuch, Microsoft is introducing a new taxonomy for Security Configurations for Windows 10: The SECCON Baselines. +Assuch, Microsoft is introducing a new taxonomy for Security Configurations for Windows 10: Security Configuration Framework. -The SECCON Baselines organize devices into one of 5 distinct security configurations. +The Security Configuration Framework organizes devices into one of 5 distinct security configurations. -![SECON Framework](./../images/seccon-framework.png) +![SECCON Framework](./../images/seccon-framework.png) -- [SECCON 5 Enterprise Security](seccon-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this SecCon level are generally straightforward and are designed to be deployable within 30 days. -- [SECCON 4 Enterprise High Security](seccon-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this SecCon level are generally accessible to most organizations and are designed to be deployable within 90 days. 
-- [SECCON 3 Enterprise VIP Security](seccon-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this SecCon level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days. -- [SECCON 2 DevOps Workstation](seccon-2-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. SecCon 2 guidance is coming soon! -- [SECCON 1 Administrator Workstation](seccon-1-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. SecCon 1 guidance is coming soon! +- [Level 5 Enterprise Security](level-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this SecCon level are generally straightforward and are designed to be deployable within 30 days. +- [Level 4 Enterprise High Security](level-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. 
Recommendations for this SecCon level are generally accessible to most organizations and are designed to be deployable within 90 days. +- [Level 3 Enterprise VIP Security](level-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this SecCon level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days. +- [Level 2 DevOps Workstation](level-2-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. Level 2 guidance is coming soon! +- [Level 1 Administrator Workstation](level-1-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 1 guidance is coming soon! The SECCON Baselines divide configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices From 49d7db20739ef95f6b1ccb2d14839fd484576a0f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 8 Apr 2019 17:05:53 -0700 Subject: [PATCH 30/51] edits --- ...indows-security-configuration-framework.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) 
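Review bot: The rename to "Level N" is incomplete inside this hunk: the Level 5, 4 and 3 bullets still say "Recommendations for this SecCon level", while the Level 2 and 1 bullets were updated to "Level 2 guidance" / "Level 1 guidance", and the trailing context line still reads "The SECCON Baselines divide configuration". The link targets change to level-5-enterprise-security.md, level-4-enterprise-high-security.md and so on, so the matching page renames must be part of this PR or every link breaks. "Assuch" is carried over unchanged on a line the hunk already rewrites; fix it while touching that line.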
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md index b7d3fe624b..cc6da3108b 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md @@ -14,7 +14,7 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# Introducing the Security Configuration Framework +# Introducing the security configuration framework **Applies to** 
@@ -23,38 +23,38 @@ ms.date: 04/05/2018 Security configuration is complex. With thousands of group policies available in Windows, choosing the “best” setting is difficult. It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of some security lockdowns. -Because of this, with each release of Windows, Microsoft publishes [Windows Security Baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested. +Because of this, with each release of Windows, Microsoft publishes [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested. However, many organizations have discovered that this baseline sets a very high bar. While appropriate for organizations with very high security needs such as those persistently targeted by Advanced Persistent Threats, some organizations have found that the cost of navigating the potential compatibility impact of this configuration is prohibitively expensive given their risk appetite. They can’t justify the investment in that very high level of security with an ROI. -Assuch, Microsoft is introducing a new taxonomy for Security Configurations for Windows 10: Security Configuration Framework. +Assuch, Microsoft is introducing a new taxonomy for security configurations for Windows 10: Security Configuration Framework. -The Security Configuration Framework organizes devices into one of 5 distinct security configurations. +The security configuration framework organizes devices into one of 5 distinct security configurations. 
![SECCON Framework](./../images/seccon-framework.png) -- [Level 5 Enterprise Security](level-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this SecCon level are generally straightforward and are designed to be deployable within 30 days. -- [Level 4 Enterprise High Security](level-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this SecCon level are generally accessible to most organizations and are designed to be deployable within 90 days. -- [Level 3 Enterprise VIP Security](level-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this SecCon level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days. +- [Level 5 Enterprise Security](level-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this level are generally straightforward and are designed to be deployable within 30 days. +- [Level 4 Enterprise High Security](level-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. 
Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days. +- [Level 3 Enterprise VIP Security](level-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days. - [Level 2 DevOps Workstation](level-2-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. Level 2 guidance is coming soon! - [Level 1 Administrator Workstation](level-1-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 1 guidance is coming soon! -The SECCON Baselines divide configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices -(SECCON 5, 4, and 3). +The security configuration framework divides configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices +(Levels 5, 4, and 3). 
Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec). -Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that SECCON level. -SECCON 5 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite. +Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that level. +Level 5 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite. -## Security Control Classification +## Security control classification The recommendations are grouped into three categories. ![Security Control Classifications](./../images/security-control-classification.png) -## Security Control Deployment Methodologies +## Security control deployment methodologies The way Microsoft recommends implementing these controls depends on the auditability of the control–there are two primary methodologies. From aa79a917f858379bde1651784693c208a0d5a79a Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 9 Apr 2019 11:21:31 -0700 Subject: [PATCH 31/51] edits --- .../TOC.md | 10 ++++---- ...vel-1-enterprise-administrator-security.md | 10 ++++---- .../level-2-enterprise-devops-security.md | 10 ++++---- .../level-3-enterprise-VIP-security.md | 18 +++++++------- .../level-4-enterprise-high-security.md | 24 +++++++++---------- .../level-5-enterprise-security.md | 20 ++++++++-------- 6 files changed, 45 insertions(+), 47 deletions(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md index 8a4ce81dac..e994f2c0ff 100644 
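Review bot: in the @@ -23,38 hunk of windows-security-configuration-framework.md, the rewritten line `+Assuch, Microsoft is introducing a new taxonomy ...` carries the "Assuch" typo forward; since that line is already being replaced, make it "As such". The same hunk leaves the context line "Microsoft’s current guidance on Privileged Access Workstations are part of the Securing Privileged Access roadmap" with a subject-verb mismatch ("guidance ... is part of"), and the image alt text still reads "SECCON Framework" after every heading was lowercased to "security configuration framework"; both are worth fixing in this pass.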
--- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md @@ -4,11 +4,11 @@ ### [Security Compliance Toolkit](security-compliance-toolkit-10.md) ### [Get support](get-support-for-security-baselines.md) ## [Windows SECCON framework](windows-security-configuration-framework.md) -### [SECCON 5 Enterprise Security](seccon-5-enterprise-security.md) -### [SECCON 4 Enterprise High Security](seccon-4-enterprise-high-security.md) -### [SECCON 3 Enterprise VIP Security](seccon-3-enterprise-vip-security.md) -### [SECCON 2 Enterprise Dev/Ops Workstation](seccon-2-enterprise-devops-security.md) -### [SECCON 1 Enterprise Administrator Workstation](seccon-1-enterprise-administrator-security.md) +### [Level 5 Enterprise Security](level-5-enterprise-security.md) +### [Level 4 Enterprise High Security](level-4-enterprise-high-security.md) +### [Level 3 Enterprise VIP Security](level-3-enterprise-vip-security.md) +### [Level 2 Enterprise Dev/Ops Workstation](level-2-enterprise-devops-security.md) +### [Level 1 Enterprise Administrator Workstation](level-1-enterprise-administrator-security.md) ##Windows Security Blog Posts ### [Sticking with Well-Known and Proven Solutions](windows-security-blog/sticking-with-well-known-and-proven-solutions.md) ### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md index a5b9862f6b..9c4bd61995 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md 
+++ b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md @@ -1,6 +1,6 @@ --- -title: SECCON 1 enterprise administrator security -description: This article, and the articles it links to, describe how to use the Windows SECCON framework in your organization +title: Level 1 enterprise administrator security +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 1 enterprise administrator security configuration. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 1 security configuration for enterprise administrators +# Level 1 enterprise administrator security configuration **Applies to** @@ -22,6 +22,4 @@ ms.date: 04/05/2018 Administrators (particularly of identity or security systems) present the highest risk to the organization−through data theft, data alteration, or service disruption. -SECCON 1 guidance to help protect devices used by administrators is coming soon! - - +A level 1 configuration should include all the configurations from levels 5, 4, 3, and 2 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 1 enterprise administrator security configuration guidance! diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md index ee6a1d66b4..78f183b8b3 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md 
@@ -1,6 +1,6 @@ --- -title: SECCON 2 enterprise devops security -description: This article, and the articles it links to, describe how to use the Windows SECCON framework in your organization +title: Level 2 enterprise dev/ops security configuration +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 2 enterprise dev/ops security configuration. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy @@ -14,12 +14,14 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# Level 2 security configuration for enterprise dev/ops +# Level 2 enterprise dev/ops security configuration **Applies to** - Windows 10 -We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. SecCon 2 guidance is coming soon! +We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. A level 2 configuration should include all the configurations from levels 5, 4, and 3 and additional controls. We are planning recommendations for the additional controls now, so check back soon for level 2 enterprise dev/ops security configuration guidance! + + diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md index e3a3824c6a..ae8b0b6cc3 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md 
@@ -1,6 +1,6 @@ --- -title: SECCON 3 Enterprise VIP Security -description: This article, and the articles it links to, describe how to use the Windows SECCON framework in your organization +title: Level 3 enterprise VIP security configuration +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 3 enterprise VIP security configuration. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -14,20 +14,18 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 3 security configuration for enterprise VIPs +# Level 3 enterprise VIP security configuration **Applies to** - Windows 10 -- Windows Server 2016 -- Office 2016 -SECCON 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here. -A SECCON 3 configuration should include all the configurations from SECCON 5 and SECCON 4 and add the following security controls. +Level 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here. +A level 3 configuration should include all the configurations from level 5 and level 4 and add the following security policies, controls, and organizational behaviors. ## Policies -The policies enforced in SECCON 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). +The policies enforced in level 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. 
Microsoft recommends disciplined testing and deployment using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). ### Security Template Policies @@ -115,7 +113,7 @@ The policies enforced in SECCON 3 implement strict security configuration and co ## Controls -The controls enforced in SECCON 3 implement complex security configuration and controls. +The controls enforced in level 3 implement complex security configuration and controls. They are likely to have a higher impact to users or to applications, enforcing a level of security commensurate with the risks facing the most targeted organizations. Microsoft recommends using the Audit/Enforce methodology for controls with audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do @@ -128,7 +126,7 @@ not. ## Behaviors -The behaviors recommended in SECCON 3 represent the most sophisticated security +The behaviors recommended in level 3 represent the most sophisticated security configuration. Removing admin rights can be difficult, but it is essential to achieve a level of security commensurate with the risks facing the most targeted organizations. diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md index 51aac3468c..a09ad7377a 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md 
@@ -1,6 +1,6 @@ --- -title: SECCON 4 Enterprise High Security -description: This article, and the articles it links to, describe how to use the Windows SECCON framework in your organization +title: Level 4 enterprise high security configuration +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 4 enterprise security configuration. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -14,24 +14,24 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 4 security configuration for enterprise high security +# Level 4 enterprise high security configuration **Applies to** - Windows 10 -SECCON 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most Enterprise organizations. -A SECCON 4 configuration should include all the configurations from SECCON 5 and add the following security controls. +Level 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations. +A level 4 configuration should include all the configurations from level 5 and add the following security policies, controls, and organizational behaviors. ## Policies -The policies enforced in SECCON 4 implement more controls and a more sophisticated security -configuration than SECCON 5. While they may have a slightly higher impact to +The policies enforced in level 4 implement more controls and a more sophisticated security +configuration than level 5. While they may have a slightly higher impact to users or to applications, they enforce a level of security more commensurate with the risks facing users with access to sensitive information. 
Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, with a moderate timeline that is anticipated to be slightly longer -than the process in SECCON 5. +than the process in level 5. ### Security Template Policies @@ -180,13 +180,13 @@ than the process in SECCON 5. ## Controls -The controls enforced in SECCON 4 implement more controls and a more sophisticated security -configuration than SECCON 5. While they may have a slightly higher impact to +The controls enforced in level 4 implement more controls and a more sophisticated security +configuration than level 5. While they may have a slightly higher impact to users or to applications, they enforce a level of security more commensurate with the risks facing users with access to sensitive information. Microsoft recommends using the Audit/Enforce methodology for controls with an Audit mode, and [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for those that do not, with a moderate timeline that -is anticipated to be slightly longer than the process in SECCON 5. +is anticipated to be slightly longer than the process in level 5. | Feature Set | Feature | Description | |-------------------------------------------------------------|-------------------------------------------------------|----------------| @@ -196,7 +196,7 @@ is anticipated to be slightly longer than the process in SECCON 5. ## Behaviors -The behaviors recommended in SECCON 4 implement a more sophisticated security +The behaviors recommended in level 4 implement a more sophisticated security process. While they may require a more sophisticated organization, they enforce a level of security more commensurate with the risks facing users with access to sensitive information. 
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md index 7e92159bd8..e3e8a6598b 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md @@ -1,6 +1,6 @@ --- -title: SECCON 5 Enterprise Security -description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +title: Level 5 enterprise security configuration +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 5 enterprise security configuration. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -14,18 +14,18 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# SECCON 5 security configuration for enterprise security +# Level 5 enterprise security configuration **Applies to** - Windows 10 -SECCON 5 is the minimum security configuration for an enterprise device. -Microsoft recommends the following configuration for SECCON 5 devices. +Level 5 is the minimum security configuration for an enterprise device. +Microsoft recommends the following configuration for level 5 devices. ## Policies -The policies in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. +The policies in level 5 enforce a reasonable security level while minimizing the impact to users or to applications. Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls. ### Security Template Policies @@ -200,7 +200,7 @@ Microsoft recommends using [the rings methodology](https://docs.microsoft.com/wi ### LAPS -Download and install the [Microsoft Local Admin Password Solution](https://www.microsoft.com/download/details.aspx?id=46899). +Download and install the [Microsoft Local Admin Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899). | Feature | Policy Setting | Policy Value | Description | |---------|----------------------------------------|--------------|-------------------------------| 
@@ -225,18 +225,18 @@ Download and install the [Microsoft Local Admin Password Solution](https://www.m ## Controls -The controls enabled in SECCON 5 enforce a reasonable security level while minimizing the impact to users and applications. +The controls enabled in level 5 enforce a reasonable security level while minimizing the impact to users and applications. | Feature | Config | Description | |-----------------------------------|-------------------------------------|--------------------| | [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. | -| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. 
There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the ring methodology. | +| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | | [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). 
While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | | [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | ## Behaviors -The behaviors recommended in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. +The behaviors recommended in level 5 enforce a reasonable security level while minimizing the impact to users or to applications. 
| Feature | Config | Description | |---------|-------------------|-------------| From 19f8349262f0b67b802fe0f0175310f5b481eee2 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 9 Apr 2019 11:53:10 -0700 Subject: [PATCH 32/51] eits --- .../level-2-enterprise-devops-security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md index 78f183b8b3..3de02c1510 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-devops-security.md @@ -1,5 +1,5 @@ --- -title: Level 2 enterprise dev/ops security configuration +title: Level 2 enterprise dev/ops security workstation configuration description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 2 enterprise dev/ops security configuration. keywords: virtualization, security, malware ms.prod: w10 @@ -14,7 +14,7 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# Level 2 enterprise dev/ops security configuration +# Level 2 enterprise dev/ops workstation security configuration **Applies to** From 1734ca518b0a2cffbb7a029080d1ed7f6e91a2ef Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 9 Apr 2019 11:53:17 -0700 Subject: [PATCH 33/51] edits --- .../level-1-enterprise-administrator-security.md | 4 ++-- .../windows-security-configuration-framework.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) 
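Review bot: the TOC.md hunk renames the five child entries to "Level N" but leaves the parent context line `## [Windows SECCON framework](windows-security-configuration-framework.md)` with the old SECCON name; rename it in the same hunk so the navigation is consistent. The nearby context line `##Windows Security Blog Posts` is missing the space after `##` and will not render as a heading.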
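Review bot: the @@ -14,12 hunk of level-2-enterprise-devops-security.md appends two empty `+` lines at end of file; drop them. Across all six files in this patch the body text changes but `ms.date: 04/05/2018` is left untouched in the context lines; bump ms.date where content is edited.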
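Review bot: the @@ -14,20 hunk of level-3-enterprise-VIP-security.md removes "Windows Server 2016" and "Office 2016" from the Applies to list, which narrows the article's stated scope, yet the commit message ("edits") gives no reason; say why in the commit message or split the scope change into its own commit so it is reviewable on its own.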
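Review bot: in level-4-enterprise-high-security.md the new description ends "... framework level 4 enterprise security configuration" while the new title and H1 both say "Level 4 enterprise high security configuration"; add "high" to the description so the metadata matches the heading.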
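Review bot: the rewritten Credential Guard row in the level-5 Controls table still contains "extracting the Keberos TGT" (should be Kerberos) and mixes "Pass-the-Hash" with "Pass-The-Ticket"; since the whole row is replaced by the `+` line, fix both there. The adjacent EDR row (context) has a dangling clause in "EDR helps security analysts , and aggregates" and the duplicated "an an entity"; worth cleaning up in the same table.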
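Review bot: after the level-2 hunks in PATCH 32/51 the front-matter title reads "Level 2 enterprise dev/ops security workstation configuration" while the H1 reads "Level 2 enterprise dev/ops workstation security configuration"; pick one word order and use it in both places.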
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md index 9c4bd61995..bc0e695034 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-administrator-security.md @@ -1,5 +1,5 @@ --- -title: Level 1 enterprise administrator security +title: Level 1 enterprise administrator workstation security description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework level 1 enterprise administrator security configuration. keywords: virtualization, security, malware ms.prod: w10 @@ -14,7 +14,7 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# Level 1 enterprise administrator security configuration +# Level 1 enterprise administrator workstation security configuration **Applies to** diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md index cc6da3108b..397806aeb4 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md 
@@ -1,6 +1,6 @@ --- -title: Windows Security Configuration Framework -description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +title: Windows security configuration framework +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework . keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy @@ -27,8 +27,8 @@ Because of this, with each release of Windows, Microsoft publishes [Windows secu However, many organizations have discovered that this baseline sets a very high bar. While appropriate for organizations with very high security needs such as those persistently targeted by Advanced Persistent Threats, some organizations have found that the cost of navigating the potential compatibility impact of this configuration is prohibitively expensive given their risk appetite. They can’t justify the investment in that very high level of security with an ROI. -Assuch, Microsoft is introducing a new taxonomy for security configurations for Windows 10: Security Configuration Framework. +As such, Microsoft is introducing a new taxonomy for security configurations for Windows 10. The security configuration framework organizes devices into one of 5 distinct security configurations. ![SECCON Framework](./../images/seccon-framework.png) From a4dd9b7de94c29e4d35eb4680e07d8be166f474f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 9 Apr 2019 11:58:45 -0700 Subject: [PATCH 34/51] edits --- .../windows-security-compliance.md | 4 ++-- .../windows-security-configuration-framework.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md index 6a59458bba..3c0522fd4b 100644 
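Review bot: the new description line in windows-security-configuration-framework.md ends in " ." (a space before the period) and should read "...for Windows security configuration framework."; the "Assuch" to "As such" fix in the second hunk is fine. The level-1 hunk in this commit keeps title and H1 consistent ("enterprise administrator workstation security configuration"), which is the form the level-2 page should match too.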
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md @@ -1,5 +1,5 @@ --- -title: Windows security compliance +title: Windows security guidance for enterprises description: This article, and the articles it links to, describe how to use Windows security baselines in your organization keywords: virtualization, security, malware ms.prod: w10 @@ -14,7 +14,7 @@ ms.topic: conceptual ms.date: 04/05/2018 --- -# Windows security compliance +# Windows security guidance for enterprises **Applies to** diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md index 397806aeb4..0b921824e1 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md @@ -1,6 +1,6 @@ --- title: Windows security configuration framework -description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework . +description: Describes the policies, controls, and organizational behaviors for Windows security configuration framework. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy From 73286ba6c14ca42ac8e52af8912c44043baa8acf Mon Sep 17 00:00:00 2001 
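Review bot: the title and H1 change to "Windows security guidance for enterprises" leaves the file named windows-security-compliance.md, the description still reading "describe how to use Windows security baselines", and ms.date at 04/05/2018 in the hunk context; if the rename is deliberate, bump ms.date and decide whether the file name and description should follow. The second hunk correctly removes the stray space before the period that the previous commit introduced in the framework description.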
From: Justin Hall Date: Tue, 9 Apr 2019 12:39:35 -0700 Subject: [PATCH 35/51] filled in topic node --- ...con-1-enterprise-administrator-security.md | 27 -- .../seccon-5-enterprise-security.md | 244 ------------------ ...indows-security-configuration-framework.md | 64 ----- .../TOC.md | 24 +- .../windows-security-compliance.md | 11 +- 5 files changed, 20 insertions(+), 350 deletions(-) delete mode 100644 windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md delete mode 100644 windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md delete mode 100644 windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md deleted file mode 100644 index bf1890abdf..0000000000 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-1-enterprise-administrator-security.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -title: SECCON 1 enterprise administrator security -description: This article, and the articles it links to, describe how to use the Windows SECCON framework in your organization -keywords: virtualization, security, malware -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.author: appcompatguy -author: appcompatguy -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/05/2018 ---- - -# Level 1 security configuration for enterprise administrators - -**Applies to** - -- Windows 10 - - -Administrators (particularly of identity or security systems) present the highest risk to the organization−through data theft, data alteration, or service disruption. -SECCON 1 guidance to help protect devices used by administrators is coming soon! - - 
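Review bot: deleting windows-seccon-framework/seccon-1-enterprise-administrator-security.md removes a published path; the diffstat lists TOC.md and windows-security-compliance.md but no redirect entry, so any existing link to the old seccon-1 path will break unless a redirect to the replacement level-1-enterprise-administrator-security.md page under windows-security-configuration-framework is added in this change or a follow-up.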
diff --git a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md b/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md deleted file mode 100644 index a29c50f1fc..0000000000 --- a/windows/security/threat-protection/windows-seccon-framework/seccon-5-enterprise-security.md +++ /dev/null 
@@ -1,244 +0,0 @@ ---- -title: SECCON 5 Enterprise Security -description: This article, and the articles it links to, describe how to use Windows security baselines in your organization -keywords: virtualization, security, malware -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.author: appcompatguy -author: appcompatguy -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/05/2018 ---- - -# Level 5 security configuration for enterprise security - -**Applies to** - -- Windows 10 - -SECCON 5 is the minimum security configuration for an enterprise device. -Microsoft recommends the following configuration for SECCON 5 devices. - -## Policies - -The policies in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. -Microsoft recommends using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates) for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls. 
- -### Security Template Policies - -| Feature | Policy Setting | Policy Value | Description | -|-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. | -| Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. | -| Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2) Contain characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
-Non-alphanumeric characters (special characters):
(~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. | -| Password Policy | Store passwords using reversible encryption | Disabled | Determines whether the operating system stores passwords using reversible encryption. | -| Security Options | Accounts: Guest account status | Disabled | Determines if the Guest account is enabled or disabled. | -| Security Options | Domain member: Disable machine account password changes | Disabled | Determines whether a domain member periodically changes its computer account password. | -| Security Options | Domain member: Maximum machine account password age | 30 | Determines how often a domain member will attempt to change its computer account password | -| Security Options | Domain member: require strong (Windows 2000 or later) session key | Enabled | Determines whether 128-bit key strength is required for encrypted secure channel data | -| Security Options | Interactive logon: Machine inactivity limit | 900 | The number of seconds of inactivity before the session is locked | -| Security Options | User Account Control: Admin approval mode for the built-in administrator | Enabled | The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation | -| Security Options | User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop | When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. 
| -| Security Options | User Account Control: Detect application installations and prompt for elevation | Enabled | When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. | -| Security Options | User Account Control: Run all Administrators in admin approval mode | Enabled | This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. | -| Security Options | User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. | -| User Rights Assignments | Access Credential Manager as a trusted caller | No One (blank) | This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities. | -| User Rights Assignments | Act as part of the operating system | No One (blank) | This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. 
| -| User Rights Assignments | Allow log on locally | Administrators; Users | Determines which users can log on to the computer | -| User Rights Assignments | Back up files and directories | Administrators | Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system | -| User Rights Assignments | Create a pagefile | Administrators | Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file | -| User Rights Assignments | Create a token object | No One (blank) | Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. | -| User Rights Assignments | Create global objects | Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE | This security setting determines whether users can create global objects that are available to all sessions. | -| User Rights Assignments | Create permanent shared objects | No One (blank) | Determines which accounts can be used by processes to create a directory object using the object manager | -| User Rights Assignments | Create symbolic links | Administrators | Determines if the user can create a symbolic link from the computer he is logged on to | -| User Rights Assignments | Debug programs | Administrators | Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. 
| -| User Rights Assignments | Deny access to this computer from the network | Guests; NT AUTHORITY\\Local Account | Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. | -| User Rights Assignments | Deny log on locally | Guests | Determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. | -| User Rights Assignments | Deny log on through Remote Desktop Services | Guests; NT AUTHORITY\\Local Account | Determines which users and groups are prohibited from logging on as a Remote Desktop Services client | -| User Rights Assignments | Force shutdown from a remote system | Administrators | Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. | -| User Rights Assignments | Increase scheduling priority | Administrators | Determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| User Rights Assignments | Load and unload device drivers | Administrators | Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| User Rights Assignments | Manage auditing and security log | Administrators | Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. 
| -| User Rights Assignments | Modify firmware environment variables | Administrators | Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. | -| User Rights Assignments | Restore files and directories | Administrators | Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object | -| User Rights Assignments | Take ownership of files or other objects | Administrators | Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads | - -### Advanced Audit Policies - -| Feature | Policy Setting | Policy Value | Description | -|--------------------|---------------------------------------|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Account Logon | Audit Credential Validation | Success and Failure | Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials. | -| Account Management | Audit Security Group Management | Success | Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type. 
| -| Account Management | Audit User Account Management | Success and Failure | Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials | -| Detailed Tracking | Audit PNP Activity | Success | Audit when plug and play detects an external device | -| Detailed Tracking | Audit Process Creation | Success | Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited | -| Logon/ Logoff | Audit Account Lockout | Failure | Audit events generated by a failed attempt to log on to an account that is locked out | -| Logon/ Logoff | Audit Group Membership | Success | Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. 
| -| Logon/ Logoff | Audit Logon | Success and Failure | Audit events generated by user account logon attempts on the computer | -| Logon/ Logoff | Audit Other Logon / Logoff Events | Success and Failure | Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account | -| Logon/ Logoff | Audit Special Logon | Success | Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network) | -| Object Access | Audit Detailed File Share | Failure | Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed | -| Object Access | Audit File Share | Success and Failure | Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder | -| Object Access | Audit Other Object Access Events | Success and Failure | Audit events generated by the management of task scheduler jobs or COM+ objects | -| Object Access | Audit Removable Storage | Success and Failure | Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. 
| -| Policy Change | Audit Audit Policy Change | Success | Audit changes in the security audit policy settings | -| Policy Change | Audit Authentication Policy Change | Success | Audit events generated by changes to the authentication policy | -| Policy Change | Audit MPSSVC Rule-Level Policy Change | Success and Failure | Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. | -| Policy Change | Audit Other Policy Change Events | Failure | Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications | -| Privilege Use | Audit Sensitive Privilege Use | Success and Failure | Audit events generated when sensitive privileges (user rights) are used | -| System | Audit Other System Events | Success and Failure | Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations. | -| System | Audit Security State Change | Success | Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. 
| -| System | Audit Security System Extension | Success | Audit events related to security system extensions or services | -| System | Audit System Integrity | Success and Failure | Audit events that violate the integrity of the security subsystem | - -### Windows Defender Firewall Policies - -| Feature | Policy Setting | Policy Value | Description | -|----------------------------|---------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a domain connection | -| Domain Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a domain connection | -| Domain Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a domain connection | -| Domain Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile | -| Domain Profile / State | Firewall State | On | Enables the firewall when connected to the domain profile | -| Domain Profile / State | Inbound Connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile | -| Private Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a private connection | -| Private Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a private connection | -| Private Profile / Logging | Size limit | 16384 | Sets the firewall log file size for a private connection | -| Private Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile 
| -| Private Profile / State | Firewall state | On | Enables the firewall when connected to the private profile | -| Private Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile | -| Public Profile / Logging | Log dropped packets | Yes | Enables logging of dropped packets for a public connection | -| Public Profile / Logging | Log successful connections | Yes | Enables logging of successful connections for a public connection | -| Public Profile / Logging | Size Limit | 16384 | Sets the firewall log file size for a public connection | -| Public Profile / Settings | Apply local connection security rules | No | Ensures local connection rules will not be merged with Group Policy settings in the domain | -| Public Profile / Settings | Apply local firewall rules | No | Users cannot create new firewall rules | -| Public Profile / Settings | Display a notification | No | The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile | -| Public Profile / State | Firewall state | On | Enables the firewall when connected to the public profile | -| Public Profile / State | Inbound connections | Block | Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile | - -### Computer Policies - -| Feature | Policy Setting | Policy Value | Description | 
-|---------------------------------------------------------------------------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Network / Lanman Workstation | Enable insecure guest logons | Disabled | Determines if the SMB client will allow insecure guest logons to an SMB server | -| System / Device Guard | Turn on Virtualization Based Security | Enabled: SecureBoot and DMA Protection | Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices. | -| System / Early Launch Antimalware | Boot-Start Driver Initialization Policy | Enabled: Good, Unknown and bad but critical | Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. 
| -| System / Power Management / Sleep Settings | Require a password when a computer wakes (on battery) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep | -| System / Power Management / Sleep Settings | Require a password when a computer wakes (plugged in) | Enabled | Specifies whether the user is prompted for a password when the system resumes from sleep | -| System / Remote Procedure Call | Restrict Unauthenticated RPC clients | Enabled: Authenticated | Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. | -| Windows Components / App runtime | Allow Microsoft accounts to be optional | Enabled | Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. | -| Windows Components / AutoPlay Policies | Disallow Autoplay for non-volume devices | Enabled | Disallows AutoPlay for MTP devices like cameras or phones. | -| Windows Components / AutoPlay Policies | Set the default behavior for AutoRun | Enabled: Do not execute any autorun commands | Sets the default behavior for Autorun commands. | -| Windows Components / AutoPlay Policies | Turn off Autoplay | Enabled: All Drives | Allows you to turn off the Autoplay feature. | -| Windows Components / Biometrics / Facial Features | Configure enhanced anti-spoofing | Enabled | Determines whether enhanced anti-spoofing is required for Windows Hello face authentication | -| Windows Components / BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10) | Enabled: XTA-AES-256 for operating system drives and fixed drives and AES-CBC-256 for removable drives | Allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. 
| -| Windows Components / BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows | -| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow enhanced PINs for startup | Enabled | Allows you to configure whether enhanced startup PINs are used with BitLocker | -| Windows Components / BitLocker Drive Encryption / Operating System Drives | Allow Secure Boot for integrity validation | Enabled | Allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. | -| Windows Components / Event Log Service / Application | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. | -| Windows Components / Event Log Service / Security | Specify the maximum log file size (KB) | Enabled: 196608 | Specifies the maximum size of the log file in kilobytes. | -| Windows Components / Event Log Service / System | Specify the maximum log file size (KB) | Enabled: 32768 | Specifies the maximum size of the log file in kilobytes. | -| Windows Components / Microsoft Edge | Configure Windows Defender SmartScreen | Enabled | Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software | -| Windows Components / Windows Defender SmartScreen / Explorer | Configure Windows Defender SmartScreen | Warn and prevent bypass | Allows you to turn Windows Defender SmartScreen on or off | -| Windows Components / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for files | Enabled | This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. 
| -| Windows Components / Windows Defender SmartScreen / Microsoft Edge | Prevent bypassing Windows Defender SmartScreen prompts for sites | Enabled | Lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites | -| Windows Components / Windows Installer | Allow user control over installs | Disabled | Permits users to change installation options that typically are available only to system administrators | -| Windows Components / Windows Installer | Always install with elevated privileges | Disabled | Directs Windows Installer to use elevated permissions when it installs any program on the system | -| Windows Components / Windows Logon Options | Sign-in last interactive user automatically after a system-initiated restart | Disabled | Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system | -| Windows Components / Windows Remote Management (WinRM) / WinRM Client | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network | -| Windows Components / Windows Remote Management (WinRM) / WinRM Service | Allow unencrypted traffic | Disabled | Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. 
| - -### Windows Defender Antivirus Policies - -| Feature | Policy Setting | Policy Value | Description | -|------------------------------------------------------------------------|-----------------------------------------------------------|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Windows Components / Windows Defender Antivirus | Turn off Windows Defender Antivirus | Disabled | Turns off Windows Defender Antivirus | -| Windows Components / Windows Defender Antivirus | Configure detection for potentially unwanted applications | Enabled: Audit | Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. | -| Windows Components / Windows Defender Antivirus / MAPS | Join Microsoft MAPS | Enabled: Advanced MAPS | Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. | -| Windows Components / Windows Defender Antivirus / MAPS | Send file samples when further analysis is required | Enabled: Send safe samples | Configures behavior of samples submission when opt-in for MAPS telemetry is set | -| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn off real-time protection | Disabled | Turns off real-time protection prompts for known malware detection | -| Windows Components / Windows Defender Antivirus / Real-time Protection | Turn on behavior monitoring | Enabled | Allows you to configure behavior monitoring. 
| -| Windows Components / Windows Defender Antivirus / Scan | Scan removable drives | Enabled | Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. | -| Windows Components / Windows Defender Antivirus / Scan | Specify the interval to run quick scans per day | 24 | Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). | -| Windows Components / Windows Defender Antivirus / Scan | Turn on e-mail scanning | Enabled | Allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments | - -### User Policies - -| Feature | Policy Setting | Policy Value | Description | -|----------------------------------------|-------------------------------------------------------------|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. 
| -| Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers | - -### IE Computer Policies - -| Feature | Policy Setting | Policy Value | Description | -|---------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Windows Components / Internet Explorer | Prevent managing SmartScreen Filter | Enabled: On | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. | -| Windows Components / Internet Explorer / Internet Control Panel / Advanced Page | Check for server certificate revocation | Enabled | Allows you to manage whether Internet Explorer will check revocation status of servers' certificates | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. 
| -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone | Java permissions | Enabled: High Safety | Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. 
| -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. 
| -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Enabled: Enable | | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | -| Windows Components / Internet Explorer / Security Features | Allow fallback to SSL 3.0 (Internet Explorer) | Enabled: No sites | Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. | - -### LAPS - -Download and install the [Microsoft Local Admin Password Solution](https://www.microsoft.com/download/details.aspx?id=46899). 
- -| Feature | Policy Setting | Policy Value | Description | -|---------|----------------------------------------|--------------|-------------------------------| -| LAPS | Enable local admin password management | Enabled | Activates LAPS for the device | - -### Custom Policies - -| Feature | Policy Setting | Policy Value | Description | -|-----------------------------------------------------------------------|-----------------------------------------------------------|--------------|---------------------------------------------------------------------------------------| -| Computer Configuration / Administrative Templates / MS Security Guide | Apply UAC restrictions to local accounts on network logon | Enabled | Filters the user account token for built-in administrator accounts for network logons | - -### Services - -| Feature | Policy Setting | Policy Value | Description | -|----------------|-----------------------------------|--------------|-----------------------------------------------------------------------------------| -| Scheduled Task | XblGameSaveTask | Disabled | Syncs save data for Xbox Live save-enabled games | -| Services | Xbox Accessory Management Service | Disabled | Manages connected Xbox accessories | -| Services | Xbox Game Monitoring | Disabled | Monitors Xbox games currently being played | -| Services | Xbox Live Auth Manager | Disabled | Provides authentication and authorization services for interactive with Xbox Live | -| Services | Xbox Live Game Save | Disabled | Syncs save data for Xbox live save enabled games | -| Services | Xbox Live Networking Service | Disabled | Supports the Windows.Networking.XboxLive API | - -## Controls - -The controls enabled in SECCON 5 enforce a reasonable security level while minimizing the impact to users and applications. 
- -| Feature | Config | Description | -|-----------------------------------|-------------------------------------|--------------------| -| [Windows Defender ATP EDR](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | Deployed to all devices | The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an *incident*. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step. | -| [Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) | Enabled for all compatible hardware | Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as [applications will break](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements#application-requirements) if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the ring methodology. 
| -| [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/) | Default browser | Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | -| [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Enabled on compatible hardware | Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). 
| - -## Behaviors - -The behaviors recommended in SECCON 5 enforce a reasonable security level while minimizing the impact to users or to applications. - -| Feature | Config | Description | -|---------|-------------------|-------------| -| OS security updates | Deploy Windows Quality Updates within 7 days of release | As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities. | - diff --git a/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md deleted file mode 100644 index 5ec7880a83..0000000000 --- a/windows/security/threat-protection/windows-seccon-framework/windows-security-configuration-framework.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Windows Security Configuration Framework -description: This article, and the articles it links to, describe how to use Windows security baselines in your organization -keywords: virtualization, security, malware -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.author: appcompatguy -author: appcompatguy -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/05/2018 ---- - -# Introducing the Security Configuration Framework - -**Applies to** - -- Windows 10 - -Security configuration is complex. With thousands of group policies available in Windows, choosing the “best” setting is difficult. -It’s not always obvious which permutations of policies are required to implement a complete scenario, and there are often unintended consequences of some security lockdowns. - -Because of this, with each release of Windows, Microsoft publishes [Windows Security Baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), an industry-standard configuration that is broadly known and well-tested. -However, many organizations have discovered that this baseline sets a very high bar. -While appropriate for organizations with very high security needs such as those persistently targeted by Advanced Persistent Threats, some organizations have found that the cost of navigating the potential compatibility impact of this configuration is prohibitively expensive given their risk appetite. -They can’t justify the investment in that very high level of security with an ROI. -Assuch, Microsoft is introducing a new taxonomy for Security Configurations for Windows 10: The SECCON Baselines. - -The SECCON Baselines organize devices into one of 5 distinct security configurations. 
- -![SECON Framework](./../images/seccon-framework.png) - -- [SECCON 5 Enterprise Security](seccon-5-enterprise-security.md) – We recommend this configuration as the minimum security configuration for an enterprise device. Recommendations for this SecCon level are generally straightforward and are designed to be deployable within 30 days. -- [SECCON 4 Enterprise High Security](seccon-4-enterprise-high-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this SecCon level are generally accessible to most organizations and are designed to be deployable within 90 days. -- [SECCON 3 Enterprise VIP Security](seccon-3-enterprise-vip-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this SecCon level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days. -- [SECCON 2 DevOps Workstation](seccon-2-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. SecCon 2 guidance is coming soon! 
-- [SECCON 1 Administrator Workstation](seccon-1-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. SecCon 1 guidance is coming soon! - - -The SECCON Baselines divide configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices -(SECCON 5, 4, and 3). -Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec). - -Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that SECCON level. -SECCON 5 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite. - -## Security Control Classification - -The recommendations are grouped into three categories. - -![Security Control Classifications](./../images/security-control-classification.png) - - -## Security Control Deployment Methodologies - -The way Microsoft recommends implementing these controls depends on the -auditability of the control–there are two primary methodologies. - -![Security Control Deployment methodologies](./../images/security-control-deployment-methodologies.png) - - diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md index e994f2c0ff..d305b00ebe 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md 
@@ -1,17 +1,17 @@ -# [Windows security compliance](windows-security-compliance.md) +# [Windows security guidance for enterprises](windows-security-compliance.md) ## [Windows security baselines](windows-security-baselines.md) ### [Security Compliance Toolkit](security-compliance-toolkit-10.md) ### [Get support](get-support-for-security-baselines.md) -## [Windows SECCON framework](windows-security-configuration-framework.md) -### [Level 5 Enterprise Security](level-5-enterprise-security.md) -### [Level 4 Enterprise High Security](level-4-enterprise-high-security.md) -### [Level 3 Enterprise VIP Security](level-3-enterprise-vip-security.md) -### [Level 2 Enterprise Dev/Ops Workstation](level-2-enterprise-devops-security.md) -### [Level 1 Enterprise Administrator Workstation](level-1-enterprise-administrator-security.md) -##Windows Security Blog Posts -### [Sticking with Well-Known and Proven Solutions](windows-security-blog/sticking-with-well-known-and-proven-solutions.md) -### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) -### [Configuring Account Lockout](windows-security-blog/configuring-account-lockout.md) -### [Blocking Remote Use of Local Accounts](windows-security-blog/blocking-remote-use-of-local-accounts.md) +## [Windows security configuration framework](windows-security-configuration-framework.md) +### [Level 5 enterprise security](level-5-enterprise-security.md) +### [Level 4 enterprise high security](level-4-enterprise-high-security.md) +### [Level 3 enterprise VIP security](level-3-enterprise-vip-security.md) +### [Level 2 enterprise dev/ops workstation](level-2-enterprise-devops-security.md) +### [Level 1 enterprise administrator aorkstation](level-1-enterprise-administrator-security.md) +##Windows security articles +### [Sticking with well-known and proven solutions](windows-security-blog/sticking-with-well-known-and-proven-solutions.md) +### [Why we’re not recommending "FIPS Mode" 
anymore](windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) +### [Configuring account lockout](windows-security-blog/configuring-account-lockout.md) +### [Blocking remote use of local accounts](windows-security-blog/blocking-remote-use-of-local-accounts.md) ### [Dropping the “Untrusted Font Blocking” setting](windows-security-blog/dropping-the-untrusted-font-blocking-setting.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md index 3c0522fd4b..aaf62986eb 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-compliance.md @@ -1,6 +1,6 @@ --- title: Windows security guidance for enterprises -description: This article, and the articles it links to, describe how to use Windows security baselines in your organization +description: This article describes how to use Windows security baselines in your organization keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy 
@@ -19,5 +19,10 @@ ms.date: 04/05/2018 **Applies to** - Windows 10 -- Windows Server 2016 -- Office 2016 + +The topics in this section provide security configuration guidelines for enterprises. You can use these guidelines to deploy security configuration settings and to ensure that user and device settings comply with enterprise policies. + +| Capability | Description | +|------------|-------------| +| [Windows security baselines](windows-security-baselines.md) | Microsoft-recommended configuration settings and their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. | +| [Windows security configuration framework](windows-security-configuration-framework.md) | Five distinct security configurations for more granular control over productivity devices and privileged access workstations. | From d7e0bbe7e4f0766628ae6278323d8ea4f9aebef7 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 9 Apr 2019 13:42:14 -0700 Subject: [PATCH 36/51] fixed path --- windows/security/threat-protection/TOC.md | 30 +++++++++++------------ 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 2fe57b0501..fefb79462d 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
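Review bot: Defects in the text removed by the hunk that deletes windows-seccon-framework/level-5-enterprise-security.md will be carried into the level-5-enterprise-security.md that this patch's TOC.md links under windows-security-configuration-framework unless they are fixed there: the BitLocker row reads `Enabled: XTA-AES-256 for operating system drives` where the cipher is XTS-AES-256; the EDR row has the unfinished clause `EDR helps security analysts , and aggregates alerts` and `into an an entity`; the Credential Guard row has `Keberos TGT`; the Xbox Live Auth Manager row says `services for interactive with Xbox Live`; the `Locked-Down Trusted Sites Zone | Java permissions | Enabled: Enable` row has an empty Description cell and a value that is not one of the permission levels the table uses elsewhere (`Enabled: High Safety`); and the SmartScreen / Explorer row gives `Warn and prevent bypass` without the `Enabled:` prefix every other row uses. Because the file is deleted outright rather than renamed, git cannot show whether the replacement copy was corrected, so diff the two copies before merging.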
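Review bot: Link targets in the `@@ -1,64 +0,0 @@` hunk that deletes windows-seccon-framework/windows-security-configuration-framework.md do not match the TOC in this same patch: the removed body links `seccon-5-enterprise-security.md` through `seccon-1-enterprise-administrator-security.md`, while TOC.md names the pages `level-5-enterprise-security.md` through `level-1-enterprise-administrator-security.md`, so if the body was copied to the new folder unchanged all five links are dead. Also fix in the copied text `Assuch, Microsoft is introducing`, the image alt `![SECON Framework]`, and the sentence on Privileged Access Workstations, whose two link texts both point at `http://aka.ms/privsec` (confirm one target is intended, and use https).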
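Review bot: Typo in the renamed entry `### [Level 1 enterprise administrator aorkstation](level-1-enterprise-administrator-security.md)` in the windows-security-configuration-framework/TOC.md hunk; it should read `workstation`. The same hunk rewrites `##Windows Security Blog Posts` as `##Windows security articles` but keeps the missing space after `##`, so the line still will not render as a heading; use `## Windows security articles`. The file also ends with `\ No newline at end of file` on the last entry; add the trailing newline while touching it.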
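Review bot: The new description in the `@@ -1,6 +1,6 @@` hunk for windows-security-compliance.md, `This article describes how to use Windows security baselines in your organization`, is narrower than the page now is: the capability table added in the following hunk covers both Windows security baselines and the Windows security configuration framework, so the description should mention both.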
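Review bot: Dropping `- Windows Server 2016` and `- Office 2016` from the Applies to list in the `@@ -19,5 +1,10 @@` hunk is a scope change that nothing in the hunk explains; confirm the guidance no longer applies to those products, otherwise keep the items. The hunk header's context line shows `ms.date: 04/05/2018` unchanged while the body gains a paragraph and a capability table; bump ms.date with the content change.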
@@ -1019,22 +1019,22 @@ ###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md) -### [Windows security compliance](windows-security-congiguration-framework/windows-security-compliance.md) -#### [Windows security baselines](windows-security-congiguration-framework/windows-security-baselines.md) -##### [Security Compliance Toolkit](windows-security-congiguration-framework/security-compliance-toolkit-10.md) -##### [Get support](windows-security-congiguration-framework/get-support-for-security-baselines.md) -#### [Windows SECCON framework](windows-security-congiguration-framework/windows-security-configuration-framework.md) -##### [SECCON 1 enterprise administrator security](windows-security-congiguration-framework/level-1-enterprise-administrator-security.md) -##### [SECCON 2 enterprise dev/ops security](windows-security-congiguration-framework/level-2-enterprise-devops-security.md) -##### [SECCON 3 enterprise VIP security](windows-security-congiguration-framework/level-3-vip-enterprise-security.md) -##### [SECCON 4 enterprise high security](windows-security-congiguration-framework/level-4-high-enterprise-security.md) -##### [SECCON 5 enterprise security](windows-security-congiguration-framework/level-5-enterprise-security.md) +### [Windows security compliance](windows-security-configuration-framework/windows-security-compliance.md) +#### [Windows security baselines](windows-security-configuration-framework/windows-security-baselines.md) +##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md) +##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md) +#### [Windows SECCON framework](windows-security-configuration-framework/windows-security-configuration-framework.md) +##### [SECCON 1 enterprise administrator security](windows-security-configuration-framework/level-1-enterprise-administrator-security.md) 
+##### [SECCON 2 enterprise dev/ops security](windows-security-configuration-framework/level-2-enterprise-devops-security.md) +##### [SECCON 3 enterprise VIP security](windows-security-configuration-framework/level-3-vip-enterprise-security.md) +##### [SECCON 4 enterprise high security](windows-security-configuration-framework/level-4-high-enterprise-security.md) +##### [SECCON 5 enterprise security](windows-security-configuration-framework/level-5-enterprise-security.md) ####Windows Security Blog Posts -##### [Sticking with Well-Known and Proven Solutions](windows-security-congiguration-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md) -##### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-congiguration-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) -##### [Configuring Account Lockout](windows-security-congiguration-framework/windows-security-blog/configuring-account-lockout.md) -##### [Blocking Remote Use of Local Accounts](windows-security-congiguration-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md) -##### [Dropping the “Untrusted Font Blocking” setting](windows-security-congiguration-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md) +##### [Sticking with Well-Known and Proven Solutions](windows-security-configuration-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md) +##### [Why We’re Not Recommending "FIPS Mode" Anymore](windows-security-configuration-framework/windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) +##### [Configuring Account Lockout](windows-security-configuration-framework/windows-security-blog/configuring-account-lockout.md) +##### [Blocking Remote Use of Local Accounts](windows-security-configuration-framework/windows-security-blog/blocking-remote-use-of-local-accounts.md) +##### [Dropping the “Untrusted Font Blocking” 
setting](windows-security-configuration-framework/windows-security-blog/dropping-the-untrusted-font-blocking-setting.md) ### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) From c2a3849eac922e9187fbbbab44d0fc858c0a5e06 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 9 Apr 2019 14:35:20 -0700 Subject: [PATCH 37/51] edit --- .../level-5-enterprise-security.md | 2 +- .../windows-security-configuration-framework.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md index e3e8a6598b..5b7819551f 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md 
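Review bot: two of the corrected paths in this TOC hunk still don't follow the level-N-enterprise-... naming used by the other levels: SECCON 3 links to level-3-vip-enterprise-security.md and SECCON 4 to level-4-high-enterprise-security.md, so both will break if the files are named like their siblings (level-1-enterprise-administrator-security.md, level-2-enterprise-devops-security.md, level-5-enterprise-security.md). Also, `####Windows Security Blog Posts` has no space after the hashes and will render as literal text rather than a heading.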
@@ -193,7 +193,7 @@ Microsoft recommends using [the rings methodology](https://docs.microsoft.com/wi | Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Cross-Site Scripting Filter | Enabled: Enable | Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. | | Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on Protected Mode | Enabled: Enable | Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. | | Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Enabled: Enable | | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Enabled: Enable | Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High. | | Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Use Pop-up Blocker | Enabled: Enable | Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. 
| | Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone | Don't run antimalware programs against ActiveX controls | Enabled: Disable | Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. | | Windows Components / Internet Explorer / Security Features | Allow fallback to SSL 3.0 (Internet Explorer) | Enabled: No sites | Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. | diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md index 0b921824e1..2160e044a3 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md @@ -29,7 +29,7 @@ While appropriate for organizations with very high security needs such as those They can’t justify the investment in that very high level of security with an ROI. As such, Microsoft is introducing a new taxonomy for security configurations for Windows 10. -The security configuration framework organizes devices into one of 5 distinct security configurations. +This new security configuration framework, which we call the SECCON framework (remember "WarGames"?), organizes devices into one of 5 distinct security configurations. ![SECCON Framework](./../images/seccon-framework.png) From 3016575b39529c825b3d05cd8d53224dfc17b1e8 Mon Sep 17 00:00:00 2001 
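Review bot: the new Java permissions description in the Locked-Down Trusted Sites Zone row has a typo, "such Low, Medium, or High" should read "such as Low, Medium, or High", and it only says the setting is configurable rather than which permission level this configuration enforces; for a hardening table the reader needs the value being applied, not a restatement of the policy's help text. That row is also the only Locked-Down Trusted Sites Zone entry sitting in a run of Restricted Sites Zone rows; group it with the rows for its own zone so the table stays scannable.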
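Review bot: the 'remember "WarGames"?' aside added to the framework sentence is a joke that doesn't belong in reference documentation and won't survive localization; "This security configuration framework, which we call the SECCON framework, organizes devices into one of five distinct security configurations" carries the same information. Spell out "five" while you are there, to match the prose style of the surrounding paragraphs.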
From: Justin Hall Date: Tue, 9 Apr 2019 14:44:41 -0700 Subject: [PATCH 38/51] replaced rule list with link --- .../level-4-enterprise-high-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md index a09ad7377a..4f337c5d9b 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md @@ -191,7 +191,7 @@ is anticipated to be slightly longer than the process in level 5. | Feature Set | Feature | Description | |-------------------------------------------------------------|-------------------------------------------------------|----------------| | [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) | Enforce memory protection for OS-level controls:
- Control flow guard (CFG)
- Data Execution Protection (DEP)
- Mandatory ASLR
- Bottom-Up ASLR
- High-entropy ASLR
- Validate Exception Chains (SEHOP)
- Validate heap integrity | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at either the operating system level, or at the individual app level. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. dynamically generating code without marking memory as executable). Microsoft recommends gradually deploying this configuration using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). | -| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and Enforce Attack Surface Reduction Rules:
- Block executable content from email client and webmail
- Block all Office applications from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block JavaScript or VBScript from launching downloaded executable content
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macro
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block Office communication applications from creating child processes
- Block Adobe Reader from creating child processes
| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode | +| [Attack Surface Reduction (ASR)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)| Configure and enforce [Attack Surface Reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules)| Attack surface reduction controls help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. There is a risk to application compatibility, as some applications may rely on blocked behavior (e.g. an Office application spawning a child process). Each control has an Audit mode, and as such, Microsoft recommends the Audit / Enforce Methodology (repeated here):
1) Audit – enable the controls in audit mode, and gather audit data in a centralized location
2) Review – review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure
3) Enforce – Deploy the configuration of any exemptions and convert the control to enforce mode | | [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) | Configure and enforce Network Protection | Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology. | ## Behaviors From 9d75953d444361e382d80b03866868042bbaedc6 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 9 Apr 2019 14:54:36 -0700 Subject: [PATCH 39/51] edits --- .../level-4-enterprise-high-security.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md index 4f337c5d9b..2986d0f69e 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md 
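Review bot: replacing the enumerated ASR rules with a link to the general rules page loses the level-4 prescription: the old cell told an administrator exactly which rules this level enforces (for example the LSASS credential-theft block and the PSExec/WMI process-creation block), while the linked page lists every rule with no indication of which ones level 4 requires. Keep the link for the rule details, but state in the cell whether level 4 means "all rules" or a named subset, so the requirement remains auditable. Minor: the Audit / Review / Enforce steps are numbered "1)", "2)", "3)" inside a single table cell, which renders as plain text rather than a list, and "Enforce – Deploy" is capitalized unlike the other two steps.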
@@ -196,8 +196,7 @@ is anticipated to be slightly longer than the process in level 5. ## Behaviors -The behaviors recommended in level 4 implement a more sophisticated security -process. While they may require a more sophisticated organization, they enforce +The behaviors recommended in level 4 implement a more sophisticated security process. While they may require a more sophisticated organization, they enforce a level of security more commensurate with the risks facing users with access to sensitive information. From 95b4b07c24eaf5d9cde959d78b73d6654b5ae40f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 10 Apr 2019 09:31:21 -0700 Subject: [PATCH 40/51] fixed typo --- .../windows-security-configuration-framework/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md index d305b00ebe..0655e11899 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md @@ -8,7 +8,7 @@ ### [Level 4 enterprise high security](level-4-enterprise-high-security.md) ### [Level 3 enterprise VIP security](level-3-enterprise-vip-security.md) ### [Level 2 enterprise dev/ops workstation](level-2-enterprise-devops-security.md) -### [Level 1 enterprise administrator aorkstation](level-1-enterprise-administrator-security.md) +### [Level 1 enterprise administrator workstation](level-1-enterprise-administrator-security.md) ##Windows security articles ### [Sticking with well-known and proven solutions](windows-security-blog/sticking-with-well-known-and-proven-solutions.md) ### [Why we’re not recommending "FIPS Mode" anymore](windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) From 1d703645c303b3a60d80a8dfae73c23b2b9a1e8c Mon Sep 17 00:00:00 2001 
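Review bot: the reflow in this hunk joins only the first two lines of the paragraph; the rest ("a level of security more commensurate with the risks facing users with access to sensitive information.") keeps its hard wraps, so the paragraph is now half unwrapped. Either unwrap the whole paragraph or leave it wrapped; a partial change only makes the next diff noisier.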
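Review bot: while fixing "aorkstation", the `##Windows security articles` heading two lines below also needs a space after the hashes or it renders as literal text. The display titles in this sub-TOC ("Level 2 enterprise dev/ops workstation", "Level 1 enterprise administrator workstation") also differ from the "SECCON N enterprise ... security" titles the parent TOC.md uses for the same files (see patch 36 in this series); pick one naming and use it in both tables of contents.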
From: Justin Hall Date: Wed, 10 Apr 2019 09:32:06 -0700 Subject: [PATCH 41/51] removed blog posts from toc --- .../windows-security-configuration-framework/TOC.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md index 0655e11899..8ea1c320ba 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/TOC.md @@ -9,9 +9,3 @@ ### [Level 3 enterprise VIP security](level-3-enterprise-vip-security.md) ### [Level 2 enterprise dev/ops workstation](level-2-enterprise-devops-security.md) ### [Level 1 enterprise administrator workstation](level-1-enterprise-administrator-security.md) -##Windows security articles -### [Sticking with well-known and proven solutions](windows-security-blog/sticking-with-well-known-and-proven-solutions.md) -### [Why we’re not recommending "FIPS Mode" anymore](windows-security-blog/why-were-not-recommending-fips-mode-anymore.md) -### [Configuring account lockout](windows-security-blog/configuring-account-lockout.md) -### [Blocking remote use of local accounts](windows-security-blog/blocking-remote-use-of-local-accounts.md) -### [Dropping the “Untrusted Font Blocking” setting](windows-security-blog/dropping-the-untrusted-font-blocking-setting.md) \ No newline at end of file From f7b48d061ef4b1bf4f42fa9e1f62aab684f2f727 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 10 Apr 2019 09:38:49 -0700 Subject: [PATCH 42/51] added sec baseline redirects --- .openpublishing.redirection.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ab677cc666..53b257dff3 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
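Review bot: removing the blog-post entries from this sub-TOC leaves them listed under "Windows Security Blog Posts" in the parent threat-protection TOC.md (patch 36 in this series), so the two tables of contents now disagree; either remove them there as well or explain in the commit message why only this TOC drops them. The file also still ends without a trailing newline ("\ No newline at end of file"), which this hunk could have fixed at no cost.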
@@ -6,6 +6,21 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-security-baselines.md", +"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/security-compliance-toolkit-10.md", +"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/get-support-for-security-baselines.md", +"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np", "redirect_document_id": true From 92643b8ff6db355c96de24559e6d4b53c2fdd106 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 10 Apr 2019 10:16:14 -0700 Subject: [PATCH 43/51] added links --- .../level-3-enterprise-VIP-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md index ae8b0b6cc3..9c8c264402 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md 
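Review bot: the three new redirects cover windows-security-baselines, security-compliance-toolkit-10 and get-support-for-security-baselines, but patch 36 in this series also places windows-security-compliance.md under windows-security-configuration-framework/; if that topic moved from threat-protection/ as the other three did, it needs a matching redirect entry here, otherwise its old URL will 404 while the rest resolve. The new objects otherwise mirror the existing entries (source_path, redirect_url, redirect_document_id: true), which is what we want.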
@@ -122,7 +122,7 @@ not. | Feature Set | Feature | Description | |--------------|----------|--------------| | Exploit protection | Enable exploit protection | Exploit protection helps protect devices from malware that use exploits to spread and infect to other devices. It consists of several mitigations that can be applied at the individual app level. | -| Windows Defender Application Control (WDAC) *or* AppLocker | Configure devices to use application whitelisting using one of the following approaches:
- AaronLocker (admin writeable areas) when software distribution is not always centralized
*or*
- Managed installer when all software is pushed through software distribution
*or*
- Explicit control when the software on a device is static and tightly controlled | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/). | +| Windows Defender Application Control (WDAC) *or* AppLocker | Configure devices to use application whitelisting using one of the following approaches:
[AaronLocker](https://blogs.msdn.microsoft.com/aaron_margosis/2018/10/11/aaronlocker-update-v0-91-and-see-aaronlocker-in-action-on-channel-9/) (admin writeable areas) when software distribution is not always centralized
*or*
[Managed installer](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) when all software is pushed through software distribution
*or*
[Explicit control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy) when the software on a device is static and tightly controlled | Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. Application Control can help mitigate these types of security threats by restricting the applications that users can run and the code that runs in the System Core (kernel). WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/). | ## Behaviors From 81595a96cb2d4f1beb4daf0739751b8e5540c19f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 10 Apr 2019 11:30:40 -0700 Subject: [PATCH 44/51] fixed links --- windows/security/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index fefb79462d..f225ae046e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
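Review bot: when the three approaches were turned into links, the leading "- " bullets were dropped, so the cell now reads as three run-on fragments separated by *or*; keep the bullets so the alternatives are still visibly a choice. Also, the AaronLocker link points at a personal MSDN blog post pinned to a specific release (aaronlocker-update-v0-91...), while the managed-installer and explicit-control links go to versionless docs pages; prefer a stable landing page for AaronLocker so the link doesn't rot with the next release.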
@@ -1027,7 +1027,7 @@ ##### [SECCON 1 enterprise administrator security](windows-security-configuration-framework/level-1-enterprise-administrator-security.md) ##### [SECCON 2 enterprise dev/ops security](windows-security-configuration-framework/level-2-enterprise-devops-security.md) ##### [SECCON 3 enterprise VIP security](windows-security-configuration-framework/level-3-vip-enterprise-security.md) -##### [SECCON 4 enterprise high security](windows-security-configuration-framework/level-4-high-enterprise-security.md) +##### [SECCON 4 enterprise high security](windows-security-configuration-framework/level-4-enterprise-high-security.md) ##### [SECCON 5 enterprise security](windows-security-configuration-framework/level-5-enterprise-security.md) ####Windows Security Blog Posts ##### [Sticking with Well-Known and Proven Solutions](windows-security-configuration-framework/windows-security-blog/sticking-with-well-known-and-proven-solutions.md) From ce3762eef2e1e0cdb9260cb3296ab3f9d73c465a Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 10 Apr 2019 11:49:03 -0700 Subject: [PATCH 45/51] fixed link --- windows/security/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index f225ae046e..caec919411 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
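Review bot: this corrects the SECCON 4 path, but the SECCON 3 link on the line above still points at level-3-vip-enterprise-security.md, which has the same wrong word order (the file patch 43 in this series edits is level-3-enterprise-VIP-security.md); fix both links in one commit rather than one per commit.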
@@ -1026,7 +1026,7 @@ #### [Windows SECCON framework](windows-security-configuration-framework/windows-security-configuration-framework.md) ##### [SECCON 1 enterprise administrator security](windows-security-configuration-framework/level-1-enterprise-administrator-security.md) ##### [SECCON 2 enterprise dev/ops security](windows-security-configuration-framework/level-2-enterprise-devops-security.md) -##### [SECCON 3 enterprise VIP security](windows-security-configuration-framework/level-3-vip-enterprise-security.md) +##### [SECCON 3 enterprise VIP security](windows-security-configuration-framework/level-3-enterprise-vip-security.md) ##### [SECCON 4 enterprise high security](windows-security-configuration-framework/level-4-enterprise-high-security.md) ##### [SECCON 5 enterprise security](windows-security-configuration-framework/level-5-enterprise-security.md) ####Windows Security Blog Posts From d988308e51f7bf9fdde2b6bf1b853007ec4e3eab Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 10 Apr 2019 12:42:38 -0700 Subject: [PATCH 46/51] fixed typo --- .../windows-information-protection/limitations-with-wip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index f3d8fb9489..6cea68fc1c 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/05/2019 +ms.date: 04/10/2019 ms.localizationpriority: medium --- 
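Review bot: the corrected SECCON 3 link uses level-3-enterprise-vip-security.md in lowercase, but the file edited by patch 43 in this series is level-3-enterprise-VIP-security.md with uppercase VIP; on a case-sensitive build or host that link still breaks, so either rename the file to lowercase (matching its siblings) or match the case here. This is also the third commit in the series correcting the same few TOC lines (patches 36 and 44); squash them into one "fix TOC paths" commit.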
@@ -125,7 +125,7 @@ This table provides info about the most common problems you might encounter whil - By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can't access it. + By design, files in the Windows directory tree (%windir% or C:\Windows) cannot be encrypted because they need to be accessed by the system even when no user is signed in. If a file in the Windows directory gets encrypted by one user, the system and other users can't access it. Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. From 0ed9b9163852602f6a973ceefa56458880ec1771 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 10 Apr 2019 12:46:57 -0700 Subject: [PATCH 47/51] fixed typos --- .../windows-information-protection/limitations-with-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 6cea68fc1c..34fbd59f55 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md 
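Review bot: the commit is labelled "fixed typo", but besides the path separator (C:/Windows to C:\Windows) and "encypted", this hunk changes the stated reason files under %windir% cannot be encrypted, from "accessed by any user" to "accessed by the system even when no user is signed in", and extends the consequence to "the system and other users can't access it"; that is a substantive correction of the security rationale and should be called out in the commit message, not hidden under a typo fix.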
@@ -127,7 +127,7 @@ This table provides info about the most common problems you might encounter whil By design, files in the Windows directory tree (%windir% or C:\Windows) cannot be encrypted because they need to be accessed by the system even when no user is signed in. If a file in the Windows directory gets encrypted by one user, the system and other users can't access it. - Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. + Any attempt to encrypt a file in the Windows directory will return a file access denied error. For example, if you redirected C:\Windows to OneDrive for Business, new files would be created without encryption. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it. From 19a72a687904430f2b3445f7dbc481287cb31e39 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 10 Apr 2019 14:52:06 -0700 Subject: [PATCH 48/51] removede xample --- .../windows-information-protection/limitations-with-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 34fbd59f55..6cea68fc1c 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md 
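Review bot: the added example doesn't illustrate the sentence it follows: the sentence says an encryption attempt in the Windows directory returns an access-denied error, while the example says redirecting C:\Windows to OneDrive for Business causes new files to be created without encryption, which is a different behaviour (silent non-encryption rather than an error) and an unusual configuration. Either describe the redirect case on its own, with what actually happens, or drop the example.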
@@ -127,7 +127,7 @@ This table provides info about the most common problems you might encounter whil By design, files in the Windows directory tree (%windir% or C:\Windows) cannot be encrypted because they need to be accessed by the system even when no user is signed in. If a file in the Windows directory gets encrypted by one user, the system and other users can't access it. - Any attempt to encrypt a file in the Windows directory will return a file access denied error. For example, if you redirected C:\Windows to OneDrive for Business, new files would be created without encryption. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. + Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it. From a5bc93ae9a49814be71b25cfda5e124c86981705 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 10 Apr 2019 15:19:05 -0700 Subject: [PATCH 49/51] added server core edit --- .../applocker/applocker-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 758f313aac..c40cc607a5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md 
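Review bot: this commit exactly reverts patch 47 in this series, so the pair should be squashed out of the history rather than shipped as an add-then-remove; the subject line also has a typo ("removede xample" for "removed example").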
@@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/16/2017 +ms.date: 04/10/2019 --- # AppLocker @@ -92,7 +92,7 @@ AppLocker is included with enterprise-level editions of Windows. You can author   ### Using AppLocker on Server Core -AppLocker on Server Core installations is not supported. +AppLocker on Server Core installations is not supported. This applies to all versions of Windows Server. ### Virtualization considerations From 3c24289d2cbd17a9ace85a215594a7da130fb7d4 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 10 Apr 2019 15:58:36 -0700 Subject: [PATCH 50/51] added image --- .../images/seccon-framework.png | Bin 125416 -> 64034 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
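Review bot: "This applies to all versions of Windows Server" is an unbounded claim that will silently go stale if support ever changes; tie it to the supported operating systems list (for example by naming the releases it was checked against, or linking the requirements topic) so the reader knows its scope. The statement also offers no alternative: since the level 3 guidance in this series (patch 43) tells administrators to use WDAC or AppLocker, point Server Core readers to WDAC here if it is supported on that installation option.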
diff --git a/windows/security/threat-protection/images/seccon-framework.png b/windows/security/threat-protection/images/seccon-framework.png index 5a1c8ce2ad996437920b2a7384fa5a1f31326c70..06f66acf99dad691d7362ec4b1c438327d65f419 100644 GIT binary patch literal 64034
zf#{QkrAMo$Fv9MI&HG)3gOm#fJ%+$TOC&(3xj zTbbgaYrOb5%z!$`SahwcW6|AwK`)TW$YL$?>8DnGnTtNC>*w%ZX2Yy^Q@+=3N5zxO zX<4RiD^O%kx6ifRSwNi2M>QH_Q_n!@_G$ThZ-HT6uuF2Z!hZfohCmhcKn4bi{k937 z(^mbQ%)xY@8O2wg5~m*DS?{v~TTD{YEBMG`mfP9xmTXGoIsT>gH8ss(c9=Nj!x96n zI<`qC@sx7>yrB!L`ai)iN`uvKr`ux#A#y^(yTQ0Y`l^^`(|3nc6d0`ur^&4>p@Q4t zsvgUMQ%ZrN$yvp8C~7{!1}v`2UrbGFlnNk*LJz^C=}?(EcXQjPHgNkknr`2u)sc}# z6agsK7KlwAC{%`;UXnze^Hn1WgCP++FON<4<|oZRlJEe|Z{{n%33>CrKK)_SQPrdk zDd?#%0eQiiGw(cZH>P(QBQMg>Mfe&Fim&jl8`Z~O9C41er;dWCx~t3HBKr!2bl)9M z+1O-n;7>)mwo@}jpHl{h`}H;n5@01}iivYUU0Pbly)*?mtfqUa?u*Ee!C@b8HqMoI zL44uzL}wHfN})ldwoTs89`8}}YvVdz(_2n9SbW!6e6t$y$e6;RhUN2hzF(dBxd}HU zUy;;&WFr-la;(!3p$plD_->xGRDoq=>;Td-CaVG(d!=2n}|2N^vYrQI5XB+be)kGbJ@ z8^7`fz3VE#>B&c7Tycv+XK#L4z?&zQb+4CS%n4N+9~`7S0jC17yHpq0mTT@zJ~1& zIp6Q&!-uX5f2Cc-qvr$V!R<&ZA82zV&Vz)NH0Lht%QRU`OuoOKZ^e3DDNhmb(q;}z z)3SNF4P}=%1ztHR@RE!9-JY#O^~Y&j-_w1k^eV32uQ+|ED(CKU zKbLl*!SQmR2ez8yZVa0U;9udBU5um4;loQyG)xZ1M$}0T?hDU{(5hfi$$oKzo;>xo zJ)F7*k=!;P3_74z`fm|v5Nx&0PhP00NiMbbc8!OB^>F(eJRU!HW7_DbO=`oM`4El* zAVeXZ6^Zf3Ov(KnFo7AFL{+1Ahy^~jK4eXDzaBsM6kO=Jec7bxwb^|?1W!8Oij#n1 zU!)oue2f6c7{1oK>XW3xi{x_r?OaETJO3NM+LHUP-j1m}eY&*w5yt_R@_qrZ=<6iy zR?GR#w`8w}%BQbKONhoRV?V)fkoWXck+JhJIo@#U03R!#mpTX$ySkkwvf(9k-wMFw z6Lu|J5SD;#NL|RZf>l1j=QGT+ywx&bB#j8p--0(D>=u|@xlU%TT6tVqSan7>?%$Li z9ciN#eEyxAt6^KA-);r;7{I1`(8XS@*&#+lx5}=1k9zmBO27Zz=y4F}?3-`FTe!Ct zM`*CzZYif$rZz0O=R&p+7BPsgJ15@wIC(Xe8vi3$+ehP;KO>wmF8M0^`q^ttP`|vD zosO@G2@&I+*Db9|%w@yYu7f3hAudR>lu2q;D>Xcbc8d3xNS> zkL1aV|4z34ul(u%{1n)-JVpFR61-Lr4rzSpwdga{ox~v*n~zp1U|MJfv;54r8k!W> zn&Q@(+91sRLKm04jY9rC^vC(V(ntqczO;k{zq(YgAZsTq3Tx*tT@huzott&WdK%`G zJ5xImm^Vh>R?4w))(?Jv92llTGdeeEe`#*Bo~n{6oZ{wGP|fRYlFupoPON*FZIww4 zR^H$lcd4ah@4>d<>L_7|>$}i=ci^S*`8)AMVQCn(tX4w=lkR+N$oDslCEIL)UvvmS zAS9CEpI?xOLzh-aoUyZ`VQpCpKW+7?59{{ydOdN^)J=09VHH|0GjC)M$QVnx240zJ zDTY~|but?|ko)B9S)McnO)1hcqjY5MW+p0Gkj5$%fGyKw@$UNv1TiR<4lr-tmev^R zs~gZp=9;j8_ysBUi)}F@rSKbN8*+3s(r@p273b7;v$i(Iv((jCt#Q`8`!2S(c2zYb 
z%%}}cSz75S{lbvgIiSw7szR3aoVT(%dCI5Y?5s3Jb5ohFb6JGz3_~}4bN1u` zr;$H<>uD~$pyWS^UnQSx{oozv^yM8DImg>E3IASHVl(xbHen_ z`nsjKQVf$*?bRyjwu%!Wx(WQ6!%?Xz?9;HAtV3dLWAciQ(J=f{-M)Nz@&~({r^VkQ zI4tI?0z!9Rp`KdvVgIOYO*3Lu%?BqqQn}r-3hm02*6cPn&=>r7W{f&RM|rLMu?RVh z8&nvv>xsWT$z2Wy8JezCBqD4UO|<9P#T*QwR4eP28Q*## z-z0*bmNralr6|SKF^L8nQ;OP+QGT2Te)_ljlzhl(vN9JJ#sT@u#1&<@K-W#JU z`gW(~ZQ;D!#K_PmHzj4xvAMo$$mpBzG#YwKQk96pA68Pnan>cR2sthO0QHK4XV1}5 zL;?EUFEoD$quKXz!zPaPQLBV?Y61%~&5su~7{+%uQz6iBuX;)2dY}e_MzA@N(fNbL z@+-{{cfCTiy0g~>Tq@%IP%<=r&)k4yj@hALPNQi!0zF@iK6`44zlFw(G&U&YMF%(u zstl`uEB1YP$cN}m3)NyDxVWZg>wT&YXU{8q(LdM?F_jrM?(HqBC0yP;3h;z8^_1z| zOol&gy0;23rv>X~6IWTt*xzrbxsp&y^!ukhhx!A+qOlmqQF`MhuNY@2^7w8#vtMK! zw1bt9`~k&a$zgD)>6lw0%&0%gTh)F7HpzxzeW}MY)Unyj;Q<}$y*mg@ zpm&R5Z0FmHn5Ywr$1^VV!>_SHwryqSb$*wPMaT9wcA{B6^N^z$DbV5?4(}IC6`-aA z>RiEMmQd`F%Q!ZdcbKyjY_+=#3%0rMj@H(SZ5NtL4cO&>7>-Vrw~xJX`gNe0VJ~M_S#XnG|>TtjLA>aA+XC3w0^GI@@oudHZ{PxE@Lb z!RSB`Ybj|PhqTmNxTBpFc0{BIqQP8yM*Tj~)3d3Raf^khG2rP0lV2ETh|60TK0djW zZhQ+?yPsEEN4wC}3PTn8PPyn84eXhYj@;=BowCc?{kT^6jkzi~eIUR7_Jh=gPj(1HWqpWgI1T@ya!h!4N-da?@(_Ge9y(uf|IACI z=ZK7}-#wn?nbJ_hAK1A!A@Iy;k=8kxM~-sl;eIZT;4G#a60&uH+33Xn-0~gnO^1mw z5wedG(!q%LoY6w-Epbc!a>eD@8Y_K6?JTr(>X&`ZE2C;r+@&o7J`{X-O-)?Xe#Q@Mv8)bokYA(&v9(%ZetwoKAc5Vh3bUs-{SdR%NWLMZ%LYjaitG3oa8;b?ZV^6}LO#7pn7) z52<{xq1x-~`^0^AQLlRSjIRl{#8oWXtI&xnjy%$aEN26Bx5|dgSga~!LY`xXW>WI> zUG;;NKZpA~RdFd&0oa#%N&h583)l;c+f0;_JmRnK(6t#=U!idhm0NJX z+zE_9Mcmn*ZMgC96gkS(<$1V8O($mHam}2Q@TWsAAQ=_)&GwDd$0&W~=C(%&Bm68P z7o7faPRW2WQo#fl(%Kn93yqz2N{4nB=jT{*Tnt&l=@j(vik6e=oHiVJ8xT)?0f7n1 zH#vIcCV;pau=j)t4>zf!i?S=rq4{*N`l4iCc68+exC)4)#A;^ zPy0vF=GJG`Dbk`Sv2+Z3o>n;($qg-xK~IDCoXO|pv#9S{VVgdOdjCc-m9)@Xbru=h z3rpv*E-S!!;jOSVe$8D$635NHrlJm5C5h5&%dXp-Jse)>q~VUAFC6C|Dyf3QD@Gn= zxUo>MuzMI;Zt}WB&h#A(M8?9YcdhGYfu5>Nds?o+*P`EkTV>Ygo$A)Il_~G!hDEEg z_tnmGG?jE4OxV?(A@h+-w{Hnftl!;C01G!rA&=!o7OGTXI>mB-VZIx${&3Mea!#mOFf(3Rf2 zjZ%kdiW)e4WsvWlht1l28jfc>z5dhAPO=WZB|=kAyOIt81%HVO65cpT9s0)Hl-f+d 
zDkg3K$Mkn)ieYt)dROFb2-RiG(pMV3!KOpK^w5W|GtAfM#6c4H5eWN~qy0jSJ+~0? zkpv4KZ}t5Wi2;3`Bg*^xEZl6oRd%|cXpfiy4OR_V3N~1QqBI8|?0-R3AhIO}1#wF` znGVxoP-wlmJAAM6y=)}rMhdEa2?A$plk?5;1~t2r{E_UM4SrY9Zoht(W~FSTm#{l>XSH z2pR|>ze#Qtm@P%9@;=g%mLYDF%k@2-2~6dQ zCtPYJigHxo4ae_;ap>4)=dcBuKpx2jMAY)pCTs2+2m)CoI4m7{8W^~bJbvK3>A-`T z{kix%OKnZbV7QQFyG60wDOMMd(3-|^OyfWQTF!zAngRdWOMMdu zqEB3wwTYolwSS@kBAW*jf9jMXBoYzf{IDshBjzav&GW&9hFiwN`Clm3jz+kirdT)k z0tdF0YY~>#=m3YOZ3>6j=`$u{(0E0pP14Rp0+K%Fqa27%(?A*o3f7Mll93x0s)$1C z$oS%n@MCrzIiB8I&R1oFdK!J>GX6?0Fqc8(n7OO$As*s8L{qS2m1ZsW zVOU$^;Y2LEMD2VHH2pJyJcURY%9blDc|^Ir4b|kAyFv5Lz4%1FPk(3d?CE(TT~Ij8Z`z$izgCd=8a(hHhulKKYxHKEF&=abbCJ=c3MbS=p7z zC!~NP(=7ILSx&sosX&9ZXE)bNw_b~T;d$=UlJD+#7Z%Jn(UHPC&{~;-Op&c5p$jPz zZ>)w=HkKO;#HB7m!x}oZLJl9QbPgzX!Ej*$aCHFUb#@VnPqZjfeD#Vdd&6%--)CZ1 zp1(hOqCXwGuM>t8rKf7PfpnQr;DW+9uv(1ogJ`asDqi1(j3(rKZ?DjL9uHI$(2*6+ znumvGVQDjrRt4(8AFFQrDc$eQ*x7H~>-^^#CR&B#@jspi9W*4fhK5lMNRxHLN{FP- z=1WJoq-2?-<2B%Ku09`xPju4U`|K-kHuuil9}y@T*?(D4t!Wt1(tiIZ?yDrH#iL_3 zhwY)GL`Bjtj_2$Qwm{{}W_BP3elyKt@SLoV(B&?NEAyJSq&9v)fL2z5bo-UcNu!@a z`i(nwz&wLOz0F3z*Z|AND#s1W2)yrI2-P@^Xz*AF&N`_yY?H<>?JifAiTKCtQzmKp zv6Q{e5xVMnuLs|MYx;hQA_r%O)C2XZaGgnn`P#Oz(g8!4JF^QMh&w~$T<59oZBU!- z-MgfbB@4OOo*zYJJ*R!UIr)K$Is`5?^Cmh3x2r?aw9zrusKt!kr$%3Qq8pN%c*S-; z|H%$`^&E9Xew4Ozdv?1Z;}Vq zOQl`inqfJA5IGXKv_!%82T3JHpuv;;UHdGEO+nInEJ7;WC4-Z!$yH`cxTD|G;tP5C z3aURQ@waW#xcS3x-*BmUb99fiRa>sxuSwNC7|ixk?$TQgT36dVrJXn>Nk)qS}^An$SLJFh{#c-CWXfzD2M~6Y@ShPIj4UO@AWC{ z-_M2UpATR+z}3KMPwczi2-avi4bcJeRu5>o6*4uOC50xNqT{o|X; zZY3)-V}0?qwMnG@V3}YC`tg(#x|47C6Ck#7Lsc(mK5{3AA9wD-FfBGx^}z)|0+!^@ zVLtG>+PaEnx|!btiGMU$ymJ2xMd!vy+v^HF(>riT+)DtH#%|f3$lJ+NQ#N=-8LiWr z)P7fX%l2cs*u&|r{UkXra&jJJ_cs|R%kQwBJem(t)?5(2Zl5pB-ds&0ZX;+Vga>{I zT8z#cF(Zgp=mHY}n|nxRIM#=aLFk^t%;|Xhjkk9vdCuPy6R@VleuoZX38l)Qut(0{*|xOc;5MFA~=7y_-vgU}e;r6~_VKK6If4GIi z-NQ_d>h7<=a|%b=v3BZZ~b4xI7f$y5gob zYPhOP`!UP~tA2*R{L&X*KjTEfvZ`QM^K!4Z$PoAG(=%UootPwtuaJ*#u)ec1qhW+u zbn4KK453^6EFL|OC(XWiR*H3xjBe#CNRKdj9e0(WSew!KyaCK`YhnxSMT2DC~ 
z{E?s3-nf90xY&%fCKqrzHe~SWR$VHMaxrm8Tm>VY-|=!}ICHEAH%O?oJYvaq(+~9q zyzL)sB1(e$ocg%>vyj3m&GGE>YE!IgWDKula3zJ}z#~sUA4C|y;Oi*97yqx4s7a376~Rf%cajA>8K`#r9qtc+4}?}j*nR@fJGV@! z^lUzLLS%mku&dDsj$Dz3-@$Gt3Z+Pzaw5FudH~H zkn4p1*kCXBNLn(a>R`O`b`XOIH3tnTk_)}B{mU@q2+k--LbATi^xYH|h|N?@>9(Lb zRDM7dLG;~L6vM-Dj05srv)e%Ukb%{>#$JIG`3>sCguso~o;!M8UhDl1)Qs8V&DL&> zaeNsVnkqt`Q221x7wdM)j6$m5kEDZ1;U!(@Xf&?lTUkrB#jJ{7g`TgM-xXSqsdw&r zLbJX26k3P-`sC&;N|%uMxeM}GRMVP(QU%kPcig;!ZS9V5jX{3%=Z_!X-cL00rdh8W zZBI2Rf5CUmLQmgoPR)15+(gTek&@^6eFAM#ki701~R=>ns;H#O@5%4i$jb!%&IRFXDMO5d}yQWGQb` zm^-PXI)P?o8H^@!L~3O%3R%;KM51|;e<#IpSd!fel2P@z$b#xQK>)D-Cl@(@>Mz$K zdQeIF+u+RX#UQev?9U)DJQ}}&NnD@jx~xO%kT5d~o^g(&;HVL_qWm4=2fi1$M3Ck2 z|6r;h6bJt*bxRbtHGrF)6Qi{I>t`Im*l4hPiEB&K9n5q;_d8hSI^lMPY3)g^iFs?1 zrz3N${-M{@aM8@G1L_jCXw2Do`&`bISYPN%)MyPUNn|ycIEo_l`r!J7Jg?=;XEpTo zolaQ=+vR-bxb|F4`_?wpb8(in>`uPIpJkesi$m*hP+1m_|^<;RHFzC zu;8-t5kuXUvN8$X`Ing7_5#!J6=%h!4i|-m;>nhfte-Y``9{ zKMndD*}$X~W?sKnJU?X*Zjl9OW)A;+`DEy+CikIg4cfE<^V8_F#56RA?6QJgc||)k zw6)IhG_SJ+<|)@(N~jlQ7AfwWtj_~4=8H-@eLii)^tf6i4>FQ6Cpu5X*CNS(?ay{5 zcQIi77TX7ua#0}%2sDim!EiopCXGfY>GL4NJ}x;=mQec7`+A>!3GNh^v47YoG+#fedO?RG?C ze-d5f30hW&j0{$}7>r-`^$iXI$k<;^P|-FFNQ(yn*1tHJErgbFu`5e{IQP7JmdhAcRYbR(dDqNs zYkFaNAi}g?$knj6nzD;Q9P#A~oprtc{FGpaFc7}IC z6>wk#xs8W9Ko=5!F1~TgHm}k9@Py_Wvmqr9^SSOk5^du%*+9N-^7|>Jkmv}08mA^_ zuY$;g`1Yp4t*Q7tt#I7F6&9WfE&|Rz6shLp`SKk8o<^dq%y*m*LtNOd3PUsOvXUPr zJZw^*yiVE@`$#t9RPTli@mP&cW!xUYB<}v1zP*Pl$84wqpB0AktOMp{Ljj6=f!)~- zJLTQRPpetjoG%U4JM4C3~&NJK!S~$s9|Qri}j-=M5|C@ot%OL3^!=#z$z%INrRh#o ztQZLmOLio1Mf@3>E^Dg|3BKOw4zFstUt!9U+$%tB7_q}2VOx{3(3Dqf45THTrTwQa z57f(m(jTtrzLq}G{o3=;98zdiM&5eLOviV1-Xkekb@eDeQy=ybr;OfIiFvArKi|6C zc!c2P95p*fx8PS85{Xw-IAPN!ieC9FooeuN&~j7{gq%)$(GSVUT0K9dJ^yKFW}C95 zJDrX5`VMxWO_kDDlnvV1W?oj|;r?a4mpzh+Ji^kun0vf3mwrqwf6SKP-3B|6Y%$Nw zdjhJheM=<2J2z-GlCJIgVa5F)xO|1YYKMxUfnjJr8gt{nwMu{s5 z`fTD+TWgBtZn1umJd<0*kI*i|giUWaXbPE^W--hkP$p;1c*j=Z(Yce7D!ec*$mbw8 z*LX4zEn1z8nL`xhtjLk*Nu^KCU|=y|n7kH9S9lkkQR)*tNpUzQ&KJt6M5J 
zxLGcT4S!z-MrvYr5)1qyheVs+9YVWtTVsjNpb?eW*Xn-vT&nd2blJ1t;zG?&n76kO z+l2yL=52QE<77huwP1k93FY2)7qMP8#WMSFz0Q=ZoY^L7PZy|g1ah08` ziyUzT#++DGkxo4%VxIl*7J;_NH3)iu9!Sak=U=%3nK6Dr6ZX7z15#H1EW{AQi&2vN zXCpg$Ak{SbKYQN)+N1yMb4N3l5+VNoDX9G)XrdPuy?1MgdQnT)w`YriaWO0blE{0; zyI81KR;SV^&$_gSl$|r#D328IajJ~y0vWSxsN2cJ3Orxm(soGkI|?jmS++<;HnG?X z!py4F>9CuqT4=0gw`o{%846IY6$0ZmkG$FEMsTj3t#iJXwsqDJ*1I61*NJ~0L_s;o zJ3Ha~bz&ecLwceZNzHOxD~Cprh`AQ!dkO9Md$+MlH&# z`E9!rBMx6s*`}eR?~wSUn$K%pTua`dKaqlzITjnMs;QY6m1LPxM#^0~5UxkJ?F3*- zB_L&XS3@h4u_k(-ATQWXa2%~9S<4K!O%83-pVFqxim=p|SIrQpMh|RVb<2eKgPL{PObZy;)kmZ!*6KY5M5dG4 zp0-04NPV!Bb*BGTJ{7vnSAJ+%vP}KdjJ(8%Z6vh;2W?_UfqO^uzTbv*Vo**FQ}mD< zq>CY9ExF{~!kOP2*96F(0TJoY9Y;mjPH->g3l~JcrTCxz|2JUfGlrKfwP2WZWO2E` zfE%{y7;QfK?CTaB8#-$hYMSU;9`dLw{FPqf=$tl&aRnRV2W{DJDuv$q>9gCM>J?#y zUq=Eb-^;$qFqGEaQ_75ISAzHW@m0a8XG<(U?$N5jebDuC=2f3)aE~B;om;QzTKqa8 zXyq9Jw890ToJDUcYHy?&uhcBCBP=(tPZr{@Y%l+Xa-WLvm>f=ce!n*XS5VVdLUH4Z z7^b9&f_ww9B3xLiDcJ#cJnpn+Gi_}}#faE4tE-nO=~Ngr>e4Z$76fx{3YYNIK`>IN!dD2Tjws zjh!a>#kSR`jcwbu(b%?aZ>+}I*tTusy`OpiTg}ew?B3UYan9#pk4(K(o(bpRI}Cs` zx}W=YD4<>RQe2;3&3L9U9v6o3faMMU$?K{wrFQU-n`ITAr0ch-if9=EueT0gZydimD${Ls4hqV7#y>E=$^)4v!-~R`7757y9IM1l+f4{&IyB z`1ebFy3mSLzI603%Up2j$CT2DYRLYBAbM zJ%iTSpI=a1T$G|V^i55k*Z+LqBM|7f&Klfb&!^~8yLFV%XN#vBD1<}my`FUvld~r> zxj6CfE+;|O-4)0?uBWki(VJZ_Q)k^ov+j$0G!Z8g?#}n|bZn{J7eW$f`|OT8+Rps# zwS&z9PI=f811;mW3(6|)m45Rd_gsu-uSxog1et5Di+n^_A8s!JukQ~v1RO;_Cor-w z;*?IR=&zNVKG9l10E2@Y%u``CFq%$hJzWHC<|Lh)H=~QS)Ca**g|=o7w!Fy|9&NsusQp>E7X+f@BQX> z9Xz*r|7U60`tG9Rn+1IS?svL=NF*fQ>o2Zrz1pt!ujjOCJ@VrA6I^eXzP-@N45p)r z$+AEDg6+rIq%wbtiJdO0pM~|FjA!1tg3z1S9QWktGlzSjkJF&bn+gbE`8XT<4{q4KThzQVrx0Tq40+)WIDhT`LtlwRMo&V&&3_k2dpK}HMGIUVf4UYC`I3R~?o;3J zM|!)mmZ!@AyuH`<*<%mMFg=`ET|odw8K5 zc?>Bv6bu{E9%g;(--r+CP5KTy7Sh*kW=*yeMz!{^cHQlFb))~7^jVijL|W7vlEz^& z-(~4D#t5+D66o_L_*3F~pRRk`=K)#!GnupVxm;8SFMW$%jcySejjF>*ndfzU=r{VV zR6JY2@V6C&_3#o&TvY7vdJdRWyX?qujLga4U- z3CU-33B!hGW$&f_-U||HqV1JyK{Vq(rgUq|qBi`?tvA&AkU{MJ8v2XMc{+c{ 
zp@RL~NprUMD)+kE8UZ~x43ts)L^FRkSKU-pr8Aud7(g^CAbI>|#!X+%8rSFGx^68Y ztEN@#40qS^wjgmmhaR$I);YzhmsS6Xt@cJm@ySP-s*)GC@B6ixh_a~^KkGdw!=`pq zOU8{`7?>daFU_o;&l4D{TK;@7dRlZS-~M|k-qn1YtH5r8TXSVFMVYYnq4 zGFsyTo0x+%YgO+b0bju;M!GtkSggIT^?^54!1TPvdqmy!dM!$d^NWj3rE2Xi{4}TC z(uTR`@H2bVkfxr3+L&?-qbC)X^j)E;Xq-D6@&W_7}D_d zE;~!Mlf|$E?l-QF=C9;v^S$4I@a$Y;XP4{Ms_QA>vdi+4yNPVISd{@4?XmjRY?6co zD9lSs7ie#L=H!J5AV{);!=20scH~F(%QueYZ9?igYUxM!kCM@UY%{VZF1~UkdA>m+ z^^2r-vJ`k0i&;pkWWH|M*f;4^UJ;Q)$%1R(*HqhpmWMHUlunu;Lu49u#us|cp(vBw~!T&n7)eKU48MXB0A&Fi3 z)?n*lr7WyxZSNh^Sh`0ko;9hXu5`#8C6r}w`o2(}e_k>x(iTY{_TxGZ83tE-S^0v1sw0 z2ss`lLi?0rYf)Dr(^r5aavwD^68XEnX`P1K(rOd}uL-CD0K*aI!$0emHnAcy?gB{3 zRkE&fX=l->$#?jqqv&ItEcLUh6(!v@3Xo$5OZkj$Gl*Sa;m14!d&!zAuzzQyVJ4#? z8OcM80xS=GXjYk}9`~ zQ`M?Dweojg)wFZ6skgQN(8GDl>SNS7>aJZ)^>_`^S?W$1QegRaJa`;=eBSV}ll~mVc?^@OgYE7!O8D zOv*$5^T+8N7r*r2u|XeN;4^Yj(wxfiFg{btgFB0x?cO;t1@^FrQuNoa23|}qseoNIO7!Bknb)co-PEUs;4xyV+3pd0vO0F(UchXOxwd*qUY{vtuZzL|LO9 zlT#!m{>`$eh6o>BQVAb|{f;GFqGV98Qlp-TiZe(hhu7(*DWVJkVM;#JKEDRuO>hjB0=&`ihVpBu) zbJ+kN@`jW)0iX=W7SzBM-0X@Zko+lVLvL*S9~n?n4GdVVh~)714=JjTtTgqe7nUSs z;&ZFLrjWWd>A_d*3mF6uv+urX=KSvaU_A z9ardsvl#>J zlxXShhuX}@rLEteC@INnPa}g-14!L2D+;Nz-UjtP+;6?c^X|Z2>Pgo#%R%CRQ(F~d`OTI19Hcy@BnCz{!iK>pB`dncHX!Z}99 zme)jPc~pST-9`OgEK#4@(O~6jQT*-s-P(~z>vLL@)bi-trJ+Zy_R|x_9ec(9!6u%e7uK^W#vc4E(P3V8-NBOt}GB2Om(I7Wt~!>}<3%SY2}^s_FO_h!USP z;QP_{_6(d`FLtZenRZb2_DU)ax8qV-@U`}&y52BXAp%#EzVX?}wN^Nj{NRcj1pu|> zbUL{1>NrZ(3sKOO-7t}#=g+YLc!-}LyP2dhY4w&Ef$81->GO?bGVONjAy5tqLZn1g z)Eoe2PS3|JG);G|5F(k+kB$di*UfRunz;CXqe=f!IF2!ih}0Uv!NEcJL(G=kKJC6; z3D?HeS*q&zr1hbobm?~I$ntO34W+Wtv={>hZnvM*O{N;3k=dMB)o-!b z;HHwR62(7~ruz;P&lGj?Zmk{7d%T z3wBx#&@n4b9#Ca?Ln{#(TMw8_==KvlDa&@sVp6-|bs>a-1G2>f{=H2PJ9j$075scD z?)6N%&t@iVKr8#628ivcVzj$Ubp^a03EnR{>ptzRq4VP@anh*TPC$6Mzua`SrdBG|gwe#5=jJV-JbSWJ(l z{)m)C47BYcW{&Uj4m7=7&&csH*q5O1hy{w{#@PUCE?u9I^JW%bpQ}Q9`?otZ7?`_b zv`h*#w7z9i$37(B4sUU3D4@-LaVnPDE-MMZyX;8dxhyOW1~VL1HK+2Xsp{^pyShK= z1JJ68tTeuiK4enELzHeT>t%D+v 
z-#M^qn~<02U~6&Ur_x8i((sd9U81$AvVGam(9%*S!rq`dINAtf$Xq_0+Q~_=s$SOG z_I5j1==10&TIH};7g|4yQU;BuSW57x(==iFR~zDu6GO-|5J)*uuPa8le!z8%F2 z?dE7OTM8Fd)mdpze=ogVoy=aQ;9KCbRdkk*+Qgf}rN)B-9c(7Fql|>R8_L^PEjpxI z0DzWLv>t#sm*9;_PIg{Ol&Z2XmPb?c-4Eb#BQM}%IiIM8#d78A}dC5&r4bMxi}DkrEJ}3jrTH@D>*}g`q6aLG^nJ2lw7lMLzuYsnA%93fh%EA!NE{50lnY!F4(yb zQ(JX6oY?-FobzvgRZQcH-u&?Y|T;yzmUqZ2ZH>mzJxcU$O(WPZ#3F$R1u-L=LABrYZE+ zQkH6HW~EKM(#r^EJ@Ut-8@TR)Ll3eH8jblbl7g$GyY1bKXXzT?f;{zXXz57Oojm`P z!d63~RnBoSqVzdi0Cce^t|f5Ojwk6gkMB3ehujqrM$Dhxyg9h7cV{-imtqWdJ0z&? zKrKmNnfS?`OjDif=?ajW0P8J(+L2i>GSbHBV)cH0#4vbw&GC3OWk#V`dbb|TC@sT- zRDxC%8bd)6@Oo)Fjyo7h%$L=|>DR((VBq#*elP~K))U+aMQ)dT0JTE7!fhLdnZ;jE zR^Ex#_niiu!s0@^-VO^LGZ^pMsQ-C~Mv*1*cmXixn3$g4J6>&OwbWM+0FK)!?N{VI zfzRH3gL91y-yB65{e!V7cPMVxgWSLX!=+#(1RJ0@ZA+xnkc3%R=gbx^ezJFTanF=)+jbAkm>u6+5kxKSD~9XB(S79AgnaArc#P!577 z)mno6-$5bV$OknBio~Y)Beh*#Trq1<06m~f`{&-AJ&HJ@p%KwRwUH*3dKyHXe82eh ziYj0y>xE8pz%K5cBXWB&RN23NlfD}kN~_!)!*PYu;!YbgO57Q*DZBj|k_l!6=`#M$ zBy-h|258(Cs@|@kDKdL1YCwq2Vv$<|Sbtc%S~4(q8+8}WP# zNV3JE44&+YWlaa*PfpcAh(%Y=-@XiwY)^}qRqelCrtx6qsxo{$aFmz3?IN*TldvaG z7XU7ORJ7JNhm(`1GZs`-&ZD0*Gr+Bz+vWNo=?uAWe`xnBp=jQC_gghkWH@}A>mi{0 zJ)uHHb3Z0KIh{^#;~pL5eAGfkRqIH7@o;cly<6OH;kGF?H1{YHA)KMHKZLZ>tmt@7 z+VHD_1TSQvuCpwtylrPSwLUwWoku!&y@m9my^7e>zxeJg%}ge)94?( zlxy-Yo6W=8QA;IZUiy5DZOjv%R;sGL*B0X=L3+QHHa0Wh+dcMIQ}8xdmJ>smNk1lr z-f(}0P1dNzX~KNp4s}WsROzUgz;eDzkX*2>vaZ}9J(h2%!C|k{o%s`}sH-a%s$eE1 znlo2=Z;T}V;d%|ScIHI45pSU4)SwXIq9;gbEt=uEUN&9@&F?Ty;g(FZvB3*-Ns-_E zX#);TMb*Tt*OT&e2?luA%F`~iHeK)E3rVo1>+i>dgV*u|y+{2zRMksaw!#&bw_uQf zu%*-IQf7%m$*1`UiyD%ki_}Cw-{mD?7SqozaD2Hmpg*xudl_4YrpHfNdK`aSX0Uzw zVr;;T)W=2JH6#qp@KNWm{^#~XS*;zZh;gm?j_Y0Eee%=ua<*FS4m-D3KlR<9{!qD^ z$K`?`$r%QlUW$XVME@ajLQB43fA9IT`aaR$UteZ~>ui5}F+0us%2X8LFqwA1Y4wP5 zmhUHMcJ@ga&wK-PPES96L0@rO6p(G<{&i$-uh8#CK}D9N&BnYqyHp4 zy*U=k9(LRY?2;n}Dp&lL*oj~`njv#DiXi?^AGt2AMdN#E&!zRD*zZMRTl-mh_ z_1E=WOf~&5E$%po0|+rcpJhX38Q7D7cYCqyddjDoD=Rk`L^Lo=W8B6P_%PYr84T;s z@s;u76%Ky8u^i|suos^$LHj`uAk6-m-p)AbykvIg3<-RGLuPC#POKo@$x4eP>Mb-( 
zV~u|7HvEv7;KxjXW>xXKOfj@1k0$0$>mb49Eu`3SIwvn^4E}9UKv|PliEG8kgakjD z%AeDGu@zd^3*%nR72#;JJB}mu?k|unB7*<<8lDf|^&x;vgcoUD-5z@bg^wKO=<~;l zc6TrjUEp0r7#ax)K&{jbF*{M}dQG$bqh^YGy(sW>t!}R_ll;LoRuJct#>W{<4tM&{E&o=X3CcR#=Z*a9tNED10O zM;lqaf$EKv{gP`o)gAFC7BZav&cF}I^%D8&c2dimErxHf$G_u^`Ldg6?bI%p4H?$^ zmD!bkh)~kl*iKax28FLbf`Q%ocq5CU+i3W^f&wMoKA1thEfGssgbI+a5cwh!CZ~_) ze2xK>%ctEnJK!;7h`{fkT0Hi^;+G7EM8SdKy zK#85~ayiO84W4Lae{$UYkp(DM2dy9_^0wpDpIZlzTBJz`KE7JMoG{z=@K=g^c@;v# z*fiLaM1hreJy8TuW%RG%{V1KX8V@{>+v6j+Q>nLvV`K=;lQQ5%MHuHU# z**2%kTvUi44w)nawRrxy(osjdwW~Dy8(MSN>YBo__tomS21}kSiL~NQ67$oLX$C0C zJ=7lc2Z@U_4mJJ1JoL0WdhtpG#cg(`DCr_3L9u|>@IdBfC6AA5bsOm-tQ7y*tA(dc zH6<&{;QfBel4WB0aa_&S8pLjwhrGv$9Py|_s9mkJ__GeG0m9B486Rk2@Ymcko%X1dc`SxKA2ym!%A-Wp; z{c%DD`s|nxKM*PQQe(Vao!L*N2VO*CKk(^&>?m1r>xbDl^S1KxTFwCl3L-@nS1N1v z(%6<2Oy)WE!-K3rm!SY?yhnNCKDZetxNIiHoX>m3oUoib-`ZSF=c(Zl0yS}QYptRD z_2TEn91m*sAOTQr7zMla*-8?i_ZSG*yFH2)G6Oo4;kfZ~)76&sjt32J8Y2Mc@#5X| zn!Ov&LoX@<$b8cF6V_%RD@60qN^xO3f;Arn^rz(d8{tWU$N-O{4$@qB3;m`Dk9+{-zX*b`q zkwPpE(`U{2&Sms1ft<;f@blfaLG1#};C@Qy@o2L!W0)?Lvq9?)_AlFgIN?M}#+a+3 zEM1MWS~12&04c$OYN8COalKrsIKFF%<1i}QM@^#DzArHB5%ITpcH|`*ANP4uLH>R*HAyPAr|4@M{l7Aj=^C`7@}bd|q!=%F^RK#Y{T-j#g}F9aog!Z!^|9OC&lP9ky7{ZxosxZU@E( z+RiV$vlN`Zt2iXinp5lcAa{p-Z&xSpHFfFkM#Rj)gPg!vr`hNX(CH6qR)1Z5M5+}CDcg(}T(mq0$o zDihRZa$6kC?AsH#4Y4l3PC-LbHh6;=d1}?~4A-R!&N+#OM$MF$!0|{?kwYu!y_r`- zq72B1(Z}?p#O`Ow&!Gy#}c*&27`)C{4XtmdLH*j=qC@OCoJde1y}) zG`Wo`&ORpUkJi${(CphY;-zEoms!il>qDcFC)$>YnV2|hoKvcsOnjdF>zQdImK!qO zp*l9U%%TZOfHJ$bPh(@*I%7<#zCja{$Bl7$8GxJ*p&?3IWk5o6-c9i-4>AHo-L8-H z1X+NOg~Jj|ubnP7=h-QhBV+VmP!RBy&Mlx~4IPZT@#ZCfozF+*#joEVdzq}F3KroJ zT3=3du{(>=kzsES?3eU=>87XeF2*|_KOC5$r;%Ct1>m)07}dI?_VI95bI9;&7i;DF;c0qgRd5SlZkJx)<~W0qe6+?_=(KnN%$VK}w6F!%x0xLp^J@|Dt(CYD;e>d> z6emW|p*}R!-MLtb6Z@W`rfmAbRGt@S2AELK5^gB6(DLg@SUv7>O)fgASZwx$<0M-U zFezd(h6h03La=pS?pKg}JQ+)BCX>aLmBz$Tnl4>=07n>!&eI%sHJshr0_1(FLW_`d ziKT+D-qvKSl2D~N?a}ORf{P1OQZ_CAvI6@Hn$O#??6w;bfBYk`IL4tY=29*7d;GRa 
zH(Oe^ZeUtl>1Y;yDWG0oS89#C+>e7)RU4eBG-lg5{HzVJ)i43u>{rQLmpM7{Z5M1= zpYAH-dh-x}(o`!ADrFs_($eN7^U#buAJNsiycq+no(9tgo4O&q+EcG&-`CM>33-jf z+b7{SQ5*@b^vT%i^zdN6O_1SQG1%M<%4K&jo|_0V%8}zxH>5C$2tOtwWJUQ8kX#rsX^v)|_3~uAULzNXfPUeyhoFr4t11XfhLM)S~IP zN^ZnWtar|x(T!06c5#V{1sJ0XVvlJ~pj8C-Kv!b`zL|#*^zB8?|lSPoXwqrE?|9$_2GsYcQ=Zhd-=JF>%IS z^M!D5F1`qtt-Tm@6PW#w!E5)bm5@KFsz#n`m?b)|d3t+Pj2bD9;fXHE*_dUjs~cy| zh6E9`r4$5NuU@^jUh-eG*DP!EFvk}b7K@rRl5=r6N#fune;&1qcV(YiCtdqEd+KZRhNzk`g=h;8b=x z&fu!H^qOvRV*fu0K6%Vhm-KvD2{I(i@k?r7Q4Rp;r-vwM9RnpT!>WXRs?#6Xgd2-d z%hWDE249PZAbYMbCtKaS*@2_3mMmJeajtt#k|!Uo;t?TeJ8}PFQ%tiP$pD-WVb`;z z%287O;Jf}}Ax04S6p3}?;5PY;v=En$z!R4-)WH7RC5?@*|Lez4>yX1iTqKTPMFHa1 z&#E>j{V{A@+|nxJu~fa5eCMl0UK@NOZ*-}Qchypp-OB6WlA?XR4e?vJEIbY%WiitOC-Z~#{`uloFasLP*X-HdpcDFd|Rra5G! zfn<`yU{a2h8wX@QR?ZLyl$~AscH#aIL22m*Y*{K?-1I?g{9$g3Qs^_{<+}&n#yp?h zzi%EnFueEgpcxO}2q>wdaLaT98{r`2?8ZSGpMB+UA9ML>`i8>6#VI|UiQ=PEEDtS2 z<=O9?he7)Vp5$7-ZYq~^rJ6ApUI(>}iaKgtPL9$&3qF!q3r_&3?#QgGJiJfNG8_-e zrPOLopBhkAWlnph-sn>n$$9cn^bgw9cId1=9tF#4dL;%c6m?m|tl#l5CBi@Z+Y)Ur z%>BXM4n4xiDr=&@Q8DmDkMpF@3nMjIy*ZPe(87d@E9igOyS)M-emEWC)34bBP(`B0(}<8uu`98b)cozTK=) zJUjHU7ri8KeeT3S3)Hup7LCN6KT|<|dLI`HSaLbS9MjH0@{326kOa8R%fB1elcxR= zxLzF!IBt56WsVfY+}zDdWsRmXVSl~8cI%`oU>3AA0Nj(w{ft1iL}sQQA!u;T^8Mx9 zg)1v7qKS4eay!k`r*$PiD=ksAo;Ial?ZxFQLNh{2!t{HK9n{8wuaHl~v^Sn=r=gr{ z@Ppp82Kzo5*7(0Be5S-e*g%-@N_5m+^*G5tFy>UXmO~v00oGRZ#gg1**V4OdbJZwc zzbfyetH$GtTm45_x;xtN)OXGMLYOnLn`P^6gKN7n7zVo=Yi5cP%@aLc5Ei!W5Buwk z?@7<&5jmJUN;Uk*3_m&L^b%w&Q6P|hU0M&p!6E&m~CbN2t@9O_B&y{ ztkB(n+{D-zK>imNJG|dZ-zLt?;;@=EA3wWZJ=dO3MQPGw6)&G<7tS#t5^@SU9m$m_ zpP4zC8Ju>&PqtLsU((X2wbn;w!TPcVGyKR?5w)WKXWrj7J{nvspl5yRpEfO{n6wD{ z@S-p44}P*Y+~=wQYt>Z)xed=H!u1zfYv=tGDRXXBK=o1{+ylL7Q(be%jzngoCEsXo zAgjiw3F5-Y44rR8E*rWzn8z{|B^T(ro{evNI{*i-PzI6CK^>*^o4c^!B>X5Z!?9CQwsq z+OAf%{eH!&ecbpJZ#Jq9d~(+v_izlsNM85YTm;6eJiq*9smNu3pI1FVf?m~J!_hvQ zV-Z6rBEsmwnxflPf^{Kd7@;F93_d?ykk=Tk)$g`l(JS3vLMF!S$nhWAtwh&2Y|pIn;z66ihzuX}*M*14eUN 
zQ-ToYbQDIGsjC?$%&L75!mtc90wTJb_gwSQD*Lk9Z+V!&Hfvu86}cGmn-qj+@V?Y% z{O!f|AO+5B&Y9APR4pDoRv>IbY)>XvrS9epDvK31fDl^JAIplE#PTvCVvp?a*Yija zlW3A+@6=UqjgO#*YI)SL=}ZbC0$TlmJdMzjk@eq_hEH}rPkHM6!E;I;cV?LPY#XRf zx5RrzMRRjs@G4w%H0HK*C9&|Mw_3WOZEj8pgM?ciGGG#UyfVs92x_a03f`tdvCjxU3)6Z{d_&G#kzrp-#BqMpj53mJRQXQdZd> zA8Y+-o%ap=;P4oSoo4whmnU2(l!-NXCkdyFxab>?&wq4me2V!WPIk%LE_#&sVupVc z(tadmqF+~hT>TSeTy~1c>Fi*b*B}fEXVqHrIfGcKZuY*VUMz0gu{m>&2jfI+_t+V5 zGHM?)Egw&-dw#^SQ5FG2W-fYf&SWf}DYc3paO)I>NV?h$_Ypgysh&T4L^6KZ^absU zr*Rr4r_g`ut@8e)V1{8akX{Ex-47(pisL8nLjgo)O=B^!|BQxQ!W;%0Cscp=o9GOr zbAvq<4vy&Msnk?E2n$>3rlW4UMn@`tvq)P z3c8;XZPU@QZm);N!|y%Z_c6Tqfpx?1@Orl!R#cj#tIKwfk!gbqowGA1ek7i_GDeKR zM!gWI?FH*=qqsPWJ`@{U$2}&CDX{L{8}XE9s?%jcw6poN_m3#&-gt@U(Iw}KMu;Zm zMy7R8I9?2LuSn&Gh0+s(uyW$thnZ8hz4W(dwntQ_@~ZPgG5LWvKFq)B3UjoO#1h@Z z>ULw;l@`JPQGH(GqIhZif}i~sO1PZq#>m9f8xd!&pff(Ssi=)WZ|8^5J%FdHDBq_p z9)}H!d5^RO0sEAfyc=EQ%fXHzud@zGZ_&LRON{UI9R>ziUI36UQ7pDs0B=i0ZE&-v zS8_fnps3V8EzY7R*zhZwpF35;q1(fWDKZ&4?y@r_ICzUB+p1dxSFE8BrhV514I^lA zwGp=wV8{ppQAY@+o3g^t^r{Wp1Dc>(3k*^*yMJ)wqi35rhS7P2|8a^^cl^qVUac^+ zT<2lC*~*6FiJ5f3wy^%=EkDl?MYY^3R}q1C;`NY9Zx8DnK~r_F%&MkI&090ZkjhMH zJer$`RFqvtBT<1%t9iQjdnhrltf=V&u%+)j7a^P3-w3`*S`VNh|^>ylw94bkkP@n~wqCuAk6g7|S1r6UG`m$?*d+**Kd}ucO zZI0&JdZIp6Lksl6_v4}5mE!;I=J$!{X*bSAa%)-0>s;e$il3*bnhL3#H*U@z*v6NS z_UGM$6~qe>U#gwTg5-B9sPB~CTz5?=iekF*hW==tfH9RS%bMSd6}0nb$V;M9bz3ij z)+SxEGG{B*s%F>Ve9xUFn!2mUR10zyl~!`vb7D`Ty{R8>i!e?f@=FFl;^dF`*o(%0 z_Fr(prUizGL!p1Of$0+Tq}0e6b_SJwGTd>niImg=s&#a z(ojzV6Tas9(DmJS)3L}-U^`l^OyPNC-VH9O?|0!w5n^uc>b_4nQz{C(31Cr*3PB=Z z>ZMCR8n2R*{tq#dpIJ!@#7T8!68Yr%`WhJgmfXGS<2q+0bn}BH+=`d{{ipZ1uqCzC z(Y_T}e<>(DC=~-rtm`orBU2U=#JD(CRz^qiNrB0~aFIltP6_X9RvC{Qq%;wk`1r_H z8Ay1g@4VbO!2<;E~BM{G6=S*mF%09ZdVaj@bAW3NOoVCh+s#}w&4W_>Mp=k$fzXIp#aPT82uku`PlU6Vmq z@&rKJvOa&oz1{SNf*ecyT;i4_>u;BqZH4yz-wa5uzNEG%QV19+>5@m1lR&ZNOb(sr zJARFm@e7auVLC3wnm})humtyB53v}1tLZ=;i(2?63uMG`0Z5UhI-q}RGzS27WGQy* z&LUz8a(>o87YEF>#0Ebw4k4zewY;4fRU@qp)9)^0`g#Lkdc}U`#9+|awR4?N`h4Jk 
z^Ghl3B5`wDQpqH-x#AHRjC!FE1AX3GUMzUCO>8^z1Ca1iIpauU3M&z7QUahv!{ePIT5a};s4L`kRezB*jKSl ze#-d`o->l*i$xH(7Uz*<2G6b$T43*~dYIT&@>>5sS;e}0)Oe^sfWLgUa5QfE%x2(d z&0M$PWj+iht#4L&hDyFj#s@mf?&pN4D6Y*!l7Hqc1bIAW@a5hO>`GnsKHW3i-IMiz zb%B2NiMaV?LDtclhg0z%kV7O_tzECmPNQyFqMymbe4hPByIJ|!E1BS!F(Ds+b}>%iS&;#UZDF7aGB+n4iV6sLJ=)2Vz9Ha2+bbhu0zWk&d7u z!TmbXVxxSH35}uOw$?6!j%-Xl7tKYdamv=Tnyh@7mB{5GrEt08cj$jl#NU2>o5ZI1 zQFjuh>6!ELv<1ec)y*sUXU*9_l90S;%4)Ef}QY2r#iugKUB zxzld4WEA@{ONCa5zOvOdpxDd&?hJEZ@`Q^;mNP z2KLx#-eiX`A?l!o5JI^N-$H33zvzdaM=*DQOmCG8gGHG zRSA$d6IpEJ+I?~>;KwS1mBycS*=;-8^YzI~%NYX*!I0Q~+`VobL&{~-v28dmu(!u| z{|``(B&o)yjQ~iT`*|ZHyLn~cKl9_Y;})6E6PV!K?5C19uP?AFt)32?B3ZvU7zIeK(DI;CS9iLI+?`?Y6m5nE@J{rbQX;;S;mHo67zOciMOhwR&h}g|yL}>Khv-#T9f5m^iSS94O zguD<9Uv3v0xE!$0SV7~Uk>5Kl)4Xg+rp58t;`UsclE;f_uhl_ki9z}Zw@kg zt)}U4lW%UGx<7Y;t^HxPAvk&KA4~)m5Ovnu8WRO9)mvg`6h1y&>0AHKSG1ne0|^pk zipMKSfEKCqk&>aLK0Xtlmkg=e@9rOh_G{no(0H=h}(r_PEQc^%&BRo%V-lGbD%wwr|p39A+XgKb-pJLin zWld2~{WGtmF3-tPz1?{W7$+mdk5Uw(thn`U%YQq3OODCD=eJx5ua7E1io(GH5SS=F z4f{*{f6AC-V4V3+Gn|uZXep^{ZrF=UtM9)MKDmHb;)4}~3ylWa5Q{n>UrVakY-wqA znu>}I3nS$n!HaIz-F;?hOk=+|inS`>=X^Du6m7iiBQ_UKR;p$rd^gmHw01-aR8?%d zoUYMaAGlclIn8TsI5)vi8e6{qD`o)rLODr}W{ah)id2%Tw$>T9Dj#PsWMF#{GpDW+ zFOTW`92yQ(Y87==O}qV_5}RY^lhVR$c(xjY@w=S?TiYzf^NK;c+@`Agl{V`f3_2~% zRWI&Xg^ZJkZpsgL(Q(W~C`Y0Fm(NO1Un>J3QRZ)eJBH=P>O$C%{PyBV*)Bz5eRCXNTXZOq6}a1k zw0?HpHS8*H;?2RLqrO+-n53y%Sg_8}dAn_Evwl@4-C&UXv%O@v45AZBZkWjO-zr}i zA`n+mY3Qu019-AjRMNu3h=JX2FtdALhC15%`T)3vHmB|DA+9$&z~-C}RmJseG{G5Y z7!9}4EtMdQGH_}wF$@wmL(WPe2F#+s1ArQHJ4hNK8)|pxc7mtlh5GgYrorlSmnhRw#;$CZFEnB| zKLSwp$YlLu0QAgbdn4nR-z0u-r5gS!oWVR7Mk5-Z?mLbX?LnS!ii|K=gBXm_bMs|% z4R?fy`0HlFpP}FB_NvK_rN0_^0)~UNzaj1?>xr&q?;#FsIdd~0!I?2EQRiC)_wJP)ajyD>lYfD%twL8akFe%sfB|NSInmC z9R!|dwXSPRmlZGuCnui^1F?VJ+<5F?K96s&mra$FfJ5m19sm`gQN$+&DY)@^eeyAM zVN2CPEV17nIu2mG-Pds91G4{=wUJ5F7bi>x8yEVT6xYoGM$S(!d}Khdvxf#mRYbCs zmRqE^?mgaac&3scW`&s7TPR;St%86F4KS%9`Vjo}%kIY!3jbEqVmj_$C`e2Oa{lZp 
zP1n~`PP8EW_4-;AIObx7V6o5`V)d!8e?b18`E_@V%CKnYU+zF#PMnP6u7DUIKm370S6O;x zz&648wXetgtYZc_c@VFM)sDk=bSgbKOJZTG`I}Wv`a(-#*{s<^7wdR2HCu72xqaLF z-$CngPn4T(!uyZOuBs`CIJI2=^{S}dNHH8UJYT+G|AJ>IqGT*^2*6M!!?zOfA7rwH zACkF!vKB~=AwW4D?RR3MOEQH0#yZvVa1{NT2SSl1qaB`ge7%yj3fRbq zs=)6(83i11Jm|#HUckOEJz>Js0IKs^@-H?_gl>2~cHvGJ zgkG`HVsb{oe+ZynrerZq&OT$rrc+1UsK(JZ=6P_GJWhwG{4h$h$+DHwo@ zwPD^XClbuPq?FqJ`4>raj^V#`3!J_)4IiaaIR!Qbb$_tY-{wb_IndllEB!7Cy8JT|gcRGFd6EJPkIbk+J$PO;@Hn(r;D#+-Os_sRQ(C^G9j zGZbR>qW|=p@alf8Pn|ZPA^HN$-@i<)FlPM^=UP&_#}I)Dq^Sl{fs*`L_6{#Cs(u1! z5*ymm_x*zO>8(J%m|sfYpD@TYYbEP@b+Sp5`Dw?1jX_bfYF(x{~kQKj#EDzum7ZQ~3kyl-BdUvsSeOIosZkh+_noe`eRRq8fZ+OB& z0Ydd<&&{@h})?^<5raFM+kpsMW=Fpd<079N%4%bMtP_#cF3Yoq{!CUh&Ij@PwE z4kWPvJM!BJq#%r%%^5!Q-!-Kp{T=b+{A2iG=@7JuVjApFHw;m>zp;1_kLwLs-+xs% zXK?Of{y#jzXe)nk4lhmdtDOxF(XVO}^}i(kivHa=3$bK>*HV@I;O#zA#S-i8U0&$H z!rxj6Dd$?{&A-@4NcbUIF|aL(Qp=4f7Y&bWFqLKh2pUXBRU{biCR0tJHC&|U%)%BR z#MQtE)1nd;n#M_7ASOj-+7^g53mM8wFk{o3(|bZ*vmfF>kd>86{}KVS3KDu@^6G@p z)s4gpd2l&feKh1MBI3jCaVZGDnfG?rJ@HK`emYVr+`>rvm z&$o%w03WuRXE`=s(B+ql!UgdSpR?0eiNL^25hHHRV_7U77OZ;j&3MbMyA?mwo%+Z# zvnv!^Zdblm41VtMy1`lE)es8Pr8^L(JpCL?lr;RiQY)-^BjDl&YpyHVjgX7$=>V_e zgS%1nA*vfkzGea`Y`4eJ&DA%su;=6qaE>7V_-ISidz`_PbgzgKYl@>Ow4+XXD9t+) znAb#cNpuNe3*V_;DDe~(77|i*PML*@?$Y0b|ATtbg@*}lJ%kk%(!_&D_<B$6a6KirE(fC>l-xRLZijJcx7_L=9gR24)qzg&YR`c z;p98w72Bx(_i_Hn%gq=)FPoP5UT@BdRrKfMHubD?u^x3xDi)Ky$`2v8I^dfoS%E9q z`RtA+Hy18Xb@~-C6Zrn=%D#?VCSV31d*#V>bG14M3Auf^1Bx+T-Zou*;gw|C-Y)OO z`>|nZQ9*44pJv3G8j<#E9{%relvM+}HTuscspqCVLFh;KZf`bkyBwiKp;=eF2NMHW zx_S?1mv1_qgpZps`(P%UwN@t9$k8KXNA^byn zwC$j?PX&bi3I!D=*x*{&4Fku&AeY~QRpo;V1;+yqAq3^O5_|3CZr6QxIL+Mb@V_AA zFM5mosiTo-Nf}hEU{(`dA}i(m#%lx<4mH2r*{XGPvxRMk5rB7> zk*F@88!A`mxTz3rUF>v-u{FQ-_xADl3+FdeajRjOVTDHlV+!=5SHVmOnPZ=te8Kv5 zgf_h@+lFyH^s4XHa^{f8;oqWRH!a^nphn;*x7g;Mh3P|n<`%)Qu{D|gsjZiQG!o?X6`+0h`}W)K>(=Clt1eXT*C|p}e~8ivF=qImP$WH& z+?*mxZ2va#HZJ@KYoT|Ry9l<=KC$8KqBiy+_{LNcIRvW$N>-mQlO{iWW!IKbh9yK= 
zC!ZbtFk>NymScLd-qGj0d;{bE`y13di}tn8)u*P-w`;bmGh;D0ZJPbV(PI2MR55Fdo;$A7x2Ob&|` ztqXR%ccAaGRP43w+r$5lwzmq4s(r&phwhSwp%m$s?vRp}1}SNzySr0BLOK+X4gu*B z2Bf9CLAty4`~83WbRX<}T^mk@8D_2Z*8SX1Z`hBba|wNOlRk_t_#O63DfXHax>qUw zHR)g3jzB~KwCauYjg{Z!URz2w&mr$jloRyjgDd{JAJe?8&j`s#%t}9wRHDe#(JNp4 zZnr0Rn0)kmhfiYDy2}=P!TUMn8^xz&N13>#=SarM*~PI_^nxSes@Jno-|&9Ui889) ziMQn;8>c{#45pB>HT5Ktx6+{BafD~p^sFnz$ZPs(yq`aGY$_Muiu*+A{w(plYW=;Je90IIRTQt ze}6w{Rvb!c;vkKLO%XhY884-X*%uq6x8y@VJk0O)qP~7|N?7rfVZDDJ3nEbH6a$qbKt#^?_+x=g z$UySiTF`K2%LZb+lm*?37pvRI@luxb(J@YYlTFz^p2l~s{MkBfWTd1dT!`2x(-r&A zibaYNZxQF`PYxSZ39RZ#M4_CVs%7~MR@M@Rlw@SMx3(4+ikSmyt7VXF?&M-5Bf?3A8~5Xa#&Cb$#Zo2o%k^{3FF4(Bkdb#BFWov7 zsuqi(Bj#kLQQi#QoE$K)$8|D7P+A-6uELZwDJd6U{$3aiTYErcZA!29o=Bjn~NjM6 zl%;It+Aseo9*>7$=F(r?R>Ry|f&k52Zm{z_S2|c)pco*DyXm1iIjB21+gmn1)C28& z-H#9j|3W5auTL zP?4<`qn1pp@n-kGcX(J6{T;r3I%E8EH7({Ojeg{qSF6XWTTFX>ONE05KZ-N*g(E+e zgKr3{tntr4gjk}73*OcnTuJxv;M^feNyLjBe&-id<*=exR<F<>aqbF?IVM&^-6BF%|Z5HYb+DUbEBCBPrt<*~0pIIMR)4Ot$5O{ZNXq zI+Q)GV6R>w9JfUzy#ST;(b1cYhK741sJcgSlIcws8jgsQlTUM>JI(g|r>{>sgONPf z(ag-@mayh#8!B2#lFT8fXk8Ih1>cdhn4fNBW1(n})6>VSzJ5^C7#|U7Z7Z$Dopo^u zbfomWP<#6}aHr+^xf9{$L<*BU+cFG^fz(0Xyz5u&y6*u-v@UKcXqy^ zJZ()&08VlCY8YESoHjw_>fY0-mUbhgM@c%)LM;dq>hr1j;3cH^8~^KGv*RT#(^`ds z@?XJJYFaGVx~snehGMFYs*hRrZU4FQOG~SDStSeF6~N0y*H-<#0W}pTlKklU?jNsp z&Yz-{BfcFl9QZ}Nwk0O}O2&;Nwzp~nS3SKm^=4&KN1t)zb}c1sW2QsKM~Kn~ z6AcX)(RL+1FV7`PzR|8n3WtURx8qsl<*V`K_^OV+ssOBj0G1E4*)#O)I5=Xlm28Xd zaN@YDYj7T*y)gczcgfU_cZ4Tpd%G&Z!&#c6OOM|*jUbr~&s#iE z(UYqqe;*qrfFlbHYdtupv!?w6aHFq;$ZKjq-evg*FT)bk8siB%PcM_*zn^?52Da4m zX4Wg^JwFk;Z*SxaK_Ji}EvN{V3LlhRN?jxv0g^WydFU01*42#`7#Z#Ta7W?WMt-f> zTS9|+B4fa;bi_<*YJiRXw=)J<&ZK)$CNYIlmBj`r>w#UToC#=eF$*S+#= z>VhG_ulV7aAq}?oPCR$_Ydmb*W1=IBnx5mec3_)d>RgG*#UhRd?X2#EU9mlEz4<1y zQI!DSnfmI+7=ek*(U+9lPtd@DO~3Ku3>(nCtE*k|m6esR4<6QfY68T{wIJzSNbT)F zYD~^ZeeagS0T|(Q$88uup{eO8n3xlPe=MtrN$Cmkxpr@?{n^;_v1{cyenc5`eZWK} z!9+#nKZZIxpIj}RoOQd5u6<8~7%#UT-E0~?2M;5spwG?WN;9CxL%T-(!+)rAnj*J9 
zd4bG5o0eT=w+4cg(;!)h!l7$lVI^AbfgT7&z~_?MosORDZA{q(RHmOfZzvf zkmukX?b`;Ksz{(+d_BCvLM|Fjkpyn8J&YaWO?yh$31TZa_J|mBsXHujbl}|Gdg4LJk^>Mvx%hhvzHJfa ztM*cKu1l=n0ZL~aezWdf>rs*wZ=w^iw1_2+R(kyQvNDz*?Wp=Y{O)ujIMO*gZlDQh z)aSG%TsS!MTSzcBJC8hcwYt4>9E;>{E@QJxS@utXGgEosjG9185!?)Ky19o^o3HG+j&1%+;v1o zOoC6nwAf8$IsXa!Kk3={3wW!i7WErsTXjqJfP-`s;U!M7emA(XrEo^?%jxdCRx*gB{#%|VJqwV%ol!$NfV(2~K(F6gaET-9UU? z1CDXEt$!h8ayOhQ4R z+k&R!QCS(TtSGisr-A)Vf_~xA$EFUYyZwmiWAc)NFJnVb&`QxO)T^k^Ktb|#9*9ij zV>PN6G80q)vHs^Yvd9$@={9hHF30x2Pu z;!}2t(`ekE67*=6NyXG|ZkH8_y(ihvxlVlmpxDa7blV=?vkD6XW|@DQiRZc^Rs&F} zTmM!m^_DfGnSc$@$cJVo(3j4@&VfTW{=Qn+ximi@Q220rdUhPc%$_Kp?De*mm5#|0 z!SGI8pLb2KqguJYV1=z4J*UbUR+$Y;V$+_qtP6e~8Mk^KtueJ@0(f?@xjF;=(k?AK z7z}dqNY^;H6OT*94Qd&ANjpfBrDzLsV-70Hv7t9|)W<|{mVgQf`%U4c%dEQ&Ikw_2 zEX?1^Q$;<^NLy;QAoByW8|axtLJd0~#qJ%E_ODeIDVdXSN(75ICUT(JH_+iVA+g3X zNwnUBt;6_`8Jg!&v5+8>I4Q95(XI07=I+T984Hmji=I$TPWi--U__3X%ps}OQ+fE| zVG*q3sVEYtrgB-zHL7m( zlQO+A`>1WK4k7Cy%OwvnIxKn}O zO?AiX@ESsW2JRRfVN9rN?M#2CwKe{fo40YxoZj8jFw@0va1@aF4}P zoZy+6kf-AT(FnRQj%XJ+CKhl{-EC+1SaZ)I-~0WAW27$p zV6gZe_ryi!y8Y0#xB&U?9~GwqsrlHe;#C`To}A zdLCCc&^9{r`FCb$Y6NwupXIZpzCe4SOEoyk8*4a53ce|8ve;qBJiJapNlMEJjCQ#9 zf!3&)9O<}Pv$dfV-NN@y;N)NR_vb}4g@0^CrufWM4cUVE8w3YtT}xQBk(2I2-qywv z54#ATU;<%Ox~J%8%ZuU-zKmmxz10fbU7PA`LzftY|6R3D{4MO~7^JeR>0pHT0SUMF zi%yUDLdli!ffna-v;V07AA2-eV@`8X4 z8#V)-?oflMQHT)T-M_}9XLBN0W$=E)TIK)zv=^4b6XO`yVcFqs?nkfX8=F767$zJS zB_&lUF2yK0=zIkJ`f;ALg{vsY9X}?d`S$lQk4}phnp9v(?MEt_=Jx#yuu$vjL{KUxI1@6NBj^KpJ9aPq7#71v>n53%ow;~VI1_79ILh@OeWt^AG$T}0%t zQUK_{!Cjl23O01FX~G3jXue0UGw*vg(8Uy!Bk#=mH{jh&NGUh|@{Z0yb;MktMHi^7 zMnbOnTKGO0WvV=V8 z=Y^p}TvI%*oXjL!rjqF`k$}A>YKQxNFL67fY{=0314pqqeU&1FuH#^qPAPwD>Jm3C zI*~F_T^+$4XW7MlJarRokmK#>>ZB{avF~t`D$X5OV^JjucR9^*b4Fqcv1a;?Q7au> z^Pd^#gI6=M@1_`N_~YaDDo8CmU2J)1=5jVVT>Q`1vW*0H@Yg@93`RW|PA4Y9nK&C1#cNvT*~ zwC4(R9lEYv6TKxpJ2A~%1!Y8S0#{={A9{QY?{rQ8R~4yVL55>=h0=UyipeeJF&PiSa z-N`v!L3|kMdTJ?7_|(}s9c^ZZLXt#^qjuN=3x&LW36pDpzMbxuf*`~RtCtyOi)oop 
zjX5Q{477uA%~?j{w__PYxya21<*h}@;FfvW#DCnhhxy`ufa10*4?1tHFe|+1yOT{R zPN?3i!e)k!AT7)aDCNJ{jtU;6#%GSp{15EA$34~)$o0#sJ+@k26~Mi_iz}bnpxCO9 zpS<7B>~KzMdoWUvj=QsCwqu{tB}Oms;b)Wxq%5xXE(S?|J%- zLXo5tUy(VG?q?RR8%~tDm#m1HA?urkPI6{qV`~-Y(NjDs>VSz;azw?hRC`w^=W9Ge zS9oiGzpXO=ZVO{4QIRF_zVOh#a7ao>gJ;rcTO~ekF{wWVaNkR+Im_^U5V@1_%(=E) zZU;O_tezjaL!#3g+&@Ji1h=S;E^#yVF5L7=mTnr?5tFHkRhgAA%-*G9ao>tZdymRx z7r`YQa?<^n56nB4>Q*84NmUO5xZJcL8R~{|>dB=cnnZpR)Mj|(bd!-=cOP^?lYj_E zdDEN$5F5>?@(FhFtEwcK$S75GE4Y{RgUpK}VJkYRqMx!WI*qnge(G9uXwD3G`+Le9 zxG~a55gh#V`q&qcy_^jU11#)NVx)+=ezIywACiE4YA+w#pv3OU)#6G~=|_eTd*f~p4%F4dG#>DslEJSo9E+~izRC69TX;4s0*I>d(Fszi2U zL-&^Bapx)6sa#rYP}o*$wo;#(CL95;#M?T_U^NL2A)`uNm}C5dr>gJxMqoESj87Uh zO|hHm_tpZFbt!PQOR3`9KWG_6bIMs3Wsbz}s$GeeJ64jz z;P+VB{y$Ir8cHN}e=2u>p61LnTot=~yEHhg!zQ|b6@g_qazw4+7Yao?8;LH6HPMA} z70#_GMMPz!<=v6D+MugM&TVfu$$wsuZot1DP^~n)L2ziOQ^fLr6>@ZwqBA9&VCsi4 zPY!aL-WTaJ_RL%rSTc}!PEJj*g4((>saqxq&g54sFNcb%b}>qllFl|~B1Hs(eUwmg{G+ zcjmY2%Bn~3K>RP`G~!;BO37WSGR{-^b#awSN*E!QVIq#mY!=0wZsdx-mF#ehKQvUhMn%M2>)*i5qEMD(HqI-d}%*8wjss&A&uj;t&ilR2tUjwUOU%6(;pKgu2eD_ z56%(fB^GvpzGSkjofOc%(a@~W@#ttcwfrd-+&;Bb>3CaloOg{TZO|`Dc8VoWIG3s3 zF0xZC?c17S9pm$bqq6P#d$fV!l$v463NvFSoZ*&<98qTm1wmO%&-WxfLEZ z0_r{7wg~toF6HOwp~_%N?UYUP*eb90O{(>eQcI#w8=4+T1Tme>bnmKU8_MI4*@U}S z$>SAP<=^4yV~##kYtB?aC!LQhxwnK~-=G`YD{`JtJ$zRo|BPY!uDh9j&Z=rczHjw? znNx+-!r|eynl{8k`SGCi*ky3k%)}5kapz%6p7{4QWq;aBiVG)6=lxQ7hBUGXL86=6 zT%=zmiQai{q)RcigF#8=Pp`o`I5DDzv!quH7)XoiZdyxrkyipD{PCrzLSD&0#;duD zZCW-BznMR3{Zz==g;0^feOAC4-=O>~Juy`Mxu`!$_pzaU+i10`9d~RpXL_$p5na$5Nx;zi1rA~X z&Co1{7~i#>X&q*oiMJg80g@)Ia|AUSZv19`)4dY{>;9Y|P=GA|AVVk}8tA+>@)tS9 z!u(U@s7L*XW8`a|rJbK)sJ0)~{H#-AmM~W)>9gig;8StrLFwT6!jUTOkshg!1Q zGu}oL?*Mz|Ifr%cq-E#(opIz;zIu%XkKCw&|=6HV_Mady7THBE6X`81YydI+5|(sgd? 
z+CWRNec@=OMZC+!aNgKY%k8sMeC7D^j})Fm)V(|8sC7R|w<^AulrgT#r{j)qs+v@w zzo|wZS?7mxNik!7@Jf~VJay4@-)>VKeG5Be>2sUWcDl#+4sqd;|4l-P){^KDbwYX4 zEYv;6XXDlI?)Zx;m%{N?fH;TA$B%oy@7MlM3BXdm;*p{C_p76$JEkwKXPlv79=<=) zk#yV1D?UzC7ugn{I)Qeka^qJ{-b!OCM)9g7?(M&iLR=rqxEioG`Uu4G**3(s^5@Yd z84u_;z=RSD&++AO@0p4c=Yl|sLcP^fgRCS6jwgSl1lz*?Z^!v&p-K*Dm#`geP;p(4yK!={5K-oHG85u*#EEf;#&mjCIb-x z&6D-4xoCFiRf~5o9c=fr1APH)V@Wr-=7oA!hj9b+TEduOukV!LVQm_dom4~(-K!i< ziM!T79}{ok{KJ5<(EzTq!G+Z5tC8})p(;T6ylP|>S`-+MKWK=n2`?Iml=h7jd0(Q= z^!p8!qUHALbp3^f_+d=K*Zy`bpsnPkwVkBg7L>KHf-LNAnqZnf)@sI6FagSmQSSq> zZMGiT4X!UlTep$;UBgDn^&{Bcs{f=1GGdfV4e|+b`+L!cOTLL;k!oS*Dj}UOR8^r) zf+0#==+c8DkCz(k*<&{1QXHS5n=Waw*p0AjYg#P4LbHDmDfjQO;nzHmAxGF)+v=4$ zy6#D*IMT5`(sDleCQ4Z=VQ~rj74mZo-`M0|eD9e=^u~?MN8D0CT%|!fh?1ERol~f! z9Lz~erBz=NWta4`c$3WrQHg1|e3GkKk*s+MXP?#_m93O}t|})(>aQNYaU!szfo_P` z<%_6mi+JT@90LbI%W-+geM4-L@Y^YScT=IBnc_e=!OKs2Lzi+HlE}gBD=Eh}PL*vr z5i>`~%by2ulc-Cq6w0Ak8qQnt)H$>H(!E`r>v11ArhJ%GiO15Nobz7I8e zJ`NhocJGH3So8@M>aAvm{%WtFwQ&w9l{8LPB<~vthS=DO-d1Vn?3XI*efMU{W>8_+}s&`ynlD z&8q?4;|6+v`X$}oPxwz7=quUz-;h3&jay3|I#XNKTTF@eBo0o2AdX2szBG-PiLDVY zhSJg5L}a~%T?%ra`HxA(mOy$U2w(SJ=QnVgj4Tuf&=8>!eF5x@eze+ytoG;*1-Fvv zf&%x83I+6i-+kuGP4CgG`S#7&cUGAGO_8jqb#kU^Nc^eK%%3|Pf%o`OdU9x@Ie1(^ z*CATJRGa`qpt_Qunc3-^-gcBWlAqD1Fax&?j@+;r%cVttMog+P=f)_-L7D-NZkz!3 z;w)E}itgUiKL?4kENhd&PlRpA&(=;=KHVw>Mo3=ivE1)@srV-r{C!Gy;V1~6xalS` zFO9`;GrqAmm$qvAB;(=l3{HgsC(#eRUAN)(j>@M$z0wkQ_QT}(Z#wNC9>FI*KTyT* z;+IU)eSDJBarsq{G{bd@ddsNI)xG_Nv5ofP!13T}RI1s}s-r*8ak7`vvp0HNF!nHB zD>JKdGqw(SC!me>f4nq;4Z9x zzS0@u){FY9Kd8T!JPP0jrhQ+JLLS)QY3qRgZKjXA#p_C;$8wX}&v3ikfE-L;p?kg$ zk1dpOh=j2Bj6&77W;kyz{xZ64oKv?r-1ck=Ub))L;AeEYxkDu>CEa|(o%-)@j^aryTsOYZOdi9(*;33vG$)dM;-|OgbB7`B3lv9r1L+w-+fw5YtW)9X4jw=<@XVJ5T)8(e_IaQD13d4F!zxSNjrR#&y zD+<0q>$DS(Rgzs@;G*U#VmJ_WS;pJc_ok_!5cEYy3%a%6vYCL`u}6z>Fn4!14>+*i zhqPZhk{j^MaD}Niy^3$_$NT`|Nq*jt>Yn$40+rw5*p4;^-NC)(0vCiUL-S+0K?Kek$!A(9LPRrixci1IG)a*&z zI=Z6U)rx0p=1{Mm*zfV@Eo!7Snettu^{+V>3?zCrQ-O>~UdvI5hed5lZ>jiP($CI5 
zn4CTjdL=(=IrfIgO%}nSD=a0KfWi5+ntn?~-etwZp;`sx@+P@Y1x@xCD8{oK;+Z9~ z44DJ7B;fQbMu+Lq)3m5T2d6``rw(T_nY7dbxV!T`7tpQJ$ z`B^)47bSUPLQjP^&;uQ#oahQLP7xvei@CSD2#DWdHvK-J;tFj;N?+ZOitLE-ubQf2 z!Dj|JX`r0x7`1n%xlVM))59dz+;3*X@ZeGtx5mX$Q&%?N9CB*1{3be`@j0dr_3Ar_ zJ+7ZwQk`VbTS?pecui!sq3L9DIIrbK0M{1WtdZyk3IHMJ5Cl-m+(ku*#xisEn9oq3 zx5(E1Tv+z(>r>P&W5u*1v9n)stduL-CvtP8g9@~L<+fLm1fVB+CG<#C&va-PC?Bt^ zT?!0tDj3LVC??U!?&>+Fj45&HlYd+!Xk#by3^2=bL=Uq;vAsF?51{*3BRXQXro=r7 z9$bSG0YdQog)&lOd*_TT=q+%Nt`?l#_)UQ_bxxhQd=~?wo2xhtUb?>!I59 zzew1_I!*Atuy)3(KP@ONje#|(f57^ii$5`48T7b1*Ye^>DzN|3hh$|X50fX~9psS- zl?V+^3}uGXaJp#onUBJsoW2vlEsz8^Gule|#x;`g6}1QITl9q+VikVzR2{QIOY4bC zVmC;!!r<8{Pk8%4Y53-dD%JF^UXy^PSU(A7fG0G~A%+VvmC8a2KtJRF6cJo^5$4<`t z?G5*t9vI4VrDC&#wC2pn>Mvy0q4k&5z=3V7{+;oSpBsoxR&;?Yy|`dqARF18H#ycp z*Q^!%$tO(l?^4;`q>=ddeWSWRRy3K{Zm8s0SvxVDXHehHic61jzru0i(|D6s5D3Ht zmC_ozUJ3jmv`MR3p`JYlNsR)xU1xOECJP(z?qw3YkI2avn2cc)DJz8+JCdHG5BKwm z_5(e1ZR-_)L>@*Y-PU19Ie3hWiVHq24URx6%QA8~i+V%8BjenqBs?~?kci_=kJ6lV z8BptA8yP_eo6OVU+v6#%MIo&d6{X->#(~E{X}D!S62Bdr@nrWOplv00FUpi~KPTtB z;--&6ZBiEKLs@@J1vfD%T&R^U)S}CsC@+(mKaH^UqwT1Gi}a6UZx}>vH0aL%d%X}e zP-v!C3HyqYuMO}Xb#ba!Fx7H-??>l~!=GiN6Q$f`hrJ-#Y$`=(#{oECi^cFo&saz9 zc6J|*NTT~i@Cn0)S<4JF*BP3KHl{kXMR0B;T0amQ{49)WB;0VPrQLqjCj$`2ej=&* z7p@(#I+p`qZpQEKDHT%zG$M*q?Ia9o7~H)hdVzR9lpdf+!dQwu)9zkRdaWA_hccMiN$n3#l@q ztjGvd5Ks{UVT2GM6$%joiGUKqiVz?o8DJm*Ldbg<_G#_&zF+?z{tsWnx$kpd_cedl zIB(l;q@Df#IO+Ebm;ShZ{mk~un}2$=uGy@4C}&XZgAU@s^D6{$uCjEU_(@!c&jawA z(YmH$9od#q1@cj6g!y!`csTA|m}0h$nJ^^g_O2F@4r^ai$S=Y}ZGeAT(ncrUd`BX) z1D)vl543{0_o$uz8SeI5h^GlGkK0E5zgLb%-6g(X$v0SDH6ex;(sTZK<;Y6og;T!j1k_ZgYXPPtxlo=oG& zp7r@(K#UXe=F@&#{`;jO!Tk1@v8tC(vq&d9My}L6*T#pDCiP_EbYT-yR%;PHr_JZ2 z6mTsL2p`u`Wm~W8?7-h_+)|m(gXH;y7(<-Wn6(45>F6k$WOx!isBRXWE1quc65&&j z_CuVduZ=fxojuO?-bhcyF^XLwo3R%rs`SG;3fMzksJT8UQaGl;XLL?l911%y1{Pq> zH-)1$+%K7InE;n-WSyiYfNm@KfjC)A(3Th<8I1Yt=ug6M8sW&35Q z^r4D(r+@j7UU~*ODtclr;rSk+voX}a^0~HD{OX>hSjn5V|NllNGH~c-Yl<;c=uElI z6%`6EFTQAoBAYnxgNwMF?gYc>x~Kv5M|V0GwKaLiL2Y!6D@xA&^*v*NmrybvNs&97 
zQ8MfDr#C3a3~t60H{o(HwnlA#iUi9naz|9G4?JbvM(4iKEv=3&vG%B&aTm=t{8^9# zM;;bYLFI{lMG@VG1%&J zF9mLOy^RhN)bkd#otOAV+z9vQl7e)S&j38;v6n#V)WO`f#c$!_Oz(xR1xwcj&%RKL zqKwOEjeX01UAp;-dw=rU&}WCxx2vjI=nzuZXZtJ&$R)tx`ej4luP`1z4&=bRqpe}w zTkX{k2ZliZq~J3pXSOUD@`qocu%W*Xp#GrZp!Za-Wh3A9NDI*sVgB-Jd@H}cX_-gq z_}bsgzR=SG>1rP(g_;hW;Sj1+3QqdfsO-<)TW5(uILtVU77p}_K? zH(1wU`oxJSU63;+Dy$`wIdn0`>$}cHtCP!rk6llx|NK$ju7nuF4~&o|9lOV9^x3w` z=?}EF*8m48o0K+s`(23=1_Ru4N>mISoe%K(6E{f5z};}cu{YP|3GjNufVxG3;cPQh zvOcMJ$|bXJmB7P`&o(N6UL_Mm5f|c%GeBDz9z~henjofj_jo$gzOZ3#vb2(?HC� zi7443IsL@TjFPNpxF>FADGw;ps=34>QM&o>NJ;l-g&Bs^&BBXjd;1E5dJKBE6bp2- z$@!sOBT3DV?v~>m-gl(o{L@%j*r#8RZps4{7GC{gLa~zf-i7#;j&6BmeW~`kuXSXJ z^=+?=W3Z2eavyF$zL@^a5$fY}wWp3Tn#3XrzX9Y_AgdIkw>OAqe$JzA38>0-@HkA_ zwsrZ>FTFGF{zn?PLprXCwDHJ{cr4n%vq5?&deLlpF1-}EHXN5d5g8->;q}2x==wDk zI5={}C(Ajao(8F#$@=g?#2w~v?^21^27>?$S`H+E`T?o_8_BBTi-(WkXCkpR;S)zA ze(_cVqf0MGTQg-;x|$E)>AZ>$o5gXIS**6CUIgYrdq)a!F~@1C^0c?g~U`CO+20{^DnNW1{E8 znMSI?gNUTAu)uOk+1>vtn&g^HopnKBM+X6VDQc0WA5!P^TgLjQNAS{Z)HgRl#=?Mq zGMNXYW5;!3ZI%F#$hg!&RD>09st^3|X(s9}=gJFQrli{9=gm#?7nHXne%F9;MOT!a z;p^X)2nwU7yM%VFgV>@`!9_@|s=-pNj$TyP$1VOclzPjC(mEAabg#zRs*Na? 
zgAd)(h~2(Fx*5p3UX_l6q;VU<<87l2yrbJhQNNI?CdS%&m#6U-Y`x zeMyZreRW?Z^zMqiJWP9c;upZ2AyRSHw_&f0C$UgaBvp?=d?axSPHc8&45* zw9#V_w$Sw$R8_@4jOISwTcxg)vwN#feHMNfpfR*!+%&X5xTOZN7#8G&SgMLzFc0Sy zwC^dR1&Mdb+>lx1E;#DOijKp^x2q>dKNissuy%6 z8f(VBbO_yn&gl15+D`DLnIUPPALISBBBnP0F?G^1I3TL@rA3mq4L{4fT6lXt(^TU) zjBD6N531UUsp_v-sD7Eykq5I`9KK~<0QegVVp?5~Ih+~rV+GH2lKcj36ZYSf+rEZd zQyHI6sIayLr!i&TZc7HumTv$mYBAW0JJIaQaEP>Br62gX7sZVLHoq%*BPtjJFB9o9 zdI!K*sxa=hY1P||?Y}Tyre80v6EM0z$S*(~2cPq@KP(DFQ_{j_PMhwBhv<68;NJcs&$ zhR8tZ%cSnFmeofNv{gwZ=|m*d4oF*6YJwyh+_JCh| zVLo{yQ};4g;JNsIuS~M5pL?+7#RsUKUa&1tMpZ!TptoA56A7u=yHo17iyox~qtlkk zs~}#%r&>dw4&bgbl*Ie3ZtGd4pvHBbS)}%oG@QEAQpokPKP|iynuNKBavoH9o7qpx z_PY_gQVhO0RjL##?_K-~l#jp&uvY3xvFxs1JuNU-{4_6l z7A*!W!(oa7U`mn*@CQhXJrq%ZC)(5QY{$^Kqk!W|jkSCqS6Ql_?v8dI0xB0#J^@r= z_rp`ttGOA{b~PG3&U+Yh7-4P2AfcW;xm2I~4?C{>3r1Z(Uvj?(6dir{E_p(XmqmC@ z%xaWOPKM$i@dmQ0RJ#!o31ZezJ8FCcPyUq^=j}By2fSM{voinhN?3VW3HJaYz*5Gd zu^v}mkXyi2pyRJ>PlhAk^JgvJ$F6_Vy-nC>`2I3Fw`bDt{5YRR?Ua;;lpc(B!Ne8} zS0E>Cdg=-*CUe@|(0z)8$*cxXg1TB;+eCT1_~`)p7-#1#{~gP!`bc$6Fr?|;hPzW!wGkQ9TcLG_e$*bJf%9 z1(-9mrTHLO|63`8Or41iVuny*Tnn^n00VpC#Zk|e4W0gG9gCm*>Fy-YRH_$zhnb)#2i%%5V@#Acg$)F-OcVLR z9_n38`i?94%O?R8(Zvi~i1h4|>+2E5t*YTI zd03sZ5?X5s%^_0olyFFg2+N7#~7KEB;+O8=MDD26@hdoVW3~X!BGO z@^%3Cgb84mLi0iE$#2n64Gq|2=EAn%N;UXx4lAgrlGn+^-0^k~jhi-|JXWPDn?6(g)!AHtw!YuLJ`!ln{<|b9@4L+^vdwz-UH~?l(h$!fQD|Pu}Z#4h3 zDfP{LQ9CXejqZgyB}tyP&bpP!Ja^PP7r*mxoHvMrYfc(=DVg$=nk7C(6@8}0q z)4qXmFI|!LXl}^uW_!#*<`Gr*ytDN{MRKR&Ixv#V)J>E$^WK@hRf=84KQ@mEG@~XO z-F=MjwcRU-<-$$%Hr-J+^S$~V;E^C55T5r7sBd|k;r4L6D(87+!ketgFget8sOU-% z#i44b*rsAU-0w&=#O=RG3*!*}H#bj&030ofJpE2#o-c7_)War_7f8tQ$vw4$1X1pw zs2y}nF@Oa4xB2rIR=q;*L+6uv0Fw?Dx0dD?STp*FR=r1u7 zCDBi~FUOpJd3dCOfqhr}SR_euk6&QMF`WRi>ECw)8ach)Y$_M+SDyL{BKZl3R6C#X z7U$$$jENQvt^?{Ru`m1kfRrMuN%IS-C3c1Sv)MiQed36;Y6pI!*pWpdJ`1l4h7_kg z?+(oyYbsG#j`w%p)91}jFg`np34#SoEO@~}LS1%3+&_0j=;!nH{HW*Ms*1DiaKjjJ z>JbSC3dVE?FUiyo%+(C(P@|rVi+7*#&LUgSK7R}|E7=oQ=uOl3FWe}CjA^`z0782_ 
z8WQF_h-IUNYTbs7Fx%d`8R>;xMXpjW=(tSyUgiyav}oxePjaK6$V^H$wRo+q6jb>S z3TqqOpzDCtqvi9@fEvHW=@XKN>09-q8pjKO+DwyfM^%6x*AFz7{)68>z%p zcPv)LvN5hS>Rzd%&8UW+{E%ikU^=t`B&&)b>f7fp-_tCWs*o(cKiHNr?Fnk}?HKd{ zY+16fZ93_7AKKJ^>G+8f+2i@%P_0kh?y{p62u1c{7g&Bozo6kU9vmaFmede}`wZk0 z78Lb#<>{6s-&bfZhH1}{zT)BDRZ$~F6=nQ_Sj`RnKw+ZDvfQ6J5K`A#g`hsPYMhw#A8x)OuV>h zDZWF}Tsg4h@-El+;gY|t41StTj7asomV%@L* z0xaLUX@S0QUq!vwR?UWn0dDZx4{P9#Y}0wfSG~Xq2a=Y9w$Ij;o&D6P1ec`ZZs@Jb z$J)cIIOW<8TxWvi9nO99SDK(Nt^y|vJiQ!tuUqG`{}c4#vl^#1`X5Rk8DV+VRg``0 zhmVYH@kJ``vm?L>i9al}C@|^jyAJ#ctavgLHnaCfP2SqYuUN0OhgZ?(wI4Y1X;&W% zn>^0_tc|{I_j$yf{uKrFKX$t6_5V3LtvgOy72b8{16N;W-MX>0tAB?dJXHXE7^n@9 zw3Owq3jtHg{^=mDTbH_fC6fa@w07mdI%@*9)ED5m{4u7pCX{1Z%O7L1{gjvgw>dDm z^nYakAH#+GPt^XWWd5gKw{HE2Jp9kF0Ot1pZzi?!gSTWR*8)T7c^zgTpD&2|T73f~ zWwrWYcP`Ra2z=qw@r;G@kh~c935ileFU{1Nk7N2HP-W^wsd;1A?p0TKoj({XrhFlP zabkgO@WT78Q^KlO{0d4=v;zGR5WYmo9p9y1fVafNI@=zQcC7y2b=#FdVBiUt6Ia}A zX3>I)y%kr9soR50PvsW9J@m)ZPm`V3mC(E#G$_Xe+!3U}2eB$q#l5nTMFIo9{#wojbzKfsZ5?EBn8Qk&sRjv^Sg0K_IOiF)O<8I06fGADp*Txc7d`_Dmw$)29(lR3HOlWOV~lWKWCzqgaKBW0YN z+%(6Gy?ldC^EXjv<$8;1HK88^0EsFPBYCya+dnXWjWLZ}`Sp7MSBd!}(H`NGM7hLd5J0V{Y0%wz=;V@^(jkHTP|~1h{BZ&n0LX zWe<4evEO;oP&G`&doRyg!QRN|^>(&|R#h)JUa#c%+#INo*S^QLGXRH)i2RMR0SKV~ zk$QVOj+$i)Ors>@vGa@=4)>|XpbGER zK)oiwR*?f02s{>&ioNb~&W1!N!nnUc(L-Z6473YDPmo-ksJg>gj~`%VfDV65QnKw3 z4PIWI#(rUOJ@IM9-5(k)Y##p!0%|#Qf!*U*vKG73$Y=ax^fe|Kel4s5yaTsS+*&Qfoai9H2>C)&;%|uxs-QyY}LX^+0lI&@>|rkSaD% zp$24&`r2*NaHf;h?9(-YACJQ#mwFQZ%+xxOL!O-Uq|xyUWU#PcW&i_sNp+n}mVV>x z->PnO-T%nPvj~B+z(^w(;|Y`Nt&>S)My-gq{Fbrs*Qbz|QUw#2ETZQb3wfd@XE|6` z)NKBBmdZ-tBn_*Fafi5r-BR0vw^#|$;d~vIAmX&nUBD2GEZ;X^%z&$F`ryfnd470} zQzbxAq4{Y{(D%+JXsbyj@Y0(h8hryu^V$(qqRb%sE5ORzCz%^#vqX*l38v7C74U^%PTnjQ+h@McREF5w$KL?C7;!kHm&9_@) z*t3W36+*ho-!ASK|J2*Q#sZW2Aa-e#CMXU+eGbiEfdl7c+zckJA!n(dLykddV$~>< z-l^wEsopQ<&;5sJ{aBqQb8{*NukBo|ulWtsl10MyOxQP1KjPuYwlm1z(Kej>{eh_R z8B_koxX_6yY1+yftR<@PUzImO0Oe||cie(AM9+LkeK=p*U>IxOWvPCGiB`mKEj_-h zuxl=0wZG!#aE*;=Z!lEYmJxbId6Yhgk{)9V_s7fBJb!@P_|%L9(w!-z!01A8lw_s@ 
zGcCb&vh5`EMDJn8&eV;Oi;TEI!8zWovWyi|SO#sQORtGwT%kNIH+KmDu4e?IIVt^} z@R@Xx8q%+o6}op=njyoatw!X*8*(;K4llj`+_Dj(LVSD~C}x1vBs6@v7^?djCjHQ1 zc>S}NJ6fasP&rEJEGbj=ut8q72j-yvqnQ&whWGj-?uI%6sF5*2&EowApgie8j7>W} z=~-H_e3t?Ag%N@Q<3@$^1p}LQEX`*P@~1!F%|wVOiskwaI6g__|l z0unD;5iiT3DkFaU1e3bazw83^PmeMWQe?@bc+pwZ#5~B-LH{&MMGRY2X@Gc`49<41`hKX>BSp+E-c9Zx(El~Fc-R9S@rxY1 z(BKr>U+p$sYXFAM8HZ3(aisl!8K})Lt~*v|pL5-Jp{3_h&zwldBoItYqI!%l6&EC} z0*tx&s%}fy*~eV{r%bo8_XF@*u5uog4Fc+b>=0k=`t6hQh_{8&BI$HH^ZTlM^kty1 z7yGxX?1pgxOALMWeM_!R0q^V@fLf#I_28fusp-Q-5=c>5X{W>qVg7F8A5CMp%N}ZS zO(ap^X6ajV5awIj`u8i^a!G#OcB)sSv2pBtLFlZ*a=yn6Kh^`VuGrrhaR;@6zY=-V zCSifqn@p~oZsBx4EWPJJ8`&ERYV{aZS=MNx) zQp1&+H?cJ^wk;6oGfG0WiO6%)Wyt^B1n7Yd^@#3w4QA^Z*i@zGNLPel%xd6F_lLQ= zQ(+!c^N)`F>ja~1FRKK1%(NYfxbX@-#X!G*jrD8^prrZCQee+j27{C)48-ims99K_ zFGO$I{qTi^e(f&Vk)0W(-!#Dm1hBxaa1d<+1j8&;sy zIGH_SsHk5L6tnEQMT3JroRI7^R}m6f_q1lgRD=$+USs!zZ`%&1QB@7e@c|+oWET~S30~r$mPx0`}WCqxdzc@ZS!RXSS`42`X_T;yGl~?(e`~V#aR$Kko-H{aL9vFX)ON z-GtTx2~!A05Ji};+iEdxlWN5L^QgJ2QyWL?ztUip)jVt`#m@ld58L1%)`Iy4CIU@e zmp=N`4Uc%y2i$hV=G((5?Njqk>BUW-hs8FE^&I}eOM>I!F9HJWOtg*Fu_|Epv(T`@ z;~x2CD4Kw@DeC{Ks6v3=A$2kpFkU$^(q*^1hOXWn!)FLgWfCerPZ%&v6%1!pn#<>> z2J9B_ltr#YFp)I_bkY$g$~^A$KV~bjWjoCql>VU&A{5#3lBh`e3CV}kj%Gj|UxXYl zm>A>^OG=G_wzR5J88fH5)*Q|D@!*nr2qNwvhXLfrq#<(7%Kmx*oEf${1=B!`T~3|( zp@w3@1)4G@w9C9xm@jes(c&t0_{apYnZXyw{D-V4lH*UrQz}Ryj2p}XIt7MA4sMdl z9L3gPnG_E$lrKf!;7i_*nSyO$wU+ zAitTb(t2Vca%OIy{4Co7GVVV=hrfka*VA`C&3IGn%Hvu00V%*j=G1*HCkZs>EGEKp z;h0n8nf@v$r85%N62gG>E>)QogndH{3+?Rza$*HkJ*`UULY0NY+hHp5iU8#7j%c{) zT_Q=&0TD3*FIg{UId>AWAt$dexUKud;@mbxTWW0fXjSy$PLE-CyV9hbV%v_3+!Jm+ z4sJqhWsX;Qtvqr;XzS;Z-jGzK)(w|ThGZ_uxh;ow-KkIYk}^L;4-Dnc^dF0`!AuCZ ztD)qk$|$~{sv@3SGnAiQmlL;xI`Aroifl99<6n;k!=;zyRV7T!;J?hkvI0tMYeX&a za`c_H=L{Filj19Ykz{cmSG8YnS<5d;!#ZHxBkP+QUN4*o->jbt zC3An8h~U?z0W-?A7i35DLMKag1IoKaaL9pRqJ9Gen$u-aOpYLO#uVgKHo%% zUsvS0^m3rbpp4DjiEV$#Fj2dgR8+Z?(!XC64NrPARRhUR36KinILx8Kz@I=%C%(|L ze*4^L%>aM+aCm8K-1E&g4t#MBW@2)fV1f?o=}i-o=rw9Njbh 
zIiq+6l>+0&-mPwRHAQAzBerPKzRiYpg-elV`qJs*U6 z9@~E?u{oH8+G?Te#eGcG2D6E)jOLaaoB#Rjftwam^+o5^JZkFUj6+qP6)EYn-@4BA0rfA=2sv6jFBA80|PSevg z7^50s$>ajwg9vz;jBdEDfoGs=@FwE9wgxNgWOY#P5}o}fDc@Lwn_@=UxVpMfVd?l! zyf-F;Hp3o-4Xpu8I8EQU zYD)pl-Mu%_>Zx(Mbibdg;tP1)gO=K!2Kdte$$no??-JDbYtN*r3K+MNXB^AJ2xA7a z{uLfrjc=)zYI%$c%46H6`cmNA=o)c}7jMTL@ADT%h>bYmokUgHw&qN*dOS z(wN6qO~1Iv`vy*RznmE%_q1L1K*#5fp{cX6h(Y((3yRH}-RiKH`C zoEUHiKMm)*z1xU!l=gWq%At9y%f#4rGu;`r2Dg(RQWV88MtgxdTTHVf_WMRO-#2 zIVU39IdW97+-;`U!Mexq8N?0JU}lcK92PQrwv+Vus# zs&U|ovw&&-LcU9uHi+9&MUjdJ!rbB1h*F0Y_wzdvu%p)Mj!oPsQ-}SVN87676)>2% z3lD7~kH>6aac@+xv4l&wuDsKxsn))!25{JG9^n@Cl#?}4S0}38`ssTo46m+Z3{(Et4+^di`>bd5jmc zVB8?I%66JX_+3vs)Ohh|o#L7g=EBF@~_ z+sNZOhGG!(&(~Z$v3?>vd{>ggG4m}*s*UvZgdwy;8$^*Ze|KE^X)bR4O^f?ePRDZC zSNq!$&!*6Ogw~V7V>a$+rjJ-nQf+OmB@z$y%~odUO?E;RMOiN zn?JmpT?X;Nvu3^3!w4&=dz9{|xWHN#@`V_-76n{8s|{jjxFLT@Qg~oDe=xFvq|prN zgd_ZpWoSPWYqW50!pw_iGqmya`U?MQ$T8jcqS+`bXq1tY9||Zr3+=ylA;ee@B#pai zCCNBDT<=_q+tN=~C$_`IcsVe!)Ya-7G+r(0{ebzm{1d3XVqQac5aTi~sZfD{jZUm; zqeq$bgaXBg5vQP8ZWJSL(&OJc!Zt1!OiD(kO}f>7bl!*i5WP6mozNDS!Oe2F-xQxS z;jj3@`@on&B6X&KRzW*U3%}>Nct$N>nDwn*sR4EiZA7*J-cmhyVnGhz?S`<|1B86) z7VxDOyzPW}icYWOi$l?Rk2qohRZo%)IA2XaUnx!P!#>HUqEpk2Ns5nWRrH9^agxw_ zfv-~1y?26?FN_FlWj<6hY~vB&l{g#1oAPuWkRk;gDBDjpgq_)%Rs1hr*Hf@AELw%* z6_AyBsd~!lJwGhvJZK+;`(p1@(9X;UxZKy9el)Xq%>l-R4(Sq~FM^K{dD#yBrX*SL zpz1@;p(ml#%e_z6zz_*AFIJPNX7y*MI{AH7TuxrSl8&UV5lJT4$T5Nb*%p|g~eJHQPO229YYo|9#p`s}MAX1-uU zsa=qhU-(5+YoawYQV{<~XAJ1285anei)ea!F^Xg9s^B9J*h9stok@JF6c)OrAgZ6IBGb$+1k6-|@Ni*dRu#BDc z!5(O6Ax;_@<$tfZIG%ncaJQb;GfMknjxiq9))&$mkiwGw+BIU_FR(X9hMzw9GRyVUOms!tn~bhYB{#);C%(CNk9eSGyK`LL z?E8&Ri)hemzJotP5Uqr~L*|9y{agk7M0|yqnBUN=iURvi`{x>lpEI`pLuN{tirQZp zo@kt|qQ|*EGeR`$u@c+|7d^>F;f$E^#mb*5!hp=$ln+I9?OMAH(sYy!Ncn+*uFcI% z`8dNtPj^O%R80^C#h~5T>kCGlqjW%ccFgA;ElT3Gw1u-v7a73$rb^4yE2ff)SYxUH zC(zSzzRFsnW&z&{^Bqi-QrE7VV~`9iZmJYY(^jjXjB$(nR63G6{B=O`>B*v59Lg-( zKK}{CTV+GB1b4h5q@ZfGq;TNrSFk}yYp`Eu#VI>di{U=6>BFw>Payk<`b7)m@goLc 
z-+K-5)yP0sBQfLZQw=@uFc$bg#Sj^&A%~$MY!%wBJ_ld|LxWLQFob0Dms4ubnjcyW zTO1n5x^R5acTr6}O&U7ZXlnUKFxrs#DkEaBUZc6+nYC>^VRqxj6hD$Wae9CmdC@P# zSX$e~jHlIS$VTmv^(A(FiF>Ng*@ya$ocAH?x)PP}A+v_a=;t^ckOAu`e6s3s9esAC z=o2Le#!BTV;d`N>Aq zv)QFDcdyosNiXDIt2>#<^>9Aez9WE{w(fv+n~_3%3eEMHImu9*xo_+WES76-AjA%I z)|`}~_Nq|`+fWFeyE>NXgg|$+@mDVxKf= zmLB5HSeLV3J@C@=Z<0r@q~*a4j1c|`c=%x*fPgHpCFUN;~R{%lPr*@SI3b#l?1{fM+{(a=)`NU8}_s#8V}h*6VyNjz&2IwICXzO4FlTtx0Lgp=VD5Wp?eS}LW`rcXv7Pt6~KB0L?;J4*UL?1QQ1 zA~6nQg4J!hJ*o^YrOyK?=#?#?za{`};?d|Vo8lFp6k{knNAvWp;}gkQAoyA&f*w7y&`n|3$U3X`XOUqNpT>`P$17{27Dm2`9U%>r}lk4u&3V6U9($hWS zVLcH5zEvd+tl_Cl_7s-`BkLzs^mJSoj^zhXuCT}7{{<(UgKE#P^wGHnu zoL#z!od@dmN=vkS{BGj-uYs#`U$?$`d9)Ci2bG)|#LyYrJq z|AAQiQa@OEXpCfA(go*}-!-_|qdNxQ%3ATo@5)Il$>a|IWz~fKXbZz%4mv-EIOuQ2npQ09<9aNYQA_=O zYOeEUK+nlt-L12Go?M6wJhW7=vA!2_SH5p-`85qp)b6Awbe~UzWh-nHTBl=Gy2qO% z{walzAj9}4JgnMx4b;;ZutF}r>}!|&lMi*Kdg_{{GH0{3cjEP|=~|^e%pY9s&pRP< z?wcl!r}w+pwHVXd`6qyAp8(@3_3M&eH_*i^l85_dW6X*J7S{+ewxD8AJHSx8t!4Ii z57yncpNout4q=>)sjzZ2bVHPeXS!qHoUD9aHc_0!#k(!9n$Uo>rMi{!1}xx&C@P$;Ne6m=ka7>Z@I>nZwTBf2c{cGaO<~I5c+U*DJ9w@G^g>$4wlyd)EX*oy>qz--@rVHc+`@r%= z;*MBmIP{5~{uXL*s5*O&-tP>2Z0nGXR0qUOlFv(js>yZ}!Vj+ng;FIY%@mSl!#jM-yGd9c%Xu=D49)E3~O$`myanjWof)yAd!vr24EE3&>Uj;HzGfmbC*r&(-^)w0kXkP1XhZ zw!JKl|5Lrh0NDbgDl~VGFg%whr3m$A9B%P0HYcBq(Er+gR;^QZ1jjViQr=_-*Bw zug1Esc1DaH8?8P=vG3&g>qPLgTK9Yhm(YN#nJ~l;ySO`~=4>ln2ov4Y&f1>Xnp$9_R7hU{prsHSf%Zpod=r1Q3qu+P@Twc~ z9F9=E*n3qKU&vd0FRIjw(aX)H>wa}~P9GP<62b(8Wa?f_Kh4QdC3NCq5!IzjZ^t+T5Y1=-bwL z;T}_Cyi~ZUqz#Z1Er>WFZ1Rmu%d5Tsz`HPF->NzH(U0_YWX;=*DO7W=9-#!^;P4y`4XcFfA1@{dmU}X*`Y^Pr#2%K^eZpr`VVW= z)3KGf-0p_ChdJ`S#B<61`XFdidCyhV?wzM|eV-}Uvr1OL>$pbGi_6n?FnKq}tz91l zow;GSkdyqg_-WZdxF8IeCWTK=J*k{%`3T+*c0RAC$~>bO*L*wT41*jw@0%UP$9}k9 z-Q*oPR8%Q6FG`DS4MYasZyzIK^ zGqbVJSnzmvDYHG#OHfsk+%r63CFJ!5VUoMx(9xs@3w!Tug5lWk050r5Zx&0-DG#jQ zMce5{wm3O?t(<(j!vF7=<_WVZO&P0em!xiAk4@dw1e8PV^K}`>c73Q{bq(cS%DEI` zoah^vrM8Y1_?4y}zeV`Av?Dsws zpo5GmIV!W zkX^v{Y@ 
zH|Xprw6;{fVs$Uonu0$WKCM~5G$7_5?LASJZJZaja~zngb=b300t~<6cY0&r(>glM zs}EO*g^vMmys}-#w8t$C2NxE>sVT)fK8c>!eF2pbqmmRV517Vm=s)`nF=Qm~{ld>v zSAdwOv@$^Kf$%IJ0J4APb3dk4t3Yn8;V14pbp6eQgqy<)Be1(wV?a{OsKFNh!!Bw{ zHYGm52YNX>+#Tve$-Wi<<689>wh-J)*dt>N(&4$cDUN->M}<}`%e&b14{q+em1YabMwLSCS_@dZjS#+yea8|^0 zXt#OwJ88|vkCMRw)LBx8-lkKq7E@TmJE{5-bg@?hc{2$DsO7F><2_o=*8(rlf!Ri! zLy4&FJmgd_=?XR*ss+Nf@|kV)s~Ri7{!`c37iTld<$F}k(V8NeZN|+>9_XjjrH`+x zcqWuoCJi66++AS15IG%Af1na~aN>sTW@uCi-;F%Fm`UoVe586R&hOKzqtEsMgDlwR z2FKcK%mhpThcc!J2*<|Xw@&kFZTI3%N53EjND}#Dv*svn1Rw%p;h-Nww z3lHIz9x(3FRGbBDoRC!lb#xN|Ri^pWoZou5$1u~<)hg2sktF-6OJ|H6c)GPeT)PpB zQ!}@=@ExI^zM{+N0W9~ffc)>c_iEed2U2m$24vQPWx?2}X(aFNWmMn@UEp|Vtz_|- z4IsHLrRVny0cgO1x29tp)Ah{-u$D(18y~ik0xByZZu^Kf58_Vsk6oZp#;kfCQ~_Rl ze;EA;c=o=y8NFMApClPrZ@>U!)KYfef>SdIMkOnCO`si0_qv&CH>r1!pQF_*0^720 zj&vDvc7rs3O~0D|PI{%pyT&G?vQHnMGyeSSt{Pz7{r$##2S%sOh5HSc0M-92#slSg z%nBG-8$FZ&7=cbh{HTiqqVU0|S*@2*U(B!ivz>0Vetf+TM>9KHs>i<#D*%W?il=&=RMegP!JR6F8z zWDsZJuQ(8hm!s0P4xUE3m)dVz^e;>JQQP^ng+nOvMvlF|sYbfeLHF%W(6Jt^qBqs^ znu)XB?O|?iI|Ir+tgC&YSI~NgDUX?1pi_Y*yy(sUpz%Y8JhC2B^BeO!&K|dbdJ~g} zR zB+IlS##R>;xky7=+`+`U8-L79O=yAe)zynncxJXW^;P z!cpOM@~xZGr`zZbz{tZrm~*8s)dPgPIA1f@su@>#TLiNz@TXzg=x|tzv4*@4asJ@a zFRTbFnqf%dGJ(P&p&Cn<-I+U2RIgSzZtxsyEA_H7a(HisB)&FH#TgjrzTWS^sf~Cs zcN?hR0b_A+PO{GQ>HgZ5ouQz=tm89+2uIst5{LXH@m{ob8&$)ytt(9X5ic7mc8riD zYjiY(4`O5UXHATWQ;;a~DeCc{iE1E2t`DK!{0|*fH*U;k+@e}qHq4+VDrWnsJ2bWI zl}a4$>SzIKBBh`(9eiP^{^aod_h4ISU5-l{Cc{0vwAQ0r5_?9c;j%j{otb-Jqk3-V zMYijTDg19rSz)i3tP z0H$^L$$$}^22(&`N^wNiQ*vKmmHhM(s4}3`Gf2GjNo+rQ_|Wde;Zsth$<3=%MKOl4 zf4oa7Bwd_&t$Ljc6axMMFRM=m9u@fQ4r3v2kvnz9~vGnaoh$b z@>&~3t)cqEdrO#qzTdONIWdJYH75GEh8SAAVKm`bCP32K_IFY-;=eNG_OEHRTHnQX z#|f9r%-{XEd&h~Uu-2h^;%Cbqo(IeHZrkFE5BW097$m&LBY$}ui5I0>+ofm4?-t`t z^|v#$EVMxe-=>E-?5~a@^Ua_&`Yg~K&>z02WwcDDEqVK5$`&uH*WUG(+N=@S!RwKs zO8Ucm==B`!KlSbMYic9rXZtR-)jAY(m(4YF9%(rFO$;zQ5>N*Epg7B=U*|i`9YsmA z1Ah&9nSRDQYjzq;iVt-87UK3~(RZA?bmnfAkKaMvU-w(z>*HqkCz<{q_TD_4&Gh>p 
zH;d^^wbkiV(@|yGnJ(5$YwX)}U$nGUrM9$HR3o+^wj|xuOjUG2YM(A>t+gd0k+hVw zf(%MZLXZ+f5(E+1eh*zf?@qlxpYPwlYg{fD51#vZ&VBB4pZj&rc^$*$g{6m6vzYs9 z4V%&z=ty~?zj_m2vq}cayOPfvQ=hj0$s{%#p+I)(n#H7!(|L~&(V*VPKUG&AlT3sG ztf1{vI$kXSb?OPUXe&RoYgx@c#`f%q0|2A1pRy!{^f-HM* z(N|iGRwx^}ntp39r)0&nMQEiCJUk~+RTDk^`TZpHfY9D1*$DsVzsksZxvdXXbD5ib zxT>iE;)%e&HN~^K$FX_tRmv z6ETZ)nx$Fi?Y}QdE*E{X4zM3pc58LJ(e6zF6ivEL%Btby%L~L`dzrzm*OCqof%Iu` zlaE%Uu-w=$A+yc%BqMq5!4T3wFK=j-(mg2T?9K|(*p?R>L!AreIhWR|;T!`OfK zD>_%YyM^y23gj#U`mz3}QO-&*YK}Ef@fAGiL1*h2)D-hc*Par zm-bzhyk-$4R_raCJE7qP#Fv(}!AadN4`IkB@?{aeAB_lcvK-Dk;U62{m;B>`7p)4= z4rge@f*v2c1KA>yf$h-RcI18t#|jA-@s<+PHTsOJpuGL5VitMZS>AK~qtV8D8Vqv;+i-M6! z3&Yv0TpH=Rck!&0b|4LTUJw~t^_ld4A8viw;nO?fP_6r}peIPT!U#m{n4Y)#^?){6 zDysf#moGp=C>c4D7DXyHtFgBjfA$_Qd-@2$0{}%yc@qyKD2Z;qIe5QZ^kv!_Y1nBq zV=s{TH;tjv)?C4FwTe~Ew>5{9sXl|6v_Jw%Crj5j2`}1@*q)#Memd5suDZ)0W?ZNI zM8P%x_$^~kH=(#W>oz?xD9nsijDuGjy#j886eOt{Oy0pMFQge`nIES2p|Q{K1*@RY z_|S-tSQ)^IVjPwKdh5`$BZL~TzC+(k)P0XX5l7F)TxiKc14(598(*BWa4?SBj5^`= zQ!l*R0`KS*-fht>Ez27}qW=!RJld;Uwa?;LpmyuXK*Z4}zqt?cbHLHEHEG=KhEdlu z9-i10)>YoYsE2iKlgG!8#Av$3njjsM8>BvgIY)Gnuu`{is|0M6>XOFhS=8C? 
z--cM8=>SKln#qmlw4tUh%0lkD{rTmuk-ns@K3tc!^|cts3AU*&zuxve#9VOP((6H^ z$OycCSnXAzJteJ@J~c>(mhQC25wsF_W1Y;FC&D9>~EXvN#NVM$HZxq>8UzA zZl`MmZASWwW)7q5I|XxV9P*;(yQ<8e)9QEws~)E*XWg!q0BFKg9X}xpiRF%Gk-CRg+5IM)GH z2Pa`fU)-y9`8GUd`u!Y0Qwib)7wIztRJ~Ej&sK=o^Qz4w7<~NNwc(7|pm0g(#Fi!o zp?s#D+nS1(vH*qL)otFB7eD#kEN7IMUJrX8A=OBo4kV9TAJ_Ao>DhK83+bB-aNdo} z@B&>}{Fu~55ZJqAU#|(<-4mr#^J4uFCLx!eWz#y}Y_9E=`X|&tdP4ZHZPxnc(WmN; z?6yqkd;f9s0Qk8bvdgpJ)*H1PsITN{d0Z(0q8h2vdtIB-H*{9( z2Sj8$-M_isC}#iV&>&z%znTM>SC`Y%X14b#>loyxZ!|HJbvv4R<<%~^}_G61j% zBp+R)U9Mloq7LWeCMl)f?VwX2FP$qxdDi=ey14xSS>f96rPEx~I-zdL>DkOL0q;G+ z=j=@99RTBKjDMu+RWPAdLcJ*mNAnYI6sPU*`fYz2QfUGg1MuMFivszMisJe4fhA8& zfz+~QDO1?nVODkH9>Ho&{@T=2^$#xQ==pT&bWEXjjU2dYbqfT&4Q!_tGm1_Q^qy*i zaJ(EtC@Y6s2d->1(BtOMY_wCV&Vt^Qy$5NqdZQ}=7&ClJgC!zU{tFsEl9X1)ayPQl z$yO%m)Z`rAMn=P}omsQM+hBp0 zf%O(v)-EvA=I1Z3a|BO{Pu^|(CAzO~d{F$NeARMl9tcCfDa<(mMEQ0U+Ik(|VOI>D zmbHjAO1eJe`Bejr0IoiEok#biBt2{&*mLqrPuJ}mn|ecV_&idUeo3pYg#ZYK(bgtH zH27cX+UU0*6rjPB@lcl0pB~I zaSuq?&*{Kh*9$VsCtfR(af}Cd<`ybIkk75> zgYvg3zI}F6F6`iCzr4vgD+HEV8L^=^;OTWQrd?+7w=z4?bjf>vpl0J$^IU|sWBH;57T^KL$s0D)EfI+IJG;;H(7g| zydt2_qr$*dgsG9w`(e%C8~EkpEPLkpi#J)35_@6S4(Y~vCpXz5eeCpWs7%u;K$Kf3Y?3-fMm3;8y2a~#FHgtE#$-lI|Ow+nYNK$`L0xXS!iC<1055CuYpuuA6n(BJ<%=5O^5;+ONl2}OM`uH za#OG53m&tqlFP3OH$-_-o{Q;*U5>DPl->54g~9zZ$R+mgW#OPfNury{vY+0{)&?2< zyjok$n2bK0;*-zF(%&?Mi=t$KdXW}};OK0pVu33i_MvKbQTtv$x@mF$k%uS8s2%VP zUB!r0Bi&(JCFRc{gY6Ci9AKW3{nh9B8c2Fu#yS7!0E#d>$_v`<2vXxJj zTgC&08p6!(Ag^|G%#kDuc{cf`N3NE;$VA(@TPGjq0_047@a(Q$eU)&OI?es^fiMeJ zuv(H{xqCot6jpKuxqbK>ws^mrF#pe$RgcVnGz?S+%D+zz5ZFMdfMjWyI*Z^N84`SR zj14*CbD1wO;ukg3-WzPFugUO0%AZX&0AX*74f!Il0NRFgfK77dzwBITYl3nOYBK^| zV>jl4eUyDR>Lh@hH#Hk5S9f6%z{-YR1nv8o)t zvsNjSM8s^Q;DClPv*vD3DbEw%*Q>uz*n+vAus#Z@li!cAojH)VIy!bGl)<+J8cLK; zV`>Jf6W5HZzp@X^F+U&JZK2y^)&b?yUewRLDzfi3$FiQpl2#5*MWGS==BdCZh*`^>yRW@%DGIh?f>F9(+SR&2xD*V#?kEAKiDA7i+#9nS!9u~JMc==HY2PZ zugCrqUMMRZZ{CJZWV0PR4Rmr0U0n1wkwXAl`U0@GZQhJkCmLV|J}^oFciR$;thSxq 
zHQo7Q{ZS;O5*Z)Ye}4-?-xi;gWviq{oyfZu6M;VJfJM|an_-wmrz~*8&~ay`4kB^^ zjyb%LquzgJ%7Kh*M<Vla<7>Omt2c_X+MuWC5Y;0#Z|+H*qPI?hvT_`TK0BU z(_gRmp@8v7dO$xglEX)eU;ZZ7)^4Af9}U2WZQOd(LRUDV8OSi`m7<#ZUtG~* zTC05HJ*-9+BvEk0V~ZLsKQ4~jzLw3$Hv!bszX`AiJ0Gru3G?rcnqS4TrzwK%-)~!S zsq{JGgIGK*q$m@hhSJj}~v0PxcE;4NU6x&g!yo|Js4~bbd?j z7g3(4k`*4zktq7(dCj}&QcmB(JvBeeuZu`#nM9sNNo!*~fR3BdbHg*OM2$OLQ2+Zg zS1VieG@d2^mAKAvT!1$oh|J!7vS!MhMr)N!o-R95z3Edk@2qxfp-$8`#*7*3)kpCZ zSMefm-$J4P)&q~zz+Vh-ya#DU%r&Cr1Su}Ih63pnbSRR!&hYjgAAqNLeIh!O%XB#`3n5$V7d$Ci($54}k*Eo)FzV?RR9 z%XIdEzJWN^#%Ah%t39>T^QDJjZ7M4Z;kU(*j{FVB&sHApCa}r+ zV&ZAuZEY(8I~RtZ_L)Katf(GuCbM&(8*Kb81NWa-R6ksLkytE5U*}64?#~U`QBLYx zP$oN*3I$WL(CrWgvHl&&Z^9rA-zJ0oiYk!;i=v4(1-_wJdCtOkENT{CL8 zfH0vQ-GDH=uM5GkdQ#$v2WriAkN_)-zW~?z2%OH)1BOBN=$uNv30XD7i$-)KU5~$n zkQ0Z4u1>;x9lHrGUda%rBdq})Y9s{QqJFUz%9(c294HG?Wdv-oIk$1j4yUZ$lY4p` zst&gXJ@UEkeQab?qI1hk^dVaG5!%gcUZx52g242TY@SzBYpumTiHUH}fN5=tcv<>K zXRW@em9)b-J>a-4Dt$YK-1h}O7dxGvn(87Yt`xI%3=tTpu9bLrUAB}8&O$JH$hBBX z>%DCn*4(!d-|pSg+cWgWt+cFDQ62vuljmc9ca%3O3Y)V@u+dt#fol;N`<1$WQz7z; z%0|;CUPd;@!@H6GGu1b@KWraqx&tldGp!Jy$t2xwI+t8B{pR=~Gr4lRoPaY+%DCSJ z4XCmc{FfseGbw(v5FkSe1IUnSfvRl!+sNI+N9RkojqY${=Tcn^*5rs5-1?4?-UqR+ zT%c@gT2q_iU+V=pcO&@D>4<27J+-rIi;bV1?Z6unc~+^{O};(LLuJmxB3LI%Ep9qe zN{jSHsXpA(2;ub&?~1spP1S{p@ahbK{ju$_5)MNk;XawV;ITJWLhzcL!NsDsPub?d z=4Fcb`q@NW3}ls!3_pD@Kc|DEzwS@EYkcu^tV6R_?erQmdb-};B<14H98MbF&pvi&{f{X62uTw?8>|+FBX940)SuY~a+MPG9ZOuM-jp&jiQB-h?WjClQ?a9x4K1Oa zjm4B2$C9Vn8Zf(2aa#RsQvh%*3pyE*9nK9Dd_456KNWHPA=zMl4&6a-KC-Do8LebH z3R~^(SGHs;Aw4Mn4S@utx;LwI&os+lK5Q$d4yl$tQT8~^3r%iR!e65j4b8i%O%_0~ zue56flTWOYT_F$l4^Q&wqdU|`%LaD797`y1r0d|$Rz`u#kxAZKi9yP$d<9UbLbEvC zcj302(auAXrpYIyCb(da15{13&!YO5%*gXw%*~WB;`KJ`1b;7Liv8sAw}MyCVDk#d zbJldcU`Mop3-moP7b^=J5|Ss@vRU`dN2L2{xv|Q#<%`d`1go!#gN=eam*JWZ5HHnJ z>ufX^DScQePycv4zT)-doMJ97G+m5V)1l40$G}v?!;%n>FogloYrtT|$3U~UkDtmV zjfEKHQZ&RWu~Y1RLFNL|01%c*e_M>sR_hB<<_eN|BC+I4lf4KGK-o2K8*RV{`0zFv zRQfmjxNk?dp#I+nB1O*$=$z8CS#R->n)v>*;CCfvUx|Mq@y2wNW5BWd%jU@mQ7P3d zvqd+>W-7% 
zn|6N4ibze#`ao&eg#L7rQ-2z!AB#MR!5Hu`eR_kH12(goq6tbZ>9h*;Q8 z4kCd3!zQ)xU0&=m6+xq@dW02&(N_EMLr#nL>Fys@&crRG&@DyMtOBIVBb1V$3D@eN zcf$}T>9!h!VenU1`4ZqhT02q=d(&F~$$#aAlg%{7H0za-$D{62u4*7{ao zsT3`8o-DT3dE}K|WBTGAL)ucG%k87;*e_dmjq%*+0 zrPcKSvo;a=dv_XdrfggWGz$R>m7O;0dUa<+>RY&W7`Emxu$*OHmv&0*^7`dNT_04% zeRfIKj7@WNveM$HQ;8Z;H#cS)?{ZQbRf zcA$B|K=1u8Z10Is(+kb!c2*mHkoh_-AUh@{>R?i0>K9u+N*wpUOPmQbhCCH^U9{-< ze-$&m5KAW_Ye^)fI}n2hJxgvcuXrGmf6!X|UzOuUBh79f)&|G@e_b2T_*U)_KoYfJ zv~VuwGXC8l(wQjnoJhTwHpxeyM#+zbMwt1XxnHr+_h%%VL}jJC3*)E+s{vJDIsomU z*Pt-Y;^PYu{*M+bcXo6Y;F<{)oi??~`!T@Q{dSIX z_EtUGJ}C-lLe%?kYSXb@=zNKyb_g~vzQ2Ia3Wj5ot}iAnsys7{j8YWEM6O?(c^9DL zUjUT8vi~@pi2r>$RfgWZIzWQ`{^bBN?RSvbeM-cJln51-?LV}ZIy70Ts5E~@xeo9~ zFUBhuh*IB^Uj9yaUv)SS#UJ-yrgCZLfNbnh(N`+Ztp5pg0^Fki4*sv$|5Z5Zzf0|3 zBlE9$1=@Lh=;iV6#`5o$`t&QnDf!o#_}7j4*Ma>1iR(PK>1&n6k7}LrqYug!zP(gy z*`@xjk5kVt^FMw0?)R)^-CNsS7ruYywUM{%9n&~$4RZAt?|v`18gTc5!NT`vN-;BE zy=xa~`lsz5?|!W!-i15#+q#7xp1M%yFE6&cKA17L`rVD*e+{(@K?dvWSoPszIoBM$ zW$_14%fz0SO0H6>{Oa8e17A@cvVHEdSyNDYWdOYoP~}6jcN;jid&uavGe;t z{H>9z%NMSys044g&RFJ?v0~9vOav`l3fN@%{&Cw4>eV;3Ez?-Is-n_wx}sFQ$rNbf zjOLqaf)_5m*&U`hyeQ;Hr?2bmexRgf+CR^L1mw_X(6Jo zCHbf;+U3$-CFZNna3LGXM1F4@SXzRV51i1_S5aZ*e`1Q8L)hGz%=o;m(jT7jC$d{( zOYVQ6vxF5d;(R$}BC!_>#nc^^EmA1qQVgG`jvaLULZu(I@;`0sU&*5A);&&l<=^#3 zL^}FuGycBhxP+nW3i(2EBUauKa;Y&&96m8uOPHOBw+|@-%sTZGvwrMllnwX(lP1O2 z!B(Vv;{@o1XMcWfjxTH@JvIMX$X1rdCKVAnfgAaUsMx6K?)&51)xjNBo>wqQb@`-41wC*K5?r%AVJK&8?=-x2&Y7D=piiwS}oB&*|}XgidH+ecu^%r-NgA7!WhhVg5!c! zFMAz(*$=6uxAcF~IWaRw^UU`TUN*Yn3})iFjfXI-R_n3h=dMAIzk=qA>|;=lwOAYd zWEMs`Bi)LFZN%}fvA}JWt;!lSnvVh8vuBo{I3-=d3JKX<{pe8!!OlmpSF*LQqWS>P zTOx-TaY8f)=XP5NqA|hh3@gtLRm~fp`8k&&>eLeAKxZj)Q{Y|@1Z_nQ)@X?9Ju2B! 
From 57eea3cb3b20b2c30defa8548a218ecd16fafe1c Mon Sep 17 00:00:00 2001
From: Louie Mayor Date: Wed, 10 Apr 2019 23:57:27 +0000 Subject: [PATCH 51/51] Updated advanced-hunting-reference-windows-defender-advanced-threat-protection.md --- ...-reference-windows-defender-advanced-threat-protection.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index 467af897d1..e513f42e95 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md @@ -42,6 +42,8 @@ To effectively build queries that span multiple tables, you need to understand t | AdditionalFields | string | Additional information about the event in JSON array format | | AlertId | string | Unique identifier for the alert | | AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | +| Category | string | Type of threat indicator or breach activity identified by the alert | +| ClientVersion | string | Version of the endpoint agent or sensor running on the machine | | ComputerName | string | Fully qualified domain name (FQDN) of the machine | | ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. | | DefaultGateways | string | Default gateway addresses in JSON array format | 
@@ -89,6 +91,7 @@ To effectively build queries that span multiple tables, you need to understand t | OSArchitecture | string | Architecture of the operating system running on the machine | | OSBuild | string | Build version of the operating system running on the machine | | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | +| OsVersion | string | Version of the operating system running on the machine | | PreviousRegistryKey | string | Original registry key of the registry value before it was modified | | PreviousRegistryValueData | string | Original data of the registry value before it was modified | | PreviousRegistryValueName | string | Original name of the registry value before it was modified | @@ -110,8 +113,10 @@ To effectively build queries that span multiple tables, you need to understand t | RemotePort | int | TCP port on the remote device that was being connected to | | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. | +| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | | SHA1 | string | SHA-1 of the file that the recorded action was applied to | | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | +| RegistryMachineTag | string | Machine tag added through the registry | | Table | string | Table that contains the details of the event | | TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
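Review bot: the new `Category` row in the first hunk (@@ -42,6 +42,8 @@) says the column holds the "type of threat indicator or breach activity" but does not list the values it can take, and readers of this reference build filters on exactly that column; please enumerate the possible categories or link to where they are defined, in the same way the `ConnectedNetworks` row spells out the fields of its JSON entries. The `ClientVersion` row reads fine as written.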
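Review bot: the `OsVersion` column name added in the second hunk (@@ -89,6 +91,7 @@) does not follow the `OS` prefix casing of the neighbouring `OSArchitecture`, `OSBuild` and `OSPlatform` rows. Column names in advanced hunting queries are case-sensitive, so a reader copying the name from this table will get a query error if the documented casing is wrong; please confirm the exact name against the schema and, if it is `OSVersion`, correct the row (its slot after `OSPlatform` is then also the right alphabetical position).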
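Review bot: `RegistryMachineTag` in the third hunk (@@ -110,8 +113,10 @@) is inserted after `SHA256`, which breaks the alphabetical ordering the rest of the table keeps; move it up to sit before `RemotePort`, where the other `Re…` columns are. The `Severity` row is placed correctly between `ReportId` and `SHA1`, but like `Category` it only makes sense for alert records, so consider saying so in the description rather than leaving readers to infer it from "identified by the alert".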