From a58d47d3e4ea2b3f77367625ba7d20daeea3fb15 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 22 Apr 2021 21:45:30 -0700 Subject: [PATCH] Conversion to YAML: ./windows/security/threat-protection/TOC.md --- windows/security/threat-protection/TOC.md | 723 ---------- windows/security/threat-protection/TOC.yml | 1412 ++++++++++++++++++++ 2 files changed, 1412 insertions(+), 723 deletions(-) delete mode 100644 windows/security/threat-protection/TOC.md create mode 100644 windows/security/threat-protection/TOC.yml diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md deleted file mode 100644 index 0ac50df65e..0000000000 --- a/windows/security/threat-protection/TOC.md +++ /dev/null 
@@ -1,723 +0,0 @@ -# [Threat protection](index.md) - -## [Next-generation protection with Microsoft Defender Antivirus]() -### [Microsoft Defender Antivirus overview](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) -### [Evaluate Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus) - -### [Configure Microsoft Defender Antivirus]() -#### [Configure Microsoft Defender Antivirus features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features) - -#### [Use Microsoft cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus) -##### [Prevent security settings changes with tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) -##### [Enable Block at first sight](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) -##### [Configure the cloud block timeout period](/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus) - -#### [Configure behavioral, heuristic, and real-time protection]() -##### [Configuration overview](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus) -##### [Detect and block Potentially Unwanted Applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) -##### [Enable and configure always-on protection and monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus) - -#### [Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server) - -#### [Antivirus compatibility]() -##### [Compatibility 
charts](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility) -##### [Use limited periodic antivirus scanning](/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus) - -#### [Manage Microsoft Defender Antivirus in your business]() -##### [Management overview](/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus) -##### [Use Microsoft Intune and Microsoft Endpoint Manager to manage Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus) -##### [Use Group Policy settings to manage Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus) -##### [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) -##### [Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus) -##### [Use the mpcmdrun.exe command line tool to manage Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus) - -#### [Deploy, manage updates, and report on Microsoft Defender Antivirus]() -##### [Preparing to deploy](/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus) -##### [Deploy and enable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus) -##### [Deployment guide for VDI environments](/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus) - -##### [Report on antivirus protection]() -##### [Review protection status and alerts](/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus) -##### [Troubleshoot 
antivirus reporting in Update Compliance](/microsoft-365/security/defender-endpoint/troubleshoot-reporting) -##### [Learn about the recent updates](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus) -##### [Manage protection and security intelligence updates](/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus) -##### [Manage when protection updates should be downloaded and applied](/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus) -##### [Manage updates for endpoints that are out of date](/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus) -##### [Manage event-based forced updates](/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus) -##### [Manage updates for mobile devices and VMs](/microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus) - -#### [Customize, initiate, and review the results of scans and remediation]() -##### [Configuration overview](/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus) - -##### [Configure and validate exclusions in antivirus scans](/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus) -##### [Configure and validate exclusions based on file name, extension, and folder location](/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus) -##### [Configure and validate exclusions for files opened by processes](/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus) -##### [Configure antivirus exclusions Windows Server](/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus) -##### [Common mistakes when defining 
exclusions](/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus) -##### [Configure scanning antivirus options](/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus) -##### [Configure remediation for scans](/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus) -##### [Configure scheduled scans](/microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus) -##### [Configure and run scans](/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus) -##### [Review scan results](/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus) -##### [Run and review the results of an offline scan](/microsoft-365/security/defender-endpoint//microsoft-defender-offline) - -#### [Restore quarantined files](/microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus) - -#### [Manage scans and remediation]() -##### [Management overview](/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus) - -##### [Configure and validate exclusions in antivirus scans]() -##### [Exclusions overview](/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus) -##### [Configure and validate exclusions based on file name, extension, and folder location](/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus) -##### [Configure and validate exclusions for files opened by processes](/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus) -##### [Configure antivirus exclusions on Windows Server](/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus) - -##### [Configure scanning 
options](/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus) - -#### [Configure remediation for scans](/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus) -##### [Configure scheduled scans](/microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus) -##### [Configure and run scans](/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus) -##### [Review scan results](/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus) -##### [Run and review the results of an offline scan](/microsoft-365/security/defender-endpoint/microsoft-defender-offline) -##### [Restore quarantined files](/microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus) - -### [Troubleshoot Microsoft Defender Antivirus]() -#### [Troubleshoot Microsoft Defender Antivirus issues](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus) -#### [Troubleshoot Microsoft Defender Antivirus migration issues](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating) - -## [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus) -## [Better together: Microsoft Defender Antivirus and Office 365](/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus) - -## [Hardware-based isolation]() - -### [Hardware-based isolation evaluation](microsoft-defender-application-guard/test-scenarios-md-app-guard.md) - -### [Application isolation]() -#### [Application guard overview](microsoft-defender-application-guard/md-app-guard-overview.md) -#### [System requirements](microsoft-defender-application-guard/reqs-md-app-guard.md) -#### [Install Microsoft Defender Application 
Guard](microsoft-defender-application-guard/install-md-app-guard.md) -#### [Install Microsoft Defender Application Guard Extension](microsoft-defender-application-guard/md-app-guard-browser-extension.md) - -### [Application control](windows-defender-application-control/windows-defender-application-control.md) -#### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md) - -### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) - -### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) - -## [Code integrity](device-guard/enable-virtualization-based-protection-of-code-integrity.md) -## [Network firewall]() -### [Network firewall overview](windows-firewall/windows-firewall-with-advanced-security.md) -### [Network firewall evaluation](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) - -## [Security intelligence](intelligence/index.md) -### [Understand malware & other threats](intelligence/understanding-malware.md) -#### [Prevent malware infection](intelligence/prevent-malware-infection.md) -#### [Malware names](intelligence/malware-naming.md) -#### [Coin miners](intelligence/coinminer-malware.md) -#### [Exploits and exploit kits](intelligence/exploits-malware.md) -#### [Fileless threats](intelligence/fileless-threats.md) -#### [Macro malware](intelligence/macro-malware.md) -#### [Phishing](intelligence/phishing.md) -#### [Ransomware](intelligence/ransomware-malware.md) -#### [Rootkits](intelligence/rootkits-malware.md) -#### [Supply chain attacks](intelligence/supply-chain-malware.md) -#### [Tech support scams](intelligence/support-scams.md) -#### [Trojans](intelligence/trojans-malware.md) -#### [Unwanted software](intelligence/unwanted-software.md) -#### [Worms](intelligence/worms-malware.md) -### [How Microsoft identifies malware and 
PUA](intelligence/criteria.md) -### [Submit files for analysis](intelligence/submission-guide.md) -### [Safety Scanner download](intelligence/safety-scanner-download.md) -### [Industry collaboration programs](intelligence/cybersecurity-industry-partners.md) -#### [Virus information alliance](intelligence/virus-information-alliance-criteria.md) -#### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md) -#### [Coordinated malware eradication](intelligence/coordinated-malware-eradication.md) -### [Information for developers]() -#### [Software developer FAQ](intelligence/developer-faq.md) -#### [Software developer resources](intelligence/developer-resources.md) - -## [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md) -### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md) -### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md) -### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center/wdsc-windows-10-in-s-mode.md) -### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md) -### [Account protection](windows-defender-security-center/wdsc-account-protection.md) -### [Firewall and network protection](windows-defender-security-center/wdsc-firewall-network-protection.md) -### [App and browser control](windows-defender-security-center/wdsc-app-browser-control.md) -### [Device security](windows-defender-security-center/wdsc-device-security.md) -### [Device performance and health](windows-defender-security-center/wdsc-device-performance-health.md) -#### [Family options](windows-defender-security-center/wdsc-family-options.md) - -## [Microsoft Defender SmartScreen](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) -### [Microsoft Defender SmartScreen Group Policy and mobile device 
management (MDM) settings](microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md) -### [Set up and use Microsoft Defender SmartScreen on individual devices](microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md) - - -## [Windows Sandbox](windows-sandbox/windows-sandbox-overview.md) -### [Windows Sandbox architecture](windows-sandbox/windows-sandbox-architecture.md) -### [Windows Sandbox configuration](windows-sandbox/windows-sandbox-configure-using-wsb-file.md) - -### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - - -## Windows Certifications - -### [FIPS 140 Validations](fips-140-validation.md) -### [Common Criteria Certifications](windows-platform-common-criteria.md) - - -## More Windows 10 security -### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) - -### [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) - -### [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) - -### [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md) - -### [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) - -### [Security auditing](auditing/security-auditing-overview.md) - -#### [Basic security audit policies](auditing/basic-security-audit-policies.md) -##### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md) -##### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md) -##### [View the security event 
log](auditing/view-the-security-event-log.md) - -##### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md) -###### [Audit account logon events](auditing/basic-audit-account-logon-events.md) -###### [Audit account management](auditing/basic-audit-account-management.md) -###### [Audit directory service access](auditing/basic-audit-directory-service-access.md) -###### [Audit logon events](auditing/basic-audit-logon-events.md) -###### [Audit object access](auditing/basic-audit-object-access.md) -###### [Audit policy change](auditing/basic-audit-policy-change.md) -###### [Audit privilege use](auditing/basic-audit-privilege-use.md) -###### [Audit process tracking](auditing/basic-audit-process-tracking.md) -###### [Audit system events](auditing/basic-audit-system-events.md) - -#### [Advanced security audit policies](auditing/advanced-security-auditing.md) -##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md) -##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md) -###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md) -###### [How to list XML elements in \](auditing/how-to-list-xml-elements-in-eventdata.md) - -###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) -####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md) -####### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md) -####### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md) -####### [Monitor central access policy and rule 
definitions](auditing/monitor-central-access-policy-and-rule-definitions.md) -####### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md) -####### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md) -####### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md) -####### [Monitor claim types](auditing/monitor-claim-types.md) - -###### [Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md) -####### [Audit Credential Validation](auditing/audit-credential-validation.md) -####### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md) -####### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md) -####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md) -####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md) -###### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md) -####### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md) -####### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md) -####### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md) -###### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md) -####### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md) -####### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md) -####### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md) -###### [Audit Other Account Logon 
Events](auditing/audit-other-account-logon-events.md) -###### [Audit Application Group Management](auditing/audit-application-group-management.md) -###### [Audit Computer Account Management](auditing/audit-computer-account-management.md) -####### [Event 4741 S: A computer account was created.](auditing/event-4741.md) -####### [Event 4742 S: A computer account was changed.](auditing/event-4742.md) -####### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md) -###### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md) -####### [Event 4749 S: A security-disabled global group was created.](auditing/event-4749.md) -####### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md) -####### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md) -####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md) -####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md) -###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md) -####### [Event 4782 S: The password hash of an account was accessed.](auditing/event-4782.md) -####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md) -###### [Audit Security Group Management](auditing/audit-security-group-management.md) -####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md) -####### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md) -####### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md) -####### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md) -####### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md) -####### [Event 4764 S: A group�s type was 
changed.](auditing/event-4764.md) -####### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md) -###### [Audit User Account Management](auditing/audit-user-account-management.md) -####### [Event 4720 S: A user account was created.](auditing/event-4720.md) -####### [Event 4722 S: A user account was enabled.](auditing/event-4722.md) -####### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md) -####### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md) -####### [Event 4725 S: A user account was disabled.](auditing/event-4725.md) -####### [Event 4726 S: A user account was deleted.](auditing/event-4726.md) -####### [Event 4738 S: A user account was changed.](auditing/event-4738.md) -####### [Event 4740 S: A user account was locked out.](auditing/event-4740.md) -####### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md) -####### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md) -####### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md) -####### [Event 4780 S: The ACL was set on accounts that are members of administrators groups.](auditing/event-4780.md) -####### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md) -####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md) -####### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md) -####### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md) -####### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md) -###### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md) -####### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md) -####### [Event 4693 
S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md) -####### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md) -####### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md) -###### [Audit PNP Activity](auditing/audit-pnp-activity.md) -####### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md) -####### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md) -####### [Event 6420 S: A device was disabled.](auditing/event-6420.md) -####### [Event 6421 S: A request was made to enable a device.](auditing/event-6421.md) -####### [Event 6422 S: A device was enabled.](auditing/event-6422.md) -####### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md) -####### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md) -###### [Audit Process Creation](auditing/audit-process-creation.md) -####### [Event 4688 S: A new process has been created.](auditing/event-4688.md) -####### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md) -###### [Audit Process Termination](auditing/audit-process-termination.md) -####### [Event 4689 S: A process has exited.](auditing/event-4689.md) -###### [Audit RPC Events](auditing/audit-rpc-events.md) -####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md) -###### [Audit Token Right Adjusted](auditing/audit-token-right-adjusted.md) -####### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md) -###### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md) -####### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md) -####### [Event 4929 S, F: An Active 
Directory replica source naming context was removed.](auditing/event-4929.md) -####### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md) -####### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md) -####### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md) -####### [Event 4935 F: Replication failure begins.](auditing/event-4935.md) -####### [Event 4936 S: Replication failure ends.](auditing/event-4936.md) -####### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md) -###### [Audit Directory Service Access](auditing/audit-directory-service-access.md) -####### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md) -####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md) -###### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md) -####### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md) -####### [Event 5137 S: A directory service object was created.](auditing/event-5137.md) -####### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md) -####### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md) -####### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md) -###### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md) -####### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md) -####### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md) -###### [Audit Account Lockout](auditing/audit-account-lockout.md) -####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md) -###### [Audit User/Device 
Claims](auditing/audit-user-device-claims.md) -####### [Event 4626 S: User/Device claims information.](auditing/event-4626.md) -###### [Audit Group Membership](auditing/audit-group-membership.md) -####### [Event 4627 S: Group membership information.](auditing/event-4627.md) -###### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md) -###### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md) -###### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md) -###### [Audit Logoff](auditing/audit-logoff.md) -####### [Event 4634 S: An account was logged off.](auditing/event-4634.md) -####### [Event 4647 S: User initiated logoff.](auditing/event-4647.md) -###### [Audit Logon](auditing/audit-logon.md) -####### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md) -####### [Event 4625 F: An account failed to log on.](auditing/event-4625.md) -####### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md) -####### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md) -###### [Audit Network Policy Server](auditing/audit-network-policy-server.md) -###### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md) -####### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md) -####### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md) -####### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md) -####### [Event 4800 S: The workstation was locked.](auditing/event-4800.md) -####### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md) -####### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md) -####### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md) -####### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md) -####### [Event 5632 S, F: A request was made to authenticate to a 
wireless network.](auditing/event-5632.md) -####### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md) -###### [Audit Special Logon](auditing/audit-special-logon.md) -####### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md) -####### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md) -###### [Audit Application Generated](auditing/audit-application-generated.md) -###### [Audit Certification Services](auditing/audit-certification-services.md) -###### [Audit Detailed File Share](auditing/audit-detailed-file-share.md) -####### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md) -###### [Audit File Share](auditing/audit-file-share.md) -####### [Event 5140 S, F: A network share object was accessed.](auditing/event-5140.md) -####### [Event 5142 S: A network share object was added.](auditing/event-5142.md) -####### [Event 5143 S: A network share object was modified.](auditing/event-5143.md) -####### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md) -####### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md) -###### [Audit File System](auditing/audit-file-system.md) -####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) -####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) -####### [Event 4660 S: An object was deleted.](auditing/event-4660.md) -####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) -####### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md) -####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) -####### [Event 5051: A file was virtualized.](auditing/event-5051.md) -####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) 
-###### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md) -####### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md) -####### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md) -####### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md) -####### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md) -####### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md) -####### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md) -####### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md) -####### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md) -####### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md) -###### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md) -####### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md) -####### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md) -###### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md) -####### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md) -###### [Audit Kernel Object](auditing/audit-kernel-object.md) -####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) -####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) -####### 
[Event 4660 S: An object was deleted.](auditing/event-4660.md) -####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) -###### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md) -####### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md) -####### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md) -####### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md) -####### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md) -####### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md) -####### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md) -####### [Event 4700 S: A scheduled task was enabled.](auditing/event-4700.md) -####### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md) -####### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md) -####### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md) -####### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md) -####### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md) -###### [Audit Registry](auditing/audit-registry.md) -####### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md) -####### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md) -####### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md) -####### [Event 4660 S: An object was deleted.](auditing/event-4660.md) -####### [Event 4657 S: A registry value was modified.](auditing/event-4657.md) -####### [Event 5039: A registry key was virtualized.](auditing/event-5039.md) -####### [Event 
4670 S: Permissions on an object were changed.](auditing/event-4670.md) -###### [Audit Removable Storage](auditing/audit-removable-storage.md) -###### [Audit SAM](auditing/audit-sam.md) -####### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md) -###### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md) -####### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md) -###### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md) -####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) -####### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md) -####### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md) -####### [Event 4817 S: Auditing settings on object were changed.](auditing/event-4817.md) -####### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md) -####### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md) -####### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md) -####### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md) -####### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md) -####### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md) -####### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md) -###### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md) -####### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md) -####### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md) -####### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md) -####### [Event 4713 S: 
Kerberos policy was changed.](auditing/event-4713.md) -####### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md) -####### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md) -####### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md) -####### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md) -####### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md) -####### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md) -####### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md) -###### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md) -####### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md) -####### [Event 4704 S: A user right was assigned.](auditing/event-4704.md) -####### [Event 4705 S: A user right was removed.](auditing/event-4705.md) -####### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md) -####### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md) -####### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md) -###### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md) -###### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md) -####### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md) -####### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md) -####### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md) -####### [Event 4947 S: A change has been made to Windows Firewall exception list. 
A rule was modified.](auditing/event-4947.md) -####### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md) -####### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md) -####### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md) -####### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md) -####### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md) -####### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md) -####### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing/event-4954.md) -####### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md) -####### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md) -####### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md) -###### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md) -####### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md) -####### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md) -####### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md) -####### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md) -####### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md) -####### [Event 5063 S, F: A cryptographic provider operation was 
attempted.](auditing/event-5063.md) -####### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md) -####### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md) -####### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md) -####### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md) -####### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md) -####### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md) -####### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md) -####### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md) -####### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing/event-6144.md) -####### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md) -###### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md) -####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md) -####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md) -####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) -###### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md) -####### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md) -####### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md) -####### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md) -###### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md) -####### [Event 4985 S: The 
state of a transaction has changed.](auditing/event-4985.md) -###### [Audit IPsec Driver](auditing/audit-ipsec-driver.md) -###### [Audit Other System Events](auditing/audit-other-system-events.md) -####### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md) -####### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md) -####### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md) -####### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md) -####### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing/event-5029.md) -####### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md) -####### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md) -####### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md) -####### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md) -####### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md) -####### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md) -####### [Event 5058 S, F: Key file operation.](auditing/event-5058.md) -####### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md) -####### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md) -####### [Event 6401: BranchCache: Received invalid data from a peer. 
Data discarded.](auditing/event-6401.md) -####### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md) -####### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md) -####### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md) -####### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md) -####### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md) -####### [Event 6407: 1%.](auditing/event-6407.md) -####### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md) -####### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md) -###### [Audit Security State Change](auditing/audit-security-state-change.md) -####### [Event 4608 S: Windows is starting up.](auditing/event-4608.md) -####### [Event 4616 S: The system time was changed.](auditing/event-4616.md) -####### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md) -###### [Audit Security System Extension](auditing/audit-security-system-extension.md) -####### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md) -####### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md) -####### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md) -####### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md) -####### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md) -###### [Audit System 
Integrity](auditing/audit-system-integrity.md) -####### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md) -####### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md) -####### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md) -####### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md) -####### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md) -####### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md) -####### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md) -####### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md) -####### [Event 5060 F: Verification operation failed.](auditing/event-5060.md) -####### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md) -####### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md) -####### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md) -###### [Other Events](auditing/other-events.md) -####### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md) -####### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md) -####### [Event 1104 S: The security log is now full.](auditing/event-1104.md) -####### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md) -####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md) -###### [Appendix A: Security monitoring recommendations for many audit 
events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md) -###### [Registry (Global Object Access Auditing)](auditing/registry-global-object-access-auditing.md) -###### [File System (Global Object Access Auditing)](auditing/file-system-global-object-access-auditing.md) - - - - - -### [Security policy settings](security-policy-settings/security-policy-settings.md) -#### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md) -##### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md) -#### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md) -#### [Security policy settings reference](security-policy-settings/security-policy-settings-reference.md) -##### [Account Policies](security-policy-settings/account-policies.md) -###### [Password Policy](security-policy-settings/password-policy.md) -####### [Enforce password history](security-policy-settings/enforce-password-history.md) -####### [Maximum password age](security-policy-settings/maximum-password-age.md) -####### [Minimum password age](security-policy-settings/minimum-password-age.md) -####### [Minimum password length](security-policy-settings/minimum-password-length.md) -####### [Password must meet complexity requirements](security-policy-settings/password-must-meet-complexity-requirements.md) -####### [Store passwords using reversible encryption](security-policy-settings/store-passwords-using-reversible-encryption.md) -###### [Account Lockout Policy](security-policy-settings/account-lockout-policy.md) -####### [Account lockout duration](security-policy-settings/account-lockout-duration.md) -####### [Account lockout threshold](security-policy-settings/account-lockout-threshold.md) -####### [Reset account lockout counter after](security-policy-settings/reset-account-lockout-counter-after.md) -###### [Kerberos 
Policy](security-policy-settings/kerberos-policy.md) -####### [Enforce user logon restrictions](security-policy-settings/enforce-user-logon-restrictions.md) -####### [Maximum lifetime for service ticket](security-policy-settings/maximum-lifetime-for-service-ticket.md) -####### [Maximum lifetime for user ticket](security-policy-settings/maximum-lifetime-for-user-ticket.md) -####### [Maximum lifetime for user ticket renewal](security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md) -####### [Maximum tolerance for computer clock synchronization](security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md) -##### [Audit Policy](security-policy-settings/audit-policy.md) -##### [Security Options](security-policy-settings/security-options.md) -###### [Accounts: Administrator account status](security-policy-settings/accounts-administrator-account-status.md) -###### [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) -###### [Accounts: Guest account status](security-policy-settings/accounts-guest-account-status.md) -###### [Accounts: Limit local account use of blank passwords to console logon only](security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md) -###### [Accounts: Rename administrator account](security-policy-settings/accounts-rename-administrator-account.md) -###### [Accounts: Rename guest account](security-policy-settings/accounts-rename-guest-account.md) -###### [Audit: Audit the access of global system objects](security-policy-settings/audit-audit-the-access-of-global-system-objects.md) -###### [Audit: Audit the use of Backup and Restore privilege](security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md) -###### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md) 
-###### [Audit: Shut down system immediately if unable to log security audits](security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md) -###### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) -###### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) -###### [Devices: Allow undock without having to log on](security-policy-settings/devices-allow-undock-without-having-to-log-on.md) -###### [Devices: Allowed to format and eject removable media](security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md) -###### [Devices: Prevent users from installing printer drivers](security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md) -###### [Devices: Restrict CD-ROM access to locally logged-on user only](security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md) -###### [Devices: Restrict floppy access to locally logged-on user only](security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md) -###### [Domain controller: Allow server operators to schedule tasks](security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md) -###### [Domain controller: LDAP server signing requirements](security-policy-settings/domain-controller-ldap-server-signing-requirements.md) -###### [Domain controller: Refuse machine account password changes](security-policy-settings/domain-controller-refuse-machine-account-password-changes.md) -###### [Domain member: Digitally encrypt or sign secure channel data (always)](security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) 
-###### [Domain member: Digitally encrypt secure channel data (when possible)](security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md) -###### [Domain member: Digitally sign secure channel data (when possible)](security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md) -###### [Domain member: Disable machine account password changes](security-policy-settings/domain-member-disable-machine-account-password-changes.md) -###### [Domain member: Maximum machine account password age](security-policy-settings/domain-member-maximum-machine-account-password-age.md) -###### [Domain member: Require strong (Windows 2000 or later) session key](security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md) -###### [Interactive logon: Display user information when the session is locked](security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md) -###### [Interactive logon: Don't display last signed-in](security-policy-settings/interactive-logon-do-not-display-last-user-name.md) -###### [Interactive logon: Don't display username at sign-in](security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md) -###### [Interactive logon: Do not require CTRL+ALT+DEL](security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md) -###### [Interactive logon: Machine account lockout threshold](security-policy-settings/interactive-logon-machine-account-lockout-threshold.md) -###### [Interactive logon: Machine inactivity limit](security-policy-settings/interactive-logon-machine-inactivity-limit.md) -###### [Interactive logon: Message text for users attempting to log on](security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md) -###### [Interactive logon: Message title for users attempting to log on](security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md) -###### 
[Interactive logon: Number of previous logons to cache (in case domain controller is not available)](security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) -###### [Interactive logon: Prompt user to change password before expiration](security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md) -###### [Interactive logon: Require Domain Controller authentication to unlock workstation](security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) -###### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md) -###### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md) -###### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md) -###### [SMBv1 Microsoft network client: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md) -###### [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md) -###### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md) -###### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md) -###### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md) -###### [Microsoft network 
server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md) -###### [SMBv1 Microsoft network server: Digitally sign communications (always)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md) -###### [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md) -###### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md) -###### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md) -###### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md) -###### [Network access: Do not allow anonymous enumeration of SAM accounts](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md) -###### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md) -###### [Network access: Do not allow storage of passwords and credentials for network authentication](security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md) -###### [Network access: Let Everyone permissions apply to anonymous users](security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md) -###### [Network access: Named Pipes that can be accessed anonymously](security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md) -###### [Network access: Remotely accessible registry 
paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md) -###### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md) -###### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md) -###### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) -###### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md) -###### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md) -###### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) -###### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md) -###### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md) -###### [Network security: Configure encryption types allowed for Kerberos](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md) -###### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md) -###### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md) -###### 
[Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md) -###### [Network security: LDAP client signing requirements](security-policy-settings/network-security-ldap-client-signing-requirements.md) -###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md) -###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md) -###### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) -###### [Network security: Restrict NTLM: Add server exceptions in this domain](security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md) -###### [Network security: Restrict NTLM: Audit incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md) -###### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md) -###### [Network security: Restrict NTLM: Incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md) -###### [Network security: Restrict NTLM: NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) -###### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) -###### [Recovery console: Allow automatic 
administrative logon](security-policy-settings/recovery-console-allow-automatic-administrative-logon.md) -###### [Recovery console: Allow floppy copy and access to all drives and folders](security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md) -###### [Shutdown: Allow system to be shut down without having to log on](security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md) -###### [Shutdown: Clear virtual memory pagefile](security-policy-settings/shutdown-clear-virtual-memory-pagefile.md) -###### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md) -###### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md) -###### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md) -###### [System objects: Strengthen default permissions of internal system objects (Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md) -###### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md) -###### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md) -###### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md) -###### [User Account Control: Allow UIAccess applications to prompt for 
elevation without using the secure desktop](security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md) -###### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md) -###### [User Account Control: Behavior of the elevation prompt for standard users](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) -###### [User Account Control: Detect application installations and prompt for elevation](security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md) -###### [User Account Control: Only elevate executables that are signed and validated](security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md) -###### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) -###### [User Account Control: Run all administrators in Admin Approval Mode](security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md) -###### [User Account Control: Switch to the secure desktop when prompting for elevation](security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) -###### [User Account Control: Virtualize file and registry write failures to per-user locations](security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md) -##### [Advanced security audit policy settings](security-policy-settings/secpol-advanced-security-audit-policy-settings.md) -##### [User Rights 
Assignment](security-policy-settings/user-rights-assignment.md) -###### [Access Credential Manager as a trusted caller](security-policy-settings/access-credential-manager-as-a-trusted-caller.md) -###### [Access this computer from the network](security-policy-settings/access-this-computer-from-the-network.md) -###### [Act as part of the operating system](security-policy-settings/act-as-part-of-the-operating-system.md) -###### [Add workstations to domain](security-policy-settings/add-workstations-to-domain.md) -###### [Adjust memory quotas for a process](security-policy-settings/adjust-memory-quotas-for-a-process.md) -###### [Allow log on locally](security-policy-settings/allow-log-on-locally.md) -###### [Allow log on through Remote Desktop Services](security-policy-settings/allow-log-on-through-remote-desktop-services.md) -###### [Back up files and directories](security-policy-settings/back-up-files-and-directories.md) -###### [Bypass traverse checking](security-policy-settings/bypass-traverse-checking.md) -###### [Change the system time](security-policy-settings/change-the-system-time.md) -###### [Change the time zone](security-policy-settings/change-the-time-zone.md) -###### [Create a pagefile](security-policy-settings/create-a-pagefile.md) -###### [Create a token object](security-policy-settings/create-a-token-object.md) -###### [Create global objects](security-policy-settings/create-global-objects.md) -###### [Create permanent shared objects](security-policy-settings/create-permanent-shared-objects.md) -###### [Create symbolic links](security-policy-settings/create-symbolic-links.md) -###### [Debug programs](security-policy-settings/debug-programs.md) -###### [Deny access to this computer from the network](security-policy-settings/deny-access-to-this-computer-from-the-network.md) -###### [Deny log on as a batch job](security-policy-settings/deny-log-on-as-a-batch-job.md) -###### [Deny log on as a service](security-policy-settings/deny-log-on-as-a-service.md) 
-###### [Deny log on locally](security-policy-settings/deny-log-on-locally.md) -###### [Deny log on through Remote Desktop Services](security-policy-settings/deny-log-on-through-remote-desktop-services.md) -###### [Enable computer and user accounts to be trusted for delegation](security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md) -###### [Force shutdown from a remote system](security-policy-settings/force-shutdown-from-a-remote-system.md) -###### [Generate security audits](security-policy-settings/generate-security-audits.md) -###### [Impersonate a client after authentication](security-policy-settings/impersonate-a-client-after-authentication.md) -###### [Increase a process working set](security-policy-settings/increase-a-process-working-set.md) -###### [Increase scheduling priority](security-policy-settings/increase-scheduling-priority.md) -###### [Load and unload device drivers](security-policy-settings/load-and-unload-device-drivers.md) -###### [Lock pages in memory](security-policy-settings/lock-pages-in-memory.md) -###### [Log on as a batch job](security-policy-settings/log-on-as-a-batch-job.md) -###### [Log on as a service](security-policy-settings/log-on-as-a-service.md) -###### [Manage auditing and security log](security-policy-settings/manage-auditing-and-security-log.md) -###### [Modify an object label](security-policy-settings/modify-an-object-label.md) -###### [Modify firmware environment values](security-policy-settings/modify-firmware-environment-values.md) -###### [Perform volume maintenance tasks](security-policy-settings/perform-volume-maintenance-tasks.md) -###### [Profile single process](security-policy-settings/profile-single-process.md) -###### [Profile system performance](security-policy-settings/profile-system-performance.md) -###### [Remove computer from docking station](security-policy-settings/remove-computer-from-docking-station.md) -###### [Replace a process level 
token](security-policy-settings/replace-a-process-level-token.md) -###### [Restore files and directories](security-policy-settings/restore-files-and-directories.md) -###### [Shut down the system](security-policy-settings/shut-down-the-system.md) -###### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md) -###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md) - -### Windows security guidance for enterprises - -#### [Windows security baselines](windows-security-configuration-framework/windows-security-baselines.md) -##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md) -##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md) - -### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml new file mode 100644 index 0000000000..9e2e05229f --- /dev/null +++ b/windows/security/threat-protection/TOC.yml 
@@ -0,0 +1,1412 @@ +- name: Threat protection + href: index.md + items: + - name: Next-generation protection with Microsoft Defender Antivirus + items: + - name: Microsoft Defender Antivirus overview + href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10 + - name: Evaluate Microsoft Defender Antivirus + href: /microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus + - name: Configure Microsoft Defender Antivirus + items: + - name: Configure Microsoft Defender Antivirus features + href: /microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features + - name: Use Microsoft cloud-delivered protection + href: /microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus + items: + - name: Prevent security settings changes with tamper protection + href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection + - name: Enable Block at first sight + href: /microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus + - name: Configure the cloud block timeout period + href: /microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus + - name: Configure behavioral, heuristic, and real-time protection + items: + - name: Configuration overview + href: /microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus + - name: Detect and block Potentially Unwanted Applications + href: /microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus + - name: Enable and configure always-on protection and monitoring + href: /microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus + - name: Antivirus on Windows Server + href: 
/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server + - name: Antivirus compatibility + items: + - name: Compatibility charts + href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility + - name: Use limited periodic antivirus scanning + href: /microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus + - name: Manage Microsoft Defender Antivirus in your business + items: + - name: Management overview + href: /microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus + - name: Use Microsoft Intune and Microsoft Endpoint Manager to manage Microsoft Defender Antivirus + href: /microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus + - name: Use Group Policy settings to manage Microsoft Defender Antivirus + href: /microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus + - name: Use PowerShell cmdlets to manage Microsoft Defender Antivirus + href: /microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus + - name: Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus + href: /microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus + - name: Use the mpcmdrun.exe command line tool to manage Microsoft Defender Antivirus + href: /microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus + - name: Deploy, manage updates, and report on Microsoft Defender Antivirus + items: + - name: Preparing to deploy + href: /microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus + - name: Deploy and enable Microsoft Defender Antivirus + href: /microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus + - name: Deployment guide for VDI environments + href: 
/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus + - name: Report on antivirus protection + - name: Review protection status and alerts + href: /microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus + - name: Troubleshoot antivirus reporting in Update Compliance + href: /microsoft-365/security/defender-endpoint/troubleshoot-reporting + - name: Learn about the recent updates + href: /microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus + - name: Manage protection and security intelligence updates + href: /microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus + - name: Manage when protection updates should be downloaded and applied + href: /microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus + - name: Manage updates for endpoints that are out of date + href: /microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus + - name: Manage event-based forced updates + href: /microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus + - name: Manage updates for mobile devices and VMs + href: /microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus + - name: Customize, initiate, and review the results of scans and remediation + items: + - name: Configuration overview + href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus + - name: Configure and validate exclusions in antivirus scans + href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus + - name: Configure and validate exclusions based on file name, extension, and folder location + href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus + - 
name: Configure and validate exclusions for files opened by processes + href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus + - name: Configure antivirus exclusions Windows Server + href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus + - name: Common mistakes when defining exclusions + href: /microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus + - name: Configure scanning antivirus options + href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus + - name: Configure remediation for scans + href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus + - name: Configure scheduled scans + href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus + - name: Configure and run scans + href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus + - name: Review scan results + href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus + - name: Run and review the results of an offline scan + href: /microsoft-365/security/defender-endpoint//microsoft-defender-offline + - name: Restore quarantined files + href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus + - name: Manage scans and remediation + items: + - name: Management overview + href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus + - name: Configure and validate exclusions in antivirus scans + - name: Exclusions overview + href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus + - name: Configure and validate exclusions based on file name, extension, and folder location + href: 
/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus + - name: Configure and validate exclusions for files opened by processes + href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus + - name: Configure antivirus exclusions on Windows Server + href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus + - name: Configure scanning options + href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus + - name: Configure remediation for scans + href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus + items: + - name: Configure scheduled scans + href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus + - name: Configure and run scans + href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus + - name: Review scan results + href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus + - name: Run and review the results of an offline scan + href: /microsoft-365/security/defender-endpoint/microsoft-defender-offline + - name: Restore quarantined files + href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus + - name: Troubleshoot Microsoft Defender Antivirus + items: + - name: Troubleshoot Microsoft Defender Antivirus issues + href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus + - name: Troubleshoot Microsoft Defender Antivirus migration issues + href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating + - name: "Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint" + href: /microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus 
+ - name: "Better together: Microsoft Defender Antivirus and Office 365" + href: /microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus + - name: Hardware-based isolation + items: + - name: Hardware-based isolation evaluation + href: microsoft-defender-application-guard/test-scenarios-md-app-guard.md + - name: Application isolation + items: + - name: Application guard overview + href: microsoft-defender-application-guard/md-app-guard-overview.md + - name: System requirements + href: microsoft-defender-application-guard/reqs-md-app-guard.md + - name: Install Microsoft Defender Application Guard + href: microsoft-defender-application-guard/install-md-app-guard.md + - name: Install Microsoft Defender Application Guard Extension + href: microsoft-defender-application-guard/md-app-guard-browser-extension.md + - name: Application control + href: windows-defender-application-control/windows-defender-application-control.md + items: + - name: Audit Application control policies + href: windows-defender-application-control/audit-windows-defender-application-control-policies.md + - name: System isolation + href: windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md + - name: System integrity + href: windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md + - name: Code integrity + href: device-guard/enable-virtualization-based-protection-of-code-integrity.md + - name: Network firewall + items: + - name: Network firewall overview + href: windows-firewall/windows-firewall-with-advanced-security.md + - name: Network firewall evaluation + href: windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md + - name: Security intelligence + href: intelligence/index.md + items: + - name: Understand malware & other threats + href: intelligence/understanding-malware.md + items: + - name: Prevent malware infection + href: intelligence/prevent-malware-infection.md + - 
name: Malware names + href: intelligence/malware-naming.md + - name: Coin miners + href: intelligence/coinminer-malware.md + - name: Exploits and exploit kits + href: intelligence/exploits-malware.md + - name: Fileless threats + href: intelligence/fileless-threats.md + - name: Macro malware + href: intelligence/macro-malware.md + - name: Phishing + href: intelligence/phishing.md + - name: Ransomware + href: intelligence/ransomware-malware.md + - name: Rootkits + href: intelligence/rootkits-malware.md + - name: Supply chain attacks + href: intelligence/supply-chain-malware.md + - name: Tech support scams + href: intelligence/support-scams.md + - name: Trojans + href: intelligence/trojans-malware.md + - name: Unwanted software + href: intelligence/unwanted-software.md + - name: Worms + href: intelligence/worms-malware.md + - name: How Microsoft identifies malware and PUA + href: intelligence/criteria.md + - name: Submit files for analysis + href: intelligence/submission-guide.md + - name: Safety Scanner download + href: intelligence/safety-scanner-download.md + - name: Industry collaboration programs + href: intelligence/cybersecurity-industry-partners.md + items: + - name: Virus information alliance + href: intelligence/virus-information-alliance-criteria.md + - name: Microsoft virus initiative + href: intelligence/virus-initiative-criteria.md + - name: Coordinated malware eradication + href: intelligence/coordinated-malware-eradication.md + - name: Information for developers + items: + - name: Software developer FAQ + href: intelligence/developer-faq.md + - name: Software developer resources + href: intelligence/developer-resources.md + - name: The Windows Security app + href: windows-defender-security-center/windows-defender-security-center.md + items: + - name: Customize the Windows Security app for your organization + href: windows-defender-security-center/wdsc-customize-contact-information.md + - name: Hide Windows Security app notifications + href: 
windows-defender-security-center/wdsc-hide-notifications.md + - name: Manage Windows Security app in Windows 10 in S mode + href: windows-defender-security-center/wdsc-windows-10-in-s-mode.md + - name: Virus and threat protection + href: windows-defender-security-center/wdsc-virus-threat-protection.md + - name: Account protection + href: windows-defender-security-center/wdsc-account-protection.md + - name: Firewall and network protection + href: windows-defender-security-center/wdsc-firewall-network-protection.md + - name: App and browser control + href: windows-defender-security-center/wdsc-app-browser-control.md + - name: Device security + href: windows-defender-security-center/wdsc-device-security.md + - name: Device performance and health + href: windows-defender-security-center/wdsc-device-performance-health.md + items: + - name: Family options + href: windows-defender-security-center/wdsc-family-options.md + - name: Microsoft Defender SmartScreen + href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + items: + - name: Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings + href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md + - name: Set up and use Microsoft Defender SmartScreen on individual devices + href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md + - name: Windows Sandbox + href: windows-sandbox/windows-sandbox-overview.md + items: + - name: Windows Sandbox architecture + href: windows-sandbox/windows-sandbox-architecture.md + - name: Windows Sandbox configuration + href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md + - name: "Windows Defender Device Guard: virtualization-based security and WDAC" + href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - name: Windows Certifications + items: + - name: FIPS 140 Validations + href: 
fips-140-validation.md + - name: Common Criteria Certifications + href: windows-platform-common-criteria.md + - name: More Windows 10 security + items: + - name: Control the health of Windows 10-based devices + href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md + - name: Mitigate threats by using Windows 10 security features + href: overview-of-threat-mitigations-in-windows-10.md + - name: Override Process Mitigation Options to help enforce app-related security policies + href: override-mitigation-options-for-app-related-security-policies.md + - name: Use Windows Event Forwarding to help with intrusion detection + href: use-windows-event-forwarding-to-assist-in-intrusion-detection.md + - name: Block untrusted fonts in an enterprise + href: block-untrusted-fonts-in-enterprise.md + - name: Security auditing + href: auditing/security-auditing-overview.md + items: + - name: Basic security audit policies + href: auditing/basic-security-audit-policies.md + items: + - name: Create a basic audit policy for an event category + href: auditing/create-a-basic-audit-policy-settings-for-an-event-category.md + - name: Apply a basic audit policy on a file or folder + href: auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md + - name: View the security event log + href: auditing/view-the-security-event-log.md + - name: Basic security audit policy settings + href: auditing/basic-security-audit-policy-settings.md + items: + - name: Audit account logon events + href: auditing/basic-audit-account-logon-events.md + - name: Audit account management + href: auditing/basic-audit-account-management.md + - name: Audit directory service access + href: auditing/basic-audit-directory-service-access.md + - name: Audit logon events + href: auditing/basic-audit-logon-events.md + - name: Audit object access + href: auditing/basic-audit-object-access.md + - name: Audit policy change + href: auditing/basic-audit-policy-change.md + - name: Audit privilege 
use + href: auditing/basic-audit-privilege-use.md + - name: Audit process tracking + href: auditing/basic-audit-process-tracking.md + - name: Audit system events + href: auditing/basic-audit-system-events.md + - name: Advanced security audit policies + href: auditing/advanced-security-auditing.md + items: + - name: Planning and deploying advanced security audit policies + href: auditing/planning-and-deploying-advanced-security-audit-policies.md + - name: Advanced security auditing FAQ + href: auditing/advanced-security-auditing-faq.md + items: + - name: Which editions of Windows support advanced audit policy configuration + href: auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md + - name: How to list XML elements in \ + href: auditing/how-to-list-xml-elements-in-eventdata.md + - name: Using advanced security auditing options to monitor dynamic access control objects + href: auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md + items: + - name: Monitor the central access policies that apply on a file server + href: auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md + - name: Monitor the use of removable storage devices + href: auditing/monitor-the-use-of-removable-storage-devices.md + - name: Monitor resource attribute definitions + href: auditing/monitor-resource-attribute-definitions.md + - name: Monitor central access policy and rule definitions + href: auditing/monitor-central-access-policy-and-rule-definitions.md + - name: Monitor user and device claims during sign-in + href: auditing/monitor-user-and-device-claims-during-sign-in.md + - name: Monitor the resource attributes on files and folders + href: auditing/monitor-the-resource-attributes-on-files-and-folders.md + - name: Monitor the central access policies associated with files and folders + href: auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md + - name: Monitor claim types 
+ href: auditing/monitor-claim-types.md + - name: Advanced security audit policy settings + href: auditing/advanced-security-audit-policy-settings.md + items: + - name: Audit Credential Validation + href: auditing/audit-credential-validation.md + - name: "Event 4774 S, F: An account was mapped for logon." + href: auditing/event-4774.md + - name: "Event 4775 F: An account could not be mapped for logon." + href: auditing/event-4775.md + - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account." + href: auditing/event-4776.md + - name: "Event 4777 F: The domain controller failed to validate the credentials for an account." + href: auditing/event-4777.md + - name: Audit Kerberos Authentication Service + href: auditing/audit-kerberos-authentication-service.md + items: + - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested." + href: auditing/event-4768.md + - name: "Event 4771 F: Kerberos pre-authentication failed." + href: auditing/event-4771.md + - name: "Event 4772 F: A Kerberos authentication ticket request failed." + href: auditing/event-4772.md + - name: Audit Kerberos Service Ticket Operations + href: auditing/audit-kerberos-service-ticket-operations.md + items: + - name: "Event 4769 S, F: A Kerberos service ticket was requested." + href: auditing/event-4769.md + - name: "Event 4770 S: A Kerberos service ticket was renewed." + href: auditing/event-4770.md + - name: "Event 4773 F: A Kerberos service ticket request failed." + href: auditing/event-4773.md + - name: Audit Other Account Logon Events + href: auditing/audit-other-account-logon-events.md + - name: Audit Application Group Management + href: auditing/audit-application-group-management.md + - name: Audit Computer Account Management + href: auditing/audit-computer-account-management.md + items: + - name: "Event 4741 S: A computer account was created." + href: auditing/event-4741.md + - name: "Event 4742 S: A computer account was changed." 
+ href: auditing/event-4742.md + - name: "Event 4743 S: A computer account was deleted." + href: auditing/event-4743.md + - name: Audit Distribution Group Management + href: auditing/audit-distribution-group-management.md + items: + - name: "Event 4749 S: A security-disabled global group was created." + href: auditing/event-4749.md + - name: "Event 4750 S: A security-disabled global group was changed." + href: auditing/event-4750.md + - name: "Event 4751 S: A member was added to a security-disabled global group." + href: auditing/event-4751.md + - name: "Event 4752 S: A member was removed from a security-disabled global group." + href: auditing/event-4752.md + - name: "Event 4753 S: A security-disabled global group was deleted." + href: auditing/event-4753.md + - name: Audit Other Account Management Events + href: auditing/audit-other-account-management-events.md + items: + - name: "Event 4782 S: The password hash of an account was accessed." + href: auditing/event-4782.md + - name: "Event 4793 S: The Password Policy Checking API was called." + href: auditing/event-4793.md + - name: Audit Security Group Management + href: auditing/audit-security-group-management.md + items: + - name: "Event 4731 S: A security-enabled local group was created." + href: auditing/event-4731.md + - name: "Event 4732 S: A member was added to a security-enabled local group." + href: auditing/event-4732.md + - name: "Event 4733 S: A member was removed from a security-enabled local group." + href: auditing/event-4733.md + - name: "Event 4734 S: A security-enabled local group was deleted." + href: auditing/event-4734.md + - name: "Event 4735 S: A security-enabled local group was changed." + href: auditing/event-4735.md + - name: "Event 4764 S: A group�s type was changed." + href: auditing/event-4764.md + - name: "Event 4799 S: A security-enabled local group membership was enumerated." 
+ href: auditing/event-4799.md + - name: Audit User Account Management + href: auditing/audit-user-account-management.md + items: + - name: "Event 4720 S: A user account was created." + href: auditing/event-4720.md + - name: "Event 4722 S: A user account was enabled." + href: auditing/event-4722.md + - name: "Event 4723 S, F: An attempt was made to change an account's password." + href: auditing/event-4723.md + - name: "Event 4724 S, F: An attempt was made to reset an account's password." + href: auditing/event-4724.md + - name: "Event 4725 S: A user account was disabled." + href: auditing/event-4725.md + - name: "Event 4726 S: A user account was deleted." + href: auditing/event-4726.md + - name: "Event 4738 S: A user account was changed." + href: auditing/event-4738.md + - name: "Event 4740 S: A user account was locked out." + href: auditing/event-4740.md + - name: "Event 4765 S: SID History was added to an account." + href: auditing/event-4765.md + - name: "Event 4766 F: An attempt to add SID History to an account failed." + href: auditing/event-4766.md + - name: "Event 4767 S: A user account was unlocked." + href: auditing/event-4767.md + - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups." + href: auditing/event-4780.md + - name: "Event 4781 S: The name of an account was changed." + href: auditing/event-4781.md + - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password." + href: auditing/event-4794.md + - name: "Event 4798 S: A user's local group membership was enumerated." + href: auditing/event-4798.md + - name: "Event 5376 S: Credential Manager credentials were backed up." + href: auditing/event-5376.md + - name: "Event 5377 S: Credential Manager credentials were restored from a backup." 
+ href: auditing/event-5377.md + - name: Audit DPAPI Activity + href: auditing/audit-dpapi-activity.md + items: + - name: "Event 4692 S, F: Backup of data protection master key was attempted." + href: auditing/event-4692.md + - name: "Event 4693 S, F: Recovery of data protection master key was attempted." + href: auditing/event-4693.md + - name: "Event 4694 S, F: Protection of auditable protected data was attempted." + href: auditing/event-4694.md + - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted." + href: auditing/event-4695.md + - name: Audit PNP Activity + href: auditing/audit-pnp-activity.md + items: + - name: "Event 6416 S: A new external device was recognized by the System." + href: auditing/event-6416.md + - name: "Event 6419 S: A request was made to disable a device." + href: auditing/event-6419.md + - name: "Event 6420 S: A device was disabled." + href: auditing/event-6420.md + - name: "Event 6421 S: A request was made to enable a device." + href: auditing/event-6421.md + - name: "Event 6422 S: A device was enabled." + href: auditing/event-6422.md + - name: "Event 6423 S: The installation of this device is forbidden by system policy." + href: auditing/event-6423.md + - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy." + href: auditing/event-6424.md + - name: Audit Process Creation + href: auditing/audit-process-creation.md + items: + - name: "Event 4688 S: A new process has been created." + href: auditing/event-4688.md + - name: "Event 4696 S: A primary token was assigned to process." + href: auditing/event-4696.md + - name: Audit Process Termination + href: auditing/audit-process-termination.md + items: + - name: "Event 4689 S: A process has exited." + href: auditing/event-4689.md + - name: Audit RPC Events + href: auditing/audit-rpc-events.md + items: + - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted." 
+ href: auditing/event-5712.md + - name: Audit Token Right Adjusted + href: auditing/audit-token-right-adjusted.md + items: + - name: "Event 4703 S: A user right was adjusted." + href: auditing/event-4703.md + - name: Audit Detailed Directory Service Replication + href: auditing/audit-detailed-directory-service-replication.md + items: + - name: "Event 4928 S, F: An Active Directory replica source naming context was established." + href: auditing/event-4928.md + - name: "Event 4929 S, F: An Active Directory replica source naming context was removed." + href: auditing/event-4929.md + - name: "Event 4930 S, F: An Active Directory replica source naming context was modified." + href: auditing/event-4930.md + - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified." + href: auditing/event-4931.md + - name: "Event 4934 S: Attributes of an Active Directory object were replicated." + href: auditing/event-4934.md + - name: "Event 4935 F: Replication failure begins." + href: auditing/event-4935.md + - name: "Event 4936 S: Replication failure ends." + href: auditing/event-4936.md + - name: "Event 4937 S: A lingering object was removed from a replica." + href: auditing/event-4937.md + - name: Audit Directory Service Access + href: auditing/audit-directory-service-access.md + items: + - name: "Event 4662 S, F: An operation was performed on an object." + href: auditing/event-4662.md + - name: "Event 4661 S, F: A handle to an object was requested." + href: auditing/event-4661.md + - name: Audit Directory Service Changes + href: auditing/audit-directory-service-changes.md + items: + - name: "Event 5136 S: A directory service object was modified." + href: auditing/event-5136.md + - name: "Event 5137 S: A directory service object was created." + href: auditing/event-5137.md + - name: "Event 5138 S: A directory service object was undeleted." + href: auditing/event-5138.md + - name: "Event 5139 S: A directory service object was moved." 
+ href: auditing/event-5139.md + - name: "Event 5141 S: A directory service object was deleted." + href: auditing/event-5141.md + - name: Audit Directory Service Replication + href: auditing/audit-directory-service-replication.md + items: + - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun." + href: auditing/event-4932.md + - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended." + href: auditing/event-4933.md + - name: Audit Account Lockout + href: auditing/audit-account-lockout.md + items: + - name: "Event 4625 F: An account failed to log on." + href: auditing/event-4625.md + - name: Audit User/Device Claims + href: auditing/audit-user-device-claims.md + items: + - name: "Event 4626 S: User/Device claims information." + href: auditing/event-4626.md + - name: Audit Group Membership + href: auditing/audit-group-membership.md + items: + - name: "Event 4627 S: Group membership information." + href: auditing/event-4627.md + - name: Audit IPsec Extended Mode + href: auditing/audit-ipsec-extended-mode.md + - name: Audit IPsec Main Mode + href: auditing/audit-ipsec-main-mode.md + - name: Audit IPsec Quick Mode + href: auditing/audit-ipsec-quick-mode.md + - name: Audit Logoff + href: auditing/audit-logoff.md + items: + - name: "Event 4634 S: An account was logged off." + href: auditing/event-4634.md + - name: "Event 4647 S: User initiated logoff." + href: auditing/event-4647.md + - name: Audit Logon + href: auditing/audit-logon.md + items: + - name: "Event 4624 S: An account was successfully logged on." + href: auditing/event-4624.md + - name: "Event 4625 F: An account failed to log on." + href: auditing/event-4625.md + - name: "Event 4648 S: A logon was attempted using explicit credentials." + href: auditing/event-4648.md + - name: "Event 4675 S: SIDs were filtered." 
+ href: auditing/event-4675.md + - name: Audit Network Policy Server + href: auditing/audit-network-policy-server.md + - name: Audit Other Logon/Logoff Events + href: auditing/audit-other-logonlogoff-events.md + items: + - name: "Event 4649 S: A replay attack was detected." + href: auditing/event-4649.md + - name: "Event 4778 S: A session was reconnected to a Window Station." + href: auditing/event-4778.md + - name: "Event 4779 S: A session was disconnected from a Window Station." + href: auditing/event-4779.md + - name: "Event 4800 S: The workstation was locked." + href: auditing/event-4800.md + - name: "Event 4801 S: The workstation was unlocked." + href: auditing/event-4801.md + - name: "Event 4802 S: The screen saver was invoked." + href: auditing/event-4802.md + - name: "Event 4803 S: The screen saver was dismissed." + href: auditing/event-4803.md + - name: "Event 5378 F: The requested credentials delegation was disallowed by policy." + href: auditing/event-5378.md + - name: "Event 5632 S, F: A request was made to authenticate to a wireless network." + href: auditing/event-5632.md + - name: "Event 5633 S, F: A request was made to authenticate to a wired network." + href: auditing/event-5633.md + - name: Audit Special Logon + href: auditing/audit-special-logon.md + items: + - name: "Event 4964 S: Special groups have been assigned to a new logon." + href: auditing/event-4964.md + - name: "Event 4672 S: Special privileges assigned to new logon." + href: auditing/event-4672.md + - name: Audit Application Generated + href: auditing/audit-application-generated.md + - name: Audit Certification Services + href: auditing/audit-certification-services.md + - name: Audit Detailed File Share + href: auditing/audit-detailed-file-share.md + items: + - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access." 
+ href: auditing/event-5145.md + - name: Audit File Share + href: auditing/audit-file-share.md + items: + - name: "Event 5140 S, F: A network share object was accessed." + href: auditing/event-5140.md + - name: "Event 5142 S: A network share object was added." + href: auditing/event-5142.md + - name: "Event 5143 S: A network share object was modified." + href: auditing/event-5143.md + - name: "Event 5144 S: A network share object was deleted." + href: auditing/event-5144.md + - name: "Event 5168 F: SPN check for SMB/SMB2 failed." + href: auditing/event-5168.md + - name: Audit File System + href: auditing/audit-file-system.md + items: + - name: "Event 4656 S, F: A handle to an object was requested." + href: auditing/event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: auditing/event-4658.md + - name: "Event 4660 S: An object was deleted." + href: auditing/event-4660.md + - name: "Event 4663 S: An attempt was made to access an object." + href: auditing/event-4663.md + - name: "Event 4664 S: An attempt was made to create a hard link." + href: auditing/event-4664.md + - name: "Event 4985 S: The state of a transaction has changed." + href: auditing/event-4985.md + - name: "Event 5051: A file was virtualized." + href: auditing/event-5051.md + - name: "Event 4670 S: Permissions on an object were changed." + href: auditing/event-4670.md + - name: Audit Filtering Platform Connection + href: auditing/audit-filtering-platform-connection.md + items: + - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network." + href: auditing/event-5031.md + - name: "Event 5150: The Windows Filtering Platform blocked a packet." + href: auditing/event-5150.md + - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet." 
+ href: auditing/event-5151.md + - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections." + href: auditing/event-5154.md + - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections." + href: auditing/event-5155.md + - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection." + href: auditing/event-5156.md + - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection." + href: auditing/event-5157.md + - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port." + href: auditing/event-5158.md + - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port." + href: auditing/event-5159.md + - name: Audit Filtering Platform Packet Drop + href: auditing/audit-filtering-platform-packet-drop.md + items: + - name: "Event 5152 F: The Windows Filtering Platform blocked a packet." + href: auditing/event-5152.md + - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet." + href: auditing/event-5153.md + - name: Audit Handle Manipulation + href: auditing/audit-handle-manipulation.md + items: + - name: "Event 4690 S: An attempt was made to duplicate a handle to an object." + href: auditing/event-4690.md + - name: Audit Kernel Object + href: auditing/audit-kernel-object.md + items: + - name: "Event 4656 S, F: A handle to an object was requested." + href: auditing/event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: auditing/event-4658.md + - name: "Event 4660 S: An object was deleted." + href: auditing/event-4660.md + - name: "Event 4663 S: An attempt was made to access an object." 
+ href: auditing/event-4663.md + - name: Audit Other Object Access Events + href: auditing/audit-other-object-access-events.md + items: + - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS." + href: auditing/event-4671.md + - name: "Event 4691 S: Indirect access to an object was requested." + href: auditing/event-4691.md + - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded." + href: auditing/event-5148.md + - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed." + href: auditing/event-5149.md + - name: "Event 4698 S: A scheduled task was created." + href: auditing/event-4698.md + - name: "Event 4699 S: A scheduled task was deleted." + href: auditing/event-4699.md + - name: "Event 4700 S: A scheduled task was enabled." + href: auditing/event-4700.md + - name: "Event 4701 S: A scheduled task was disabled." + href: auditing/event-4701.md + - name: "Event 4702 S: A scheduled task was updated." + href: auditing/event-4702.md + - name: "Event 5888 S: An object in the COM+ Catalog was modified." + href: auditing/event-5888.md + - name: "Event 5889 S: An object was deleted from the COM+ Catalog." + href: auditing/event-5889.md + - name: "Event 5890 S: An object was added to the COM+ Catalog." + href: auditing/event-5890.md + - name: Audit Registry + href: auditing/audit-registry.md + items: + - name: "Event 4663 S: An attempt was made to access an object." + href: auditing/event-4663.md + - name: "Event 4656 S, F: A handle to an object was requested." + href: auditing/event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: auditing/event-4658.md + - name: "Event 4660 S: An object was deleted." + href: auditing/event-4660.md + - name: "Event 4657 S: A registry value was modified." 
+ href: auditing/event-4657.md + - name: "Event 5039: A registry key was virtualized." + href: auditing/event-5039.md + - name: "Event 4670 S: Permissions on an object were changed." + href: auditing/event-4670.md + - name: Audit Removable Storage + href: auditing/audit-removable-storage.md + - name: Audit SAM + href: auditing/audit-sam.md + items: + - name: "Event 4661 S, F: A handle to an object was requested." + href: auditing/event-4661.md + - name: Audit Central Access Policy Staging + href: auditing/audit-central-access-policy-staging.md + items: + - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy." + href: auditing/event-4818.md + - name: Audit Audit Policy Change + href: auditing/audit-audit-policy-change.md + items: + - name: "Event 4670 S: Permissions on an object were changed." + href: auditing/event-4670.md + - name: "Event 4715 S: The audit policy, SACL, on an object was changed." + href: auditing/event-4715.md + - name: "Event 4719 S: System audit policy was changed." + href: auditing/event-4719.md + - name: "Event 4817 S: Auditing settings on object were changed." + href: auditing/event-4817.md + - name: "Event 4902 S: The Per-user audit policy table was created." + href: auditing/event-4902.md + - name: "Event 4906 S: The CrashOnAuditFail value has changed." + href: auditing/event-4906.md + - name: "Event 4907 S: Auditing settings on object were changed." + href: auditing/event-4907.md + - name: "Event 4908 S: Special Groups Logon table modified." + href: auditing/event-4908.md + - name: "Event 4912 S: Per User Audit Policy was changed." + href: auditing/event-4912.md + - name: "Event 4904 S: An attempt was made to register a security event source." + href: auditing/event-4904.md + - name: "Event 4905 S: An attempt was made to unregister a security event source." 
+ href: auditing/event-4905.md + - name: Audit Authentication Policy Change + href: auditing/audit-authentication-policy-change.md + items: + - name: "Event 4706 S: A new trust was created to a domain." + href: auditing/event-4706.md + - name: "Event 4707 S: A trust to a domain was removed." + href: auditing/event-4707.md + - name: "Event 4716 S: Trusted domain information was modified." + href: auditing/event-4716.md + - name: "Event 4713 S: Kerberos policy was changed." + href: auditing/event-4713.md + - name: "Event 4717 S: System security access was granted to an account." + href: auditing/event-4717.md + - name: "Event 4718 S: System security access was removed from an account." + href: auditing/event-4718.md + - name: "Event 4739 S: Domain Policy was changed." + href: auditing/event-4739.md + - name: "Event 4864 S: A namespace collision was detected." + href: auditing/event-4864.md + - name: "Event 4865 S: A trusted forest information entry was added." + href: auditing/event-4865.md + - name: "Event 4866 S: A trusted forest information entry was removed." + href: auditing/event-4866.md + - name: "Event 4867 S: A trusted forest information entry was modified." + href: auditing/event-4867.md + - name: Audit Authorization Policy Change + href: auditing/audit-authorization-policy-change.md + items: + - name: "Event 4703 S: A user right was adjusted." + href: auditing/event-4703.md + - name: "Event 4704 S: A user right was assigned." + href: auditing/event-4704.md + - name: "Event 4705 S: A user right was removed." + href: auditing/event-4705.md + - name: "Event 4670 S: Permissions on an object were changed." + href: auditing/event-4670.md + - name: "Event 4911 S: Resource attributes of the object were changed." + href: auditing/event-4911.md + - name: "Event 4913 S: Central Access Policy on the object was changed." 
+ href: auditing/event-4913.md + - name: Audit Filtering Platform Policy Change + href: auditing/audit-filtering-platform-policy-change.md + - name: Audit MPSSVC Rule-Level Policy Change + href: auditing/audit-mpssvc-rule-level-policy-change.md + items: + - name: "Event 4944 S: The following policy was active when the Windows Firewall started." + href: auditing/event-4944.md + - name: "Event 4945 S: A rule was listed when the Windows Firewall started." + href: auditing/event-4945.md + - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added." + href: auditing/event-4946.md + - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified." + href: auditing/event-4947.md + - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted." + href: auditing/event-4948.md + - name: "Event 4949 S: Windows Firewall settings were restored to the default values." + href: auditing/event-4949.md + - name: "Event 4950 S: A Windows Firewall setting has changed." + href: auditing/event-4950.md + - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall." + href: auditing/event-4951.md + - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced." + href: auditing/event-4952.md + - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed." + href: auditing/event-4953.md + - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied." + href: auditing/event-4954.md + - name: "Event 4956 S: Windows Firewall has changed the active profile." + href: auditing/event-4956.md + - name: "Event 4957 F: Windows Firewall did not apply the following rule." 
+ href: auditing/event-4957.md + - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer." + href: auditing/event-4958.md + - name: Audit Other Policy Change Events + href: auditing/audit-other-policy-change-events.md + items: + - name: "Event 4714 S: Encrypted data recovery policy was changed." + href: auditing/event-4714.md + - name: "Event 4819 S: Central Access Policies on the machine have been changed." + href: auditing/event-4819.md + - name: "Event 4826 S: Boot Configuration Data loaded." + href: auditing/event-4826.md + - name: "Event 4909: The local policy settings for the TBS were changed." + href: auditing/event-4909.md + - name: "Event 4910: The group policy settings for the TBS were changed." + href: auditing/event-4910.md + - name: "Event 5063 S, F: A cryptographic provider operation was attempted." + href: auditing/event-5063.md + - name: "Event 5064 S, F: A cryptographic context operation was attempted." + href: auditing/event-5064.md + - name: "Event 5065 S, F: A cryptographic context modification was attempted." + href: auditing/event-5065.md + - name: "Event 5066 S, F: A cryptographic function operation was attempted." + href: auditing/event-5066.md + - name: "Event 5067 S, F: A cryptographic function modification was attempted." + href: auditing/event-5067.md + - name: "Event 5068 S, F: A cryptographic function provider operation was attempted." + href: auditing/event-5068.md + - name: "Event 5069 S, F: A cryptographic function property operation was attempted." + href: auditing/event-5069.md + - name: "Event 5070 S, F: A cryptographic function property modification was attempted." + href: auditing/event-5070.md + - name: "Event 5447 S: A Windows Filtering Platform filter has been changed." + href: auditing/event-5447.md + - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully." 
+ href: auditing/event-6144.md + - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects." + href: auditing/event-6145.md + - name: Audit Sensitive Privilege Use + href: auditing/audit-sensitive-privilege-use.md + items: + - name: "Event 4673 S, F: A privileged service was called." + href: auditing/event-4673.md + - name: "Event 4674 S, F: An operation was attempted on a privileged object." + href: auditing/event-4674.md + - name: "Event 4985 S: The state of a transaction has changed." + href: auditing/event-4985.md + - name: Audit Non Sensitive Privilege Use + href: auditing/audit-non-sensitive-privilege-use.md + items: + - name: "Event 4673 S, F: A privileged service was called." + href: auditing/event-4673.md + - name: "Event 4674 S, F: An operation was attempted on a privileged object." + href: auditing/event-4674.md + - name: "Event 4985 S: The state of a transaction has changed." + href: auditing/event-4985.md + - name: Audit Other Privilege Use Events + href: auditing/audit-other-privilege-use-events.md + items: + - name: "Event 4985 S: The state of a transaction has changed." + href: auditing/event-4985.md + - name: Audit IPsec Driver + href: auditing/audit-ipsec-driver.md + - name: Audit Other System Events + href: auditing/audit-other-system-events.md + items: + - name: "Event 5024 S: The Windows Firewall Service has started successfully." + href: auditing/event-5024.md + - name: "Event 5025 S: The Windows Firewall Service has been stopped." + href: auditing/event-5025.md + - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy." + href: auditing/event-5027.md + - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy." 
+ href: auditing/event-5028.md + - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy." + href: auditing/event-5029.md + - name: "Event 5030 F: The Windows Firewall Service failed to start." + href: auditing/event-5030.md + - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network." + href: auditing/event-5032.md + - name: "Event 5033 S: The Windows Firewall Driver has started successfully." + href: auditing/event-5033.md + - name: "Event 5034 S: The Windows Firewall Driver was stopped." + href: auditing/event-5034.md + - name: "Event 5035 F: The Windows Firewall Driver failed to start." + href: auditing/event-5035.md + - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating." + href: auditing/event-5037.md + - name: "Event 5058 S, F: Key file operation." + href: auditing/event-5058.md + - name: "Event 5059 S, F: Key migration operation." + href: auditing/event-5059.md + - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content." + href: auditing/event-6400.md + - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded." + href: auditing/event-6401.md + - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted." + href: auditing/event-6402.md + - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client." + href: auditing/event-6403.md + - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate." + href: auditing/event-6404.md + - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred." 
+ href: auditing/event-6405.md + - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2." + href: auditing/event-6406.md + - name: "Event 6407: 1%." + href: auditing/event-6407.md + - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2." + href: auditing/event-6408.md + - name: "Event 6409: BranchCache: A service connection point object could not be parsed." + href: auditing/event-6409.md + - name: Audit Security State Change + href: auditing/audit-security-state-change.md + items: + - name: "Event 4608 S: Windows is starting up." + href: auditing/event-4608.md + - name: "Event 4616 S: The system time was changed." + href: auditing/event-4616.md + - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail." + href: auditing/event-4621.md + - name: Audit Security System Extension + href: auditing/audit-security-system-extension.md + items: + - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority." + href: auditing/event-4610.md + - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority." + href: auditing/event-4611.md + - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager." + href: auditing/event-4614.md + - name: "Event 4622 S: A security package has been loaded by the Local Security Authority." + href: auditing/event-4622.md + - name: "Event 4697 S: A service was installed in the system." + href: auditing/event-4697.md + - name: Audit System Integrity + href: auditing/audit-system-integrity.md + items: + - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits." + href: auditing/event-4612.md + - name: "Event 4615 S: Invalid use of LPC port." 
+ href: auditing/event-4615.md + - name: "Event 4618 S: A monitored security event pattern has occurred." + href: auditing/event-4618.md + - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message." + href: auditing/event-4816.md + - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid." + href: auditing/event-5038.md + - name: "Event 5056 S: A cryptographic self-test was performed." + href: auditing/event-5056.md + - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed." + href: auditing/event-5062.md + - name: "Event 5057 F: A cryptographic primitive operation failed." + href: auditing/event-5057.md + - name: "Event 5060 F: Verification operation failed." + href: auditing/event-5060.md + - name: "Event 5061 S, F: Cryptographic operation." + href: auditing/event-5061.md + - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid." + href: auditing/event-6281.md + - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process." + href: auditing/event-6410.md + - name: Other Events + href: auditing/other-events.md + items: + - name: "Event 1100 S: The event logging service has shut down." + href: auditing/event-1100.md + - name: "Event 1102 S: The audit log was cleared." + href: auditing/event-1102.md + - name: "Event 1104 S: The security log is now full." + href: auditing/event-1104.md + - name: "Event 1105 S: Event log automatic backup." + href: auditing/event-1105.md + - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1." 
+ href: auditing/event-1108.md + - name: "Appendix A: Security monitoring recommendations for many audit events" + href: auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md + - name: Registry (Global Object Access Auditing) + href: auditing/registry-global-object-access-auditing.md + - name: File System (Global Object Access Auditing) + href: auditing/file-system-global-object-access-auditing.md + - name: Security policy settings + href: security-policy-settings/security-policy-settings.md + items: + - name: Administer security policy settings + href: security-policy-settings/administer-security-policy-settings.md + items: + - name: Network List Manager policies + href: security-policy-settings/network-list-manager-policies.md + - name: Configure security policy settings + href: security-policy-settings/how-to-configure-security-policy-settings.md + - name: Security policy settings reference + href: security-policy-settings/security-policy-settings-reference.md + items: + - name: Account Policies + href: security-policy-settings/account-policies.md + items: + - name: Password Policy + href: security-policy-settings/password-policy.md + items: + - name: Enforce password history + href: security-policy-settings/enforce-password-history.md + - name: Maximum password age + href: security-policy-settings/maximum-password-age.md + - name: Minimum password age + href: security-policy-settings/minimum-password-age.md + - name: Minimum password length + href: security-policy-settings/minimum-password-length.md + - name: Password must meet complexity requirements + href: security-policy-settings/password-must-meet-complexity-requirements.md + - name: Store passwords using reversible encryption + href: security-policy-settings/store-passwords-using-reversible-encryption.md + - name: Account Lockout Policy + href: security-policy-settings/account-lockout-policy.md + items: + - name: Account lockout duration + href: 
security-policy-settings/account-lockout-duration.md + - name: Account lockout threshold + href: security-policy-settings/account-lockout-threshold.md + - name: Reset account lockout counter after + href: security-policy-settings/reset-account-lockout-counter-after.md + - name: Kerberos Policy + href: security-policy-settings/kerberos-policy.md + items: + - name: Enforce user logon restrictions + href: security-policy-settings/enforce-user-logon-restrictions.md + - name: Maximum lifetime for service ticket + href: security-policy-settings/maximum-lifetime-for-service-ticket.md + - name: Maximum lifetime for user ticket + href: security-policy-settings/maximum-lifetime-for-user-ticket.md + - name: Maximum lifetime for user ticket renewal + href: security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md + - name: Maximum tolerance for computer clock synchronization + href: security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md + - name: Audit Policy + href: security-policy-settings/audit-policy.md + - name: Security Options + href: security-policy-settings/security-options.md + items: + - name: "Accounts: Administrator account status" + href: security-policy-settings/accounts-administrator-account-status.md + - name: "Accounts: Block Microsoft accounts" + href: security-policy-settings/accounts-block-microsoft-accounts.md + - name: "Accounts: Guest account status" + href: security-policy-settings/accounts-guest-account-status.md + - name: "Accounts: Limit local account use of blank passwords to console logon only" + href: security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md + - name: "Accounts: Rename administrator account" + href: security-policy-settings/accounts-rename-administrator-account.md + - name: "Accounts: Rename guest account" + href: security-policy-settings/accounts-rename-guest-account.md + - name: "Audit: Audit the access of global system objects" + href: 
security-policy-settings/audit-audit-the-access-of-global-system-objects.md + - name: "Audit: Audit the use of Backup and Restore privilege" + href: security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md + - name: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" + href: security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md + - name: "Audit: Shut down system immediately if unable to log security audits" + href: security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md + - name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" + href: security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md + - name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" + href: security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md + - name: "Devices: Allow undock without having to log on" + href: security-policy-settings/devices-allow-undock-without-having-to-log-on.md + - name: "Devices: Allowed to format and eject removable media" + href: security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md + - name: "Devices: Prevent users from installing printer drivers" + href: security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md + - name: "Devices: Restrict CD-ROM access to locally logged-on user only" + href: security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md + - name: "Devices: Restrict floppy access to locally logged-on user only" + href: security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md + - name: "Domain controller: Allow server operators to schedule tasks" + href: 
security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md + - name: "Domain controller: LDAP server signing requirements" + href: security-policy-settings/domain-controller-ldap-server-signing-requirements.md + - name: "Domain controller: Refuse machine account password changes" + href: security-policy-settings/domain-controller-refuse-machine-account-password-changes.md + - name: "Domain member: Digitally encrypt or sign secure channel data (always)" + href: security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md + - name: "Domain member: Digitally encrypt secure channel data (when possible)" + href: security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md + - name: "Domain member: Digitally sign secure channel data (when possible)" + href: security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md + - name: "Domain member: Disable machine account password changes" + href: security-policy-settings/domain-member-disable-machine-account-password-changes.md + - name: "Domain member: Maximum machine account password age" + href: security-policy-settings/domain-member-maximum-machine-account-password-age.md + - name: "Domain member: Require strong (Windows 2000 or later) session key" + href: security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md + - name: "Interactive logon: Display user information when the session is locked" + href: security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md + - name: "Interactive logon: Don't display last signed-in" + href: security-policy-settings/interactive-logon-do-not-display-last-user-name.md + - name: "Interactive logon: Don't display username at sign-in" + href: security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md + - name: "Interactive logon: Do not require CTRL+ALT+DEL" + href: 
security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md + - name: "Interactive logon: Machine account lockout threshold" + href: security-policy-settings/interactive-logon-machine-account-lockout-threshold.md + - name: "Interactive logon: Machine inactivity limit" + href: security-policy-settings/interactive-logon-machine-inactivity-limit.md + - name: "Interactive logon: Message text for users attempting to log on" + href: security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md + - name: "Interactive logon: Message title for users attempting to log on" + href: security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md + - name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" + href: security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md + - name: "Interactive logon: Prompt user to change password before expiration" + href: security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md + - name: "Interactive logon: Require Domain Controller authentication to unlock workstation" + href: security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md + - name: "Interactive logon: Require smart card" + href: security-policy-settings/interactive-logon-require-smart-card.md + - name: "Interactive logon: Smart card removal behavior" + href: security-policy-settings/interactive-logon-smart-card-removal-behavior.md + - name: "Microsoft network client: Digitally sign communications (always)" + href: security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network client: Digitally sign communications (always)" + href: security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft 
network client: Digitally sign communications (if server agrees)" + href: security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md + - name: "Microsoft network client: Send unencrypted password to third-party SMB servers" + href: security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md + - name: "Microsoft network server: Amount of idle time required before suspending session" + href: security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md + - name: "Microsoft network server: Attempt S4U2Self to obtain claim information" + href: security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md + - name: "Microsoft network server: Digitally sign communications (always)" + href: security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network server: Digitally sign communications (always)" + href: security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)" + href: security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md + - name: "Microsoft network server: Disconnect clients when logon hours expire" + href: security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md + - name: "Microsoft network server: Server SPN target name validation level" + href: security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md + - name: "Network access: Allow anonymous SID/Name translation" + href: security-policy-settings/network-access-allow-anonymous-sidname-translation.md + - name: "Network access: Do not allow anonymous enumeration of SAM accounts" + href: 
security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md + - name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares" + href: security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md + - name: "Network access: Do not allow storage of passwords and credentials for network authentication" + href: security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md + - name: "Network access: Let Everyone permissions apply to anonymous users" + href: security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md + - name: "Network access: Named Pipes that can be accessed anonymously" + href: security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md + - name: "Network access: Remotely accessible registry paths" + href: security-policy-settings/network-access-remotely-accessible-registry-paths.md + - name: "Network access: Remotely accessible registry paths and subpaths" + href: security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md + - name: "Network access: Restrict anonymous access to Named Pipes and Shares" + href: security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md + - name: "Network access: Restrict clients allowed to make remote calls to SAM" + href: security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md + - name: "Network access: Shares that can be accessed anonymously" + href: security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md + - name: "Network access: Sharing and security model for local accounts" + href: security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md + - name: "Network security: Allow Local System to use computer identity for NTLM" + href: 
security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md + - name: "Network security: Allow LocalSystem NULL session fallback" + href: security-policy-settings/network-security-allow-localsystem-null-session-fallback.md + - name: "Network security: Allow PKU2U authentication requests to this computer to use online identities" + href: security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md + - name: "Network security: Configure encryption types allowed for Kerberos" + href: security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md + - name: "Network security: Do not store LAN Manager hash value on next password change" + href: security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md + - name: "Network security: Force logoff when logon hours expire" + href: security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md + - name: "Network security: LAN Manager authentication level" + href: security-policy-settings/network-security-lan-manager-authentication-level.md + - name: "Network security: LDAP client signing requirements" + href: security-policy-settings/network-security-ldap-client-signing-requirements.md + - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" + href: security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md + - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" + href: security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md + - name: "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" + href: 
security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md + - name: "Network security: Restrict NTLM: Add server exceptions in this domain" + href: security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md + - name: "Network security: Restrict NTLM: Audit incoming NTLM traffic" + href: security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md + - name: "Network security: Restrict NTLM: Audit NTLM authentication in this domain" + href: security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md + - name: "Network security: Restrict NTLM: Incoming NTLM traffic" + href: security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md + - name: "Network security: Restrict NTLM: NTLM authentication in this domain" + href: security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md + - name: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" + href: security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md + - name: "Recovery console: Allow automatic administrative logon" + href: security-policy-settings/recovery-console-allow-automatic-administrative-logon.md + - name: "Recovery console: Allow floppy copy and access to all drives and folders" + href: security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md + - name: "Shutdown: Allow system to be shut down without having to log on" + href: security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md + - name: "Shutdown: Clear virtual memory pagefile" + href: security-policy-settings/shutdown-clear-virtual-memory-pagefile.md + - name: "System cryptography: Force strong key protection for user keys stored on the computer" + href: 
security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md + - name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" + href: security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md + - name: "System objects: Require case insensitivity for non-Windows subsystems" + href: security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md + - name: "System objects: Strengthen default permissions of internal system objects (Symbolic Links)" + href: security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md + - name: "System settings: Optional subsystems" + href: security-policy-settings/system-settings-optional-subsystems.md + - name: "System settings: Use certificate rules on Windows executables for Software Restriction Policies" + href: security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md + - name: "User Account Control: Admin Approval Mode for the Built-in Administrator account" + href: security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md + - name: "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" + href: security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md + - name: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" + href: security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md + - name: "User Account Control: Behavior of the elevation prompt for standard users" + href: security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md 
+ - name: "User Account Control: Detect application installations and prompt for elevation" + href: security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md + - name: "User Account Control: Only elevate executables that are signed and validated" + href: security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md + - name: "User Account Control: Only elevate UIAccess applications that are installed in secure locations" + href: security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md + - name: "User Account Control: Run all administrators in Admin Approval Mode" + href: security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md + - name: "User Account Control: Switch to the secure desktop when prompting for elevation" + href: security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md + - name: "User Account Control: Virtualize file and registry write failures to per-user locations" + href: security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md + - name: Advanced security audit policy settings + href: security-policy-settings/secpol-advanced-security-audit-policy-settings.md + - name: User Rights Assignment + href: security-policy-settings/user-rights-assignment.md + items: + - name: Access Credential Manager as a trusted caller + href: security-policy-settings/access-credential-manager-as-a-trusted-caller.md + - name: Access this computer from the network + href: security-policy-settings/access-this-computer-from-the-network.md + - name: Act as part of the operating system + href: security-policy-settings/act-as-part-of-the-operating-system.md + - name: Add workstations to domain + href: security-policy-settings/add-workstations-to-domain.md + - name: Adjust memory 
quotas for a process + href: security-policy-settings/adjust-memory-quotas-for-a-process.md + - name: Allow log on locally + href: security-policy-settings/allow-log-on-locally.md + - name: Allow log on through Remote Desktop Services + href: security-policy-settings/allow-log-on-through-remote-desktop-services.md + - name: Back up files and directories + href: security-policy-settings/back-up-files-and-directories.md + - name: Bypass traverse checking + href: security-policy-settings/bypass-traverse-checking.md + - name: Change the system time + href: security-policy-settings/change-the-system-time.md + - name: Change the time zone + href: security-policy-settings/change-the-time-zone.md + - name: Create a pagefile + href: security-policy-settings/create-a-pagefile.md + - name: Create a token object + href: security-policy-settings/create-a-token-object.md + - name: Create global objects + href: security-policy-settings/create-global-objects.md + - name: Create permanent shared objects + href: security-policy-settings/create-permanent-shared-objects.md + - name: Create symbolic links + href: security-policy-settings/create-symbolic-links.md + - name: Debug programs + href: security-policy-settings/debug-programs.md + - name: Deny access to this computer from the network + href: security-policy-settings/deny-access-to-this-computer-from-the-network.md + - name: Deny log on as a batch job + href: security-policy-settings/deny-log-on-as-a-batch-job.md + - name: Deny log on as a service + href: security-policy-settings/deny-log-on-as-a-service.md + - name: Deny log on locally + href: security-policy-settings/deny-log-on-locally.md + - name: Deny log on through Remote Desktop Services + href: security-policy-settings/deny-log-on-through-remote-desktop-services.md + - name: Enable computer and user accounts to be trusted for delegation + href: security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md + - name: Force shutdown from a 
remote system + href: security-policy-settings/force-shutdown-from-a-remote-system.md + - name: Generate security audits + href: security-policy-settings/generate-security-audits.md + - name: Impersonate a client after authentication + href: security-policy-settings/impersonate-a-client-after-authentication.md + - name: Increase a process working set + href: security-policy-settings/increase-a-process-working-set.md + - name: Increase scheduling priority + href: security-policy-settings/increase-scheduling-priority.md + - name: Load and unload device drivers + href: security-policy-settings/load-and-unload-device-drivers.md + - name: Lock pages in memory + href: security-policy-settings/lock-pages-in-memory.md + - name: Log on as a batch job + href: security-policy-settings/log-on-as-a-batch-job.md + - name: Log on as a service + href: security-policy-settings/log-on-as-a-service.md + - name: Manage auditing and security log + href: security-policy-settings/manage-auditing-and-security-log.md + - name: Modify an object label + href: security-policy-settings/modify-an-object-label.md + - name: Modify firmware environment values + href: security-policy-settings/modify-firmware-environment-values.md + - name: Perform volume maintenance tasks + href: security-policy-settings/perform-volume-maintenance-tasks.md + - name: Profile single process + href: security-policy-settings/profile-single-process.md + - name: Profile system performance + href: security-policy-settings/profile-system-performance.md + - name: Remove computer from docking station + href: security-policy-settings/remove-computer-from-docking-station.md + - name: Replace a process level token + href: security-policy-settings/replace-a-process-level-token.md + - name: Restore files and directories + href: security-policy-settings/restore-files-and-directories.md + - name: Shut down the system + href: security-policy-settings/shut-down-the-system.md + - name: Synchronize directory service data + href: 
security-policy-settings/synchronize-directory-service-data.md + - name: Take ownership of files or other objects + href: security-policy-settings/take-ownership-of-files-or-other-objects.md + - name: Windows security guidance for enterprises + items: + - name: Windows security baselines + href: windows-security-configuration-framework/windows-security-baselines.md + items: + - name: Security Compliance Toolkit + href: windows-security-configuration-framework/security-compliance-toolkit-10.md + - name: Get support + href: windows-security-configuration-framework/get-support-for-security-baselines.md + - name: Windows 10 Mobile security guide + href: windows-10-mobile-security-guide.md
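Review bot: Under Security Options, the entry named "Interactive logon: Don't display last signed-in" has the href security-policy-settings/interactive-logon-do-not-display-last-user-name.md, so the displayed title and the target slug describe the setting differently, and it sits directly above the similarly worded "Interactive logon: Don't display username at sign-in". Since this commit is a format conversion, please confirm the pairing was carried over unchanged and that the href resolves to the intended article. If it does, leave the slug alone here and track any rename separately. Two smaller points in the same added block: "Event 5062 S" is listed between 5056 and 5057 rather than in numeric order, and "Windows security guidance for enterprises" has items but no href, unlike sibling parents such as "Other Events" and "Security policy settings". If both simply mirror the old TOC.md, a sentence in the commit message saying the conversion preserves order and link-less parents would make this easier to verify against the deleted file.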