OS Security freshness

Vinay Pamnani (from Dev Box)
2024-07-10 16:47:47 -06:00
parent aa3e4af9c1
commit a5f03be45b
15 changed files with 175 additions and 181 deletions

View File

@ -3,12 +3,12 @@ title: Block untrusted fonts in an enterprise
description: To help protect your company from attacks that may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature.
ms.localizationpriority: medium
ms.topic: how-to
ms.date: 12/22/2023
ms.date: 07/10/2024
---
# Block untrusted fonts in an enterprise
To help protect your company from attacks that may originate from untrusted or attacker-controlled font files, we've created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%\Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.
To help protect your company from attacks that may originate from untrusted or attacker-controlled font files, you can block untrusted fonts. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%\Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.
## What does this mean for me?
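Review bot: the `description:` front-matter line still reads "we've created the Blocking Untrusted Fonts feature" while the body sentence it mirrors now says "you can block untrusted fonts"; update the description in the same commit or the search snippet and the page will disagree. While in this paragraph, "EOP" in the last sentence is never expanded; spell it out as elevation of privilege on first use.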
@ -44,11 +44,11 @@ Use Group Policy or the registry to turn this feature on, off, or to use audit m
**To turn on and use the Blocking Untrusted Fonts feature through Group Policy**
1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`.
2. Click **Enabled** to turn on the feature, and then click one of the following **Mitigation Options**:
2. Select **Enabled** to turn on the feature, and then select one of the following **Mitigation Options**:
- **Block untrusted fonts and log events.** Turns on the feature, blocking untrusted fonts and logging installation attempts to the event log.
- **Do not block untrusted fonts.** Turns on the feature, but doesn't block untrusted fonts nor does it log installation attempts to the event log.
- **Log events without blocking untrusted fonts**. Turns on the feature, logging installation attempts to the event log, but not blocking untrusted fonts.
3. Click **OK**.
3. Select **OK**.
**To turn on and use the Blocking Untrusted Fonts feature through the registry**
@ -56,7 +56,7 @@ To turn this feature on, off, or to use audit mode:
1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`.
2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**.
3. Right click on the **MitigationOptions** key, and then click **Modify**. The **Edit QWORD (64-bit) Value** box opens.
3. Right select on the **MitigationOptions** key, and then select **Modify**. The **Edit QWORD (64-bit) Value** box opens.
4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below:
- **To turn this feature on.** Type **1000000000000**.
- **To turn this feature off.** Type **2000000000000**.
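Review bot: "Right select on the **MitigationOptions** key" is a find-and-replace artifact of the Click-to-Select pass; right-click is a gesture, not a button label, and this same commit keeps "right-click on the font name" in the next hunk. Restore it as "Right-click the **MitigationOptions** value, and then select **Modify**". Separately, the unchanged step 2 calls MitigationOptions a key while telling the reader to create a QWORD value; it is a value under the `Kernel` key, so "value" is the accurate term in both steps.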
@ -114,7 +114,7 @@ After you figure out the problematic fonts, you can try to fix your apps in two
**To fix your apps by installing the problematic fonts (recommended)**
On each computer with the app installed, right-click on the font name and click **Install**. The font should automatically install into your `%windir%\Fonts` directory. If it doesn't, you'll need to manually copy the font files into the **Fonts** directory and run the installation from there.
On each computer with the app installed, right-click on the font name and select **Install**. The font should automatically install into your `%windir%\Fonts` directory. If it doesn't, you need to manually copy the font files into the **Fonts** directory and run the installation from there.
**To fix your apps by excluding processes**

View File

@ -3,7 +3,7 @@ title: Override Process Mitigation Options
description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies.
ms.localizationpriority: medium
ms.topic: how-to
ms.date: 12/22/2023
ms.date: 07/10/2024
---
# Override Process Mitigation Options to help enforce app-related security policies
@ -13,10 +13,10 @@ Windows includes group policy-configurable "Process Mitigation Options" that add
> [!IMPORTANT]
> We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization's required apps.
The Group Policy settings in this topic are related to three types of process mitigations. All three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure more protections. The types of process mitigations are:
The Group Policy settings in this article are related to three types of process mitigations. All three types are on by default for 64-bit applications, but by using the Group Policy settings described in this article, you can configure more protections. The types of process mitigations are:
- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention).
- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they've been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection).
- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as nonexecutable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention).
- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they're compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection).
- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](../../threat-protection/overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization). To find more ASLR protections in the table below, look for `IMAGES` or `ASLR`.
The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings.
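Review bot: "regardless of whether they're compiled with the latest improvements" shifts the SEHOP sentence into the present tense, but compilation is a past event for an app already on the machine; keep the original "they've been compiled" or reword to "whether or not they were compiled with the latest improvements" so the tense cleanup does not change the meaning.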
@ -27,7 +27,7 @@ The following procedure describes how to use Group Policy to override individual
![Screenshot of the Group Policy editor: Process Mitigation Options with setting enabled and Show button active.](images/gp-process-mitigation-options.png)
2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you'll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic.
2. Select **Enabled**, and then in the **Options** area, select **Show** to open the **Show Contents** box, where you can add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this article.
> [!IMPORTANT]
> For each app you want to include, you must include:
@ -45,14 +45,14 @@ Here's a visual representation of the bit flag locations for the various Process
Where the bit flags are read from right to left and are defined as:
| Flag | Bit location | Setting | Details |
|------|--------------|-----------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| A | 0 | `PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)` | Turns on Data Execution Prevention (DEP) for child processes. |
| B | 1 | `PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)` | Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept non-executable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. |
| C | 2 | `PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)` | Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. |
| D | 8 | `PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)` | Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren't dynamic base compatible. Images without the base relocation section won't be loaded if relocations are required. |
| E | 15 | `PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)` | Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
| F | 16 | `PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)` | Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
| Flag | Bit location | Setting | Details |
|--|--|--|--|
| A | 0 | `PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)` | Turns on Data Execution Prevention (DEP) for child processes. |
| B | 1 | `PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)` | Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept nonexecutable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. |
| C | 2 | `PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)` | Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. |
| D | 8 | `PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)` | Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren't dynamic base compatible. Images without the base relocation section aren't loaded if relocations are required. |
| E | 15 | `PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)` | Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
| F | 16 | `PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)` | Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
### Example
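Review bot: the rewritten table carries over a bit-location error in rows E and F: counting from bit 0 as rows A through D do, `0x00010000` is bit 16 and `0x00020000` is bit 17, not 15 and 16. Since every row of the table is being rewritten anyway, correct the "Bit location" column; a reader who builds the value from the bit positions rather than the hex constants ends up setting the wrong flag.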

View File

@ -3,14 +3,14 @@ title: Use Windows Event Forwarding to help with intrusion detection
description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.
ms.localizationpriority: medium
ms.topic: how-to
ms.date: 12/22/2023
ms.date: 07/10/2024
---
# Use Windows Event Forwarding to help with intrusion detection
Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server.
Windows Event Forwarding (WEF) reads any operational or administrative event logged on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server.
To accomplish this functionality, there are two different subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects more events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations.
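Review bot: "reads any operational or administrative event logged on a device" changes the sense of the original "event log" and reads awkwardly; WEF reads from event log channels (the operational and administrative logs) and forwards the events you select, so the original noun was right. Suggest "reads the operational and administrative event logs on a device" if the goal was a tense cleanup. The unchanged sentence that follows also capitalises "Baseline subscription" but writes "suspect subscription" and then "Suspect subscription"; pick one.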
@ -35,12 +35,12 @@ For the minimum recommended audit policy and registry system ACL settings, see [
> [!NOTE]
> These are only minimum values need to meet what the WEF subscription selects.
From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts' direction. All devices should have access to the Baseline subscription.
From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription. This access would be determined by an algorithm or an analysts' direction. All devices should have access to the Baseline subscription.
This system of dual subscription means you would create two base subscriptions:
- **Baseline WEF subscription**. Events collected from all hosts; these events include some role-specific events, which will only be emitted by those machines.
- **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems.
- **Baseline WEF subscription**. Events collected from all hosts; these events include some role-specific events, which will only be emitted by those machines.
- **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems.
Each using the respective event query below. For the Targeted subscription, enabling the "read existing events" option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client.
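Review bot: the rewritten sentence keeps "an analysts' direction"; the apostrophe belongs before the s ("an analyst's direction"). The same hunk leaves "which will only be emitted by those machines" and "WEF subscriptions will only forward events" in future tense while the rest of the commit removes "will"; as the bullets are being re-indented anyway, change them to "which only those machines emit" and "WEF subscriptions only forward events". The note above the paragraph ("These are only minimum values need to meet") is also missing a word: "needed".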
@ -58,7 +58,7 @@ The longer answer is: The **Eventlog-forwardingPlugin/Operational** event channe
### Is WEF Push or Pull?
A WEF subscription can be configured to be pushed or pulled, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients are to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines.
A WEF subscription can be configured to be pushed or pulled, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is preconfigured with the names of the WEF Client devices from which events are to be selected. Those clients are to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines.
### Will WEF work over VPN or RAS?
@ -67,7 +67,7 @@ WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and sen
### How is client progress tracked?
The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source reconnects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a
WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it's active. This heartbeat value can be individually configured for each subscription.
WEF client has no events to send, the WEF client connects periodically to send a Heartbeat to the WEC server to indicate it's active. This heartbeat value can be individually configured for each subscription.
### Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment?
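Review bot: the only line changed here is the second half of a sentence that is hard-wrapped mid-clause ("If a" / "WEF client has no events to send"); join the two source lines while editing them so the paragraph matches the rest of the file and the sentence stops splitting across diffs and blame.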
@ -130,19 +130,19 @@ For collector initiated subscriptions: The subscription contains the list of mac
### Can a client communicate to multiple WEF Event Collectors?
Yes. If you desire a High-Availability environment, configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access.
Yes. If you desire a High-Availability environment, configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access.
### What are the WEC server's limitations?
There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is planning for a total of 3,000 events per second on average for all configured subscriptions.
- **Disk I/O**. The WEC server doesn't process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive.
- **Network Connections**. While a WEF source doesn't maintain a permanent, persistent connection to the WEC server, it doesn't immediately disconnect after sending its events. This leniency means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server.
- **Registry size**. For each unique device that connects to a WEF subscription, there's a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. If this information isn't pruned to remove inactive clients, this set of registry keys can grow to an unmanageable size over time.
- **Disk I/O**. The WEC server doesn't process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive.
- **Network Connections**. While a WEF source doesn't maintain a permanent, persistent connection to the WEC server, it doesn't immediately disconnect after sending its events. This leniency means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server.
- **Registry size**. For each unique device that connects to a WEF subscription, there's a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. If this information isn't pruned to remove inactive clients, this set of registry keys can grow to an unmanageable size over time.
- When a subscription has >1000 WEF sources connect to it over its operational lifetime, also known as lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting the **Subscriptions** node in the left-navigation, but will function normally afterwards.
- At >50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included with Windows) must be used to configure and manage subscriptions.
- At >100,000 lifetime WEF sources, the registry won't be readable and the WEC server will likely have to be rebuilt.
- When a subscription has >1000 WEF sources connect to it over its operational lifetime, also known as lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting the **Subscriptions** node in the left-navigation, but will function normally afterwards.
- At >50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included with Windows) must be used to configure and manage subscriptions.
- At >100,000 lifetime WEF sources, the registry won't be readable and the WEC server will likely have to be rebuilt.
## Subscription information
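Review bot: the tense cleanup is applied unevenly in this hunk: "WEF Clients forward events" drops the "will", but the re-indented sub-bullets keep "but will function normally afterwards", "the registry won't be readable" and "will likely have to be rebuilt". Either convert those as well ("functions normally afterwards", "the registry isn't readable", "likely has to be rebuilt") or leave them untouched; the rendered diff shows the sub-bullets as full-line replacements although only their indentation appears to change.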
@ -158,56 +158,56 @@ The subscription is essentially a collection of query statements applied to the
To gain the most value out of the baseline subscription, we recommend having the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system.
- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A - Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This policy ensures that the security event log is generating the required events.
- Apply at least an Audit-Only AppLocker policy to devices.
- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A - Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This policy ensures that the security event log is generating the required events.
- Apply at least an Audit-Only AppLocker policy to devices.
- If you're already allowing or restricting events by using AppLocker, then this requirement is met.
- AppLocker events contain useful information, such as file hash and digital signature information for executables and scripts.
- If you're already allowing or restricting events by using AppLocker, then this requirement is met.
- AppLocker events contain useful information, such as file hash and digital signature information for executables and scripts.
- Enable disabled event channels and set the minimum size for modern event files.
- Currently, there's no GPO template for enabling or setting the maximum size for the modern event files. This threshold must be defined by using a GPO. For more info, see [Appendix C - Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc).
- Enable disabled event channels and set the minimum size for modern event files.
- Currently, there's no GPO template for enabling or setting the maximum size for the modern event files. This threshold must be defined by using a GPO. For more info, see [Appendix C - Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc).
The annotated event query can be found in the following. For more info, see [Appendix F - Annotated Suspect Subscription Event Query](#bkmk-appendixf).
- Anti-malware events from Microsoft Antimalware or Windows Defender. These events can be configured for any given anti-malware product easily if it writes to the Windows event log.
- Anti-malware events from Windows Security. These events can be configured for any given anti-malware product easily if it writes to the Windows event log.
- Security event log Process Create events.
- AppLocker Process Create events (EXE, script, packaged App installation and execution).
- Registry modification events. For more info, see [Appendix B - Recommended minimum Registry System ACL Policy](#bkmk-appendixb).
- OS startup and shutdown
- Startup events include operating system version, service pack level, QFE version, and boot mode.
- Startup events include operating system version, service pack level, QFE version, and boot mode.
- Service install
- Includes what the name of the service, the image path, and who installed the service.
- Includes what the name of the service, the image path, and who installed the service.
- Certificate Authority audit events
- These events are only applicable on systems with the Certificate Authority role installed.
- Logs certificate requests and responses.
- These events are only applicable on systems with the Certificate Authority role installed.
- Logs certificate requests and responses.
- User profile events
- Use of a temporary profile or unable to create a user profile may indicate an intruder is interactively logging into a device but not wanting to leave a persistent profile behind.
- Use of a temporary profile or unable to create a user profile may indicate an intruder is interactively logging into a device but not wanting to leave a persistent profile behind.
- Service start failure
- Failure codes are localized, so you have to check the message DLL for values.
- Failure codes are localized, so you have to check the message DLL for values.
- Network share access events
- Filter out IPC$ and /NetLogon file shares, which are expected and noisy.
- Filter out IPC$ and /NetLogon file shares, which are expected and noisy.
- System shutdown initiate requests
- Find out what initiated the restart of a device.
- Find out what initiated the restart of a device.
- User-initiated interactive sign-out event
- User-initiated interactive sign out event
- Remote Desktop Services sessions connect, reconnect, or disconnect.
- EMET events, if EMET is installed.
- Event forwarding plugin events
- For monitoring WEF subscription operations, such as Partial Success events. This event is useful for diagnosing deployment issues.
- For monitoring WEF subscription operations, such as Partial Success events. This event is useful for diagnosing deployment issues.
- Network share creation and deletion
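Review bot: "User-initiated interactive sign out event" drops the hyphen from a compound used as a noun ("a sign-out event"); the unhyphenated form is the verb ("sign out"), and the unchanged "sign-in sessions" bullets later in this file keep the hyphen, so revert this one to "sign-out". Two pre-existing errors in lines this hunk rewrites are worth fixing in the same pass: the link text "Appendix A - Minimum Recommended minimum Audit Policy" repeats "minimum", and "Includes what the name of the service, the image path, and who installed the service" should read "Includes the name of the service, the image path, and who installed it". Also confirm that "Windows Security" is the intended source name for the anti-malware events: it replaces two product names with the name of the settings app, and the bullet should name whatever product actually writes the events the query selects.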
@ -217,111 +217,111 @@ The annotated event query can be found in the following. For more info, see [App
- Sign-in sessions
- Sign-in success for interactive (local and Remote Interactive/Remote Desktop)
- Sign-in success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on.
- Sign-in success for batch sessions
- Sign-in session close, which is sign-out events for non-network sessions.
- Sign-in success for interactive (local and Remote Interactive/Remote Desktop)
- Sign-in success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on.
- Sign-in success for batch sessions
- Sign-in session close, which is sign out events for non-network sessions.
- Windows Error Reporting (Application crash events only)
- This session can help detect early signs of intruder not familiar with enterprise environment using targeted malware.
- This session can help detect early signs of intruder not familiar with enterprise environment using targeted malware.
- Event log service events
- Errors, start events, and stop events for the Windows Event Log service.
- Errors, start events, and stop events for the Windows Event Log service.
- Event log cleared (including the Security Event Log)
- This event could indicate an intruder that is covering their tracks.
- This event could indicate an intruder that is covering their tracks.
- Special privileges assigned to new sign in
- This assignation indicates that at the time of signing in, a user is either an Administrator or has the sufficient access to make themselves Administrator.
- This assignation indicates that at the time of signing in, a user is either an Administrator or has the sufficient access to make themselves Administrator.
- Outbound Remote Desktop Services session attempts
- Visibility into potential beachhead for intruder
- Visibility into potential beachhead for intruder
- System time changed
- SMB Client (mapped drive connections)
- Account credential validation
- Local accounts or domain accounts on domain controllers
- Local accounts or domain accounts on domain controllers
- A user was added or removed from the local Administrators security group.
- Crypto API private key accessed
- Associated with signing objects using the locally stored private key.
- Associated with signing objects using the locally stored private key.
- Task Scheduler task creation and delete
- Task Scheduler allows intruders to run code at specified times as LocalSystem.
- Task Scheduler allows intruders to run code at specified times as LocalSystem.
- Sign-in with explicit credentials
- Detect credential use changes by intruders to access more resources.
- Detect credential use changes by intruders to access more resources.
- Smartcard card holder verification events
- This event detects when a smartcard is being used.
- This event detects when a smartcard is being used.
### Suspect subscription
This subscription adds some possible intruder-related activity to help analyst further refine their determinations about the state of the device.
- Sign-in session creation for network sessions
- Sign-in session creation for network sessions
- Enables time-series analysis of network graphs.
- Enables time-series analysis of network graphs.
- RADIUS and VPN events
- RADIUS and VPN events
- Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows user-> IP address assignment with remote IP address connecting to the enterprise.
- Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows user-> IP address assignment with remote IP address connecting to the enterprise.
- Crypto API X509 object and build chain events
- Crypto API X509 object and build chain events
- Detects known bad certificate, CA, or sub-CA
- Detects unusual process use of CAPI
- Detects known bad certificate, CA, or sub-CA
- Detects unusual process use of CAPI
- Groups assigned to local sign in
- Groups assigned to local sign in
- Gives visibility to groups that enable account-wide access
- Allows better planning for remediation efforts
- Excludes well known, built-in system accounts.
- Gives visibility to groups that enable account-wide access
- Allows better planning for remediation efforts
- Excludes well known, built-in system accounts.
- Sign-in session exit
- Sign-in session exit
- Specific for network sign-in sessions.
- Specific for network sign-in sessions.
- Client DNS lookup events
- Client DNS lookup events
- Returns what process performed a DNS query and the results returned from the DNS server.
- Returns what process performed a DNS query and the results returned from the DNS server.
- Process exit
- Process exit
- Enables checking for processes terminating unexpectedly.
- Enables checking for processes terminating unexpectedly.
- Local credential validation or signing in with explicit credentials
- Local credential validation or signing in with explicit credentials
- Generated when the local SAM is authoritative for the account credentials being authenticated.
- Noisy on domain controllers
- On client devices, it's only generated when local accounts sign in.
- Generated when the local SAM is authoritative for the account credentials being authenticated.
- Noisy on domain controllers
- On client devices, it's only generated when local accounts sign in.
- Registry modification audit events
- Registry modification audit events
- Only when a registry value is being created, modified, or deleted.
- Only when a registry value is being created, modified, or deleted.
- Wireless 802.1x authentication
- Wireless 802.1x authentication
- Detect wireless connection with a peer MAC address
- Detect wireless connection with a peer MAC address
- Windows PowerShell logging
- Windows PowerShell logging
- Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging improvements for in-memory attacks using Windows PowerShell.
- Includes Windows PowerShell remoting logging
- Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging improvements for in-memory attacks using Windows PowerShell.
- Includes Windows PowerShell remoting logging
- User Mode Driver Framework "Driver Loaded" event
- User Mode Driver Framework "Driver Loaded" event
- Can possibly detect a USB device loading multiple device drivers. For example, a USB\_STOR device loading the keyboard or network driver.
- Can possibly detect a USB device loading multiple device drivers. For example, a USB\_STOR device loading the keyboard or network driver.
## <a href="" id="bkmk-appendixa"></a>Appendix A - Minimum recommended minimum audit policy

View File

@ -3,7 +3,7 @@ title: Get support for security baselines
description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related articles.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 10/31/2023
ms.date: 07/10/2024
---
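Review bot: the only change in this hunk is the `ms.date` bump, but the context line `description: Find answers to frequently asked question on how to get support for baselines` has a number-agreement error ("question" should be "questions"); a freshness pass that rewrites the front matter is the natural place to fix it, so consider including that one-word correction here.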
# Get Support

View File

@ -2,7 +2,7 @@
title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
ms.localizationpriority: medium
ms.date: 07/11/2023
ms.date: 07/10/2024
ms.topic: conceptual
---
@ -28,7 +28,7 @@ For example:
[![Screenshot that shows the PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers.
The wsusscn2.cab file contains the metadata of only security updates, update rollups, and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools, or drivers.
## More information

View File

@ -2,7 +2,7 @@
title: Microsoft Security Compliance Toolkit Guide
description: This article describes how to use Security Compliance Toolkit in your organization.
ms.topic: conceptual
ms.date: 10/31/2023
ms.date: 07/10/2024
---
# Microsoft Security Compliance Toolkit - How to use

View File

@ -2,7 +2,7 @@
title: Security baselines guide
description: Learn how to use security baselines in your organization.
ms.topic: conceptual
ms.date: 07/11/2023
ms.date: 07/10/2024
---
# Security baselines
@ -19,7 +19,7 @@ For more information, see the following blog post: [Sticking with well-known and
## What are security baselines?
Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be different from another organization. For example, an e-commerce company may focus on protecting its internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be different from another organization. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital might focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
A security baseline is a group of Microsoft-recommended configuration settings that explains their security implication. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
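Review bot: the rewritten line still compares threats to an organization rather than to that organization's threats: `the types of security threats that are of most concern to one organization can be different from another organization` should read "can be different from those of another organization", and since this line is already being edited for "may" to "might", the fix belongs in the same change. The trailing context line `A security baseline is a group of Microsoft-recommended configuration settings that explains their security implication.` is also ungrammatical (the settings do not "explain" anything) and should read "A security baseline is a group of Microsoft-recommended configuration settings, together with an explanation of their security implications."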