deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

fixing spacing issues

Browse Source
This commit is contained in:
Brian Lich 2016-05-23 16:37:43 -07:00
parent 7535ffb5ab
commit a75ee08f72
16 changed files with 545 additions and 495 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
windows/keep-secure/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
View File

@ -2,82 +2,79 @@
title: Devices Restrict floppy access to locally logged-on user only (Windows 10) title: Devices Restrict floppy access to locally logged-on user only (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting. description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting.
ms.assetid: 92997910-da95-4c03-ae6f-832915423898 ms.assetid: 92997910-da95-4c03-ae6f-832915423898
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Devices: Restrict floppy access to locally logged-on user only # Devices: Restrict floppy access to locally logged-on user only
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting. Describes the best practices, location, values, and security considerations for the **Devices: Restrict floppy access to locally logged-on user only** security policy setting.
## Reference ## Reference
This policy setting determines whether removable floppy disks are accessible to local and remote users simultaneously. Enabling this policy setting allows only the interactively logged-on user to access removable floppy disks. If this policy setting is enabled and no one is logged on interactively, the floppy disk can be accessed over the network. This policy setting determines whether removable floppy disks are accessible to local and remote users simultaneously. Enabling this policy setting allows only the interactively logged-on user to access removable floppy disks. If this policy setting is enabled and no one is logged on interactively, the floppy disk can be accessed over the network.
The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This becomes important when you are installing software or copying data from a floppy disk and they do not want network users to be able to execute the applications or view the data. The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This becomes important when you are installing software or copying data from a floppy disk and they do not want network users to be able to execute the applications or view the data.
If this policy setting is enabled, users who connect to the server over the network will not be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server. If this policy setting is enabled, users who connect to the server over the network will not be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server.
### Possible values ### Possible values
- Enabled - Enabled
- Disabled - Disabled
- Not defined - Not defined
### Best practices ### Best practices
- Best practices are dependent on your security and user accessibility requirements for CD drives. - Best practices are dependent on your security and user accessibility requirements for CD drives.
### Location ### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values ### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page. The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup> | Server type or GPO | Default value |
<col width="50%" /> | - | - |
<col width="50%" /> | Default Domain Policy | Not defined|
</colgroup> | Default Domain Controller Policy | Not defined|
<thead> | Stand-Alone Server Default Settings | Disabled|
<tr class="header"> | DC Effective Default Settings | Disabled|
<th align="left">Server type or GPO</th> | Member Server Effective Default Settings | Disabled|
<th align="left">Default value</th> | Client Computer Effective Default Settings | Disabled|
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
</tbody>
</table>
   
## Policy management ## Policy management
This section describes features and tools that are available to help you manage this policy. This section describes features and tools that are available to help you manage this policy.
### Restart requirement ### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations ## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability ### Vulnerability
A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives are not automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives are not automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server.
### Countermeasure ### Countermeasure
Enable the **Devices: Restrict floppy access to locally logged-on user only** setting. Enable the **Devices: Restrict floppy access to locally logged-on user only** setting.
### Potential impact ### Potential impact
Users who connect to the server over the network cannot use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. Users who connect to the server over the network cannot use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail.
## Related topics ## Related topics
[Security Options](security-options.md)
  - [Security Options](security-options.md)
 

9
windows/keep-secure/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
View File

@ -8,13 +8,20 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
author: brianlic-msft author: brianlic-msft
--- ---
# Display a custom URL message when users try to run a blocked app # Display a custom URL message when users try to run a blocked app
**Applies to** **Applies to**
- Windows 10 - Windows 10
This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.
Using Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you do not display a custom message when an apps is blocked, the default access denied message is displayed. Using Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you do not display a custom message when an apps is blocked, the default access denied message is displayed.
To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission.
**To display a custom URL message when users try to run a blocked app** **To display a custom URL message when users try to run a blocked app**
1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC). 1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC).
2. Navigate to the Group Policy Object (GPO) that you want to edit. 2. Navigate to the Group Policy Object (GPO) that you want to edit.
3. Right-click the GPO, and then click **Edit**. 3. Right-click the GPO, and then click **Edit**.
@ -22,5 +29,3 @@ To complete this procedure, you must have the **Edit Setting** permission to ed
5. In the details pane, double-click **Set a support web page link**. 5. In the details pane, double-click **Set a support web page link**.
6. Click **Enabled**, and then type the URL of the custom Web page in the **Support Web page URL** box. 6. Click **Enabled**, and then type the URL of the custom Web page in the **Support Web page URL** box.
7. Click **OK** to apply the setting. 7. Click **OK** to apply the setting.
 
 

64
windows/keep-secure/dll-rules-in-applocker.md
View File

@ -2,64 +2,40 @@
title: DLL rules in AppLocker (Windows 10) title: DLL rules in AppLocker (Windows 10)
description: This topic describes the file formats and available default rules for the DLL rule collection. description: This topic describes the file formats and available default rules for the DLL rule collection.
ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# DLL rules in AppLocker # DLL rules in AppLocker
**Applies to** **Applies to**
- Windows 10 - Windows 10
This topic describes the file formats and available default rules for the DLL rule collection. This topic describes the file formats and available default rules for the DLL rule collection.
AppLocker defines DLL rules to include only the following file formats: AppLocker defines DLL rules to include only the following file formats:
- .dll - .dll
- .ocx - .ocx
The following table lists the default rules that are available for the DLL rule collection. The following table lists the default rules that are available for the DLL rule collection.
<table>
<colgroup> | Purpose | Name | User | Rule condition type |
<col width="25%" /> | - | - | - | - |
<col width="25%" /> | Allows members of the local Administrators group to run all DLLs | (Default Rule) All DLLs|
<col width="25%" /> | BUILTIN\Administrators | Path: *|
<col width="25%" /> | Allow all users to run DLLs in the Windows folder| (Default Rule) Microsoft Windows DLLs |
</colgroup> | Everyone | Path: %windir%\*|
<thead> | Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder|
<tr class="header"> | Everyone | Path: %programfiles%\*|
<th align="left">Purpose</th>
<th align="left">Name</th>
<th align="left">User</th>
<th align="left">Rule condition type</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Allows members of the local Administrators group to run all DLLs</p></td>
<td align="left"><p>(Default Rule) All DLLs</p></td>
<td align="left"><p>BUILTIN\Administrators</p></td>
<td align="left"><p>Path: *</p></td>
</tr>
<tr class="even">
<td align="left"><p>Allow all users to run DLLs in the Windows folder</p></td>
<td align="left"><p>(Default Rule) Microsoft Windows DLLs</p></td>
<td align="left"><p>Everyone</p></td>
<td align="left"><p>Path: %windir%\*</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Allow all users to run DLLs in the Program Files folder</p></td>
<td align="left"><p>(Default Rule) All DLLs located in the Program Files folder</p></td>
<td align="left"><p>Everyone</p></td>
<td align="left"><p>Path: %programfiles%\*</p></td>
</tr>
</tbody>
</table>
   
**Important**   >**Important:**  If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps
If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps
   
**Caution**   >**Caution:**  When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used.
When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used.
   
## Related topics ## Related topics
[Understanding AppLocker default rules](understanding-applocker-default-rules.md)
  - [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
 

11
windows/keep-secure/document-group-policy-structure-and-applocker-rule-enforcement.md
View File

@ -2,23 +2,31 @@
title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10) title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10)
description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
author: brianlic-msft author: brianlic-msft
ms.pagetype: security
--- ---
# Document the Group Policy structure and AppLocker rule enforcement # Document the Group Policy structure and AppLocker rule enforcement
**Applies to** **Applies to**
- Windows 10 - Windows 10
This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.
## Record your findings ## Record your findings
To complete this AppLocker planning document, you should first complete the following steps: To complete this AppLocker planning document, you should first complete the following steps:
1. [Determine your application control objectives](determine-your-application-control-objectives.md) 1. [Determine your application control objectives](determine-your-application-control-objectives.md)
2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
3. [Select the types of rules to create](select-types-of-rules-to-create.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md)
4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column. After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column.
The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies. The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies.
<table> <table>
<colgroup> <colgroup>
@ -111,6 +119,7 @@ The following table includes the sample data that was collected when you determi
</table> </table>
   
## Next steps ## Next steps
After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain: After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain:
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
- [Create your AppLocker planning document](create-your-applocker-planning-document.md) - [Create your AppLocker planning document](create-your-applocker-planning-document.md)

24
windows/keep-secure/document-your-application-control-management-processes.md
View File

@ -2,31 +2,46 @@
title: Document your application control management processes (Windows 10) title: Document your application control management processes (Windows 10)
description: This planning topic describes the AppLocker policy maintenance information to record for your design document. description: This planning topic describes the AppLocker policy maintenance information to record for your design document.
ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Document your application control management processes # Document your application control management processes
**Applies to** **Applies to**
- Windows 10 - Windows 10
This planning topic describes the AppLocker policy maintenance information to record for your design document. This planning topic describes the AppLocker policy maintenance information to record for your design document.
## Record your findings ## Record your findings
To complete this AppLocker planning document, you should first complete the following steps: To complete this AppLocker planning document, you should first complete the following steps:
1. [Determine your application control objectives](determine-your-application-control-objectives.md) 1. [Determine your application control objectives](determine-your-application-control-objectives.md)
2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
3. [Select the types of rules to create](select-types-of-rules-to-create.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md)
4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) 5. [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
The three key areas to determine for AppLocker policy management are: The three key areas to determine for AppLocker policy management are:
1. Support policy 1. Support policy
Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy. Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy.
2. Event processing 2. Event processing
Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis. Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis.
3. Policy maintenance 3. Policy maintenance
Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added. Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added.
The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies. The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies.
<table style="width:100%;"> <table style="width:100%;">
<colgroup> <colgroup>
<col width="11%" /> <col width="11%" />
@ -125,9 +140,13 @@ The following table contains the added sample data that was collected when deter
</table> </table>
   
The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies. The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies.
**Event processing policy** **Event processing policy**
One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events. One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events.
The following table is an example of what to consider and record. The following table is an example of what to consider and record.
<table> <table>
<colgroup> <colgroup>
<col width="20%" /> <col width="20%" />
@ -210,7 +229,6 @@ The following table is an example of what to consider and record.
</table> </table>
   
## Next steps ## Next steps
After you have determined your application control management strategy for each of the business group's applications, the following task remains: After you have determined your application control management strategy for each of the business group's applications, the following task remains:
- [Create your AppLocker planning document](create-your-applocker-planning-document.md) - [Create your AppLocker planning document](create-your-applocker-planning-document.md)
 
 

26
windows/keep-secure/document-your-application-list.md
View File

@ -2,21 +2,30 @@
title: Document your app list (Windows 10) title: Document your app list (Windows 10)
description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. description: This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0 ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Document your app list # Document your app list
**Applies to** **Applies to**
- Windows 10 - Windows 10
This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies.
## Record your findings ## Record your findings
**Apps** **Apps**
Record the name of the app, whether it is signed as indicated by the publisher's name, and whether it is a mission critical, business productivity, optional, or personal app. Later, as you manage your rules, AppLocker displays this information in the format shown in the following example: *MICROSOFT OFFICE INFOPATH signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US*. Record the name of the app, whether it is signed as indicated by the publisher's name, and whether it is a mission critical, business productivity, optional, or personal app. Later, as you manage your rules, AppLocker displays this information in the format shown in the following example: *MICROSOFT OFFICE INFOPATH signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US*.
**Installation path** **Installation path**
Record the installation path of the apps. For example, Microsoft Office 2016 installs files to *%programfiles%\\Microsoft Office\\Office16\\*, which is *C:\\Program Files\\Microsoft Office\\Office16\\* on most devices. Record the installation path of the apps. For example, Microsoft Office 2016 installs files to *%programfiles%\\Microsoft Office\\Office16\\*, which is *C:\\Program Files\\Microsoft Office\\Office16\\* on most devices.
The following table provides an example of how to list applications for each business group at the early stage of designing your application control policies. Eventually, as more planning information is added to the list, the information can be used to build AppLocker rules. The following table provides an example of how to list applications for each business group at the early stage of designing your application control policies. Eventually, as more planning information is added to the list, the information can be used to build AppLocker rules.
<table> <table>
<colgroup> <colgroup>
@ -81,29 +90,36 @@ The following table provides an example of how to list applications for each bus
</tbody> </tbody>
</table> </table>
   
**Note**   >**Note:**  AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary.
   
**Event processing** **Event processing**
As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record: As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record:
- Will event forwarding be implemented for AppLocker events? - Will event forwarding be implemented for AppLocker events?
- What is the location of the AppLocker event collection? - What is the location of the AppLocker event collection?
- Should an event archival policy be implemented? - Should an event archival policy be implemented?
- Will the events be analyzed and how often? - Will the events be analyzed and how often?
- Should a security policy be in place for event collection? - Should a security policy be in place for event collection?
**Policy maintenance** **Policy maintenance**
As you create your list of apps, you need to consider how to manage and maintain the policies that you will eventually create. The following list is an example of what to consider and what to record: As you create your list of apps, you need to consider how to manage and maintain the policies that you will eventually create. The following list is an example of what to consider and what to record:
- How will rules be updated for emergency app access and permanent access? - How will rules be updated for emergency app access and permanent access?
- How will apps be removed? - How will apps be removed?
- How many older versions of the same app will be maintained? - How many older versions of the same app will be maintained?
- How will new apps be introduced? - How will new apps be introduced?
## Next steps ## Next steps
After you have created the list of applications, the next step is to identify the rule collections, which will become the application control policies. This information can be added to the table under the following columns: After you have created the list of applications, the next step is to identify the rule collections, which will become the application control policies. This information can be added to the table under the following columns:
- Use default rule or define new rule condition - Use default rule or define new rule condition
- Allow or deny - Allow or deny
- GPO name - GPO name
To identify the rule collections, see the following topics: To identify the rule collections, see the following topics:
- [Select the types of rules to create](select-types-of-rules-to-create.md) - [Select the types of rules to create](select-types-of-rules-to-create.md)
- [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) - [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
 
 

16
windows/keep-secure/document-your-applocker-rules.md
View File

@ -2,25 +2,35 @@
title: Document your AppLocker rules (Windows 10) title: Document your AppLocker rules (Windows 10)
description: This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. description: This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded.
ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Document your AppLocker rules # Document your AppLocker rules
**Applies to** **Applies to**
- Windows 10 - Windows 10
This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded.
## Record your findings ## Record your findings
To complete this AppLocker planning document, you should first complete the following steps: To complete this AppLocker planning document, you should first complete the following steps:
1. [Determine your application control objectives](determine-your-application-control-objectives.md) 1. [Determine your application control objectives](determine-your-application-control-objectives.md)
2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
3. [Select the types of rules to create](select-types-of-rules-to-create.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md)
Document the following items for each business group or organizational unit: Document the following items for each business group or organizational unit:
- Whether your organization will use the built-in default AppLocker rules to allow system files to run. - Whether your organization will use the built-in default AppLocker rules to allow system files to run.
- The types of rule conditions that you will use to create rules, stated in order of preference. - The types of rule conditions that you will use to create rules, stated in order of preference.
The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md). The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an app to run or deny permission for it to run. For info about these settings, see [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md).
<table style="width:100%;"> <table style="width:100%;">
<colgroup> <colgroup>
<col width="14%" /> <col width="14%" />
@ -101,9 +111,9 @@ The following table details sample data for documenting rule type and rule condi
</table> </table>
   
## Next steps ## Next steps
For each rule, determine whether to use the allow or deny option. Then, three tasks remain: For each rule, determine whether to use the allow or deny option. Then, three tasks remain:
- [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) - [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
- [Create your AppLocker planning document](create-your-applocker-planning-document.md) - [Create your AppLocker planning document](create-your-applocker-planning-document.md)
 
 

86
windows/keep-secure/domain-controller-allow-server-operators-to-schedule-tasks.md
View File

@ -2,87 +2,85 @@
title: Domain controller Allow server operators to schedule tasks (Windows 10) title: Domain controller Allow server operators to schedule tasks (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting. description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting.
ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Domain controller: Allow server operators to schedule tasks # Domain controller: Allow server operators to schedule tasks
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting. Describes the best practices, location, values, and security considerations for the **Domain controller: Allow server operators to schedule tasks** security policy setting.
## Reference ## Reference
This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account. This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account.
**Note**  
This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool. >**Note:**  This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool.
   
Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is the Local System account. This means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group. Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is the Local System account. This means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group.
The impact of enabling this policy setting should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job. The impact of enabling this policy setting should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job.
### Possible values ### Possible values
- Enabled - Enabled
- Disabled - Disabled
- Not defined - Not defined
### Best practices ### Best practices
- Best practices for this policy are dependent on your security and operational requirements for task scheduling. - Best practices for this policy are dependent on your security and operational requirements for task scheduling.
### Location ### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values ### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page. The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup> | Server type or GPO | Default value |
<col width="50%" /> | - | - |
<col width="50%" /> | Default Domain Policy | Not defined|
</colgroup> | Default Domain Controller Policy | Not defined |
<thead> | Stand-Alone Server Default Settings | Not defined|
<tr class="header"> | DC Effective Default Settings | Not defined|
<th align="left">Server type or GPO</th> | Member Server Effective Default Settings | Not defined|
<th align="left">Default value</th> | Client Computer Effective Default Settings | Not defined|
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
</tbody>
</table>
   
## Policy management ## Policy management
This section describes features and tools that are available to help you manage this policy. This section describes features and tools that are available to help you manage this policy.
### Restart requirement ### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Command-line tools ### Command-line tools
The **at** command schedules commands and programs to run on a computer at a specified time and date. The Schedule service must be running to use the **at** command. The **at** command schedules commands and programs to run on a computer at a specified time and date. The Schedule service must be running to use the **at** command.
## Security considerations ## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability ### Vulnerability
Tasks that run under the context of the Local System account can affect resources that are at a higher privilege level than the user account that scheduled the task. Tasks that run under the context of the Local System account can affect resources that are at a higher privilege level than the user account that scheduled the task.
### Countermeasure ### Countermeasure
Disable the **Domain controller: Allow server operators to schedule tasks** setting. Disable the **Domain controller: Allow server operators to schedule tasks** setting.
### Potential impact ### Potential impact
The impact should be small for most organizations. Users (including those in the Server Operators group) can still create jobs by means of the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job. The impact should be small for most organizations. Users (including those in the Server Operators group) can still create jobs by means of the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job.
## Related topics ## Related topics
[Security Options](security-options.md)
  - [Security Options](security-options.md)
 

85
windows/keep-secure/domain-controller-ldap-server-signing-requirements.md
View File

@ -2,86 +2,83 @@
title: Domain controller LDAP server signing requirements (Windows 10) title: Domain controller LDAP server signing requirements (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting. description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting.
ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390 ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Domain controller: LDAP server signing requirements # Domain controller: LDAP server signing requirements
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting.
## Reference ## Reference
This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing.
Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult. Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult.
This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL.
If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected.
**Caution**  
If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server. >**Caution:**  If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.
   
### Possible values ### Possible values
- None. Data signatures are not required to bind with the server. If the client computer requests data signing, the server supports it. - None. Data signatures are not required to bind with the server. If the client computer requests data signing, the server supports it.
- Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use. - Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use.
- Not defined. - Not defined.
### Best practices ### Best practices
- It is advisable to set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers. - It is advisable to set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers.
### Location ### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values ### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page. The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup> | Server type or GPO | Default value |
<col width="50%" /> | - | - |
<col width="50%" /> | Default Domain Policy | Not defined|
</colgroup> | Default Domain Controller Policy | Not defined|
<thead> | Stand-Alone Server Default Settings | Not defined|
<tr class="header"> | DC Effective Default Settings | None|
<th align="left">Server type or GPO</th> | Member Server Effective Default Settings | None|
<th align="left">Default value</th> | Client Computer Effective Default Settings | None|
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>None</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>None</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>None</p></td>
</tr>
</tbody>
</table>
   
## Policy management ## Policy management
This section describes features and tools that are available to help you manage this policy. This section describes features and tools that are available to help you manage this policy.
### Restart requirement ### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations ## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability ### Vulnerability
Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult. Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult.
### Countermeasure ### Countermeasure
Configure the **Domain controller: LDAP server signing requirements** setting to **Require signature**. Configure the **Domain controller: LDAP server signing requirements** setting to **Require signature**.
### Potential impact ### Potential impact
Client device that do not support LDAP signing cannot run LDAP queries against the domain controllers. Client device that do not support LDAP signing cannot run LDAP queries against the domain controllers.
## Related topics ## Related topics
[Security Options](security-options.md)
  - [Security Options](security-options.md)
 

84
windows/keep-secure/domain-controller-refuse-machine-account-password-changes.md
View File

@ -2,83 +2,83 @@
title: Domain controller Refuse machine account password changes (Windows 10) title: Domain controller Refuse machine account password changes (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting. description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting.
ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9 ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Domain controller: Refuse machine account password changes # Domain controller: Refuse machine account password changes
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting. Describes the best practices, location, values, and security considerations for the **Domain controller: Refuse machine account password changes** security policy setting.
## Reference ## Reference
This policy setting enables or disables blocking a domain controller from accepting password change requests for machine accounts. By default, devices joined to the domain change their machine account passwords every 30 days. If enabled, the domain controller will refuse machine account password change requests. This policy setting enables or disables blocking a domain controller from accepting password change requests for machine accounts. By default, devices joined to the domain change their machine account passwords every 30 days. If enabled, the domain controller will refuse machine account password change requests.
### Possible values ### Possible values
- Enabled - Enabled
When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password. When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password.
- Disabled - Disabled
When disabled, this setting allows a domain controller to accept any changes to a machine account's password. When disabled, this setting allows a domain controller to accept any changes to a machine account's password.
- Not defined - Not defined
Same as Disabled. Same as Disabled.
### Best practices ### Best practices
- Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This, in turn, leaves those passwords susceptible to attack. Make sure that this conforms to your overall security policy for the domain. - Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This, in turn, leaves those passwords susceptible to attack. Make sure that this conforms to your overall security policy for the domain.
### Location ### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values ### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page. The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup> | Server type or GPO | Default value |
<col width="50%" /> | - | - |
<col width="50%" /> | Default Domain Policy | Not defined|
</colgroup> | Default Domain Controller Policy | Not defined|
<thead> | Stand-Alone Server Default Settings | Not defined|
<tr class="header"> | DC Effective Default Settings | Disabled|
<th align="left">Server type or GPO</th> | Member Server Effective Default Settings | Disabled|
<th align="left">Default value</th> | Client Computer Effective Default Settings | Not applicable|
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Not applicable</p></td>
</tr>
</tbody>
</table>
   
## Policy management ## Policy management
This section describes features and tools that are available to help you manage this policy. This section describes features and tools that are available to help you manage this policy.
### Restart requirement ### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations ## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability ### Vulnerability
If you enable this policy setting on all domain controllers in a domain, domain members cannot change their machine account passwords, and those passwords are more susceptible to attack. If you enable this policy setting on all domain controllers in a domain, domain members cannot change their machine account passwords, and those passwords are more susceptible to attack.
### Countermeasure ### Countermeasure
Disable the **Domain controller: Refuse machine account password changes** setting. Disable the **Domain controller: Refuse machine account password changes** setting.
### Potential impact ### Potential impact
None. This is the default configuration. None. This is the default configuration.
## Related topics ## Related topics
[Security Options](security-options.md)
  - [Security Options](security-options.md)
 

105
windows/keep-secure/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
View File

@ -2,103 +2,114 @@
title: Domain member Digitally encrypt or sign secure channel data (always) (Windows 10) title: Domain member Digitally encrypt or sign secure channel data (always) (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt or sign secure channel data (always) security policy setting. description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt or sign secure channel data (always) security policy setting.
ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Domain member: Digitally encrypt or sign secure channel data (always) # Domain member: Digitally encrypt or sign secure channel data (always)
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting. Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt or sign secure channel data (always)** security policy setting.
## Reference ## Reference
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is
transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic:
- Domain member: Digitally encrypt or sign secure channel data (always) - Domain member: Digitally encrypt or sign secure channel data (always)
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows othat has joined a domain to have access to the user account database in its domain and in any trusted domains. To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows othat has joined a domain to have access to the user account database in its domain and in any trusted domains.
To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data. To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data.
Enabling the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting automatically enables the [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) policy setting. Enabling the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting automatically enables the [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) policy setting.
When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Possible values ### Possible values
- Enabled - Enabled
The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure
channel traffic.
- Disabled - Disabled
The encryption and signing of all secure channel traffic is negotiated with the domain controller, in which case the level of signing and encryption depends on the version of the domain controller and the settings of the following policies: The encryption and signing of all secure channel traffic is negotiated with the domain controller, in which case the level of signing and encryption depends on the version of the domain controller and the settings of the following policies:
1. [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) 1. [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
2. [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) 2. [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
- Not defined - Not defined
### Best practices ### Best practices
- Set **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled**. - Set **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled**.
- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. - Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**.
- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. - Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**.
**Note**  
You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications. >**Note:**  You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications.
   
### Location ### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values ### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page. The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup> | Server type or GPO | Default value |
<col width="50%" /> | - | - |
<col width="50%" /> | Default Domain Policy | Not defined|
</colgroup> | Default Domain Controller Policy | Enabled |
<thead> | Stand-Alone Server Default Settings | Enabled|
<tr class="header"> | DC Effective Default Settings | Enabled|
<th align="left">Server type or GPO</th> | Member Server Effective Default Settings | Enabled|
<th align="left">Default value</th> | Client Computer Effective Default Settings | Enabled|
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
</tbody>
</table>
   
## Policy management ## Policy management
This section describes features and tools that are available to help you manage this policy. This section describes features and tools that are available to help you manage this policy.
### Restart requirement ### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Group Policy ### Group Policy
Distribution of this policy through Group Policy overrides the Local Security Policy setting. Distribution of this policy through Group Policy overrides the Local Security Policy setting.
## Security considerations ## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability ### Vulnerability
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and
sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Countermeasure ### Countermeasure
Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data. Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data.
- **Domain member: Digitally encrypt or sign secure channel data (always)** - **Domain member: Digitally encrypt or sign secure channel data (always)**
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
### Potential impact ### Potential impact
Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller.
## Related topics ## Related topics
[Security Options](security-options.md)
  - [Security Options](security-options.md)
 

98
windows/keep-secure/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
View File

@ -2,99 +2,107 @@
title: Domain member Digitally encrypt secure channel data (when possible) (Windows 10) title: Domain member Digitally encrypt secure channel data (when possible) (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt secure channel data (when possible) security policy setting. description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt secure channel data (when possible) security policy setting.
ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Domain member: Digitally encrypt secure channel data (when possible) # Domain member: Digitally encrypt secure channel data (when possible)
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting. Describes the best practices, location, values, and security considerations for the **Domain member: Digitally encrypt secure channel data (when possible)** security policy setting.
## Reference ## Reference
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over
the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic:
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains.
Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting.
When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Possible values ### Possible values
- Enabled - Enabled
The domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information that is transmitted over the secure channel will be encrypted. The domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information that is transmitted over the secure channel will be encrypted.
- Disabled - Disabled
The domain member will not attempt to negotiate secure channel encryption. The domain member will not attempt to negotiate secure channel encryption.
**Note**  
If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten. >**Note:**  If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten.
   
- Not defined - Not defined
### Best practices ### Best practices
- Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**. - Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**.
- Set **Domain member: Digitally encrypt secure channel data (when possible)** to **Enabled**. - Set **Domain member: Digitally encrypt secure channel data (when possible)** to **Enabled**.
- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. - Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**.
### Location ### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values ### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page. The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup> | Server type or GPO | Default value |
<col width="50%" /> | - | - |
<col width="50%" /> | Default Domain Policy | Not defined|
</colgroup> | Default Domain Controller Policy | Enabled|
<thead> | Stand-Alone Server Default Settings | Enabled|
<tr class="header"> | DC Effective Default Settings | Enabled|
<th align="left">Server type or GPO</th> | Member Server Effective Default Settings| Enabled|
<th align="left">Default value</th> | Client Computer Effective Default Settings | Enabled|
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
</tbody>
</table>
   
## Policy management ## Policy management
This section describes features and tools that are available to help you manage this policy. This section describes features and tools that are available to help you manage this policy.
### Restart requirement ### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Group Policy ### Group Policy
Distribution of this policy through Group Policy does not override the Local Security Policy setting. Distribution of this policy through Group Policy does not override the Local Security Policy setting.
## Security considerations ## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability ### Vulnerability
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Countermeasure ### Countermeasure
Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data: Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data:
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
- **Domain member: Digitally encrypt secure channel data (when possible)** - **Domain member: Digitally encrypt secure channel data (when possible)**
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
### Potential impact ### Potential impact
Digital signing of the secure channel is a good idea because it protects domain credentials as they are sent to the domain controller. Digital signing of the secure channel is a good idea because it protects domain credentials as they are sent to the domain controller.
## Related topics ## Related topics
[Security Options](security-options.md)
  - [Security Options](security-options.md)
 

95
windows/keep-secure/domain-member-digitally-sign-secure-channel-data-when-possible.md
View File

@ -2,100 +2,105 @@
title: Domain member Digitally sign secure channel data (when possible) (Windows 10) title: Domain member Digitally sign secure channel data (when possible) (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Digitally sign secure channel data (when possible) security policy setting. description: Describes the best practices, location, values, and security considerations for the Domain member Digitally sign secure channel data (when possible) security policy setting.
ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34 ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Domain member: Digitally sign secure channel data (when possible) # Domain member: Digitally sign secure channel data (when possible)
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting. Describes the best practices, location, values, and security considerations for the **Domain member: Digitally sign secure channel data (when possible)** security policy setting.
## Reference ## Reference
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the
secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic:
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
- Domain member: Digitally sign secure channel data (when possible) - Domain member: Digitally sign secure channel data (when possible)
Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains.
Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting.
When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Possible values ### Possible values
- Enabled - Enabled
The domain member will request signing of all secure channel traffic. If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit. The domain member will request signing of all secure channel traffic. If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.
- Disabled - Disabled
Signing will not be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled. Signing will not be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled.
- Not defined - Not defined
### Best practices ### Best practices
- Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**. - Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**.
- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. - Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**.
- Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**. - Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**.
**Note**   >**Note:**  You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications.
You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications.
   
### Location ### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values ### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page. The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup> | Server type or GPO | Default value |
<col width="50%" /> | - | - |
<col width="50%" /> | Default Domain Policy | Not defined|
</colgroup> | Default Domain Controller Policy | Enabled |
<thead> | Stand-Alone Server Default Settings | Enabled|
<tr class="header"> | DC Effective Default Settings | Enabled|
<th align="left">Server type or GPO</th> | Member Server Effective Default Settings| Enabled|
<th align="left">Default value</th> | Client Computer Effective Default Settings | Enabled|
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
</tbody>
</table>
   
## Policy management ## Policy management
This section describes features and tools that are available to help you manage this policy. This section describes features and tools that are available to help you manage this policy.
### Restart requirement ### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Group Policy ### Group Policy
Distribution of this policy through Group Policy does not override the Local Security Policy setting. Distribution of this policy through Group Policy does not override the Local Security Policy setting.
## Security considerations ## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability ### Vulnerability
When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Countermeasure ### Countermeasure
Because these policies are closely related and useful depending on your environment, select one of the following settings as appropriate to configure the devices in your domain to encrypt or sign secure channel data when possible. Because these policies are closely related and useful depending on your environment, select one of the following settings as appropriate to configure the devices in your domain to encrypt or sign secure channel data when possible.
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
- **Domain member: Digitally sign secure channel data (when possible)** - **Domain member: Digitally sign secure channel data (when possible)**
### Potential impact ### Potential impact
Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller.
## Related topics ## Related topics
[Security Options](security-options.md)
  - [Security Options](security-options.md)
 

83
windows/keep-secure/domain-member-disable-machine-account-password-changes.md
View File

@ -2,82 +2,79 @@
title: Domain member Disable machine account password changes (Windows 10) title: Domain member Disable machine account password changes (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting. description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting.
ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867 ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Domain member: Disable machine account password changes # Domain member: Disable machine account password changes
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting. Describes the best practices, location, values, and security considerations for the **Domain member: Disable machine account password changes** security policy setting.
## Reference ## Reference
The **Domain member: Disable machine account password changes** policy setting determines whether a domain member periodically changes its machine account password. Setting its value to **Enabled** prevents the domain member from changing the machine account password. Setting it to **Disabled** allows the domain member to change the machine account password as specified by the value of the [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) policy setting, which is every 30 days by default. The **Domain member: Disable machine account password changes** policy setting determines whether a domain member periodically changes its machine account password. Setting its value to **Enabled** prevents the domain member from changing the machine account password. Setting it to **Disabled** allows the domain member to change the machine account password as specified by the value of the [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) policy setting, which is every 30 days by default.
By default, devices that belong to a domain are automatically required to change the passwords for their accounts every 30 days. Devices that are no longer able to automatically change their machine password are at risk of a malicious user determining the password for the system's domain account. By default, devices that belong to a domain are automatically required to change the passwords for their accounts every 30 days. Devices that are no longer able to automatically change their machine password are at risk of a malicious user determining the password for the system's domain account.
Verify that the **Domain member: Disable machine account password changes** option is set to **Disabled**. Verify that the **Domain member: Disable machine account password changes** option is set to **Disabled**.
### Possible values ### Possible values
- Enabled - Enabled
- Disabled - Disabled
### Best practices ### Best practices
1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions. 1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions.
2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain. 2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain.
### Location ### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values ### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page. The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup> | Server type or GPO | Default value |
<col width="50%" /> | - | - |
<col width="50%" /> | Default Domain Policy | Disabled |
</colgroup> | Default Domain Controller Policy | Disabled|
<thead> | Stand-Alone Server Default Settings | Disabled|
<tr class="header"> | DC Effective Default Settings | Disabled|
<th align="left">Server type or GPO</th> | Member Server Effective Default Settings | Disabled|
<th align="left">Default value</th> | Client Computer Effective Default Settings | Disabled|
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
</tbody>
</table>
   
## Policy management ## Policy management
This section describes features and tools that are available to help you manage this policy. This section describes features and tools that are available to help you manage this policy.
### Restart requirement ### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
## Security considerations ## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability ### Vulnerability
By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account.
By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices
that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account.
### Countermeasure ### Countermeasure
Verify that the **Domain member: Disable machine account password changes** setting is configured to **Disabled**. Verify that the **Domain member: Disable machine account password changes** setting is configured to **Disabled**.
### Potential impact ### Potential impact
None. This is the default configuration. None. This is the default configuration.
## Related topics ## Related topics
[Security Options](security-options.md)
  - [Security Options](security-options.md)
 

82
windows/keep-secure/domain-member-maximum-machine-account-password-age.md
View File

@ -2,81 +2,77 @@
title: Domain member Maximum machine account password age (Windows 10) title: Domain member Maximum machine account password age (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting. description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting.
ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109 ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Domain member: Maximum machine account password age # Domain member: Maximum machine account password age
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting. Describes the best practices, location, values, and security considerations for the **Domain member: Maximum machine account password age** security policy setting.
## Reference ## Reference
The **Domain member: Maximum machine account password age** policy setting determines the maximum allowable age for a machine account password. The **Domain member: Maximum machine account password age** policy setting determines the maximum allowable age for a machine account password.
In Active Directorybased domains, each device has an account and password, just like every user. By default, the domain members automatically change their domain password every 30 days. Increasing this interval significantly, or setting it to **0** so that the device no longer change their passwords, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts. In Active Directorybased domains, each device has an account and password, just like every user. By default, the domain members automatically change their domain password every 30 days. Increasing this interval significantly, or setting it to **0** so that the device no longer change their passwords, gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts.
### Possible values ### Possible values
- User-defined number of days between 0 and 999 - User-defined number of days between 0 and 999
- Not defined. - Not defined.
### Best practices ### Best practices
1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. 1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days.
2. Some organizations pre-build devices and then store them for later use or ship them to remote locations. If the machine's account has expired, it will no longer be able to authenticate with the domain. Devices that cannot authenticate with the domain must be removed from the domain and rejoined to it. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days. 2. Some organizations pre-build devices and then store them for later use or ship them to remote locations. If the machine's account has expired, it will no longer be able to authenticate with the domain. Devices that cannot authenticate with the domain must be removed from the domain and rejoined to it. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days.
### Location ### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values ### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page. The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup> | Server type or GPO | Default value |
<col width="50%" /> | - | - |
<col width="50%" /> | Default Domain Policy | Not defined |
</colgroup> | Default Domain Controller Policy | Not defined|
<thead> | Stand-Alone Server Default Settings | 30 days|
<tr class="header"> | DC Effective Default Settings | 30 days|
<th align="left">Server type or GPO</th> | Member Server Effective Default Settings|30 days|
<th align="left">Default value</th> | Client Computer Effective Default Settings | 30 days|
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>30 days</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>30 days</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>30 days</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>30 days</p></td>
</tr>
</tbody>
</table>
   
## Policy management ## Policy management
This section describes features and tools that are available to help you manage this policy. This section describes features and tools that are available to help you manage this policy.
### Restart requirement ### Restart requirement
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
## Security considerations ## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability ### Vulnerability
In Active Directorybased domains, each device has an account and password, just as every user does. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts.
In Active Directorybased domains, each device has an account and password, just as every user does. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their
passwords, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts.
### Countermeasure ### Countermeasure
Configure the **Domain member: Maximum machine account password age** setting to 30 days. Configure the **Domain member: Maximum machine account password age** setting to 30 days.
### Potential impact ### Potential impact
None. This is the default configuration. None. This is the default configuration.
## Related topics ## Related topics
[Security Options](security-options.md)
  - [Security Options](security-options.md)
 

91
windows/keep-secure/domain-member-require-strong-windows-2000-or-later-session-key.md
View File

@ -2,88 +2,95 @@
title: Domain member Require strong (Windows 2000 or later) session key (Windows 10) title: Domain member Require strong (Windows 2000 or later) session key (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Require strong (Windows 2000 or later) session key security policy setting. description: Describes the best practices, location, values, and security considerations for the Domain member Require strong (Windows 2000 or later) session key security policy setting.
ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd
ms.pagetype: security
ms.prod: W10 ms.prod: W10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security
author: brianlic-msft author: brianlic-msft
--- ---
# Domain member: Require strong (Windows 2000 or later) session key # Domain member: Require strong (Windows 2000 or later) session key
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting.
## Reference ## Reference
The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys. The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys.
Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and session-hijacking network attacks. Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the name of the sender, or it can be redirected. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and session-hijacking network attacks. Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the name of the sender, or it can be redirected.
### Possible values ### Possible values
- Enabled - Enabled
When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running at least Windows 2000 Server. When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running at least Windows 2000 Server.
- Disabled - Disabled
Allows 64-bit session keys to be used. Allows 64-bit session keys to be used.
- Not defined. - Not defined.
### Best practices ### Best practices
- It is advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled. - It is advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled.
### Location ### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values ### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page. The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup> | Server type or GPO
<col width="50%" /> | Default value
<col width="50%" /> | - | - |
</colgroup> | Default Domain Policy | Not defined |
<thead> | Default Domain Controller Policy | Not defined|
<tr class="header"> | Stand-Alone Server Default Settings | Disabled|
<th align="left">Server type or GPO</th> | DC Effective Default Settings | Disabled|
<th align="left">Default value</th> | Member Server Effective Default Settings | Disabled|
</tr> | Client Computer Effective Default Settings | Disabled|
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
</tbody>
</table>
   
## Policy management ## Policy management
This section describes features and tools that are available to help you manage this policy. This section describes features and tools that are available to help you manage this policy.
### Restart requirement ### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Group Policy ### Group Policy
Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled. You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled.
## Security considerations ## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability ### Vulnerability
Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger starting with Windows 2000. Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger starting with Windows 2000.
Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdrop. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.) Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdrop. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)
### Countermeasure ### Countermeasure
Enable the **Domain member: Require strong (Windows 2000 or later) session key** setting. Enable the **Domain member: Require strong (Windows 2000 or later) session key** setting.
If you enable this policy setting, all outgoing secure channel traffic requires a strong encryption key. If you disable this policy setting, the key strength is negotiated. You should enable this policy setting only if the domain controllers in all trusted domains support strong keys. By default, this policy setting is disabled. If you enable this policy setting, all outgoing secure channel traffic requires a strong encryption key. If you disable this policy setting, the key strength is negotiated. You should enable this policy setting only if the domain controllers in all trusted domains support strong keys. By default, this policy setting is disabled.
### Potential impact ### Potential impact
Devices that do not support this policy setting cannot join domains in which the domain controllers have this policy setting enabled. Devices that do not support this policy setting cannot join domains in which the domain controllers have this policy setting enabled.
## Related topics ## Related topics
[Security Options](security-options.md)
  - [Security Options](security-options.md)