mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-20 01:07:23 +00:00
first edit pass
This commit is contained in:
parent
323e951400
commit
a857874b90
@ -105,7 +105,8 @@ An organization's domain and OU structure provide a fundamental starting point f
In addition to your domain model, you should also find out whether your organization creates and maintains a systematic threat model. A good threat model can help you identify threats to key components in your infrastructure, so you can define and apply audit settings that enhance the organization's ability to identify and counter those threats.
>**Important:** Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results.
> [!IMPORTANT]
> Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results.
For additional details about how to complete each of these steps and how to prepare a detailed threat model, download the [IT Infrastructure Threat Modeling Guide](https://go.microsoft.com/fwlink/p/?LinkId=163432).
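Review bot: the `[!IMPORTANT]` alert conversion is correct as far as the two `> ` lines go, but the body sentence it carries over still reads awkwardly ("budget your resources on the areas"); since the line is being rewritten anyway, suggest "> Including auditing in your organization's security plan also makes it possible to budget your resources for the areas where auditing can achieve the most positive results."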
@ -152,15 +153,20 @@ Security and auditing requirements and audit event volume can vary considerably
- If the computers are servers, desktop computers, or portable computers.
- The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity Manager.
>**Note:** If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx).
> [!NOTE]
> For more information about auditing:
> - In Exchange Server, see the [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052).
> - In SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434).
> - In SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx).
- The operating system versions.
>**Note:** The operating system version determines which auditing options are available and the volume of audit event data.
> [!NOTE]
> The operating system version determines which auditing options are available and the volume of audit event data.
- The business value of the data.
For example, a web server that is accessed by external users requires different audit settings than a root certification authority (CA) that is never exposed to the public Internet or even to regular users on the organization's network.
For example, a web server that's accessed by external users requires different audit settings than a root certification authority (CA) that's never exposed to the public Internet or even to regular users on the organization's network.
The following table illustrates an analysis of computers in an organization.
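Review bot: the replacement `[!NOTE]` block drops the one statement the old note tried to make, that server applications such as Exchange Server and SQL Server have their own audit settings (the old line was a fragment, "If the server applications ... have audit settings.", but that is the point a planner needs here, since those settings add to the audit event volume this list is sizing). Suggest opening the new note with a complete sentence, e.g. "> Server applications such as Exchange Server and SQL Server have their own audit settings. For more information about auditing:" before the bulleted links. The contraction changes ("that's") in the web server example are consistent with the rest of the pass.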
@ -173,9 +179,9 @@ The following table illustrates an analysis of computers in an organization.
### Regulatory requirements
Many industries and locales have strict and specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, there are strict guidelines for who has access to records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that can be used to comply with and verify compliance with these regulations.
Many industries and locales have strict and specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, strict guidelines control who has access to records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that you can use to comply with and verify compliance with these regulations.
For more info, see the [System Center Process Pack for IT GRC](https://technet.microsoft.com/library/dd206732.aspx).
For more information, see the [System Center Process Pack for IT GRC](https://technet.microsoft.com/library/dd206732.aspx).
## <a href="" id="bkmk-2"></a>Mapping the security audit policy to groups of users, computers, and resources in your organization
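Review bot: minor consistency point in the rewritten "Regulatory requirements" paragraph: "how they are used" is left uncontracted while this same commit applies contractions elsewhere ("that's", "isn't", "don't"); suggest "how they're used" for a uniform voice. The "For more info" to "For more information" change is good.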
@ -1,6 +1,6 @@
---
title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10)
description: Best practices and more for the security policy setting, Network Security Allow PKU2U authentication requests to this computer to use online identities.
description: Best practices for the Network Security Allow PKU2U authentication requests to this computer to use online identities security setting.
ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926
ms.reviewer:
ms.author: dansimp
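Review bot: the new description capitalizes the setting as "Network Security Allow PKU2U..." while the title line just above uses "Network security Allow PKU2U..."; pick one casing so the page metadata agrees with itself (the article body uses "Network Security: Allow PKU2U ..."). Also `ms.reviewer:` is left empty; either fill it in or drop the key.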
@ -22,18 +22,18 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting.
This article describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting.
## Reference
Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system, and it supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs.
When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that's used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When it's validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
> [!Note]
> The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**.
> The ability to link online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager.
This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later.
This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 and later.
### Possible values
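Review bot: in the Note, the rewrite "anyone who has an account that has standard user's credentials" stacks two "has" clauses and also drops the bold on Credential Manager that the article applies to UI and policy names; suggest "> Anyone with a standard user account can link online IDs through **Credential Manager**." Two smaller points in the same hunk: `> [!Note]` is left in mixed case here while the later hunk of this file normalizes to `> [!NOTE]`, and in the last paragraph "This would disallow..." has no clear antecedent; suggest "Leaving the policy unconfigured prevents online identities from authenticating to domain-joined computers in Windows 7 and later."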
@ -41,18 +41,18 @@ This policy is not configured by default on domain-joined devices. This would di
This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
> [!Note]
> KU2U is disabled by default on Windows Server. Remote desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device, or Hybrid Azure AD-joined domain member Windows 10 device, fails. To resolve this, enable PKU2U on the Server.
> [!NOTE]
> KU2U is disabled by default on Windows Server. Remote desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device, or Hybrid Azure AD-joined domain member Windows 10 device, fail. To resolve this, enable PKU2U on the server.
- **Disabled**
This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
- Not set. Not configuring this policy prevents online IDs from being used to authenticate the user. This is the default on domain-joined devices
- ***Not set***. Not configuring this policy prevents online IDs from being used to authenticate the user. This option is the default on domain-joined devices.
### Best practices
Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or do not configure this policy to exclude online identities from being used to authenticate.
Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate.
### Location
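Review bot: the note text still says "KU2U is disabled by default on Windows Server" in both the old and new lines; this is a typo for "PKU2U", the protocol the whole article is about, and the hunk only fixes "fails" to "fail" and "Server" to "server". Suggest correcting it in the same pass. The unchanged context line above also has "through the use on online IDs", which should be "through the use of online IDs".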
@ -60,7 +60,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
The following table lists the effective default values for this policy. Default values are also listed on the policy’s property page.
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
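Review bot: the edited sentence keeps the curly apostrophe in "policy’s" while the rest of this commit uses straight apostrophes ("isn't", "don't"); suggest "policy's" for consistency. Dropping "actual and" is fine since the table only reports one default value per row.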
@ -73,20 +73,20 @@ The following table lists the actual and effective default values for this polic
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure.
### Vulnerability
Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft Account, so that account can log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). Although this is beneficial for workgroups or home groups, using this feature in a domain-joined environment might circumvent your established security policies.
Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). Although this setup is beneficial for workgroups or home groups, in a domain-joined environment it might circumvent your established security policies.
### Countermeasure
Set this policy to Disabled or do not configure this security policy for domain-joined devices.
Set this policy to *Disabled* or don't configure this security policy for domain-joined devices.
### Potential impact
If you do not set or disable this policy, the PKU2U protocol will not be used to authenticate between peer devices, which forces users to follow domain defined access control policies. If you enable this policy, you will allow your users to authenticate by using local certificates between systems that are not part of a domain that uses PKU2U. This will allow users to share resources between devices
If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which force users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that are not part of a domain that uses PKU2U. This allows users to share resources between devices.
## Related topics
- [Security Options](security-options.md)
- [Security options](security-options.md)
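Review bot: the Potential impact rewrite introduces a subject-verb agreement error: "which force users to follow domain-defined access control policies" should be "which forces users ..." (the old line had "forces"; the relative clause refers to the fact that PKU2U isn't used, not to "devices"). "If you don't set or you disable this policy" also reads awkwardly; suggest "If you don't configure or you disable this policy". The rest of the hunk ("Microsoft account" casing, *Disabled*, "Security options") is fine.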