mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 20:33:42 +00:00
Merge branch 'master' into av-test
This commit is contained in:
Beth Levin
@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: aadake
|
||||
ms.date: 12/08/2018
|
||||
ms.date: 12/20/2018
|
||||
---
|
||||
|
||||
# Kernel DMA Protection for Thunderbolt™ 3
|
||||
@ -38,17 +38,17 @@ A simple example would be a PC owner leaves the PC for a quick coffee break, and
|
||||
|
||||
## How Windows protects against DMA drive-by attacks
|
||||
|
||||
Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external devices from starting and performing DMA unless the drivers for these devices support memory isolation (such as DMA-remapping).
|
||||
Devices with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions.
|
||||
Devices with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen.
|
||||
Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping).
|
||||
Peripherals with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions.
|
||||
By default, peripherals with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen.
|
||||
|
||||
## User experience
|
||||
|
||||
|
||||
|
||||
A device that is incompatible with DMA-remapping will be blocked from starting if the device was plugged in before an authorized user logs in, or while the screen is locked.
|
||||
Once the system is unlocked, the device driver will be started by the OS, and the device will continue to function normally until the system is rebooted, or the device is unplugged.
|
||||
The devices will continue to function normally if the user locks the screen or logs out of the system.
|
||||
A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked.
|
||||
Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged.
|
||||
The peripheral will continue to function normally if the user locks the screen or logs out of the system.
|
||||
|
||||
## System compatibility
|
||||
|
||||
@ -88,7 +88,7 @@ For systems that do not support Kernel DMA Protection, please refer to the [BitL
|
||||
## Frequently asked questions
|
||||
|
||||
### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3?
|
||||
In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
|
||||
In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
|
||||
|
||||
### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
|
||||
No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.
|
||||
@ -108,10 +108,13 @@ In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Co
|
||||
### Do drivers for non-PCI devices need to be compatible with DMA-remapping?
|
||||
No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping.
|
||||
|
||||
### How can an enterprise enable the “External device enumeration” policy?
|
||||
The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated. The policy can be enabled via Group Policy or Mobile Device Management (MDM):
|
||||
### How can an enterprise enable the External device enumeration policy?
|
||||
The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default).
|
||||
|
||||
The policy can be enabled by using:
|
||||
|
||||
- Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
|
||||
- MDM: [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
|
||||
- Mobile Device Management (MDM): [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -17,6 +17,7 @@ ms.date: 11/29/2018
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows Server 2019
|
||||
|
||||
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
|
||||
|
||||
@ -38,7 +39,7 @@ Different versions of the TPM are defined in specifications by the Trusted Compu
|
||||
|
||||
### Automatic initialization of the TPM with Windows 10
|
||||
|
||||
Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
|
||||
Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](https://docs.microsoft.com/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809.
|
||||
|
||||
In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects.
|
||||
|
||||
@ -69,18 +70,18 @@ Some things that you can check on the device are:
|
||||
- Is SecureBoot supported and enabled?
|
||||
|
||||
> [!NOTE]
|
||||
> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
|
||||
> Windows 10, Windows Server 2016 and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
|
||||
|
||||
## Supported versions for device health attestation
|
||||
|
||||
| TPM version | Windows 10 | Windows Server 2016 |
|
||||
|-------------|-------------|---------------------|
|
||||
| TPM 1.2 | >= ver 1607 | >= ver 1607 |
|
||||
| TPM 2.0 | X | X |
|
||||
| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 |
|
||||
|-------------|-------------|---------------------|---------------------|
|
||||
| TPM 1.2 | >= ver 1607 | >= ver 1607 | Yes |
|
||||
| TPM 2.0 | Yes | Yes | Yes |
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
- [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx)
|
||||
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
|
||||
- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule)
|
||||
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
|
||||
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: justinha
|
||||
ms.author: justinha
|
||||
ms.date: 05/30/2018
|
||||
ms.date: 12/18/2018
|
||||
ms.localizationpriority: medium
|
||||
---
|
||||
|
||||
@ -104,7 +104,7 @@ This table provides info about the most common problems you might encounter whil
|
||||
<li>SavedGames</li>
|
||||
</ul>
|
||||
</td>
|
||||
<td>WIP isn’t turned on for employees in your organization.</td>
|
||||
<td>WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using System Center Configuration Manager. </td>
|
||||
<td>Don’t set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 12/20/2018
|
||||
---
|
||||
|
||||
# 4672(S): Special privileges assigned to new logon.
|
||||
@ -18,7 +18,7 @@ ms.date: 04/19/2017
|
||||
|
||||
|
||||
<img src="images/event-4672.png" alt="Event 4672 illustration" width="449" height="503" hspace="10" align="left" />
|
||||
|
||||
</br>
|
||||
***Subcategory:*** [Audit Special Logon](audit-special-logon.md)
|
||||
|
||||
***Event Description:***
|
||||
@ -125,7 +125,7 @@ You typically will see many of these events in the event log, because every logo
|
||||
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
|
||||
| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE |
|
||||
| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
|
||||
| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
|
||||
| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
|
||||
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
|
||||
| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
|
||||
| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
|
||||
|
||||
@ -8,56 +8,57 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
ms.author: justinha
|
||||
author: justinha
|
||||
ms.date: 11/15/2018
|
||||
ms.date: 12/20/2018
|
||||
---
|
||||
|
||||
# How to control USB devices and other removable media using Intune
|
||||
# How to control USB devices and other removable media using Windows Defender ATP
|
||||
|
||||
**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
Windows Defender ATP provides multiple monitoring and control features for USB peripherals to help prevent threats in unauthorized peripherals from compromising your devices:
|
||||
|
||||
You can configure Intune settings to reduce threats from removable storage such as USB devices, including:
|
||||
1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
|
||||
- [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware.
|
||||
- The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB.
|
||||
- [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in.
|
||||
|
||||
2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events)
|
||||
- Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
|
||||
|
||||
- [Block unwanted removeable storage](#block-unwanted-removable-storage)
|
||||
- [Protect allowed removable storage](#protect-allowed-removable-storage)
|
||||
3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral:
|
||||
- Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination.
|
||||
- Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
|
||||
|
||||
Protecting allowed removeable storage requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
|
||||
We recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
|
||||
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
|
||||
You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted.
|
||||
>[!NOTE]
|
||||
>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks.
|
||||
|
||||
> [!NOTE]
|
||||
> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For data loss prevention on Windows 10 devices, you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device.
|
||||
For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog).
|
||||
|
||||
## Block unwanted removeable storage
|
||||
## Prevent threats from removable storage
|
||||
|
||||
Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals.
|
||||
|
||||
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
|
||||
2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
|
||||
### Enable Windows Defender Antivirus Scanning
|
||||
|
||||
|
||||
Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans.
|
||||
|
||||
3. Use the following settings:
|
||||
- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
|
||||
- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting.
|
||||
|
||||
- Name: Windows 10 Device Configuration
|
||||
- Description: Block removeable storage and USB connections
|
||||
- Platform: Windows 10 and later
|
||||
- Profile type: Device restrictions
|
||||
>[!NOTE]
|
||||
>We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**.
|
||||
|
||||
|
||||
<!-- Need to build out point in the precedeing note.
|
||||
-->
|
||||
|
||||
4. Click **Configure** > **General**.
|
||||
### Block untrusted and unsigned processes on USB peripherals
|
||||
|
||||
5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**.
|
||||
|
||||
|
||||
|
||||
6. Click **OK** to close **General** settings and **Device restrictions**.
|
||||
|
||||
7. Click **Create** to save the profile.
|
||||
|
||||
Alternatively, you can create a custom profile in Intune and configure [DeviceInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) policies.
|
||||
|
||||
## Protect allowed removable storage
|
||||
End-users might plug in removable devices that are infected with malware.
|
||||
To prevent infections, a company can block USB files that are unsigned or untrusted.
|
||||
Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral.
|
||||
This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively.
|
||||
With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards.
|
||||
Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files.
|
||||
|
||||
These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
|
||||
|
||||
@ -73,7 +74,7 @@ These settings require [enabling real-time protection](https://docs.microsoft.co
|
||||
- Platform: Windows 10 or later
|
||||
- Profile type: Endpoint protection
|
||||
|
||||
|
||||
|
||||
|
||||
4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**.
|
||||
|
||||
@ -83,4 +84,104 @@ These settings require [enabling real-time protection](https://docs.microsoft.co
|
||||
|
||||
6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**.
|
||||
|
||||
7. Click **Create** to save the profile.
|
||||
7. Click **Create** to save the profile.
|
||||
|
||||
### Protect against Direct Memory Access (DMA) attacks
|
||||
|
||||
DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks:
|
||||
|
||||
1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users.
|
||||
|
||||
Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
|
||||
|
||||
Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default).
|
||||
|
||||
2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can:
|
||||
|
||||
- [Block DMA until a user signs in](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess)
|
||||
- [Block all connections via the Thunderbolt ports (including USB devices)](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
|
||||
|
||||
|
||||
## Detect plug and play connected events
|
||||
|
||||
You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations.
|
||||
For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
|
||||
Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
|
||||
|
||||
## Respond to threats
|
||||
|
||||
Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
|
||||
|
||||
>[!Note]
|
||||
>Always test and refine these settings with a pilot group of users and devices first before applying them in production.
|
||||
|
||||
The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals.
|
||||
For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog).
|
||||
|
||||
| Control | Description |
|
||||
|----------|-------------|
|
||||
| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage |
|
||||
| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware |
|
||||
| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware |
|
||||
|
||||
>[!Note]
|
||||
>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
|
||||
|
||||
### Block installation and usage of removable storage
|
||||
|
||||
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
|
||||
2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
|
||||
|
||||
|
||||
|
||||
3. Use the following settings:
|
||||
|
||||
- Name: Type a name for the profile
|
||||
- Description: Type a description
|
||||
- Platform: Windows 10 and later
|
||||
- Profile type: Device restrictions
|
||||
|
||||
|
||||
|
||||
4. Click **Configure** > **General**.
|
||||
|
||||
5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. **Removable storage** includes USB drives, where **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only.
|
||||
|
||||
|
||||
|
||||
6. Click **OK** to close **General** settings and **Device restrictions**.
|
||||
|
||||
7. Click **Create** to save the profile.
|
||||
|
||||
### Only allow installation and usage of specifically approved peripherals
|
||||
|
||||
Windows Defender ATP allows installation and usage of only specifically approved peripherals by creating a custom profile in Intune and configuring [DeviceInstallation policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation).
|
||||
For example, this custom profile allows installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0".
|
||||
|
||||
|
||||
|
||||
Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
|
||||
|
||||
For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses).
|
||||
Allowing installation of specific devices requires also enabling [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings).
|
||||
|
||||
### Prevent installation of specifically prohibited peripherals
|
||||
|
||||
Windows Defender ATP also blocks installation and usage of prohibited peripherals with a custom profile in Intune.
|
||||
For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0", and applies to USB devices with matching hardware IDs that are already installed.
|
||||
|
||||
|
||||
|
||||
For a SyncML example that prevents installation of specific device IDs, see [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids). To prevent specific device classes, see [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses).
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
|
||||
- [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning)
|
||||
- [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation)
|
||||
- [Perform a custom scan of a removable device](https://aka.ms/scanusb)
|
||||
- [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
|
||||
- [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure)
|
||||
|
||||
|
||||
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 44 KiB After Width: | Height: | Size: 44 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 14 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 14 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 14 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 38 KiB |
@ -13,9 +13,9 @@ ms.date: 08/01/2018
|
||||
# Microsoft Safety Scanner
|
||||
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
|
||||
|
||||
- [Download 32-bit](https://go.microsoft.com/fwlink/?LinkId=212733)
|
||||
- [Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733)
|
||||
|
||||
- [Download 64-bit](https://go.microsoft.com/fwlink/?LinkId=212732)
|
||||
- [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732)
|
||||
|
||||
Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
|
||||
|
||||
|
||||
@ -0,0 +1,8 @@
|
||||
---
|
||||
author: jasongerend
|
||||
ms.author: jgerend
|
||||
ms.date: 1/4/2019
|
||||
ms.topic: include
|
||||
ms.prod: w10
|
||||
---
|
||||
Using SMB packet signing can degrade performance on file service transactions, depending on the version of SMB and available CPU cycles.
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: brianlic-msft
|
||||
ms.date: 06/19/2018
|
||||
ms.date: 01/04/2019
|
||||
---
|
||||
|
||||
# SMBv1 Microsoft network client: Digitally sign communications (always)
|
||||
@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta
|
||||
|
||||
If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled.
|
||||
|
||||
Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions.
|
||||
[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)]
|
||||
|
||||
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
|
||||
- [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)
|
||||
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: brianlic-msft
|
||||
ms.date: 06/19/2018
|
||||
ms.date: 01/04/2019
|
||||
---
|
||||
# SMBv1 Microsoft network client: Digitally sign communications (if server agrees)
|
||||
|
||||
@ -29,7 +29,7 @@ If server-side SMB signing is required, a client computer will not be able to es
|
||||
|
||||
If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled.
|
||||
|
||||
Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions.
|
||||
[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)]
|
||||
|
||||
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
|
||||
|
||||
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: brianlic-msft
|
||||
ms.date: 06/19/201
|
||||
ms.date: 01/04/2019
|
||||
---
|
||||
|
||||
# SMB v1 Microsoft network server: Digitally sign communications (always)
|
||||
@ -33,7 +33,7 @@ If server-side SMB signing is required, a client device will not be able to esta
|
||||
|
||||
If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled.
|
||||
|
||||
Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions.
|
||||
[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)]
|
||||
|
||||
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
|
||||
|
||||
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: brianlic-msft
|
||||
ms.date: 06/19/2018
|
||||
ms.date: 01/04/2019
|
||||
---
|
||||
|
||||
# SMBv1 Microsoft network server: Digitally sign communications (if client agrees)
|
||||
@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta
|
||||
|
||||
If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled.
|
||||
|
||||
Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions.
|
||||
[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)]
|
||||
|
||||
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
|
||||
|
||||
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: jsuther1974
|
||||
ms.date: 11/28/2018
|
||||
ms.date: 01/08/2019
|
||||
---
|
||||
|
||||
# Windows Defender Application Control
|
||||
@ -38,7 +38,7 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs
|
||||
## WDAC System Requirements
|
||||
|
||||
WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016.
|
||||
They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune.
|
||||
They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune.
|
||||
Group Policy or Intune can be used to distribute WDAC policies.
|
||||
|
||||
## New and changed functionality
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/16/2017
|
||||
ms.date: 12/20/2018
|
||||
---
|
||||
|
||||
# Configure HP ArcSight to pull Windows Defender ATP alerts
|
||||
@ -51,10 +51,10 @@ This section guides you in getting the necessary information to set and use the
|
||||
|
||||
You can generate these tokens from the **SIEM integration** setup section of the portal.
|
||||
|
||||
## Install and configure HP ArcSight SmartConnector
|
||||
## Install and configure HP ArcSight FlexConnector
|
||||
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
|
||||
|
||||
1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightSmartConnectors\current\bin`.</br></br>You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
|
||||
1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.</br></br>You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
|
||||
|
||||
2. Follow the installation wizard through the following tasks:
|
||||
- Introduction
|
||||
@ -66,7 +66,7 @@ The following steps assume that you have completed all the required steps in [Be
|
||||
|
||||
You can keep the default values for each of these tasks or modify the selection to suit your requirements.
|
||||
|
||||
3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the SmartConnector installation location, for example:
|
||||
3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the FlexConnector installation location, for example:
|
||||
|
||||
- WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\
|
||||
|
||||
|
||||
@ -10,7 +10,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/02/2018
|
||||
ms.date: 12/14/2018
|
||||
---
|
||||
|
||||
# Onboard servers to the Windows Defender ATP service
|
||||
@ -109,7 +109,15 @@ Agent Resource | Ports
|
||||
| winatp-gw-aue.microsoft.com |443 |
|
||||
|
||||
## Windows Server, version 1803 and Windows Server 2019
|
||||
To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
|
||||
To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines.
|
||||
|
||||
Supported tools include:
|
||||
- Local script
|
||||
- Group Policy
|
||||
- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
|
||||
- VDI onboarding scripts for non-persistent machines
|
||||
|
||||
For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
|
||||
|
||||
1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
|
||||
@ -58,9 +58,6 @@ Review the following details to verify minimum system requirements:
|
||||
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
|
||||
|
||||
- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
|
||||
|
||||
>[!NOTE]
|
||||
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
|
||||
|
||||
- Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 11/27/2018
|
||||
ms.date: 12/19/2018
|
||||
---
|
||||
|
||||
# Customize attack surface reduction rules
|
||||
@ -47,7 +47,7 @@ Rule description | GUID
|
||||
-|:-:|-
|
||||
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
|
||||
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
|
||||
Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
|
||||
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
|
||||
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
|
||||
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
|
||||
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
|
||||
|
||||
Reference in New Issue
Block a user