mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 03:43:39 +00:00
Merge pull request #3592 from MicrosoftDocs/dansimp-strongbad
<strong> tags causing loc issues. replacing w <b>
This commit is contained in:
Tina Burden
GitHub
@ -470,7 +470,7 @@ Each default local account in Active Directory has a number of account settings
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td><p>Account is trusted for delegation</p></td>
|
||||
<td><p>Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the <strong>Delegation</strong> tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the <strong>setspn</strong> command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.</p></td>
|
||||
<td><p>Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the <b>Delegation</b> tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the <b>setspn</b> command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td><p>Account is sensitive and cannot be delegated</p></td>
|
||||
@ -480,7 +480,7 @@ Each default local account in Active Directory has a number of account settings
|
||||
<td><p>Use DES encryption types for this account</p></td>
|
||||
<td><p>Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).</p>
|
||||
<div class="alert">
|
||||
<strong>Note</strong><br/><p>DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see <a href="https://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx" data-raw-source="[Hunting down DES in order to securely deploy Kerberos](https://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx)">Hunting down DES in order to securely deploy Kerberos</a>.</p>
|
||||
<b>Note</b><br/><p>DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see <a href="https://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx" data-raw-source="[Hunting down DES in order to securely deploy Kerberos](https://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx)">Hunting down DES in order to securely deploy Kerberos</a>.</p>
|
||||
</div>
|
||||
<div>
|
||||
|
||||
@ -656,8 +656,8 @@ In this procedure, the workstations are dedicated to domain administrators. By s
|
||||
</colgroup>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td><p><strong>Windows Update Setting</strong></p></td>
|
||||
<td><p><strong>Configuration</strong></p></td>
|
||||
<td><p><b>Windows Update Setting</b></p></td>
|
||||
<td><p><b>Configuration</b></p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td><p>Allow Automatic Updates immediate installation</p></td>
|
||||
|
||||
@ -297,9 +297,9 @@ The following table shows the Group Policy and registry settings that are used t
|
||||
</colgroup>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td><p><strong>No.</strong></p></td>
|
||||
<td><p><strong>Setting</strong></p></td>
|
||||
<td><p><strong>Detailed Description</strong></p></td>
|
||||
<td><p><b>No.</b></p></td>
|
||||
<td><p><b>Setting</b></p></td>
|
||||
<td><p><b>Detailed Description</b></p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td><p></p></td>
|
||||
@ -334,7 +334,7 @@ The following table shows the Group Policy and registry settings that are used t
|
||||
<tr class="even">
|
||||
<td><p>3</p></td>
|
||||
<td><p>Registry key</p></td>
|
||||
<td><p><strong>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</strong></p></td>
|
||||
<td><p><b>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</b></p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td><p></p></td>
|
||||
@ -444,9 +444,9 @@ The following table shows the Group Policy settings that are used to deny networ
|
||||
</colgroup>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td><p><strong>No.</strong></p></td>
|
||||
<td><p><strong>Setting</strong></p></td>
|
||||
<td><p><strong>Detailed Description</strong></p></td>
|
||||
<td><p><b>No.</b></p></td>
|
||||
<td><p><b>Setting</b></p></td>
|
||||
<td><p><b>Detailed Description</b></p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td><p></p></td>
|
||||
|
||||
@ -98,7 +98,7 @@ The following tables describe baseline protections, plus protections for improve
|
||||
| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br>[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
|
||||
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
|
||||
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
|
||||
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. </p></blockquote> |Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. |
|
||||
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><b>Important:</b><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. </p></blockquote> |Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. |
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.
|
||||
@ -133,5 +133,5 @@ The following table lists qualifications for Windows 10, version 1703, which are
|
||||
|
||||
| Protections for Improved Security | Description | Security Benefits
|
||||
|---|---|---|
|
||||
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> - PE sections need to be page-aligned in memory (not required for in non-volatile storage).<br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
||||
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> - PE sections need to be page-aligned in memory (not required for in non-volatile storage).<br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><b>Notes:</b><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
||||
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |
|
||||
|
||||
@ -84,7 +84,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
|
||||
1. In the **Custom OMA-URI Settings** blade, Click **Add**.
|
||||
1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where <b>*tenant ID*</b> is your Azure Active Directory tenant ID from step 2.
|
||||
1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
|
||||
1. Click **OK** to save the row configuration. Click **OK** to close the <strong>Custom OMA-URI Settings blade. Click **Create</strong> to save the profile.
|
||||
1. Click **OK** to save the row configuration. Click **OK** to close the <b>Custom OMA-URI Settings blade. Click **Create</b> to save the profile.
|
||||
|
||||
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
|
||||
|
||||
|
||||
@ -17,7 +17,7 @@ ms.reviewer:
|
||||
---
|
||||
# Windows Hello for Business Provisioning
|
||||
<span id="windows-hello-for-business-provisioning" />
|
||||
<strong>Applies to:</strong>
|
||||
<b>Applies to:</b>
|
||||
- Windows 10
|
||||
|
||||
Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on:
|
||||
|
||||
@ -187,7 +187,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
|
||||
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
|
||||
2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
|
||||
3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
|
||||
4. On the **Extensions** tab, click **Add**. Type <strong>http://crl.[domainname]/cdp/</strong> in **location**. For example, *<http://crl.corp.contoso.com/cdp/>* or *<http://crl.contoso.com/cdp/>* (do not forget the trailing forward slash).
|
||||
4. On the **Extensions** tab, click **Add**. Type <b>http://crl.[domainname]/cdp/</b> in **location**. For example, *<http://crl.corp.contoso.com/cdp/>* or *<http://crl.contoso.com/cdp/>* (do not forget the trailing forward slash).
|
||||
|
||||
5. Select **\<CaName>** from the **Variable** list and click **Insert**. Select **\<CRLNameSuffix>** from the **Variable** list and click **Insert**. Select **\<DeltaCRLAllowed>** from the **Variable** list and click **Insert**.
|
||||
6. Type **.crl** at the end of the text in **Location**. Click **OK**.
|
||||
@ -225,7 +225,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
|
||||
|
||||
Validate your new CRL distribution point is working.
|
||||
|
||||
1. Open a web browser. Navigate to <strong>http://crl.[yourdomain].com/cdp</strong>. You should see two files created from publishing your new CRL.
|
||||
1. Open a web browser. Navigate to <b>http://crl.[yourdomain].com/cdp</b>. You should see two files created from publishing your new CRL.
|
||||
|
||||
|
||||
### Reissue domain controller certificates
|
||||
|
||||
@ -58,7 +58,7 @@ Use the following table to compare different Remote Desktop connection security
|
||||
| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server |
|
||||
| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
|
||||
| **Helps prevent** | N/A | <ul><li> Pass-the-Hash</li> <li>Use of a credential after disconnection </li></ul> | <ul><li> Pass-the-Hash</li> <li>Use of domain identity during connection </li></ul> |
|
||||
| **Credentials supported from the remote desktop client device** | <ul><li><strong>Signed on</strong> credentials <li> <strong>Supplied</strong> credentials<li> <strong>Saved</strong> credentials </ul> | <ul><li> <strong>Signed on</strong> credentials only | <ul><li><strong>Signed on</strong> credentials<li><strong>Supplied</strong> credentials<li><strong>Saved</strong> credentials</ul> |
|
||||
| **Credentials supported from the remote desktop client device** | <ul><li><b>Signed on</b> credentials <li> <b>Supplied</b> credentials<li> <b>Saved</b> credentials </ul> | <ul><li> <b>Signed on</b> credentials only | <ul><li><b>Signed on</b> credentials<li><b>Supplied</b> credentials<li><b>Saved</b> credentials</ul> |
|
||||
| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
|
||||
| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host’s identity**. |
|
||||
| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account |
|
||||
|
||||
@ -270,7 +270,7 @@ To better understand each component, review the table below:
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
The slider will never turn UAC completely off. If you set it to <strong>Never notify</strong>, it will:
|
||||
The slider will never turn UAC completely off. If you set it to <b>Never notify</b>, it will:
|
||||
|
||||
- Keep the UAC service running.
|
||||
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
|
||||
|
||||
Reference in New Issue
Block a user