Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the whitelist of accounts. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | Identify events that correspond to the actions you want to monitor, and for those events, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | diff --git a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md new file mode 100644 index 0000000000..f6dcdfddf4 --- /dev/null +++ b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md @@ -0,0 +1,70 @@ +--- +title: Assign Security Group Filters to the GPO (Windows 10) +description: Assign Security Group Filters to the GPO +ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Assign Security Group Filters to the GPO + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. + +>**Important:** This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones. + + + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs. + +In this topic: + +- [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo) + +- [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo) + +## To allow members of a group to apply a GPO + +Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO. + +1. Open the Group Policy Management console. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**. + + >**Note:** You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. + +4. Click **Add**. + +5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. + +## To prevent members of a group from applying a GPO + +Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain. + +1. Open the Group Policy Management console. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. In the details pane, click the **Delegation** tab. + +4. Click **Advanced**. + +5. Under the **Group or user names** list, click **Add**. + +6. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. + +7. Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy**. + +8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**. + +9. The group appears in the list with **Custom** permissions. diff --git a/windows/keep-secure/audit-account-lockout.md b/windows/keep-secure/audit-account-lockout.md index be3326efee..5aa153c7ac 100644 --- a/windows/keep-secure/audit-account-lockout.md +++ b/windows/keep-secure/audit-account-lockout.md @@ -2,35 +2,37 @@ title: Audit Account Lockout (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Account Lockout **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Account Lockout**, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. + +Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts. Account lockout events are essential for understanding user activity and detecting potential attacks. -Event volume: Low +**Event volume**: Low. -Default setting: Success +This subcategory failure logon attempts, when account was already locked out. -| Event ID | Event message | -| - | - | -| 4625 | An account failed to log on. | - -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).
This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. | +| Member Server | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).
This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. | +| Workstation | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).
This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. | + +**Events List:** + +- [4625](event-4625.md)(F): An account failed to log on. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-application-generated.md b/windows/keep-secure/audit-application-generated.md index 3aa2716aa8..fa461c2535 100644 --- a/windows/keep-secure/audit-application-generated.md +++ b/windows/keep-secure/audit-application-generated.md @@ -2,39 +2,37 @@ title: Audit Application Generated (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Application Generated **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Application Generated**, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). -The following events can generate audit activity: +Audit Application Generated generates events for actions related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx). -- Creation, deletion, or initialization of an application client context -- Application operations +Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012. -Applications that are designed to use the Windows Auditing APIs can use this subcategory to log auditing events that are related to those APIs. The level, volume, relevance, and importance of these audit events depend on the application that generates them. The operating system logs the events as they are generated by the application. +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF – if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. | +| Member Server | IF | IF | IF | IF | IF – if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. | +| Workstation | IF | IF | IF | IF | IF – if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. | -Event volume: Depends on the installed app's use of the Windows Auditing APIs +**Events List:** -Default: Not configured +## 4665: An attempt was made to create an application client context. -| Event ID | Event message | -| - | - | -| 4665 | An attempt was made to create an application client context. | -| 4666 | An application attempted an operation: | -| 4667 | An application client context was deleted. | - -## Related topics +## 4666: An application attempted an operation. + +## 4667: An application client context was deleted. + +## 4668: An application was initialized. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-application-group-management.md b/windows/keep-secure/audit-application-group-management.md index 76cdabda54..7991c5a92d 100644 --- a/windows/keep-secure/audit-application-group-management.md +++ b/windows/keep-secure/audit-application-group-management.md @@ -2,42 +2,49 @@ title: Audit Application Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed. ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Application Group Management **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Application Group Management**, which determines whether the operating system generates audit events when application group management tasks are performed. -Application group management tasks include: +Audit Application Group Management generates events for actions related to [application groups](https://technet.microsoft.com/en-us/library/cc771579.aspx), such as group creation, modification, addition or removal of group member and some other actions. -- An application group is created, changed, or deleted. -- A member is added to or removed from an application group. +[Application groups](https://technet.microsoft.com/en-us/library/cc771579.aspx) are used by [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx). -Event volume: Low +Audit Application Group Management subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------| +| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. | +| Member Server | - | - | - | - | This subcategory is outside the scope of this document. | +| Workstation | - | - | - | - | This subcategory is outside the scope of this document. | -| Event ID | Event message | -| - | - | -| 4783 | A basic application group was created. | -| 4784 | A basic application group was changed. | -| 4785 | A member was added to a basic application group. | -| 4786 | A member was removed from a basic application group. | -| 4787 | A non-member was added to a basic application group. | -| 4788 | A non-member was removed from a basic application group. | -| 4789 | A basic application group was deleted. | -| 4790 | An LDAP query group was created. | - -## Related topics +## 4783(S): A basic application group was created. + +## 4784(S): A basic application group was changed. + +## 4785(S): A member was added to a basic application group. + +## 4786(S): A member was removed from a basic application group. + +## 4787(S): A non-member was added to a basic application group. + +## 4788(S): A non-member was removed from a basic application group. + +## 4789(S): A basic application group was deleted. + +## 4790(S): An LDAP query group was created. + +## 4791(S): An LDAP query group was changed. + +## 4792(S): An LDAP query group was deleted. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-audit-policy-change.md b/windows/keep-secure/audit-audit-policy-change.md index de2aca1b0a..3baaef2ff0 100644 --- a/windows/keep-secure/audit-audit-policy-change.md +++ b/windows/keep-secure/audit-audit-policy-change.md @@ -2,54 +2,79 @@ title: Audit Audit Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy. ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Audit Policy Change **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Audit Policy Change**, which determines whether the operating system generates audit events when changes are made to audit policy. + +Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy. + +**Event volume**: Low. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | Changes to audit policy that are audited include: -- Changing permissions and audit settings on the audit policy object (by using **auditpol /set /sd**). -- Changing the system audit policy. -- Registering and unregistering security event sources. -- Changing per-user audit settings. -- Changing the value of **CrashOnAuditFail**. -- Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key). +- Changing permissions and audit settings on the audit policy object (by using “auditpol /set /sd” command). + +- Changing the system audit policy. + +- Registering and unregistering security event sources. + +- Changing per-user audit settings. + +- Changing the value of CrashOnAuditFail. + +- Changing audit settings on an object (for example, modifying the system access control list ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)) for a file or registry key). + +> **Note** [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change. - > **Note:** SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change. - - Changing anything in the Special Groups list. -> **Important:** Changes to the audit policy are critical security events. - -Event volume: Low +The following events will be enabled with Success auditing in this subcategory: -Default: Success +- 4902(S): The Per-user audit policy table was created. -| Event ID | Event message | -| - | - | -| 4715 | The audit policy (SACL) on an object was changed. | -| 4719 | System audit policy was changed. | -| 4817 | Auditing settings on an object were changed.
**Note: ** This event is logged only on computers running the supported versions of the Windows operating system. | -| 4902 | The Per-user audit policy table was created. | -| 4904 | An attempt was made to register a security event source. | -| 4905 | An attempt was made to unregister a security event source. | -| 4906 | The CrashOnAuditFail value has changed. | -| 4907 | Auditing settings on object were changed. | -| 4908 | Special Groups Logon table modified. | -| 4912 | Per User Audit Policy was changed. | - -## Related topics +- 4907(S): Auditing settings on object were changed. + +- 4904(S): An attempt was made to register a security event source. + +- 4905(S): An attempt was made to unregister a security event source. + +All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting. + +**Events List:** + +- [4715](event-4715.md)(S): The audit policy (SACL) on an object was changed. + +- [4719](event-4719.md)(S): System audit policy was changed. + +- [4817](event-4817.md)(S): Auditing settings on object were changed. + +- [4902](event-4902.md)(S): The Per-user audit policy table was created. + +- [4906](event-4906.md)(S): The CrashOnAuditFail value has changed. + +- [4907](event-4907.md)(S): Auditing settings on object were changed. + +- [4908](event-4908.md)(S): Special Groups Logon table modified. + +- [4912](event-4912.md)(S): Per User Audit Policy was changed. + +- [4904](event-4904.md)(S): An attempt was made to register a security event source. + +- [4905](event-4905.md)(S): An attempt was made to unregister a security event source. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-authentication-policy-change.md b/windows/keep-secure/audit-authentication-policy-change.md index 712e480800..3096a5187c 100644 --- a/windows/keep-secure/audit-authentication-policy-change.md +++ b/windows/keep-secure/audit-authentication-policy-change.md @@ -2,55 +2,75 @@ title: Audit Authentication Policy Change (Windows 10) description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy. ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Authentication Policy Change **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes this Advanced Security Audit policy setting, **Audit Authentication Policy Change**, which determines whether the operating system generates audit events when changes are made to authentication policy. + +Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy. Changes made to authentication policy include: - Creation, modification, and removal of forest and domain trusts. -- Changes to Kerberos policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**. - > **Note:** The audit event is logged when the policy is applied, not when settings are modified by the administrator. - -- When any of the following user rights is granted to a user or group: - - **Access this computer from the network** - - **Allow logon locally** - - **Allow logon through Remote Desktop** - - **Logon as a batch job** - - **Logon as a service** +- Changes to Kerberos policy under Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy. + +- When any of the following user logon rights is granted to a user or group: + + - Access this computer from the network + + - Allow logon locally + + - Allow logon through Remote Desktop + + - Logon as a batch job + + - Logon as a service + - Namespace collision, such as when an added trust collides with an existing namespace name. This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups. -Event volume: Low +**Event volume**: Low. -Default: Success +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | On domain controllers, it is important to enable Success audit for this subcategory to be able to get information related to operations with domain and forest trusts, changes in Kerberos policy and some other events included in this subcategory.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | On member servers it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | On workstations it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4670](event-4670.md)(S): Permissions on an object were changed + +- [4706](event-4706.md)(S): A new trust was created to a domain. + +- [4707](event-4707.md)(S): A trust to a domain was removed. + +- [4716](event-4716.md)(S): Trusted domain information was modified. + +- [4713](event-4713.md)(S): Kerberos policy was changed. + +- [4717](event-4717.md)(S): System security access was granted to an account. + +- [4718](event-4718.md)(S): System security access was removed from an account. + +- [4739](event-4739.md)(S): Domain Policy was changed. + +- [4864](event-4864.md)(S): A namespace collision was detected. + +- [4865](event-4865.md)(S): A trusted forest information entry was added. + +- [4866](event-4866.md)(S): A trusted forest information entry was removed. + +- [4867](event-4867.md)(S): A trusted forest information entry was modified. -| Event ID | Event message | -| - | - | -| 4713 | Kerberos policy was changed. | -| 4716 | Trusted domain information was modified. | -| 4717 | System security access was granted to an account. | -| 4718 | System security access was removed from an account. | -| 4739 | Domain Policy was changed. | -| 4864 | A namespace collision was detected. | -| 4865 | A trusted forest information entry was added. | -| 4866 | A trusted forest information entry was removed. | -| 4867 | A trusted forest information entry was modified. | - -## Related topics - - - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-authorization-policy-change.md b/windows/keep-secure/audit-authorization-policy-change.md index 7e426a2044..bb16d06124 100644 --- a/windows/keep-secure/audit-authorization-policy-change.md +++ b/windows/keep-secure/audit-authorization-policy-change.md @@ -2,39 +2,41 @@ title: Audit Authorization Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Authorization Policy Change **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Authorization Policy Change**, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. -Authorization policy changes that can be audited include: +Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects. -- Assigning or removing user rights (privileges) such as **SeCreateTokenPrivilege**, except for the system access rights that are audited by using the [Audit Authentication Policy Change](audit-authentication-policy-change.md) subcategory. -- Changing the Encrypting File System (EFS) policy. +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.
Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.
Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.
Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -Event volume: Very high +**Events List:** -Default: Not configured +- [4703](event-4703.md)(S): A user right was adjusted. -| Event ID | Event message | -| - | - | -| 4704 | A user right was assigned. | -| 4705 | A user right was removed. | -| 4706 | A new trust was created to a domain. | -| 4707 | A trust to a domain was removed. | -| 4714 | Encrypted data recovery policy was changed. | - -## Related topics +- [4704](event-4704.md)(S): A user right was assigned. + +- [4705](event-4705.md)(S): A user right was removed. + +- [4670](event-4670.md)(S): Permissions on an object were changed. + +- [4911](event-4911.md)(S): Resource attributes of the object were changed. + +- [4913](event-4913.md)(S): Central Access Policy on the object was changed. + +**Event volume**: Medium. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-central-access-policy-staging.md b/windows/keep-secure/audit-central-access-policy-staging.md index 28539eb491..d2c7077220 100644 --- a/windows/keep-secure/audit-central-access-policy-staging.md +++ b/windows/keep-secure/audit-central-access-policy-staging.md @@ -2,30 +2,39 @@ title: Audit Central Access Policy Staging (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy. ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Central Access Policy Staging **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Central Access Policy Staging**, which determines permissions on a Central Access Policy. -Event volume: Medium +Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object. -Default: Not configured +If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows: -| Event ID | Event message | -| - | - | -| 4818 | Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy | - -## Related topics +- Success audits, when configured, record access attempts when the current central access policy grants access, but the proposed policy denies access. + +- Failure audits, when configured, record access attempts when: + + - The current central access policy does not grant access, but the proposed policy grants access. + + - A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4818](event-4818.md)(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-certification-services.md b/windows/keep-secure/audit-certification-services.md index f5aa0959d7..c41330e98c 100644 --- a/windows/keep-secure/audit-certification-services.md +++ b/windows/keep-secure/audit-certification-services.md @@ -1,77 +1,118 @@ --- title: Audit Certification Services (Windows 10) -description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. +description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (ADÂ CS) operations are performed. ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Certification Services **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Certification Services**, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. -Examples of AD CS operations include: +Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. + +Examples of AD CS operations include: + +- AD CS starts, shuts down, is backed up, or is restored. -- AD CS starts, shuts down, is backed up, or is restored. - Certificate revocation list (CRL)-related tasks are performed. + - Certificates are requested, issued, or revoked. -- Certificate manager settings for AD CS are changed. + +- Certificate manager settings for AD CS are changed. + - The configuration and properties of the certification authority (CA) are changed. -- AD CS templates are modified. + +- AD CS templates are modified. + - Certificates are imported. + - A CA certificate is published to Active Directory Domain Services. + - Security permissions for AD CS role services are modified. + - Keys are archived, imported, or retrieved. + - The OCSP Responder Service is started or stopped. Monitoring these operational events is important to ensure that AD CS role services are functioning properly. -Event volume: Low to medium on servers that host AD CS role services +**Event volume: Low to medium on servers that provide AD CS role services.** -Default: Not configured +Role-specific subcategories are outside the scope of this document. -| Event ID | Event message | -| - | - | -| 4868 | The certificate manager denied a pending certificate request. | -| 4869 | Certificate Services received a resubmitted certificate request. | -| 4870 | Certificate Services revoked a certificate. | -| 4871 | Certificate Services received a request to publish the certificate revocation list (CRL). | -| 4872 | Certificate Services published the certificate revocation list (CRL). | -| 4873 | A certificate request extension changed. | -| 4874 | One or more certificate request attributes changed. | -| 4875 | Certificate Services received a request to shut down. | -| 4876 | Certificate Services backup started. | -| 4877 | Certificate Services backup completed. | -| 4878 | Certificate Services restore started. | -| 4879 | Certificate Services restore completed. | -| 4880 | Certificate Services started. | -| 4881 | Certificate Services stopped. | -| 4882 | The security permissions for Certificate Services changed. | -| 4883 | Certificate Services retrieved an archived key. | -| 4884 | Certificate Services imported a certificate into its database. | -| 4885 | The audit filter for Certificate Services changed. | -| 4886 | Certificate Services received a certificate request. | -| 4887 | Certificate Services approved a certificate request and issued a certificate. | -| 4888 | Certificate Services denied a certificate request. | -| 4889 | Certificate Services set the status of a certificate request to pending. | -| 4890 | The certificate manager settings for Certificate Services changed. | -| 4891 | A configuration entry changed in Certificate Services. | -| 4892 | A property of Certificate Services changed. | -| 4893 | Certificate Services archived a key. | -| 4894 | Certificate Services imported and archived a key. | -| 4895 | Certificate Services published the CA certificate to Active Directory Domain Services. | -| 4896 | One or more rows have been deleted from the certificate database. | -| 4897 | Role separation enabled: | -| 4898 | Certificate Services loaded a template. | - -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. | +| Member Server | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. | +| Workstation | No | No | No | No | [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS. | + +## 4868: The certificate manager denied a pending certificate request. + +## 4869: Certificate Services received a resubmitted certificate request. + +## 4870: Certificate Services revoked a certificate. + +## 4871: Certificate Services received a request to publish the certificate revocation list (CRL). + +## 4872: Certificate Services published the certificate revocation list (CRL). + +## 4873: A certificate request extension changed. + +## 4874: One or more certificate request attributes changed. + +## 4875: Certificate Services received a request to shut down. + +## 4876: Certificate Services backup started. + +## 4877: Certificate Services backup completed. + +## 4878: Certificate Services restore started. + +## 4879: Certificate Services restore completed. + +## 4880: Certificate Services started. + +## 4881: Certificate Services stopped. + +## 4882: The security permissions for Certificate Services changed. + +## 4883: Certificate Services retrieved an archived key. + +## 4884: Certificate Services imported a certificate into its database. + +## 4885: The audit filter for Certificate Services changed. + +## 4886: Certificate Services received a certificate request. + +## 4887: Certificate Services approved a certificate request and issued a certificate. + +## 4888: Certificate Services denied a certificate request. + +## 4889: Certificate Services set the status of a certificate request to pending. + +## 4890: The certificate manager settings for Certificate Services changed. + +## 4891: A configuration entry changed in Certificate Services. + +## 4892: A property of Certificate Services changed. + +## 4893: Certificate Services archived a key. + +## 4894: Certificate Services imported and archived a key. + +## 4895: Certificate Services published the CA certificate to Active Directory Domain Services. + +## 4896: One or more rows have been deleted from the certificate database. + +## 4897: Role separation enabled. + +## 4898: Certificate Services loaded a template. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-computer-account-management.md b/windows/keep-secure/audit-computer-account-management.md index f336c85c74..c127ebd500 100644 --- a/windows/keep-secure/audit-computer-account-management.md +++ b/windows/keep-secure/audit-computer-account-management.md @@ -2,34 +2,39 @@ title: Audit Computer Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Computer Account Management **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Computer Account Management**, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. + +Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted. This policy setting is useful for tracking account-related changes to computers that are members of a domain. -Event volume: Low +**Event volume**: Low on domain controllers. -Default: Not configured +This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. -| Event ID | Event message | -| - | - | -| 4741 | A computer account was created. | -| 4742 | A computer account was changed. | -| 4743 | A computer account was deleted. | - -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | We recommend monitoring changes to critical computer objects in Active Directory, such as domain controllers, administrative workstations, and critical servers. It's especially important to be informed if any critical computer account objects are deleted.
Additionally, events in this subcategory will give you information about who deleted, created, or modified a computer object, and when the action was taken.
Typically volume of these events is low on domain controllers.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. | +| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. | + +**Events List:** + +- [4741](event-4741.md)(S): A computer account was created. + +- [4742](event-4742.md)(S): A computer account was changed. + +- [4743](event-4743.md)(S): A computer account was deleted. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-credential-validation.md b/windows/keep-secure/audit-credential-validation.md index fdacd0aa43..5e54e23875 100644 --- a/windows/keep-secure/audit-credential-validation.md +++ b/windows/keep-secure/audit-credential-validation.md @@ -2,42 +2,51 @@ title: Audit Credential Validation (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Credential Validation **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Credential Validation**, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. + +Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials as follows: - For domain accounts, the domain controller is authoritative. + - For local accounts, the local computer is authoritative. -Event volume: High on domain controllers +**Event volume**: -Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they -may occur in conjunction with or on separate computers from Logon and Logoff events. +- High on domain controllers. -Default: Not configured +- Low on member servers and workstations. -| Event ID | Event message | -| - | - | -| 4774 | An account was mapped for logon. | -| 4775 | An account could not be mapped for logon. | -| 4776 | The domain controller attempted to validate the credentials for an account. | -| 4777 | The domain controller failed to validate the credentials for an account. | - -## Related topics +Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events. + +The main reason to enable this auditing subcategory is to handle local accounts authentication attempts and, for domain accounts, NTLM authentication in the domain. It is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | Yes | Yes | Yes | Expected volume of events is high for domain controllers, because this subcategory will generate events when an authentication attempt is made using any domain account and NTLM authentication.
IF – We recommend Success auditing to keep track of domain-account authentication events using the NTLM protocol. Expect a high volume of events. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Just collecting Success auditing events in this subcategory for future use in case of a security incident is not very useful, because events in this subcategory are not always informative.
We recommend Failure auditing, to collect information about failed authentication attempts using domain accounts and the NTLM authentication protocol. | +| Member Server | Yes | Yes | Yes | Yes | Expected volume of events is low for member servers, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.
We recommend Success auditing, to keep track of authentication events by local accounts.
We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. | +| Workstation | Yes | Yes | Yes | Yes | Expected volume of events is low for workstations, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.
We recommend Success auditing, to keep track of authentication events by local accounts.
We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. | + +**Events List:** + +- [4774](event-4774.md)(S): An account was mapped for logon. + +- [4775](event-4775.md)(F): An account could not be mapped for logon. + +- [4776](event-4776.md)(S, F): The computer attempted to validate the credentials for an account. + +- [4777](event-4777.md)(F): The domain controller failed to validate the credentials for an account. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-detailed-directory-service-replication.md b/windows/keep-secure/audit-detailed-directory-service-replication.md index 295527e35e..19aef271fa 100644 --- a/windows/keep-secure/audit-detailed-directory-service-replication.md +++ b/windows/keep-secure/audit-detailed-directory-service-replication.md @@ -6,35 +6,43 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: brianlic-msft +author: Mir0sh --- # Audit Detailed Directory Service Replication **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Detailed Directory Service Replication**, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. + +Audit Detailed Directory Service Replication determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. This audit subcategory can be useful to diagnose replication issues. -Event volume: These events can create a very high volume of event data. +**Event volume**: These events can create a very high volume of event data on domain controllers. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | IF | IF | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for Active Directory replication troubleshooting. | +| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | +| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | -| Event ID | Event message | -| - | - | -| 4928 | An Active Directory replica source naming context was established. | -| 4929 | An Active Directory replica source naming context was removed. | -| 4930 | An Active Directory replica source naming context was modified. | -| 4931 | An Active Directory replica destination naming context was modified. | -| 4934 | Attributes of an Active Directory object were replicated. | -| 4935 | Replication failure begins. | -| 4936 | Replication failure ends. | -| 4937 | A lingering object was removed from a replica. | - -## Related topics +**Events List:** + +- [4928](event-4928.md)(S, F): An Active Directory replica source naming context was established. + +- [4929](event-4929.md)(S, F): An Active Directory replica source naming context was removed. + +- [4930](event-4930.md)(S, F): An Active Directory replica source naming context was modified. + +- [4931](event-4931.md)(S, F): An Active Directory replica destination naming context was modified. + +- [4934](event-4934.md)(S): Attributes of an Active Directory object were replicated. + +- [4935](event-4935.md)(F): Replication failure begins. + +- [4936](event-4936.md)(S): Replication failure ends. + +- [4937](event-4937.md)(S): A lingering object was removed from a replica. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-detailed-file-share.md b/windows/keep-secure/audit-detailed-file-share.md index 4d0294c79c..436399addb 100644 --- a/windows/keep-secure/audit-detailed-file-share.md +++ b/windows/keep-secure/audit-detailed-file-share.md @@ -2,33 +2,41 @@ title: Audit Detailed File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder. ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Detailed File Share **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Detailed File Share**, which allows you to audit attempts to access files and folders on a shared folder. -The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client computer and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. -> **Note:** There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. - -Event volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy +Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder. -Default: Not configured +The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. -| Event ID | Event message | -| - | - | -| 5145 | A network share object was checked to see whether the client can be granted desired access. | - -## Related topics +There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. + +**Event volume**: + +- High on file servers. + +- High on domain controllers because of SYSVOL network access required by Group Policy. + +- Low on member servers and workstations. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to very high volume of events, especially for SYSVOL share.
We recommend monitoring Failure access attempts: the volume should not be very high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. | +| Member Server | IF | Yes | IF | Yes | IF – If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. | +| Workstation | IF | Yes | IF | Yes | IF – If a workstation has shared network folders which typically get many access requests, the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for workstations should not be very high. With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. | + +**Events List:** + +- [5145](event-5145.md)(S, F): A network share object was checked to see whether client can be granted desired access. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-directory-service-access.md b/windows/keep-secure/audit-directory-service-access.md index 2c88e66d93..039b10f684 100644 --- a/windows/keep-secure/audit-directory-service-access.md +++ b/windows/keep-secure/audit-directory-service-access.md @@ -1,34 +1,36 @@ --- title: Audit Directory Service Access (Windows 10) -description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (ADÂ DS) object is accessed. ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Directory Service Access **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Access**, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. -These events are similar to the Directory Service Access events in previous versions of the Windows Server operating systems. -> **Important:** Audit events are generated only on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings. - -Event volume: High on servers running AD DS role services; none on client computers +Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. -Default: Not configured +**Event volume**: High on servers running AD DS role services. -| Event ID | Event message | -| - | - | -| 4662 | An operation was performed on an object. | - -## Related topics +This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. | +| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | +| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | + +**Events List:** + +- [4662](event-4662.md)(S, F): An operation was performed on an object. + +- [4661](event-4661.md)(S, F): A handle to an object was requested. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-directory-service-changes.md b/windows/keep-secure/audit-directory-service-changes.md index 18b22defe5..67d519f452 100644 --- a/windows/keep-secure/audit-directory-service-changes.md +++ b/windows/keep-secure/audit-directory-service-changes.md @@ -1,49 +1,48 @@ --- title: Audit Directory Service Changes (Windows 10) -description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). +description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (ADÂ DS). ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Directory Service Changes **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Changes**, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). -The types of changes that are reported are: +Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). -- Create -- Delete -- Modify -- Move -- Undelete +Auditing of directory service objects can provide information about the old and new properties of the objects that were changed. -Directory Service Changes auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. +Audit events are generated only for objects with configured system access control lists ([SACLs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)), and only when they are accessed in a manner that matches their [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. -> **Important:** Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. - -This subcategory only logs events on domain controllers. Changes to Active Directory objects are important events to track in order to understand the state of the network policy. +This subcategory only logs events on domain controllers. -Event volume: High on domain controllers; none on client computers +**Event volume**: High on domain controllers. -Default: Not configured +This subcategory triggers events when an Active Directory object was modified, created, undeleted, moved, or deleted. -| Event ID | Event message | -| - | - | -| 5136 | A directory service object was modified. | -| 5137 | A directory service object was created. | -| 5138 | A directory service object was undeleted. | -| 5139 | A directory service object was moved. | -| 5141 | A directory service object was deleted. | - -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx) container or Domain Admins group objects.
This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | +| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | + +**Events List:** + +- [5136](event-5136.md)(S): A directory service object was modified. + +- [5137](event-5137.md)(S): A directory service object was created. + +- [5138](event-5138.md)(S): A directory service object was undeleted. + +- [5139](event-5139.md)(S): A directory service object was moved. + +- [5141](event-5141.md)(S): A directory service object was deleted. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-directory-service-replication.md b/windows/keep-secure/audit-directory-service-replication.md index 8dde61d22d..de877d1d2d 100644 --- a/windows/keep-secure/audit-directory-service-replication.md +++ b/windows/keep-secure/audit-directory-service-replication.md @@ -2,31 +2,33 @@ title: Audit Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Directory Service Replication **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Replication**, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. -Event volume: Medium on domain controllers; none on client computers +Audit Directory Service Replication determines whether the operating system generates audit events when replication between two domain controllers begins and ends. -Default: Not configured +**Event volume**: Medium on domain controllers. -| Event ID | Event Message | -| - | - | -| 4932 | Synchronization of a replica of an Active Directory naming context has begun. | -| 4933 | Synchronization of a replica of an Active Directory naming context has ended. | - -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | IF | IF | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for Active Directory replication troubleshooting. | +| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | +| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | + +**Events List:** + +- [4932](event-4932.md)(S): Synchronization of a replica of an Active Directory naming context has begun. + +- [4933](event-4933.md)(S, F): Synchronization of a replica of an Active Directory naming context has ended. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-distribution-group-management.md b/windows/keep-secure/audit-distribution-group-management.md index 80cfcea450..b140fd81cc 100644 --- a/windows/keep-secure/audit-distribution-group-management.md +++ b/windows/keep-secure/audit-distribution-group-management.md @@ -2,51 +2,69 @@ title: Audit Distribution Group Management (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks. ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Distribution Group Management **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Distribution Group Management**, which determines whether the operating system generates audit events for specific distribution-group management tasks. -Tasks for distribution-group management that can be audited include: +Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks. -- A distribution group is created, changed, or deleted. -- A member is added to or removed from a distribution group. +This subcategory generates events only on domain controllers. -This subcategory to which this policy belongs is logged only on domain controllers. -> **Note:** Distribution groups cannot be used to manage access control permissions. - -Event volume: Low +**Event volume**: Low on domain controllers. -Default: Not configured +This subcategory allows you to audit events generated by changes to distribution groups such as the following: -| Event ID | Event message | -| - | - | -| 4744 | A security-disabled local group was created. | -| 4745 | A security-disabled local group was changed. | -| 4746 | A member was added to a security-disabled local group. | -| 4747 | A member was removed from a security-disabled local group. | -| 4748 | A security-disabled local group was deleted. | -| 4749 | A security-disabled global group was created. | -| 4750 | A security-disabled global group was changed. | -| 4751 | A member was added to a security-disabled global group. | -| 4752 | A member was removed from a security-disabled global group. | -| 4753 | A security-disabled global group was deleted. | -| 4759 | A security-disabled universal group was created. | -| 4760 | A security-disabled universal group was changed. | -| 4761 | A member was added to a security-disabled universal group. | -| 4762 | A member was removed from a security-disabled universal group. | +- Distribution group is created, changed, or deleted. - ## Related topics +- Member is added or removed from a distribution group. + +If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A group’s type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | No | IF | No | IF - Typically actions related to distribution groups have low security relevance, much more important to monitor Security Group changes. But if you want to monitor for critical distribution groups changes, such as member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.
Typically volume of these events is low on domain controllers.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. | +| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. | + +**Events List:** + +- [4749](event-4749.md)(S): A security-disabled global group was created. + +- [4750](event-4750.md)(S): A security-disabled global group was changed. + +- [4751](event-4751.md)(S): A member was added to a security-disabled global group. + +- [4752](event-4752.md)(S): A member was removed from a security-disabled global group. + +- [4753](event-4753.md)(S): A security-disabled global group was deleted. + +**4759(S): A security-disabled universal group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4759 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4760(S): A security-disabled universal group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4760 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4761(S): A member was added to a security-disabled universal group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4761 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4762(S): A member was removed from a security-disabled universal group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4762 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4763(S): A security-disabled universal group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4763 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4744(S): A security-disabled local group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4744 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4745(S): A security-disabled local group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4745 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4746(S): A member was added to a security-disabled local group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4746 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4747(S): A member was removed from a security-disabled local group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4747 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**4748(S): A security-disabled local group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4748 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-dpapi-activity.md b/windows/keep-secure/audit-dpapi-activity.md index 30db4c39a8..a17a929770 100644 --- a/windows/keep-secure/audit-dpapi-activity.md +++ b/windows/keep-secure/audit-dpapi-activity.md @@ -2,37 +2,37 @@ title: Audit DPAPI Activity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit DPAPI Activity **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit DPAPI Activity**, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). -DPAPI is used to protect secret information such as stored passwords and key information. For more information about DPAPI, see [Windows Data Protection](http://go.microsoft.com/fwlink/p/?linkid=121720) (http://go.microsoft.com/fwlink/p/?linkid=121720). -Event volume: Low +Audit [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx)). -Default: Not configured +**Event volume**: Low. -If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic, in addition to Windows Server 2008 and Windows Vista. +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. | +| Member Server | IF | IF | IF | IF | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. | +| Workstation | IF | IF | IF | IF | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. | -| Event ID | Event message | -| - | - | -| 4692 | Backup of data protection master key was attempted. | -| 4693 | Recovery of data protection master key was attempted. | -| 4694 | Protection of auditable protected data was attempted. | -| 4695 | Unprotection of auditable protected data was attempted. | - -## Related resource +**Events List:** + +- [4692](event-4692.md)(S, F): Backup of data protection master key was attempted. + +- [4693](event-4693.md)(S, F): Recovery of data protection master key was attempted. + +- [4694](event-4694.md)(S, F): Protection of auditable protected data was attempted. + +- [4695](event-4695.md)(S, F): Unprotection of auditable protected data was attempted. -- [Advanced Security Audit Policy Settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-file-share.md b/windows/keep-secure/audit-file-share.md index af74a0b2a8..05c490cf67 100644 --- a/windows/keep-secure/audit-file-share.md +++ b/windows/keep-secure/audit-file-share.md @@ -2,39 +2,49 @@ title: Audit File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed. ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit File Share **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File Share**, which determines whether the operating system generates audit events when a file share is accessed. -Audit events are not generated when shares are created, deleted, or when share permissions change. -> **Note:** There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited. - +Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. + +There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited. + Combined with File System auditing, File Share auditing enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. -Event volume: High on a file server or domain controller (due to SYSVOL access by client computers for policy processing) +**Event volume**: -Default: Not configured +- High on file servers. -| Event ID | Event message | -| - |- | -| 5140 | A network share object was accessed.
**Note:** This event is logged on computers running Windows 10, Windows Server 2016 Technical Preview, Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. | -| 5142 | A network share object was added. | -| 5143 | A network share object was modified. | -| 5144 | A network share object was deleted. | -| 5168 | SPN check for SMB/SMB2 failed. | - -## Related topics +- High on domain controllers because of SYSVOL network access required by Group Policy. + +- Low on member servers and workstations. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing for domain controllers, because it’s important to track deletion, creation, and modification events for network shares.
We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. | +| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing to track deletion, creation, modification, and access attempts to network share objects.
We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. | +| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing to track deletion, creation, modification and access attempts to network share objects.
We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. | + +**Events List:** + +- [5140](event-5140.md)(S, F): A network share object was accessed. + +- [5142](event-5142.md)(S): A network share object was added. + +- [5143](event-5143.md)(S): A network share object was modified. + +- [5144](event-5144.md)(S): A network share object was deleted. + +- [5168](event-5168.md)(F): SPN check for SMB/SMB2 failed. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-file-system.md b/windows/keep-secure/audit-file-system.md index 1ddb1c3d49..ea941fc892 100644 --- a/windows/keep-secure/audit-file-system.md +++ b/windows/keep-secure/audit-file-system.md @@ -2,39 +2,57 @@ title: Audit File System (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects. ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy -ms.pagetype: security ms.sitesec: library -author: brianlic-msft +author: Mir0sh --- # Audit File System **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 + + +Audit File System determines whether the operating system generates audit events when users attempt to access file system objects. + +Audit events are generated only for objects that have configured system access control lists ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File System**, which determines whether the operating system generates audit events when users attempt to access file system objects. -Audit events are generated only for objects that have configured system access control lists (SACLs), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring. -Event volume: Varies, depending on how file system SACLs are configured +**Event volume**: Varies, depending on how file system [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s are configured. -No audit events are generated for the default file system SACLs. +No audit events are generated for the default file system [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. -Default: Not configured +This subcategory allows you to audit user attempts to access file system objects, file system object deletion and permissions change operations and hard link creation actions. -| Event ID | Event message | -| - | - | -| 4664 | An attempt was made to create a hard link. | -| 4985 | The state of a transaction has changed. | -| 5051 | A file was virtualized. | - -## Related topics +Only one event, “[4658](event-4658.md): The handle to an object was closed,” depends on the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory (Success auditing must be enabled). All other events generate without any additional configuration. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.
Failure events can show you unsuccessful attempts to access specific file system objects.
Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them. | +| Member Server | IF | IF | IF | IF | | +| Workstation | IF | IF | IF | IF | | + +**Events List:** + +- [4656](event-4656.md)(S, F): A handle to an object was requested. + +- [4658](event-4658.md)(S): The handle to an object was closed. + +- [4660](event-4660.md)(S): An object was deleted. + +- [4663](event-4663.md)(S): An attempt was made to access an object. + +- [4664](event-4664.md)(S): An attempt was made to create a hard link. + +- [4985](event-4985.md)(S): The state of a transaction has changed. + +- [5051](event-5051.md)(-): A file was virtualized. + +- [4670](event-4670.md)(S): Permissions on an object were changed. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-filtering-platform-connection.md b/windows/keep-secure/audit-filtering-platform-connection.md index 4b8c95c652..96d8bbd8c3 100644 --- a/windows/keep-secure/audit-filtering-platform-connection.md +++ b/windows/keep-secure/audit-filtering-platform-connection.md @@ -2,48 +2,51 @@ title: Audit Filtering Platform Connection (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Filtering Platform Connection **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Connection**, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. + +Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx). Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). -This security policy enables you to audit the following types of actions: +This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked and allowed port bindings, blocked and allowed port listening actions, and blocked to accept incoming connections applications. -- The Windows Firewall service blocks an application from accepting incoming connections on the network. -- The Windows Filtering Platform allows or blocks a connection. -- The Windows Filtering Platform permits or blocks a bind to a local port. -- The Windows Filtering Platform permits or blocks an application or service from listening for incoming connections on a port. +**Event volume**: High. -Event volume: High +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. | +| Member Server | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. | +| Workstation | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. | -Default: Not configured +**Events List:** -| Event ID | Event message | -| - | - | -| 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. | -| 5140 | A network share object was accessed. | -| 5150 | The Windows Filtering Platform blocked a packet. | -| 5151 | A more restrictive Windows Filtering Platform filter has blocked a packet. | -| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | -| 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | -| 5156 | The Windows Filtering Platform has allowed a connection. | -| 5157 | The Windows Filtering Platform has blocked a connection. | -| 5158 | The Windows Filtering Platform has permitted a bind to a local port. | -| 5159 | The Windows Filtering Platform has blocked a bind to a local port. | - -## Related topics +- [5031](event-5031.md)(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network. + +- [5150](event-5150.md)(-): The Windows Filtering Platform blocked a packet. + +- [5151](event-5151.md)(-): A more restrictive Windows Filtering Platform filter has blocked a packet. + +- [5154](event-5154.md)(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. + +- [5155](event-5155.md)(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. + +- [5156](event-5156.md)(S): The Windows Filtering Platform has permitted a connection. + +- [5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection. + +- [5158](event-5158.md)(S): The Windows Filtering Platform has permitted a bind to a local port. + +- [5159](event-5159.md)(F): The Windows Filtering Platform has blocked a bind to a local port. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-filtering-platform-packet-drop.md b/windows/keep-secure/audit-filtering-platform-packet-drop.md index 96935fa8b7..093fd674de 100644 --- a/windows/keep-secure/audit-filtering-platform-packet-drop.md +++ b/windows/keep-secure/audit-filtering-platform-packet-drop.md @@ -2,35 +2,37 @@ title: Audit Filtering Platform Packet Drop (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. ms.assetid: 95457601-68d1-4385-af20-87916ddab906 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Filtering Platform Packet Drop **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Packet Drop**, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. + +Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx). Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). -A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to computers on your network. +A high rate of dropped packets *may* indicate that there have been attempts to gain unauthorized access to computers on your network. -Event volume: High +**Event volume**: High. -Default setting: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.
There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. | +| Member Server | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.
There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. | +| Workstation | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.
There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. | -| Event ID | Event message | -| - | - | -| 5152 | The Windows Filtering Platform blocked a packet. | -| 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet. | - -## Related topics +**Events List:** + +- [5152](event-5152.md)(F): The Windows Filtering Platform blocked a packet. + +- [5153](event-5153.md)(S): A more restrictive Windows Filtering Platform filter has blocked a packet. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-filtering-platform-policy-change.md b/windows/keep-secure/audit-filtering-platform-policy-change.md index 10c8a9459b..ec8d3374dd 100644 --- a/windows/keep-secure/audit-filtering-platform-policy-change.md +++ b/windows/keep-secure/audit-filtering-platform-policy-change.md @@ -2,224 +2,117 @@ title: Audit Filtering Platform Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Filtering Platform Policy Change **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Policy Change**, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. + +Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following: + +- IPsec services status. + +- Changes to IPsec policy settings. + +- Changes to Windows Filtering Platform Base Filtering Engine policy settings. + +- Changes to WFP providers and engine. Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). -This security policy setting determines whether the operating system generates audit events for: +This subcategory is outside the scope of this document. -- IPsec services status. -- Changes to IPsec settings. -- Status and changes to the Windows Filtering Platform engine and providers. -- IPsec Policy Agent service activities. +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------| +| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. | +| Member Server | - | - | - | - | This subcategory is outside the scope of this document. | +| Workstation | - | - | - | - | This subcategory is outside the scope of this document. | -Event volume: Low +## 4709(S): IPsec Services was started. -Default: Not configured +## 4710(S): IPsec Services was disabled. -
| Event ID | -Event message | -
|---|---|
4709 |
-IPsec Services was started. |
-
4710 |
-IPsec Services was disabled. |
-
4711 |
-May contain any one of the following: -
|
-
4712 |
-IPsec Services encountered a potentially serious failure. |
-
5040 |
-A change has been made to IPsec settings. An Authentication Set was added. |
-
5041 |
-A change has been made to IPsec settings. An Authentication Set was modified. |
-
5042 |
-A change has been made to IPsec settings. An Authentication Set was deleted. |
-
5043 |
-A change has been made to IPsec settings. A Connection Security Rule was added. |
-
5044 |
-A change has been made to IPsec settings. A Connection Security Rule was modified. |
-
5045 |
-A change has been made to IPsec settings. A Connection Security Rule was deleted. |
-
5046 |
-A change has been made to IPsec settings. A Crypto Set was added. |
-
5047 |
-A change has been made to IPsec settings. A Crypto Set was modified. |
-
5048 |
-A change has been made to IPsec settings. A Crypto Set was deleted. |
-
5440 |
-The following callout was present when the Windows Filtering Platform Base Filtering Engine started. |
-
5441 |
-The following filter was present when the Windows Filtering Platform Base Filtering Engine started. |
-
5442 |
-The following provider was present when the Windows Filtering Platform Base Filtering Engine started. |
-
5443 |
-The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. |
-
5444 |
-The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started. |
-
5446 |
-A Windows Filtering Platform callout has been changed. |
-
5448 |
-A Windows Filtering Platform provider has been changed. |
-
5449 |
-A Windows Filtering Platform provider context has been changed. |
-
5450 |
-A Windows Filtering Platform sub-layer has been changed. |
-
5456 |
-PAStore Engine applied Active Directory storage IPsec policy on the computer. |
-
5457 |
-PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. |
-
5458 |
-PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. |
-
5459 |
-PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. |
-
5460 |
-PAStore Engine applied local registry storage IPsec policy on the computer. |
-
5461 |
-PAStore Engine failed to apply local registry storage IPsec policy on the computer. |
-
5462 |
-PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem. |
-
5463 |
-PAStore Engine polled for changes to the active IPsec policy and detected no changes. |
-
5464 |
-PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. |
-
5465 |
-PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. |
-
5466 |
-PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. |
-
5467 |
-PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. |
-
5468 |
-PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. |
-
5471 |
-PAStore Engine loaded local storage IPsec policy on the computer. |
-
5472 |
-PAStore Engine failed to load local storage IPsec policy on the computer. |
-
5473 |
-PAStore Engine loaded directory storage IPsec policy on the computer. |
-
5474 |
-PAStore Engine failed to load directory storage IPsec policy on the computer. |
-
5477 |
-PAStore Engine failed to add quick mode filter. |
-
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4627](event-4627.md)(S): Group membership information. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-handle-manipulation.md b/windows/keep-secure/audit-handle-manipulation.md index 6b9fb9ab21..c1a20800e5 100644 --- a/windows/keep-secure/audit-handle-manipulation.md +++ b/windows/keep-secure/audit-handle-manipulation.md @@ -2,37 +2,37 @@ title: Audit Handle Manipulation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed. ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Handle Manipulation **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Handle Manipulation**, which determines whether the operating system generates audit events when a handle to an object is opened or closed. -Only objects with configured system access control lists (SACLs) generate these events, and only if the attempted handle operation matches the SACL. +Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows object’s handle duplication and close actions. -> **Important:** Handle Manipulation events are generated only for object types where the corresponding File System or Registry Object Access subcategory is enabled. For more information, see [Audit File System](audit-file-system.md) or [Audit Registry](audit-registry.md). - +**Event volume**: High. -Event volume: High, depending on how SACLs are configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. | +| Member Server | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. | +| Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. | -Default: Not configured +**Events List:** -| Event ID | Event message | -| - | - | -| 4656 | A handle to an object was requested. | -| 4658 | The handle to an object was closed. | -| 4690 | An attempt was made to duplicate a handle to an object. | - -## Related topics +- [4658](event-4658.md)(S): The handle to an object was closed. + +- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object. + +## 4658(S): The handle to an object was closed. + +This event doesn’t generate in this subcategory, but you can use this subcategory to enable it. For a description of the event, see “[4658](event-4658.md)(S): The handle to an object was closed” in the Audit File System subcategory. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-ipsec-driver.md b/windows/keep-secure/audit-ipsec-driver.md index dbe0ede32c..628d86b063 100644 --- a/windows/keep-secure/audit-ipsec-driver.md +++ b/windows/keep-secure/audit-ipsec-driver.md @@ -2,53 +2,65 @@ title: Audit IPsec Driver (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver. ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit IPsec Driver **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit IPsec Driver**, which determines whether the operating system generates audit events for the activities of the IPsec driver. -The IPsec driver, using the IP Filter List from the active IPsec policy, watches for outbound IP packets that must be secured and inbound IP packets that must be verified and decrypted. This security policy setting reports on the following activities of the IPsec driver: +Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following: -- Startup and shutdown of IPsec services. -- Packets dropped due to integrity-check failure. -- Packets dropped due to replay-check failure. -- Packets dropped due to being in plaintext. -- Packets received with an incorrect Security Parameter Index (SPI). (This can indicate malfunctioning hardware or interoperability problems.) -- Failure to process IPsec filters. +- Startup and shutdown of the IPsec services. + +- Network packets dropped due to integrity check failure. + +- Network packets dropped due to replay check failure. + +- Network packets dropped due to being in plaintext. + +- Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. + +- Inability to process IPsec filters. A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems. Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. -Event volume: Medium +This subcategory is outside the scope of this document. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. | +| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. | +| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. | -| Event ID | Event message | -| - | - | -| 4960 | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. | -| 4961 | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. | -| 4962 | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. | -| 4963 | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. | -| 4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. | -| 5478 | IPsec Services has started successfully. | -| 5479 | IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. | -| 5480 | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. | -| 5483 | IPsec Services failed to initialize RPC server. IPsec Services could not be started. | -| 5484 | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. | -| 5485 | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. | - -## Related topics +## 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. + +## 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. + +## 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. + +## 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. + +## 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. + +## 5478(S): IPsec Services has started successfully. + +## 5479(): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. + +## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. + +## 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started. + +## 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. + +## 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-ipsec-extended-mode.md b/windows/keep-secure/audit-ipsec-extended-mode.md index 5030fc74a2..83cc51ddc1 100644 --- a/windows/keep-secure/audit-ipsec-extended-mode.md +++ b/windows/keep-secure/audit-ipsec-extended-mode.md @@ -2,41 +2,41 @@ title: Audit IPsec Extended Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit IPsec Extended Mode **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Extended Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. -IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. +Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. -AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports main-mode and quick-mode negotiation. -AuthIP also supports Extended Mode, a part of IPsec peer negotiation during which a second round of authentication can be performed. Extended Mode, which is optional, can be used for multiple authentications. For example, with extended mode you can perform separate computer-based and user-based authentications. +Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting. -Event volume: High +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | +| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | +| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | -Default: Not configured +## 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. -| Event ID | Event message | -| - | - | -| 4978 | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. | -| 4979 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information. | -| 4980 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint. Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information: | -| 4981 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information. | -| 4982 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information. | -| 4983 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information. | -| 4984 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. | - -## Related topics +## 4979: IPsec Main Mode and Extended Mode security associations were established. + +## 4980: IPsec Main Mode and Extended Mode security associations were established. + +## 4981: IPsec Main Mode and Extended Mode security associations were established. + +## 4982: IPsec Main Mode and Extended Mode security associations were established. + +## 4983: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. + +## 4984: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-ipsec-main-mode.md b/windows/keep-secure/audit-ipsec-main-mode.md index 872af92c04..d06d0749d0 100644 --- a/windows/keep-secure/audit-ipsec-main-mode.md +++ b/windows/keep-secure/audit-ipsec-main-mode.md @@ -2,42 +2,45 @@ title: Audit IPsec Main Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit IPsec Main Mode **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Main Mode**, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. -IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. -AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation. -Main Mode Internet Key Exchange (IKE) negotiation establishes a secure channel, known as the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA), between two computers. To establish the secure channel, Main Mode negotiation determines a set of cryptographic protection suites, exchanges keying material to establish the shared secret key, and authenticates computer identities. +Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. -Event volume: High +Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | +| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | +| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | -| Event ID | Event message | -| - | - | -| 4646 | Security ID: %1 | -| 4650 | An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. | -| 4651 | An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. | -| 4652 | An IPsec Main Mode negotiation failed.
**Note:** This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information. | -| 4653 | An IPsec Main Mode negotiation failed.
**Note:** This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. | -| 4655 | An IPsec Main Mode security association ended. | -| 4976 | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. | -| 5049 | An IPsec Security Association was deleted. | -| 5453 | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. | - -## Related topics +## 4646: Security ID: %1 + +## 4650: An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. + +## 4651: An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. + +## 4652: An IPsec Main Mode negotiation failed. + +## 4653: An IPsec Main Mode negotiation failed. + +## 4655: An IPsec Main Mode security association ended. + +## 4976: During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. + +## 5049: An IPsec Security Association was deleted. + +## 5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-ipsec-quick-mode.md b/windows/keep-secure/audit-ipsec-quick-mode.md index 8a3446cb65..6259aa5962 100644 --- a/windows/keep-secure/audit-ipsec-quick-mode.md +++ b/windows/keep-secure/audit-ipsec-quick-mode.md @@ -2,36 +2,33 @@ title: Audit IPsec Quick Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit IPsec Quick Mode **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Quick Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. -IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. -AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation. -Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of security associations (SAs) that are negotiated on behalf of the IPsec service, the SAs that are created during Quick Mode are called the IPsec SAs. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects specified IP traffic is also selected. A protection suite is a defined set of data integrity or data encryption settings. Quick Mode is not considered a complete exchange because it is dependent on a Main Mode exchange. +Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. -Event volume: High +Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | +| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | +| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | -| Event ID | Event message | -|- |- | -| 4977 | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.| -| 5451 | An IPsec Quick Mode security association was established.| -| 5452 | An IPsec Quick Mode security association ended.| - -## Related topics +## 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. + +## 5451: An IPsec Quick Mode security association was established. + +## 5452: An IPsec Quick Mode security association ended. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-kerberos-authentication-service.md b/windows/keep-secure/audit-kerberos-authentication-service.md index f8665de37e..0565b58eef 100644 --- a/windows/keep-secure/audit-kerberos-authentication-service.md +++ b/windows/keep-secure/audit-kerberos-authentication-service.md @@ -2,35 +2,39 @@ title: Audit Kerberos Authentication Service (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Kerberos Authentication Service **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Authentication Service**, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. + +Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts. -Event volume: High on Kerberos Key Distribution Center servers +**Event volume**: High on Kerberos Key Distribution Center servers. -Default: Not configured +This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed Pre-Authentications, due to wrong user password or when the user’s password has expired. -| Event ID | Event message | -| - | - | -| 4768 | A Kerberos authentication ticket (TGT) was requested. | -| 4771 | Kerberos preauthentication failed. | -| 4772 | A Kerberos authentication ticket request failed. | - -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, because you will see all Kerberos Authentication requests (TGT requests), which are a part of domain account logons. Also, you can see the IP address from which this account requested a TGT, when TGT was requested, which encryption type was used and so on.
We recommend Failure auditing, because you will see all failed requests with wrong password, username, revoked certificate, and so on. You will also be able to detect Kerberos issues or possible attack attempts.
Expected volume is high on domain controllers. | +| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | +| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | + +**Events List:** + +- [4768](event-4768.md)(S, F): A Kerberos authentication ticket (TGT) was requested. + +- [4771](event-4771.md)(F): Kerberos pre-authentication failed. + +- [4772](event-4772.md)(F): A Kerberos authentication ticket request failed. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-kerberos-service-ticket-operations.md b/windows/keep-secure/audit-kerberos-service-ticket-operations.md index 4e3a1976d6..5b9d7f1874 100644 --- a/windows/keep-secure/audit-kerberos-service-ticket-operations.md +++ b/windows/keep-secure/audit-kerberos-service-ticket-operations.md @@ -2,37 +2,39 @@ title: Audit Kerberos Service Ticket Operations (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests. ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Kerberos Service Ticket Operations **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Service Ticket Operations**, which determines whether the operating system generates security audit events for Kerberos service ticket requests. + +Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests. Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity. -Event volume: +**Event volume**: Very High on Kerberos Key Distribution Center servers. -- High on a domain controller that is in a Key Distribution Center (KDC) -- Low on domain members +This subcategory contains events about issued TGSs and failed TGS requests. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.
IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. | +| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | +| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | -| Event ID | Event message | -| - | - | -| 4769 | A Kerberos service ticket was requested. | -| 4770 | A Kerberos service ticket was renewed. | - -## Related topics +**Events List:** + +- [4769](event-4769.md)(S, F): A Kerberos service ticket was requested. + +- [4770](event-4770.md)(S): A Kerberos service ticket was renewed. + +- [4773](event-4773.md)(F): A Kerberos service ticket request failed. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-kernel-object.md b/windows/keep-secure/audit-kernel-object.md index 6600a97c21..9815bc9a13 100644 --- a/windows/keep-secure/audit-kernel-object.md +++ b/windows/keep-secure/audit-kernel-object.md @@ -2,40 +2,45 @@ title: Audit Kernel Object (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Kernel Object **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kernel Object**, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. -Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers. +Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. -Typically, kernel objects are given SACLs only if the **AuditBaseObjects** or **AuditBaseDirectories** auditing options are enabled. +Only kernel objects with a matching system access control list ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)) generate security audit events. The audits generated are usually useful only to developers. -> **Note:** The **Audit: Audit the access of global system objects** policy setting controls the default SACL of kernel objects. - -Event volume: High if you have enabled one of the Global Object Access Auditing settings +Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled. + +The “[Audit: Audit the access of global system objects](https://technet.microsoft.com/en-us/library/jj852233.aspx)” policy setting controls the default SACL of kernel objects. + +**Event volume**: High. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high.
There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. | +| Member Server | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high.
There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. | +| Workstation | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high.
There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. | + +**Events List:** + +- [4656](event-4656.md)(S, F): A handle to an object was requested. + +- [4658](event-4658.md)(S): The handle to an object was closed. + +- [4660](event-4660.md)(S): An object was deleted. + +- [4663](event-4663.md)(S): An attempt was made to access an object. -Default setting: Not configured -| Event ID | Event message | -| - | - | -| 4659 | A handle to an object was requested with intent to delete. | -| 4660 | An object was deleted. | -| 4661 | A handle to an object was requested. | -| 4663 | An attempt was made to access an object. | - -## Related topics -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-logoff.md b/windows/keep-secure/audit-logoff.md index 56970b2562..152a1a0770 100644 --- a/windows/keep-secure/audit-logoff.md +++ b/windows/keep-secure/audit-logoff.md @@ -2,38 +2,41 @@ title: Audit Logoff (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated. ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Logoff **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logoff**, which determines whether the operating system generates audit events when logon sessions are terminated. + +Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated. These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to. -> **Note: ** There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. - +There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. + Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated. -Event volume: Low +**Event volume**: Low. -Default: Success +This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. -| Event ID | Event message | -| - | - | -| 4634 | An account was logged off. | -| 4647 | User initiated logoff. | - -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4634](event-4634.md)(S): An account was logged off. + +- [4647](event-4647.md)(S): User initiated logoff. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-logon.md b/windows/keep-secure/audit-logon.md index bd363a9eb0..99a4cb6528 100644 --- a/windows/keep-secure/audit-logon.md +++ b/windows/keep-secure/audit-logon.md @@ -2,44 +2,53 @@ title: Audit Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer. ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Logon **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logon**, which determines whether the operating system generates audit events when a user attempts to log on to a computer. + +Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer. These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed. The following events are recorded: - Logon success and failure. -- Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the Runas command. + +- Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the **RunAs** command. + - Security identifiers (SIDs) are filtered. Logon events are essential to tracking user activity and detecting potential attacks. -Event volume: Low on a client computer; medium on a domain controller or network server +**Event volume**: -Default: Success for client computers; success and failure for servers +- Low on a client computer. -| Event ID | Event message | -| - | - | -| 4624 | An account was successfully logged on. | -| 4625 | An account failed to log on. | -| 4648 | A logon was attempted using explicit credentials. | -| 4675 | SIDs were filtered. | - -## Related topics +- Medium on a domain controllers or network servers. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.
Failure events will show you failed logon attempts and the reason why these attempts failed. | +| Member Server | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.
Failure events will show you failed logon attempts and the reason why these attempts failed. | +| Workstation | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.
Failure events will show you failed logon attempts and the reason why these attempts failed. | + +**Events List:** + +- [4624](event-4624.md)(S): An account was successfully logged on. + +- [4625](event-4625.md)(F): An account failed to log on. + +- [4648](event-4648.md)(S): A logon was attempted using explicit credentials. + +- [4675](event-4675.md)(S): SIDs were filtered. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md index ab8412a168..7ac4228370 100644 --- a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md +++ b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md @@ -2,54 +2,73 @@ title: Audit MPSSVC Rule-Level Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit MPSSVC Rule-Level Policy Change **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit MPSSVC Rule-Level Policy Change**, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). + +Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computer’s threat protection against malware. The tracked activities include: - Active policies when the Windows Firewall service starts. + - Changes to Windows Firewall rules. + - Changes to the Windows Firewall exception list. + - Changes to Windows Firewall settings. + - Rules ignored or not applied by the Windows Firewall service. + - Changes to Windows Firewall Group Policy settings. Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. -Event volume: Low +**Event volume**: Medium. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.
Failure events may help to identify configuration problems with Windows Firewall rules or settings. | +| Member Server | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.
Failure events may help to identify configuration problems with Windows Firewall rules or settings. | +| Workstation | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.
Failure events may help to identify configuration problems with Windows Firewall rules or settings. | -| Event ID | Event message | -| - | - | -| 4944 | The following policy was active when the Windows Firewall started. | -| 4945 | A rule was listed when the Windows Firewall started. | -| 4946 | A change has been made to Windows Firewall exception list. A rule was added. | -| 4947 | A change has been made to Windows Firewall exception list. A rule was modified. | -| 4948 | A change has been made to Windows Firewall exception list. A rule was deleted. | -| 4949 | Windows Firewall settings were restored to the default values. | -| 4950 | A Windows Firewall setting has changed. | -| 4951 | A rule has been ignored because its major version number was not recognized by Windows Firewall. | -| 4952 | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. | -| 4953 | A rule has been ignored by Windows Firewall because it could not parse the rule. | -| 4954 | Windows Firewall Group Policy settings have changed. The new settings have been applied. | -| 4956 | Windows Firewall has changed the active profile. | -| 4957 | Windows Firewall did not apply the following rule: | -| 4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: | - -## Related topics +**Events List:** + +- [4944](event-4944.md)(S): The following policy was active when the Windows Firewall started. + +- [4945](event-4945.md)(S): A rule was listed when the Windows Firewall started. + +- [4946](event-4946.md)(S): A change has been made to Windows Firewall exception list. A rule was added. + +- [4947](event-4947.md)(S): A change has been made to Windows Firewall exception list. A rule was modified. + +- [4948](event-4948.md)(S): A change has been made to Windows Firewall exception list. A rule was deleted. + +- [4949](event-4949.md)(S): Windows Firewall settings were restored to the default values. + +- [4950](event-4950.md)(S): A Windows Firewall setting has changed. + +- [4951](event-4951.md)(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. + +- [4952](event-4952.md)(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. + +- [4953](event-4953.md)(F): A rule has been ignored by Windows Firewall because it could not parse the rule. + +- [4954](event-4954.md)(S): Windows Firewall Group Policy settings have changed. The new settings have been applied. + +- [4956](event-4956.md)(S): Windows Firewall has changed the active profile. + +- [4957](event-4957.md)(F): Windows Firewall did not apply the following rule: + +- [4958](event-4958.md)(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-network-policy-server.md b/windows/keep-secure/audit-network-policy-server.md index f98d7f0579..f1cdad1e90 100644 --- a/windows/keep-secure/audit-network-policy-server.md +++ b/windows/keep-secure/audit-network-policy-server.md @@ -2,40 +2,53 @@ title: Audit Network Policy Server (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Network Policy Server **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Network Policy Server**, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). + +Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. + +If you configure this subcategory, an audit event is generated for each IAS and NAP user access request. + +This subcategory generates events only if NAS or IAS role is installed on the server. NAP events can be used to help understand the overall health of the network. -Event volume: Medium to high on servers that are running Network Policy Server (NPS); moderate on other servers or on client computers +**Event volume**: Medium to High on servers that are running [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS). -Default: Success and failure +Role-specific subcategories are outside the scope of this document. -| Event ID | Event message | -| - | - | -| 6272 | Network Policy Server granted access to a user. | -| 6273 | Network Policy Server denied access to a user. | -| 6274 | Network Policy Server discarded the request for a user. | -| 6275 | Network Policy Server discarded the accounting request for a user. | -| 6276 | Network Policy Server quarantined a user. | -| 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. | -| 6278 | Network Policy Server granted full access to a user because the host met the defined health policy. | -| 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts. | -| 6280 | Network Policy Server unlocked the user account. | - -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. | +| Member Server | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. | +| Workstation | No | No | No | No | [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role cannot be installed on client OS. | + +## 6272: Network Policy Server granted access to a user. + +## 6273: Network Policy Server denied access to a user. + +## 6274: Network Policy Server discarded the request for a user. + +## 6275: Network Policy Server discarded the accounting request for a user. + +## 6276: Network Policy Server quarantined a user. + +## 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. + +## 6278: Network Policy Server granted full access to a user because the host met the defined health policy. + +## 6279: Network Policy Server locked the user account due to repeated failed authentication attempts. + +## 6280: Network Policy Server unlocked the user account. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-non-sensitive-privilege-use.md b/windows/keep-secure/audit-non-sensitive-privilege-use.md index 45dd5b1a2c..ebc770c912 100644 --- a/windows/keep-secure/audit-non-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-non-sensitive-privilege-use.md @@ -1,68 +1,84 @@ --- -title: Audit Non-Sensitive Privilege Use (Windows 10) +title: Audit Non Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- -# Audit Non-Sensitive Privilege Use +# Audit Non Sensitive Privilege Use **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Non-Sensitive Privilege Use**, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. -The following privileges are non-sensitive: +Audit Non Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges: -- **Access Credential Manager as a trusted caller** -- **Access this computer from the network** -- **Add workstations to domain** -- **Adjust memory quotas for a process** -- **Allow log on locally** -- **Allow log on through Terminal Services** -- **Bypass traverse checking** -- **Change the system time** -- **Create a page file** -- **Create global objects** -- **Create permanent shared objects** -- **Create symbolic links** -- **Deny access to this computer from the network** -- **Deny log on as a batch job** -- **Deny log on as a service** -- **Deny log on locally** -- **Deny log on through Terminal Services** -- **Force shutdown from a remote system** -- **Increase a process working set** -- **Increase scheduling priority** -- **Lock pages in memory** -- **Log on as a batch job** -- **Log on as a service** -- **Modify an object label** -- **Perform volume maintenance tasks** -- **Profile single process** -- **Profile system performance** -- **Remove computer from docking station** -- **Shut down the system** -- **Synchronize directory service data** +- Access Credential Manager as a trusted caller + +- Add workstations to domain + +- Adjust memory quotas for a process + +- Bypass traverse checking + +- Change the system time + +- Change the time zone + +- Create a page file + +- Create global objects + +- Create permanent shared objects + +- Create symbolic links + +- Force shutdown from a remote system + +- Increase a process working set + +- Increase scheduling priority + +- Lock pages in memory + +- Modify an object label + +- Perform volume maintenance tasks + +- Profile single process + +- Profile system performance + +- Remove computer from docking station + +- Shut down the system + +- Synchronize directory service data + +This subcategory also contains informational events from filesystem Transaction Manager. If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful attempts, and failure audits record unsuccessful attempts. -Event volume: Very high +**Event volume**: Very High. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.
IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | +| Member Server | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.
IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | +| Workstation | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.
IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | + +**Events List:** + +- [4673](event-4673.md)(S, F): A privileged service was called. + +- [4674](event-4674.md)(S, F): An operation was attempted on a privileged object. + +- [4985](event-4985.md)(S): The state of a transaction has changed. -Default: Not configured -| Event ID | Event message | -| - | - | -| 4672 | Special privileges assigned to new logon. | -| 4673 | A privileged service was called. | -| 4674 | An operation was attempted on a privileged object. | - -## Related topics -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-other-account-logon-events.md b/windows/keep-secure/audit-other-account-logon-events.md index 4511233562..194e56d11b 100644 --- a/windows/keep-secure/audit-other-account-logon-events.md +++ b/windows/keep-secure/audit-other-account-logon-events.md @@ -2,53 +2,27 @@ title: Audit Other Account Logon Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other Account Logon Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit Other Account Logon Events**, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. -Examples can include the following: +**General Subcategory Information:** -- Remote Desktop session disconnections -- New Remote Desktop sessions -- Locking and unlocking a workstation -- Invoking a screen saver -- Dismissing a screen saver -- Detection of a Kerberos replay attack, in which a Kerberos request with identical information was received twice +This auditing subcategory does not contain any events. It is intended for future use. - > **Note:** This condition could be caused by a network misconfiguration. - -- Access to a wireless network granted to a user or computer account -- Access to a wired 802.1x network granted to a user or computer account +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | +| Member Server | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | +| Workstation | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. | -Event volume: Varies, depending on system use - -Default: Not configured - -| Event ID | Event message | -| - | - | -| 4649 | A replay attack was detected. | -| 4778 | A session was reconnected to a Window Station. | -| 4779 | A session was disconnected from a Window Station. | -| 4800 | The workstation was locked. | -| 4801 | The workstation was unlocked. | -| 4802 | The screen saver was invoked. | -| 4803 | The screen saver was dismissed. | -| 5378 | The requested credentials delegation was disallowed by policy. | -| 5632 | A request was made to authenticate to a wireless network. | -| 5633 | A request was made to authenticate to a wired network. | - -## Related topics - -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-other-account-management-events.md b/windows/keep-secure/audit-other-account-management-events.md index 48fecc4788..20b82aa409 100644 --- a/windows/keep-secure/audit-other-account-management-events.md +++ b/windows/keep-secure/audit-other-account-management-events.md @@ -2,38 +2,39 @@ title: Audit Other Account Management Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events. ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other Account Management Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Account Management Events**, which determines whether the operating system generates user account management audit events. -Events can be generated for user account management auditing when: +Audit Other Account Management Events determines whether the operating system generates user account management audit events. -- The password hash of an account is accessed. This typically happens when the Active Directory Migration Tool (ADMT) is moving password data. -- The Password Policy Checking application programming interface (API) is called. Calls to this function could be part of an attack from a malicious application that is testing whether password complexity policy settings are being applied. -- Changes are made to domain policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** or **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**. -> **Note:** These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator. - -Event volume: Low +**Event volume:** Typically Low on all types of computers. -Default: Not configured +This subcategory allows you to audit next events: -| Event ID | Event message | -| - | - | -| 4782 | The password hash for an account was accessed. | -| 4793 | The Password Policy Checking API was called. | - -## Related topics +- The password hash of a user account was accessed. This happens during an Active Directory Management Tool password migration. + +- The Password Policy Checking API was called. Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash an account was accessed.”
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | No | No | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | No | No | No | No | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4782](event-4782.md)(S): The password hash an account was accessed. + +- [4793](event-4793.md)(S): The Password Policy Checking API was called. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-other-logonlogoff-events.md b/windows/keep-secure/audit-other-logonlogoff-events.md index 5b9c517af5..cceda79c69 100644 --- a/windows/keep-secure/audit-other-logonlogoff-events.md +++ b/windows/keep-secure/audit-other-logonlogoff-events.md @@ -2,50 +2,65 @@ title: Audit Other Logon/Logoff Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events. ms.assetid: 76d987cd-1917-4907-a739-dd642609a458 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other Logon/Logoff Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Logon/Logoff Events**, which determines whether Windows generates audit events for other logon or logoff events. + +Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. These other logon or logoff events include: - A Remote Desktop session connects or disconnects. + - A workstation is locked or unlocked. + - A screen saver is invoked or dismissed. + - A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration. -- A user is granted access to a wireless network. It can either be a user account or the computer account. -- A user is granted access to a wired 802.1x network. It can either be a user account or the computer account. + +- A user is granted access to a wireless network. It can be either a user account or the computer account. + +- A user is granted access to a wired 802.1x network. It can be either a user account or the computer account. Logon events are essential to understanding user activity and detecting potential attacks. -Event volume: Low +**Event volume**: Low. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | +| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | +| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | -| Event ID | Event message | -| - | - | -| 4649 | A replay attack was detected. | -| 4778 | A session was reconnected to a Window Station. | -| 4779 | A session was disconnected from a Window Station. | -| 4800 | The workstation was locked. | -| 4801 | The workstation was unlocked. | -| 4802 | The screen saver was invoked. | -| 4803 | The screen saver was dismissed. | -| 5378 | The requested credentials delegation was disallowed by policy. | -| 5632 | A request was made to authenticate to a wireless network. | -| 5633 | A request was made to authenticate to a wired network. | - -## Related topics +**Events List:** + +- [4649](event-4649.md)(S): A replay attack was detected. + +- [4778](event-4778.md)(S): A session was reconnected to a Window Station. + +- [4779](event-4779.md)(S): A session was disconnected from a Window Station. + +- [4800](event-4800.md)(S): The workstation was locked. + +- [4801](event-4801.md)(S): The workstation was unlocked. + +- [4802](event-4802.md)(S): The screen saver was invoked. + +- [4803](event-4803.md)(S): The screen saver was dismissed. + +- [5378](event-5378.md)(F): The requested credentials delegation was disallowed by policy. + +- [5632](event-5632.md)(S): A request was made to authenticate to a wireless network. + +- [5633](event-5633.md)(S): A request was made to authenticate to a wired network. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-other-object-access-events.md b/windows/keep-secure/audit-other-object-access-events.md index 3d453c1927..4501674589 100644 --- a/windows/keep-secure/audit-other-object-access-events.md +++ b/windows/keep-secure/audit-other-object-access-events.md @@ -2,55 +2,53 @@ title: Audit Other Object Access Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other Object Access Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Object Access Events**, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. -For scheduler jobs, the following actions are audited: +Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests. -- Job created. -- Job deleted. -- Job enabled. -- Job disabled. -- Job updated. +**Event volume**: Low. -For COM+ objects, the following actions are audited: +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack. | +| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack. | +| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack. | -- Catalog object added. -- Catalog object updated. -- Catalog object deleted. +**Events List:** -Event volume: Low +- [4671](event-4671.md)(-): An application attempted to access a blocked ordinal through the TBS. -Default: Not configured +- [4691](event-4691.md)(S): Indirect access to an object was requested. -| Event ID | Event message | -| - | - | -| 4671 | An application attempted to access a blocked ordinal through the TBS. | -| 4691 | Indirect access to an object was requested. | -| 4698 | A scheduled task was created. | -| 4699 | A scheduled task was deleted. | -| 4700 | A scheduled task was enabled. | -| 4701 | A scheduled task was disabled. | -| 4702 | A scheduled task was updated. | -| 5148 | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. | -| 5149 | The DoS attack has subsided and normal processing is being resumed. | -| 5888 | An object in the COM+ Catalog was modified. | -| 5889 | An object was deleted from the COM+ Catalog. | -| 5890 | An object was added to the COM+ Catalog. | - -## Related topics +- [5148](event-5148.md)(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. + +- [5149](event-5149.md)(F): The DoS attack has subsided and normal processing is being resumed. + +- [4698](event-4698.md)(S): A scheduled task was created. + +- [4699](event-4699.md)(S): A scheduled task was deleted. + +- [4700](event-4700.md)(S): A scheduled task was enabled. + +- [4701](event-4701.md)(S): A scheduled task was disabled. + +- [4702](event-4702.md)(S): A scheduled task was updated. + +- [5888](event-5888.md)(S): An object in the COM+ Catalog was modified. + +- [5889](event-5889.md)(S): An object was deleted from the COM+ Catalog. + +- [5890](event-5890.md)(S): An object was added to the COM+ Catalog. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-other-policy-change-events.md b/windows/keep-secure/audit-other-policy-change-events.md index 5ef649bca4..81cb8c52aa 100644 --- a/windows/keep-secure/audit-other-policy-change-events.md +++ b/windows/keep-secure/audit-other-policy-change-events.md @@ -2,50 +2,61 @@ title: Audit Other Policy Change Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other Policy Change Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Policy Change Events**, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. -These other activities in the Policy Change category that can be audited include: +Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. -- Trusted Platform Module (TPM) configuration changes. -- Kernel-mode cryptographic self tests. -- Cryptographic provider operations. -- Cryptographic context operations or modifications. +**Event volume**: Low. -Event volume: Low +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.
We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. | +| Member Server | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.
We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. | +| Workstation | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.
We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. | -Default: Not configured +**Events List:** -| Event ID | Event message | -| - | - | -| 4670 | Permissions on an object were changed. | -| 4909 | The local policy settings for the TBS were changed. | -| 4910 | The group policy settings for the TBS were changed. | -| 5063 | A cryptographic provider operation was attempted. | -| 5064 | A cryptographic context operation was attempted. | -| 5065 | A cryptographic context modification was attempted. | -| 5066 | A cryptographic function operation was attempted. | -| 5067 | A cryptographic function modification was attempted. | -| 5068 | A cryptographic function provider operation was attempted. | -| 5069 | A cryptographic function property operation was attempted. | -| 5070 | A cryptographic function property modification was attempted. | -| 5447 | A Windows Filtering Platform filter has been changed. | -| 6144 | Security policy in the group policy objects has been applied successfully. | -| 6145 | One or more errors occurred while processing security policy in the group policy objects. | - -## Related topics +- [4714](event-4714.md)(S): Encrypted data recovery policy was changed. + +- [4819](event-4819.md)(S): Central Access Policies on the machine have been changed. + +- [4826](event-4826.md)(S): Boot Configuration Data loaded. + +- [4909](event-4909.md)(-): The local policy settings for the TBS were changed. + +- [4910](event-4910.md)(-): The group policy settings for the TBS were changed. + +- [5063](event-5063.md)(S, F): A cryptographic provider operation was attempted. + +- [5064](event-5064.md)(S, F): A cryptographic context operation was attempted. + +- [5065](event-5065.md)(S, F): A cryptographic context modification was attempted. + +- [5066](event-5066.md)(S, F): A cryptographic function operation was attempted. + +- [5067](event-5067.md)(S, F): A cryptographic function modification was attempted. + +- [5068](event-5068.md)(S, F): A cryptographic function provider operation was attempted. + +- [5069](event-5069.md)(S, F): A cryptographic function property operation was attempted. + +- [5070](event-5070.md)(S, F): A cryptographic function property modification was attempted. + +- [5447](event-5447.md)(S): A Windows Filtering Platform filter has been changed. + +- [6144](event-6144.md)(S): Security policy in the group policy objects has been applied successfully. + +- [6145](event-6145.md)(F): One or more errors occurred while processing security policy in the group policy objects. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-other-privilege-use-events.md b/windows/keep-secure/audit-other-privilege-use-events.md index 5babb23a8a..a411c1b6b4 100644 --- a/windows/keep-secure/audit-other-privilege-use-events.md +++ b/windows/keep-secure/audit-other-privilege-use-events.md @@ -2,21 +2,31 @@ title: Audit Other Privilege Use Events (Windows 10) description: This security policy setting is not used. ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other Privilege Use Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 + + +This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------| +| Domain Controller | No | No | No | No | This auditing subcategory doesn’t have any informative events inside. | +| Member Server | No | No | No | No | This auditing subcategory doesn’t have any informative events inside. | +| Workstation | No | No | No | No | This auditing subcategory doesn’t have any informative events inside. | + +**Events List:** + +- [4985](event-4674.md)(S): The state of a transaction has changed. + -This security policy setting is not used. -## Related topics -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-other-system-events.md b/windows/keep-secure/audit-other-system-events.md index 3bb668bd64..91f62b06de 100644 --- a/windows/keep-secure/audit-other-system-events.md +++ b/windows/keep-secure/audit-other-system-events.md @@ -2,59 +2,87 @@ title: Audit Other System Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events. ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Other System Events **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other System Events**, which determines whether the operating system audits various system events. + +Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures. + +Audit Other System Events determines whether the operating system audits various system events. The system events in this category include: - Startup and shutdown of the Windows Firewall service and driver. + - Security policy processing by the Windows Firewall service. + - Cryptography key file and migration operations. -> **Important:** Failure to start the Windows Firewall service may result in a computer that is not fully protected against network threats. - -Event volume: Low +- BranchCache events. -Default: Success and failure +**Event volume**: Low. -| Event ID | Event message | -| - | - | -| 5024 | The Windows Firewall Service has started successfully. | -| 5025 | The Windows Firewall Service has been stopped. | -| 5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. | -| 5028 | The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. | -| 5029 | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. | -| 5030 | The Windows Firewall Service failed to start. | -| 5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.| -| 5033 | The Windows Firewall Driver has started successfully. | -| 5034 | The Windows Firewall Driver has been stopped. | -| 5035 | The Windows Firewall Driver failed to start. | -| 5037 | The Windows Firewall Driver detected critical runtime error. Terminating.| -| 5058 | Key file operation. | -| 5059 | Key migration operation.| -| 6400 | BranchCache: Received an incorrectly formatted response while discovering availability of content.| -| 6401 | BranchCache: Received invalid data from a peer. Data discarded. | -| 6402 | BranchCache: The message to the hosted cache offering it data is incorrectly formatted.| -| 6403 | BranchCache: The hosted cache sent an incorrectly formatted response to the client. | -| 6404 | BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.| -| 6405 | BranchCache: %2 instance(s) of event id %1 occurred. | -| 6406 | %1 registered to Windows Firewall to control filtering for the following: %2| -| 6407 | 1% | -| 6408 | Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 | - -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. | +| Member Server | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. | +| Workstation | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. | + +**Events List:** + +- [5024](event-5024.md)(S): The Windows Firewall Service has started successfully. + +- [5025](event-5025.md)(S): The Windows Firewall Service has been stopped. + +- [5027](event-5027.md)(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. + +- [5028](event-5028.md)(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. + +- [5029](event-5029.md)(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. + +- [5030](event-5030.md)(F): The Windows Firewall Service failed to start. + +- [5032](event-5032.md)(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. + +- [5033](event-5033.md)(S): The Windows Firewall Driver has started successfully. + +- [5034](event-5034.md)(S): The Windows Firewall Driver was stopped. + +- [5035](event-5035.md)(F): The Windows Firewall Driver failed to start. + +- [5037](event-5037.md)(F): The Windows Firewall Driver detected critical runtime error. Terminating. + +- [5058](event-5058.md)(S, F): Key file operation. + +- [5059](event-5059.md)(S, F): Key migration operation. + +- [6400](event-6400.md)(-): BranchCache: Received an incorrectly formatted response while discovering availability of content. + +- [6401](event-6401.md)(-): BranchCache: Received invalid data from a peer. Data discarded. + +- [6402](event-6402.md)(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted. + +- [6403](event-6403.md)(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client. + +- [6404](event-6404.md)(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. + +- [6405](event-6405.md)(-): BranchCache: %2 instance(s) of event id %1 occurred. + +- [6406](event-6406.md)(-): %1 registered to Windows Firewall to control filtering for the following: %2 + +- [6407](event-6407.md)(-): 1% + +- [6408](event-6408.md)(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 + +- [6409](event-6408.md)(-): BranchCache: A service connection point object could not be parsed. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-pnp-activity.md b/windows/keep-secure/audit-pnp-activity.md index c80884e78c..bef34f8715 100644 --- a/windows/keep-secure/audit-pnp-activity.md +++ b/windows/keep-secure/audit-pnp-activity.md @@ -2,32 +2,45 @@ title: Audit PNP Activity (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device. ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit PNP Activity **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit PNP Activity**, which determines when plug and play detects an external device. -A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a PC a PnP event is triggered. +Audit PNP Activity determines when Plug and Play detects an external device. -Event volume: Varies, depending on how the computer is used +A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered. -Default: Not configured +**Event volume**: Varies, depending on how the computer is used. Typically Low. -| Event ID | Event message | -| - | - | -| 6416 | A new external device was recognized by the system. | - -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy.
You can track, for example, whether a USB flash drive or stick was attached to a domain controller, which is typically not allowed.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy.
You can track, for example, whether a USB flash drive or stick was attached to a critical server, which is typically not allowed.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy.
You can track, for example, whether a USB flash drive or stick was attached to an administrative workstation or VIP workstation.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [6416](event-6416.md)(S): A new external device was recognized by the System + +- [6419](event-6419.md)(S): A request was made to disable a device + +- [6420](event-6420.md)(S): A device was disabled. + +- [6421](event-6421.md)(S): A request was made to enable a device. + +- [6422](event-6422.md)(S): A device was enabled. + +- [6423](event-6423.md)(S): The installation of this device is forbidden by system policy. + +- [6424](event-6424.md)(S): The installation of this device was allowed, after having previously been forbidden by policy. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-process-creation.md b/windows/keep-secure/audit-process-creation.md index c9c6d41c57..9616b172bf 100644 --- a/windows/keep-secure/audit-process-creation.md +++ b/windows/keep-secure/audit-process-creation.md @@ -2,34 +2,37 @@ title: Audit Process Creation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts). ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Process Creation **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Creation**, which determines whether the operating system generates audit events when a process is created (starts). + +Audit Process Creation determines whether the operating system generates audit events when a process is created (starts). These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process. -Event volume: Low to medium, depending on system usage +**Event volume**: Low to Medium, depending on system usage. -Default: Not configured +This subcategory allows you to audit events generated when a process is created or starts. The name of the application and user that created the process is also audited. -| Event ID | Event message | -| - | - | -| 4688 | A new process has been created.| -| 4696 | A primary token was assigned to a process.| - -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process.
Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.
The event volume is typically medium-high level, depending on the process activity on the computer.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process.
Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.
The event volume is typically medium-high level, depending on the process activity on the computer.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process.
Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.
The event volume is typically medium-high level, depending on the process activity on the computer.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4688](event-4688.md)(S): A new process has been created. + +- [4696](event-4696.md)(S): A primary token was assigned to process. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-process-termination.md b/windows/keep-secure/audit-process-termination.md index 9f4fde6d86..493f39cc30 100644 --- a/windows/keep-secure/audit-process-termination.md +++ b/windows/keep-secure/audit-process-termination.md @@ -2,37 +2,35 @@ title: Audit Process Termination (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process. ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Process Termination **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Termination**, which determines whether the operating system generates audit events when an attempt is made to end a process. + +Audit Process Termination determines whether the operating system generates audit events when process has exited. Success audits record successful attempts and Failure audits record unsuccessful attempts. -If you do not configure this policy setting, no audit event is generated when a process ends. - This policy setting can help you track user activity and understand how the computer is used. -Event volume: Varies, depending on how the computer is used +**Event volume**: Low to Medium, depending on system usage. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Event ID | Event message | -| - | - | -| 4689 | A process has exited. | +**Events List:** -## Related topics +- [4689](event-4689.md)(S): A process has exited. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-registry.md b/windows/keep-secure/audit-registry.md index 2f58eb5560..ad25025bc9 100644 --- a/windows/keep-secure/audit-registry.md +++ b/windows/keep-secure/audit-registry.md @@ -2,37 +2,45 @@ title: Audit Registry (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects. ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Registry **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Registry**, which determines whether the operating system generates audit events when users attempt to access registry objects. -Audit events are generated only for objects that have configured system access control lists (SACLs) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. +Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. -If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching -SACL. +If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL. -Event volume: Low to medium, depending on how registry SACLs are configured +**Event volume**: Low to Medium, depending on how registry SACLs are configured. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.
Failure events can show you unsuccessful attempts to access specific registry objects.
Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them. | +| Member Server | IF | IF | IF | IF | | +| Workstation | IF | IF | IF | IF | | -| Event ID | Event message | -| - | - | -| 4657 | A registry value was modified. | -| 5039 | A registry key was virtualized. | - -## Related topics +**Events List:** + +- [4663](event-4663.md)(S): An attempt was made to access an object. + +- [4656](event-4656.md)(S, F): A handle to an object was requested. + +- [4658](event-4658.md)(S): The handle to an object was closed. + +- [4660](event-4660.md)(S): An object was deleted. + +- [4657](event-4657.md)(S): A registry value was modified. + +- [5039](event-5039.md)(-): A registry key was virtualized. + +- [4670](event-4670.md)(S): Permissions on an object were changed. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-removable-storage.md b/windows/keep-secure/audit-removable-storage.md index cdfc2b415e..de2555c64a 100644 --- a/windows/keep-secure/audit-removable-storage.md +++ b/windows/keep-secure/audit-removable-storage.md @@ -2,128 +2,35 @@ title: Audit Removable Storage (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive. ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Removable Storage **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines when there is a read or a write to a removable drive. -Event volume: Low +Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | This subcategory will help identify when and which files or folders were accessed or modified on removable devices.
It is often useful to track actions with removable storage devices and the files or folders on them, because malicious software very often uses removable devices as a method to get into the system. At the same time, you will be able to track which files were written or executed from a removable storage device.
You can track, for example, actions with files or folders on USB flash drives or sticks that were inserted into domain controllers or high value servers, which is typically not allowed.
We recommend Failure auditing to track failed access attempts. | +| Member Server | Yes | Yes | Yes | Yes | | +| Workstation | Yes | Yes | Yes | Yes | | + +**Events List:** + +- [4656](event-4656.md)(S, F): A handle to an object was requested. + +- [4658](event-4658.md)(S): The handle to an object was closed. + +- [4663](event-4663.md)(S): An attempt was made to access an object. -Default: Not configured -
| Event ID | -Event message | -
|---|---|
4663 |
-An attempt was made to access an object. -Subject: -Security ID: %1 -Account Name: %2 -Account Domain: %3 -Logon ID: %4 -Object: -Object Server: %5 -Object Type: %6 -Object Name: %7 -Handle ID: %8 -Process Information: -Process ID: %11 -Process Name: %12 -Access Request Information: -Accesses: %9 -Access Mask: %10 |
-
4659 |
-A handle to an object was requested with intent to delete. -Subject: -Security ID: %1 -Account Name: %2 -Account Domain: %3 -Logon ID: %4 -Object: -Object Server: %5 -Object Type: %6 -Object Name: %7 -Handle ID: %8 -Process Information: -Process ID: %13 -Access Request Information: -Transaction ID: %9 -Accesses: %10 -Access Mask: %11 -Privileges Used for Access Check: %12 |
-
4818 |
-Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. -Subject: -Security ID: %1 -Account Name: %2 -Account Domain: %3 -Logon ID: %4 -Object: -Object Server: %5 -Object Type: %6 -Object Name: %7 -Handle ID: %8 -Process Information: -Process ID: %9 -Process Name: %10 -Current Central Access Policy results: -Access Reasons: %11 -Proposed Central Access Policy results that differ from the current Central Access Policy results: -Access Reasons: %12 |
-
4656 |
-A handle to an object was requested. -Subject: -Security ID: %1 -Account Name: %2 -Account Domain: %3 -Logon ID: %4 -Object: -Object Server: %5 -Object Type: %6 -Object Name: %7 -Handle ID: %8 -Resource Attributes: %17 -Process Information: -Process ID: %15 -Process Name: %16 -Access Request Information: -Transaction ID: %9 -Accesses: %10 -Access Reasons: %11 -Access Mask: %12 -Privileges Used for Access Check: %13 -Restricted SID Count: %14 |
-
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4731](event-4731.md)(S): A security-enabled local group was created. + +- [4732](event-4732.md)(S): A member was added to a security-enabled local group. + +- [4733](event-4733.md)(S): A member was removed from a security-enabled local group. + +- [4734](event-4734.md)(S): A security-enabled local group was deleted. + +- [4735](event-4735.md)(S): A security-enabled local group was changed. + +- [4764](event-4764.md)(S): A group’s type was changed. + +- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated. + +**4727(S): A security-enabled global group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.” Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply. + +**4737(S): A security-enabled global group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.” Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply. + +**4728(S): A member was added to a security-enabled global group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.” Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply. + +**4729(S): A member was removed from a security-enabled global group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.” Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply. + +**4730(S): A security-enabled global group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.” Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply. + +**4754(S): A security-enabled universal group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.”. Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply. + +**4755(S): A security-enabled universal group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.”. Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply. + +**4756(S): A member was added to a security-enabled universal group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.”. Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply. + +**4757(S): A member was removed from a security-enabled universal group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.”. Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply. + +**4758(S): A security-enabled universal group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.”. Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. + +**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-security-state-change.md b/windows/keep-secure/audit-security-state-change.md index e8c184b3e0..54492ea27c 100644 --- a/windows/keep-secure/audit-security-state-change.md +++ b/windows/keep-secure/audit-security-state-change.md @@ -2,44 +2,37 @@ title: Audit Security State Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system. ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Security State Change **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security State Change**, which determines whether Windows generates audit events for changes in the security state of a system. -Changes in the security state of the operating system include: +Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time. -- System startup and shutdown. -- Change of system time. -- System recovery from **CrashOnAuditFail**. This event is logged after a system reboots following **CrashOnAuditFail**. +**Event volume**: Low. - > **Important:** Some auditable activity may not be recorded when a system restarts due to **CrashOnAuditFail**. - -System startup and shutdown events are important for understanding system usage. +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -Event volume: Low +**Events List:** -Default: Success +- [4608](event-4608.md)(S): Windows is starting up. -| Event ID | Event message summary | Minimum requirement | -| - | - | - | -| 4608 | Windows is starting up. | Windows Vista, Windows Server 2008 | -| 4609 | Windows is shutting down. | Windows Vista, Windows Server 2008 | -| 4616 | The system time was changed.| Windows Vista, Windows Server 2008 | -| 4621 | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.| Windows Vista, Windows Server 2008 | - -## Related topics +- [4616](event-4616.md)(S): The system time was changed. + +- [4621](event-4621.md)(S): Administrator recovered system from CrashOnAuditFail. + +>**Note** Event **4609(S): Windows is shutting down** currently doesn’t generate. It is a defined event, but it is never invoked by the operating system. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-security-system-extension.md b/windows/keep-secure/audit-security-system-extension.md index 428a0d685c..b340e3efe0 100644 --- a/windows/keep-secure/audit-security-system-extension.md +++ b/windows/keep-secure/audit-security-system-extension.md @@ -2,43 +2,47 @@ title: Audit Security System Extension (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions. ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Security System Extension **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security System Extension**, which determines whether the operating system generates audit events related to security system extensions. + +Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events. Changes to security system extensions in the operating system include the following activities: -- A security extension code is loaded (such as an authentication, notification, or security package). A security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM. + +- Security extension code is loaded (for example, an authentication, notification, or security package). Security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM. + - A service is installed. An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. -> **Important:** Attempts to install or load security system extensions or services are critical system events that could indicate a security breach. - -Event volume: Low +Attempts to install or load security system extensions or services are critical system events that could indicate a security breach. -These events are expected to appear more on a domain controller than on client computers or member servers. +**Event volume**: Low. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Event ID | Event message | -| - | - | -| 4610 | An authentication package has been loaded by the Local Security Authority. | -| 4611 | A trusted logon process has been registered with the Local Security Authority.| -| 4614 | A notification package has been loaded by the Security Account Manager. | -| 4622 | A security package has been loaded by the Local Security Authority. | -| 4697 | A service was installed in the system. | - -## Related topics +**Events List:** + +- [4610](event-4610.md)(S): An authentication package has been loaded by the Local Security Authority. + +- [4611](event-4611.md)(S): A trusted logon process has been registered with the Local Security Authority. + +- [4614](event-4614.md)(S): A notification package has been loaded by the Security Account Manager. + +- [4622](event-4622.md)(S): A security package has been loaded by the Local Security Authority. + +- [4697](event-4697.md)(S): A service was installed in the system. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-sensitive-privilege-use.md b/windows/keep-secure/audit-sensitive-privilege-use.md index 718aa00bd9..220187fc5b 100644 --- a/windows/keep-secure/audit-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-sensitive-privilege-use.md @@ -2,51 +2,70 @@ title: Audit Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Sensitive Privilege Use **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Sensitive Privilege Use**, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. -Actions that can be audited include: -- A privileged service is called. -- One of the following privileges is called: - - **Act as part of the operating system** - - **Back up files and directories** - - **Create a token object** - - **Debug programs** - - **Enable computer and user accounts to be trusted for delegation** - - **Generate security audits** - - **Impersonate a client after authentication** - - **Load and unload device drivers** - - **Manage auditing and security log** - - **Modify firmware environment values** - - **Replace a process-level token** - - **Restore files and directories** - - **Take ownership of files or other objects** +Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges: + +- Act as part of the operating system + +- Back up files and directories + +- Restore files and directories + +- Create a token object + +- Debug programs + +- Enable computer and user accounts to be trusted for delegation + +- Generate security audits + +- Impersonate a client after authentication + +- Load and unload device drivers + +- Manage auditing and security log + +- Modify firmware environment values + +- Replace a process-level token + +- Take ownership of files or other objects + +The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the “[Audit: Audit the use of Backup and Restore privilege](https://technet.microsoft.com/en-us/library/jj852206.aspx)” Group Policy setting is enabled on the computer or device. We do not recommend enabling this Group Policy setting because of the high number of events recorded. + +This subcategory also contains informational events from the file system Transaction Manager. If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts. -Event volume: High +**Event volume**: High. -Default: Not configured +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. | +| Member Server | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. | +| Workstation | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. | + +**Events List:** + +- [4673](event-4673.md)(S, F): A privileged service was called. + +- [4674](event-4674.md)(S, F): An operation was attempted on a privileged object. + +- [4985](event-4985.md)(S): The state of a transaction has changed. + +>**Note** For some reason event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory generates also in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory. -| Event ID | Event message | -| - | - | -| 4672 | Special privileges assigned to new logon.| -| 4673 | A privileged service was called. | -| 4674 | An operation was attempted on a privileged object.| - -## Related topics -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-special-logon.md b/windows/keep-secure/audit-special-logon.md index f4bad313c7..2838689d0f 100644 --- a/windows/keep-secure/audit-special-logon.md +++ b/windows/keep-secure/audit-special-logon.md @@ -2,38 +2,43 @@ title: Audit Special Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit Special Logon **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Special Logon**, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. -This security policy setting determines whether the operating system generates audit events when: +Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances. -- A special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. -- A member of a special group logs on. Special Groups is a Windows feature that enables the administrator to find out when a member of a certain group has logged on. The administrator can set a list of group security identifiers (SIDs) in the registry. If any of these SIDs is added to a token during logon and this auditing subcategory is enabled, a security event is logged. For more information about this feature, see [article 947223](http://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/p/?linkid=120183). +This subcategory allows you to audit events generated by special logons such as the following: -Users holding special privileges can potentially make changes to the system. We recommend that you track their activity. +- The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. -Event volume: Low +- A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. -Default: Success +**Event volume**: -| Event ID | Event message | -| - | - | -| 4964 | Special groups have been assigned to a new logon.| - -## Related topics +- Low on a client computer. + +- Medium on a domain controllers or network servers. + +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4964](event-4964.md)(S): Special groups have been assigned to a new logon. + +- [4672](event-4672.md)(S): Special privileges assigned to new logon. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-system-integrity.md b/windows/keep-secure/audit-system-integrity.md index 38fd5a5ce5..90bbb22cde 100644 --- a/windows/keep-secure/audit-system-integrity.md +++ b/windows/keep-secure/audit-system-integrity.md @@ -2,51 +2,67 @@ title: Audit System Integrity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem. ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit System Integrity **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit System Integrity**, which determines whether the operating system audits events that violate the integrity of the security subsystem. + +Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem. Activities that violate the integrity of the security subsystem include the following: - Audited events are lost due to a failure of the auditing system. + - A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space. + - A remote procedure call (RPC) integrity violation is detected. + - A code integrity violation with an invalid hash value of an executable file is detected. + - Cryptographic tasks are performed. -> **Important:** Violations of security subsystem integrity are critical and could indicate a potential security attack. - -Event volume: Low +Violations of security subsystem integrity are critical and could indicate a potential security attack. -Default: Success and failure +**Event volume**: Low. -| Event ID | Event message | -| - | - | -| 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. | -| 4615 | Invalid use of LPC port. | -| 4618 | A monitored security event pattern has occurred.| -| 4816 | RPC detected an integrity violation while decrypting an incoming message.| -| 5038 | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.| -| 5056 | A cryptographic self-test was performed. | -| 5057 | A cryptographic primitive operation failed.| -| 5060 | Verification operation failed. | -| 5061 | Cryptographic operation. | -| 5062 | A kernel-mode cryptographic self-test was performed.| -| 6281 | Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.| - -## Related topics +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. | +| Member Server | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. | +| Workstation | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. | + +**Events List:** + +- [4612](event-4612.md)(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. + +- [4615](event-4615.md)(S): Invalid use of LPC port. + +- [4618](event-4618.md)(S): A monitored security event pattern has occurred. + +- [4816](event-4816.md)(S): RPC detected an integrity violation while decrypting an incoming message. + +- [5038](event-5038.md)(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. + +- [5056](event-5056.md)(S): A cryptographic self-test was performed. + +- [5062](event-5062.md)(S): A kernel-mode cryptographic self-test was performed. + +- [5057](event-5057.md)(F): A cryptographic primitive operation failed. + +- [5060](event-5060.md)(F): Verification operation failed. + +- [5061](event-5061.md)(S, F): Cryptographic operation. + +- [6281](event-6281.md)(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. + +- [6410](event-6410.md)(F): Code integrity determined that a file does not meet the security requirements to load into a process. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-user-account-management.md b/windows/keep-secure/audit-user-account-management.md index a763d8ea76..e641522e84 100644 --- a/windows/keep-secure/audit-user-account-management.md +++ b/windows/keep-secure/audit-user-account-management.md @@ -2,56 +2,81 @@ title: Audit User Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed. ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit User Account Management **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit User Account Management**, which determines whether the operating system generates audit events when specific user account management tasks are performed. -Tasks that are audited for user account management include: +Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed. + +**Event volume**: Low. + +This policy setting allows you to audit changes to user accounts. Events include the following: + +- A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked. + +- A user account’s password is set or changed. + +- A security identifier (SID) is added to the SID History of a user account, or fails to be added. + +- The Directory Services Restore Mode password is configured. + +- Permissions on administrative user accounts are changed. + +- A user's local group membership was enumerated. -- A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked. -- A user account password is set or changed. -- Security identifier (SID) history is added to a user account. -- The Directory Services Restore Mode password is set. -- Permissions are changed on accounts that are members of administrator groups. - Credential Manager credentials are backed up or restored. -This policy setting is essential for tracking events that involve provisioning and managing user accounts. +Some events in this subcategory, for example 4722, 4725, 4724, and 4781, are also generated for computer accounts. -Event volume: Low +| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | +|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Domain Controller | Yes | Yes | Yes | Yes | This subcategory contains many useful events for monitoring, especially for critical domain accounts, such as domain admins, service accounts, database admins, and so on.
We recommend Failure auditing, mostly to see invalid password change and reset attempts for domain accounts, DSRM account password change failures, and failed SID History add attempts. | +| Member Server | Yes | Yes | Yes | Yes | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.
We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts. | +| Workstation | Yes | Yes | Yes | Yes | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.
We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts. | -Default: Success +**Events List:** -| Event ID | Event message | -| - | - | -| 4720 | A user account was created. | -| 4722 | A user account was enabled. | -| 4723 | An attempt was made to change an account's password.| -| 4724 | An attempt was made to reset an account's password. | -| 4725 | A user account was disabled. | -| 4726 | A user account was deleted. | -| 4738 | A user account was changed. | -| 4740 | A user account was locked out.| -| 4765 | SID History was added to an account.| -| 4766 | An attempt to add SID History to an account failed.| -| 4767 | A user account was unlocked. | -| 4780 | The ACL was set on accounts which are members of administrators groups.| -| 4781 | The name of an account was changed: | -| 4794 | An attempt was made to set the Directory Services Restore Mode.| -| 5376 | Credential Manager credentials were backed up. | -| 5377 | Credential Manager credentials were restored from a backup.| - -## Related topics +- [4720](event-4720.md)(S): A user account was created. + +- [4722](event-4722.md)(S): A user account was enabled. + +- [4723](event-4723.md)(S, F): An attempt was made to change an account's password. + +- [4724](event-4724.md)(S, F): An attempt was made to reset an account's password. + +- [4725](event-4725.md)(S): A user account was disabled. + +- [4726](event-4726.md)(S): A user account was deleted. + +- [4738](event-4738.md)(S): A user account was changed. + +- [4740](event-4740.md)(S): A user account was locked out. + +- [4765](event-4765.md)(S): SID History was added to an account. + +- [4766](event-4766.md)(F): An attempt to add SID History to an account failed. + +- [4767](event-4767.md)(S): A user account was unlocked. + +- [4780](event-4780.md)(S): The ACL was set on accounts which are members of administrators groups. + +- [4781](event-4781.md)(S): The name of an account was changed. + +- [4794](event-4794.md)(S, F): An attempt was made to set the Directory Services Restore Mode administrator password. + +- [4798](event-4798.md)(S): A user's local group membership was enumerated. + +- [5376](event-5376.md)(S): Credential Manager credentials were backed up. + +- [5377](event-5377.md)(S): Credential Manager credentials were restored from a backup. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/audit-user-device-claims.md b/windows/keep-secure/audit-user-device-claims.md index e5576c4bdf..69c9dc94c2 100644 --- a/windows/keep-secure/audit-user-device-claims.md +++ b/windows/keep-secure/audit-user-device-claims.md @@ -2,63 +2,39 @@ title: Audit User/Device Claims (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims. ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486 +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +author: Mir0sh --- # Audit User/Device Claims **Applies to** -- Windows 10 +- Windows 10 +- Windows Server 2016 -This topic for the IT professional describes the advanced security audit policy setting, **Audit User/Device Claims**, which enables you to audit security events that are generated by user and device claims. -Event volume: +Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. -Default: Not configured +For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -
| Event ID | -Event message | -
|---|---|
4626 |
-User / Device claims information. -Subject: -Security ID: %1 -Account Name: %2 -Account Domain: %3 -Logon ID: %4 -Logon Type:%9 -New Logon: -Security ID: %5 -Account Name: %6 -Account Domain: %7 -Logon ID: %8 -Event in sequence: %10 of %11 -User Claims: %12 -Device Claims: %13 -The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. -The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). -The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. -This event is generated when the Audit User/Device claims subcategory is configured and the user’s logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session. |
-
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | + +**Events List:** + +- [4626](event-4626.md)(S): User/Device claims information. -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/keep-secure/basic-firewall-policy-design.md b/windows/keep-secure/basic-firewall-policy-design.md new file mode 100644 index 0000000000..3863b0cf74 --- /dev/null +++ b/windows/keep-secure/basic-firewall-policy-design.md @@ -0,0 +1,66 @@ +--- +title: Basic Firewall Policy Design (Windows 10) +description: Basic Firewall Policy Design +ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Basic Firewall Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization. + +The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that does not match the rules is dropped. + +Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the device that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted. + +Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy: + +- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device. + +- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you. + + For example, when you install a server role, the appropriate firewall rules are created and enabled automatically. + +- For other standard network behavior, the predefined rules that are built into Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can easily be configured in a GPO and deployed to the devices in your organization. + + For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. + +With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network. + +>**Caution:** Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. + +By default, in new installations, Windows Firewall is turned on in Windows Server 2012, Windows 8, and later. + +If you turn off the Windows Firewall with Advanced Security service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. + +Compatible third-party firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft. + +An organization typically uses this design as a first step toward a more comprehensive Windows Firewall with Advanced Security design that adds server isolation and domain isolation. + +After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization. + +>**Important:** If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design. + +The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules. + +For more information about this design: + +- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md). + +- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md). + +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). + +- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md). + +- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md). + +**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md) diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/keep-secure/boundary-zone-gpos.md new file mode 100644 index 0000000000..66865b93a6 --- /dev/null +++ b/windows/keep-secure/boundary-zone-gpos.md @@ -0,0 +1,28 @@ +--- +title: Boundary Zone GPOs (Windows 10) +description: Boundary Zone GPOs +ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Boundary Zone GPOs + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. + +>**Note:** If you are designing GPOs for at least Windows Vista or Windows Server 2008, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. + +This means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone. + +The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices are not expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows. + +In the Woodgrove Bank example, only the GPO settings for a Web service on at least Windows Server 2008 are discussed. + +- [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary.md) diff --git a/windows/keep-secure/boundary-zone.md b/windows/keep-secure/boundary-zone.md new file mode 100644 index 0000000000..b44e15fdc1 --- /dev/null +++ b/windows/keep-secure/boundary-zone.md @@ -0,0 +1,63 @@ +--- +title: Boundary Zone (Windows 10) +description: Boundary Zone +ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Boundary Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. + +Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device. + +The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it. + +Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision. + + + +The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied. + +You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain. + +Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. + +## GPO settings for boundary zone servers running at least Windows Server 2008 + + +The boundary zone GPO for devices running at least Windows Server 2008 should include the following: + +- IPsec default settings that specify the following options: + + 1. Exempt all ICMP traffic from IPsec. + + 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. + + 3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.. + + If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. + + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method. + +- The following connection security rules: + + - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + + - A connection security rule, from **Any IP address** to **Any IP address**, that requests inbound and outbound authentication. + +- A registry policy that includes the following values: + + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + + >**Note:** For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) + +**Next: **[Encryption Zone](encryption-zone.md) diff --git a/windows/keep-secure/certificate-based-isolation-policy-design-example.md b/windows/keep-secure/certificate-based-isolation-policy-design-example.md new file mode 100644 index 0000000000..8b5e59db2e --- /dev/null +++ b/windows/keep-secure/certificate-based-isolation-policy-design-example.md @@ -0,0 +1,52 @@ +--- +title: Certificate-based Isolation Policy Design Example (Windows 10) +description: Certificate-based Isolation Policy Design Example +ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Certificate-based Isolation Policy Design Example + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). + +One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the devices that receive this information. + +## Design requirements + +One possible solution to this is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows device even though it cannot authenticate. + +A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows device in the domain isolation design. Because it cannot join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically-protected documents, encrypted in such a way that their origin can be positively confirmed. + +In this case, Woodgrove Bank used Active Directory Certificate Services to create the appropriate certificate. They might also have acquired and installed a certificate from a third-party commercial certification authority. They then used Group Policy to deploy the certificate to the front-end servers. The GPOs applied to the front-end servers also include updated connection security rules that permit certificate-based authentication in addition to Kerberos V5 authentication. They then manually installed the certificate on the UNIX server. + +The UNIX server is configured with firewall and IPsec connection security rules using the tools that are provided by the operating system vendor. Those rules specify that authentication is performed by using the certificate. + +The creation of the IPsec connection security rules for a non-Windows device is beyond the scope of this document, but support for a certificate that can be used to authenticate such a non-Windows device by using the standard IPsec protocols is the subject of this design. + +The non-Windows device can be effectively made a member of the boundary zone or the encryption zone based on the IPsec rules applied to the device. The only constraint is that the main mode and quick mode encryption algorithms supported by the UNIX device must also be supported by the Windows-based devices with which it communicates. + +**Other traffic notes:** + +- None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows device. + +## Design details + +Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices in their organization. + +The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. This does not require including new rules, just adding certificate-based authentication as an option to the existing rules. + +When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because the majority of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type. + +By using the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member. + +Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device. + +**Next: **[Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) diff --git a/windows/keep-secure/certificate-based-isolation-policy-design.md b/windows/keep-secure/certificate-based-isolation-policy-design.md new file mode 100644 index 0000000000..8d0483f776 --- /dev/null +++ b/windows/keep-secure/certificate-based-isolation-policy-design.md @@ -0,0 +1,40 @@ +--- +title: Certificate-based Isolation Policy Design (Windows 10) +description: Certificate-based Isolation Policy Design +ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Certificate-based Isolation Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. + +Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices cannot join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol. + +To authenticate with non-domain member devices, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to devices that do not run Windows. + +The same principles of the domain and server isolation designs apply to this design. Only devices that can authenticate (in this case, by providing a specified certificate) can communicate with the devices in your isolated domain. + +For Windows devices that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the devices that are trusted but are not part of the Active Directory domain. For other devices, you will have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner. + +For more info about this design: + +- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). + +- To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md). + +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). + +- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md). + +- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md). + +**Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 3c88804390..dba679a5fa 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,7 +16,9 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| -| [Windows security baselines](security-baselines.md) | New | +| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New | +| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics | +| [Windows security baselines](windows-security-baselines.md) | New | ## May 2016 diff --git a/windows/keep-secure/change-rules-from-request-to-require-mode.md b/windows/keep-secure/change-rules-from-request-to-require-mode.md new file mode 100644 index 0000000000..156957d053 --- /dev/null +++ b/windows/keep-secure/change-rules-from-request-to-require-mode.md @@ -0,0 +1,56 @@ +--- +title: Change Rules from Request to Require Mode (Windows 10) +description: Change Rules from Request to Require Mode +ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Change Rules from Request to Require Mode + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +In this topic: + +- [Convert a rule from request to require mode](#to-convert-a-rule-from-request-to-require-mode) + +- [Apply the modified GPOs to the client devices](#to-apply-the-modified-gpos-to-the-client-devices) + +## To convert a rule from request to require mode + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Connection Security Rules**. + +3. In the details pane, double-click the connection security rule that you want to modify. + +4. Click the **Authentication** tab. + +5. In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK**. + +## To apply the modified GPOs to the client devices + +1. The next time each device refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, run the following command from an elevated command prompt: + + ``` syntax + gpupdate /force + ``` + +2. To verify that the modified GPO is correctly applied to the client devices, you can run the following command: + + ``` syntax + gpresult /r /scope computer + ``` + +3. Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device. diff --git a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md new file mode 100644 index 0000000000..979ef0e243 --- /dev/null +++ b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md @@ -0,0 +1,26 @@ +--- +title: Checklist Configuring Basic Firewall Settings (Windows 10) +description: Checklist Configuring Basic Firewall Settings +ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Configuring Basic Firewall Settings + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. + +**Checklist: Configuring firewall defaults and settings** + +| Task | Reference | +| - | - | +| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| +| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) | +| Configure the firewall to record a log file. | [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)| diff --git a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md new file mode 100644 index 0000000000..a3cd9303ca --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -0,0 +1,43 @@ +--- +title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10) +description: Checklist Configuring Rules for an Isolated Server Zone +ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Configuring Rules for an Isolated Server Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). + +In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or devices who are authenticated members of a network access group (NAG). If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer. + +Devices that are running at least Windows Vista and Windows Server 2008 can identify both devices and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication. + +The GPOs for an isolated server or group of servers are similar to those for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules as well as restrictions that allow only members of the NAG to connect to the server. + +**Checklist: Configuring rules for isolated servers** + +| Task | Reference | +| - | - | +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.
Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Create a rule that requests authentication for all network traffic.
**Important:** Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| +| Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | + +Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. diff --git a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md new file mode 100644 index 0000000000..f954a6f45e --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -0,0 +1,40 @@ +--- +title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10) +description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone +ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). + +The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server. + +**Checklist: Configuring rules for isolated servers** + +| Task | Reference | +| - | - | +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) | +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional.| [Configure Authentication Methods](configure-authentication-methods.md) | +| Create a rule that requests authentication for all inbound network traffic.
**Important:** Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| +| Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) | +| Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| + +Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md new file mode 100644 index 0000000000..898aff61c0 --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md @@ -0,0 +1,32 @@ +--- +title: Checklist Configuring Rules for the Boundary Zone (Windows 10) +description: Checklist Configuring Rules for the Boundary Zone +ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Configuring Rules for the Boundary Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. + +Rules for the boundary zone are typically the same as those for the isolated domain, with the exception that the final rule is left to only request, not require, authentication. + +**Checklist: Configuring boundary zone rules** + +This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs. + +| Task | Reference | +| - | - | +| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) | +| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md new file mode 100644 index 0000000000..8bf35ebe8e --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md @@ -0,0 +1,33 @@ +--- +title: Checklist Configuring Rules for the Encryption Zone (Windows 10) +description: Checklist Configuring Rules for the Encryption Zone +ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Configuring Rules for the Encryption Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. + +Rules for the encryption zone are typically the same as those for the isolated domain, with the exception that the main rule requires encryption in addition to authentication. + +**Checklist: Configuring encryption zone rules** + +This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. + +| Task | Reference | +| - | - | +| Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security rules are protecting network traffic.| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md new file mode 100644 index 0000000000..41375ddbad --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md @@ -0,0 +1,37 @@ +--- +title: Checklist Configuring Rules for the Isolated Domain (Windows 10) +description: Checklist Configuring Rules for the Isolated Domain +ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Configuring Rules for the Isolated Domain + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. + +**Checklist: Configuring isolated domain rules** + +| Task | Reference | +| - | - | +| Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| + + +Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. diff --git a/windows/keep-secure/checklist-creating-group-policy-objects.md b/windows/keep-secure/checklist-creating-group-policy-objects.md new file mode 100644 index 0000000000..b846638c4e --- /dev/null +++ b/windows/keep-secure/checklist-creating-group-policy-objects.md @@ -0,0 +1,43 @@ +--- +title: Checklist Creating Group Policy Objects (Windows 10) +description: Checklist Creating Group Policy Objects +ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Creating Group Policy Objects + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group. + +The checklists for firewall, domain isolation, and server isolation include a link to this checklist. + +## About membership groups + +For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. + +## About exclusion groups + +A Windows Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. + +You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. + +**Checklist: Creating Group Policy objects** + +| Task | Reference | +| - | - | +| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| +| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.
If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| +| Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) | +| Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) | +| Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) | +| If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) | +| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | diff --git a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md new file mode 100644 index 0000000000..16681cba2a --- /dev/null +++ b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md @@ -0,0 +1,39 @@ +--- +title: Checklist Creating Inbound Firewall Rules (Windows 10) +description: Checklist Creating Inbound Firewall Rules +ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Creating Inbound Firewall Rules + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist includes tasks for creating firewall rules in your GPOs. + +**Checklist: Creating inbound firewall rules** + +| Task | Reference | +| - | - | +| Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)| +| Create a rule that allows inbound network traffic on a specified port number. | [Create an Inbound Port Rule](create-an-inbound-port-rule.md)| +| Create a rule that allows inbound ICMP network traffic. | [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)| +| Create rules that allow inbound RPC network traffic. | [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)| +| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)| + + + + + + + + + + + diff --git a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md new file mode 100644 index 0000000000..22b8d892c8 --- /dev/null +++ b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md @@ -0,0 +1,39 @@ +--- +title: Checklist Creating Outbound Firewall Rules (Windows 10) +description: Checklist Creating Outbound Firewall Rules +ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Creating Outbound Firewall Rules + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist includes tasks for creating outbound firewall rules in your GPOs. + +>**Important:** By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create. + +**Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** + +| Task | Reference | +| - | - | +| Create a rule that allows a program to send any outbound network traffic on any port it requires. | [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)| +| Create a rule that allows outbound network traffic on a specified port number. | [Create an Outbound Port Rule](create-an-outbound-port-rule.md)| +| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)| + + + + + + + + + + + diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md new file mode 100644 index 0000000000..bd5a21cdb8 --- /dev/null +++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -0,0 +1,33 @@ +--- +title: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone (Windows 10) +description: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone +ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. + +**Checklist: Configuring isolated server zone client rules** + +| Task | Reference | +| - | - | +| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test devices to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md new file mode 100644 index 0000000000..f72a945895 --- /dev/null +++ b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md @@ -0,0 +1,36 @@ +--- +title: Checklist Implementing a Basic Firewall Policy Design (Windows 10) +description: Checklist Implementing a Basic Firewall Policy Design +ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Implementing a Basic Firewall Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. + +>**Note:** Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. + +The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). + + **Checklist: Implementing a basic firewall policy design** + +| Task | Reference | +| - | - | +| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| +| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016 Technical Preview, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016 Technical Preview, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| +| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| +| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| +| Create one or more outbound firewall rules to block unwanted outbound network traffic. | [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add test devices to the membership group, and then confirm that the devices receive the firewall rules from the GPOs as expected.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| According to the testing and roll-out schedule in your design plan, add device accounts to the membership group to deploy the completed firewall policy settings to your devices. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md new file mode 100644 index 0000000000..1cab0a3744 --- /dev/null +++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -0,0 +1,30 @@ +--- +title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10) +description: Checklist Implementing a Certificate-based Isolation Policy Design +ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Implementing a Certificate-based Isolation Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. + +>**Note:** Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist + +**Checklist: Implementing certificate-based authentication** + +| Task | Reference | +| - | - | +| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | +| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| | +| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| +| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| +| On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md new file mode 100644 index 0000000000..a57af52e9a --- /dev/null +++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md @@ -0,0 +1,34 @@ +--- +title: Checklist Implementing a Domain Isolation Policy Design (Windows 10) +description: Checklist Implementing a Domain Isolation Policy Design +ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Implementing a Domain Isolation Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. + +>**Note:** Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. + +The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). + +**Checklist: Implementing a domain isolation policy design** + +| Task | Reference | +| - | - | +| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Domain Isolation Policy Design](domain-isolation-policy-design.md)
[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | +| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| +| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| +| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| +| Create the GPOs and connection security rules for the isolated server zone.| [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)| +| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| +| After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md new file mode 100644 index 0000000000..e4ed2e3d00 --- /dev/null +++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -0,0 +1,33 @@ +--- +title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10) +description: Checklist Implementing a Standalone Server Isolation Policy Design +ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Checklist: Implementing a Standalone Server Isolation Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). + +This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. + +>**Note:** Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. + +**Checklist: Implementing a standalone server isolation policy design** + +| Task | Reference | +| - | - | +| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Server Isolation Policy Design](server-isolation-policy-design.md)
[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
[Planning Server Isolation Zones](planning-server-isolation-zones.md) | +| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| +| Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| +| Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| +| After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| +| According to the testing and roll-out schedule in your design plan, add device accounts for the client devices to the membership group so that you can deploy the settings. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) | diff --git a/windows/keep-secure/configure-authentication-methods.md b/windows/keep-secure/configure-authentication-methods.md new file mode 100644 index 0000000000..c637681093 --- /dev/null +++ b/windows/keep-secure/configure-authentication-methods.md @@ -0,0 +1,75 @@ +--- +title: Configure Authentication Methods (Windows 10) +description: Configure Authentication Methods +ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security + +author: brianlic-msft +--- + +# Configure Authentication Methods + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. + +>**Note:** If you follow the steps in the procedure in this topic, you alter the system-wide default settings. Any connection security rule can use these settings by specifying **Default** on the **Authentication** tab. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To configure authentication methods** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. + +3. On the **IPsec Settings** tab, click **Customize**. + +4. In the **Authentication Method** section, select the type of authentication that you want to use from among the following: + + 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Firewall with Advanced Security or by Group Policy as the default. + + 2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials. + + 3. **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. + + 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. + + 5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. + + 6. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. + + The first authentication method can be one of the following: + + - **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. + + - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used. + + - **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method is not recommended, and is included only for backward compatibility and testing purposes. + + If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + + The second authentication method can be one of the following: + + - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups. + + - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication EKU typically provided in a NAP infrastructure can be used for this rule. + + If you select **Second authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + + >**Important:** Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. + +5. Click **OK** on each dialog box to save your changes and return to the Group Policy Management Editor. diff --git a/windows/keep-secure/configure-data-protection-quick-mode-settings.md b/windows/keep-secure/configure-data-protection-quick-mode-settings.md new file mode 100644 index 0000000000..1b0e5489ab --- /dev/null +++ b/windows/keep-secure/configure-data-protection-quick-mode-settings.md @@ -0,0 +1,62 @@ +--- +title: Configure Data Protection (Quick Mode) Settings (Windows 10) +description: Configure Data Protection (Quick Mode) Settings +ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Configure Data Protection (Quick Mode) Settings + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To configure quick mode settings** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. + +3. On the **IPsec Settings** tab, click **Customize**. + +4. In the **Data protection (Quick Mode)** section, click **Advanced**, and then click **Customize**. + +5. If you require encryption for all network traffic in the specified zone, then check **Require encryption for all connection security rules that use these settings**. Selecting this option disables the **Data integrity** section, and forces you to select only integrity algorithms that are combined with an encryption algorithm. If you do not select this option, then you can use only data integrity algorithms. Before selecting this option, consider the performance impact and the increase in network traffic that will result. We recommend that you use this setting only on network traffic that truly requires it, such as to and from computers in the encryption zone. + +6. If you did not select **Require encryption**, then select the data integrity algorithms that you want to use to help protect the data sessions between the two computers. If the data integrity algorithms displayed in the list are not what you want, then do the following: + + 1. From the left column, remove any of the data integrity algorithms that you do not want by selecting the algorithm and then clicking **Remove**. + + 2. Add any required data integrity algorithms by clicking **Add**, selecting the appropriate protocol (ESP or AH) and algorithm (SHA1 or MD5), selecting the key lifetime in minutes or sessions, and then clicking **OK**. We recommend that you do not include MD5 in any combination. It is included for backward compatibility only. We also recommend that you use ESP instead of AH if you have any devices on your network that use network address translation (NAT). + + 3. In **Key lifetime (in sessions)**, type the number of times that the quick mode session can be rekeyed. After this number is reached, the quick mode SA must be renegotiated. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent renegotiating of the quick mode SA. We recommend that you use the default value unless your risk analysis indicates the need for a different value. + + 4. Click **OK** to save your algorithm combination settings. + + 5. After the list contains only the combinations you want, use the up and down arrows to the right of the list to rearrange them in the correct order for your design. The algorithm combination that is first in the list is tried first, and so on. + +7. Select the data integrity and encryption algorithms that you want to use to help protect the data sessions between the two computers. If the algorithm combinations displayed in the list are not what you want, then do the following: + + 1. From the second column, remove any of the data integrity and encryption algorithms that you do not want by selecting the algorithm combination and then clicking **Remove**. + + 2. Add any required integrity and encryption algorithm combinations by clicking **Add**, and then doing the following: + + 3. Select the appropriate protocol (ESP or AH). We recommend that you use ESP instead of AH if you have any devices on your network that use NAT. + + 4. Select the appropriate encryption algorithm. The choices include, in order of decreasing security: AES-256, AES-192, AES-128, 3DES, and DES. We recommend that you do not include DES in any combination. It is included for backward compatibility only. + + 5. Select the appropriate integrity algorithm (SHA1 or MD5). We recommend that you do not include MD5 in any combination. It is included for backward compatibility only. + + 6. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operations between the two computers that negotiated this key will require a new key. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent rekeying. We recommend that you use the default value unless your risk analysis indicates the need for a different value. + +8. Click **OK** three times to save your settings. diff --git a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md new file mode 100644 index 0000000000..a3687db1b5 --- /dev/null +++ b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -0,0 +1,38 @@ +--- +title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10) +description: Configure Group Policy to Autoenroll and Deploy Certificates +ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Configure Group Policy to Autoenroll and Deploy Certificates + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. + +**Administrative credentials** + +To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest and a member of the Enterprise Admins group. + +**To configure Group Policy to autoenroll certificates** + +1. Open the Group Policy Management console. + +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. + +3. In the navigation pane, expand the following path: **Computer Configuration**, **Policies**, **Windows Settings**, **Security Settings**, **Public Key Policies**. + +4. Double-click **Certificate Services Client - Auto-Enrollment**. + +5. In the **Properties** dialog box, change **Configuration Model** to **Enabled**. + +6. Select both **Renew expired certificates, update pending certificates, and remove revoked certificates** and **Update certificates that use certificate templates**. + +7. Click **OK** to save your changes. Computers apply the GPO and download the certificate the next time Group Policy is refreshed. diff --git a/windows/keep-secure/configure-key-exchange-main-mode-settings.md b/windows/keep-secure/configure-key-exchange-main-mode-settings.md new file mode 100644 index 0000000000..097d29b877 --- /dev/null +++ b/windows/keep-secure/configure-key-exchange-main-mode-settings.md @@ -0,0 +1,62 @@ +--- +title: Configure Key Exchange (Main Mode) Settings (Windows 10) +description: Configure Key Exchange (Main Mode) Settings +ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Configure Key Exchange (Main Mode) Settings + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To configure key exchange settings** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. + +3. On the **IPsec Settings** tab, click **Customize**. + +4. In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**. + +5. Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list are not what you want, then do the following: + + **Important** + In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices. + + Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. Make sure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected. + + **Note** + When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This happens no matter which Diffie-Hellman key exchange protocol you select. + + 1. Remove any of the security methods that you do not want by selecting the method and then clicking **Remove**. + + 2. Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**. + + >**Caution:** We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only. + + 3. After the list contains only the combinations you want, use the up and down arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on. + +6. From the list on the right, select the key exchange algorithm that you want to use. + + >**Caution:** We recommend that you do not use Diffie-Hellman Group 1. It is included for backward compatibility only. + +7. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operation between the two devices requires a new key. + + >**Note:** You need to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance. + +8. In **Key lifetime (in sessions)**, type the number of sessions. After the specified number of quick mode sessions have been created within the security association protected by this key, IPsec requires a new key. + +9. Click **OK** three times to save your settings. diff --git a/windows/keep-secure/configure-the-rules-to-require-encryption.md b/windows/keep-secure/configure-the-rules-to-require-encryption.md new file mode 100644 index 0000000000..cdc97d2167 --- /dev/null +++ b/windows/keep-secure/configure-the-rules-to-require-encryption.md @@ -0,0 +1,53 @@ +--- +title: Configure the Rules to Require Encryption (Windows 10) +description: Configure the Rules to Require Encryption +ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Configure the Rules to Require Encryption + +If you are creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that do not use encryption. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To modify an authentication request rule to also require encryption** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Connection Security Rules**. + +3. In the details pane, double-click the connection security rule you want to modify. + +4. On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**. + +5. In the navigation pane, right-click **Windows Firewall with Advanced Security – LDAP://CN={***guid***}**, and then click **Properties**. + +6. Click the **IPsec Settings** tab. + +7. Under **IPsec defaults**, click **Customize**. + +8. Under **Data protection (Quick Mode)**, click **Advanced**, and then click **Customize**. + +9. Click **Require encryption for all connection security rules that use these settings**. + + This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone will not be able to connect to devices in this zone. + +10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md). + + **Note** + Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. + + Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell. + + For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) + +11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support. + +12. Click **OK** three times to save your changes. diff --git a/windows/keep-secure/configure-the-windows-firewall-log.md b/windows/keep-secure/configure-the-windows-firewall-log.md new file mode 100644 index 0000000000..0784a64b85 --- /dev/null +++ b/windows/keep-secure/configure-the-windows-firewall-log.md @@ -0,0 +1,53 @@ +--- +title: Configure the Windows Firewall Log (Windows 10) +description: Configure the Windows Firewall Log +ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security + +author: brianlic-msft +--- + +# Configure the Windows Firewall Log + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +In this topic: + +- [To configure the Windows Firewall log](#to-configure-the-windows-firewall-log) + +## To configure the Windows Firewall log + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. + +3. For each network location type (Domain, Private, Public), perform the following steps. + + 1. Click the tab that corresponds to the network location type. + + 2. Under **Logging**, click **Customize**. + + 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. + + >**Important:** The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file. + + 4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. + + 5. No logging occurs until you set one of following two options: + + - To create a log entry when Windows Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**. + + - To create a log entry when Windows Firewall allows an inbound connection, change **Log successful connections** to **Yes**. + + 6. Click **OK** twice. diff --git a/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md new file mode 100644 index 0000000000..89b5eb68e9 --- /dev/null +++ b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md @@ -0,0 +1,48 @@ +--- +title: Configure the Workstation Authentication Certificate Template (Windows 10) +description: Configure the Workstation Authentication Certificate Template +ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Configure the Workstation Authentication Certificate Template + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. + +**Administrative credentials** + +## To configure the workstation authentication certificate template and autoenrollment +To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group. + + +1. On the device where AD CS is installed, open the Certification Authority console. + +2. In the navigation pane, right-click **Certificate Templates**, and then click **Manage**. + +3. In the details pane, click the **Workstation Authentication** template. + +4. On the **Action** menu, click **Duplicate Template**. In the **Duplicate Template** dialog box, select the template version that is appropriate for your deployment, and then click **OK**. For the resulting certificates to have maximum compatibility with the available versions of Windows, we recommended that you select **Windows Server 2003**. + +5. On the **General** tab, in **Template display name**, type a new name for the certificate template, such as **Domain Isolation Workstation Authentication Template**. + +6. Click the **Subject Name** tab. Make sure that **Build from this Active Directory information** is selected. In **Subject name format**, select **Fully distinguished name**. + +7. Click the **Request Handling** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048. + +8. Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**. + + >**Note:** If you want do not want to deploy the certificate to every device in the domain, then specify a different group or groups that contain the device accounts that you want to receive the certificate. + +9. Close the Certificate Templates Console. + +10. In the Certification Authority MMC snap-in, in the left pane, right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. + +11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you just configured, and then click **OK**. diff --git a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md new file mode 100644 index 0000000000..b4990058e6 --- /dev/null +++ b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -0,0 +1,46 @@ +--- +title: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked (Windows 10) +description: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked +ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Configure Windows Firewall to Suppress Notifications When a Program Is Blocked + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console. + +>**Caution:** If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail. + +We recommend that you do not enable these settings until you have created and tested the required rules. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +## To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. + +3. For each network location type (Domain, Private, Public), perform the following steps. + + 1. Click the tab that corresponds to the network location type. + + 2. Under **Settings**, click **Customize**. + + 3. Under **Firewall settings**, change **Display a notification** to **No**. + + 4. Under **Rule merging**, change **Apply local firewall rules** to **No**. + + 5. Although a connection security rule is not a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you are planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**. + + 6. Click **OK** twice. diff --git a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md new file mode 100644 index 0000000000..0423277e45 --- /dev/null +++ b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md @@ -0,0 +1,48 @@ +--- +title: Confirm That Certificates Are Deployed Correctly (Windows 10) +description: Confirm That Certificates Are Deployed Correctly +ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: securit +author: brianlic-msft +--- + +# Confirm That Certificates Are Deployed Correctly + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices. + +In these procedures, you refresh Group Policy on a client device, and then confirm that the certificate is deployed correctly. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +In this topic: + +- [Refresh Group Policy on a device](#to-refresh-group-policy-on-a-device) + +- [Verify that a certificate is installed](#to-verify-that-a-certificate-is-installed) + +## To refresh Group Policy on a device + + From an elevated command prompt, run the following command: + +``` syntax +gpupdate /target:computer /force +``` + +After Group Policy is refreshed, you can see which GPOs are currently applied to the device. + +## To verify that a certificate is installed + +1. Open the Cerificates console. + +2. In the navigation pane, expand **Trusted Root Certification Authorities**, and then click **Certificates**. + + The CA that you created appears in the list. diff --git a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md new file mode 100644 index 0000000000..694250fe3b --- /dev/null +++ b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md @@ -0,0 +1,50 @@ +--- +title: Copy a GPO to Create a New GPO (Windows 10) +description: Copy a GPO to Create a New GPO +ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Copy a GPO to Create a New GPO + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs. + +**To make a copy of a GPO** + +1. Open the Group Policy Management console. + +2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. + +3. In the details pane, right-click the GPO you want to copy, and then click **Copy**. + +4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**. + +5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler. + +6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*. + +7. To rename it, right-click the GPO, and then click **Rename**. + +8. Type the new name, and then press ENTER. + +9. You must change the security filters to apply the policy to the correct group of devices. To do this, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**. + +10. In the confirmation dialog box, click **OK**. + +11. Click **Add**. + +12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. + +13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016 Technical Preview, then select a WMI filter that allows only those devices to read and apply the GPO. diff --git a/windows/keep-secure/create-a-group-account-in-active-directory.md b/windows/keep-secure/create-a-group-account-in-active-directory.md new file mode 100644 index 0000000000..6aeb64d983 --- /dev/null +++ b/windows/keep-secure/create-a-group-account-in-active-directory.md @@ -0,0 +1,42 @@ +--- +title: Create a Group Account in Active Directory (Windows 10) +description: Create a Group Account in Active Directory +ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create a Group Account in Active Directory + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new group accounts. + +**To add a new membership group in Active Directory** + +1. Open the Active Directory Users and Computers console. + +2. In the navigation pane, select the container in which you want to store your group. This is typically the **Users** container under the domain. + +3. Click **Action**, click **New**, and then click **Group**. + +4. In the **Group name** text box, type the name for your new group. + + >**Note:** Be sure to use a name that clearly indicates its purpose. Check to see if your organization has a naming convention for groups. + +5. In the **Description** text box, enter a description of the purpose of this group. + +6. In the **Group scope** section, select either **Global** or **Universal**, depending on your Active Directory forest structure. If your group must include computers from multiple domains, then select **Universal**. If all of the members are from the same domain, then select **Global**. + +7. In the **Group type** section, click **Security**. + +8. Click **OK** to save your group. diff --git a/windows/keep-secure/create-a-group-policy-object.md b/windows/keep-secure/create-a-group-policy-object.md new file mode 100644 index 0000000000..42a0e5ae62 --- /dev/null +++ b/windows/keep-secure/create-a-group-policy-object.md @@ -0,0 +1,44 @@ +--- +title: Create a Group Policy Object (Windows 10) +description: Create a Group Policy Object +ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create a Group Policy Object + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To create a new GPO, use the Active Directory Users and Computers MMC snap-in. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs. + +To create a new GPO + +1. Open the Group Policy Management console. + +2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. + +3. Click **Action**, and then click **New**. + +4. In the **Name** text box, type the name for your new GPO. + + >**Note:** Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs. + +5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**. + +6. If your GPO will not contain any user settings, then you can improve performance by disabling the **User Configuration** section of the GPO. To do this, perform these steps: + + 1. In the navigation pane, click the new GPO. + + 2. In the details pane, click the **Details** tab. + + 3. Change the **GPO Status** to **User configuration settings disabled**. diff --git a/windows/keep-secure/create-an-authentication-exemption-list-rule.md b/windows/keep-secure/create-an-authentication-exemption-list-rule.md new file mode 100644 index 0000000000..b0a4ec1118 --- /dev/null +++ b/windows/keep-secure/create-an-authentication-exemption-list-rule.md @@ -0,0 +1,63 @@ +--- +title: Create an Authentication Exemption List Rule (Windows 10) +description: Create an Authentication Exemption List Rule +ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Authentication Exemption List Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. + +**Important** +Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list. + + + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To create a rule that exempts specified hosts from authentication** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Connection Security Rules**. + +3. Click **Action**, and then click **New Rule**. + +4. On the **Rule Type** page of the New Connection Security Rule Wizard, click **Authentication exemption**, and then click **Next**. + +5. On the **Exempt Computers** page, to create a new exemption, click **Add**. To modify an existing exemption, click it, and then click **Edit**. + +6. In the **IP Address** dialog box, do one of the following: + + - To add a single IP address, click **This IP address or subnet**, type the IP address of the host in the text box, and then click **OK**. + + - To add an entire subnet by address, click **This IP address or subnet**, and then type the IP address of the subnet, followed by a forward slash (/) and the number of bits in the corresponding subnet mask. For example, **10.50.0.0/16** represents the class B subnet that begins with address 10.50.0.1, and ends with address **10.50.255.254**. Click **OK** when you are finished. + + - To add the local device’s subnet, click **Predefined set of computers**, select **Local subnet** from the list, and then click **OK**. + + >**Note:** If you select the local subnet from the list rather than typing the subnet address in manually, the device automatically adjusts the active local subnet to match the device’s current IP address. + + - To add a discrete range of addresses that do not correspond to a subnet, click **This IP address range**, type the beginning and ending IP addresses in the **From** and **To** text boxes, and then click **OK**. + + - To exempt all of the remote hosts that the local device uses for a specified network service, click **Predefined set of computers**, select the network service from the list, and then click **OK**. + +7. Repeat steps 5 and 6 for each exemption that you need to create. + +8. Click **Next** when you have created all of the exemptions. + +9. On the **Profile** page, check the profile for each network location type to which this set of exemptions applies, and then click **Next**. + + >**Caution:** If all of the exemptions are on the organization’s network and that network is managed by an Active Directory domain, then consider restricting the rule to the Domain profile only. Selecting the wrong profile can reduce the protection for your computer because any computer with an IP address that matches an exemption rule will not be required to authenticate. + +10. On the **Name** page, type the name of the exemption rule, type a description, and then click **Finish**. diff --git a/windows/keep-secure/create-an-authentication-request-rule.md b/windows/keep-secure/create-an-authentication-request-rule.md new file mode 100644 index 0000000000..1c947f68f9 --- /dev/null +++ b/windows/keep-secure/create-an-authentication-request-rule.md @@ -0,0 +1,84 @@ +--- +title: Create an Authentication Request Rule (Windows 10) +description: Create an Authentication Request Rule +ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Authentication Request Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To create the authentication request rule + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**. + +3. On the **Rule Type** page, select **Isolation**, and then click **Next**. + +4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**. + + >**Caution:** Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network. + +5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP). + + 1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure. + + 2. **Computer and User (Kerberos V5)**. Selecting this option tells the device to request authentication of both the device and the currently logged-on user by using their domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + 3. **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows. + + 4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. + + The **First authentication method** can be one of the following: + + - **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows. + + - **Computer (NTLMv2)**. Selecting this option tells the device to use and require authentication of the device by using its domain credentials. This option works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. + + - **Preshared key (not recommended)**. Selecting this method and entering a pre-shared key tells the device to authenticate by exchanging the pre-shared keys. If the keys match, then the authentication succeeds. This method is not recommended, and is included for backward compatibility and testing purposes only. + + If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + + The **Second authentication method** can be one of the following: + + - **User (Kerberos V5)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **User (NTLMv2)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other devices that can use AuthIP. User-based authentication using NTLMv2 is not supported by IKE v1. + + - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups. + + - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. + + If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails. + + >**Important:** Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. + +6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**. + +7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies. + + - On portable devices, consider clearing the **Private** and **Public** boxes to enable the device to communicate without authentication when it is away from the domain network. + + - On devices that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule. + + Click **Next**. + +8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**. + + The new rule appears in the list of connection security rules. diff --git a/windows/keep-secure/create-an-inbound-icmp-rule.md b/windows/keep-secure/create-an-inbound-icmp-rule.md new file mode 100644 index 0000000000..f76bba3007 --- /dev/null +++ b/windows/keep-secure/create-an-inbound-icmp-rule.md @@ -0,0 +1,62 @@ +--- +title: Create an Inbound ICMP Rule (Windows 10) +description: Create an Inbound ICMP Rule +ms.assetid: 267b940a-79d9-4322-b53b-81901e357344 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Inbound ICMP Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +This topic describes how to create a port rule that allows inbound ICMP network traffic. For other inbound port rule types, see: + +- [Create an Inbound Port Rule](create-an-inbound-port-rule.md) + +- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) + +To create an inbound ICMP rule + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + +5. On the **Program** page, click **All programs**, and then click **Next**. + +6. On the **Protocol and Ports** page, select **ICMPv4** or **ICMPv6** from the **Protocol type** list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each. + +7. Click **Customize**. + +8. In the **Customize ICMP Settings** dialog box, do one of the following: + + - To allow all ICMP network traffic, click **All ICMP types**, and then click **OK**. + + - To select one of the predefined ICMP types, click **Specific ICMP types**, and then select each type in the list that you want to allow. Click **OK**. + + - To select an ICMP type that does not appear in the list, click **Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, click **Add**, and then select the newly created entry from the list. Click **OK** + +9. Click **Next**. + +10. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +11. On the **Action** page, select **Allow the connection**, and then click **Next**. + +12. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + +13. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-an-inbound-port-rule.md b/windows/keep-secure/create-an-inbound-port-rule.md new file mode 100644 index 0000000000..e2a911293f --- /dev/null +++ b/windows/keep-secure/create-an-inbound-port-rule.md @@ -0,0 +1,62 @@ +--- +title: Create an Inbound Port Rule (Windows 10) +description: Create an Inbound Port Rule +ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Inbound Port Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see: + +- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) + +- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) + +**To create an inbound port rule** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + + >**Note:** Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +5. On the **Program** page, click **All programs**, and then click **Next**. + + >**Note:** This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria. + +6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number. + + If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall. + + To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. + + When you have configured the protocols and ports, click **Next**. + +7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +8. On the **Action** page, select **Allow the connection**, and then click **Next**. + +9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + + >**Note:** If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + +10. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-an-inbound-program-or-service-rule.md b/windows/keep-secure/create-an-inbound-program-or-service-rule.md new file mode 100644 index 0000000000..51524c047d --- /dev/null +++ b/windows/keep-secure/create-an-inbound-program-or-service-rule.md @@ -0,0 +1,71 @@ +--- +title: Create an Inbound Program or Service Rule (Windows 10) +description: Create an Inbound Program or Service Rule +ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Inbound Program or Service Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. + +>**Note:** This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To create an inbound firewall rule for a program or service + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + + >**Note:** Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +5. On the **Program** page, click **This program path**. + +6. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly. + +7. Do one of the following: + + - If the executable file contains a single program, click **Next**. + + - If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**. + + - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, click **Apply to service with this service short name**, and then type the short name for the service in the text box. Click **OK**, and then click **Next**. + + **Important** + To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command: + + **sc** **qsidtype** *<ServiceName>* + + If the result is **NONE**, then a firewall rule cannot be applied to that service. + + To set a SID type on a service, run the following command: + + **sc** **sidtype** *<Type> <ServiceName>* + + In the preceding command, the value of *<Type>* can be **UNRESTRICTED** or **RESTRICTED**. Although the command also permits the value of **NONE**, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as **UNRESTRICTED**. If you change the SID type to **RESTRICTED**, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to **UNRESTRICTED**. + +8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](create-an-inbound-port-rule.md). After you have configured the protocol and port options, click **Next**. + +9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +10. On the **Action** page, select **Allow the connection**, and then click **Next**. + +11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + +12. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-an-outbound-port-rule.md b/windows/keep-secure/create-an-outbound-port-rule.md new file mode 100644 index 0000000000..98c85d581c --- /dev/null +++ b/windows/keep-secure/create-an-outbound-port-rule.md @@ -0,0 +1,52 @@ +--- +title: Create an Outbound Port Rule (Windows 10) +description: Create an Outbound Port Rule +ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Outbound Port Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To create an outbound port rule + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Outbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Outbound Rule wizard, click **Custom**, and then click **Next**. + + >**Note:** Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +5. On the **Program** page, click **All programs**, and then click **Next**. + +6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an outbound rule, you typically configure only the remote port number. + + If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it. + + To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. + + When you have configured the protocols and ports, click **Next**. + +7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +8. On the **Action** page, select **Block the connection**, and then click **Next**. + +9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + +10. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-an-outbound-program-or-service-rule.md b/windows/keep-secure/create-an-outbound-program-or-service-rule.md new file mode 100644 index 0000000000..342e863ffd --- /dev/null +++ b/windows/keep-secure/create-an-outbound-program-or-service-rule.md @@ -0,0 +1,56 @@ +--- +title: Create an Outbound Program or Service Rule (Windows 10) +description: Create an Outbound Program or Service Rule +ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Outbound Program or Service Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To create an outbound firewall rule for a program or service + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Outbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Outbound Rule Wizard, click **Custom**, and then click **Next**. + + >**Note:** Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +5. On the **Program** page, click **This program path**. + +6. Type the path to the program in the text box. Use environment variables as appropriate to ensure that programs installed in different locations on different computers work correctly. + +7. Do one of the following: + + - If the executable file contains a single program, click **Next**. + + - If the executable file is a container for multiple services that must all be blocked from sending outbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**. + + - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then click **Apply to service with this service short name**, and type the short name for the service in the text box. Click **OK**, and then click **Next**. + +8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](create-an-outbound-port-rule.md). When you have configured the protocol and port options, click **Next**. + +9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +10. On the **Action** page, select **Block the connection**, and then click **Next**. + +11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + +12. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-inbound-rules-to-support-rpc.md b/windows/keep-secure/create-inbound-rules-to-support-rpc.md new file mode 100644 index 0000000000..0ba04d529e --- /dev/null +++ b/windows/keep-secure/create-inbound-rules-to-support-rpc.md @@ -0,0 +1,89 @@ +--- +title: Create Inbound Rules to Support RPC (Windows 10) +description: Create Inbound Rules to Support RPC +ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create Inbound Rules to Support RPC + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +This topic describes how to create rules that allow inbound RPC network traffic. For other inbound port rule types, see: + +- [Create an Inbound Port Rule](create-an-inbound-port-rule.md) + +- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) + +In this topic: + +- [To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service](#to-create-a-rule-to-allow-inbound-network-traffic-to-the-rpc-endpoint-mapper-service) + +- [To create a rule to allow inbound network traffic to RPC-enabled network services](#to-create-a-rule-to-allow-inbound-network-traffic-to-rpc-enabled-network-services) + +## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + +5. On the **Program** page, click **This Program Path**, and then type **%systemroot%\\system32\\svchost.exe**. + +6. Click **Customize**. + +7. In the **Customize Service Settings** dialog box, click **Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, click **OK**, and then click **Next**. + +8. On the warning about Windows service-hardening rules, click **Yes**. + +9. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**. + +10. For **Local port**, select **RPC Endpoint Mapper**, and then click **Next**. + +11. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +12. On the **Action** page, select **Allow the connection**, and then click **Next**. + +13. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + +14. On the **Name** page, type a name and description for your rule, and then click **Finish**. + + +## To create a rule to allow inbound network traffic to RPC-enabled network services + +1. On the same GPO you edited in the preceding procedure, click **Action**, and then click **New rule**. + +2. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + +3. On the **Program** page, click **This Program Path**, and then type the path to the executable file that hosts the network service. Click **Customize**. + +4. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service does not appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box. + +5. Click **OK**, and then click **Next**. + +6. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**. + +7. For **Local port**, select **RPC Dynamic Ports**, and then click **Next**. + +8. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +9. On the **Action** page, select **Allow the connection**, and then click **Next**. + +10. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + +11. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-wmi-filters-for-the-gpo.md b/windows/keep-secure/create-wmi-filters-for-the-gpo.md new file mode 100644 index 0000000000..f4b066d3e1 --- /dev/null +++ b/windows/keep-secure/create-wmi-filters-for-the-gpo.md @@ -0,0 +1,94 @@ +--- +title: Create WMI Filters for the GPO (Windows 10) +description: Create WMI Filters for the GPO +ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create WMI Filters for the GPO + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. + +- [To create a WMI filter that queries for a specified version of Windows](#to-create-a-wmi-filter-that-queries-for-a-specified-version-of-windows) + +- [To link a WMI filter to a GPO](#to-link-a-wmi-filter-to-a-gpo) + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +First, create the WMI filter and configure it to look for a specified version (or versions) of the Windows operating system. + +## To create a WMI filter that queries for a specified version of Windows + +1. Open the Group Policy Management console. + +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **WMI Filters**. + +3. Click **Action**, and then click **New**. + +4. In the **Name** text box, type the name of the WMI filter. + + >**Note:** Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention. + +5. In the **Description** text box, type a description for the WMI filter. For example, if the filter excludes domain controllers, you might consider stating that in the description. + +6. Click **Add**. + +7. Leave the **Namespace** value set to **root\\CIMv2**. + +8. In the **Query** text box, type: + + ``` syntax + select * from Win32_OperatingSystem where Version like "6.%" + ``` + + This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". To specify multiple versions, combine them with or, as shown in the following: + + ``` syntax + ... where Version like "6.1%" or Version like "6.2%" + ``` + + To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. + + The following clause returns **true** for all devices that are not domain controllers: + + ``` syntax + ... where ProductType="1" or ProductType="3" + ``` + + The following complete query returns **true** for all devices running Windows 8, and returns **false** for any server operating system or any other client operating system. + + ``` syntax + select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="1" + ``` + + The following query returns **true** for any device running Windows Server 2012, except domain controllers: + + ``` syntax + select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="3" + ``` + +9. Click **OK** to save the query to the filter. + +10. Click **Save** to save your completed filter. + +## To link a WMI filter to a GPO + +After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs. + +1. Open theGroup Policy Management console. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. Under **WMI Filtering**, select the correct WMI filter from the list. + +4. Click **Yes** to accept the filter. diff --git a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md new file mode 100644 index 0000000000..144252b206 --- /dev/null +++ b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -0,0 +1,47 @@ +--- +title: Designing a Windows Firewall with Advanced Security Strategy (Windows 10) +description: Designing a Windows Firewall with Advanced Security Strategy +ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Designing a Windows Firewall with Advanced Security Strategy + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices. + +- [Gathering the Information You Need](gathering-the-information-you-need.md) + +- [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md) + +The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design. + +- What traffic must always be allowed? What are characteristics of the network traffic generated and consumed by the business programs? + +- What traffic must always be blocked? Does your organization have policies that prohibit the use of specific programs? If so, what are the characteristics of the network traffic generated and consumed by the prohibited programs? + +- What traffic on the network cannot be protected by IPsec because the devices or devices sending or receiving the traffic do not support IPsec? + +- For each type of network traffic, does the default configuration of the firewall (block all unsolicited inbound network traffic, allow all outbound traffic) allow or block the traffic as required? + +- Do you have an Active Directory domain (or forest of trusted domains) to which all your devices are joined? If you do not, then you cannot use Group Policy for easy mass deployment of your firewall and connection security rules. You also cannot easily take advantage of Kerberos V5 authentication that all domain clients can use. + +- Which devices must be able to accept unsolicited inbound connections from devices that are not part of the domain? + +- Which devices contain data that must be encrypted when exchanged with another computer? + +- Which devices contain sensitive data to which access must be restricted to specifically authorized users and devices? + +- Does your organization have specific network troubleshooting devices or devices (such as protocol analyzers) that must be granted unlimited access to the devices on the network, essentially bypassing the firewall? + + +This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide. + +**Next: **[Gathering the Information You Need](gathering-the-information-you-need.md) diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md new file mode 100644 index 0000000000..8bbd75608d --- /dev/null +++ b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md @@ -0,0 +1,139 @@ +--- +title: Determining the Trusted State of Your Devices (Windows 10) +description: Determining the Trusted State of Your Devices +ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Determining the Trusted State of Your Devices + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. + +>**Note:** In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your devices just indicates the level of risk that you believe the device brings to the network. Trusted devices bring little risk whereas untrusted devices can potentially bring great risk. + +## Trust states + + +To understand this concept, consider the four basic states that apply to devices in a typical IT infrastructure. These states are (in order of risk, lowest risk first): + +- Trusted + +- Trustworthy + +- Known, untrusted + +- Unknown, untrusted + +The remainder of this section defines these states and how to determine which devices in your organization belong in each state. + +### Trusted state + +Classifying a device as trusted means that the device's security risks are managed, but it does not imply that it is perfectly secure or invulnerable. The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the device. A trusted device that is poorly managed will likely become a point of weakness for the network. + +When a device is considered trusted, other trusted devices can reasonably assume that the device will not initiate a malicious act. For example, trusted devices can expect that other trusted devices will not run a virus that attacks them, because all trusted devices are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses. + +Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a device to obtain trusted status. + +A possible list of technology requirements might include the following: + +- **Operating system.** A trusted client device should run at least Windows Vista. A trusted server should run at least Windows Server 2008. + +- **Domain membership.** A trusted device will belong to a managed Active Directory domain, which means that the IT department has security management rights and can configure member devices by using Group Policy. + +- **Management client.** All trusted devices must run a specific network management client to allow for centralized management and control of security policies, configurations, and software. Configuration Manager is one such management system with an appropriate client. + +- **Antivirus software.** All trusted devices will run antivirus software that is configured to check for and automatically update the latest virus signature files daily. + +- **File system.** All trusted devices will be configured to use the NTFS file system. + +- **BIOS settings.** All trusted portable devices will be configured to use a BIOS-level password that is under the management of the IT support team. + +- **Password requirements.** Trusted clients must use strong passwords. + +It is important to understand that the trusted state is not constant; it is a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted devices to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they are required to help maintain the trusted status. + +A device that continues to meet all these security requirements can be considered trusted. However it is possible that most devices that were identified in the discovery process discussed earlier do not meet these requirements. Therefore, you must identify which devices can be trusted and which ones cannot. To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications. + +### Trustworthy state + +It is useful to identify as soon as possible those devices in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current device can physically achieve the trusted state with required software and configuration changes. + +For each device that is assigned a trustworthy status, make an accompanying configuration note that states what is required to enable the device to achieve trusted status. This information is especially important to both the project design team (to estimate the costs of adding the device to the solution) and the support staff (to enable them to apply the required configuration). + +Generally, trustworthy devices fall into one of the following two groups: + +- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. However, additional configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk does not meet this requirement. + +- **Upgrade required.** These devices require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these devices might require: + + - **Operating system upgrade required.** If the device's current operating system cannot support the security needs of the organization, an upgrade would be required before the device could achieve a trusted state. + + - **Software required.** A device that is missing a required security application, such as an antivirus scanner or a management client, cannot be considered trusted until these applications are installed and active. + + - **Hardware upgrade required.** In some cases, a device might require a specific hardware upgrade before it can achieve trusted status. This type of device usually needs an operating system upgrade or additional software that forces the required hardware upgrade. For example, security software might require additional hard disk space on the device. + + - **Device replacement required.** This category is reserved for devices that cannot support the security requirements of the solution because their hardware cannot support the minimum acceptable configuration. For example, a device that cannot run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based device). + +Use these groups to assign costs for implementing the solution on the devices that require upgrades. + +### Known, untrusted state + +During the process of categorizing an organization's devices, you will identify some devices that cannot achieve trusted status for specific well-understood and well-defined reasons. These reasons might include the following types: + +- **Financial.** The funding is not available to upgrade the hardware or software for this device. + +- **Political.** The device must remain in an untrusted state because of a political or business situation that does not enable it to comply with the stated minimum security requirements of the organization. It is highly recommended that you contact the business owner or independent software vendor (ISV) for the device to discuss the added value of server and domain isolation. + +- **Functional.** The device must run a nonsecure operating system or must operate in a nonsecure manner to perform its role. For example, the device might be required to run an older operating system because a specific line of business application will only work on that operating system. + +There can be multiple functional reasons for a device to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state: + +- **Devices that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system cannot be classified as trustworthy because these operating systems do not support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it does not support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported). + +- **Stand-alone devices.** Devices running any version of Windows that are configured as stand-alone devices or as members of a workgroup usually cannot achieve a trustworthy state. Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device is not a part of a trusted domain. + +- **Devices in an untrusted domain.** A device that is a member of a domain that is not trusted by an organization's IT department cannot be classified as trusted. An untrusted domain is a domain that cannot provide the required security capabilities to its members. Although the operating systems of devices that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities cannot be fully guaranteed when devices are not in a trusted domain. + +### Unknown, untrusted state + +The unknown, untrusted state should be considered the default state for all devices. Because devices in this state have a configuration that is unknown, you can assign no trust to them. All planning for devices in this state must assume that the device is an unacceptable risk to the organization. Designers of the solution should strive to minimize the impact that the devices in this state can have on their organizations. + +## Capturing upgrade costs for current devices + + +The final step in this part of the process is to record the approximate cost of upgrading the devices to a point that they can participate in the server and domain isolation design. You must make several key decisions during the design phase of the project that require answers to the following questions: + +- Does the device meet the minimum hardware requirements necessary for isolation? + +- Does the device meet the minimum software requirements necessary for isolation? + +- What configuration changes must be made to integrate this device into the isolation solution? + +- What is the projected cost or impact of making the proposed changes to enable the device to achieve a trusted state? + +By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular device or group of devices into the scope of the project. It is important to remember that the state of a device is transitive, and that by performing the listed remedial actions you can change the state of a device from untrusted to trusted. After you decide whether to place a device in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses. + +The following table is an example of a data sheet that you could use to help capture the current state of a device and what would be required for the device to achieve a trusted state. + +| Device name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | +| - | - | - | - | - | - | +| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware is not compatible with newer versions of Windows.| $??| +| SERVER001 | Yes| No| Join trusted domain and upgrade from Windows Server 2003 to Windows Server 2012.| No antivirus software present.| $??| + +In the previous table, the device CLIENT001 is currently "known, untrusted" because its hardware must be upgraded. However, it could be considered trustworthy if the required upgrades are possible. However, if many devices require the same upgrades, the overall cost of the solution would be much higher. + +The device SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs. + +With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. + +The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. + +**Next: **[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) diff --git a/windows/keep-secure/documenting-the-zones.md b/windows/keep-secure/documenting-the-zones.md new file mode 100644 index 0000000000..88e67e80c4 --- /dev/null +++ b/windows/keep-secure/documenting-the-zones.md @@ -0,0 +1,27 @@ +--- +title: Documenting the Zones (Windows 10) +description: Documenting the Zones +ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Documenting the Zones + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: + +| Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group | +| - | - | - | - | - | - | +| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware not compatible with newer versions of Windows.| $??| Isolated domain| +| SERVER002 | Yes| No| Join trusted domain, upgrade from Windows Server 2008 to at least Windows Server 2012| No antivirus software present.| $??| Encryption| +| SENSITIVE001 | Yes| Yes| Not required.| Running Windows Server 2012. Ready for inclusion.| $0| Isolated server (in zone by itself)| +| PRINTSVR1 | Yes| Yes| Not required.| Running Windows Server 2008 R2. Ready for inclusion.| $0| Boundary| + +**Next: **[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) diff --git a/windows/keep-secure/domain-isolation-policy-design-example.md b/windows/keep-secure/domain-isolation-policy-design-example.md new file mode 100644 index 0000000000..2bfcf9cbc8 --- /dev/null +++ b/windows/keep-secure/domain-isolation-policy-design-example.md @@ -0,0 +1,58 @@ +--- +title: Domain Isolation Policy Design Example (Windows 10) +description: Domain Isolation Policy Design Example +ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Domain Isolation Policy Design Example + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. + +## Design Requirements + +In addition to the basic protection provided by the firewall rules in the previous design example, you might want to implement domain isolation to provide another layer of security to their networked devices. You can create firewall and connection security rules that use authentication to reduce the risk of communicating with untrusted and potentially hostile devices. + +The following illustration shows the traffic protection needed for this design example. + + + +1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. + +2. The servers hosting the WGPartner programs must be able to receive unsolicited inbound traffic from devices owned by its partners, which are not members of Woodgrove Bank's domain. + +3. Client devices can initiate non-authenticated outbound communications with devices that are not members of the domain, such as browsing external Web sites. Unsolicited inbound traffic from non-domain members is blocked. + +4. Devices in the encryption zone require that all network traffic inbound and outbound must be encrypted, in addition to the authentication already required by the isolated domain. + +**Other traffic notes:** + +- All of the design requirements described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced. + +## Design Details + +Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices on its network. + +Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. As in the firewall policy design, a combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. + +The following groups were created by using the Active Directory Users and Computers MMC snap-in, all devices that run Windows were added to the correct groups, and then the appropriate GPO are applied to the group. To include a device in the isolated domain or any one of its subordinate zones, simply add the device's account in the appropriate group. + +- **CG\_DOMISO\_ISOLATEDDOMAIN**. The members of this group participate in the isolated domain. After an initial pilot period, followed by a slowly increasing group membership, the membership of this group was eventually replaced with the entry **Domain Computers** to ensure that all devices in the domain participate by default. The WMI filters ensure that the GPO does not apply to domain controllers. GPOs with connection security rules to enforce domain isolation behavior are linked to the domain container and applied to the devices in this group. Filters ensure that each computer receives the correct GPO for its operating system type. The rules in the domain isolation GPO require Kerberos v5 authentication for inbound network connections, and request (but not require) it for all outbound connections. + +- **CG\_DOMISO\_NO\_IPSEC**. This group is denied read or apply permissions on any of the domain isolation GPOs. Any computer that cannot participate in domain isolation, such as a DHCP server running UNIX, is added to this group. + +- **CG\_DOMISO\_BOUNDARY**. This group contains the computer accounts for all the devices that are part of the boundary group able to receive unsolicited inbound traffic from untrusted devices. Members of the group receive a GPO that configures connection security rules to request (but not require) both inbound and outbound authentication. + +- **CG\_DOMISO\_ENCRYPTION**. This group contains the computer accounts for all the devices that require all inbound and outbound traffic to be both authenticated and encrypted. Members of the group receive a GPO that configures connection security and firewall rules to require both authentication and encryption on all inbound and outbound traffic. + +>**Note:** If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. + +**Next: **[Server Isolation Policy Design Example](server-isolation-policy-design-example.md) diff --git a/windows/keep-secure/domain-isolation-policy-design.md b/windows/keep-secure/domain-isolation-policy-design.md new file mode 100644 index 0000000000..da2564242b --- /dev/null +++ b/windows/keep-secure/domain-isolation-policy-design.md @@ -0,0 +1,64 @@ +--- +title: Domain Isolation Policy Design (Windows 10) +description: Domain Isolation Policy Design +ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Domain Isolation Policy Design + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. + +This design typically begins with a network configured as described in the [Basic Firewall Policy Design](basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure devices in the isolated domain to accept only network traffic from other devices that can authenticate as a member of the isolated domain. After implementing the new rules, your devices reject unsolicited network traffic from devices that are not members of the isolated domain. + +The isolated domain might not be a single Active Directory domain. It can consist of all the domains in a forest, or domains in separate forests that have two-way trust relationships configured between them. + +By using connection security rules based on IPsec, you provide a logical barrier between devices even if they are connected to the same physical network segment. + +The design is shown in the following illustration, with the arrows that show the permitted communication paths. + + + +Characteristics of this design, as shown in the diagram, include the following: + +- Isolated domain (area A) - Devices in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from devices referenced in authentication exemption rules. Devices in the isolated domain can send traffic to any device. This includes unauthenticated traffic to devices that are not in the isolated domain. Devices that cannot join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more info, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). + +- Boundary zone (area B) - Devices in the boundary zone are part of the isolated domain but are allowed to accept inbound connections from untrusted devices, such as clients on the Internet. + + Devices in the boundary zone request but do not require authentication to communicate. When a member of the isolated domain communicates with a boundary zone member the traffic is authenticated. When a device that is not part of the isolated domain communicates with a boundary zone member the traffic is not authenticated. + + Because boundary zone devices are exposed to network traffic from untrusted and potentially hostile devices, they must be carefully managed and secured. Put only the devices that must be accessed by external devices in this zone. Use firewall rules to ensure that network traffic is accepted only for services that you want exposed to non-domain member devices. + +- Trusted non-domain members (area C) - Devices on the network that are not domain members or that cannot use IPsec authentication are allowed to communicate by configuring authentication exemption rules. These rules enable devices in the isolated domain to accept inbound connections from these trusted non-domain member devices. + +- Untrusted non-domain members (area D) - Devices that are not managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices. + +After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization. + +>**Important:** This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. + +This design can be applied to Devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. + +In order to expand the isolated domain to include Devices that cannot be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). + +For more info about this design: + +- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). + +- To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md). + +- Before completing the design, gather the info described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). + +- To help you make the decisions required in this design, see [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). + +- For a list of tasks that you can use to deploy your domain isolation policy design, see [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). + +**Next:** [Server Isolation Policy Design](server-isolation-policy-design.md) diff --git a/windows/keep-secure/enable-predefined-inbound-rules.md b/windows/keep-secure/enable-predefined-inbound-rules.md new file mode 100644 index 0000000000..fe16701837 --- /dev/null +++ b/windows/keep-secure/enable-predefined-inbound-rules.md @@ -0,0 +1,36 @@ +--- +title: Enable Predefined Inbound Rules (Windows 10) +description: Enable Predefined Inbound Rules +ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Enable Predefined Inbound Rules + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To deploy predefined firewall rules that allow inbound network traffic for common network functions + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. + +5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they are all selected. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**. + +6. On the **Action** page, select **Allow the connection**, and then click **Finish**. diff --git a/windows/keep-secure/enable-predefined-outbound-rules.md b/windows/keep-secure/enable-predefined-outbound-rules.md new file mode 100644 index 0000000000..1691399b8a --- /dev/null +++ b/windows/keep-secure/enable-predefined-outbound-rules.md @@ -0,0 +1,38 @@ +--- +title: Enable Predefined Outbound Rules (Windows 10) +description: Enable Predefined Outbound Rules +ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Enable Predefined Outbound Rules + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To deploy predefined firewall rules that block outbound network traffic for common network functions + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Outbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. + +5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. They are all selected by default. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**. + +6. On the **Action** page, select **Block the connection**, and then click **Finish**. + + The selected rules are added to the GPO. diff --git a/windows/keep-secure/encryption-zone-gpos.md b/windows/keep-secure/encryption-zone-gpos.md new file mode 100644 index 0000000000..dcb49121a4 --- /dev/null +++ b/windows/keep-secure/encryption-zone-gpos.md @@ -0,0 +1,22 @@ +--- +title: Encryption Zone GPOs (Windows 10) +description: Encryption Zone GPOs +ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Encryption Zone GPOs + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. + +The GPO is only for server versions of Windows. Client devices are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. + +- [GPO\_DOMISO\_Encryption](gpo-domiso-encryption.md) diff --git a/windows/keep-secure/encryption-zone.md b/windows/keep-secure/encryption-zone.md new file mode 100644 index 0000000000..f6fd2aacd4 --- /dev/null +++ b/windows/keep-secure/encryption-zone.md @@ -0,0 +1,62 @@ +--- +title: Encryption Zone (Windows 10) +description: Encryption Zone +ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Encryption Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. + +To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic be encrypted. + +You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. + +Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. + +## GPO settings for encryption zone servers running at least Windows Server 2008 + + +The GPO for devices that are running at least Windows Server 2008 should include the following: + +- IPsec default settings that specify the following options: + + 1. Exempt all ICMP traffic from IPsec. + + 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. + + 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + + If any NAT devices are present on your networks, use ESP encapsulation.. + + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method. + +- The following connection security rules: + + - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + + - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication using the default authentication specified earlier in this policy. + + **Important** + Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. + + + +- A registry policy that includes the following values: + + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + + >**Note:** For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). + +- If domain member devices must communicate with devices in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs. + +**Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md) diff --git a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md new file mode 100644 index 0000000000..35a8444e6e --- /dev/null +++ b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -0,0 +1,27 @@ +--- +title: Evaluating Windows Firewall with Advanced Security Design Examples (Windows 10) +description: Evaluating Windows Firewall with Advanced Security Design Examples +ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Evaluating Windows Firewall with Advanced Security Design Examples + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. + +- [Firewall Policy Design Example](firewall-policy-design-example.md) + +- [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) + +- [Server Isolation Policy Design Example](server-isolation-policy-design-example.md) + +- [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) + diff --git a/windows/keep-secure/event-1100.md b/windows/keep-secure/event-1100.md new file mode 100644 index 0000000000..3a1a897cf0 --- /dev/null +++ b/windows/keep-secure/event-1100.md @@ -0,0 +1,73 @@ +--- +title: 1100(S) The event logging service has shut down. (Windows 10) +description: Describes security event 1100(S) The event logging service has shut down. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 1100(S): The event logging service has shut down. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Other Events](other-events.md)
+
+***Event Description:***
+
+This event generates every time Windows Event Log service has shut down.
+
+It also generates during normal system shutdown.
+
+This event doesn’t generate during emergency system reset.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Other Events](other-events.md)
+
+***Event Description:***
+
+This event generates every time Windows Security audit log was cleared.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Other Events](other-events.md)
+
+***Event Description:***
+
+This event generates every time Windows security log becomes full.
+
+This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Do not overwrite events (Clear logs manually)](https://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx)”.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Other Events](other-events.md)
+
+***Event Description:***
+
+This event generates every time Windows security log becomes full and new event log file was created.
+
+This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Archive the log when full, do not overwrite events](https://technet.microsoft.com/en-us/library/cc721981.aspx)”.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Other Events](other-events.md)
+
+***Event Description:***
+
+This event generates when event logging service encountered an error while processing an incoming event.
+
+It typically generates when logging service will not be able to correctly write the event to the event log or some parameters were not passed to logging service to log the event correctly. You will typically see a defective or incorrect event before 1108.
+
+For example, event 1108 might be generated after an incorrect [4703](event-4703.md) event:
+
+
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+## Security Monitoring Recommendations
+
+For 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
+
+- We recommend monitoring for all events of this type and checking what the cause of the error was.
+
diff --git a/windows/keep-secure/event-4608.md b/windows/keep-secure/event-4608.md
new file mode 100644
index 0000000000..92e9691726
--- /dev/null
+++ b/windows/keep-secure/event-4608.md
@@ -0,0 +1,67 @@
+---
+title: 4608(S) Windows is starting up. (Windows 10)
+description: Describes security event 4608(S) Windows is starting up.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4608(S): Windows is starting up.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Security State Change](audit-security-state-change.md)
+
+***Event Description:***
+
+This event is logged when LSASS.EXE process starts and the auditing subsystem is initialized.
+
+It typically generates during operating system startup process.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md)
+
+***Event Description:***
+
+This event generates every time [Authentication Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374733(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)).
+
+Each time the system starts, the LSA loads the Authentication Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages** registry value and performs the initialization sequence for every package located in these DLLs.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md)
+
+***Event Description:***
+
+This event indicates that a logon process has registered with the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)). Also, logon requests will now be accepted from this source.
+
+At the technical level, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates.
+
+A logon process is a trusted part of the operating system that handles the overall logon function for different logon methods (network, interactive, etc.).
+
+You typically see these events during operating system startup or user logon and authentication actions.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md)
+
+***Event Description:***
+
+This event generates every time a Notification Package has been loaded by the [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx).
+
+In reality, starting with Windows Vista, a notification package should be interpreted as afs [Password Filter](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx).
+
+Password Filters are DLLs that are loaded or called when passwords are set or changed.
+
+Each time a system starts, it loads the notification package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages** registry value and performs the initialization sequence for every package.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security State Change](audit-security-state-change.md)
+
+***Event Description:***
+
+This event generates every time system time was changed.
+
+This event is always logged regardless of the "Audit Security State Change" sub-category setting.
+
+You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Name** \[Type = UnicodeString\] \[Version 1\]**:** full path and the name of the executable for the process.
+
+**Previous Time** \[Type = FILETIME\]: previous time in ***UTC*** time zone. The format is **YYYY-MM-DDThh:mm:ss.nnnnnnnZ**:
+
+- Y - years
+
+- M - months
+
+- D - days
+
+- T - the beginning of the time element, as specified in [ISO 8601](http://www.iso.org/iso/home/standards/iso8601.htm).
+
+- h - hours
+
+- m - minutes
+
+- s - seconds
+
+- n - fractional seconds
+
+- Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z".
+
+**New Time** \[Type = FILETIME\]: new time that was set in ***UTC*** time zone. The format is **YYYY-MM-DDThh:mm:ss.nnnnnnnZ**:
+
+- Y - years
+
+- M - months
+
+- D - days
+
+- T - the beginning of the time element, as specified in [ISO 8601](http://www.iso.org/iso/home/standards/iso8601.htm).
+
+- h - hours
+
+- m - minutes
+
+- s - seconds
+
+- n - fractional seconds
+
+- Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z".
+
+## Security Monitoring Recommendations
+
+For 4616(S): The system time was changed.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made not by Windows Time service.
+
+- Report all “**Process Information\\Name**” not equals **“C:\\Windows\\System32\\svchost.exe”** (path to svchost.exe can be different, you can search for “svchost.exe” substring), which means that the time change was not made not by Windows Time service.
+
+
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
diff --git a/windows/keep-secure/event-4618.md b/windows/keep-secure/event-4618.md
new file mode 100644
index 0000000000..e9b106a0b3
--- /dev/null
+++ b/windows/keep-secure/event-4618.md
@@ -0,0 +1,97 @@
+---
+title: 4618(S) A monitored security event pattern has occurred. (Windows 10)
+description: Describes security event 4618(S) A monitored security event pattern has occurred.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4618(S): A monitored security event pattern has occurred.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
+
+This event can be generated (invoked) only externally using the following command:
+
+**%windir%\\system32\\rundll32 %windir%\\system32\\authz.dll,AuthziGenerateAdminAlertAudit OrgEventId ComputerName UserSid UserName UserDomain UserLogonId EventCount Duration**
+
+Account must have **SeAuditPrivilege** (Generate security audits) to be able to generate this event.
+
+- **UserSid** is resolved when viewing the event in event viewer.
+
+- Only **OrgEventID**, **ComputerName**, and **EventCount** are required—others are optional. Fields not specified appear with “**-**“ in the event description field.
+
+- If a field doesn’t match the expected data type, the event is not generated. (i.e., if **EventCount** = “XYZ” then no event is generated.)
+
+- **UserSid**, **UserName**, and **UserDomain** are not related to each other (think **SubjectUser** fields, where they are)
+
+- Parameters are space delimited, even if a parameter is enclosed in double-quotes.
+
+- Here are the expected data types for the parameters:
+
+| Parameter | Expected Data Type |
+|--------------|--------------------------------------------------|
+| OrgEventID | Ulong |
+| ComputerName | String |
+| UserSid | SID (in string format) |
+| UserName | String |
+| UserDomain | String |
+| UserLogonID | Luid (a ULongLong converted to Hex in the event) |
+| EventCount | Ulong |
+| Duration | String |
+
+
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md)
+
+***Event Description:***
+
+This event generates every time [Security Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380501(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)).
+
+Security Package is the software implementation of a security protocol (Kerberos, NTLM, for example). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs.
+
+Each time the system starts, the LSA loads the Security Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages** registry value and performs the initialization sequence for every package located in these DLLs.
+
+It is also possible to add security package dynamically using [AddSecurityPackage](https://msdn.microsoft.com/en-us/library/windows/desktop/dd401506(v=vs.85).aspx) function, not only during system startup process.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Logon](audit-logon.md)
+
+***Event Description:***
+
+This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Network Information:**
+
+- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed.
+
+- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
+
+ - IPv6 address or ::ffff:IPv4 address of a client.
+
+ - ::1 or 127.0.0.1 means localhost.
+
+- **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
+
+ - 0 for interactive logons.
+
+**Detailed Authentication Information:**
+
+- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
+
+- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
+
+ - **NTLM** – NTLM-family Authentication
+
+ - **Kerberos** – Kerberos authentication.
+
+ - **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
+
+- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“New Logon\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“New Logon\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“New Logon\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“New Logon\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“New Logon\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“New Logon\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + +- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. + +- If “**Restricted Admin**” mode must be used for logons by certain accounts, use this event to monitor logons by “**New Logon\\Security ID**” in relation to “**Logon Type**”=10 and “**Restricted Admin Mode**”=”Yes”. If “**Restricted Admin Mode**”=”No” for these accounts, trigger an alert. + +- If you need to monitor all logon events for accounts with administrator privileges, monitor this event with “**Elevated Token**”=”Yes”. + +- If you need to monitor all logon events for managed service accounts and group managed service accounts, monitor for events with “**Virtual Account**”=”Yes”. + +- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event. + +- If your organization restricts logons in the following ways, you can use this event to monitor accordingly: + + - If the user account **“New Logon\\Security ID”** should never be used to log on from the specific **Computer:**. + + - If **New Logon\\Security ID** credentials should not be used from **Workstation Name** or **Source Network Address**. + + - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses. + + - If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** does not equal **NTLM V2**. + + - If NTLM is not used in your organization, or should not be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM. + + - If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length. + +- If you monitor for potentially malicious software, or software that is not authorized to request logon actions, monitor this event for **Process Name**. + +- If you have a trusted logon processes list, monitor for a **Logon Process** that is not from the list. + diff --git a/windows/keep-secure/event-4625.md b/windows/keep-secure/event-4625.md new file mode 100644 index 0000000000..9a040ff053 --- /dev/null +++ b/windows/keep-secure/event-4625.md @@ -0,0 +1,289 @@ +--- +title: 4625(F) An account failed to log on. (Windows 10) +description: Describes security event 4625(F) An account failed to log on. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4625(F): An account failed to log on. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategories:*** [Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md)
+
+***Event Description:***
+
+This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.
+
+It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Network Information:**
+
+- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed.
+
+- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
+
+ - IPv6 address or ::ffff:IPv4 address of a client.
+
+ - ::1 or 127.0.0.1 means localhost.
+
+- **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
+
+ - 0 for interactive logons.
+
+**Detailed Authentication Information:**
+
+- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
+
+- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
+
+ - **NTLM** – NTLM-family Authentication
+
+ - **Kerberos** – Kerberos authentication.
+
+ - **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
+
+- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | +| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | + diff --git a/windows/keep-secure/event-4626.md b/windows/keep-secure/event-4626.md new file mode 100644 index 0000000000..83fa8fe837 --- /dev/null +++ b/windows/keep-secure/event-4626.md @@ -0,0 +1,181 @@ +--- +title: 4626(S) User/Device claims information. (Windows 10) +description: Describes security event 4626(S) User/Device claims information. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4626(S): User/Device claims information. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit User/Device Claims](audit-user-device-claims.md)
+
+***Event Description:***
+
+This event generates for new account logons and contains user/device claims which were associated with a new logon session.
+
+This event does not generate if the user/device doesn’t have claims.
+
+For computer account logons you will also see device claims listed in the “**User Claims**” field.
+
+You will typically get “[4624](event-4624.md): An account was successfully logged on” and after it a 4626 event with the same information in **Subject**, **Logon Type** and **New Logon** sections.
+
+This event generates on the computer to which the logon was performed (target computer). For example, for Interactive logons it will be the same computer.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Group Membership](audit-group-membership.md)
+
+***Event Description:***
+
+This event generates with “[4624](event-4624.md)(S): An account was successfully logged on” and shows the list of groups that the logged-on account belongs to.
+
+You must also enable the Success audit for [Audit Logon](audit-logon.md) subcategory to get this event.
+
+Multiple events are generated if the group membership information cannot fit in a single security audit event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Logoff](audit-logoff.md)
+
+***Event Description:***
+
+This event shows that logon session was terminated and no longer exists.
+
+The main difference between “[4647](event-4647.md): User initiated logoff.” and 4647 event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
+
+4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.
+
+It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Logoff](audit-logoff.md)
+
+***Event Description:***
+
+This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
+
+The main difference with “[4634](event-4634.md)(S): An account was logged off.” event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
+
+4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.
+
+It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Logon](audit-logon.md)
+
+***Event Description:***
+
+This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.
+
+This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.
+
+It is also a routine event which periodically occurs during normal operating system activity.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Network Information:**
+
+- **Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
+
+ - IPv6 address or ::ffff:IPv4 address of a client.
+
+ - ::1 or 127.0.0.1 means localhost.
+
+- **Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
+
+ - 0 for interactive logons.
+
+## Security Monitoring Recommendations
+
+For 4648(S): A logon was attempted using explicit credentials.
+
+The following table is similar to the table in [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md), but also describes ways of monitoring that use “**Account Whose Credentials Were Used\\Security ID.**”
+
+| **Type of monitoring required** | **Recommendation** |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the whitelist. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event. | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.
For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that don’t comply with naming conventions. | + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If **Subject\\Security ID** should not know or use credentials for **Account Whose Credentials Were Used\\Account Name**, monitor this event. + +- If credentials for **Account Whose Credentials Were Used\\Account Name** should not be used from **Network Information\\Network Address**, monitor this event. + +- Check that **Network Information\\Network Address** is from internal IP address list. For example, if you know that a specific account (for example, a service account) should be used only from specific IP addresses, you can monitor for all events where **Network Information\\Network Address** is not one of the allowed IP addresses. + diff --git a/windows/keep-secure/event-4649.md b/windows/keep-secure/event-4649.md new file mode 100644 index 0000000000..50ea622c1b --- /dev/null +++ b/windows/keep-secure/event-4649.md @@ -0,0 +1,79 @@ +--- +title: 4649(S) A replay attack was detected. (Windows 10) +description: Describes security event 4649(S) A replay attack was detected. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4649(S): A replay attack was detected. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client. + +Domain controllers cache information from recently received tickets. If the server name, client name, time, and microsecond fields from the Authenticator match recently seen entries in the cache, it will return KRB\_AP\_ERR\_REPEAT. You can read more about this in [RFC-1510](http://www.ietf.org/rfc/rfc1510.txt). One potential cause for this is a misconfigured network device between the client and server that could send the same packet(s) repeatedly. + +There is no example of this event in this document. + +***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + +***Event Schema:*** + +*A replay attack was detected.* + +*Subject:* + +> *Security ID:%1* +> +> *Account Name:%2* +> +> *Account Domain:%3* +> +> *Logon ID:%4* + +*Credentials Which Were Replayed:* + +> *Account Name:%5* +> +> *Account Domain:%6* + +*Process Information:* + +> *Process ID:%12* +> +> *Process Name:%13* + +*Network Information:* + +> *Workstation Name:%10* + +*Detailed Authentication Information:* + +> *Request Type:%7* +> +> *Logon Process:%8* +> +> *Authentication Package:%9* +> +> *Transited Services:%11* + +*This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration."* + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +For 4649(S): A replay attack was detected. + +- This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems. In both cases, we recommend triggering an alert and investigating the reason the event was generated. + diff --git a/windows/keep-secure/event-4656.md b/windows/keep-secure/event-4656.md new file mode 100644 index 0000000000..b7e3893812 --- /dev/null +++ b/windows/keep-secure/event-4656.md @@ -0,0 +1,277 @@ +--- +title: 4656(S, F) A handle to an object was requested. (Windows 10) +description: Describes security event 4656(S, F) A handle to an object was requested. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4656(S, F): A handle to an object was requested. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md)
+
+***Event Description:***
+
+This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
+
+If access was declined, a Failure event is generated.
+
+This event generates only if the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) has the required ACE to handle the use of specific access rights.
+
+This event shows that access was requested, and the results of the request, but it doesn’t show that the operation was performed. To see that the operation was performed, check “[4663](event-4663.md)(S): An attempt was made to access an object.”
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+***Event XML***:
+```
+- 
+
+**Process Information:**
+
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+
+
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Access Request Information:**
+
+- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
+
+ This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary.
+
+| Access | Hexadecimal Value,Schema Value | Description | +|---------------------------------------------------------------------------------------|-------------------------------------|----------------| +| ReadData (or ListDirectory)
(For registry objects, this is “Query key value.”) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile)
(For registry objects, this is “Set key value.”) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA
(For registry objects, this is “Enumerate sub-keys.”) | 0x8,
%%4419 | The right to read extended file attributes. | +| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | +| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | +| DELETE | 0x10000,
%%1537 | The right to delete the object. | +| READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +> Table 14. File System objects access rights. + +- **Access Reasons** \[Type = UnicodeString\] \[Version 1\]: the list of access check results. The format of this varies, depending on the object. For kernel objects, this field does not apply. + +- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table. + + + +- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**. + +## Security Monitoring Recommendations + +For 4656(S, F): A handle to an object was requested. + +For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level. + +For other types of objects, the following recommendations apply. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- If **Object Name** is a sensitive or critical object for which you need to monitor any access attempt, monitor all [4656](event-4656.md) events. + +- If **Object Name** is a sensitive or critical object for which you need to monitor specific access attempts (for example, only write actions), monitor for all [4656](event-4656.md) events with the corresponding **Access Request Information\\Accesses** values. + +- If you need to monitor files and folders with specific Resource Attribute values, monitor for all [4656](event-4656.md) events with specific **Resource Attributes** field values. + + For file system objects, we recommend that you monitor these **Access Request Information\\Accesses** rights (especially for Failure events): + + - WriteData (or AddFile) + + - AppendData (or AddSubdirectory or CreatePipeInstance) + + - WriteEA + + - DeleteChild + + - WriteAttributes + + - DELETE + + - WRITE\_DAC + + - WRITE\_OWNER + diff --git a/windows/keep-secure/event-4657.md b/windows/keep-secure/event-4657.md new file mode 100644 index 0000000000..5b669ccb0d --- /dev/null +++ b/windows/keep-secure/event-4657.md @@ -0,0 +1,179 @@ +--- +title: 4657(S) A registry value was modified. (Windows 10) +description: Describes security event 4657(S) A registry value was modified. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4657(S): A registry value was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Registry](audit-registry.md)
+
+***Event Description:***
+
+This event generates when a registry key ***value*** was modified. It doesn’t generate when a registry key was modified.
+
+This event generates only if “Set Value" auditing is set in registry key’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Change Information:**
+
+- **Old Value Type** \[Type = UnicodeString\]**:** old type of changed registry key value. Registry key value types:
+
+| Value Type | Description |
+|-----------------|-------------------------|
+| REG\_SZ | String |
+| REG\_BINARY | Binary |
+| REG\_DWORD | DWORD (32-bit) Value |
+| REG\_QWORD | QWORD (64-bit) Value |
+| REG\_MULTI\_SZ | Multi-String Value |
+| REG\_EXPAND\_SZ | Expandable String Value |
+
+- **Old Value** \[Type = UnicodeString\]: old value for changed registry key value.
+
+- **New Value Type** \[Type = UnicodeString\]**:** new type of changed registry key value. See table above for possible values.
+
+- **New Value** \[Type = UnicodeString\]: new value for changed registry key value.
+
+## Security Monitoring Recommendations
+
+For 4657(S): A registry value was modified.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
+- If **Object Name** is a sensitive or critical registry key for which you need to monitor any modification of its values, monitor all [4657](event-4657.md) events.
+
+- If **Object Name** has specific values (**Object Value Name**) and you need to monitor modifications of these values, monitor for all [4657](event-4657.md) events.
+
diff --git a/windows/keep-secure/event-4658.md b/windows/keep-secure/event-4658.md
new file mode 100644
index 0000000000..3de6b3da02
--- /dev/null
+++ b/windows/keep-secure/event-4658.md
@@ -0,0 +1,132 @@
+---
+title: 4658(S) The handle to an object was closed. (Windows 10)
+description: Describes security event 4658(S) The handle to an object was closed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4658(S): The handle to an object was closed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Handle Manipulation](audit-handle-manipulation.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md)
+
+***Event Description:***
+
+This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
+
+This event generates only if Success auditing is enabled for [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory.
+
+Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+## Security Monitoring Recommendations
+
+For 4658(S): The handle to an object was closed.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it.
+
+- This event can be used to track all actions or operations related to a specific object handle.
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
diff --git a/windows/keep-secure/event-4660.md b/windows/keep-secure/event-4660.md
new file mode 100644
index 0000000000..901bc15ae8
--- /dev/null
+++ b/windows/keep-secure/event-4660.md
@@ -0,0 +1,133 @@
+---
+title: 4660(S) An object was deleted. (Windows 10)
+description: Describes security event 4660(S) An object was deleted.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4660(S): An object was deleted.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), and [Audit Registry](audit-registry.md)
+
+***Event Description:***
+
+This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
+
+This event generates only if “Delete" auditing is set in object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx).
+
+This event doesn’t contain the name of the deleted object (only the **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object” with DELETE access to track object deletion.
+
+The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+
+
+- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4656](event-4656.md)(S, F): A handle to an object was requested.”
+
+ This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+## Security Monitoring Recommendations
+
+For 4660(S): An object was deleted.
+
+- This event doesn’t contains the name of deleted object (only **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object.” events with DELETE access to track object deletion actions.
+
+- For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
+
diff --git a/windows/keep-secure/event-4661.md b/windows/keep-secure/event-4661.md
new file mode 100644
index 0000000000..278c77f651
--- /dev/null
+++ b/windows/keep-secure/event-4661.md
@@ -0,0 +1,220 @@
+---
+title: 4661(S, F) A handle to an object was requested. (Windows 10)
+description: Describes security event 4661(S, F) A handle to an object was requested.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4661(S, F): A handle to an object was requested.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategories:*** [Audit Directory Service Access](audit-directory-service-access.md) and [Audit SAM](audit-sam.md)
+
+***Event Description:***
+
+This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object.
+
+If access was declined, then Failure event is generated.
+
+This event generates only if Success auditing is enabled for the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML***: +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Access Request Information:**
+
+- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
+
+ This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +- **Properties** \[Type = UnicodeString\]: depends on **Object Type**. This field can be empty or contain the list of the object properties that were accessed. See more detailed information in “[4661](event-4661.md): A handle to an object was requested” from [Audit SAM](audit-sam.md) subcategory. + +- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**. + +## Security Monitoring Recommendations + +For 4661(S, F): A handle to an object was requested. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document. + diff --git a/windows/keep-secure/event-4662.md b/windows/keep-secure/event-4662.md new file mode 100644 index 0000000000..83640072e0 --- /dev/null +++ b/windows/keep-secure/event-4662.md @@ -0,0 +1,248 @@ +--- +title: 4662(S, F) An operation was performed on an object. (Windows 10) +description: Describes security event 4662(S, F) An operation was performed on an object. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4662(S, F): An operation was performed on an object. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Directory Service Access](audit-directory-service-access.md)
+
+***Event Description:***
+
+This event generates every time when an operation was performed on an Active Directory object.
+
+This event generates only if appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) was set for Active Directory object and performed operation meets this SACL.
+
+If operation failed then Failure event will be generated.
+
+You will get one 4662 for each operation type which was performed.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
The right to perform an operation controlled by an extended access right. | +| 0x10000 | DELETE | The right to delete the object.
DELETE also generated when object was moved. | +| 0x20000 | READ\_CONTROL | The right to read data from the security descriptor of the object, not including the data in the SACL. | +| 0x40000 | WRITE\_DAC | The right to modify the discretionary access-control list (DACL) in the object security descriptor. | +| 0x80000 | WRITE\_OWNER | The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users. | +| 0x100000 | SYNCHRONIZE | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. | +| 0x1000000 | ADS\_RIGHT\_ACCESS\_SYSTEM\_SECURITY | The right to get or set the SACL in the object security descriptor. | +| 0x80000000 | ADS\_RIGHT\_GENERIC\_READ | The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container. | +| 0x40000000 | ADS\_RIGHT\_GENERIC\_WRITE | The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object. | +| 0x20000000 | ADS\_RIGHT\_GENERIC\_EXECUTE | The right to read permissions on, and list the contents of, a container object. | +| 0x10000000 | ADS\_RIGHT\_GENERIC\_ALL | The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with an extended right. | + +> Table 9. Active Directory Access Codes and Rights. + +- **Properties** \[Type = UnicodeString\]: first part is the type of access that was used. Typically has the same value as **Accesses** field. + + Second part is a tree of **GUID** values of Active Directory classes or property sets, for which operation was performed. + +> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. + +To translate this GUID, use the following procedure: + +- Perform the following LDAP search using LDP.exe tool: + + - Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX + + - Filter: (&(objectClass=\*)(schemaIDGUID=GUID)) + + - Perform the following operations with the GUID before using it in a search request: + + - We have this GUID to search for: bf967a86-0de6-11d0-a285-00aa003049e2 + + - Take first 3 sections bf967a86-0de6-11d0. + + - For each of these 3 sections you need to change (Invert) the order of bytes, like this 867a96bf-e60d-d011 + + - Add the last 2 sections without transformation: 867a96bf-e60d-d011-a285-00aa003049e2 + + - Delete - : 867a96bfe60dd011a28500aa003049e2 + + - Divide bytes with backslashes: \\86\\7a\\96\\bf\\e6\\0d\\d0\\11\\a2\\85\\00\\aa\\00\\30\\49\\e2 + + - Filter example: (&(objectClass=\*)(schemaIDGUID=\\86\\7a\\96\\bf\\e6\\0d\\d0\\11\\a2\\85\\00\\aa\\00\\30\\49\\e2)) + + - Scope: Subtree + + - Attributes: schemaIDGUID + +
+
+Sometimes GUID refers to pre-defined Active Directory Property Sets, you can find GUID (**Rights-GUID** field), “property set name” and details here: {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
{6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
{b3f93023-9239-4f7c-b99c-6745d87adbc2}
{b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7} | Computer
Private-Information property set
ms-PKI-RoamingTimeStamp
ms-PKI-DPAPIMasterKeys
ms-PKI-AccountCredentials | + +**Additional Information:** + +- **Parameter 1** \[Type = UnicodeString\]**:** there is no information about this field in this document. + +- **Parameter 2** \[Type = UnicodeString\]**:** there is no information about this field in this document. + +## Security Monitoring Recommendations + +For 4662(S, F): An operation was performed on an object. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you need to monitor operations attempts to specific Active Directory classes, monitor for **Object Type** field with specific class name. For example, we recommend that you monitor all operations attempts to **domainDNS** class. + +- If you need to monitor operations attempts to specific Active Directory objects, monitor for **Object Name** field with specific object name. For example, we recommend that you monitor all operations attempts to “**CN=AdminSDHolder,CN=System,DC=domain,DC=com”** object. + +- Some access types are more important to monitor, for example: + + - Write Property + + - Control Access + + - DELETE + + - WRITE\_DAC + + - WRITE\_OWNER + + You can decide to monitor these (or one of these) access types for specific Active Directory objects. To do so, monitor for **Accesses** field with specific access type. + +- If you need to monitor operations attempts to specific Active Directory properties, monitor for **Properties** field with specific property GUID. + +- Do not forget that **Failure** attempts are also very important to audit. Decide where you want to monitor Failure attempts based on previous recommendations. + diff --git a/windows/keep-secure/event-4663.md b/windows/keep-secure/event-4663.md new file mode 100644 index 0000000000..46cdac8cb0 --- /dev/null +++ b/windows/keep-secure/event-4663.md @@ -0,0 +1,223 @@ +--- +title: 4663(S) An attempt was made to access an object. (Windows 10) +description: Describes security event 4663(S) An attempt was made to access an object. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4663(S): An attempt was made to access an object. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md)
+
+***Event Description:***
+
+This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
+
+This event generates only if object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) has required ACE to handle specific access right use.
+
+The main difference with “[4656](event-4656.md): A handle to an object was requested.” event is that 4663 shows that access right was used instead of just requested and 4663 doesn’t have Failure events.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Process Information:**
+
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that accessed the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+
+
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Access Request Information:**
+
+- **Accesses** \[Type = UnicodeString\]: the list of access rights which were used by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary.
+
+| Access | Hex Value,Schema Value | Description | +|----------------------------------------------------------------------------------------|-----------------------------|---------------------| +| ReadData (or ListDirectory)
(For registry objects, this is “Query key value.”) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile)
(For registry objects, this is “Set key value.”) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA
(For registry objects, this is “Enumerate sub-keys.”) | 0x8,
%%4419 | The right to read extended file attributes. | +| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | +| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | +| DELETE | 0x10000,
%%1537 | The right to delete the object. | +| READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +> Table 15. File System objects access rights. + +- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table. + +## Security Monitoring Recommendations + +For 4663(S): An attempt was made to access an object. + +For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level. + +For other types of objects, the following recommendations apply. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If you have critical file system objects for which you need to monitor all access attempts, monitor this event for **Object Name**. + +- If you have critical file system objects for which you need to monitor certain access attempts (for example, write actions), monitor this event for **Object Name** in relation to **Access Request Information\\Accesses**. + +- If you have file system objects with specific attributes, for which you need to monitor access attempts, monitor this event for **Resource Attributes**. + +- If **Object Name** is a sensitive or critical registry key for which you need to monitor specific access attempts (for example, only write actions), monitor for all [4663](event-4663.md) events with the corresponding **Access Request Information\\Accesses**. + + + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- For file system objects, we recommend that you monitor for these **Access Request Information\\Accesses** rights: + + - WriteData (or AddFile) + + - AppendData (or AddSubdirectory or CreatePipeInstance) + + - WriteEA + + - DeleteChild + + - WriteAttributes + + - DELETE + + - WRITE\_DAC + + - WRITE\_OWNER + diff --git a/windows/keep-secure/event-4664.md b/windows/keep-secure/event-4664.md new file mode 100644 index 0000000000..a62808d16d --- /dev/null +++ b/windows/keep-secure/event-4664.md @@ -0,0 +1,109 @@ +--- +title: 4664(S) An attempt was made to create a hard link. (Windows 10) +description: Describes security event 4664(S) An attempt was made to create a hard link. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4664(S): An attempt was made to create a hard link. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit File System](audit-file-system.md)
+
+***Event Description:***
+
+This event generates when an NTFS hard link was successfully created.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Registry](audit-registry.md), [Audit Authentication Policy Change](audit-authentication-policy-change.md), and [Audit Authorization Policy Change](audit-authorization-policy-change.md)
+
+***Event Description:***
+
+This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
+
+This event does not generate if the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (Auditing ACL) was changed.
+
+Before this event can generate, certain ACEs might need to be set in the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). For example, for a file system object, it generates only if “Change Permissions" and/or "Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC" and/or "Write Owner” are set in the object’s SACL.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Permissions Change:**
+
+- **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the object.
+
+- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
+
+> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+
+> Example:
+
+> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
+
+> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
+> See the list of possible values in the table below:
+
+| Value | Description | Value | Description |
+|-------|--------------------------------------|-------|---------------------------------|
+| "AO" | Account operators | "PA" | Group Policy administrators |
+| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user |
+| "AN" | Anonymous logon | "LA" | Local administrator |
+| "AU" | Authenticated users | "LG" | Local guest |
+| "BA" | Built-in administrators | "LS" | Local service account |
+| "BG" | Built-in guests | "SY" | Local system |
+| "BO" | Backup operators | "NU" | Network logon user |
+| "BU" | Built-in users | "NO" | Network configuration operators |
+| "CA" | Certificate server administrators | "NS" | Network service account |
+| "CG" | Creator group | "PO" | Printer operators |
+| "CO" | Creator owner | "PS" | Personal self |
+| "DA" | Domain administrators | "PU" | Power users |
+| "DC" | Domain computers | "RS" | RAS servers group |
+| "DD" | Domain controllers | "RD" | Terminal server users |
+| "DG" | Domain guests | "RE" | Replicator |
+| "DU" | Domain users | "RC" | Restricted code |
+| "EA" | Enterprise administrators | "SA" | Schema administrators |
+| "ED" | Enterprise domain controllers | "SO" | Server operators |
+| "WD" | Everyone | "SU" | Service logon user |
+
+- *G*: = Primary Group.
+- *D*: = DACL Entries.
+- *S*: = SACL Entries.
+
+*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
+
+Example: D:(A;;FA;;;WD)
+
+- entry\_type:
+
+“D” - DACL
+
+“S” - SACL
+
+- inheritance\_flags:
+
+"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+
+"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
+
+"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
+
+- ace\_type:
+
+"A" - ACCESS ALLOWED
+
+"D" - ACCESS DENIED
+
+"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
+
+"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
+
+"AU" - SYSTEM AUDIT
+
+"A" - SYSTEM ALARM
+
+"OU" - OBJECT SYSTEM AUDIT
+
+"OL" - OBJECT SYSTEM ALARM
+
+- ace\_flags:
+
+"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
+
+"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
+
+"NP" - NO PROPAGATE: only immediate children inherit this ace.
+
+"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+
+"ID" - ACE IS INHERITED
+
+"SA" - SUCCESSFUL ACCESS AUDIT
+
+"FA" - FAILED ACCESS AUDIT
+- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
+
+| Value | Description | Value | Description |
+|----------------------------|---------------------------------|----------------------|--------------------------|
+| Generic access rights | Directory service access rights |
+| "GA" | GENERIC ALL | "RC" | Read Permissions |
+| "GR" | GENERIC READ | "SD" | Delete |
+| "GW" | GENERIC WRITE | "WD" | Modify Permissions |
+| "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
+| File access rights | "RP" | Read All Properties |
+| "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
+| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
+| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
+| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
+| Registry key access rights | "SW" | All Validated Writes |
+| "KA" | "LO" | "LO" | List Object |
+| "K" | KEY READ | "DT" | Delete Subtree |
+| "KW" | KEY WRITE | "CR" | All Extended Rights |
+| "KX" | KEY EXECUTE | | |
+
+- object\_guid: N/A
+- inherit\_object\_guid: N/A
+- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
+
+For more information about SDDL syntax, see these articles: 
+
+***Subcategory:*** [Audit Special Logon](audit-special-logon.md)
+
+***Event Description:***
+
+This event generates for new account logons if any of the following sensitive privileges are assigned to the new logon session:
+
+- SeTcbPrivilege - Act as part of the operating system
+
+- SeBackupPrivilege - Back up files and directories
+
+- SeCreateTokenPrivilege - Create a token object
+
+- SeDebugPrivilege - Debug programs
+
+- SeEnableDelegationPrivilege - Enable computer and user accounts to be trusted for delegation
+
+- SeAuditPrivilege - Generate security audits
+
+- SeImpersonatePrivilege - Impersonate a client after authentication
+
+- SeLoadDriverPrivilege - Load and unload device drivers
+
+- SeSecurityPrivilege - Manage auditing and security log
+
+- SeSystemEnvironmentPrivilege - Modify firmware environment values
+
+- SeAssignPrimaryTokenPrivilege - Replace a process-level token
+
+- SeRestorePrivilege - Restore files and directories,
+
+- SeTakeOwnershipPrivilege - Take ownership of files or other objects
+
+You typically will see many of these events in the event log, because every logon of SYSTEM (Local System) account triggers this event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | + +## Security Monitoring Recommendations + +For 4672(S): Special privileges assigned to new logon. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. + +- If you have a list of specific privileges which should never be granted, or granted only to a few accounts (for example, SeDebugPrivilege), use this event to monitor for those “**Privileges**.” + + + +- If you are required to monitor any of the sensitive privileges in the [Event Description for this event](event-4672.md), search for those specific privileges in the event. + diff --git a/windows/keep-secure/event-4673.md b/windows/keep-secure/event-4673.md new file mode 100644 index 0000000000..5282a6658e --- /dev/null +++ b/windows/keep-secure/event-4673.md @@ -0,0 +1,196 @@ +--- +title: 4673(S, F) A privileged service was called. (Windows 10) +description: Describes security event 4673(S, F) A privileged service was called. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4673(S, F): A privileged service was called. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategories:*** [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) and [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
+
+***Event Description:***
+
+This event generates when an attempt was made to perform privileged system service operations.
+
+This event generates, for example, when **SeSystemtimePrivilege**, **SeCreateGlobalPrivilege**, or **SeTcbPrivilege** privilege was used.
+
+Failure event generates when service call attempt fails.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Service Request Information**:
+
+- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables:
+
+| **Subcategory of event** | **Privilege Name: User Right Group Policy Name** | **Description** | +|-----------------------------------|----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Non Sensitive Privilege Use | **SeChangeNotifyPrivilege:
**Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | **SeCreateGlobalPrivilege:
**Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | **SeCreatePagefilePrivilege:
**Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | **SeCreatePermanentPrivilege:
**Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | **SeCreateSymbolicLinkPrivilege:
**Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | **SeIncreaseBasePriorityPrivilege:
**Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | **SeIncreaseQuotaPrivilege:
**Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | **SeIncreaseWorkingSetPrivilege:
**Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | **SeLockMemoryPrivilege:
**Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Non Sensitive Privilege Use | **SeMachineAccountPrivilege:
**Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| Audit Non Sensitive Privilege Use | **SeManageVolumePrivilege:
**Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| Audit Non Sensitive Privilege Use | **SeProfileSingleProcessPrivilege:
**Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| Audit Non Sensitive Privilege Use | **SeRelabelPrivilege:
**Modify an object label | Required to modify the mandatory integrity level of an object. | +| Audit Non Sensitive Privilege Use | **SeRemoteShutdownPrivilege:
**Force shutdown from a remote system | Required to shut down a system using a network request. | +| Audit Non Sensitive Privilege Use | **SeShutdownPrivilege:
**Shut down the system | Required to shut down a local system. | +| Audit Non Sensitive Privilege Use | **SeSyncAgentPrivilege:
**Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| Audit Non Sensitive Privilege Use | **SeSystemProfilePrivilege:
**Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| Audit Non Sensitive Privilege Use | **SeSystemtimePrivilege:
**Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| Audit Non Sensitive Privilege Use | **SeTimeZonePrivilege:
**Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| Audit Non Sensitive Privilege Use | **SeTrustedCredManAccessPrivilege:
**Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| Audit Non Sensitive Privilege Use | **SeUndockPrivilege:
**Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | + +| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** | +|-------------------------------|-----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege:
**Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | **SeAuditPrivilege:
**Generate security audits | With this privilege, the user can add entries to the security log. | +| Audit Sensitive Privilege Use | **SeCreateTokenPrivilege:
**Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| Audit Sensitive Privilege Use | **SeDebugPrivilege:
**Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| Audit Sensitive Privilege Use | **SeImpersonatePrivilege:
**Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| Audit Sensitive Privilege Use | **SeLoadDriverPrivilege:
**Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| Audit Sensitive Privilege Use | **SeLockMemoryPrivilege:
**Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Sensitive Privilege Use | **SeSystemEnvironmentPrivilege:
**Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | **SeTcbPrivilege:
**Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| Audit Sensitive Privilege Use | **SeEnableDelegationPrivilege:
**Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | + +## Security Monitoring Recommendations + +For 4673(S, F): A privileged service was called. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events. + +- If you need to monitor events related to specific Windows subsystems (“**Service\\Server**”), for example **NT Local Security Authority / Authentication Service** or **Security Account Manager**, monitor this event for the corresponding “**Service\\Server**.” + +- If you need to monitor events related to specific Windows security services or functions (“**Service\\Service Name**”), for example **LsaRegisterLogonProcess()**, monitor this event for the corresponding “**Service\\Service Name**.” + + + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + +- For a specific “**Subject\\Security ID**,” if there is a defined list of allowed privileges, monitor for “**Privileges**” that it should not be able to use. + +- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.” + +- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.” + diff --git a/windows/keep-secure/event-4674.md b/windows/keep-secure/event-4674.md new file mode 100644 index 0000000000..41518d4e2b --- /dev/null +++ b/windows/keep-secure/event-4674.md @@ -0,0 +1,224 @@ +--- +title: 4674(S, F) An operation was attempted on a privileged object. (Windows 10) +description: Describes security event 4674(S, F) An operation was attempted on a privileged object. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4674(S, F): An operation was attempted on a privileged object. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategories:*** [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) and [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
+
+***Event Description:***
+
+This event generates when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened.
+
+This event generates, for example, when SeShutdownPrivilege, SeRemoteShutdownPrivilege, or SeSecurityPrivilege is used.
+
+Failure event generates when operation attempt fails.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Requested Operation**:
+
+- **Desired Access** \[Type = UnicodeString\]: The desired access mask. This mask depends on **Object Server** and **Object Type** parameters values. The value of this parameter is in decimal format. There is no detailed information about this parameter in this document. If **Desired Access** is not presented, then this parameter will have “**0**” value.
+
+- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables:
+
+| **Subcategory of event** | **Privilege Name: User Right Group Policy Name** | **Description** | +|-----------------------------------|----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Non Sensitive Privilege Use | **SeChangeNotifyPrivilege:
**Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | **SeCreateGlobalPrivilege:
**Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | **SeCreatePagefilePrivilege:
**Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | **SeCreatePermanentPrivilege:
**Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | **SeCreateSymbolicLinkPrivilege:
**Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | **SeIncreaseBasePriorityPrivilege:
**Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | **SeIncreaseQuotaPrivilege:
**Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | **SeIncreaseWorkingSetPrivilege:
**Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | **SeLockMemoryPrivilege:
**Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Non Sensitive Privilege Use | **SeMachineAccountPrivilege:
**Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. | +| Audit Non Sensitive Privilege Use | **SeManageVolumePrivilege:
**Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| Audit Non Sensitive Privilege Use | **SeProfileSingleProcessPrivilege:
**Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| Audit Non Sensitive Privilege Use | **SeRelabelPrivilege:
**Modify an object label | Required to modify the mandatory integrity level of an object. | +| Audit Non Sensitive Privilege Use | **SeRemoteShutdownPrivilege:
**Force shutdown from a remote system | Required to shut down a system using a network request. | +| Audit Non Sensitive Privilege Use | **SeShutdownPrivilege:
**Shut down the system | Required to shut down a local system. | +| Audit Non Sensitive Privilege Use | **SeSyncAgentPrivilege:
**Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| Audit Non Sensitive Privilege Use | **SeSystemProfilePrivilege:
**Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| Audit Non Sensitive Privilege Use | **SeSystemtimePrivilege:
**Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| Audit Non Sensitive Privilege Use | **SeTimeZonePrivilege:
**Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| Audit Non Sensitive Privilege Use | **SeTrustedCredManAccessPrivilege:
**Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| Audit Non Sensitive Privilege Use | **SeUndockPrivilege:
**Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | + +| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** | +|-------------------------------|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege:
**Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | **SeAuditPrivilege:
**Generate security audits | With this privilege, the user can add entries to the security log. | +| Audit Sensitive Privilege Use | **SeBackupPrivilege:
**Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| Audit Sensitive Privilege Use | **SeCreateTokenPrivilege:
**Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| Audit Sensitive Privilege Use | **SeDebugPrivilege:
**Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
This user right provides complete access to sensitive and critical operating system components. | +| Audit Sensitive Privilege Use | **SeImpersonatePrivilege:
**Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| Audit Sensitive Privilege Use | **SeLoadDriverPrivilege:
**Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| Audit Sensitive Privilege Use | **SeLockMemoryPrivilege:
**Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Sensitive Privilege Use | **SeRestorePrivilege:
**Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| Audit Sensitive Privilege Use | **SeSecurityPrivilege:
**Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. | +| Audit Sensitive Privilege Use | **SeSystemEnvironmentPrivilege:
**Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | **SeTakeOwnershipPrivilege:
**Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | + +## Security Monitoring Recommendations + +For 4674(S, F): An operation was attempted on a privileged object. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events. + + + +- If you need to monitor events related to specific Windows subsystems (“**Object Server**”), for example **LSA** or **Security Account Manager**, monitor this event for the corresponding “**Object Server**.” + +- If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.” + +- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + + + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” + + + +- If you know that specific “**Subject\\Security ID**” should only be able to use the privileges in a pre-defined list, monitor for events in which “**Subject\\Security ID**” used “**Privileges**” that are not on that list. + + + +- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.” + +- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.” + diff --git a/windows/keep-secure/event-4675.md b/windows/keep-secure/event-4675.md new file mode 100644 index 0000000000..dc8a19e120 --- /dev/null +++ b/windows/keep-secure/event-4675.md @@ -0,0 +1,61 @@ +--- +title: 4675(S) SIDs were filtered. (Windows 10) +description: Describes security event 4675(S) SIDs were filtered. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4675(S): SIDs were filtered. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +This event generates when SIDs were filtered for specific Active Directory trust. + +See more information about SID filtering here:
+
+***Subcategory:*** [Audit Process Creation](audit-process-creation.md)
+
+***Event Description:***
+
+This event generates every time a new process starts.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+- **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process.
+
+- **Token Elevation Type** \[Type = UnicodeString\]**: **
+
+ - **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account.
+
+ - **TokenElevationTypeFull (2):** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
+
+ - **TokenElevationTypeLimited (3):** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
+
+- **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](https://msdn.microsoft.com/en-us/library/windows/desktop/bb648648(v=vs.85).aspx) which was assigned to the new process. Can have one of the following values:
+
+| SID | RID | RID label | Meaning |
+|--------------|------------|----------------------------------------------|------------------------|
+| S-1-16-0 | 0x00000000 | SECURITY\_MANDATORY\_UNTRUSTED\_RID | Untrusted. |
+| S-1-16-4096 | 0x00001000 | SECURITY\_MANDATORY\_LOW\_RID | Low integrity. |
+| S-1-16-8192 | 0x00002000 | SECURITY\_MANDATORY\_MEDIUM\_RID | Medium integrity. |
+| S-1-16-8448 | 0x00002100 | SECURITY\_MANDATORY\_MEDIUM\_PLUS\_RID | Medium high integrity. |
+| S-1-16-12288 | 0X00003000 | SECURITY\_MANDATORY\_HIGH\_RID | High integrity. |
+| S-1-16-16384 | 0x00004000 | SECURITY\_MANDATORY\_SYSTEM\_RID | System integrity. |
+| S-1-16-20480 | 0x00005000 | SECURITY\_MANDATORY\_PROTECTED\_PROCESS\_RID | Protected process. |
+
+- **Creator Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the process which ran the new process. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+> You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Creator Process Name** \[Version 2\] \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+- **Process Command Line** \[Version 1, 2\] \[Type = UnicodeString\]**:** contains the name of executable and arguments which were passed to it. You must enable “Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events” group policy to include command line in process creation events:
+
+ 
+
+ By default **Process Command Line** field is empty.
+
+## Security Monitoring Recommendations
+
+For 4688(S): A new process has been created.
+
+| **Type of monitoring required** | **Recommendation** |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Creator Subject\\Security ID”** and **“Target Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** for names that don’t comply with naming conventions. | + +- If you have a pre-defined “**New** **Process Name**” or **“Creator Process Name**” for the process reported in this event, monitor all events with “**New** **Process Name**” or **“Creator Process Name**” not equal to your defined value. + +- You can monitor to see if “**New** **Process Name**” or **“Creator Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in process names (for example “**mimikatz**” or “**cain.exe**”), check for these substrings in “**New** **Process Name**” or **“Creator Process Name**.” + +- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**. + +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol**.** Typically this means that UAC is disabled for this account for some reason. + +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol**.** This means that a user ran a program using administrative privileges. + +- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. + +- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the “**Mandatory Label**” in this event. + diff --git a/windows/keep-secure/event-4689.md b/windows/keep-secure/event-4689.md new file mode 100644 index 0000000000..e5f97fe698 --- /dev/null +++ b/windows/keep-secure/event-4689.md @@ -0,0 +1,119 @@ +--- +title: 4689(S) A process has exited. (Windows 10) +description: Describes security event 4689(S) A process has exited. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4689(S): A process has exited. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Process Termination](audit-process-termination.md)
+
+***Event Description:***
+
+This event generates every time a process has exited.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md)(S): A new process has been created” **New Process ID** on this computer.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the executable name of the exited/terminated process.
+
+- **Exit Status** \[Type = HexInt32\]**:** hexadecimal exit code of exited/terminated process. This exit code is unique for every application, check application documentation for more details. The exit code value for a process reflects the specific convention implemented by the application developer for that process.
+
+## Security Monitoring Recommendations
+
+For 4689(S): A process has exited.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
+- If you have a critical processes list for the computer, with the requirement that these processes must always run and not stop, you can monitor **Process Name** field in [4689](event-4689.md) events for these process names.
+
diff --git a/windows/keep-secure/event-4690.md b/windows/keep-secure/event-4690.md
new file mode 100644
index 0000000000..d7ac11d773
--- /dev/null
+++ b/windows/keep-secure/event-4690.md
@@ -0,0 +1,118 @@
+---
+title: 4690(S) An attempt was made to duplicate a handle to an object. (Windows 10)
+description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4690(S): An attempt was made to duplicate a handle to an object.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Handle Manipulation](audit-handle-manipulation.md)
+
+***Event Description:***
+
+This event generates if an attempt was made to duplicate a handle to an object.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+**New Handle Information:**
+
+- **Target Handle ID** \[Type = Pointer\]: hexadecimal value of the new handle (the copy of **Source Handle ID**). This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) or [Audit SAM](audit-sam.md) subcategories.
+
+- **Target Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which opened the **Target Handle ID**. Process ID (PID) is a number used by the operating system to uniquely identify an active process. You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field.
+
+## Security Monitoring Recommendations
+
+For 4690(S): An attempt was made to duplicate a handle to an object.
+
+- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it.
+
+- This event can be used to track all actions or operations related to a specific object handle.
+
diff --git a/windows/keep-secure/event-4691.md b/windows/keep-secure/event-4691.md
new file mode 100644
index 0000000000..ba22553755
--- /dev/null
+++ b/windows/keep-secure/event-4691.md
@@ -0,0 +1,135 @@
+---
+title: 4691(S) Indirect access to an object was requested. (Windows 10)
+description: Describes security event 4691(S) Indirect access to an object was requested.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4691(S): Indirect access to an object was requested.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event indicates that indirect access to an object was requested.
+
+These events are generated for [ALPC Ports](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964738(v=vs.85).aspx) access request actions.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+**Access Request Information:**
+
+- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. “Table 13. File access codes.” contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use 
+
+***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md)
+
+***Event Description:***
+
+This event generates every time that a backup is attempted for the [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Master Key.
+
+When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password.
+
+Periodically, a domain-joined machine will try to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case his or her password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
+
+This event also generates every time a new DPAPI Master Key is generated, for example.
+
+This event generates on domain controllers, member servers, and workstations.
+
+Failure event generates when a Master Key backup operation fails for some reason.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md)
+
+***Event Description:***
+
+This event generates every time that recovery is attempted for a [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Master Key.
+
+While unprotecting data, if DPAPI cannot use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call. The domain controller then decrypts the Master Key with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the Master Key.
+
+This event generates on domain controllers, member servers, and workstations.
+
+Failure event generates when a Master Key restore operation fails for some reason.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Process Creation](audit-process-creation.md)
+
+***Event Description:***
+
+This event generates every time a process runs using the non-current access token, for example, UAC elevated token, RUN AS different user actions, scheduled task with defined user, services, and so on.
+
+***IMPORTANT*:** this event is deprecated starting from Windows 7 and Windows 2008 R2.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]: full path and the name of the executable for the process which ran the new process with new security token.
+
+**Target Process:**
+
+- **Target Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the new process with new security token. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+> You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Target Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process.
+
+**New Token Information:**
+
+- **Security ID** \[Type = SID\]**:** SID of account through which the security token will be assigned to the new process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
+
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+
+- **Account Name** \[Type = UnicodeString\]**:** the name of the account through which the security token will be assigned to the new process.
+
+- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
+
+ - Domain NETBIOS name example: CONTOSO
+
+ - Lowercase full domain name: contoso.local
+
+ - Uppercase full domain name: CONTOSO.LOCAL
+
+ - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
+
+ - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
+
+- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
+
+## Security Monitoring Recommendations
+
+For 4696(S): A primary token was assigned to process.
+
+| **Type of monitoring required** | **Recommendation** |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **“Subject\\Security ID”** or **“New Token Information\\Security ID”** for names that don’t comply with naming conventions. | + +- If you have a pre-defined “**Process Name**” or “**Target Process Name**” for the process reported in this event, monitor all events with “**Process Name**” or “**Target Process Name**” not equal to your defined value. + +- You can monitor to see if “**Process Name**” or “**Target Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). + +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**” or “**Target Process Name**”. + +- It can be uncommon if process runs using local account. + diff --git a/windows/keep-secure/event-4697.md b/windows/keep-secure/event-4697.md new file mode 100644 index 0000000000..0213aa9f0a --- /dev/null +++ b/windows/keep-secure/event-4697.md @@ -0,0 +1,156 @@ +--- +title: 4697(S) A service was installed in the system. (Windows 10) +description: Describes security event 4697(S) A service was installed in the system. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4697(S): A service was installed in the system. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md)
+
+***Event Description:***
+
+This event generates when new service was installed in the system.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Service File Name** \[Type = UnicodeString\]: This is the fully rooted path to the file that the Service Control Manager will execute to start the service. If command-line parameters are specified as part of the image path, those are logged.
+
+ Note that this is the path to the file when the service is created. If the path is changed afterwards, the change is not logged. This would have to be tracked via Process Create events.
+
+- **Service Type** \[Type = HexInt32\]: Indicates the [type](https://msdn.microsoft.com/en-us/library/tfdtdw0e(v=vs.110).aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1) of service that was registered with the Service Control Manager. It can be one of the following:
+
+| Value | Service Type | Description |
+|-------|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0x1 | Kernel Driver | A Kernel device driver such as a hard disk or other low-level hardware device driver. |
+| 0x2 | File System Driver | A file system driver, which is also a Kernel device driver. |
+| 0x8 | Recognizer Driver | A file system driver used during startup to determine the file systems present on the system. |
+| 0x10 | Win32 Own Process | A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself (this is the most common). |
+| 0x20 | Win32 Share Process | A Win32 service that can share a process with other Win32 services.(see:
(see:
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates every time a new scheduled task is created.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) content of the new task. For more information about the XML format for scheduled tasks, see “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx).”
+
+## Security Monitoring Recommendations
+
+For 4698(S): A scheduled task was created.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- We recommend monitoring all scheduled task creation events, especially on critical computers or devices. Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions.
+
+- Monitor for new tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node.
+
+- In the new task, if the **Task Content:** XML contains **<LogonType>Password</LogonType>** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges.
+
diff --git a/windows/keep-secure/event-4699.md b/windows/keep-secure/event-4699.md
new file mode 100644
index 0000000000..a1c58890d6
--- /dev/null
+++ b/windows/keep-secure/event-4699.md
@@ -0,0 +1,110 @@
+---
+title: 4699(S) A scheduled task was deleted. (Windows 10)
+description: Describes security event 4699(S) A scheduled task was deleted.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4699(S): A scheduled task was deleted.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates every time a scheduled task was deleted.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) of the deleted task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks.
+
+## Security Monitoring Recommendations
+
+For 4699(S): A scheduled task was deleted.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- We recommend monitoring all scheduled task deletion events, especially on critical computers or devices. Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions. However, this event does not often happen.
+
+- Monitor for deleted tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node. Deletion of such tasks can be a sign of malicious activity.
+
+- If a highly critical scheduled task exists on some computers, and it should never be deleted, monitor for [4699](event-4699.md) events with the corresponding **Task Name**.
+
diff --git a/windows/keep-secure/event-4700.md b/windows/keep-secure/event-4700.md
new file mode 100644
index 0000000000..fa5a54c164
--- /dev/null
+++ b/windows/keep-secure/event-4700.md
@@ -0,0 +1,106 @@
+---
+title: 4700(S) A scheduled task was enabled. (Windows 10)
+description: Describes security event 4700(S) A scheduled task was enabled.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4700(S): A scheduled task was enabled.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates every time a scheduled task is enabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) of the enabled task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks.
+
+## Security Monitoring Recommendations
+
+For 4700(S): A scheduled task was enabled.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If a highly critical scheduled task exists on some computers, and for some reason it should never be enabled, monitor for [4700](event-4700.md) events with the corresponding **Task Name**.
+
diff --git a/windows/keep-secure/event-4701.md b/windows/keep-secure/event-4701.md
new file mode 100644
index 0000000000..5c1cafe14f
--- /dev/null
+++ b/windows/keep-secure/event-4701.md
@@ -0,0 +1,106 @@
+---
+title: 4701(S) A scheduled task was disabled. (Windows 10)
+description: Describes security event 4701(S) A scheduled task was disabled.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4701(S): A scheduled task was disabled.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates every time a scheduled task is disabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) of the disabled task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks.
+
+## Security Monitoring Recommendations
+
+For 4701(S): A scheduled task was disabled.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If a highly critical scheduled task exists on some computers, and it should never be disabled, monitor for [4701](event-4701.md) events with the corresponding **Task Name**.
+
diff --git a/windows/keep-secure/event-4702.md b/windows/keep-secure/event-4702.md
new file mode 100644
index 0000000000..3d0071fd39
--- /dev/null
+++ b/windows/keep-secure/event-4702.md
@@ -0,0 +1,108 @@
+---
+title: 4702(S) A scheduled task was updated. (Windows 10)
+description: Describes security event 4702(S) A scheduled task was updated.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4702(S): A scheduled task was updated.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates every time scheduled task was updated/changed.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Task New Content** \[Type = UnicodeString\]: the new [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) for the updated task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks.
+
+## Security Monitoring Recommendations
+
+For 4702(S): A scheduled task was updated.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Monitor for updated scheduled tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node.
+
+- In the updated scheduled task, if the **Task Content:** XML contains **<LogonType>Password</LogonType>** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges.
+
diff --git a/windows/keep-secure/event-4703.md b/windows/keep-secure/event-4703.md
new file mode 100644
index 0000000000..4b6ac99faa
--- /dev/null
+++ b/windows/keep-secure/event-4703.md
@@ -0,0 +1,194 @@
+---
+title: 4703(S) A user right was adjusted. (Windows 10)
+description: Describes security event 4703(S) A user right was adjusted.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4703(S): A user right was adjusted.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md)
+
+***Event Description:***
+
+This event generates when [token privileges](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific account’s token.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
+Token privileges provide the ability to take certain system-level actions that you only need to do at particular moments. For example, anybody can restart a computer, but the operating system doesn’t enable that privilege by default. Instead, the privilege is enabled when you click **Shutdown**. You can check the current state of the user’s token privileges using the **whoami /priv** command:
+
+
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+
+
+- **Enabled Privileges** \[Type = UnicodeString\]**:** the list of enabled user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:
+
+| Privilege Name | User Right Group Policy Name | Description |
+|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +**Disabled Privileges** \[Type = UnicodeString\]**:** the list of disabled user rights. See possible values in the table above. + +## Security Monitoring Recommendations + +For 4703(S): A user right was adjusted. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. | +| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the **“Enabled Privileges”** to your list of user rights. Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.
For example, you might have **SeDebugPrivilege** on a list of user rights to be restricted. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4704.md b/windows/keep-secure/event-4704.md new file mode 100644 index 0000000000..ee98fd4712 --- /dev/null +++ b/windows/keep-secure/event-4704.md @@ -0,0 +1,156 @@ +--- +title: 4704(S) A user right was assigned. (Windows 10) +description: Describes security event 4704(S) A user right was assigned. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4704(S): A user right was assigned. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md)
+
+***Event Description:***
+
+This event generates every time local user right policy is changed and user right was assigned to an account.
+
+You will see unique event for every user.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + + +## Security Monitoring Recommendations + +For 4704(S): A user right was assigned. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account. | +| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the “**New Right\\User Right**” to your list of user rights, to see whether the right should be assigned to **“Target Account\\Account Name**.” Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.
For example, your list of restricted rights might say that only administrative accounts should have **SeAuditPrivilege**. As another example, your list might say that no accounts should have **SeTcbPrivilege** or **SeDebugPrivilege**. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4705.md b/windows/keep-secure/event-4705.md new file mode 100644 index 0000000000..7a5f1008fc --- /dev/null +++ b/windows/keep-secure/event-4705.md @@ -0,0 +1,155 @@ +--- +title: 4705(S) A user right was removed. (Windows 10) +description: Describes security event 4705(S) A user right was removed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4705(S): A user right was removed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md)
+
+***Event Description:***
+
+This event generates every time local user right policy is changed and user right was removed from an account.
+
+You will see unique event for every user.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +## Security Monitoring Recommendations + +For 4705(S): A user right was removed. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist.
If you have specific user rights policies, for example, a whitelist of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.
For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.
As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case. | +| **User rights that should be restricted**: You might have a list of user rights that you want to monitor. | Monitor this event and compare the **“Removed Right”** to your list of restricted rights.
Monitor this event to discover the removal of a right that should never have been granted (for example, SeTcbPrivilege), so that you can investigate further. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4706.md b/windows/keep-secure/event-4706.md new file mode 100644 index 0000000000..c6eba5f6a8 --- /dev/null +++ b/windows/keep-secure/event-4706.md @@ -0,0 +1,149 @@ +--- +title: 4706(S) A new trust was created to a domain. (Windows 10) +description: Describes security event 4706(S) A new trust was created to a domain. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4706(S): A new trust was created to a domain. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when a new trust was created to a domain.
+
+This event is generated only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016 Technical Preview
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | + +- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: + + - Enabled + + - Disabled + +## Security Monitoring Recommendations + +For 4706(S): A new trust was created to a domain. + +- Any changes related to Active Directory domain trusts (especially creation of the new trust) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4707.md b/windows/keep-secure/event-4707.md new file mode 100644 index 0000000000..9a77188b80 --- /dev/null +++ b/windows/keep-secure/event-4707.md @@ -0,0 +1,104 @@ +--- +title: 4707(S) A trust to a domain was removed. (Windows 10) +description: Describes security event 4707(S) A trust to a domain was removed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4707(S): A trust to a domain was removed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when a domain trust was removed.
+
+This event is generated only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when [Kerberos policy](https://technet.microsoft.com/en-us/library/cc782061(v=ws.10).aspx) was changed.
+
+This event is generated only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
To convert the **KerProxy** to minutes you need to:
Convert the value to decimal value.
Divide value by 600000000. | +| KerMaxR | 1. Maximum lifetime for user ticket renewal.
To convert the **KerProxy** to days you need to:
Convert the value to decimal value.
Divide value by 864000000000. | +| KerMaxT | 1. Maximum lifetime for user ticket.
To convert the **KerMaxT** to hours you need to:
Convert the value to decimal value.
Divide value by 36000000000. | +| KerMinT | 1. Maximum lifetime for service ticket.
To convert the **KerMinT** to minutes you need to:
Convert the value to decimal value.
Divide value by 600000000. | +| KerOpts | - Enforce user logon restrictions:
0x80 – Enabled
0x0 - Disabled | + +This event shows changes in “Kerberos policy”. Here is location of Kerberos policies in Group Policy management console: + +
+
+## Security Monitoring Recommendations
+
+For 4713(S): Kerberos policy was changed.
+
+- Any changes in Kerberos policy reported by current event must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change.
+
diff --git a/windows/keep-secure/event-4714.md b/windows/keep-secure/event-4714.md
new file mode 100644
index 0000000000..0531957676
--- /dev/null
+++ b/windows/keep-secure/event-4714.md
@@ -0,0 +1,73 @@
+---
+title: 4714(S) Encrypted data recovery policy was changed. (Windows 10)
+description: Describes security event 4714(S) Encrypted data recovery policy was changed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4714(S): Encrypted data recovery policy was changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
+***Event Description:***
+
+This event generates when a Data Recovery Agent group policy for Encrypting File System ([EFS](https://technet.microsoft.com/en-us/library/cc700811.aspx)) has changed.
+
+This event generates when a Data Recovery Agent certificate or [Data Recovery Agent policy](https://technet.microsoft.com/en-us/library/cc778208(v=ws.10).aspx) was changed for the computer or device.
+
+In the background, this event generates when the [\\HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\EfsBlob](https://msdn.microsoft.com/en-us/library/cc232284.aspx) registry value is changed during a Group Policy update.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates every time local audit policy security descriptor changes.
+
+This event is always logged regardless of the "Audit Policy Change" sub-category setting.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when the trust was modified.
+
+This event is generated only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](http://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](http://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016 Technical Preview
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | + +- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: + + - Enabled + + - Disabled + + If this attribute was not changed, then it will have “**-**“ value or its old value. + +## Security Monitoring Recommendations + +For 4716(S): Trusted domain information was modified. + +- Any changes in Active Directory domain trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4717.md b/windows/keep-secure/event-4717.md new file mode 100644 index 0000000000..dbe74fada2 --- /dev/null +++ b/windows/keep-secure/event-4717.md @@ -0,0 +1,130 @@ +--- +title: 4717(S) System security access was granted to an account. (Windows 10) +description: Describes security event 4717(S) System security access was granted to an account. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4717(S): System security access was granted to an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates every time local [logon user right policy](https://technet.microsoft.com/en-us/library/cc728212(v=ws.10).aspx) is changed and logon right was granted to an account.
+
+You will see unique event for every user if logon user rights were granted to multiple accounts.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist.
If you have specific user logon rights policies, for example, a whitelist of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), monitor this event for those accounts and rights. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. | +| **Logon rights that should be restricted**: You might have a list of user logon rights that you want to monitor (for example, **SeServiceLogonRight**). | Monitor this event and compare the **“Access Right”** to your list of restricted rights. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4718.md b/windows/keep-secure/event-4718.md new file mode 100644 index 0000000000..44f5fc4624 --- /dev/null +++ b/windows/keep-secure/event-4718.md @@ -0,0 +1,130 @@ +--- +title: 4718(S) System security access was removed from an account. (Windows 10) +description: Describes security event 4718(S) System security access was removed from an account. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4718(S): System security access was removed from an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates every time local [logon user right policy](https://technet.microsoft.com/en-us/library/cc728212(v=ws.10).aspx) is changed and logon right was removed from an account.
+
+You will see unique event for every user if logon user rights were removed for multiple accounts.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist.
If you have specific user logon rights policies, for example, a whitelist of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if critical remote network service accounts have user logon rights which should never be removed (for example, **SeNetworkLogonRight**), monitor this event for the **“Account Modified\\Account Name”** and the appropriate rights.
As another example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), you might monitor this event, because a right can be removed only after it was previously granted. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case. | +| **Logon rights that should be restricted**: You might have a list of user logon rights that you want to monitor (for example, **SeServiceLogonRight**).
**“Deny” rights that should not be removed**: Your organization might use “Deny” rights that should not be removed, for example, SeDenyRemoteInteractiveLogonRight. | - Monitor this event and compare the **“Access Right”** to your list of restricted rights.
Monitor this event to discover the removal of a right that should never have been granted, so that you can investigate further.
You can also monitor this event to discover the removal of “Deny” rights. When these rights are removed, it could be an approved action, done by mistake, or part of malicious activity. These rights include:
SeDenyNetworkLogonRight:
SeDenyBatchLogonRight
SeDenyServiceLogonRight
SeDenyInteractiveLogonRight
SeDenyRemoteInteractiveLogonRight | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4719.md b/windows/keep-secure/event-4719.md new file mode 100644 index 0000000000..7a274992c8 --- /dev/null +++ b/windows/keep-secure/event-4719.md @@ -0,0 +1,163 @@ +--- +title: 4719(S) System audit policy was changed. (Windows 10) +description: Describes security event 4719(S) System audit policy was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4719(S): System audit policy was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates when the computer's audit policy changes.
+
+This event is always logged regardless of the "Audit Policy Change" sub-category setting.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+- **Changes:** changes which were made for **“Subcategory”**. Possible values:
+
+ - Success removed
+
+ - Failure removed
+
+ - Success added
+
+ - Failure added
+
+ It can be also a combination of any of the items above, separated by coma.
+
+## Security Monitoring Recommendations
+
+For 4719(S): System audit policy was changed.
+
+- Monitor for all events of this type, especially on high value assets or computers, because any change in local audit policy should be planned. If this action was not planned, investigate the reason for the change.
+
diff --git a/windows/keep-secure/event-4720.md b/windows/keep-secure/event-4720.md
new file mode 100644
index 0000000000..157b9b01a3
--- /dev/null
+++ b/windows/keep-secure/event-4720.md
@@ -0,0 +1,288 @@
+---
+title: 4720(S) A user account was created. (Windows 10)
+description: Describes security event 4720(S) A user account was created.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4720(S): A user account was created.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time a new user object is created.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Account Enabled | +| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4720 events. | +| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
'Home Directory Required' - Disabled | +| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4720 events. | +| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
'Password Not Required' - Disabled | +| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4720 events. | +| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
'Encrypted Text Password Allowed' - Enabled | +| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. | +| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
'Normal Account' - Enabled | +| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. | +| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
'Workstation Trust Account' - Enabled | +| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
'Server Trust Account' - Disabled | +| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
'Don't Expire Password' - Enabled | +| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
'MNS Logon Account' - Enabled | +| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
'Smartcard Required' - Enabled | +| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
'Trusted For Delegation' - Disabled | +| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
'Not Delegated' - Enabled | +| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
'Use DES Key Only' - Enabled | +| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
'Don't Require Preauth' - Enabled | +| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4720 events. | +| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
'Trusted To Authenticate For Delegation' - Enabled | +| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | + +For new, manually created, domain or local user accounts typical flags are: + +- Account Disabled + +- 'Password Not Required' - Enabled + +- 'Normal Account' – Enabled + + After new user creation event you will typically see couple of “[4738](event-4738.md): A user account was changed.” events with new flags: + +- 'Password Not Required' – Disabled + +- Account Enabled + + + +- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. + +- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new user object. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. The value of **logonHours** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will typically see “**<value not set>**” value for new manually created user accounts in event 4720. For new local accounts this field is not applicable and typically has value “**All**”. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”. + +## Security Monitoring Recommendations + +For 4720(S): A user account was created. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- Some organizations monitor every [4720](event-4720.md) event. + +- Consider whether to track the following fields and values: + +| **Field and value to track** | **Reason to track** | +|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **SAM Account Name** is empty or - | This field must contain the user account name. If it is empty or **-**, it might indicate an anomaly. | +| **User Principal Name** is empty or - | Typically this field should not be empty for new user accounts. If it is empty or **-**, it might indicate an anomaly. | +| **Home Directory** is not -
**Home Drive** is not -
**Script Path** is not -
**Profile Path** is not -
**User Workstations** is not - | Typically these fields are **-** for new user accounts. Other values might indicate an anomaly and should be monitored.
For local accounts these fields should display **<value not set>**. | +| **Password Last Set** is **<never>** | This typically means this is a manually created user account, which you might need to monitor. | +| **Password Last Set** is a time in the future | This might indicate an anomaly. | +| **Account Expires** is not **<never>** | Typically this field is **<never>** for new user accounts. Other values might indicate an anomaly and should be monitored. | +| **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. | +| **Allowed To Delegate To** is not - | Typically this field is **-** for new user accounts. Other values might indicate an anomaly and should be monitored. | +| **Old UAC Value** is not 0x0 | Typically this field is **0x0** for new user accounts. Other values might indicate an anomaly and should be monitored. | +| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | +| **Logon Hours** value other than **<value not set>** or** “All”** | This should always be **<value not set>** for new domain user accounts, and **“All”** for new local user accounts. | + +- Consider whether to track the following user account control flags: + +| **User account control flag to track** | **Information about the flag** | +|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **'Normal Account'** – Disabled | Should not be disabled for user accounts. | +| **'Encrypted Text Password Allowed'** – Enabled
**'Smartcard Required'** – Enabled
**'Not Delegated'** – Enabled
**'Use DES Key Only'** – Enabled
**'Don't Require Preauth'** – Enabled
**'Trusted To Authenticate For Delegation'** – Enabled | By default, these flags should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. | +| **'Server Trust Account'** – Enabled | Should never be enabled for user accounts. Applies only to domain controller (computer) accounts. | +| **'Don't Expire Password'** – Enabled | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. | +| **'Trusted For Delegation'** – Enabled | By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. It is enabled by default only for new domain controllers. | + diff --git a/windows/keep-secure/event-4722.md b/windows/keep-secure/event-4722.md new file mode 100644 index 0000000000..6c96fd0b4a --- /dev/null +++ b/windows/keep-secure/event-4722.md @@ -0,0 +1,123 @@ +--- +title: 4722(S) A user account was enabled. (Windows 10) +description: Describes security event 4722(S) A user account was enabled. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4722(S): A user account was enabled. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time user or computer object is enabled.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+For computer accounts, this event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time a user attempts to change his or her password.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+For domain accounts, a Failure event generates if new password fails to meet the password policy.
+
+For local accounts, a Failure event generates if new password fails to meet the password policy or old password is wrong.
+
+For domain accounts if old password was wrong, then “[4771](event-4771.md): Kerberos pre-authentication failed” or “[4776](event-4776.md): The computer attempted to validate the credentials for an account” will be generated on domain controller if specific subcategories were enabled on it.
+
+Typically you will see 4723 events with the same **Subject\\Security ID** and **Target Account\\Security ID** fields, which is normal behavior.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time an account attempted to reset the password for another account.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+For domain accounts, a Failure event generates if the new password fails to meet the password policy.
+
+A Failure event does NOT generate if user gets “Access Denied” while doing the password reset procedure.
+
+This event also generates if a computer account reset procedure was performed.
+
+For local accounts, a Failure event generates if the new password fails to meet the local password policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time user or computer object is disabled.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+For computer accounts, this event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time user object was deleted.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates every time a new security-enabled (security) local group was created.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates every time a new member was added to a security-enabled (security) local group.
+
+This event generates on domain controllers, member servers, and workstations.
+
+For every added member you will get separate 4732 event.
+
+You will typically see “[4735](event-4735.md): A security-enabled local group was changed.” event without any changes in it prior to 4732 event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Typically, this event is used as an informational event, to be reviewed if needed. | +| **High-value local or domain security groups:** You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes).
Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on. | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value local or domain security groups. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | +| **Mismatch between type of account (user or computer) and the group it was added to**: You might want to monitor to ensure that a computer account was not added to a group intended for users, or a user account was not added to a group intended for computers. | Monitor the type of account added to the group to see if it matches what the group is intended for. | + diff --git a/windows/keep-secure/event-4733.md b/windows/keep-secure/event-4733.md new file mode 100644 index 0000000000..b2de4567ac --- /dev/null +++ b/windows/keep-secure/event-4733.md @@ -0,0 +1,164 @@ +--- +title: 4733(S) A member was removed from a security-enabled local group. (Windows 10) +description: Describes security event 4733(S) A member was removed from a security-enabled local group. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4733(S): A member was removed from a security-enabled local group. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates every time member was removed from security-enabled (security) local group.
+
+This event generates on domain controllers, member servers, and workstations.
+
+For every removed member you will get separate 4733 event.
+
+You will typically see “[4735](event-4735.md): A security-enabled local group was changed.” event without any changes in it prior to 4733 event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Typically, this event is used as an informational event, to be reviewed if needed. | +| **High-value local or domain security groups:** You might have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes).
Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on. | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value local or domain security groups. | +| **Local or domain security groups with required members**: You might need to ensure that for certain local or domain security groups, particular members are never removed. | Monitor this event with the “**Group\\Group Name”** that corresponds to the group of interest, and the **“Member\\Security ID”** of the members who should not be removed. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4734.md b/windows/keep-secure/event-4734.md new file mode 100644 index 0000000000..023be2969c --- /dev/null +++ b/windows/keep-secure/event-4734.md @@ -0,0 +1,126 @@ +--- +title: 4734(S) A security-enabled local group was deleted. (Windows 10) +description: Describes security event 4734(S) A security-enabled local group was deleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4734(S): A security-enabled local group was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates every time security-enabled (security) local group is deleted.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates every time a security-enabled (security) local group is changed.
+
+This event generates on domain controllers, member servers, and workstations.
+
+Some changes do not invoke a 4735 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in group account properties.
+
+If you change the name of the group (SAM Account Name), you also get “[4781](event-4781.md): The name of an account was changed” if “[Audit User Account Management](audit-user-account-management.md)” subcategory success auditing is enabled.
+
+If you change the group type, you get a change event from the new group type auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “[4764](event-4764.md): A group’s type was changed.” These events are generated for any group type when group type is changed. “[Audit Security Group Management](audit-security-group-management.md)” subcategory success auditing must be enabled.
+
+From 4735 event you can get information about changes of **sAMAccountName** and **sIDHistory** attributes or you will see that something changed, but will not be able to see what exactly changed.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time user object is changed.
+
+This event generates on domain controllers, member servers, and workstations.
+
+For each change, a separate 4738 event will be generated.
+
+You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“.
+
+Some changes do not invoke a 4738 event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
**User Principal Name**
**Home Directory**
**Home Drive**
**Script Path**
**Profile Path**
**User Workstations**
**Password Last Set**
**Account Expires**
**Primary Group ID
Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts. | +| **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. | +| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. | +| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | + +- Consider whether to track the following user account control flags: + +| **User account control flag to track** | **Information about the flag** | +|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **'Normal Account'** – Disabled | Should not be disabled for user accounts. | +| **'Password Not Required'** – Enabled | Should not typically be enabled for user accounts because it weakens security for the account. | +| **'Encrypted Text Password Allowed'** – Enabled | Should not typically be enabled for user accounts because it weakens security for the account. | +| **'Server Trust Account'** – Enabled | Should never be enabled for user accounts. Applies only to domain controller (computer) accounts. | +| **'Don't Expire Password'** – Enabled | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. | +| **'Smartcard Required'** – Enabled | Should be monitored for critical accounts. | +| **'Password Not Required'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Encrypted Text Password Allowed'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Don't Expire Password'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Smartcard Required'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Trusted For Delegation'** – Enabled | Means that Kerberos Constraint or Unconstraint delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Trusted For Delegation'** – Disabled | Means that Kerberos Constraint or Unconstraint delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts. | +| **'Trusted To Authenticate For Delegation'** – Enabled | Means that Protocol Transition delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Trusted To Authenticate For Delegation'** – Disabled | Means that Protocol Transition delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts. | +| **'Not Delegated'** – Enabled | Means that **Account is sensitive and cannot be delegated** was checked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Not Delegated'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” Means that **Account is sensitive and cannot be delegated** was unchecked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Use DES Key Only'** – Enabled | Should not typically be enabled for user accounts because it weakens security for the account’s Kerberos authentication. | +| **'Don't Require Preauth'** – Enabled | Should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication. | +| **'Use DES Key Only'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | +| **'Don't Require Preauth'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” | + diff --git a/windows/keep-secure/event-4739.md b/windows/keep-secure/event-4739.md new file mode 100644 index 0000000000..b5873a99e3 --- /dev/null +++ b/windows/keep-secure/event-4739.md @@ -0,0 +1,226 @@ +--- +title: 4739(S) Domain Policy was changed. (Windows 10) +description: Describes security event 4739(S) Domain Policy was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4739(S): Domain Policy was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when one of the following changes was made to local computer security policy:
+
+- Computer’s “\\Security Settings\\Account Policies\\Account Lockout Policy” settings were modified.
+
+- Computer's “\\Security Settings\\Account Policies\\Password Policy” settings were modified.
+
+- "Network security: Force logoff when logon hours expire" group policy setting was changed.
+
+- Domain functional level was changed or some other attributes changed (see details in event description).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Disabled. | +| 1 | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Disabled.
\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Enabled. | +| 16 | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Enabled.
\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Disabled. | +| 17 | \\Security Settings\\Account Policies\\Password Policy\\Store passwords using reversible encryption - Enabled.
\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements – Enabled. | + +- **Min. Password Length** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Minimum password length” group policy. Numeric value. + +- **Password History Length** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Enforce password history” group policy. Numeric value. + +- **Machine Account Quota** \[Type = UnicodeString\]: [ms-DS-MachineAccountQuota](https://technet.microsoft.com/en-us/library/dd391926(v=ws.10).aspx) domain attribute was modified. Numeric value. + +- **Mixed Domain Mode** \[Type = UnicodeString\]: there is no information about this field in this document. + +- **Domain Behavior Version** \[Type = UnicodeString\]: [msDS-Behavior-Version](https://msdn.microsoft.com/en-us/library/cc223742.aspx) domain attribute was modified. Numeric value. Possible values: + +| Value | Identifier | Domain controller operating systems that are allowed in the domain | +|-------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | DS\_BEHAVIOR\_WIN2000 | Windows 2000 Server operating system
Windows Server 2003 operating system
Windows Server 2008 operating system
Windows Server 2008 R2 operating system
Windows Server 2012 operating system
Windows Server 2012 R2 operating system
Windows Server 2016 Technical Preview operating system | +| 1 | DS\_BEHAVIOR\_WIN2003\_WITH\_MIXED\_DOMAINS | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 2 | DS\_BEHAVIOR\_WIN2003 | Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 3 | DS\_BEHAVIOR\_WIN2008 | Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 4 | DS\_BEHAVIOR\_WIN2008R2 | Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 5 | DS\_BEHAVIOR\_WIN2012 | Windows Server 2012
Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 6 | DS\_BEHAVIOR\_WIN2012R2 | Windows Server 2012 R2
Windows Server 2016 Technical Preview | +| 7 | DS\_BEHAVIOR\_WINTHRESHOLD | Windows Server 2016 Technical Preview | + +- **OEM Information** \[Type = UnicodeString\]: there is no information about this field in this document. + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +## Security Monitoring Recommendations + +For 4739(S): Domain Policy was changed. + +- Any settings changes to “**Account Lockout Policy**”, “**Password Policy**”, or “**Network security: Force logoff when logon hours expire**”, plus any **domain functional level and attributes** changes that are reported by this event, must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4740.md b/windows/keep-secure/event-4740.md new file mode 100644 index 0000000000..7ab01449c8 --- /dev/null +++ b/windows/keep-secure/event-4740.md @@ -0,0 +1,121 @@ +--- +title: 4740(S) A user account was locked out. (Windows 10) +description: Describes security event 4740(S) A user account was locked out. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4740(S): A user account was locked out. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time a user account is locked out.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Computer Account Management](audit-computer-account-management.md)
+
+***Event Description:***
+
+This event generates every time a new computer object is created.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Account Enabled | +| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4741 events. | +| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled
'Home Directory Required' - Disabled | +| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4741 events. | +| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled
'Password Not Required' - Disabled | +| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4741 events. | +| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password.
Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled
'Encrypted Text Password Allowed' - Enabled | +| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. | +| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled
'Normal Account' - Enabled | +| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. | +| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled
'Workstation Trust Account' - Enabled | +| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled
'Server Trust Account' - Disabled | +| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account.
Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled
'Don't Expire Password' - Enabled | +| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled
'MNS Logon Account' - Enabled | +| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled
'Smartcard Required' - Enabled | +| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled
'Trusted For Delegation' - Disabled | +| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled
'Not Delegated' - Enabled | +| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled
'Use DES Key Only' - Enabled | +| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
'Don't Require Preauth' - Enabled | +| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4741 events. | +| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
'Trusted To Authenticate For Delegation' - Enabled | +| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | + +> Table 7. User’s or Computer’s account UAC flags. + +- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. + +- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new computer object. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. The value of **logonHours** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will see **<value not set>** value for new created computer accounts in event 4741. + +- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“. + +- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation**:** + + HOST/Win81.contoso.local + + RestrictedKrbHost/Win81.contoso.local + + HOST/WIN81 + + RestrictedKrbHost/WIN81 + +**Additional Information:** + +- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: + +| Privilege Name | User Right Group Policy Name | Description | +|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE | +| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | +| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Delegation** setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
With this privilege, the user can change the maximum memory that can be consumed by a process. | +| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
This privilege is valid only on domain controllers. | +| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | +| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | +| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
WRITE\_DAC
WRITE\_OWNER
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_WRITE
FILE\_ADD\_FILE
FILE\_ADD\_SUBDIRECTORY
DELETE
With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
A user with this privilege can also view and clear the security log. | +| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | +| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | + +> Table 8. User Privileges. + +## Security Monitoring Recommendations + +For 4741(S): A computer account was created. + +> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). + +- If your information security monitoring policy requires you to monitor computer account creation, monitor this event. + +- Consider whether to track the following fields and values: + +| **Field and value to track** | **Reason to track** | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **SAM Account Name**: empty or - | This field must contain the computer account name. If it is empty or **-**, it might indicate an anomaly. | +| **Display Name** is not -
**User Principal Name** is not -
**Home Directory** is not -
**Home Drive** is not -
**Script Path** is not -
**Profile Path** is not -
**User Workstations** is not -
**AllowedToDelegateTo** is not - | Typically these fields are **-** for new computer accounts. Other values might indicate an anomaly and should be monitored. | +| **Password Last Set** is **<never>** | This typically means this is a manually created computer account, which you might need to monitor. | +| **Account Expires** is not **<never>** | Typically this field is **<never>** for new computer accounts. Other values might indicate an anomaly and should be monitored. | +| **Primary Group ID** is any value other than 515. | Typically, the **Primary Group ID** value is one of the following:
**516** for domain controllers
**521** for read only domain controllers (RODCs)
**515** for servers and workstations (domain computers)
If the **Primary Group ID** is 516 or 521, it is a new domain controller or RODC, and the event should be monitored.
If the value is not 516, 521, or 515, it is not a typical value and should be monitored. | +| **Old UAC Value** is not 0x0 | Typically this field is **0x0** for new computer accounts. Other values might indicate an anomaly and should be monitored. | +| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | +| **Logon Hours** value other than **<value not set>** | This should always be **<value not set>** for new computer accounts. | + +- Consider whether to track the following account control flags: + +| **User account control flag to track** | **Information about the flag** | +|--------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **'Encrypted Text Password Allowed'** – Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Server Trust Account'** – Enabled | Should be enabled **only** for domain controllers. | +| **'Don't Expire Password'** – Enabled | Should not be enabled for new computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers. | +| **'Smartcard Required'** – Enabled | Should not be enabled for new computer accounts. | +| **'Trusted For Delegation'** – Enabled | Should not be enabled for new member servers and workstations. It is enabled by default for new domain controllers. | +| **'Not Delegated'** – Enabled | Should not be enabled for new computer accounts. | +| **'Use DES Key Only'** – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Don't Require Preauth'** – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Trusted To Authenticate For Delegation'** – Enabled | Should not be enabled for new computer accounts by default. | + diff --git a/windows/keep-secure/event-4742.md b/windows/keep-secure/event-4742.md new file mode 100644 index 0000000000..b09dba8333 --- /dev/null +++ b/windows/keep-secure/event-4742.md @@ -0,0 +1,295 @@ +--- +title: 4742(S) A computer account was changed. (Windows 10) +description: Describes security event 4742(S) A computer account was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4742(S): A computer account was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Computer Account Management](audit-computer-account-management.md)
+
+***Event Description:***
+
+This event generates every time a computer object is changed.
+
+This event generates only on domain controllers.
+
+You might see the same values for **Subject**\\**Security ID** and **Computer Account That Was Changed**\\**Security ID** in this event. This usually happens when you reboot a computer after adding it to the domain (the change takes effect after the reboot).
+
+For each change, a separate 4742 event will be generated.
+
+Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in computer account properties.
+
+You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“.
+
+***Important*:** If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](audit-user-account-management.md) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
**User Principal Name** is not -
**Home Directory** is not -
**Home Drive** is not -
**Script Path** is not -
**Profile Path** is not -
**User Workstations** is not -
**Account Expires** is not -
**Logon Hours** is not **-** | Typically these fields are **-** for computer accounts. Other values might indicate an anomaly and should be monitored. | +| **Password Last Set** changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack. | +| **Primary Group ID** is not 516, 521, or 515 | Typically, the **Primary Group ID** value is one of the following:
**516** for domain controllers
**521** for read only domain controllers (RODCs)
**515** for servers and workstations (domain computers)
Other values should be monitored. | +| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. | +| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | + +- Consider whether to track the following account control flags: + +| **User account control flag to track** | **Information about the flag** | +|---------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **'Password Not Required'** – Enabled | Should not be set for computer accounts. Computer accounts typically require a password by default, except manually created computer objects. | +| **'Encrypted Text Password Allowed'** – Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Server Trust Account'** – Enabled | Should be enabled **only** for domain controllers. | +| **'Server Trust Account'** – Disabled | Should **not** be disabled for domain controllers. | +| **'Don't Expire Password'** – Enabled | Should not be enabled for computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers. | +| **'Smartcard Required'** – Enabled | Should not be enabled for computer accounts. | +| **'Trusted For Delegation'** – Enabled | Means that Kerberos Constraint or Unconstraint delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Trusted For Delegation'** – Disabled | Means that Kerberos Constraint or Unconstraint delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts. | +| **'Trusted To Authenticate For Delegation'** – Enabled | Means that Protocol Transition delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Trusted To Authenticate For Delegation'** – Disabled | Means that Protocol Transition delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts. | +| **'Not Delegated'** – Enabled | Means that **Account is sensitive and cannot be delegated** was selected for the computer account. For computer accounts, this flag cannot be set using the graphical interface. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. | +| **'Use DES Key Only'** – Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. | +| **'Don't Require Preauth'** - Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. | + diff --git a/windows/keep-secure/event-4743.md b/windows/keep-secure/event-4743.md new file mode 100644 index 0000000000..42f7e90f14 --- /dev/null +++ b/windows/keep-secure/event-4743.md @@ -0,0 +1,118 @@ +--- +title: 4743(S) A computer account was deleted. (Windows 10) +description: Describes security event 4743(S) A computer account was deleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4743(S): A computer account was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Computer Account Management](audit-computer-account-management.md)
+
+***Event Description:***
+
+This event generates every time a computer object is deleted.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md)
+
+***Event Description:***
+
+This event generates every time a new security-disabled (distribution) global group was created.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md)
+
+***Event Description:***
+
+This event generates every time security-disabled (distribution) global group is changed.
+
+This event generates only on domain controllers.
+
+Some changes do not invoke a 4750 event, for example, changes made using the Active Directory Users and Computers management console in **Managed By** tab in group account properties.
+
+If you change the name of the group (SAM Account Name), you also get “[4781](event-4781.md): The name of an account was changed” if “[Audit User Account Management](audit-user-account-management.md)” subcategory success auditing is enabled.
+
+If you change the group type, you get a change event from the new group type auditing subcategory instead of 4750. If you need to monitor for group type changes, it is better to monitor for “[4764](event-4764.md): A group’s type was changed.” These events are generated for any group type when group type is changed. “[Audit Security Group Management](audit-security-group-management.md)” subcategory success auditing must be enabled.
+
+From 4750 event you can get information about changes of **sAMAccountName** and **sIDHistory** attributes or you will see that something changed, but will not be able to see what exactly changed.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md)
+
+***Event Description:***
+
+This event generates every time a new member was added to a security-disabled (distribution) global group.
+
+This event generates only on domain controllers.
+
+For every added member you will get separate 4751 event.
+
+You will typically see “[4750](event-4750.md): A security-disabled global group was changed.” event without any changes in it prior to 4751 event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Typically, this event is used as an informational event, to be reviewed if needed. | +| **High-value distribution groups:** You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes). | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value distribution groups. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4752.md b/windows/keep-secure/event-4752.md new file mode 100644 index 0000000000..28d38b44a5 --- /dev/null +++ b/windows/keep-secure/event-4752.md @@ -0,0 +1,152 @@ +--- +title: 4752(S) A member was removed from a security-disabled global group. (Windows 10) +description: Describes security event 4752(S) A member was removed from a security-disabled global group. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4752(S): A member was removed from a security-disabled global group. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md)
+
+***Event Description:***
+
+This event generates every time member was removed from the security-disabled (distribution) global group.
+
+This event generates only on domain controllers.
+
+For every removed member you will get separate 4752 event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Typically, this event is used as an informational event, to be reviewed if needed. | +| **High-value distribution groups:** You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes). | Monitor this event with the “**Group\\Group Name”** values that correspond to the high-value distribution groups. | +| **Distribution groups with required members**: You might need to ensure that for certain distribution groups, particular members are never removed. | Monitor this event with the “**Group\\Group Name”** that corresponds to the group of interest, and the **“Member\\Security ID”** of the members who should not be removed. | +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + diff --git a/windows/keep-secure/event-4753.md b/windows/keep-secure/event-4753.md new file mode 100644 index 0000000000..5cc018f286 --- /dev/null +++ b/windows/keep-secure/event-4753.md @@ -0,0 +1,124 @@ +--- +title: 4753(S) A security-disabled global group was deleted. (Windows 10) +description: Describes security event 4753(S) A security-disabled global group was deleted. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4753(S): A security-disabled global group was deleted. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Distribution Group Management](audit-distribution-group-management.md)
+
+***Event Description:***
+
+This event generates every time security-disabled (distribution) global group is deleted.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates every time group’s type is changed.
+
+This event generates for both security and distribution groups.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time a user account is unlocked.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
+
+***Event Description:***
+
+This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
+
+This event generates only on domain controllers.
+
+If TGT issue fails then you will see Failure event with **Result Code** field not equal to “**0x0**”.
+
+This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+The most common values:
+
+- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
+
+- 0x40810000 - Forwardable, Renewable, Canonicalize
+
+- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
+
+| Bit | Flag Name | Description |
+|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0 | Reserved | - |
+| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. |
+| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. |
+| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. |
+| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
+| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. |
+| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
+| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
+| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
+| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
+| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
+| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
+| 14 | Request-anonymous | KILE not use this flag. |
+| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
+| 16-25 | Unused | - |
+| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honorthe DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in it’s renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. | + +> Table 2. Kerberos ticket flags. + +> **Note** [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) **(Microsoft Kerberos Protocol Extension)** – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels. + +- **Result Code** \[Type = HexInt32\]**:** hexadecimal result code of TGT issue operation. The “Table 3. TGT/TGS issue error codes.” contains the list of the most common error codes for this event. + +| Code | Code Name | Description | Possible causes | +|------------------------------------------------------------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x0 | KDC\_ERR\_NONE | No error | No errors were found. | +| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in KDC database has expired | No information. | +| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in KDC database has expired | No information. | +| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested Kerberos version number not supported | No information. | +| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | No information. | +| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | No information. | +| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | The username doesn’t exist. | +| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the server’s name in Active Directory. This error is similar to KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN except that it occurs when the server name cannot be found. | +| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in KDC database | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one. | +| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account. | +| 0xA | KDC\_ERR\_CANNOT\_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future.
It also can occur if there is a time difference between the client and the KDC. | +| 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client. | +| 0xC | KDC\_ERR\_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction. | +| 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.
The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list | +| 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. | +| 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. | +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x11 | KDC\_ERR\_TRTYPE\_NO\_SUPP | KDC has no support for transited type | No information. | +| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Client’s credentials have been revoked | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out. | +| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | No information. | +| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC\_ERR\_TGT\_REVOKED. See [RFC1510](https://www.ietf.org/proceedings/49/I-D/draft-ietf-cat-kerberos-pk-cross-07.txt) for more details. | +| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid—try again later | No information. | +| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid—try again later | No information. | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. | +| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. | +| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. | +| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. | +| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. | +| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. | +| 0x22 | KRB\_AP\_ERR\_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. | +| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. | +| 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.
There is an account mismatch during protocol transition. | +| 0x25 | KRB\_AP\_ERR\_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy. | +| 0x26 | KRB\_AP\_ERR\_BADADDR | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid. | +| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version numbers don't match (PVNO) | When an application receives a KRB\_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application.
The message is first checked by verifying that the protocol version and type fields match the current version and KRB\_SAFE, respectively. A mismatch generates a KRB\_AP\_ERR\_BADVERSION.
See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | +| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Message type is unsupported | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages.
This error also generated if use of UDP protocol is being attempted with User-to-User authentication. | +| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server.
The authentication data was modified in transit by a hardware or software error, or by an attacker.
The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.
The client sent the authentication data to the wrong server because DNS data was out-of-date on the client. | +| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order (possible tampering) | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | +| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. | +| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. | +| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | No information. | +| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | No information. | +| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. | +| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | No information. | +| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after that, the user-supplied checksum in the Authenticator MUST be verified against the contents of the request. The message MUST be rejected either if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). | +| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. | +| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. | +| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
Multiple recent password changes have not propagated.
Crypto subsystem error caused by running out of memory.
SPN too long.
SPN has too many parts. | +| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. | +| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller. | +| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. | +| 0x40 | KDC\_ERR\_INVALID\_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG. | +| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. | +| 0x42 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | User-to-user authorization is required | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB\_AP\_REP, the client will send the KRB\_AP\_REP request, and the server will respond with a KRB\_ERROR token as described in [RFC1964](https://tools.ietf.org/html/rfc1964), with a msg-type of KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED. | +| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT was presented or available | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT. | +| 0x44 | KDC\_ERR\_WRONG\_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS. | + +> Table 3. TGT/TGS issue error codes. + +- **Ticket Encryption Type** \[Type = HexInt32\]: the cryptographic suite that was used for issued TGT. + + + +## Table 4. Kerberos encryption types + +| Type | Type Name | Description | +|-----------------------------------------------------------------|-------------------------|-----------------------------------------------------------------------------------| +| 0x1 | DES-CBC-CRC | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x3 | DES-CBC-MD5 | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x11 | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x12 | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x17 | RC4-HMAC | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | + + +- **Pre-Authentication Type** \[Type = UnicodeString\]: the code number of [pre-Authentication](https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx) type which was used in TGT request. + + +## Table 5. Kerberos Pre-Authentication types. + +| Type | Type Name | Description | +|------------------------------------------------------------------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | - | Logon without Pre-Authentication. | +| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. | +| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | +| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. | +| 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. | +| 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | +| 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. | +| 138 | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients. | +| - | | This type shows in Audit Failure events. | + +**Certificate Information:** + +- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of the Certification Authority that issued the smart card certificate. Populated in **Issued by** field in certificate. + +- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. + +- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. + +## Security Monitoring Recommendations + +For 4768(S, F): A Kerberos authentication ticket (TGT) was requested. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“User ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“User ID”** for accounts that are outside the whitelist. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. | + +- You can track all [4768](event-4768.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. + +- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** is not from the whitelist, generate the alert. + +- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller. + +- All [4768](event-4768.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection. + +- Also consider monitoring the fields shown in the following table, to discover the issues listed: + +| **Field** | **Issue to discover** | +|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Certificate Issuer Name** | Certification authority name is not from your PKI infrastructure. | +| **Certificate Issuer Name** | Certification authority name is not authorized to issue smart card authentication certificates. | +| **Pre-Authentication Type** | Value is **0**, which means that pre-authentication was not used. All accounts should use Pre-Authentication, except accounts configured with “Do not require Kerberos preauthentication,” which is a security risk. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 15** when account must use a smart card for authentication. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Ticket Encryption Type** | Value is **0x1** or **0x3**, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. For more information, see [Table 4. Kerberos encryption types](#kerberos-encryption-types). | +| **Ticket Encryption Type** | Starting with Windows Vista and Windows Server 2008, monitor for values **other than 0x11 and 0x12**. These are the expected values, starting with these operating systems, and represent AES-family algorithms. For more information, see [Table 4. Kerberos encryption types](#kerberos-encryption-types). | +| **Result Code** | **0x6** (The username doesn't exist), if you see, for example N events in last N minutes. This can be an indicator of account enumeration attack, especially for highly critical accounts. | +| **Result Code** | **0x7** (Server not found in Kerberos database). This error can occur if the domain controller cannot find the server's name in Active Directory. | +| **Result Code** | **0x8** (Multiple principal entries in KDC database). This will help you to find duplicate SPNs faster. | +| **Result Code** | **0x9** (The client or server has a null key (master key)). This error can help you to identify problems with Kerberos authentication faster. | +| **Result Code** | **0xA** (Ticket (TGT) not eligible for postdating). Microsoft systems should not request postdated tickets. These events could help identify anomaly activity. | +| **Result Code** | **0xC** (Requested start time is later than end time), if you see, for example N events in last N minutes. This can be an indicator of an account compromise attempt, especially for highly critical accounts. | +| **Result Code** | **0xE** (KDC has no support for encryption type). In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. Monitor for these events because this should not happen in a standard Active Directory environment. | +| **Result Code** | **0xF** (KDC has no support for checksum type). Monitor for these events because this should not happen in a standard Active Directory environment. | +| **Result Code** | **0x12** (Client's credentials have been revoked), if you see, for example N events in last N minutes. This can be an indicator of anomaly activity or brute-force attack, especially for highly critical accounts. | +| **Result Code** | **0x1F** (Integrity check on decrypted field failed). The authenticator was encrypted with something other than the session key. The result is that the KDC cannot decrypt the TGT. The modification of the message could be the result of an attack or it could be because of network noise. | +| **Result Code** | **0x22** (The request is a replay). This error indicates that a specific authenticator showed up twice—the KDC has detected that this session ticket duplicates one that it has already received. It could be a sign of attack attempt. | +| **Result Code** | **0x29** (Message stream modified and checksum didn't match). The authentication data was encrypted with the wrong key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. Monitor for these events because this should not happen in a standard Active Directory environment. | +| **Result Code** | **0x3C** (Generic error). This error can help you more quickly identify problems with Kerberos authentication. | +| **Result Code** | **0x3E** (The client trust failed or is not implemented). This error helps you identify logon attempts with revoked certificates and the situations when the root Certification Authority that issued the smart card certificate (through a chain) is not trusted by a domain controller. | +| **Result Code** | **0x3F**, **0x40**, **0x41** errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication. | + diff --git a/windows/keep-secure/event-4769.md b/windows/keep-secure/event-4769.md new file mode 100644 index 0000000000..ecb3b28900 --- /dev/null +++ b/windows/keep-secure/event-4769.md @@ -0,0 +1,287 @@ +--- +title: 4769(S, F) A Kerberos service ticket was requested. (Windows 10) +description: Describes security event 4769(S, F) A Kerberos service ticket was requested. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4769(S, F): A Kerberos service ticket was requested. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
+
+***Event Description:***
+
+This event generates every time Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request.
+
+This event generates only on domain controllers.
+
+If TGS issue fails then you will see Failure event with **Failure Code** field not equal to “**0x0**”.
+
+You will typically see many Failure events with **Failure Code** “**0x20**”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+The most common values:
+
+- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
+
+- 0x40810000 - Forwardable, Renewable, Canonicalize
+
+- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
+
+| Bit | Flag Name | Description |
+|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0 | Reserved | - |
+| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. |
+| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. |
+| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. |
+| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
+| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. |
+| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
+| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
+| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
+| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
+| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
+| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
+| 14 | Request-anonymous | KILE not use this flag. |
+| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
+| 16-25 | Unused | - |
+| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honorthe DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. +## Table 4. Kerberos encryption types | + +- **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS. + +| Type | Type Name | Description | +|--------------------------|-------------------------|-----------------------------------------------------------------------------------| +| 0x1 | DES-CBC-CRC | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x3 | DES-CBC-MD5 | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x11 | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x12 | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x17 | RC4-HMAC | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | + +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. The table below contains the list of the most common error codes for this event: + +| Code | Code Name | Description | Possible causes | +|------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x0 | KDC\_ERR\_NONE | No error | No errors were found. | +| 0x1 | KDC\_ERR\_NAME\_EXP | Client's entry in KDC database has expired | No information. | +| 0x2 | KDC\_ERR\_SERVICE\_EXP | Server's entry in KDC database has expired | No information. | +| 0x3 | KDC\_ERR\_BAD\_PVNO | Requested Kerberos version number not supported | No information. | +| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | No information. | +| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | No information. | +| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | The username doesn’t exist. | +| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the server’s name in Active Directory. This error is similar to KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN except that it occurs when the server name cannot be found. | +| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in KDC database | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one. | +| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account. | +| 0xA | KDC\_ERR\_CANNOT\_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future.
It also can occur if there is a time difference between the client and the KDC. | +| 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client. | +| 0xC | KDC\_ERR\_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction. | +| 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.
The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list | +| 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. | +| 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. | +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x11 | KDC\_ERR\_TRTYPE\_NO\_SUPP | KDC has no support for transited type | No information. | +| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Client’s credentials have been revoked | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out. | +| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | No information. | +| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC\_ERR\_TGT\_REVOKED. See [RFC1510](https://www.ietf.org/proceedings/49/I-D/draft-ietf-cat-kerberos-pk-cross-07.txt) for more details. | +| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid—try again later | No information. | +| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid—try again later | No information. | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | +| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. | +| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. | +| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. | +| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. | +| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. | +| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. | +| 0x22 | KRB\_AP\_ERR\_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. | +| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. | +| 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.
There is an account mismatch during protocol transition. | +| 0x25 | KRB\_AP\_ERR\_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy. | +| 0x26 | KRB\_AP\_ERR\_BADADDR | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid. | +| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version numbers don't match (PVNO) | When an application receives a KRB\_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application.
The message is first checked by verifying that the protocol version and type fields match the current version and KRB\_SAFE, respectively. A mismatch generates a KRB\_AP\_ERR\_BADVERSION.
See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | +| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Message type is unsupported | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages.
This error also generated if use of UDP protocol is being attempted with User-to-User authentication. | +| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server.
The authentication data was modified in transit by a hardware or software error, or by an attacker.
The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.
The client sent the authentication data to the wrong server because DNS data was out-of-date on the client. | +| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order (possible tampering) | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | +| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. | +| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. | +| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | No information. | +| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | No information. | +| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. | +| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | No information. | +| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). | +| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. | +| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. | +| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
Multiple recent password changes have not propagated.
Crypto subsystem error caused by running out of memory.
SPN too long.
SPN has too many parts. | +| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. | +| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller. | +| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. | +| 0x40 | KDC\_ERR\_INVALID\_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG. | +| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. | +| 0x42 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | User-to-user authorization is required | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB\_AP\_REP, the client will send the KRB\_AP\_REP request, and the server will respond with a KRB\_ERROR token as described in [RFC1964](https://tools.ietf.org/html/rfc1964), with a msg-type of KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED. | +| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT was presented or available | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT. | +| 0x44 | KDC\_ERR\_WRONG\_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS. | + +- **Transited Services** \[Type = UnicodeString\]: this field contains list of SPNs which were requested if Kerberos delegation was used. + +> **Note** **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. + +## Security Monitoring Recommendations + +For 4769(S, F): A Kerberos service ticket was requested. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Account Information\\Account Name”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the accounts that should never be used. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Account Information\\Account Domain”** corresponding to another domain or “external” location. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Account Information\\Account Name”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. | + +- If you know that **Account Name** should never request any tickets for (that is, never get access to) a particular computer account or service account, monitor for [4769](event-4769.md) events with the corresponding **Account Name** and **Service ID** fields. + +- You can track all [4769](event-4769.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. + +- If you know that **Account Name** should be able to request tickets (should be used) only from a known whitelist of IP addresses, track all **Client Address** values for this **Account Name** in [4769](event-4769.md) events. If **Client Address** is not from your whitelist of IP addresses, generate the alert. + +- All **Client Address** = ::1 means local TGS requests, which means that the **Account Name** logged on to a domain controller before making the TGS request. If you have a whitelist of accounts allowed to log on to domain controllers, monitor events with **Client Address** = ::1 and any **Account Name** outside the whitelist. + +- All [4769](event-4769.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection. + +- Monitor for a **Ticket Encryption Type** of **0x1** or **0x3**, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. + +- Starting with Windows Vista and Windows Server 2008, monitor for a **Ticket Encryption Type** other than **0x11 and 0x12**. These are the expected values, starting with these operating systems, and represent AES-family algorithms. + +- If you have a list of important **Failure Codes**, monitor for these codes. + diff --git a/windows/keep-secure/event-4770.md b/windows/keep-secure/event-4770.md new file mode 100644 index 0000000000..1c353eb67f --- /dev/null +++ b/windows/keep-secure/event-4770.md @@ -0,0 +1,183 @@ +--- +title: 4770(S) A Kerberos service ticket was renewed. (Windows 10) +description: Describes security event 4770(S) A Kerberos service ticket was renewed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4770(S): A Kerberos service ticket was renewed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
+
+***Event Description:***
+
+This event generates for every Ticket Granting Service (TGS) ticket renewal.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+The most common values:
+
+- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
+
+- 0x40810000 - Forwardable, Renewable, Canonicalize
+
+- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
+
+| Bit | Flag Name | Description |
+|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0 | Reserved | - |
+| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. |
+| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. |
+| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. |
+| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
+| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. |
+| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
+| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
+| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
+| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
+| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
+| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
+| 14 | Request-anonymous | KILE not use this flag. |
+| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
+| 16-25 | Unused | - |
+| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honorthe DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in it’s renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. | + +- **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used in renewed TGS. + +| Type | Type Name | Description | +|--------------------------|-------------------------|-----------------------------------------------------------------------------------| +| 0x1 | DES-CBC-CRC | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x3 | DES-CBC-MD5 | Disabled by default starting from Windows 7 and Windows Server 2008 R2. | +| 0x11 | AES128-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x12 | AES256-CTS-HMAC-SHA1-96 | Supported starting from Windows Server 2008 and Windows Vista. | +| 0x17 | RC4-HMAC | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. | +| 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | + + +## Security Monitoring Recommendations + +For 4770(S): A Kerberos service ticket was renewed. + +- This event typically has informational only purpose. + diff --git a/windows/keep-secure/event-4771.md b/windows/keep-secure/event-4771.md new file mode 100644 index 0000000000..ae81985175 --- /dev/null +++ b/windows/keep-secure/event-4771.md @@ -0,0 +1,226 @@ +--- +title: 4771(F) Kerberos pre-authentication failed. (Windows 10) +description: Describes security event 4771(F) Kerberos pre-authentication failed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4771(F): Kerberos pre-authentication failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
+
+***Event Description:***
+
+This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
+
+This event generates only on domain controllers.
+
+This event is not generated if “Do not require Kerberos preauthentication” option is set for the account.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+The most common values:
+
+- 0x40810010 - Forwardable, Renewable, Canonicalize, Renewable-ok
+
+- 0x40810000 - Forwardable, Renewable, Canonicalize
+
+- 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
+
+| Bit | Flag Name | Description |
+|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 0 | Reserved | - |
+| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. |
+| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. |
+| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. |
+| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
+| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
+| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. |
+| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
+| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
+| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
+| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
+| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
+| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
+| 14 | Request-anonymous | KILE not use this flag. |
+| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
+| 16-25 | Unused | - |
+| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honorthe DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. | + +> Table 6. Kerberos ticket flags. + +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal failure code of failed TGT issue operation. The table below contains the list of the most common error codes for this event: + +| Code | Code Name | Description | Possible causes | +|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | +| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. | +| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. | + +- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx) type which was used in TGT request. + + +## Table 5. Kerberos Pre-Authentication types. + +| Type | Type Name | Description | +|------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | - | Logon without Pre-Authentication. | +| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. | +| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | +| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. | +| 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. | +| 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | +| 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. | +| 138 | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients. | +| - | | This type shows in Audit Failure events. | + +**Certificate Information:** + +- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events. + +- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events. + +- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events. + +## Security Monitoring Recommendations + +For 4771(F): Kerberos pre-authentication failed. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the whitelist. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + +- You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. + +- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4771](event-4771.md) events. If **Client Address** is not from the whitelist, generate the alert. + +- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller. + +- All [4771](event-4771.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection. + +- Also monitor the fields shown in the following table, to discover the issues listed: + +| **Field** | **Issue to discover** | +|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Pre-Authentication Type** | Value is **not 15** when account must use a smart card for authentication. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | +| **Result Code** | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. | +| **Result Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. | + diff --git a/windows/keep-secure/event-4772.md b/windows/keep-secure/event-4772.md new file mode 100644 index 0000000000..cc22ebd0d0 --- /dev/null +++ b/windows/keep-secure/event-4772.md @@ -0,0 +1,21 @@ +--- +title: 4772(F) A Kerberos authentication ticket request failed. (Windows 10) +description: Describes security event 4772(F) A Kerberos authentication ticket request failed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4772(F): A Kerberos authentication ticket request failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4768](event-4768.md) failure event is generated instead. + +***Subcategory:*** [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) + diff --git a/windows/keep-secure/event-4773.md b/windows/keep-secure/event-4773.md new file mode 100644 index 0000000000..d1edccab49 --- /dev/null +++ b/windows/keep-secure/event-4773.md @@ -0,0 +1,21 @@ +--- +title: 4773(F) A Kerberos service ticket request failed. (Windows 10) +description: Describes security event 4773(F) A Kerberos service ticket request failed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4773(F): A Kerberos service ticket request failed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4769](event-4769.md) failure event is generated instead. + +***Subcategory:*** [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md) + diff --git a/windows/keep-secure/event-4774.md b/windows/keep-secure/event-4774.md new file mode 100644 index 0000000000..2b626f9576 --- /dev/null +++ b/windows/keep-secure/event-4774.md @@ -0,0 +1,41 @@ +--- +title: 4774(S) An account was mapped for logon. (Windows 10) +description: Describes security event 4774(S) An account was mapped for logon. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4774(S): An account was mapped for logon. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +It appears that this event never occurs. + +***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) + +***Event Schema:*** + +*An account was mapped for logon.* + +*Authentication Package:%1* + +*Account UPN:%2* + +*Mapped Name:%3* + +***Required Server Roles:*** no information. + +***Minimum OS Version:*** no information. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-4775.md b/windows/keep-secure/event-4775.md new file mode 100644 index 0000000000..f02523531c --- /dev/null +++ b/windows/keep-secure/event-4775.md @@ -0,0 +1,39 @@ +--- +title: 4775(F) An account could not be mapped for logon. (Windows 10) +description: Describes security event 4775(F) An account could not be mapped for logon. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4775(F): An account could not be mapped for logon. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +It appears that this event never occurs. + +***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) + +***Event Schema:*** + +*An account could not be mapped for logon.* + +*Authentication Package:%1* + +*Account Name:%2* + +***Required Server Roles:*** no information. + +***Minimum OS Version:*** no information. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- There is no recommendation for this event in this document. + diff --git a/windows/keep-secure/event-4776.md b/windows/keep-secure/event-4776.md new file mode 100644 index 0000000000..c244914722 --- /dev/null +++ b/windows/keep-secure/event-4776.md @@ -0,0 +1,148 @@ +--- +title: 4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10) +description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4776(S, F): The computer attempted to validate the credentials for an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md)
+
+***Event Description:***
+
+This event generates every time that a credential validation occurs using NTLM authentication.
+
+This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
+
+It shows successful and unsuccessful credential validation attempts.
+
+It shows only the computer name (**Source Workstation**) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you will see CLIENT-1 in the **Source Workstation** field. Information about the destination computer (SERVER-1) is not presented in this event.
+
+If a credential validation attempt fails, you will see a Failure event with **Error Code** parameter value not equal to “**0x0**”.
+
+The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.
+
+For monitoring local account logon attempts, it is better to use event “[4624](event-4624.md): An account was successfully logged on” because it contains more details and is more informative.
+
+This event also generates when a workstation unlock event occurs.
+
+This event does *not* generate when a domain account logs on locally to a domain controller.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Some of the potential causes for this:
An invalid username and/or password was used
[LAN Manager Authentication Level](https://technet.microsoft.com/en-us/library/jj852207.aspx) mismatch between the source and target computers. | +| 0xC000006F | Account logon outside authorized hours. | +| 0xC0000070 | Account logon from unauthorized workstation. | +| 0xC0000071 | Account logon with expired password. | +| 0xC0000072 | Account logon to account disabled by administrator. | +| 0xC0000193 | Account logon with expired account. | +| 0xC0000224 | Account logon with "Change Password at Next Logon" flagged. | +| 0xC0000234 | Account logon with account locked. | +| 0xc0000371 | The local account store does not contain secret material for the specified account. | +| 0x0 | No errors. | + +> Table 1. Winlogon Error Codes. + +## Security Monitoring Recommendations + +For 4776(S, F): The computer attempted to validate the credentials for an account. + +| **Type of monitoring required** | **Recommendation** | +|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.
To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Logon Account”** for accounts that are outside the whitelist. | +| **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. | + +- If NTLM authentication should not be used for a specific account, monitor for that account. Don’t forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored. + +- You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don’t forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored. + +- If a local account should be used only locally (for example, network logon or terminal services logon is not allowed), you need to monitor for all events where **Source Workstation** and **Computer** (where the event was generated and where the credentials are stored) have different values. + +- Consider tracking the following errors for the reasons listed: + +| **Error to track** | **What the error might indicate** | +|-----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------| +| **User logon with misspelled or bad user account** | For example, N events in the last N minutes can be an indicator of an account enumeration attack, especially relevant for highly critical accounts. | +| **User logon with misspelled or bad password** | For example, N events in the last N minutes can be an indicator of a brute-force password attack, especially relevant for highly critical accounts. | +| **User logon outside authorized hours** | Can indicate a compromised account; especially relevant for highly critical accounts. | +| **User logon from unauthorized workstation** | Can indicate a compromised account; especially relevant for highly critical accounts. | +| **User logon to account disabled by administrator** | For example, N events in last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts. | +| **User logon with expired account** | Can indicate an account compromise attempt; especially relevant for highly critical accounts. | +| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. | + diff --git a/windows/keep-secure/event-4777.md b/windows/keep-secure/event-4777.md new file mode 100644 index 0000000000..7a985dae86 --- /dev/null +++ b/windows/keep-secure/event-4777.md @@ -0,0 +1,21 @@ +--- +title: 4777(F) The domain controller failed to validate the credentials for an account. (Windows 10) +description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4777(F): The domain controller failed to validate the credentials for an account. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4776](event-4776.md) failure event is generated instead. + +***Subcategory:*** [Audit Credential Validation](audit-credential-validation.md) + diff --git a/windows/keep-secure/event-4778.md b/windows/keep-secure/event-4778.md new file mode 100644 index 0000000000..ff3e197630 --- /dev/null +++ b/windows/keep-secure/event-4778.md @@ -0,0 +1,137 @@ +--- +title: 4778(S) A session was reconnected to a Window Station. (Windows 10) +description: Describes security event 4778(S) A session was reconnected to a Window Station. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4778(S): A session was reconnected to a Window Station. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true).
+
+This event also generates when user reconnects to virtual host Hyper-V Enhanced Session, for example.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Additional Information:**
+
+- **Client Name** \[Type = UnicodeString\]: computer name from which the user was reconnected. Has “**Unknown”** value for console session.
+
+- **Client Address** \[Type = UnicodeString\]: IP address of the computer from which the user was reconnected.
+
+ - IPv6 address or ::ffff:IPv4 address of a client.
+
+ - ::1 or 127.0.0.1 means localhost.
+
+ - Has “**LOCAL**” value for console session.
+
+## Security Monitoring Recommendations
+
+For 4778(S): A session was reconnected to a Window Station.
+
+| **Type of monitoring required** | **Recommendation** |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + +- If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with **Session Name** = Console. + +- If Remote Desktop Connections are not allowed for specific users (**Subject\\Account Name**) or disabled on some computers, then monitor for **Session Name** = RDP-Tcp\# (substring). + +- If a specific computer or device (**Client Name** or **Client Address**) should never connect to this computer (**Computer**), monitor for any event with that **Client Name** or **Client Address**. + +- Check that **Additional Information\\Client Address** is from internal IP addresses list. + diff --git a/windows/keep-secure/event-4779.md b/windows/keep-secure/event-4779.md new file mode 100644 index 0000000000..2dfd8ef4ab --- /dev/null +++ b/windows/keep-secure/event-4779.md @@ -0,0 +1,139 @@ +--- +title: 4779(S) A session was disconnected from a Window Station. (Windows 10) +description: Describes security event 4779(S) A session was disconnected from a Window Station. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4779(S): A session was disconnected from a Window Station. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true).
+
+This event also generated when user disconnects from virtual host Hyper-V Enhanced Session, for example.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Additional Information:**
+
+- **Client Name** \[Type = UnicodeString\]: machine name from which the session was disconnected. Has “**Unknown”** value for console session.
+
+
+
+- **Client Address** \[Type = UnicodeString\]: IP address of the computer from which the session was disconnected.
+
+ - IPv6 address or ::ffff:IPv4 address of a client.
+
+ - ::1 or 127.0.0.1 means localhost.
+
+
+
+ - Has “**LOCAL**” value for console session.
+
+## Security Monitoring Recommendations
+
+For 4779(S): A session was disconnected from a Window Station.
+
+| **Type of monitoring required** | **Recommendation** |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. | +| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. | +| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. | +| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. | +| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. | +| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | +| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
For example, you might have computers to which connections should not be made from certain accounts or addresses. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.
If you have a target **Computer:** (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding **Client Name** or **Client Address**. | +| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | + +- If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with **Session Name** = Console. + +- If Remote Desktop Connections are not allowed for specific users (**Subject\\Account Name**) or disabled on some computers, then monitor for **Session Name** = RDP-Tcp\# (substring). + +- To ensure that connections are made only from your internal IP address list, monitor the **Additional Information\\Client Address** in this event. + diff --git a/windows/keep-secure/event-4780.md b/windows/keep-secure/event-4780.md new file mode 100644 index 0000000000..f90b4a900a --- /dev/null +++ b/windows/keep-secure/event-4780.md @@ -0,0 +1,59 @@ +--- +title: 4780(S) The ACL was set on accounts which are members of administrators groups. (Windows 10) +description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4780(S): The ACL was set on accounts which are members of administrators groups. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the [AdminSDHolder](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx) object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated. + +For some reason, this event doesn’t generate on some OS versions. + +***Subcategory:*** [Audit User Account Management](audit-user-account-management.md) + +***Event Schema:*** + +*The ACL was set on accounts which are members of administrators groups.* + +*Subject:* + +> *Security ID:%4* +> +> *Account Name:%5* +> +> *Account Domain:%6* +> +> *Logon ID:%7* + +*Target Account:* + +> *Security ID:%3* +> +> *Account Name:%1* +> +> *Account Domain:%2* + +*Additional Information:* + +> *Privileges:%8* + +***Required Server Roles:*** Active Directory domain controller. + +***Minimum OS Version:*** Windows Server 2008. + +***Event Versions:*** 0. + +## Security Monitoring Recommendations + +- Monitor for this event and investigate why the object’s ACL was changed. + diff --git a/windows/keep-secure/event-4781.md b/windows/keep-secure/event-4781.md new file mode 100644 index 0000000000..34064992de --- /dev/null +++ b/windows/keep-secure/event-4781.md @@ -0,0 +1,127 @@ +--- +title: 4781(S) The name of an account was changed. (Windows 10) +description: Describes security event 4781(S) The name of an account was changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4781(S): The name of an account was changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time a user or computer account name (**sAMAccountName** attribute) is changed.
+
+For user accounts, this event generates on domain controllers, member servers, and workstations.
+
+For computer accounts, this event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Account Management Events](audit-other-account-management-events.md)
+
+***Event Description:***
+
+This event generates on domain controllers during password migration of an account using [Active Directory Migration Toolkit](https://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx).
+
+Typically **“Subject\\Security ID”** is the SYSTEM account.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Account Management Events](audit-other-account-management-events.md)
+
+***Event Description:***
+
+This event generates each time the [Password Policy Checking API](https://msdn.microsoft.com/en-us/library/aa370661(VS.85).aspx) is called.
+
+The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
+
+This event, for example, generates during Directory Services Restore Mode ([DSRM](http://blogs.technet.com/b/askds/archive/2009/03/11/ds-restore-mode-password-maintenance.aspx)) account password reset procedure to check new DSRM password.
+
+This event generates on the computer where Password Policy Checking API was called.
+
+Note that starting with Microsoft SQL Server 2005, the “SQL Server password policy” feature can generate many 4793 events on a SQL Server.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time Directory Services Restore Mode (DSRM) administrator password is changed.
+
+This event generates only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates when a process enumerates a user's security-enabled local groups on a computer or device.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+## Security Monitoring Recommendations
+
+For 4798(S): A user's local group membership was enumerated.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If you have high value domain or local accounts for which you need to monitor each enumeration of their group membership, or any access attempt, monitor events with the **“Subject\\Security ID”** that corresponds to the high value account or accounts.
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
diff --git a/windows/keep-secure/event-4799.md b/windows/keep-secure/event-4799.md
new file mode 100644
index 0000000000..2084212f59
--- /dev/null
+++ b/windows/keep-secure/event-4799.md
@@ -0,0 +1,135 @@
+---
+title: 4799(S) A security-enabled local group membership was enumerated. (Windows 10)
+description: Describes security event 4799(S) A security-enabled local group membership was enumerated.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4799(S): A security-enabled local group membership was enumerated.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Security Group Management](audit-security-group-management.md)
+
+***Event Description:***
+
+This event generates when a process enumerates the members of a security-enabled local group on the computer or device.
+
+This event doesn't generate when group members were enumerated using Active Directory Users and Computers snap-in.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+## Security Monitoring Recommendations
+
+For 4799(S): A security-enabled local group membership was enumerated.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If you have a list of critical local security groups in the organization, and need to specifically monitor these groups for any access (in this case, enumeration of group membership), monitor events with the “**Group\\Group Name”** values that correspond to the critical local security groups. Examples of critical local groups are built-in local administrators, built-in backup operators, and so on.
+
+- If you need to monitor each time the membership is enumerated for a local or domain security group, to see who enumerated the membership and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
+
diff --git a/windows/keep-secure/event-4800.md b/windows/keep-secure/event-4800.md
new file mode 100644
index 0000000000..3eb3482649
--- /dev/null
+++ b/windows/keep-secure/event-4800.md
@@ -0,0 +1,101 @@
+---
+title: 4800(S) The workstation was locked. (Windows 10)
+description: Describes security event 4800(S) The workstation was locked.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4800(S): The workstation was locked.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event is generated when a workstation was locked.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+## Security Monitoring Recommendations
+
+For 4800(S): The workstation was locked.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Typically this is an informational event, and can give you information about when a machine was locked, and which account was used to lock it.
+
diff --git a/windows/keep-secure/event-4801.md b/windows/keep-secure/event-4801.md
new file mode 100644
index 0000000000..b0b69a6e24
--- /dev/null
+++ b/windows/keep-secure/event-4801.md
@@ -0,0 +1,101 @@
+---
+title: 4801(S) The workstation was unlocked. (Windows 10)
+description: Describes security event 4801(S) The workstation was unlocked.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4801(S): The workstation was unlocked.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event is generated when workstation was unlocked.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+## Security Monitoring Recommendations
+
+For 4801(S): The workstation was unlocked.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Typically this is an informational event, and can give you information about when a machine was unlocked, and which account was used to unlock it.
+
diff --git a/windows/keep-secure/event-4802.md b/windows/keep-secure/event-4802.md
new file mode 100644
index 0000000000..691f558b08
--- /dev/null
+++ b/windows/keep-secure/event-4802.md
@@ -0,0 +1,101 @@
+---
+title: 4802(S) The screen saver was invoked. (Windows 10)
+description: Describes security event 4802(S) The screen saver was invoked.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4802(S): The screen saver was invoked.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event is generated when screen saver was invoked.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+## Security Monitoring Recommendations
+
+For 4802(S): The screen saver was invoked.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Typically this is an informational event, and can give you information about when a screen saver was invoked on a machine, and which account invoked it.
+
diff --git a/windows/keep-secure/event-4803.md b/windows/keep-secure/event-4803.md
new file mode 100644
index 0000000000..8cfb6407c8
--- /dev/null
+++ b/windows/keep-secure/event-4803.md
@@ -0,0 +1,101 @@
+---
+title: 4803(S) The screen saver was dismissed. (Windows 10)
+description: Describes security event 4803(S) The screen saver was dismissed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4803(S): The screen saver was dismissed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event is generated when screen saver was dismissed.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+## Security Monitoring Recommendations
+
+For 4803(S): The screen saver was dismissed.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Typically this is an informational event, and can give you information about when a screen saver was dismissed on a machine, and which account dismissed it.
+
diff --git a/windows/keep-secure/event-4816.md b/windows/keep-secure/event-4816.md
new file mode 100644
index 0000000000..846e37ddf7
--- /dev/null
+++ b/windows/keep-secure/event-4816.md
@@ -0,0 +1,43 @@
+---
+title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. (Windows 10)
+description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4816(S): RPC detected an integrity violation while decrypting an incoming message.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This message generates if RPC detected an integrity violation while decrypting an incoming message.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
+
+***Event Schema:***
+
+*RPC detected an integrity violation while decrypting an incoming message.*
+
+*Peer Name: %1*
+
+*Protocol Sequence: %2*
+
+*Security Error: %3*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008, Windows Vista.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
+
diff --git a/windows/keep-secure/event-4817.md b/windows/keep-secure/event-4817.md
new file mode 100644
index 0000000000..c1bc5e42d5
--- /dev/null
+++ b/windows/keep-secure/event-4817.md
@@ -0,0 +1,246 @@
+---
+title: 4817(S) Auditing settings on object were changed. (Windows 10)
+description: Describes security event 4817(S) Auditing settings on object were changed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4817(S): Auditing settings on object were changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates when the [Global Object Access Auditing](https://technet.microsoft.com/en-us/library/dd772630(v=ws.10).aspx) policy is changed on a computer.
+
+Separate events will be generated for “Registry” and “File system” policy changes.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Central Policy Staging](audit-central-access-policy-staging.md)
+
+***Event Description:***
+
+This event generates when Dynamic Access Control Proposed [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) is enabled and access was not granted by Proposed Central Access Policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Current Central Access Policy results:**
+
+- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Current Access Policy. The format of the result is:+REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVIDED\_OR\_DENIED\_ACCESS. + +The possible REQUESTED\_ACCESS values are listed in the table below. + +## Table of file access codes + +| Access | Hexadecimal Value | Description | +|-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ReadData (or ListDirectory) | 0x1 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile) | 0x2 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA | 0x8 | The right to read extended file attributes. | +| WriteEA | 0x10 | The right to write extended file attributes. | +| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80 | The right to read file attributes. | +| WriteAttributes | 0x100 | The right to write file attributes. | +| DELETE | 0x10000 | The right to delete the object. | +| READ\_CONTROL | 0x20000 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000
| The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +- RESULT: + + - Granted by + + - Denied by + + - Granted by ACE on parent folder + + - Not granted due to missing – after this sentence you will typically see missing user rights, for example SeSecurityPrivilege. + + - Unknown or unchecked + +- ACE\_WHICH\_PROVIDED\_OR\_DENIED\_ACCESS: + + - Ownership – if access was granted because of ownership of an object. + + - User Right name, for example SeSecurityPrivilege. + + - The [Security Descriptor Definition Language](event-5145.md#sddl-values-for-access-control-entry) (SDDL) value for the Access Control Entry (ACE) that granted or denied access. + +**Proposed Central Access Policy results that differ from the current Central Access Policy results:** + +- **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Proposed Central Access Policy. Here you will see only ***denied*** requests. The format of the result is:
+ +REQUESTED\_ACCESS: NOT Granted by RULE\_NAME Rule. + +The possible REQUESTED\_ACCESS values are listed in the table below: + +| Access | Hexadecimal Value | Description | +|-------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ReadData (or ListDirectory) | 0x1 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile) | 0x2 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA | 0x8 | The right to read extended file attributes. | +| WriteEA | 0x10 | The right to write extended file attributes. | +| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80 | The right to read file attributes. | +| WriteAttributes | 0x100 | The right to write file attributes. | +| DELETE | 0x10000 | The right to delete the object. | +| READ\_CONTROL | 0x20000 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000
| The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +- RULE\_NAME: the name of Central Access Rule which denied the access. + +## Security Monitoring Recommendations + +For 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. + +- This event typically used for troubleshooting and testing of Proposed Central Access Policies for Dynamic Access Control. + diff --git a/windows/keep-secure/event-4819.md b/windows/keep-secure/event-4819.md new file mode 100644 index 0000000000..b9311464ea --- /dev/null +++ b/windows/keep-secure/event-4819.md @@ -0,0 +1,135 @@ +--- +title: 4819(S) Central Access Policies on the machine have been changed. (Windows 10) +description: Describes security event 4819(S) Central Access Policies on the machine have been changed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4819(S): Central Access Policies on the machine have been changed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
+***Event Description:***
+
+This event generates when [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) on the machine have been changed.
+
+For example, it generates when a new [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) was applied to the machine via Group Policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
+***Event Description:***
+
+This event generates every time system starts and load current [Boot Configuration Data](https://msdn.microsoft.com/en-us/library/windows/hardware/dn653287(v=vs.85).aspx) (BCD) settings.
+
+This event is always logged regardless of the "Audit Other Policy Change Events" sub-category setting.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when new trusted forest information entry was added.
+
+This event is generated only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 2 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator. | +| | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | +| 4 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 8 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | + +- **Top Level Name** \[Type = UnicodeString\]: the name of the new trusted forest information entry. + +- **DNS Name** \[Type = UnicodeString\]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **NetBIOS Name** \[Type = UnicodeString\]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Domain SID** \[Type = SID\]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”. + +## Security Monitoring Recommendations + +For 4865(S): A trusted forest information entry was added. + +- Any changes related to Active Directory forest trusts (especially creation of the new trust) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4866.md b/windows/keep-secure/event-4866.md new file mode 100644 index 0000000000..1fc701f4d1 --- /dev/null +++ b/windows/keep-secure/event-4866.md @@ -0,0 +1,150 @@ +--- +title: 4866(S) A trusted forest information entry was removed. (Windows 10) +description: Describes security event 4866(S) A trusted forest information entry was removed. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4866(S): A trusted forest information entry was removed. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates when the trusted forest information entry was removed.
+
+This event is generated only on domain controllers.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 2 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator. | +| | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | +| 4 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 8 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | + +- **Top Level Name** \[Type = UnicodeString\]: the name of the removed trusted forest information entry. + +- **DNS Name** \[Type = UnicodeString\]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **NetBIOS Name** \[Type = UnicodeString\]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Domain SID** \[Type = SID\]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”. + +## Security Monitoring Recommendations + +For 4866(S): A trusted forest information entry was removed. + +- Any changes related to Active Directory forest trusts (especially trust removal) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4867.md b/windows/keep-secure/event-4867.md new file mode 100644 index 0000000000..57fc10f7da --- /dev/null +++ b/windows/keep-secure/event-4867.md @@ -0,0 +1,152 @@ +--- +title: 4867(S) A trusted forest information entry was modified. (Windows 10) +description: Describes security event 4867(S) A trusted forest information entry was modified. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4867(S): A trusted forest information entry was modified. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
+
+***Event Description:***
+
+This event generates the trusted forest information entry was modified.
+
+This event is generated only on domain controllers.
+
+This event contains new values only, it doesn’t contains old values and it doesn’t show you which trust attributes were modified.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
ForestTrustTopLevelName | The top-level name trust record is disabled during initial creation. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 2 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled by the domain administrator. | +| | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | +| 4 | ForestTrustTopLevelNameEx
ForestTrustTopLevelName | The top-level name trust record is disabled due to a conflict. | +| | ForestTrustDomainInfo | The domain information trust record is disabled by the domain administrator. | +| 8 | ForestTrustDomainInfo | The domain information trust record is disabled due to a conflict. | + +- **Top Level Name** \[Type = UnicodeString\]: the name of the modified trusted forest information entry. + +- **DNS Name** \[Type = UnicodeString\]: DNS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **NetBIOS Name** \[Type = UnicodeString\]: NetBIOS name of the trust partner. This parameter might not be captured in the event, and in that case appears as “-”. + +- **Domain SID** \[Type = SID\]: SID of the trust partner. This parameter might not be captured in the event, and in that case appears as “NULL SID”. + +## Security Monitoring Recommendations + +For 4867(S): A trusted forest information entry was modified. + +- Any changes in Active Directory forest trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. + diff --git a/windows/keep-secure/event-4902.md b/windows/keep-secure/event-4902.md new file mode 100644 index 0000000000..f8979e200f --- /dev/null +++ b/windows/keep-secure/event-4902.md @@ -0,0 +1,80 @@ +--- +title: 4902(S) The Per-user audit policy table was created. (Windows 10) +description: Describes security event 4902(S) The Per-user audit policy table was created. +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: Mir0sh +--- + +# 4902(S): The Per-user audit policy table was created. + +**Applies to** +- Windows 10 +- Windows Server 2016 + + +
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates during system startup if Per-user audit policy is defined on the computer.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Policy ID** \[Type = HexInt64\]: unique per-User Audit Policy hexadecimal identifier.
+
+## Security Monitoring Recommendations
+
+For 4902(S): The Per-user audit policy table was created.
+
+- If you don’t expect to see any per-User Audit Policies enabled on specific computers (**Computer**), monitor for these events.
+
+- If you don’t use per-User Audit Policies in your network, monitor for these events.
+
+- Typically this is an informational event and has little to no security relevance.
+
diff --git a/windows/keep-secure/event-4904.md b/windows/keep-secure/event-4904.md
new file mode 100644
index 0000000000..85d903d952
--- /dev/null
+++ b/windows/keep-secure/event-4904.md
@@ -0,0 +1,132 @@
+---
+title: 4904(S) An attempt was made to register a security event source. (Windows 10)
+description: Describes security event 4904(S) An attempt was made to register a security event source.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4904(S): An attempt was made to register a security event source.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates every time a new [security event source](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx) is registered.
+
+You can typically see this event during system startup, if specific roles (Internet Information Services, for example) are installed in the system.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Event Source:**
+
+- **Source Name** \[Type = UnicodeString\]: the name of registered security event source. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example:
+
+
+
+- **Event Source ID** \[Type = HexInt64\]: the unique hexadecimal identifier of registered security event source.
+
+## Security Monitoring Recommendations
+
+For 4904(S): An attempt was made to register a security event source.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
+- If you have a pre-defined list of allowed security event sources for specific computers or computer types, then you can use this event and check whether “**Event Source\\Source Name**”is in your defined list.
+
+- Typically this event has an informational purpose.
+
diff --git a/windows/keep-secure/event-4905.md b/windows/keep-secure/event-4905.md
new file mode 100644
index 0000000000..1bc58fabcc
--- /dev/null
+++ b/windows/keep-secure/event-4905.md
@@ -0,0 +1,132 @@
+---
+title: 4905(S) An attempt was made to unregister a security event source. (Windows 10)
+description: Describes security event 4905(S) An attempt was made to unregister a security event source.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4905(S): An attempt was made to unregister a security event source.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates every time a [security event source](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx) is unregistered.
+
+You typically see this event if specific roles were removed, for example, Internet Information Services.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Event Source:**
+
+- **Source Name** \[Type = UnicodeString\]: the name of unregistered security event source. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example:
+
+
+
+- **Event Source ID** \[Type = HexInt64\]: the unique hexadecimal identifier of unregistered security event source.
+
+## Security Monitoring Recommendations
+
+For 4905(S): An attempt was made to unregister a security event source.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
+
+- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
+- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
+- If you have a list of critical security event sources which should never have been unregistered, then you can use this event and check the “**Event Source\\Source Name**.”
+
+- Typically this event has an informational purpose.
+
diff --git a/windows/keep-secure/event-4906.md b/windows/keep-secure/event-4906.md
new file mode 100644
index 0000000000..b7e82beaac
--- /dev/null
+++ b/windows/keep-secure/event-4906.md
@@ -0,0 +1,81 @@
+---
+title: 4906(S) The CrashOnAuditFail value has changed. (Windows 10)
+description: Describes security event 4906(S) The CrashOnAuditFail value has changed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4906(S): The CrashOnAuditFail value has changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates every time **CrashOnAuditFail** audit flag value was modified.
+
+This event is always logged regardless of the "Audit Policy Change" sub-category setting.
+
+More information about **CrashOnAuditFail** flag can be found [here](https://technet.microsoft.com/en-us/library/cc963220.aspx).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates when the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) of an object (for example, a registry key or file) was changed.
+
+This event doesn't generate for Active Directory objects.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Auditing Settings:**
+
+- **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the object.
+
+- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
+
+> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+
+> Example:
+
+> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
+
+> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
+> See the list of possible values in the table below:
+
+| Value | Description | Value | Description |
+|-------|--------------------------------------|-------|---------------------------------|
+| "AO" | Account operators | "PA" | Group Policy administrators |
+| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user |
+| "AN" | Anonymous logon | "LA" | Local administrator |
+| "AU" | Authenticated users | "LG" | Local guest |
+| "BA" | Built-in administrators | "LS" | Local service account |
+| "BG" | Built-in guests | "SY" | Local system |
+| "BO" | Backup operators | "NU" | Network logon user |
+| "BU" | Built-in users | "NO" | Network configuration operators |
+| "CA" | Certificate server administrators | "NS" | Network service account |
+| "CG" | Creator group | "PO" | Printer operators |
+| "CO" | Creator owner | "PS" | Personal self |
+| "DA" | Domain administrators | "PU" | Power users |
+| "DC" | Domain computers | "RS" | RAS servers group |
+| "DD" | Domain controllers | "RD" | Terminal server users |
+| "DG" | Domain guests | "RE" | Replicator |
+| "DU" | Domain users | "RC" | Restricted code |
+| "EA" | Enterprise administrators | "SA" | Schema administrators |
+| "ED" | Enterprise domain controllers | "SO" | Server operators |
+| "WD" | Everyone | "SU" | Service logon user |
+
+- *G*: = Primary Group.
+- *D*: = DACL Entries.
+- *S*: = SACL Entries.
+
+*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
+
+Example: D:(A;;FA;;;WD)
+
+- entry\_type:
+
+“D” - DACL
+
+“S” - SACL
+
+- inheritance\_flags:
+
+"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+
+"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
+
+"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
+
+- ace\_type:
+
+"A" - ACCESS ALLOWED
+
+"D" - ACCESS DENIED
+
+"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
+
+"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
+
+"AU" - SYSTEM AUDIT
+
+"A" - SYSTEM ALARM
+
+"OU" - OBJECT SYSTEM AUDIT
+
+"OL" - OBJECT SYSTEM ALARM
+
+- ace\_flags:
+
+"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
+
+"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
+
+"NP" - NO PROPAGATE: only immediate children inherit this ace.
+
+"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+
+"ID" - ACE IS INHERITED
+
+"SA" - SUCCESSFUL ACCESS AUDIT
+
+"FA" - FAILED ACCESS AUDIT
+- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
+
+| Value | Description | Value | Description |
+|----------------------------|---------------------------------|----------------------|--------------------------|
+| Generic access rights | Directory service access rights |
+| "GA" | GENERIC ALL | "RC" | Read Permissions |
+| "GR" | GENERIC READ | "SD" | Delete |
+| "GW" | GENERIC WRITE | "WD" | Modify Permissions |
+| "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
+| File access rights | "RP" | Read All Properties |
+| "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
+| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
+| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
+| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
+| Registry key access rights | "SW" | All Validated Writes |
+| "KA" | "LO" | "LO" | List Object |
+| "K" | KEY READ | "DT" | Delete Subtree |
+| "KW" | KEY WRITE | "CR" | All Extended Rights |
+| "KX" | KEY EXECUTE | | |
+
+- object\_guid: N/A
+- inherit\_object\_guid: N/A
+- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
+
+For more information about SDDL syntax, see these articles: 
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates every time Special Groups logon table was modified.
+
+This event also generates during system startup.
+
+This event is always logged regardless of the "Audit Policy Change" sub-category setting.
+
+More information about Special Groups auditing can be found here:
+
++ +***Event XML:*** +``` +-
+
+## Security Monitoring Recommendations
+
+For 4908(S): Special Groups Logon table modified.
+
+- If you use the Special Groups feature, then this event should be always monitored, especially on high value assets or computers. If this change was not planned, investigate the reason for the change.
+
+- If you don’t use the Special Groups feature, then this event should be always monitored because it indicates use of the Special Groups feature outside of your standard procedures.
+
diff --git a/windows/keep-secure/event-4909.md b/windows/keep-secure/event-4909.md
new file mode 100644
index 0000000000..f3f6b7d90e
--- /dev/null
+++ b/windows/keep-secure/event-4909.md
@@ -0,0 +1,21 @@
+---
+title: 4909(-) The local policy settings for the TBS were changed. (Windows 10)
+description: Describes security event 4909(-) The local policy settings for the TBS were changed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4909(-): The local policy settings for the TBS were changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
diff --git a/windows/keep-secure/event-4910.md b/windows/keep-secure/event-4910.md
new file mode 100644
index 0000000000..bf7110033f
--- /dev/null
+++ b/windows/keep-secure/event-4910.md
@@ -0,0 +1,21 @@
+---
+title: 4910(-) The group policy settings for the TBS were changed. (Windows 10)
+description: Describes security event 4910(-) The group policy settings for the TBS were changed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4910(-): The group policy settings for the TBS were changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
diff --git a/windows/keep-secure/event-4911.md b/windows/keep-secure/event-4911.md
new file mode 100644
index 0000000000..20a174c857
--- /dev/null
+++ b/windows/keep-secure/event-4911.md
@@ -0,0 +1,282 @@
+---
+title: 4911(S) Resource attributes of the object were changed. (Windows 10)
+description: Describes security event 4911(S) Resource attributes of the object were changed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4911(S): Resource attributes of the object were changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md)
+
+***Event Description:***
+
+This event generates when [resource attributes](http://blogs.technet.com/b/canitpro/archive/2013/05/07/step-by-step-protecting-your-information-with-dynamic-access-control.aspx) of the file system object were changed.
+
+Resource attributes for file or folder can be changed, for example, using Windows File Explorer (object’s Properties->Classification tab).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Resource Attributes:**
+
+- **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old resource attributes.
+
+ For example: S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))
+
+ - Impact\_MS: Resource Property ***ID***.
+
+ - 3000: Recourse Property ***Value***.
+
+
+
+> If no resource attributes were set to the object, then SDDL will not contain any attributes, for example “**S:AI**”.
+
+- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event.
+
+> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+
+> Example:
+
+> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
+
+> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
+> See the list of possible values in the table below:
+
+| Value | Description | Value | Description |
+|-------|--------------------------------------|-------|---------------------------------|
+| "AO" | Account operators | "PA" | Group Policy administrators |
+| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user |
+| "AN" | Anonymous logon | "LA" | Local administrator |
+| "AU" | Authenticated users | "LG" | Local guest |
+| "BA" | Built-in administrators | "LS" | Local service account |
+| "BG" | Built-in guests | "SY" | Local system |
+| "BO" | Backup operators | "NU" | Network logon user |
+| "BU" | Built-in users | "NO" | Network configuration operators |
+| "CA" | Certificate server administrators | "NS" | Network service account |
+| "CG" | Creator group | "PO" | Printer operators |
+| "CO" | Creator owner | "PS" | Personal self |
+| "DA" | Domain administrators | "PU" | Power users |
+| "DC" | Domain computers | "RS" | RAS servers group |
+| "DD" | Domain controllers | "RD" | Terminal server users |
+| "DG" | Domain guests | "RE" | Replicator |
+| "DU" | Domain users | "RC" | Restricted code |
+| "EA" | Enterprise administrators | "SA" | Schema administrators |
+| "ED" | Enterprise domain controllers | "SO" | Server operators |
+| "WD" | Everyone | "SU" | Service logon user |
+
+- *G*: = Primary Group.
+- *D*: = DACL Entries.
+- *S*: = SACL Entries.
+
+*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
+
+Example: D:(A;;FA;;;WD)
+
+- entry\_type:
+
+“D” - DACL
+
+“S” - SACL
+
+- inheritance\_flags:
+
+"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+
+"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
+
+"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
+
+- ace\_type:
+
+"A" - ACCESS ALLOWED
+
+"D" - ACCESS DENIED
+
+"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
+
+"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
+
+"AU" - SYSTEM AUDIT
+
+"A" - SYSTEM ALARM
+
+"OU" - OBJECT SYSTEM AUDIT
+
+"OL" - OBJECT SYSTEM ALARM
+
+- ace\_flags:
+
+"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
+
+"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
+
+"NP" - NO PROPAGATE: only immediate children inherit this ace.
+
+"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+
+"ID" - ACE IS INHERITED
+
+"SA" - SUCCESSFUL ACCESS AUDIT
+
+"FA" - FAILED ACCESS AUDIT
+- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
+
+| Value | Description | Value | Description |
+|----------------------------|---------------------------------|----------------------|--------------------------|
+| Generic access rights | Directory service access rights |
+| "GA" | GENERIC ALL | "RC" | Read Permissions |
+| "GR" | GENERIC READ | "SD" | Delete |
+| "GW" | GENERIC WRITE | "WD" | Modify Permissions |
+| "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
+| File access rights | "RP" | Read All Properties |
+| "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
+| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
+| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
+| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
+| Registry key access rights | "SW" | All Validated Writes |
+| "KA" | "LO" | "LO" | List Object |
+| "K" | KEY READ | "DT" | Delete Subtree |
+| "KW" | KEY WRITE | "CR" | All Extended Rights |
+| "KX" | KEY EXECUTE | | |
+
+- object\_guid: N/A
+- inherit\_object\_guid: N/A
+- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
+
+For more information about SDDL syntax, see these articles: 
+
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
+
+***Event Description:***
+
+This event generates every time [Per User Audit Policy](http://windowsitpro.com/systems-management/user-auditing-28-jun-2005) was changed.
+
+This event is always logged regardless of the "Audit Policy Change" sub-category setting.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Changes** \[Type = UnicodeString\]**:** changes which were made for the subcategory. Possible values are:
+
+ - Success include removed
+
+ - Success include added
+
+ - Failure include removed
+
+ - Failure include added
+
+ - Success exclude removed
+
+ - Success exclude added
+
+ - Failure exclude removed
+
+ - Failure exclude added
+
+## Security Monitoring Recommendations
+
+For 4912(S): Per User Audit Policy was changed.
+
+- If you use the Per-user audit feature, then this event should be always monitored, especially on high value assets or computers. If this change was not planned, investigate the reason for the change.
+
+- If you don’t use the Per-user audit feature, then this event should be always monitored because it indicates use of the Per-user audit feature outside of your standard procedures.
+
diff --git a/windows/keep-secure/event-4913.md b/windows/keep-secure/event-4913.md
new file mode 100644
index 0000000000..96a27d5f9f
--- /dev/null
+++ b/windows/keep-secure/event-4913.md
@@ -0,0 +1,288 @@
+---
+title: 4913(S) Central Access Policy on the object was changed. (Windows 10)
+description: Describes security event 4913(S) Central Access Policy on the object was changed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4913(S): Central Access Policy on the object was changed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md)
+
+***Event Description:***
+
+This event generates when a [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) on a file system object is changed.
+
+This event always generates, regardless of the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) settings.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+**Central Policy ID:**
+
+- **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (for the policy that was formerly applied to the object).
+
+ SDDL contains Central Access Policy SID, here is an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name you need to do the following:
+
+1. Find Central Access Policy Active Directory object in: “CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX” Active Directory container.
+
+2. Open object’s “**Properties**”.
+
+3. Find “**msAuthz-CentralAccessPolicyID**” attribute.
+
+4. Convert hexadecimal value to SID (string). Here you can see more information about how to perform this action: 
+
+> If no Central Access Policies were applied to the object, then SDDL will not contain any SIDs, for example “**S:AI**”.
+
+- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event.
+
+> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+
+> Example:
+
+> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
+
+> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
+> See the list of possible values in the table below:
+
+| Value | Description | Value | Description |
+|-------|--------------------------------------|-------|---------------------------------|
+| "AO" | Account operators | "PA" | Group Policy administrators |
+| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user |
+| "AN" | Anonymous logon | "LA" | Local administrator |
+| "AU" | Authenticated users | "LG" | Local guest |
+| "BA" | Built-in administrators | "LS" | Local service account |
+| "BG" | Built-in guests | "SY" | Local system |
+| "BO" | Backup operators | "NU" | Network logon user |
+| "BU" | Built-in users | "NO" | Network configuration operators |
+| "CA" | Certificate server administrators | "NS" | Network service account |
+| "CG" | Creator group | "PO" | Printer operators |
+| "CO" | Creator owner | "PS" | Personal self |
+| "DA" | Domain administrators | "PU" | Power users |
+| "DC" | Domain computers | "RS" | RAS servers group |
+| "DD" | Domain controllers | "RD" | Terminal server users |
+| "DG" | Domain guests | "RE" | Replicator |
+| "DU" | Domain users | "RC" | Restricted code |
+| "EA" | Enterprise administrators | "SA" | Schema administrators |
+| "ED" | Enterprise domain controllers | "SO" | Server operators |
+| "WD" | Everyone | "SU" | Service logon user |
+
+- *G*: = Primary Group.
+- *D*: = DACL Entries.
+- *S*: = SACL Entries.
+
+*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
+
+Example: D:(A;;FA;;;WD)
+
+- entry\_type:
+
+“D” - DACL
+
+“S” - SACL
+
+- inheritance\_flags:
+
+"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+
+"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
+
+"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
+
+- ace\_type:
+
+"A" - ACCESS ALLOWED
+
+"D" - ACCESS DENIED
+
+"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
+
+"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
+
+"AU" - SYSTEM AUDIT
+
+"A" - SYSTEM ALARM
+
+"OU" - OBJECT SYSTEM AUDIT
+
+"OL" - OBJECT SYSTEM ALARM
+
+- ace\_flags:
+
+"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
+
+"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
+
+"NP" - NO PROPAGATE: only immediate children inherit this ace.
+
+"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+
+"ID" - ACE IS INHERITED
+
+"SA" - SUCCESSFUL ACCESS AUDIT
+
+"FA" - FAILED ACCESS AUDIT
+- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
+
+| Value | Description | Value | Description |
+|----------------------------|---------------------------------|----------------------|--------------------------|
+| Generic access rights | Directory service access rights |
+| "GA" | GENERIC ALL | "RC" | Read Permissions |
+| "GR" | GENERIC READ | "SD" | Delete |
+| "GW" | GENERIC WRITE | "WD" | Modify Permissions |
+| "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
+| File access rights | "RP" | Read All Properties |
+| "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
+| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
+| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
+| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
+| Registry key access rights | "SW" | All Validated Writes |
+| "KA" | "LO" | "LO" | List Object |
+| "K" | KEY READ | "DT" | Delete Subtree |
+| "KW" | KEY WRITE | "CR" | All Extended Rights |
+| "KX" | KEY EXECUTE | | |
+
+- object\_guid: N/A
+- inherit\_object\_guid: N/A
+- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
+
+For more information about SDDL syntax, see these articles: 
+
+***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates every time a new Active Directory replica source naming context is established.
+
+Failure event generates if an error occurs (**Status Code** != 0).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: 
+
+***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates every time Active Directory replica source naming context was removed.
+
+Failure event generates if an error occurs (**Status Code** != 0).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates every time Active Directory replica source naming context was modified.
+
+Failure event generates if an error occurs (**Status Code** != 0).
+
+It is not possible to understand what exactly was modified from this event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates every time Active Directory replica destination naming context was modified.
+
+Failure event generates if an error occurs (**Status Code** != 0).
+
+It is not possible to understand what exactly was modified from this event.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Directory Service Replication](audit-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates every time synchronization of a replica of an Active Directory naming context has begun.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Directory Service Replication](audit-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates every time synchronization of a replica of an Active Directory naming context has ended.
+
+Failure event occurs when synchronization of a replica of an Active Directory naming context failed.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
+
+***Event Description:***
+
+This event generates when Active Directory replication failure begins.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates every time Windows Firewall service starts.
+
+This event shows Windows Firewall settings that were in effect when the Windows Firewall service started.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Allow Remote Administration** \[Type = UnicodeString\]: looks like this setting is connected to ”[Windows Firewall: Allow remote administration exception](https://technet.microsoft.com/en-us/library/cc738900(v=ws.10).aspx)” Group Policy setting, but it is always Disabled, no matter which option is set for “[Windows Firewall: Allow remote administration exception](https://technet.microsoft.com/en-us/library/cc738900(v=ws.10).aspx)” Group Policy.
+
+**Allow Unicast Responses to Multicast/Broadcast Traffic** \[Type = UnicodeString\]:
+
+- **Enabled** - if “**Allow unicast response:**” Settings configuration was set to “Yes” for “Public” profile.
+
+- **Disabled** - if “**Allow unicast response:**” Settings configuration was set to “No” for “Public” profile.
+
+
+
+**Security Logging:**
+
+- **Log Dropped Packets** \[Type = UnicodeString\]:
+
+ - **Enabled** – if “**Log dropped packets:**” Logging configuration was set to “Yes” for “Public” profile.
+
+ - **Disabled** - if “**Log dropped packets:**” Logging configuration was set to “No” for “Public” profile.
+
+- **Log Successful Connections** \[Type = UnicodeString\]:
+
+ - **Enabled** - if “**Log successful connections:**” Logging configuration was set to “Yes” for “Public” profile.
+
+ - **Disabled** - if “**Log dropped packets:**” Logging configuration was set to “No” for “Public” profile.
+
+
+
+## Security Monitoring Recommendations
+
+For 4944(S): The following policy was active when the Windows Firewall started.
+
+- If you have a standard or baseline for Windows Firewall settings defined for **Public** profile (which can be the same as for Domain, for example), monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline.
+
+- Unfortunately this event shows configuration only for **Public** profile, but you can still compare all the settings with your organization's Windows Firewall baseline for Public profile on different computers and trigger an alert if the configuration is not the same.
+
diff --git a/windows/keep-secure/event-4945.md b/windows/keep-secure/event-4945.md
new file mode 100644
index 0000000000..fb0731ead7
--- /dev/null
+++ b/windows/keep-secure/event-4945.md
@@ -0,0 +1,91 @@
+---
+title: 4945(S) A rule was listed when the Windows Firewall started. (Windows 10)
+description: Describes security event 4945(S) A rule was listed when the Windows Firewall started.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4945(S): A rule was listed when the Windows Firewall started.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates every time Windows Firewall service starts.
+
+This event shows the inbound and/or outbound rule which was listed when the Windows Firewall started and applied for “Public” profile.
+
+This event generates per rule.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was listed when the Windows Firewall started. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+## Security Monitoring Recommendations
+
+For 4945(S): A rule was listed when the Windows Firewall started.
+
+- Typically this event has an informational purpose.
+
+- Unfortunately this event shows rules only for **Public** profile, but you still can compare this list with your organization's Windows Firewall baseline for Public profile rules on different computers, and trigger an alert if the configuration is not the same.
+
diff --git a/windows/keep-secure/event-4946.md b/windows/keep-secure/event-4946.md
new file mode 100644
index 0000000000..0fea17268d
--- /dev/null
+++ b/windows/keep-secure/event-4946.md
@@ -0,0 +1,101 @@
+---
+title: 4946(S) A change has been made to Windows Firewall exception list. A rule was added. (Windows 10)
+description: Describes security event 4946(S) A change has been made to Windows Firewall exception list. A rule was added.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4946(S): A change has been made to Windows Firewall exception list. A rule was added.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when new rule was locally added to Windows Firewall.
+
+This event doesn't generate when new rule was added via Group Policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was added. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+## Security Monitoring Recommendations
+
+For 4946(S): A change has been made to Windows Firewall exception list. A rule was added.
+
+- This event can be helpful in case you want to monitor all creations of new Firewall rules which were done locally.
+
diff --git a/windows/keep-secure/event-4947.md b/windows/keep-secure/event-4947.md
new file mode 100644
index 0000000000..3103502558
--- /dev/null
+++ b/windows/keep-secure/event-4947.md
@@ -0,0 +1,101 @@
+---
+title: 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. (Windows 10)
+description: Describes security event 4947(S) A change has been made to Windows Firewall exception list. A rule was modified.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall rule was modified.
+
+This event doesn't generate when Firewall rule was modified via Group Policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+## Security Monitoring Recommendations
+
+For 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
+
+- This event can be helpful in case you want to monitor all Firewall rules modifications which were done locally.
+
diff --git a/windows/keep-secure/event-4948.md b/windows/keep-secure/event-4948.md
new file mode 100644
index 0000000000..8193b2ec9f
--- /dev/null
+++ b/windows/keep-secure/event-4948.md
@@ -0,0 +1,101 @@
+---
+title: 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. (Windows 10)
+description: Describes security event 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall rule was deleted.
+
+This event doesn't generate when the rule was deleted via Group Policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was deleted. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+## Security Monitoring Recommendations
+
+For 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted.
+
+- This event can be helpful in case you want to monitor all deletions of Firewall rules which were done locally.
+
diff --git a/windows/keep-secure/event-4949.md b/windows/keep-secure/event-4949.md
new file mode 100644
index 0000000000..0b8194ac9e
--- /dev/null
+++ b/windows/keep-secure/event-4949.md
@@ -0,0 +1,67 @@
+---
+title: 4949(S) Windows Firewall settings were restored to the default values. (Windows 10)
+description: Describes security event 4949(S) Windows Firewall settings were restored to the default values.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4949(S): Windows Firewall settings were restored to the default values.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall settings were locally restored to the default configuration.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall local setting was changed.
+
+This event doesn't generate when Windows Firewall setting was changed via Group Policy.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Value** \[Type = UnicodeString\]: new value of modified setting.
+
+## Security Monitoring Recommendations
+
+For 4950(S): A Windows Firewall setting has changed.
+
+- If you have a standard or baseline for Windows Firewall settings defined, monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline.
+
+- This event can be helpful in case you want to monitor all changes in Windows Firewall settings which were done locally.
+
diff --git a/windows/keep-secure/event-4951.md b/windows/keep-secure/event-4951.md
new file mode 100644
index 0000000000..82cf1bbeb8
--- /dev/null
+++ b/windows/keep-secure/event-4951.md
@@ -0,0 +1,103 @@
+---
+title: 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. (Windows 10)
+description: Describes security event 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions.
+
+If you create a firewall rule on a newer version of Windows that references firewall settings that are not available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it cannot process the rule.
+
+The only solution is to remove the incompatible rule, and then deploy a compatible rule.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+## Security Monitoring Recommendations
+
+For 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall.
+
+- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
+
diff --git a/windows/keep-secure/event-4952.md b/windows/keep-secure/event-4952.md
new file mode 100644
index 0000000000..06e7cc5bc5
--- /dev/null
+++ b/windows/keep-secure/event-4952.md
@@ -0,0 +1,51 @@
+---
+title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. (Windows 10)
+description: Describes security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions.
+
+If you create a firewall rule on a newer version of Windows that references firewall settings that are not available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it cannot process the rule.
+
+The only solution is to remove the incompatible rule, and then deploy a compatible rule.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Schema:***
+
+*Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.*
+
+*%t*
+
+*Profile:%t%1*
+
+*Partially Ignored Rule:*
+
+*%tID:%t%2*
+
+*%tName:%t%3*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008, Windows Vista.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
+
diff --git a/windows/keep-secure/event-4953.md b/windows/keep-secure/event-4953.md
new file mode 100644
index 0000000000..5f4046b134
--- /dev/null
+++ b/windows/keep-secure/event-4953.md
@@ -0,0 +1,104 @@
+---
+title: 4953(F) Windows Firewall ignored a rule because it could not be parsed. (Windows 10)
+description: Describes security event 4953(F) Windows Firewall ignored a rule because it could not be parsed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4953(F): Windows Firewall ignored a rule because it could not be parsed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates if Windows Firewall was not able to parse Windows Firewall rule for some reason.
+
+It can happen if Windows Firewall rule registry entry was corrupted.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+## Security Monitoring Recommendations
+
+For 4953(F): Windows Firewall ignored a rule because it could not be parsed.
+
+- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
+
diff --git a/windows/keep-secure/event-4954.md b/windows/keep-secure/event-4954.md
new file mode 100644
index 0000000000..313eef1046
--- /dev/null
+++ b/windows/keep-secure/event-4954.md
@@ -0,0 +1,67 @@
+---
+title: 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. (Windows 10)
+description: Describes security event 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates every time Windows Firewall group policy is changed, locally or from Active Directory Group Policy.
+
+This event generates every time local Group Policy is refreshed, even if no Windows Firewall settings were modified or presented.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall has changed the active profile.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall starts or apply new rule, and the rule cannot be applied for some reason.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Name** \[Type = UnicodeString\]: the name of the rule which was not applied. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+
+
+
+**Error Information:**
+
+- **Reason** \[Type = UnicodeString\]: the reason why the rule was not applied.
+
+## Security Monitoring Recommendations
+
+For 4957(F): Windows Firewall did not apply the following rule.
+
+- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
+
diff --git a/windows/keep-secure/event-4958.md b/windows/keep-secure/event-4958.md
new file mode 100644
index 0000000000..aec78e8144
--- /dev/null
+++ b/windows/keep-secure/event-4958.md
@@ -0,0 +1,43 @@
+---
+title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10)
+description: Describes security event 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+Windows Firewall with Advanced Security processed a rule that contains parameters that cannot be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This is not necessarily an error. Examine the rule for applicability on the computers to which it was applied.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
+
+***Event Schema:***
+
+*Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
+Rule Information:
+%tID:%t%1
+%tName:%t%2
+Error Information:
+%tError:%t%3
+%tReason:%t%4*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008, Windows Vista.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.
+
diff --git a/windows/keep-secure/event-4964.md b/windows/keep-secure/event-4964.md
new file mode 100644
index 0000000000..96d32ccc21
--- /dev/null
+++ b/windows/keep-secure/event-4964.md
@@ -0,0 +1,159 @@
+---
+title: 4964(S) Special groups have been assigned to a new logon. (Windows 10)
+description: Describes security event 4964(S) Special groups have been assigned to a new logon.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 4964(S): Special groups have been assigned to a new logon.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Special Logon](audit-special-logon.md)
+
+***Event Description:***
+
+This event occurs when an account that is a member of any defined [Special Group](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) logs in.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md), [Audit Other Privilege Use Events](audit-other-privilege-use-events.md), and [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
+
+***Event Description:***
+
+This is an informational event from file system [Transaction Manager](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366385(v=vs.85).aspx).
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+## Security Monitoring Recommendations
+
+For 4985(S): The state of a transaction has changed.
+
+- This event typically has no security relevance and used for [Transaction Manager](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366385(v=vs.85).aspx) troubleshooting.
+
diff --git a/windows/keep-secure/event-5024.md b/windows/keep-secure/event-5024.md
new file mode 100644
index 0000000000..c06e33a285
--- /dev/null
+++ b/windows/keep-secure/event-5024.md
@@ -0,0 +1,69 @@
+---
+title: 5024(S) The Windows Firewall Service has started successfully. (Windows 10)
+description: Describes security event 5024(S) The Windows Firewall Service has started successfully.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5024(S): The Windows Firewall Service has started successfully.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall (MpsSvc) service has started successfully.
+
+This event is typically logged during operating system startup process.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall (MpsSvc) service has been stopped.
+
+This event is typically logged during operating system shutdown process.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This error indicates one of two situations, low memory resources or Windows Firewall group policy registry corruption.
+
+Typically if this event occurs it indicates that Windows Firewall service was not able to start.
+
+It typically occurs with “[5028](event-5028.md)(S): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.”
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This error indicates one of two situations, low memory resources or Windows Firewall group policy registry corruption.
+
+Typically if this event occurs it indicates that Windows Firewall service was not able to start.
+
+It typically occurs with “[5027](event-5027.md)(S): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.”
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
+
+***Event Description:***
+
+This event generates when an application was blocked from accepting incoming connections on the network by [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx).
+
+If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) layer, because by default this layer is denying any incoming connections.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall driver (Windows Firewall Authorization Driver service) has started successfully.
+
+This event is typically logged during operating system startup process.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This event generates when Windows Firewall driver (Windows Firewall Authorization Driver service) was stopped.
+
+This event is NOT logged during the operating system shutdown process.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used:
+
+- Microsoft Software Key Storage Provider
+
+- Microsoft Smart Card Key Storage Provider
+
+You can see these events, for example, during certificate renewal or export operations using KSP.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Key Type** \[Type = UnicodeString\]: can have one of the following values:
+
+ - “User key.” – user’s cryptographic key.
+
+ - “Machine key.” – machine’s cryptographic key.
+
+**Key File Operation Information:**
+
+- **File Path** \[Type = UnicodeString\]: full path and filename of the key file on which the operation was performed.
+
+- **Operation** \[Type = UnicodeString\]: performed operation. Examples:
+
+ - Write persisted key to file.
+
+ - Read persisted key from file.
+
+ - Delete key file.
+
+- **Return Code** \[Type = HexInt32\]: has “**0x0**” value for Success events. For failure events, provides a hexadecimal error code number.
+
+## Security Monitoring Recommendations
+
+For 5058(S, F): Key file operation.
+
+- Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”**) or a specific **“Operation”**, such as **“Delete key file”**, create monitoring rules and use this event as an information source.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
diff --git a/windows/keep-secure/event-5059.md b/windows/keep-secure/event-5059.md
new file mode 100644
index 0000000000..3a1b397f62
--- /dev/null
+++ b/windows/keep-secure/event-5059.md
@@ -0,0 +1,156 @@
+---
+title: 5059(S, F) Key migration operation. (Windows 10)
+description: Describes security event 5059(S, F) Key migration operation.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5059(S, F): Key migration operation.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Description:***
+
+This event generates when a cryptographic key is exported or imported using a [Key Storage Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used:
+
+- Microsoft Software Key Storage Provider
+
+- Microsoft Smart Card Key Storage Provider
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Key Type** \[Type = UnicodeString\]: can have one of the following values:
+
+ - “User key.” – user’s cryptographic key.
+
+ - “Machine key.” – machine’s cryptographic key.
+
+**Additional Information:**
+
+- **Operation** \[Type = UnicodeString\]: performed operation. Examples:
+
+ - “**Export of persistent cryptographic key.**” – typically generates during key read operations, which means that the key was taken for read purposes. But it also generates during real key export operations (export certificate with private key, for example).
+
+ - “**Import of persistent cryptographic key.**” – key import operation was performed (import certificate with private key, for example).
+
+- **Return Code** \[Type = HexInt32\]: has “**0x0**” value for Success events. For failure events, provides a hexadecimal error code number.
+
+## Security Monitoring Recommendations
+
+For 5059(S, F): Key migration operation.
+
+- Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”)** or a specific **“Operation”**, such as **“Export of persistent cryptographic key”**, create monitoring rules and use this event as an information source.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+-
+
diff --git a/windows/keep-secure/event-5060.md b/windows/keep-secure/event-5060.md
new file mode 100644
index 0000000000..b568ea571b
--- /dev/null
+++ b/windows/keep-secure/event-5060.md
@@ -0,0 +1,75 @@
+'---
+title: 5060(F) Verification operation failed. (Windows 10)
+description: Describes security event 5060(F) Verification operation failed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5060(F): Verification operation failed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This event generates in case of CNG verification operation failure.
+
+For more information about Cryptographic Next Generation (CNG) visit these pages:
+
+- 
+
+***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
+
+***Event Description:***
+
+This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used:
+
+- Microsoft Software Key Storage Provider
+
+- Microsoft Smart Card Key Storage Provider
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Key Type** \[Type = UnicodeString\]: can have one of the following values:
+
+ - “User key.” – user’s cryptographic key.
+
+ - “Machine key.” – machine’s cryptographic key.
+
+**Cryptographic Operation:**
+
+- **Operation** \[Type = UnicodeString\]: performed operation. Possible values:
+
+ - Open Key. – open existing cryptographic key.
+
+ - Create Key. – create new cryptographic key.
+
+ - Delete Key. – delete existing cryptographic key.
+
+ - Sign hash. – cryptographic signing operation.
+
+ - Secret agreement.
+
+ - Key Derivation. – key derivation operation.
+
+ - Encrypt. – encryption operation.
+
+ - Decrypt. – decryption operation.
+
+- **Return Code** \[Type = HexInt32\]: has “**0x0**” value for Success events. For failure events, provides a hexadecimal error code number.
+
+## Security Monitoring Recommendations
+
+For 5061(S, F): Cryptographic operation.
+
+- Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”)** or a specific **“Operation”**, such as **“Delete Key”**, create monitoring rules and use this event as an information source.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
diff --git a/windows/keep-secure/event-5062.md b/windows/keep-secure/event-5062.md
new file mode 100644
index 0000000000..4f1aa57c3f
--- /dev/null
+++ b/windows/keep-secure/event-5062.md
@@ -0,0 +1,39 @@
+---
+title: 5062(S) A kernel-mode cryptographic self-test was performed. (Windows 10)
+description: Describes security event 5062(S) A kernel-mode cryptographic self-test was performed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5062(S): A kernel-mode cryptographic self-test was performed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This event occurs rarely, and in some situations may be difficult to reproduce.
+
+***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
+
+***Event Schema:***
+
+*A kernel-mode cryptographic self test was performed.*
+
+*Module:%1*
+
+*Return Code:%2*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008, Windows Vista.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- Typically this event is required for detailed monitoring of CNG-related actions with cryptographic keys. If you need to monitor or troubleshoot actions related to specific cryptographic keys and operations, review this event to see if it provides the information you need.
+
diff --git a/windows/keep-secure/event-5063.md b/windows/keep-secure/event-5063.md
new file mode 100644
index 0000000000..9a0a83c802
--- /dev/null
+++ b/windows/keep-secure/event-5063.md
@@ -0,0 +1,69 @@
+---
+title: 5063(S, F) A cryptographic provider operation was attempted. (Windows 10)
+description: Describes security event 5063(S, F) A cryptographic provider operation was attempted.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5063(S, F): A cryptographic provider operation was attempted.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These are Cryptographic Next Generation (CNG) functions.
+
+This event generates when cryptographic provider was registered or unregistered.
+
+For more information about Cryptographic Next Generation (CNG) visit these pages:
+
+- 
+
+***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md)
+
+***Event Description:***
+
+This event generates every time an Active Directory object is modified.
+
+To generate this event, the modified object must have an appropriate entry in [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Write”** action auditing for specific attributes.
+
+For a change operation you will typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md)
+
+***Event Description:***
+
+This event generates every time an Active Directory object is created.
+
+This event only generates if the parent object has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action auditing for the organizational unit.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md)
+
+***Event Description:***
+
+This event generates every time an Active Directory object is undeleted. It happens, for example, when an Active Directory object was restored from the [Active Directory Recycle Bin](https://technet.microsoft.com/en-us/library/dd392261(v=ws.10).aspx).
+
+This event only generates if the container to which the Active Directory object was restored has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create User objects**” action.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md)
+
+***Event Description:***
+
+This event generates every time an Active Directory object is moved.
+
+This event only generates if the destination object has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action, auditing for the organizational unit.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit File Share](audit-file-share.md)
+
+***Event Description:***
+
+This event generates every time network share object was accessed.
+
+This event generates once per session, when first access attempt was made.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Directory Service Changes](audit-directory-service-changes.md)
+
+***Event Description:***
+
+This event generates every time an Active Directory object is deleted.
+
+This event only generates if the deleted object has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Delete”** action, auditing for specific objects.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Correlation ID** \[Type = GUID\]: multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events from current subcategory with the same **Correlation ID**, for example “[5137](event-5137.md): A directory service object was created.” and “[5139](event-5139.md): A directory service object was moved.”
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+- **Application Correlation ID** \[Type = UnicodeString\]: always has “**-**“ value. Not in use.
+
+## Security Monitoring Recommendations
+
+For 5141(S): A directory service object was deleted.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If you need to monitor deletion of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor for group policy objects deletions: **groupPolicyContainer** class.
+
+- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects which should not be deleted, monitor for their deletion.
+
diff --git a/windows/keep-secure/event-5142.md b/windows/keep-secure/event-5142.md
new file mode 100644
index 0000000000..418a6387f7
--- /dev/null
+++ b/windows/keep-secure/event-5142.md
@@ -0,0 +1,106 @@
+---
+title: 5142(S) A network share object was added. (Windows 10)
+description: Describes security event 5142(S) A network share object was added.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5142(S): A network share object was added.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit File Share](audit-file-share.md)
+
+***Event Description:***
+
+This event generates every time network share object was added.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit File Share](audit-file-share.md)
+
+***Event Description:***
+
+This event generates every time network share object was modified.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it is not set.
+
+- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it is not set.
+
+- **Old MaxUsers** \[Type = HexInt32\]: old hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited.
+
+- **New Maxusers** \[Type = HexInt32\]**:** new hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited.
+
+- **Old ShareFlags** \[Type = HexInt32\]: old hexadecimal value of “**Offline Settings**” caching settings window flags.
+
+
+
+- **New ShareFlags** \[Type = HexInt32\]: new hexadecimal value of “**Offline Settings**” caching settings window flags.
+
+- **Old SD** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for network share security descriptor.
+
+- **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor.
+
+> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+
+> Example:
+
+> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
+
+> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
+> See the list of possible values in the table below:
+
+| Value | Description | Value | Description |
+|-------|--------------------------------------|-------|---------------------------------|
+| "AO" | Account operators | "PA" | Group Policy administrators |
+| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user |
+| "AN" | Anonymous logon | "LA" | Local administrator |
+| "AU" | Authenticated users | "LG" | Local guest |
+| "BA" | Built-in administrators | "LS" | Local service account |
+| "BG" | Built-in guests | "SY" | Local system |
+| "BO" | Backup operators | "NU" | Network logon user |
+| "BU" | Built-in users | "NO" | Network configuration operators |
+| "CA" | Certificate server administrators | "NS" | Network service account |
+| "CG" | Creator group | "PO" | Printer operators |
+| "CO" | Creator owner | "PS" | Personal self |
+| "DA" | Domain administrators | "PU" | Power users |
+| "DC" | Domain computers | "RS" | RAS servers group |
+| "DD" | Domain controllers | "RD" | Terminal server users |
+| "DG" | Domain guests | "RE" | Replicator |
+| "DU" | Domain users | "RC" | Restricted code |
+| "EA" | Enterprise administrators | "SA" | Schema administrators |
+| "ED" | Enterprise domain controllers | "SO" | Server operators |
+| "WD" | Everyone | "SU" | Service logon user |
+
+- *G*: = Primary Group.
+- *D*: = DACL Entries.
+- *S*: = SACL Entries.
+
+*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
+
+Example: D:(A;;FA;;;WD)
+
+- entry\_type:
+
+“D” - DACL
+
+“S” - SACL
+
+- inheritance\_flags:
+
+"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+
+"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
+
+"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
+
+- ace\_type:
+
+"A" - ACCESS ALLOWED
+
+"D" - ACCESS DENIED
+
+"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
+
+"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
+
+"AU" - SYSTEM AUDIT
+
+"A" - SYSTEM ALARM
+
+"OU" - OBJECT SYSTEM AUDIT
+
+"OL" - OBJECT SYSTEM ALARM
+
+- ace\_flags:
+
+"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
+
+"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
+
+"NP" - NO PROPAGATE: only immediate children inherit this ace.
+
+"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+
+"ID" - ACE IS INHERITED
+
+"SA" - SUCCESSFUL ACCESS AUDIT
+
+"FA" - FAILED ACCESS AUDIT
+- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
+
+| Value | Description | Value | Description |
+|----------------------------|---------------------------------|----------------------|--------------------------|
+| Generic access rights | Directory service access rights |
+| "GA" | GENERIC ALL | "RC" | Read Permissions |
+| "GR" | GENERIC READ | "SD" | Delete |
+| "GW" | GENERIC WRITE | "WD" | Modify Permissions |
+| "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
+| File access rights | "RP" | Read All Properties |
+| "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
+| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
+| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
+| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
+| Registry key access rights | "SW" | All Validated Writes |
+| "KA" | "LO" | "LO" | List Object |
+| "K" | KEY READ | "DT" | Delete Subtree |
+| "KW" | KEY WRITE | "CR" | All Extended Rights |
+| "KX" | KEY EXECUTE | | |
+
+- object\_guid: N/A
+- inherit\_object\_guid: N/A
+- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
+
+For more information about SDDL syntax, see these articles: 
+
+***Subcategory:*** [Audit File Share](audit-file-share.md)
+
+***Event Description:***
+
+This event generates every time a network share object is deleted.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Detailed File Share](audit-detailed-file-share.md)
+
+***Event Description:***
+
+This event generates every time network share object (file or folder) was accessed.
+
+*Important*: Failure events are generated only when access is denied at the file share level. No events are generated if access was denied on the file system (NTFS) level.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
Schema Value | Description | +|-----------------------------------------------------------|----------------------------|---------------| +| ReadData (or ListDirectory) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA | 0x8,
%%4419 | The right to read extended file attributes. | +| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | +| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | +| DELETE | 0x10000,
%%1537 | The right to delete the object. | +| READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | + +> Table 13. File access codes. + +**Access Check Results** \[Type = UnicodeString\]: the list of access check results. The format of the result is:
+ +REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. + +- REQUESTED\_ACCESS – the name of requested access. See [Table of file access codes](#table-of-file-access-codes), earlier in this topic. + +- RESULT: + + - Granted by – if access was granted. + + - Denied by – if access was denied. + +- ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access. + +> **Note** The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. + +> Example: + +> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) + +> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. +> See the list of possible values in the table below. + +## SDDL values for Access Control Entry + +| Value | Description | Value | Description | +|-------|--------------------------------------|-------|---------------------------------| +| "AO" | Account operators | "PA" | Group Policy administrators | +| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | +| "AN" | Anonymous logon | "LA" | Local administrator | +| "AU" | Authenticated users | "LG" | Local guest | +| "BA" | Built-in administrators | "LS" | Local service account | +| "BG" | Built-in guests | "SY" | Local system | +| "BO" | Backup operators | "NU" | Network logon user | +| "BU" | Built-in users | "NO" | Network configuration operators | +| "CA" | Certificate server administrators | "NS" | Network service account | +| "CG" | Creator group | "PO" | Printer operators | +| "CO" | Creator owner | "PS" | Personal self | +| "DA" | Domain administrators | "PU" | Power users | +| "DC" | Domain computers | "RS" | RAS servers group | +| "DD" | Domain controllers | "RD" | Terminal server users | +| "DG" | Domain guests | "RE" | Replicator | +| "DU" | Domain users | "RC" | Restricted code | +| "EA" | Enterprise administrators | "SA" | Schema administrators | +| "ED" | Enterprise domain controllers | "SO" | Server operators | +| "WD" | Everyone | "SU" | Service logon user | + +- *G*: = Primary Group. +- *D*: = DACL Entries. +- *S*: = SACL Entries. + +*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid) + +Example: D:(A;;FA;;;WD) + +- entry\_type: + +“D” - DACL + +“S” - SACL + +- inheritance\_flags: + +"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. + +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. + +"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. + +- ace\_type: + +"A" - ACCESS ALLOWED + +"D" - ACCESS DENIED + +"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s). + +"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s). + +"AU" - SYSTEM AUDIT + +"A" - SYSTEM ALARM + +"OU" - OBJECT SYSTEM AUDIT + +"OL" - OBJECT SYSTEM ALARM + +- ace\_flags: + +"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. + +"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. + +"NP" - NO PROPAGATE: only immediate children inherit this ace. + +"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance. + +"ID" - ACE IS INHERITED + +"SA" - SUCCESSFUL ACCESS AUDIT + +"FA" - FAILED ACCESS AUDIT +- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. + +| Value | Description | Value | Description | +|----------------------------|---------------------------------|----------------------|--------------------------| +| Generic access rights | Directory service access rights | +| "GA" | GENERIC ALL | "RC" | Read Permissions | +| "GR" | GENERIC READ | "SD" | Delete | +| "GW" | GENERIC WRITE | "WD" | Modify Permissions | +| "GX" | GENERIC EXECUTE | "WO" | Modify Owner | +| File access rights | "RP" | Read All Properties | +| "FA" | FILE ALL ACCESS | "WP" | Write All Properties | +| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | +| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | +| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | +| Registry key access rights | "SW" | All Validated Writes | +| "KA" | "LO" | "LO" | List Object | +| "K" | KEY READ | "DT" | Delete Subtree | +| "KW" | KEY WRITE | "CR" | All Extended Rights | +| "KX" | KEY EXECUTE | | | + +- object\_guid: N/A +- inherit\_object\_guid: N/A +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. + +For more information about SDDL syntax, see these articles:
+
+***Subcategory:*** [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
+
+***Event Description:***
+
+This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) has blocked a network packet.
+
+This event is generated for every received network packet.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+ Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
+
+
+
+**Network Information:**
+
+- **Direction** \[Type = UnicodeString\]: direction of blocked connection.
+
+ - Inbound – for inbound connections.
+
+ - Outbound – for unbound connections.
+
+- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application received the packet.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the packet.
+
+- **Destination Address** \[Type = UnicodeString\]**:** IP address ***from*** which packet was received or initiated.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to send the packet.
+
+- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+
+| Service | Protocol Number |
+|----------------------------------------------------|-----------------|
+| Internet Control Message Protocol (ICMP) | 1 |
+| Transmission Control Protocol (TCP) | 6 |
+| User Datagram Protocol (UDP) | 17 |
+| General Routing Encapsulation (PPTP data over GRE) | 47 |
+| Authentication Header (AH) IPSec | 51 |
+| Encapsulation Security Payload (ESP) IPSec | 50 |
+| Exterior Gateway Protocol (EGP) | 8 |
+| Gateway-Gateway Protocol (GGP) | 3 |
+| Host Monitoring Protocol (HMP) | 20 |
+| Internet Group Management Protocol (IGMP) | 88 |
+| MIT Remote Virtual Disk (RVD) | 66 |
+| OSPF Open Shortest Path First | 89 |
+| PARC Universal Packet Protocol (PUP) | 12 |
+| Reliable Datagram Protocol (RDP) | 27 |
+| Reservation Protocol (RSVP) QoS | 46 |
+
+**Filter Information:**
+
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the packet.
+
+ To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+
+ 
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+
+
+
+## Security Monitoring Recommendations
+
+For 5152(F): The Windows Filtering Platform blocked a packet.
+
+- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+
+- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
+
+- Check that **Source Address** is one of the addresses assigned to the computer.
+
+- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges).
+
+- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.”
+
+- If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the whitelist.
+
+- If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”**
+
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+
+- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
+
diff --git a/windows/keep-secure/event-5153.md b/windows/keep-secure/event-5153.md
new file mode 100644
index 0000000000..e02ea78a1e
--- /dev/null
+++ b/windows/keep-secure/event-5153.md
@@ -0,0 +1,59 @@
+---
+title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10)
+description: Describes security event 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
+
+***Event Schema:***
+
+*A more restrictive Windows Filtering Platform filter has blocked a packet.*
+
+*Application Information:*
+
+> *Process ID:%1*
+>
+> *Application Name:%2*
+
+*Network Information:*
+
+> *Source Address:%3*
+>
+> *Source Port:%4*
+>
+> *Protocol:%5*
+
+*Filter Information:*
+
+> *Filter Run-Time ID:%6*
+>
+> *Layer Name:%7*
+>
+> *Layer Run-Time ID:%8*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008, Windows Vista.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-5154.md b/windows/keep-secure/event-5154.md
new file mode 100644
index 0000000000..12255300cf
--- /dev/null
+++ b/windows/keep-secure/event-5154.md
@@ -0,0 +1,144 @@
+---
+title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. (Windows 10)
+description: Describes security event 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
+
+***Event Description:***
+
+This event generates every time [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) permits an application or service to listen on a port.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+ Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
+
+
+
+**Network Information:**
+
+- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application requested to listen on the port.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number which was requested for listening by application.
+
+- **Protocol** \[Type = UInt32\]: protocol number. For example:
+
+ - 6 – TCP.
+
+ - 17 – UDP.
+
+ More information about possible values for this field:
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+
+
+
+## Security Monitoring Recommendations
+
+For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
+
+- If you have a “whitelist” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
+
+- If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”**
+
+- If a certain application is allowed to listen only on a specific IP address, monitor this event for **“Application Name”** and **“Network Information\\Source Address**.**”**
+
+- If a certain application is allowed to use only TCP or UDP protocols, monitor this event for **“Application Name”** and the protocol number in **“Network Information\\Protocol**.**”**
+
+- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+
+- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
+
+- Typically this event has an informational purpose.
+
diff --git a/windows/keep-secure/event-5155.md b/windows/keep-secure/event-5155.md
new file mode 100644
index 0000000000..369db60297
--- /dev/null
+++ b/windows/keep-secure/event-5155.md
@@ -0,0 +1,61 @@
+---
+title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. (Windows 10)
+description: Describes security event 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system will not generate Event 5155 by itself.
+
+You can add your own filters using the WFP APIs to block listen to reproduce this event: 
+
+***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
+
+***Event Description:***
+
+This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) has allowed a connection.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+ Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
+
+
+
+**Network Information:**
+
+- **Direction** \[Type = UnicodeString\]: direction of allowed connection.
+
+ - Inbound – for inbound connections.
+
+ - Outbound – for unbound connections.
+
+- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application received the connection.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the connection.
+
+- **Destination Address** \[Type = UnicodeString\]**:** IP address ***from*** which connection was received or initiated.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to initiate connection.
+
+- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+
+| Service | Protocol Number |
+|----------------------------------------------------|-----------------|
+| Internet Control Message Protocol (ICMP) | 1 |
+| Transmission Control Protocol (TCP) | 6 |
+| User Datagram Protocol (UDP) | 17 |
+| General Routing Encapsulation (PPTP data over GRE) | 47 |
+| Authentication Header (AH) IPSec | 51 |
+| Encapsulation Security Payload (ESP) IPSec | 50 |
+| Exterior Gateway Protocol (EGP) | 8 |
+| Gateway-Gateway Protocol (GGP) | 3 |
+| Host Monitoring Protocol (HMP) | 20 |
+| Internet Group Management Protocol (IGMP) | 88 |
+| MIT Remote Virtual Disk (RVD) | 66 |
+| OSPF Open Shortest Path First | 89 |
+| PARC Universal Packet Protocol (PUP) | 12 |
+| Reliable Datagram Protocol (RDP) | 27 |
+| Reservation Protocol (RSVP) QoS | 46 |
+
+**Filter Information:**
+
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allowed the connection.
+
+ To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+
+
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+
+
+
+## Security Monitoring Recommendations
+
+For 5156(S): The Windows Filtering Platform has permitted a connection.
+
+- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+
+- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
+
+- Check that “**Source Address”** is one of the addresses assigned to the computer.
+
+- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
+
+- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
+
+- If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the whitelist.
+
+- If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**
+
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+
+- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
+
diff --git a/windows/keep-secure/event-5157.md b/windows/keep-secure/event-5157.md
new file mode 100644
index 0000000000..b66541d467
--- /dev/null
+++ b/windows/keep-secure/event-5157.md
@@ -0,0 +1,185 @@
+---
+title: 5157(F) The Windows Filtering Platform has blocked a connection. (Windows 10)
+description: Describes security event 5157(F) The Windows Filtering Platform has blocked a connection.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5157(F): The Windows Filtering Platform has blocked a connection.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
+
+***Event Description:***
+
+This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) has blocked a connection.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+ Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
+
+
+
+**Network Information:**
+
+- **Direction** \[Type = UnicodeString\]: direction of blocked connection.
+
+ - Inbound – for inbound connections.
+
+ - Outbound – for unbound connections.
+
+- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application received the connection.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the connection.
+
+- **Destination Address** \[Type = UnicodeString\]**:** IP address ***from*** which connection was received or initiated.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to initiate connection.
+
+- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+
+| Service | Protocol Number |
+|----------------------------------------------------|-----------------|
+| Internet Control Message Protocol (ICMP) | 1 |
+| Transmission Control Protocol (TCP) | 6 |
+| User Datagram Protocol (UDP) | 17 |
+| General Routing Encapsulation (PPTP data over GRE) | 47 |
+| Authentication Header (AH) IPSec | 51 |
+| Encapsulation Security Payload (ESP) IPSec | 50 |
+| Exterior Gateway Protocol (EGP) | 8 |
+| Gateway-Gateway Protocol (GGP) | 3 |
+| Host Monitoring Protocol (HMP) | 20 |
+| Internet Group Management Protocol (IGMP) | 88 |
+| MIT Remote Virtual Disk (RVD) | 66 |
+| OSPF Open Shortest Path First | 89 |
+| PARC Universal Packet Protocol (PUP) | 12 |
+| Reliable Datagram Protocol (RDP) | 27 |
+| Reservation Protocol (RSVP) QoS | 46 |
+
+**Filter Information:**
+
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the connection.
+
+ To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+
+
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+
+
+
+## Security Monitoring Recommendations
+
+For 5157(F): The Windows Filtering Platform has blocked a connection.
+
+- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+
+- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
+
+- Check that “**Source Address”** is one of the addresses assigned to the computer.
+
+- If the\` computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
+
+- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
+
+- If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the whitelist.
+
+- If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”**
+
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+
+- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
+
diff --git a/windows/keep-secure/event-5158.md b/windows/keep-secure/event-5158.md
new file mode 100644
index 0000000000..2e9b42e9b0
--- /dev/null
+++ b/windows/keep-secure/event-5158.md
@@ -0,0 +1,156 @@
+---
+title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port. (Windows 10)
+description: Describes security event 5158(S) The Windows Filtering Platform has permitted a bind to a local port.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
+
+***Event Description:***
+
+This event generates every time [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) permits an application or service to bind to a local port.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+ If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
+
+ You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+
+
+
+- **Application Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+
+ Logical disk is displayed in format \\device\\harddiskvolume\#. You can get all local volume numbers by using **diskpart** utility. The command to get volume numbers using diskpart is “**list volume”**:
+
+
+
+**Network Information:**
+
+- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application was bind the port.
+
+ - IPv4 Address
+
+ - IPv6 Address
+
+ - :: - all IP addresses in IPv6 format
+
+ - 0.0.0.0 - all IP addresses in IPv4 format
+
+ - 127.0.0.1 , ::1 - localhost
+
+- **Source Port** \[Type = UnicodeString\]**:** port number which application was bind.
+
+- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+
+| Service | Protocol Number |
+|----------------------------------------------------|-----------------|
+| Internet Control Message Protocol (ICMP) | 1 |
+| Transmission Control Protocol (TCP) | 6 |
+| User Datagram Protocol (UDP) | 17 |
+| General Routing Encapsulation (PPTP data over GRE) | 47 |
+| Authentication Header (AH) IPSec | 51 |
+| Encapsulation Security Payload (ESP) IPSec | 50 |
+| Exterior Gateway Protocol (EGP) | 8 |
+| Gateway-Gateway Protocol (GGP) | 3 |
+| Host Monitoring Protocol (HMP) | 20 |
+| Internet Group Management Protocol (IGMP) | 88 |
+| MIT Remote Virtual Disk (RVD) | 66 |
+| OSPF Open Shortest Path First | 89 |
+| PARC Universal Packet Protocol (PUP) | 12 |
+| Reliable Datagram Protocol (RDP) | 27 |
+| Reservation Protocol (RSVP) QoS | 46 |
+
+**Filter Information:**
+
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to bind the port. By default Windows firewall won't prevent a port from being binded by an application and if this application doesn’t match any filters you will get value 0 in this field.
+
+ To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+
+
+
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+
+
+
+## Security Monitoring Recommendations
+
+For 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
+
+- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+
+- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
+- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
+
+- Check that “**Source Address”** is one of the addresses assigned to the computer.
+
+- If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”**
+
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 6 or 17.
+
+- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
+
diff --git a/windows/keep-secure/event-5159.md b/windows/keep-secure/event-5159.md
new file mode 100644
index 0000000000..02939e687e
--- /dev/null
+++ b/windows/keep-secure/event-5159.md
@@ -0,0 +1,59 @@
+---
+title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. (Windows 10)
+description: Describes security event 5159(F) The Windows Filtering Platform has blocked a bind to a local port.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5159(F): The Windows Filtering Platform has blocked a bind to a local port.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This event is logged if the Windows Filtering Platform has blocked a bind to a local port.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
+
+***Event Schema:***
+
+*The Windows Filtering Platform has blocked a bind to a local port.*
+
+*Application Information:*
+
+> *Process ID:%1*
+>
+> *Application Name:%2*
+
+*Network Information:*
+
+> *Source Address:%3*
+>
+> *Source Port:%4*
+>
+> *Protocol:%5*
+
+*Filter Information:*
+
+> *Filter Run-Time ID:%6*
+>
+> *Layer Name:%7*
+>
+> *Layer Run-Time ID:%8*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008, Windows Vista.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-5168.md b/windows/keep-secure/event-5168.md
new file mode 100644
index 0000000000..44c9fe20cc
--- /dev/null
+++ b/windows/keep-secure/event-5168.md
@@ -0,0 +1,119 @@
+---
+title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10)
+description: Describes security event 5168(F) SPN check for SMB/SMB2 failed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 5168(F): SPN check for SMB/SMB2 failed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit File Share](audit-file-share.md)
+
+***Event Description:***
+
+This event generates when SMB SPN check fails.
+
+It often happens because of NTLMv1 or LM protocols usage from client side when “[Microsoft Network Server: Server SPN target name validation level](https://technet.microsoft.com/en-us/library/jj852272.aspx)” group policy set to “Require from client” on server side. SPN only sent to server when NTLMv2 or Kerberos protocols are used, and after that SPN can be validated.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time the user (**Subject**) successfully backs up the [credential manager](https://technet.microsoft.com/library/jj554668.aspx) database.
+
+Typically this can be done by clicking “Back up Credentials” in Credential Manager in the Control Panel.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
+
+***Event Description:***
+
+This event generates every time the user (**Subject**) successfully restores the [credential manager](https://technet.microsoft.com/library/jj554668.aspx) database.
+
+Typically this can be done by clicking “Restore Credentials” in Credential Manager in the Control Panel.
+
+This event generates on domain controllers, member servers, and workstations.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event generates requested [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) credentials delegation was disallowed by [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation policy.
+
+It typically occurs when [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation for [WinRM](https://msdn.microsoft.com/en-us/library/aa384426(v=vs.85).aspx) [double-hop](https://msdn.microsoft.com/en-us/library/ee309365(v=vs.85).aspx) session was not set properly.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
+***Event Description:***
+
+This event generates every time a [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) filter has been changed.
+
+It typically generates during Group Policy update procedures.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event generates when [802.1x](https://technet.microsoft.com/en-us/library/hh831831.aspx) authentication attempt was made for wireless network.
+
+It typically generates when network adapter connects to new wireless network.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+- **Local MAC Address** \[Type = UnicodeString\]**:** local interface’s MAC-address.
+
+- **Peer MAC Address** \[Type = UnicodeString\]**:** peer’s (typically – access point) MAC-address.
+
+**Additional Information:**
+
+- **Reason Code** \[Type = UnicodeString\]**:** contains Reason Text (explanation of Reason Code) and Reason Code for wireless authentication results. See more information about reason codes for wireless authentication here: 
+
+***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+
+***Event Description:***
+
+This event generates when [802.1x](https://technet.microsoft.com/en-us/library/hh831831.aspx) authentication attempt was made for wired network.
+
+It typically generates when network adapter connects to new wired network.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Additional Information:**
+
+- **Reason Code** \[Type = UnicodeString\]: contains Reason Text (explanation of Reason Code) and Reason Code for wired authentication results. See more information about reason codes for wired authentication here: 
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates when the object in [COM+ Catalog](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679196(v=vs.85).aspx) was modified.
+
+For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates when the object in the [COM+ Catalog](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679196(v=vs.85).aspx) was deleted.
+
+For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
+
+***Event Description:***
+
+This event generates when new object was added to the [COM+ Catalog](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679196(v=vs.85).aspx).
+
+For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
+***Event Description:***
+
+This event generates every time settings from the “Security Settings” section in the group policy object are applied successfully to a computer, without any errors. This event generates on the target computer itself.
+
+It is a routine event which shows you the list of Group Policy Objects that include “Security Settings” policies, and that were applied to the computer.
+
+This event generates every time Group Policy is applied to the computer.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+## Security Monitoring Recommendations
+
+For 6144(S): Security policy in the group policy objects has been applied successfully.
+
+- If you have a pre-defined list of Group Policy Objects which contain Security Settings and must be applied to specific computers, then you can compare the list from this event with your list and in case of any difference trigger an alert.
+
+- This event is mostly an informational event.
+
diff --git a/windows/keep-secure/event-6145.md b/windows/keep-secure/event-6145.md
new file mode 100644
index 0000000000..5566da1217
--- /dev/null
+++ b/windows/keep-secure/event-6145.md
@@ -0,0 +1,88 @@
+---
+title: 6145(F) One or more errors occurred while processing security policy in the group policy objects. (Windows 10)
+description: Describes security event 6145(F) One or more errors occurred while processing security policy in the group policy objects.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6145(F): One or more errors occurred while processing security policy in the group policy objects.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
+
+***Event Description:***
+
+This event generates every time settings from the “Security Settings” section in the group policy object are applied to a computer with one or more errors. This event generates on the target computer itself.
+
+This event generates, for example, if the [SID](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx) of a security principal which was included in one of the Group Policy settings cannot be resolved or translated to the real account name.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
+
+## Security Monitoring Recommendations
+
+For 6145(F): One or more errors occurred while processing security policy in the group policy objects.
+
+- This event indicates that Group Policy Objects which were applied to the computer or device had some errors during processing. If you see this event, we recommend checking settings in the GPOs from **GPO List** and resolving the cause of the errors.
+
+- If you have a pre-defined list of Group Policy Objects that contain Security Settings and that must be applied to specific computers, check this event to see if errors occurred when the Security Settings were applied. If so, you can review the error codes and investigate the cause of the failure.
+
+- Typically this event has an informational purpose and the reason is configuration errors in Group Policy’s security settings.
+
+- This event might be used for Group Policy troubleshooting purposes.
+
diff --git a/windows/keep-secure/event-6281.md b/windows/keep-secure/event-6281.md
new file mode 100644
index 0000000000..5f76bd8681
--- /dev/null
+++ b/windows/keep-secure/event-6281.md
@@ -0,0 +1,43 @@
+---
+title: 6281(F) Code Integrity determined that the page hashes of an image file are not valid. (Windows 10)
+description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file are not valid.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
+
+[Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
+
+This event generates when [code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
+
+***Event Schema:***
+
+*Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.*
+
+*File Name:%1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
+
diff --git a/windows/keep-secure/event-6400.md b/windows/keep-secure/event-6400.md
new file mode 100644
index 0000000000..814cd9ffca
--- /dev/null
+++ b/windows/keep-secure/event-6400.md
@@ -0,0 +1,39 @@
+---
+title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. (Windows 10)
+description: Describes security event 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: Received an incorrectly formatted response while discovering availability of content.*
+
+*IP address of the client that sent this response:%1 *
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6401.md b/windows/keep-secure/event-6401.md
new file mode 100644
index 0000000000..f7d1d86945
--- /dev/null
+++ b/windows/keep-secure/event-6401.md
@@ -0,0 +1,39 @@
+---
+title: 6401(-) BranchCache Received invalid data from a peer. Data discarded. (Windows 10)
+description: Describes security event 6401(-) BranchCache Received invalid data from a peer. Data discarded.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6401(-): BranchCache: Received invalid data from a peer. Data discarded.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: Received invalid data from a peer. Data discarded. *
+
+*IP address of the client that sent this data:%1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6402.md b/windows/keep-secure/event-6402.md
new file mode 100644
index 0000000000..95d011d2ac
--- /dev/null
+++ b/windows/keep-secure/event-6402.md
@@ -0,0 +1,39 @@
+---
+title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. (Windows 10)
+description: Describes security event 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: The message to the hosted cache offering it data is incorrectly formatted. *
+
+*IP address of the client that sent this message: %1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6403.md b/windows/keep-secure/event-6403.md
new file mode 100644
index 0000000000..bead5c33d0
--- /dev/null
+++ b/windows/keep-secure/event-6403.md
@@ -0,0 +1,39 @@
+---
+title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. (Windows 10)
+description: Describes security event 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data. *
+
+*Domain name of the hosted cache is:%1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6404.md b/windows/keep-secure/event-6404.md
new file mode 100644
index 0000000000..b01dff56dd
--- /dev/null
+++ b/windows/keep-secure/event-6404.md
@@ -0,0 +1,41 @@
+---
+title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. (Windows 10)
+description: Describes security event 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. *
+
+*Domain name of the hosted cache:%1*
+
+*Error Code:%2*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6405.md b/windows/keep-secure/event-6405.md
new file mode 100644
index 0000000000..e17b4ca9f4
--- /dev/null
+++ b/windows/keep-secure/event-6405.md
@@ -0,0 +1,37 @@
+---
+title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred. (Windows 10)
+description: Describes security event 6405(-) BranchCache %2 instance(s) of event id %1 occurred.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6405(-): BranchCache: %2 instance(s) of event id %1 occurred.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: %2 instance(s) of event id %1 occurred.*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6406.md b/windows/keep-secure/event-6406.md
new file mode 100644
index 0000000000..0d964b060b
--- /dev/null
+++ b/windows/keep-secure/event-6406.md
@@ -0,0 +1,39 @@
+---
+title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. (Windows 10)
+description: Describes security event 6406(-) %1 registered to Windows Firewall to control filtering for the following %2.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*%1 registered to Windows Firewall to control filtering for the following:*
+
+*%2.*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6407.md b/windows/keep-secure/event-6407.md
new file mode 100644
index 0000000000..98a71f5c1c
--- /dev/null
+++ b/windows/keep-secure/event-6407.md
@@ -0,0 +1,37 @@
+---
+title: 6407(-) 1%. (Windows 10)
+description: Describes security event 6407(-) 1%.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6407(-): 1%.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*%1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6408.md b/windows/keep-secure/event-6408.md
new file mode 100644
index 0000000000..29b4a1f469
--- /dev/null
+++ b/windows/keep-secure/event-6408.md
@@ -0,0 +1,37 @@
+---
+title: 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. (Windows 10)
+description: Describes security event 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6409.md b/windows/keep-secure/event-6409.md
new file mode 100644
index 0000000000..7716be0032
--- /dev/null
+++ b/windows/keep-secure/event-6409.md
@@ -0,0 +1,39 @@
+---
+title: 6409(-) BranchCache A service connection point object could not be parsed. (Windows 10)
+description: Describes security event 6409(-) BranchCache A service connection point object could not be parsed.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6409(-): BranchCache: A service connection point object could not be parsed.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
+
+***Event Schema:***
+
+*BranchCache: A service connection point object could not be parsed. *
+
+*SCP object GUID: %1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/event-6410.md b/windows/keep-secure/event-6410.md
new file mode 100644
index 0000000000..b0a4c89708
--- /dev/null
+++ b/windows/keep-secure/event-6410.md
@@ -0,0 +1,43 @@
+---
+title: 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. (Windows 10)
+description: Describes security event 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+[Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
+
+This event generates due to writable [shared sections](https://msdn.microsoft.com/en-us/library/windows/desktop/cc307397.aspx) being present in a file image.
+
+There is no example of this event in this document.
+
+***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
+
+***Event Schema:***
+
+*Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues.*
+
+*File Name:%1*
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows Server 2012 R2, Windows 8.1.
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
+
+
+
diff --git a/windows/keep-secure/event-6416.md b/windows/keep-secure/event-6416.md
new file mode 100644
index 0000000000..9f93d86eb0
--- /dev/null
+++ b/windows/keep-secure/event-6416.md
@@ -0,0 +1,154 @@
+---
+title: 6416(S) A new external device was recognized by the System. (Windows 10)
+description: Describes security event 6416(S) A new external device was recognized by the System.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6416(S): A new external device was recognized by the System.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Event Description:***
+
+This event generates every time a new external device is recognized by a system.
+
+This event generates, for example, when a new external device is connected or enabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Device Name** \[Type = UnicodeString\] \[Version 1\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class Name** \[Type = UnicodeString\] \[Version 1\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Vendor IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+## Security Monitoring Recommendations
+
+For 6416(S): A new external device was recognized by the System.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
+
+- You can use this event to track the events and event information shown in the following table by using the listed fields:
+
+| Event and event information to monitor | Field to use |
+|-----------------------------------------------------|----------------------------|
+| Device recognition events, **Device Instance Path** | “**Device ID**” |
+| Device recognition events, **Device Description** | “**Device Name**” |
+| Device recognition events, **Class GUID** | “**Class ID**” |
+| Device recognition events, **Hardware IDs** | “**Vendor IDs**” |
+| Device recognition events, **Compatible IDs** | “**Compatible IDs**” |
+| Device recognition events, **Location information** | “**Location Information**” |
+
diff --git a/windows/keep-secure/event-6419.md b/windows/keep-secure/event-6419.md
new file mode 100644
index 0000000000..b874b2ea54
--- /dev/null
+++ b/windows/keep-secure/event-6419.md
@@ -0,0 +1,142 @@
+---
+title: 6419(S) A request was made to disable a device. (Windows 10)
+description: Describes security event 6419(S) A request was made to disable a device.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6419(S): A request was made to disable a device.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Event Description:***
+
+This event generates every time when someone made a request to disable a device.
+
+This event doesn’t mean that device was disabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+## Security Monitoring Recommendations
+
+For 6419(S): A request was made to disable a device.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- You can use this event to track the events and event information shown in the following table by using the listed fields:
+
+| Event and event information to monitor | Field to use |
+|---------------------------------------------------|----------------------------|
+| Device disable requests, **Device Instance Path** | “**Device ID**” |
+| Device disable requests, **Device Description** | “**Device Name**” |
+| Device disable requests, **Class GUID** | “**Class ID**” |
+| Device disable requests, **Hardware IDs** | “**Hardware IDs**” |
+| Device disable requests, **Compatible IDs** | “**Compatible IDs**” |
+| Device disable requests, **Location information** | “**Location Information**” |
+
diff --git a/windows/keep-secure/event-6420.md b/windows/keep-secure/event-6420.md
new file mode 100644
index 0000000000..ec339814ea
--- /dev/null
+++ b/windows/keep-secure/event-6420.md
@@ -0,0 +1,140 @@
+---
+title: 6420(S) A device was disabled. (Windows 10)
+description: Describes security event 6420(S) A device was disabled.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6420(S): A device was disabled.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Event Description:***
+
+This event generates every time specific device was disabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+## Security Monitoring Recommendations
+
+For 6420(S): A device was disabled.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- You can use this event to track the events and event information shown in the following table by using the listed fields:
+
+| Event and event information to monitor | Field to use |
+|-------------------------------------------------|----------------------------|
+| Device disable events, **Device Instance Path** | “**Device ID**” |
+| Device disable events, **Device Description** | “**Device Name**” |
+| Device disable events, **Class GUID** | “**Class ID**” |
+| Device disable events, **Hardware IDs** | “**Hardware IDs**” |
+| Device disable events, **Compatible IDs** | “**Compatible IDs**” |
+| Device disable events, **Location information** | “**Location Information**” |
+
diff --git a/windows/keep-secure/event-6421.md b/windows/keep-secure/event-6421.md
new file mode 100644
index 0000000000..ea9ce9c6a5
--- /dev/null
+++ b/windows/keep-secure/event-6421.md
@@ -0,0 +1,142 @@
+---
+title: 6421(S) A request was made to enable a device. (Windows 10)
+description: Describes security event 6421(S) A request was made to enable a device.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6421(S): A request was made to enable a device.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Event Description:***
+
+This event generates every time when someone made a request to enable a device.
+
+This event doesn’t mean that device was enabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+## Security Monitoring Recommendations
+
+For 6421(S): A request was made to enable a device.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- You can use this event to track the events and event information shown in the following table by using the listed fields:
+
+| Event and event information to monitor | Field to use |
+|--------------------------------------------------|----------------------------|
+| Device enable requests, **Device Instance Path** | “**Device ID**” |
+| Device enable requests, **Device Description** | “**Device Name**” |
+| Device enable requests, **Class GUID** | “**Class ID**” |
+| Device enable requests, **Hardware IDs** | “**Hardware IDs**” |
+| Device enable requests, **Compatible IDs** | “**Compatible IDs**” |
+| Device enable requests, **Location information** | “**Location Information**” |
+
diff --git a/windows/keep-secure/event-6422.md b/windows/keep-secure/event-6422.md
new file mode 100644
index 0000000000..fb59fad3bf
--- /dev/null
+++ b/windows/keep-secure/event-6422.md
@@ -0,0 +1,142 @@
+---
+title: 6422(S) A device was enabled. (Windows 10)
+description: Describes security event 6422(S) A device was enabled.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6422(S): A device was enabled.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Event Description:***
+
+This event generates every time specific device was enabled.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+## Security Monitoring Recommendations
+
+For 6422(S): A device was enabled.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
+
+- You can use this event to track the events and event information shown in the following table by using the listed fields:
+
+| Event and event information to monitor | Field to use |
+|------------------------------------------------|----------------------------|
+| Device enable events, **Device Instance Path** | “**Device ID**” |
+| Device enable events, **Device Description** | “**Device Name**” |
+| Device enable events, **Class GUID** | “**Class ID**” |
+| Device enable events, **Hardware IDs** | “**Hardware IDs**” |
+| Device enable events, **Compatible IDs** | “**Compatible IDs**” |
+| Device enable events, **Location information** | “**Location Information**” |
+
diff --git a/windows/keep-secure/event-6423.md b/windows/keep-secure/event-6423.md
new file mode 100644
index 0000000000..09e75dc4cd
--- /dev/null
+++ b/windows/keep-secure/event-6423.md
@@ -0,0 +1,148 @@
+---
+title: 6423(S) The installation of this device is forbidden by system policy. (Windows 10)
+description: Describes security event 6423(S) The installation of this device is forbidden by system policy.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6423(S): The installation of this device is forbidden by system policy.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Event Description:***
+
+This event generates every time installation of this device is forbidden by system policy.
+
+Device installation restriction group policies are located here: **\\Computer Configuration\\Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. If one of the policies restricts installation of a specific device, this event will be generated.
+
+> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
++ +***Event XML:*** +``` +-
+
+**Device Name** \[Type = UnicodeString\]: “**Device description**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class ID** \[Type = UnicodeString\]: “**Class Guid**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Class Name** \[Type = UnicodeString\]: “**Class**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Hardware IDs** \[Type = UnicodeString\]: “**Hardware Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Compatible IDs** \[Type = UnicodeString\]: “**Compatible Ids**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+**Location Information** \[Type = UnicodeString\]: “**Location information**” attribute of device. To see device properties, start Device Manager, open specific device properties, and click “Details”:
+
+
+
+## Security Monitoring Recommendations
+
+For 6423(S): The installation of this device is forbidden by system policy.
+
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+
+- If you want to track device installation policy violations then you need to track every event of this type.
+
+
+
+- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
+
+- You can use this event to track the policy violations and related information shown in the following table by using the listed fields:
+
+| Policy violation and related information to monitor | Field to use |
+|-----------------------------------------------------------------|----------------------------|
+| Device installation policy violations, **Device Instance Path** | “**Device ID**” |
+| Device installation policy violations, **Device Description** | “**Device Name**” |
+| Device installation policy violations, **Class GUID** | “**Class ID**” |
+| Device installation policy violations, **Hardware IDs** | “**Hardware IDs**” |
+| Device installation policy violations, **Compatible IDs** | “**Compatible IDs**” |
+| Device installation policy violations, **Location information** | “**Location Information**” |
+
diff --git a/windows/keep-secure/event-6424.md b/windows/keep-secure/event-6424.md
new file mode 100644
index 0000000000..a91d282a95
--- /dev/null
+++ b/windows/keep-secure/event-6424.md
@@ -0,0 +1,31 @@
+---
+title: 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. (Windows 10)
+description: Describes security event 6424(S) The installation of this device was allowed, after having previously been forbidden by policy.
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: Mir0sh
+---
+
+# 6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+This event occurs rarely, and in some situations may be difficult to reproduce.
+
+***Subcategory:*** [Audit PNP Activity](audit-pnp-activity.md)
+
+***Required Server Roles:*** None.
+
+***Minimum OS Version:*** Windows 10 \[Version 1511\].
+
+***Event Versions:*** 0.
+
+## Security Monitoring Recommendations
+
+- There is no recommendation for this event in this document.
+
diff --git a/windows/keep-secure/exempt-icmp-from-authentication.md b/windows/keep-secure/exempt-icmp-from-authentication.md
new file mode 100644
index 0000000000..a60e483753
--- /dev/null
+++ b/windows/keep-secure/exempt-icmp-from-authentication.md
@@ -0,0 +1,30 @@
+---
+title: Exempt ICMP from Authentication (Windows 10)
+description: Exempt ICMP from Authentication
+ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Exempt ICMP from Authentication
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol.
+
+**Administrative credentials**
+
+To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+
+To exempt ICMP network traffic from authentication
+
+1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
+
+2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
+
+3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**.
diff --git a/windows/keep-secure/exemption-list.md b/windows/keep-secure/exemption-list.md
new file mode 100644
index 0000000000..3ebf7a465b
--- /dev/null
+++ b/windows/keep-secure/exemption-list.md
@@ -0,0 +1,52 @@
+---
+title: Exemption List (Windows 10)
+description: Exemption List
+ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Exemption List
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic.
+
+In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices cannot use IPsec to access, which would be added to the exemption list.
+
+Generally, the following conditions are reasons to consider adding a device to the exemption list:
+
+- If the device must be accessed by trusted devices but it does not have a compatible IPsec implementation.
+
+- If the device must provide services to both trusted and untrusted devices, but does not meet the criteria for membership in the boundary zone.
+
+- If the device must be accessed by trusted devices from different isolated domains that do not have an Active Directory trust relationship established with each other.
+
+- If the device is a domain controller running version of Windows earlier than Windows Server 2008, or if any of its clients are running a version of Windows earlier than Windows Vista.
+
+- If the device must support trusted and untrusted devices, but cannot use IPsec to help secure communications to trusted devices.
+
+For large organizations, the list of exemptions might grow very large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all devices in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every device that receives the GPO, including the following:
+
+- Reduces the overall effectiveness of isolation.
+
+- Creates a larger management burden (because of frequent updates).
+
+- Increases the size of the IPsec policy, which means that it consumes more memory and CPU resources, slows down network throughput, and increases the time required to download and apply the GPO containing the IPsec policy.
+
+To keep the number of exemptions as small as possible, you have several options:
+
+- Carefully consider the communications requirements of each isolation zone, especially server-only zones. They might not be required to communicate with every exemption in the domain-level policy for clients.
+
+- Consolidate server functions. If several exempt services can be hosted at one IP address, the number of exemptions is reduced.
+
+- Consolidate exempted hosts on the same subnet. Where network traffic volume allows, you might be able to locate the servers on a subnet that is exempted, instead of using exemptions for each IP address.
+
+As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section.
+
+**Next: **[Isolated Domain](isolated-domain.md)
diff --git a/windows/keep-secure/firewall-gpos.md b/windows/keep-secure/firewall-gpos.md
new file mode 100644
index 0000000000..b264a38993
--- /dev/null
+++ b/windows/keep-secure/firewall-gpos.md
@@ -0,0 +1,22 @@
+---
+title: Firewall GPOs (Windows 10)
+description: Firewall GPOs
+ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Firewall GPOs
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters.
+
+The GPO created for the example Woodgrove Bank scenario include the following:
+
+- [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md)
diff --git a/windows/keep-secure/firewall-policy-design-example.md b/windows/keep-secure/firewall-policy-design-example.md
new file mode 100644
index 0000000000..41310314aa
--- /dev/null
+++ b/windows/keep-secure/firewall-policy-design-example.md
@@ -0,0 +1,106 @@
+---
+title: Firewall Policy Design Example (Windows 10)
+description: Firewall Policy Design Example
+ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Firewall Policy Design Example
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+In this example, the fictitious company Woodgrove Bank is a financial services institution.
+
+Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows devices. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate devices host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of devices that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing.
+
+Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016 Technical Preview. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems.
+
+A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server.
+
+## Design requirements
+
+The network administrators want to implement Windows Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted.
+
+The following illustration shows the traffic protection needs for this design example.
+
+
+
+1. The network infrastructure servers that are running services, such as Active Directory, DNS, DHCP, or WINS, can receive unsolicited inbound requests from network clients. The network clients can receive the responses from the infrastructure servers.
+
+2. The WGBank front-end servers can receive unsolicited inbound traffic from the client devices and the WGBank partner servers. The WGBank client devices and partner servers can receive the response.
+
+3. The WGBank front-end servers can send updated information to the client devices to support real-time display. The clients do not poll for this unsolicited traffic, but must be able to receive it.
+
+4. The WGBank back-end servers can receive SQL query requests from the WGBank front-end servers. The WGBank front-end servers can receive the corresponding responses.
+
+5. There is no direct communications between the client devices and the WGBank back-end devices.
+
+6. There is no unsolicited traffic from the WGBank back-end devices to the WGBank front-end servers.
+
+7. Company policy prohibits the use of peer-to-peer file transfer software. A recent review by the IT staff found that although the perimeter firewall does prevent most of the programs in this category from working, two programs are being used by staff members that do not require an outside server. Firewall rules must block the network traffic created by these programs.
+
+8. The WGBank partner servers can receive inbound requests from partner devices through the Internet.
+
+Other traffic notes:
+
+- Devices are not to receive any unsolicited traffic from any computer other than specifically allowed above.
+
+- Other outbound network traffic from the client devices not specifically identified in this example is permitted.
+
+## Design details
+
+
+Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy the firewall settings and rules to the devices on their network. They know that they must deploy policies to the following collections of devices:
+
+- Client devices that run Windows 10, Windows 8, or Windows 7
+
+- WGBank front-end servers that run Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them)
+
+- WGBank partner servers that run Windows Server 2008
+
+- WGBank back-end SQL Server devices that run Windows Server 2008 (there are none in place yet, but their solution must support adding them)
+
+- Infrastructure servers that run Windows Server 2008
+
+- Active Directory domain controllers that run Windows Server 2008 R2 or Windows Server 2012
+
+- DHCP servers that run the UNIX operating system
+
+After evaluating these sets of devices, and comparing them to the Active Directory organizational unit (OU) structure, Woodgrove Bank network administrators determined that there was not a good one-to-one match between the OUs and the sets. Therefore the firewall GPOs will not be linked directly to OUs that hold the relevant devices. Instead, the GPOs are linked to the domain container in Active Directory, and then WMI and group filters are attached to the GPO to ensure that it is applied to the correct devices.
+
+Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. A combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs.
+
+The following groups were created by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and all devices that run Windows were added to the correct groups:
+
+- **CG\_FIREWALL\_ALLCOMPUTERS**. Add the predefined and system managed **Domain computers** group as a member of this group. All members of the FIREWALL\_ALLCOMPUTERS group receive an operating system-specific GPO with the common firewall rules applied to all devices.
+
+ The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also have security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs.
+
+ - Client devices receive a GPO that configures Windows Firewall with Advanced Security to enforce the default Windows Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound.
+
+ - Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update are not included, because it is not needed on server devices.
+
+ All rules are scoped to allow network traffic only from devices on Woodgrove Bank's corporate network.
+
+- **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group do not receive the default firewall GPO. Devices are added to this group if there is a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it is a member of this group.
+
+- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO.
+
+- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO.
+
+- **CG\_FIREWALL\_BOUNDARY\_WGBANKFE**. This group contains the computer accounts for the servers that host Web services that can be accessed from the Internet. Members of this group receive a GPO that adds an inbound firewall rule to allow inbound HTTP and HTTPS network traffic from any address, including the Internet. Devices in this group also receive the default firewall GPO.
+
+- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO.
+
+- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO.
+
+In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there.
+
+**Next: **[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
+
diff --git a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md
new file mode 100644
index 0000000000..33727fc9f4
--- /dev/null
+++ b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md
@@ -0,0 +1,32 @@
+---
+title: Gathering Information about Your Active Directory Deployment (Windows 10)
+description: Gathering Information about Your Active Directory Deployment
+ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Gathering Information about Your Active Directory Deployment
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed:
+
+- **Names and number of forests**. The forest (not the domain) is the security boundary in an Active Directory implementation. You must understand the current Active Directory architecture to determine the most effective strategy for deploying your firewall and connection security rules using Group Policy. It also enables you to understand which devices can be isolated and how best to accomplish the required degree of isolation.
+
+- **Names and number of domains**. Authentication in server and domain isolation uses the IKE negotiation process with the Kerberos V5 protocol. This protocol assumes that devices are domain members.
+
+- **Number and types of trusts**. Trusts affect the logical boundaries of domain isolation and define whether IKE negotiation can occur between devices in different Active Directory domains.
+
+- **Names and number of sites**. Site architecture is usually aligned with the network topology. Understanding how sites are defined in Active Directory will help provide insight into replication and other details. Site architecture can provide a better understanding of the current Active Directory deployment.
+
+- **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You do not have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct devices.
+
+- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Firewall with Advanced Security connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other.
+
+**Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md)
diff --git a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md
new file mode 100644
index 0000000000..65555cc782
--- /dev/null
+++ b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md
@@ -0,0 +1,113 @@
+---
+title: Gathering Information about Your Current Network Infrastructure (Windows 10)
+description: Gathering Information about Your Current Network Infrastructure
+ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Gathering Information about Your Current Network Infrastructure
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project:
+
+- **Network segmentation**. This includes IP addressing maps, showing how your routers separate each network segment. It includes information about how the routers are configured, and what security filters they impose on network traffic flowing through them.
+
+- Network address translation (NAT). NAT is a means of separating network segments by using a device that maps all of the IP addresses on one side of the device to a single IP address accessible on the other side.
+
+- Network infrastructure devices. This includes the routers, switches, hubs, and other network equipment that makes communications between the devices on the network possible.
+
+- **Current network traffic model.** This includes the quantity and the characteristics of the network traffic flowing through your network.
+
+- Intrusion Detection System (IDS) devices. You will need to identify if you have any IDS devices on your network that might be negatively impacted by any encryption introduced in an Encryption Zone.
+
+The goal is to have enough information to be able to identify an asset by its network location, in addition to its physical location.
+
+Do not use a complex and poorly documented network as a starting point for the design, because it can leave too many unidentified areas that are likely to cause problems during implementation.
+
+This guidance helps obtain the most relevant information for planning Windows Firewall with Advanced Security implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation.
+
+## Network segmentation
+
+
+If your organization does not have its current network architecture documented and available for reference, such documentation should be obtained as soon as possible before you continue with the design and deployment. If the documented information is not current or has not been validated recently, you have two options:
+
+- Accept that the lack of accurate information can cause risk to the project.
+
+- Undertake a discovery project, either through manual processes or with network analysis tools that can provide the information you need to document the current network topology.
+
+Although the required information can be presented in many different ways, a series of schematic diagrams is often the most effective method of illustrating and understanding the current network configuration. When creating network diagrams, do not include too much information. If necessary, use multiple diagrams that show different layers of detail. Use a top-level diagram that illustrates the major sites that make up your organization's network, and then break out each site into a more detailed diagram that captures a deeper level of detail. Continue until you reach the individual IP subnet level, and so have the means to identify the network location of every device in your organization.
+
+During this process, you might discover some network applications and services that are not compatible with IPsec. For example, IPsec breaks network-based prioritization and port/protocol-based traffic management. If traffic management or prioritization must be based on ports or protocol, the host itself must be able to perform any traffic management or prioritization.
+
+Other examples of incompatibility include:
+
+- Cisco NetFlow on routers cannot analyze packets between IPsec members based on protocol or port.
+
+- Router-based Quality of Service (QoS) cannot use ports or protocols to prioritize traffic. However, using firewall rules that specify IP addresses to prioritize traffic are not affected by this limitation of QoS. For example, a rule that says "From anyone to anyone using port 80 prioritize" does not work, but a rule that says "From anyone to 10.0.1.10 prioritize" works.
+
+- Weighted Fair Queuing and other flow-based router traffic priority methods might fail.
+
+- Devices that do not support or allow IP protocol 50, the port that is used by Encapsulating Security Payload (ESP).
+
+- Router access control lists (ACLs) cannot examine protocol and port fields in ESP-encrypted packets, and therefore the packets are dropped. ACLs based only on IP address are forwarded as usual. If the device cannot parse ESP, any ACLs that specify port or protocol rules will not be processed on the ESP packets. If the device has an ESP parser and uses encryption, ACLs that specify port or protocol rules will not be processed on the ESP packets.
+
+- Network monitoring tools might be unable to parse ESP packets that are not encrypted (ESP-Null).
+
+ >**Note:** Microsoft Message Analyzer can help in troubleshooting of unencrypted IPsec packets. The latest version of Message Analyzer is available on the [Microsoft Download Center](http://www.microsoft.com/download/details.aspx?id=44226).
+
+## Network address translation (NAT)
+
+IPsec NAT traversal (NAT-T) enables IPsec peers that are behind NATs to detect the presence of NATs, negotiate IPsec security associations (SAs), and send ESP-protected data even though the addresses in the IPsec-protected IPv4 packets change. IPsec NAT-T does not support the use of AH across NAT devices.
+
+## Network infrastructure devices
+
+The devices that make up the network infrastructure (routers, switches, load balancers, and firewalls) must be able communicate using IPsec after the solution is implemented. For this reason, you have to examine the following characteristics of these network devices to ensure that they can handle the technical and physical requirements of the design:
+
+- **Make/model**. You can use this information to determine the features that the device supports. In addition, check the BIOS version or software running on the device to ensure that IPsec is supported.
+
+- **Amount of RAM**. This information is useful when you are analyzing capacity or the impact of IPsec on the device.
+
+- **Traffic analysis**. Information, such as peak usage and daily orweekly trends, is helpful to have. The information helps provide a baseline snapshot of the device and how it is used over time. If problems occur after IPsec is implemented, the information can help determine whether the root cause is related to greater usage of the device.
+
+- **Router ACLs that affect IPsec directly**. ACLs directly affect the ability of specific protocols to function. For example, blocking the Kerberos V5 protocol (UDP and TCP port 88) or IP protocol 50 or 51 prevents IPsec from working. Devices must also be configured to allow IKE traffic (UDP port 500) if using NAT-T (UDP port 4500).
+
+- **Networks/subnets connected to device interfaces**. This information provides the best picture of what the internal network looks like. Defining the boundary of subnets based on an address range is straightforward and helps identify whether other addresses are either unmanaged or foreign to the internal network (such as IP addresses on the Internet).
+
+- **VLAN segmentation**. Determining how VLANs are implemented on the network can help you understand traffic patterns and security requirements, and then help to determine how IPsec might augment or interfere with these requirements.
+
+- **The maximum transmission unit (MTU) size on device interface(s)**. The MTU defines the largest datagram that can be transmitted on a particular interface without being divided into smaller pieces for transmission (a process also known as *fragmentation*). In IPsec communications, the MTU is necessary to anticipate when fragmentation occurs. Packet fragmentation must be tracked for Internet Security Association and Key Management Protocol (ISAKMP) by the router. IPsec configures the MTU size on the session to the minimum-discovered MTU size along the communication path being used, and then set the Don't Fragment bit (DF bit) to 1.
+
+ >**Note:** If Path MTU (PMTU) discovery is enabled and functioning correctly, you do not have to gather the MTU size on device interfaces. Although sources, such as the Windows Server 2003 Hardening Guide, recommend disabling PMTU discovery, it must be enabled for IPsec to function correctly.
+
+- **Intrusion detection system (IDS) in use**. Your IDS must have an IPsec-compatible parser to detect ESP packets. If the IDS does not have such a parser, it cannot determine if data in those packets is encrypted.
+
+After you obtain this information, you can quickly determine whether you must upgrade the devices to support the requirements of the project, change the ACLs, or take other measures to ensure that the devices can handle the loads needed.
+
+## Current network traffic model
+
+After gathering the addressing and network infrastructure information, the next step is to examine the communications flow. For example, if a department such as Human Resources (HR) spans several buildings, and you want to use server isolation with encryption to help protect information in that department, you must know how those buildings are connected to determine the level of "trust" to place in the connection. A highly secured building that is connected by an unprotected cable to another building that is not secured can be compromised by an eavesdropping or information replay attack. If such an attack is considered a threat, IPsec can help by providing strong mutual authentication and traffic encryption for trusted hosts. IPsec allows you to more securely communicate across untrusted links such as the Internet.
+
+When you examine traffic flow, look closely at how all managed and unmanaged devices interact. This includes non-Windows-based devices running Linux, UNIX, and Macintosh. Ask yourself such questions as:
+
+- Do specific communications occur at the port and protocol level, or are there many sessions between the same hosts across many protocols?
+
+- How do servers and clients communicate with each other?
+
+- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail.
+
+Some of the more common applications and protocols are as follows:
+
+- **NetBIOS over TCP/IP (NetBT) and server message block (SMB)**. On a LAN, it is common to have ports 137, 138, and 139 enabled for NetBT and port 445 enabled for SMB. These ports provide NetBIOS name resolution services and other features. Unfortunately, they also allow the creation of *null sessions*. A null session is a session that is established on a host that does not use the security context of a known user or entity. Frequently, these sessions are anonymous.
+
+- **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means opening the RPC listener port and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account.
+
+- **Other traffic**. Windows Firewall with Advanced Security can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured.
+
+**Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
diff --git a/windows/keep-secure/gathering-information-about-your-devices.md b/windows/keep-secure/gathering-information-about-your-devices.md
new file mode 100644
index 0000000000..1f3b73fa21
--- /dev/null
+++ b/windows/keep-secure/gathering-information-about-your-devices.md
@@ -0,0 +1,54 @@
+---
+title: Gathering Information about Your Devices (Windows 10)
+description: Gathering Information about Your Devices
+ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Gathering Information about Your Devices
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned.
+
+Capture the following information from each device:
+
+- **Computer name**. This name is the device's NetBIOS or DNS name that identifies the device on the network. Because a device can have more than one media access control (MAC) or IP address, the device's name is one of the criteria that can be used to determine uniqueness on the network. Because device names can be duplicated under some circumstances, the uniqueness should not be considered absolute.
+
+- **IP address for each network adapter**. The IP address is the address that is used with the subnet mask to identify a host on the network. An IP address is not an effective way to identify an asset because it is often subject to change.
+
+- **Operating system, service pack, and hotfix versions**. The operating system version is a key factor in determining the ability of a host to communicate by using IPsec. It is also important to track the current state of service packs and updates that might be installed, because these are often used to determine that minimum security standards have been met.
+
+- **Domain membership**. This information is used to determine whether a device can obtain IPsec policy from Active Directory or whether it must use a local IPsec policy.
+
+- **Physical location**. This information is just the location of the device in your organization. It can be used to determine whether a device can participate in a specific isolation group based on its location or the location of the devices that it communicates with regularly.
+
+- **Hardware type or role**. Some tools that perform host discovery can provide this information by querying the hardware information and running applications to determine its type, such as server, workstation, or portable device. You can use this information to determine the appropriate IPsec policy to assign, whether a specific device can participate in isolation, and in which isolation group to include the device.
+
+After collecting all this information and consolidating it into a database, perform regular discovery efforts periodically to keep the information current. You need the most complete and up-to-date picture of the managed hosts on their networks to create a design that matches your organization's requirements.
+
+You can use various methods to gather data from the hosts on the network. These methods range from high-end, fully automated systems to completely manual data collection. Generally, the use of automated methods to gather data is preferred over manual methods for reasons of speed and accuracy.
+
+## Automated Discovery
+
+Using an automated auditing network management system provides valuable information about the current state of the IT infrastructure.
+
+
+## Manual Discovery
+
+
+The biggest difference between manual discovery methods and automated methods is time.
+
+You can use Windows PowerShell to create a script file that can collect the system configuration information. For more information, see [Windows PowerShell Scripting](http://go.microsoft.com/fwlink/?linkid=110413).
+
+Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all additional changes must be recorded and the updates noted in the inventory.
+
+This inventory will be critical for planning and implementing your Windows Firewall with Advanced Security design.
+
+**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md)
diff --git a/windows/keep-secure/gathering-other-relevant-information.md b/windows/keep-secure/gathering-other-relevant-information.md
new file mode 100644
index 0000000000..ca8d396fcb
--- /dev/null
+++ b/windows/keep-secure/gathering-other-relevant-information.md
@@ -0,0 +1,77 @@
+---
+title: Gathering Other Relevant Information (Windows 10)
+description: Gathering Other Relevant Information
+ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Gathering Other Relevant Information
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization.
+
+## Capacity considerations
+
+Because IPsec uses mathematically intensive cryptographic techniques, it can consume significant overhead on a device. Areas to watch:
+
+- **Encryption.** You might use 256-bit Advanced Encryption Standard (AES-256) and 384-bit Secure Hash Algorithm (SHA-384) to check integrity in situations that require the strongest available encryption and key exchange protection. If you have NICs that support IPsec Task Offload, you can reduce the effect that encryption has on network throughput. For more information, see [IPsec Task Offload](http://technet.microsoft.com/network/dd277647.aspx).
+
+- **Security association (SA) negotiation.** You can use a shorter lifetime for the main mode SA, such as three hours, but then you might need to make tradeoffs. Because each main mode SA occupies approximately 5 KB of RAM, situations in which a server brokers tens of thousands of concurrent connections can lead to overutilization.
+
+- **NAT devices.** As discussed earlier, NAT does not allow Authentication Header (AH) conversations between hosts. If NAT devices exist on the internal network, ESP must be selected instead of AH.
+
+- **Switches and routers.** Proper capacity planning for the implementation of IPsec is more about thorough testing and expected traffic loads than exact calculations. You might have to upgrade or reconfigure switches or routers that currently exceed 75 percent usage to allow for increased traffic on the device and still provide some extra usage for bursts of traffic.
+
+- **Other factors.** These include CPU usage on network infrastructure servers, increased overhead on servers and workstations running IPsec (especially servers, because they usually contain more main mode SAs than clients), and increased network latency because of IPsec negotiation.
+
+ >**Note:** When Microsoft deployed its own domain isolation solution, it found a one to three percent increase in usage on the network as a direct result of IPsec.
+
+## Group Policy deployment groups and WMI filters
+
+You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Firewall with Advanced Security GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices.
+
+## Different Active Directory trust environments
+
+When you design a domain isolation policy, consider any logical boundaries that might affect IPsec-secured communications. For example, the trust relationships between your domains and forests are critical in determining an appropriate IKE authentication method.
+
+Kerberos V5 authentication is recommended for use in a two-way (mutual) domain and forest trust environment. You can use Kerberos V5 for IKE authentication across domains that have two-way trusts established, if the domains are in the same forest or different forests. If the two domains are in different forests, you must configure two external trusts, one for each direction, between the domains. The external trusts must use the fully qualified domain name (FQDN) of the domains, and IPsec policy must allow an IKE initiator in one domain to communicate with any domain controller in the forest domain hierarchy, so that the initiator can obtain a Kerberos V5 ticket from a domain controller in the responder’s domain. If firewalls separate the domains then you must configure the firewall to allow Kerberos V5 traffic over UDP destination port 88, TCP destination port 88, and UDP destination port 389.
+
+If the use of Kerberos V5 authentication is not possible because two-way trusts across forests cannot be established as in some large enterprise environments, you can use a public key infrastructure (PKI) and digital certificates to establish IPsec-trusted communication.
+
+## Creating firewall rules to permit IKE, AH, and ESP traffic
+
+
+In some cases, IPsec-secured traffic might have to pass through a router, perimeter firewall, or other filtering device. In the case of a router, unless the router filters TCP and UDP traffic or other upper-level protocol headers, no special configuration is required to allow the IPsec traffic to be forwarded.
+
+In the case of a filtering router or a firewall, you must configure these devices to allow IPsec traffic to be forwarded. Configure the firewall to allow IPsec traffic on UDP source and destination port 500 (IKE), UDP source and destination port 4500 (IPsec NAT-T), and IP Protocol 50 (ESP). You might also have to configure the firewall to allow IPsec traffic on IP protocol 51 (AH) to allow troubleshooting by IPsec administrators and to allow the IPsec traffic to be inspected.
+
+For more info, see [How to Enable IPsec Traffic Through a Firewall](http://go.microsoft.com/fwlink/?LinkId=45085).
+
+## Network load balancing and server clusters
+
+There are challenges implementing connection security for network traffic going to and from network load balancing (NLB) clusters and server clusters. NLB enables multiple servers to be clustered together to provide high availability for a service by providing automatic failover to other nodes in the cluster. Because IPsec matches a security association to a specific device, it prevents different devices from handling the same client connection. If a different node in the cluster responds to an IPsec connection that was originally established by another node, the traffic will be dropped by the client device as untrusted.
+
+This means that NLB in "no affinity" mode is not supported by IPsec at all. If you must use "no affinity" mode in the cluster then consider including the servers that make up the cluster in your IPsec exemption group, and allowing clients to communicate with the servers without IPsec.
+
+When a TCP connection is dropped because of a cluster node failover, IPsec detects the TCP connection failure and removes the IPsec SAs for that connection. When the new TCP connection is established to another node, IPsec can negotiate new SAs immediately without having to wait for the obsolete SAs to time out.
+
+## Network inspection technologies
+
+Within a TCP/IP packet, IPsec without encryption changes the offsets for the destination ports and protocols. These changes can adversely affect applications that are running on network devices such as routers that monitor and manage traffic on the network. While some network applications have been updated to support IPsec, some are not yet compatible. Check with the vendor of your device to see whether the changes in the protocol and port fields caused by IPsec are compatible with the device.
+
+Any device designed to view network traffic, such as hardware protocol analyzers or Microsoft Network Monitor, cannot parse ESP-encrypted traffic. Only the destination device, with which the originating device negotiated the connection, can decrypt the traffic.
+
+In general, IPsec defeats network-based prioritization and port- or protocol-based traffic management. For encrypted packets, there is no workaround; the host itself must handle any traffic management functions. For unencrypted, authenticated-only packets, the devices and applications must be aware of how IPsec changes packets to be able to do anything with them other than route them to the correct host. If you cannot upgrade monitoring or management devices to support IPsec, it is important that you record this information and figure it into your domain or server isolation design.
+
+Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Network Monitor parsers for ESP can parse inside the ESP packet only if ESP null-encryption is being used. Network Monitor cannot parse the encrypted parts of IPsec ESP traffic when encryption is performed in software. However, if encryption is performed by an IPsec hardware offload network adapter, the ESP packets can be decrypted when Network Monitor captures them on either the source or the destination and, therefore, they can be parsed. To diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPsec policy or connection security rule on both devices.
+
+Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226).
+
+**Next: **[Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
diff --git a/windows/keep-secure/gathering-the-information-you-need.md b/windows/keep-secure/gathering-the-information-you-need.md
new file mode 100644
index 0000000000..3e8a62b0cc
--- /dev/null
+++ b/windows/keep-secure/gathering-the-information-you-need.md
@@ -0,0 +1,28 @@
+---
+title: Gathering the Information You Need (Windows 10)
+description: Gathering the Information You Need
+ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Gathering the Information You Need
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation.
+
+Review each of the following topics for guidance about the kinds of information that you must gather:
+
+- [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md)
+
+- [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
+
+- [Gathering Information about Your Devices](gathering-information-about-your-devices.md)
+
+- [Gathering Other Relevant Information](gathering-other-relevant-information.md)
diff --git a/windows/keep-secure/gpo-domiso-boundary.md b/windows/keep-secure/gpo-domiso-boundary.md
new file mode 100644
index 0000000000..22db5273b8
--- /dev/null
+++ b/windows/keep-secure/gpo-domiso-boundary.md
@@ -0,0 +1,43 @@
+---
+title: GPO\_DOMISO\_Boundary (Windows 10)
+description: GPO\_DOMISO\_Boundary
+ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# GPO\_DOMISO\_Boundary
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
+
+This GPO supports the ability for devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. It is intended to only apply to server devices that are running at least Windows Server 2008.
+
+## IPsec settings
+
+The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain when authentication can be used.
+
+## Connection security rules
+
+
+Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authentication mode to **Request inbound and request outbound**. In this mode, the device uses authentication when it can, such as during communication with a member of the isolated domain. It also supports the "fall back to clear" ability of request mode when an untrusted device that is not part of the isolated domain connects.
+
+## Registry settings
+
+
+The boundary zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md).
+
+## Firewall rules
+
+
+Copy the firewall rules for the boundary zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other devices. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 80 for Web client requests.
+
+Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
+
+**Next: **[Encryption Zone GPOs](encryption-zone-gpos.md)
diff --git a/windows/keep-secure/gpo-domiso-encryption.md b/windows/keep-secure/gpo-domiso-encryption.md
new file mode 100644
index 0000000000..dac33f72d4
--- /dev/null
+++ b/windows/keep-secure/gpo-domiso-encryption.md
@@ -0,0 +1,50 @@
+---
+title: GPO\_DOMISO\_Encryption\_WS2008 (Windows 10)
+description: GPO\_DOMISO\_Encryption\_WS2008
+ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446
+author: brianlic-msft
+---
+
+# GPO\_DOMISO\_Encryption\_WS2008
+
+
+This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
+
+This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008.
+
+## IPsec settings
+
+
+The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain The following changes are made to encryption zone copy of the GPO:
+
+The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This disables all integrity-only algorithm combinations.
+
+## Connection security rules
+
+
+Rename the **Isolated Domain Rule** to **Encryption Zone Rule**. Leave the authentication mode setting on **Require inbound and request outbound**. In this mode, the computer forces authentication for all inbound network traffic, and uses it when it can on outbound traffic.
+
+## Registry settings
+
+
+The encryption zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md).
+
+## Firewall rules
+
+
+Copy the firewall rules for the encryption zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other computers. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 1433 for SQL Server client requests.
+
+Change the action for every inbound firewall rule from **Allow the connection** to **Allow only secure connections**, and then select **Require the connections to be encrypted**.
+
+Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules.
+
+**Next: **[Server Isolation GPOs](server-isolation-gpos.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/keep-secure/gpo-domiso-firewall.md b/windows/keep-secure/gpo-domiso-firewall.md
new file mode 100644
index 0000000000..226c9deac1
--- /dev/null
+++ b/windows/keep-secure/gpo-domiso-firewall.md
@@ -0,0 +1,64 @@
+---
+title: GPO\_DOMISO\_Firewall (Windows 10)
+description: GPO\_DOMISO\_Firewall
+ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# GPO\_DOMISO\_Firewall
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008.
+
+## Firewall settings
+
+This GPO provides the following settings:
+
+- Unless otherwise stated, the firewall rules and settings described here are applied to all profiles.
+
+- The firewall is enabled, with inbound, unsolicited connections blocked and outbound connections allowed.
+
+- Under the domain profile, the settings **Display notifications to the user**, **Apply local firewall rules**, and **Apply local connection security rules** are all set to **No**. These settings are applied only to the domain profile because the devices can only receive an exception rule for a required program from a GPO if they are connected to the domain. Under the public and private profiles, those settings are all set to **Yes**.
+
+ >**Note:** Enforcing these settings requires that you define any firewall exceptions for programs, because the user cannot manually permit a new program. You must deploy the exception rules by adding them to this GPO. We recommend that you do not enable these settings until you have tested all your applications and have tested the resulting rules in a test lab and then on pilot devices.
+
+## Firewall rules
+
+This GPO provides the following rules:
+
+- Built-in firewall rule groups are configured to support typically required network operation. The following rule groups are set to **Allow the connection**:
+
+ - Core Networking
+
+ - File and Printer Sharing
+
+ - Network Discovery
+
+ - Remote Administration
+
+ - Remote Desktop
+
+ - Remote Event Log Management
+
+ - Remote Scheduled Tasks Management
+
+ - Remote Service Management
+
+ - Remote Volume Management
+
+ - Windows Firewall Remote Management
+
+ - Windows Management Instrumentation (WMI)
+
+ - Windows Remote Management
+
+- A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile.
+
+**Next: **[Isolated Domain GPOs](isolated-domain-gpos.md)
diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md
new file mode 100644
index 0000000000..0f2faadb9e
--- /dev/null
+++ b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md
@@ -0,0 +1,83 @@
+---
+title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10)
+description: GPO\_DOMISO\_IsolatedDomain\_Clients
+ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# GPO\_DOMISO\_IsolatedDomain\_Clients
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista.
+
+Because client devices can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile.
+
+## General settings
+
+This GPO provides the following settings:
+
+- No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the [Firewall GPOs](firewall-gpos.md) section) in order to share them with all clients in all isolation zones with minimum redundancy.
+
+- The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting.
+
+- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, they can remove the weaker key exchange algorithms, and use only the stronger ones.
+
+- The registry settings shown in the following table. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md).
+
+| Setting | Value |
+| - | - |
+| Enable PMTU Discovery | 1 |
+| IPsec Exemptions | 3 |
+
+- The main mode security method combinations in the order shown in the following table.
+
+| Integrity | Encryption |
+| - | - |
+| Secure Hash Algorithm (SHA-1) | Advanced Encryption Standard (AES-128) |
+| SHA-1 | 3DES |
+
+- The following quick mode security data integrity algorithms combinations in the order shown in the following table.
+
+| Protocol | Integrity | Key Lifetime (minutes/KB) |
+| - | - | - |
+| ESP | SHA-1 | 60/100,000 |
+
+- The quick mode security data integrity and encryption algorithm combinations in the order shown in the following table.
+
+| Protocol | Integrity | Encryption | Key Lifetime (minutes/KB) |
+| - | - | - | - |
+| ESP | SHA-1 | AES-128 | 60/100,000|
+| ESP | SHA-1 | 3DES | 60/100,000|
+
+>**Note:** Do not use the MD5 and DES algorithms in your GPOs. They are included only for compatibility with previous versions of Windows.
+
+## Connection Security Rules
+
+This GPO provides the following rules:
+
+- A connection security rule named **Isolated Domain Rule** with the following settings:
+
+ - From **Any IP address** to **Any IP address**.
+
+ - **Require inbound and request outbound** authentication requirements.
+
+ >**Important:** On this, and all other GPOs that require authentication, Woodgrove Bank first chose to only request authentication. After confirming that the devices were successfully communicating by using IPsec, they switched the GPOs to require authentication.
+
+ - For **First authentication methods**, select **Computer Kerberos v5** as the primary method. Add certificate-based authentication from **DC=com,DC=woodgrovebank,CN=CorporateCertServer** for devices that cannot run Windows or cannot join the domain, but must still participate in the isolated domain.
+
+ - For **Second authentication**, select **User Kerberos v5**, and then select the **Second authentication is optional** check box.
+
+- A connection security rule to exempt devices that are in the exemption list from the requirement to authenticate:
+
+ - The IP addresses of all devices on the exemption list must be added individually under **Endpoint 2**.
+
+ - Authentication mode is set to **Do not authenticate**.
+
+**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)
diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md
new file mode 100644
index 0000000000..fb984adf5f
--- /dev/null
+++ b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md
@@ -0,0 +1,27 @@
+---
+title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10)
+description: GPO\_DOMISO\_IsolatedDomain\_Servers
+ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# GPO\_DOMISO\_IsolatedDomain\_Servers
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008.
+
+Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Firewall with Advanced Security piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here:
+
+- This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the device to the Public profile with a different set of rules (in the case of a server running Windows Server 2008).
+
+ >**Important:** Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device.
+
+**Next: **[Boundary Zone GPOs](boundary-zone-gpos.md)
+
diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
new file mode 100644
index 0000000000..b1adf33fd9
--- /dev/null
+++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
@@ -0,0 +1,60 @@
+---
+title: Identifying Your Windows Firewall with Advanced Security Deployment Goals (Windows 10)
+description: Identifying Your Windows Firewall with Advanced Security Deployment Goals
+ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Identifying Your Windows Firewall with Advanced Security Deployment Goals
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios.
+
+The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Firewall with Advanced Security deployment goals.
+
+| Deployment goal tasks | +Reference links | +
|---|---|
Evaluate predefined Windows Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. |
+Predefined deployment goals: +
|
+
Map one goal or a combination of the predefined deployment goals to an existing Windows Firewall with Advanced Security design. |
+
|
+
Based on the status of your current infrastructure, document your deployment goals for your Windows Firewall with Advanced Security design into a deployment plan. |
+
|
+
This group is used in security group filters to ensure that GPOs with IPsec rules are not applied to group members.| +| CG_DOMISO_IsolatedDomain | A universal group of device accounts that contains the members of the isolated domain.
During the early days of testing, this group might contain only a very small number of devices. During production, it might contain the built-in **Domain Computers** group to ensure that every device in the domain participates.
Members of this group receive the domain isolation GPO that requires authentication for inbound connections.| +| CG_DOMISO_Boundary | A universal group of device accounts that contains the members of the boundary zone.
Members of this group receive a GPO that specifies that authentication is requested, but not required.|
+| CG_DOMISO_Encryption | A universal group of device accounts that contains the members of the encryption zone.
Members of this group receive a GPO that specifies that both authentication and encryption are required for all inbound connections.
+| CG_SRVISO_*ServerRole* | A universal group of device accounts that contains the members of the server isolation group.
Members of this group receive the server isolation GPO that requires membership in a network access group in order to connect.
There will be one group for each set of servers that have different user and device restriction requirements. |
+
+Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](planning-the-gpos.md).
+
+If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific.
+
+**Next: **[Planning Network Access Groups](planning-network-access-groups.md)
+
diff --git a/windows/keep-secure/planning-network-access-groups.md b/windows/keep-secure/planning-network-access-groups.md
new file mode 100644
index 0000000000..4d9b002e7c
--- /dev/null
+++ b/windows/keep-secure/planning-network-access-groups.md
@@ -0,0 +1,33 @@
+---
+title: Planning Network Access Groups (Windows 10)
+description: Planning Network Access Groups
+ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Planning Network Access Groups
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required.
+
+Minimize the number of NAGs to limit the complexity of the solution. You need one NAG for each server isolation group to restrict the devices or users that are granted access. You can optionally split the NAG into two different groups: one for authorized devices and one for authorized users.
+
+The NAGs that you create and populate become active by referencing them in the **Users and Computers** tab of the firewall rules in the GPO assigned to the isolated servers. The GPO must also contain connection security rules that require authentication to supply the credentials checked for NAG membership.
+
+For the Woodgrove Bank scenario, access to the devices running SQL Server that support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative devices. They are also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service.
+
+| NAG Name | NAG Member Users, Computers, or Groups | Description |
+| - | - | - |
+| CG_NAG_*ServerRole*_Users| Svr1AdminA
Svr1AdminB
Group_AppUsers
AppSvcAccount| This group is for all users who are authorized to make inbound IPsec connections to the isolated servers in this zone.|
+| CG_NAG_*ServerRole*_Computers| Desktop1
Desktop2
AdminDT1
AppAdminDT1| This group contains all devices that are authorized to make inbound IPsec connections to the isolated servers in this zone.|
+
+>**Note:** Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the device or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5.
+
+**Next: **[Planning the GPOs](planning-the-gpos.md)
diff --git a/windows/keep-secure/planning-server-isolation-zones.md b/windows/keep-secure/planning-server-isolation-zones.md
new file mode 100644
index 0000000000..12688b93c9
--- /dev/null
+++ b/windows/keep-secure/planning-server-isolation-zones.md
@@ -0,0 +1,74 @@
+---
+title: Planning Server Isolation Zones (Windows 10)
+description: Planning Server Isolation Zones
+ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Planning Server Isolation Zones
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server.
+
+The second option is to additionally restrict access to the server, not just to members of the isolated domain, but to only those users or devices who have business reasons to access the resources on the server. You can specify only approved users, or you can additionally specify that the approved users can only access the server from approved devices.
+
+To grant access, you add the approved user and device accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This causes IKE to use Kerberos V5 to exchange credentials with the server. The additional firewall rule on the server causes Windows to check the provided device and user accounts for group membership in the NAGs. If either the user or device is not a member of a required NAG then the network connection is refused.
+
+## Isolated domains and isolated servers
+
+If you are using an isolated domain, the client devices already have the IPsec rules to enable them to authenticate traffic when the server requires it. If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized device or user.
+
+If you are not using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client devices that you want to access the server to use the appropriate IPsec rules. If the client devices are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG.
+
+## Creating multiple isolated server zones
+
+Each set of servers that must be accessed by different sets of users should be set up in its own isolated server zone. After one set of GPOs for one isolated server zone has been successfully created and verified, you can copy the GPOs to a new set. You must change the GPO names to reflect the new zone, the name and membership of the isolated server zone group to which the GPOs are applied, and the names and membership of the NAG groups that determine which clients can access the servers in the isolated server zone.
+
+## Creating the GPOs
+
+Creation of the groups and how to link them to the GPOs that apply the rules to members of the groups are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
+
+An isolated server is often a member of the encryption zone. Therefore, copying that GPO set serves as a good starting point. You then modify the rules to additionally restrict access to only NAG members.
+
+### GPO settings for isolated servers running at least Windows Server 2008
+
+GPOs for devices running at least Windows Server 2008 should include the following:
+
+>**Note:** The connection security rules described here are identical to the ones for the encryption zone. If you do not want to encrypt access and also restrict access to NAG members, you can use connection security rules identical to the main isolated domain. You must still add the firewall rule described at the end of this list to change it into an isolated server zone.
+
+- IPsec default settings that specify the following options:
+
+ 1. Exempt all ICMP traffic from IPsec.
+
+ 2. Key exchange (main mode) security methods and algorithm. We recommend that you do not include Diffie-Hellman Group 1, DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
+
+ 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
+
+ If any NAT devices are present on your networks, do not use AH because it cannot traverse NAT devices. If isolated servers must communicate with hosts in the encryption zone, include an algorithm that is compatible with the requirements of the encryption zone GPOs.
+
+ 4. Authentication methods. Include at least device-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. Do not make the user-based authentication method mandatory, or else devices that cannot use AuthIP instead of IKE, including Windows XP and Windows Server 2003, cannot communicate. Likewise, if any of your domain isolation members cannot use Kerberos V5, include certificate-based authentication as an optional authentication method.
+
+- The following connection security and firewall rules:
+
+ - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment.
+
+ - A connection security rule, from **Any IP address** to **Any IP address**, that requires inbound and requests outbound authentication by using Kerberos V5 authentication.
+
+ >**Important:** Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out.
+
+ - A firewall rule that specifies **Allow only secure connections**, **Require encryption**, and on the **Users and Computers** tab includes references to both device and user network access groups.
+
+- A registry policy that includes the following values:
+
+ - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
+
+ >**Note:** For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).
+
+**Next: **[Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
diff --git a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md
new file mode 100644
index 0000000000..4fcbd977dc
--- /dev/null
+++ b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md
@@ -0,0 +1,50 @@
+---
+title: Planning Settings for a Basic Firewall Policy (Windows 10)
+description: Planning Settings for a Basic Firewall Policy
+ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Planning Settings for a Basic Firewall Policy
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices.
+
+The following is a list of the firewall settings that you might consider for inclusion in a basic firewall design, together with recommendations to serve as a starting point for your analysis:
+
+- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private**. Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on devices that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they are not on the organization's network, you cannot fix a connectivity problem by deploying rule changes in a GPO. For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization.
+
+ >**Important:** We recommend that on server devices that you set all rules for all profiles to prevent any unexpected profile switch from disrupting network connectivity. You might consider a similar practice for your desktop devices, and only support different profiles on portable devices.
+
+- **Firewall state: On**. We recommend that you prevent the user from turning it off.
+
+- **Default behavior for Inbound connections: Block**. We recommend that you enforce the default behavior of blocking unsolicited inbound connections. To allow network traffic for a specific program, create an inbound rule that serves as an exception to this default behavior.
+
+- **Default behavior for Outbound connections: Allow**. We recommend that you enforce the default behavior of allowing outbound connections.
+
+- **Allow unicast response: Yes**. We recommend that you use the default setting of **Yes** unless you have specific requirements to do otherwise.
+
+- **Apply local firewall rules: Yes**. We recommend that you allow users to create and use local firewall rules. If you set this to **No**, then when a user clicks **Allow** on the notification message to allow traffic for a new program, Windows does not create a new firewall rule and the traffic remains blocked.
+
+ If you and the IT staff can create and maintain the list of firewall rules for all permitted applications and deploy them by using GPOs then you can set this value to **No**.
+
+- **Apply local connection security rules: No**. We recommend that you prevent users from creating and using their own connection security rules. Connection failures caused by conflicting rules can be difficult to troubleshoot.
+
+- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Firewall service account has write permissions.
+
+- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port.
+
+ Inbound rules are common on servers, because they host services to which client devices connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. Examine the rules to ensure that they do not open up more ports than are required.
+
+ >**Important:** If you create inbound rules that permit RPC network traffic by using the **RPC Endpoint Mapper** and **Dynamic RPC** rule options, then all inbound RPC network traffic is permitted because the firewall cannot filter network traffic based on the UUID of the destination application.
+
+- **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs.
+
+**Next: **[Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
diff --git a/windows/keep-secure/planning-the-gpos.md b/windows/keep-secure/planning-the-gpos.md
new file mode 100644
index 0000000000..b22f0497cd
--- /dev/null
+++ b/windows/keep-secure/planning-the-gpos.md
@@ -0,0 +1,55 @@
+---
+title: Planning the GPOs (Windows 10)
+description: Planning the GPOs
+ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Planning the GPOs
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones.
+
+## General considerations
+
+A few things to consider as you plan the GPOs:
+
+- Do not allow a device to be a member of more than one isolation zone. A device in more than one zone receives multiple and possibly contradictory GPOs. This can result in unexpected, and difficult to troubleshoot behavior.
+
+ The examples in this guide show GPOs that are designed to prevent the requirement to belong to multiple zones.
+
+- Ensure that the IPsec algorithms you specify in your GPOs are compatible across all the versions of Windows. The same principle applies to the data integrity and encryption algorithms. We recommend that you include the more advanced algorithms when you have the option of selecting several in an ordered list. The devices will negotiate down from the top of their lists, selecting one that is configured on both devices.
+
+- The primary difference in your domain isolation GPOs is whether the rules request or require authentication.
+
+ >**Caution:** It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the devices over time, applying a require policy to one device breaks its ability to communicate with another device that has not yet received its policy. Using request mode at the beginning enables devices to continue communicating by using plaintext connections if required. After you confirm that your devices are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone.
+
+- Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles.
+
+ >**Note:** Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network.
+
+After considering these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs.
+
+## Woodgrove Bank example GPOs
+
+
+The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which devices receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section.
+
+In this section you can find information about the following:
+
+- [Firewall GPOs](firewall-gpos.md)
+
+- [Isolated Domain GPOs](isolated-domain-gpos.md)
+
+- [Boundary Zone GPOs](boundary-zone-gpos.md)
+
+- [Encryption Zone GPOs](encryption-zone-gpos.md)
+
+- [Server Isolation GPOs](server-isolation-gpos.md)
diff --git a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md
new file mode 100644
index 0000000000..1801d2a86a
--- /dev/null
+++ b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -0,0 +1,48 @@
+---
+title: Planning to Deploy Windows Firewall with Advanced Security (Windows 10)
+description: Planning to Deploy Windows Firewall with Advanced Security
+ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Planning to Deploy Windows Firewall with Advanced Security
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization.
+
+## Reviewing your Windows Firewall with Advanced Security Design
+
+If the design team that created the Windows Firewall with Advanced Security design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points:
+
+- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide:
+
+ - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
+
+ - [Planning the GPOs](planning-the-gpos.md)
+
+ - [Planning GPO Deployment](planning-gpo-deployment.md)
+
+- The communication to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list.
+
+- The recommendation that domain controllers are exempted from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
+
+- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated.
+
+- The requirement that all devices that must communicate with each other share a common set of:
+
+ - Authentication methods
+
+ - Main mode key exchange algorithms
+
+ - Quick mode data integrity algorithms
+
+ If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
+
+After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md).
diff --git a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md
new file mode 100644
index 0000000000..c800eca94d
--- /dev/null
+++ b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md
@@ -0,0 +1,91 @@
+---
+title: Planning Your Windows Firewall with Advanced Security Design (Windows 10)
+description: Planning Your Windows Firewall with Advanced Security Design
+ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Planning Your Windows Firewall with Advanced Security Design
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs.
+
+## Basic firewall design
+
+We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization.
+
+When you are ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) section.
+
+## Algorithm and method support and selection
+
+To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, as well as their relative strengths.
+
+## IPsec performance considerations
+
+Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms.
+
+IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This frees up a device’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps.
+
+## Domain isolation design
+
+
+Include this design in your plans:
+
+- If you have an Active Directory domain of which most of the devices are members.
+
+- If you want to prevent the devices in your organization from accepting any unsolicited network traffic from devices that are not part of the domain.
+
+If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you are sure that the devices are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you are troubleshooting.
+
+When you are ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section.
+
+## Server isolation design
+
+
+Include this design in your plans:
+
+- If you have an isolated domain and you want to additionally restrict access to specific servers to only authorized users and devices.
+
+- You are not deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. You can restrict access to the isolated servers to only authorized users and devices.
+
+If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the additional server isolation elements.
+
+When you are ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](planning-server-isolation-zones.md) section.
+
+## Certificate-based authentication design
+
+
+Include this design in your plans:
+
+- If you want to implement some of the elements of domain or server isolation on devices that are not joined to an Active Directory domain, or do not want to use domain membership as an authentication mechanism.
+
+- You have an isolated domain and want to include a server that is not a member of the Active Directory domain because the device is not running Windows, or for any other reason.
+
+- You must enable external devices that are not managed by your organization to access information on one of your servers, and want to do this in a secure way.
+
+If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the devices that require it.
+
+When you are ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) section.
+
+## Documenting your design
+
+
+After you finish selecting the designs that you will use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team.
+
+- [Documenting the Zones](documenting-the-zones.md)
+
+## Designing groups and GPOs
+
+
+After you have selected a design and assigned your devices to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you will use to apply the settings and rules to your devices.
+
+When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
+
+**Next: **[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
diff --git a/windows/keep-secure/procedures-used-in-this-guide.md b/windows/keep-secure/procedures-used-in-this-guide.md
new file mode 100644
index 0000000000..d19699b94b
--- /dev/null
+++ b/windows/keep-secure/procedures-used-in-this-guide.md
@@ -0,0 +1,92 @@
+---
+title: Procedures Used in This Guide (Windows 10)
+description: Procedures Used in This Guide
+ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Procedures Used in This Guide
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order.
+
+- [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
+
+- [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
+
+- [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
+
+- [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
+
+- [Configure Authentication Methods](configure-authentication-methods.md)
+
+- [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)
+
+- [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
+
+- [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)
+
+- [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
+
+- [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
+
+- [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
+
+- [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
+
+- [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
+
+- [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
+
+- [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
+
+- [Create a Group Policy Object](create-a-group-policy-object.md)
+
+- [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
+
+- [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
+
+- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
+
+- [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
+
+- [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
+
+- [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
+
+- [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
+
+- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
+
+- [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
+
+- [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
+
+- [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
+
+- [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
+
+- [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
+
+- [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
+
+- [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
+
+- [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md)
+
+- [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
+
+- [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
+
+- [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
+
+- [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
+
+- [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
diff --git a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md
new file mode 100644
index 0000000000..a24379dacf
--- /dev/null
+++ b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md
@@ -0,0 +1,42 @@
+---
+title: Protect Devices from Unwanted Network Traffic (Windows 10)
+description: Protect Devices from Unwanted Network Traffic
+ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Protect Devices from Unwanted Network Traffic
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats.
+
+Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](http://www.microsoft.com/security/sir/default.aspx).
+
+Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it is away from the organization's network.
+
+A host-based firewall helps secure a device by dropping all network traffic that does not match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](basic-firewall-policy-design.md), provides the following benefits:
+
+- Network traffic that is a reply to a request from the local device is permitted into the device from the network.
+
+- Network traffic that is unsolicited, but that matches a rule for allowed network traffic, is permitted into the device from the network.
+
+ For example, Woodgrove Bank wants a device that is running SQL Server to be able to receive the SQL queries sent to it by client devices. The firewall policy deployed to the device that is running SQL Server includes firewall rules that specifically allow inbound network traffic for the SQL Server program.
+
+- Outbound network traffic that is not specifically blocked is allowed on the network.
+
+ For example, Woodgrove Bank has a corporate policy that prohibits the use of certain peer-to-peer file sharing programs. The firewall policy deployed to the computers on the network includes firewall rules that block both inbound and outbound network traffic for the prohibited programs. All other outbound traffic is permitted.
+
+The following component is recommended for this deployment goal:
+
+- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain.
+
+Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations.
+
+**Next: **[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md
new file mode 100644
index 0000000000..890eaf1d99
--- /dev/null
+++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md
@@ -0,0 +1,40 @@
+---
+title: Require Encryption When Accessing Sensitive Network Resources (Windows 10)
+description: Require Encryption When Accessing Sensitive Network Resources
+ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Require Encryption When Accessing Sensitive Network Resources
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted.
+
+For devices that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it.
+
+The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory.
+
+
+
+This goal provides the following benefits:
+
+- Devices in the encryption zone require authentication to communicate with other devices. This works no differently from the domain isolation goal and design. For more info, see [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md).
+
+- Devices in the encryption zone require that all inbound and outbound network traffic be encrypted.
+
+ For example, Woodgrove Bank processes sensitive customer data on a device that must be protected from eavesdropping by devices on the network. Connection security rules specify that all traffic must be encrypted by a sufficiently complex encryption algorithm to help protect the data.
+
+- Devices in the encryption zone are often good candidates for server isolation, where access is limited to only computer accounts and user accounts that are members of an authorized access group. In many organizations, the encryption zone and the server isolation zone are one and the same. For more info, see [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md).
+
+The following components are required for this deployment goal:
+
+- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
+
+**Next: **[Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md
new file mode 100644
index 0000000000..049625343b
--- /dev/null
+++ b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md
@@ -0,0 +1,44 @@
+---
+title: Restrict Access to Only Specified Users or Devices (Windows 10)
+description: Restrict Access to Only Specified Users or Devices
+ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Restrict Access to Only Specified Users or Computers
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data.
+
+Windows Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple devices in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)).
+
+Restricting access to only users and devices that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations.
+
+You can restrict access by specifying either computer or user credentials.
+
+The following illustration shows an isolated server, and examples of devices that can and cannot communicate with it. Devices that are outside the Woodgrove corporate network, or computers that are in the isolated domain but are not members of the required NAG, cannot communicate with the isolated server.
+
+
+
+This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features:
+
+- Isolated servers accept unsolicited inbound network traffic only from devices or users that are members of the NAG.
+
+- Isolated servers can be implemented as part of an isolated domain, and treated as another zone. Members of the zone group receive a GPO with rules that require authentication, and that specify that only network traffic authenticated as coming from a member of the NAG is allowed.
+
+- Server isolation can also be configured independently of an isolated domain. To do so, configure only the devices that must communicate with the isolated server with connection security rules to implement authentication and check NAG membership.
+
+- A server isolation zone can be simultaneously configured as an encryption zone. To do this, configure the GPO with rules that force encryption in addition to requiring authentication and restricting access to NAG members. For more information, see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
+
+The following components are required for this deployment goal:
+
+- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
+
+**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
diff --git a/windows/keep-secure/restrict-access-to-only-trusted-devices.md b/windows/keep-secure/restrict-access-to-only-trusted-devices.md
new file mode 100644
index 0000000000..d2b47a2dbe
--- /dev/null
+++ b/windows/keep-secure/restrict-access-to-only-trusted-devices.md
@@ -0,0 +1,54 @@
+---
+title: Restrict Access to Only Trusted Devices (Windows 10)
+description: Restrict Access to Only Trusted Devices
+ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Restrict Access to Only Trusted Devices
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required.
+
+To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method.
+
+>**Note:** Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain.
+
+The protection provided by domain isolation can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations.
+
+The following illustration shows an isolated domain, with one of the zones that are optionally part of the design. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory.
+
+
+
+These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits:
+
+- Devices in the isolated domain accept unsolicited inbound network traffic only when it can be authenticated as coming from another device in the isolated domain. Exemption rules can be defined to allow inbound traffic from trusted computers that for some reason cannot perform IPsec authentication.
+
+ For example, Woodgrove Bank wants all of its devices to block all unsolicited inbound network traffic from any device that it does not manage. The connection security rules deployed to domain member devices require authentication as a domain member or by using a certificate before an unsolicited inbound network packet is accepted.
+
+- Devices in the isolated domain can still send outbound network traffic to untrusted devices and receive the responses to the outbound requests.
+
+ For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Firewall with Advanced Security settings for outbound network traffic allow this. No additional rules are required.
+
+These goals also support optional zones that can be created to add customized protection to meet the needs of subsets of an organization's devices:
+
+- Devices in the "boundary zone" are configured to use connection security rules that request but do not require authentication. This enables them to receive unsolicited inbound network traffic from untrusted devices, and also to receive traffic from the other members of the isolated domain.
+
+ For example, Woodgrove Bank has a server that must be accessed by its partners' devices through the Internet. The rules applied to devices in the boundary zone use authentication when the client device can support it, but do not block the connection if the client device cannot authenticate.
+
+- Devices in the "encryption zone" require that all network traffic in and out must be encrypted to secure potentially sensitive material when it is sent over the network.
+
+ For example, Woodgrove Bank wants the devices running SQL Server to only transmit data that is encrypted to help protect the sensitive data stored on those devices.
+
+The following components are required for this deployment goal:
+
+- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
+
+**Next: **[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
diff --git a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md
new file mode 100644
index 0000000000..85d7267abb
--- /dev/null
+++ b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md
@@ -0,0 +1,44 @@
+---
+title: Restrict Server Access to Members of a Group Only (Windows 10)
+description: Restrict Server Access to Members of a Group Only
+ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Restrict Server Access to Members of a Group Only
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group.
+
+In this topic:
+
+- [Create a firewall rule to access isolated servers running Windows Server 2008 or later](#to-create-a-firewall-rule-that-grants-access-to-an-isolated-server)
+
+**Administrative credentials**
+
+To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+
+## To create a firewall rule that grants access to an isolated server
+
+1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone.
+
+2. In the navigation pane, right-click **Inbound Rules**, and then click **New Rule**.
+
+3. On the **Rule Type** page, click **Custom**, and then click **Next**.
+
+4. If you must restrict access to a single network program, then you can select **This program path**, and specify the program or service to which to grant access. Otherwise, click **All programs**, and then click **Next**.
+
+5. If you must restrict access to only some TCP or UDP port numbers, then enter the port numbers on the **Protocol and Ports** page. Otherwise, set **Protocol type** to **Any**, and then click **Next**.
+
+6. On the **Scope** page, select **Any IP address** for both local and remote addresses, and then click **Next**.
+
+7. On the **Action** page, click **Allow the connection if it is secure**. If required by your design, you can also click **Customize** and select **Require the connections to be encrypted**. Click **Next**.
+
+8. On the **Users and Computers** page, select the check box for the type of accounts (computer or user) you want to allow, click **Add**, and then enter the group account that contains the device and user accounts permitted to access the server.
diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md
new file mode 100644
index 0000000000..fa9c66bfb4
--- /dev/null
+++ b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md
@@ -0,0 +1,189 @@
+---
+title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows 10)
+description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Securing End-to-End IPsec connections by using IKEv2
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+IKEv2 offers the following:
+
+- Supports IPsec end-to-end transport mode connections
+
+- Provides interoperability for Windows with other operating systems that use IKEv2 for end-to-end security
+
+- Supports Suite B (RFC 4869) requirements
+
+- Coexists with existing policies that deploy AuthIP/IKEv1
+
+- Uses the Windows PowerShell interface exclusively for configuration. You cannot configure IKEv2 through the user interface.
+
+- Uses certificates for the authentication mechanism
+
+You can use IKEv2 as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection.
+
+**In this document**
+
+- [Prerequisites](#prerequisites)
+
+- [Devices joined to a domain](#devices-joined-to-a-domain)
+
+- [Device not joined to a domain](#devices-not-joined-to-a-domain)
+
+- [Troubleshooting](#troubleshooting)
+
+>**Note:** This topic includes sample Windows PowerShell cmdlets. For more info, see [How to Run a Windows PowerShell Cmdlet](http://go.microsoft.com/fwlink/p/?linkid=230693).
+
+## Prerequisites
+
+These procedures assume that you already have a public key infrastructure (PKI) in place for device authentication.
+
+## Devices joined to a domain
+
+The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1.
+
+
+
+**Figure 1** The Contoso corporate network
+
+This script does the following:
+
+- Creates a security group called **IPsec client and servers** and adds CLIENT1 and SERVER1 as members.
+
+- Creates a Group Policy Object (GPO) called **IPsecRequireInRequestOut** and links it to the corp.contoso.com domain.
+
+- Sets the permissions to the GPO so that they apply only to the computers in **IPsec client and servers** and not to **Authenticated Users**.
+
+- Indicates the certificate to use for authentication.
+
+ >**Important:** The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
+
+- Creates the IKEv2 connection security rule called **My IKEv2 Rule**.
+
+**Windows PowerShell commands**
+
+Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
+
+``` syntax
+# Create a Security Group for the computers that will get the policy
+$pathname = (Get-ADDomain).distinguishedname
+New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" `
+-GroupCategory security -GroupScope Global -path $pathname
+
+# Add test computers to the Security Group
+$computer = Get-ADComputer -LDAPFilter "(name=client1)"
+Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer
+$computer = Get-ADComputer -LDAPFilter "(name=server1)"
+Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer
+
+# Create and link the GPO to the domain
+$gpo = New-gpo IPsecRequireInRequestOut
+$gpo | new-gplink -target "dc=corp,dc=contoso,dc=com" -LinkEnabled Yes
+
+# Set permissions to security group for the GPO
+$gpo | Set-GPPermissions -TargetName "IPsec client and servers" -TargetType Group -PermissionLevel GpoApply -Replace
+$gpo | Set-GPPermissions -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace
+
+#Set up the certificate for authentication
+$gponame = "corp.contoso.com\IPsecRequireInRequestOut"
+$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA"
+$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop –PolicyStore GPO:$gponame
+
+#Create the IKEv2 Connection Security rule
+New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID `
+-InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 -PolicyStore GPO:$gponame
+```
+
+## Devices not joined to a domain
+
+Use a Windows PowerShell script similar to the following to create a local IPsec policy on the devices that you want to include in the secure connection.
+
+>**Important:** The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
+
+**Windows PowerShell commands**
+
+Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
+
+``` syntax
+#Set up the certificate
+$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA"
+$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop
+
+#Create the IKEv2 Connection Security rule
+New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID `
+-InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2
+```
+
+Make sure that you install the required certificates on the participating computers.
+
+>**Note:**
+- For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](http://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys).
+- You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder.
+- For remote devices, you can create a secure website to facilitate access to the script and certificates.
+
+## Troubleshooting
+
+Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections:
+
+**Use the Windows Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.**
+
+1. Open the Windows Firewall with Advanced Security console.
+
+2. In the left pane of the Windows Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule.
+
+3. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile.
+
+**Use Windows PowerShell cmdlets to display the security associations.**
+
+1. Open a Windows PowerShell command prompt.
+
+2. Type **get-NetIPsecQuickModeSA** to display the Quick Mode security associations.
+
+3. Type **get-NetIPsecMainModeSA** to display the Main Mode security associations.
+
+**Use netsh to capture IPsec events.**
+
+1. Open an elevated command prompt.
+
+2. At the command prompt, type **netsh wfp capture start**.
+
+3. Reproduce the error event so that it can be captured.
+
+4. At the command prompt, type **netsh wfp capture stop**.
+
+ A wfpdiag.cab file is created in the current folder.
+
+5. Open the cab file, and then extract the wfpdiag.xml file.
+
+6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file:
+
+ ``` syntax
+
By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
+| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).|
+| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.|
+| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.|
+| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The additional protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.|
+| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Firewall with Advanced Security allows all solicited network traffic through.|
+| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Firewall with Advanced Security blocks all unsolicited network traffic. |
+| Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
This is not related to the term zone as used by Domain Name System (DNS). |
+
+**Next:** [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/keep-secure/windows-firewall-with-advanced-security.md b/windows/keep-secure/windows-firewall-with-advanced-security.md
new file mode 100644
index 0000000000..51c6967315
--- /dev/null
+++ b/windows/keep-secure/windows-firewall-with-advanced-security.md
@@ -0,0 +1,42 @@
+---
+title: Windows Firewall with Advanced Security (Windows 10)
+description: Windows Firewall with Advanced Security
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Windows Firewall with Advanced Security
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 Technical Preview
+
+This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
+
+## Feature description
+
+Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your network’s isolation strategy.
+
+## Practical applications
+
+
+To help address your organizational network security challenges, Windows Firewall with Advanced Security offers the following benefits:
+
+- **Reduces the risk of network security threats.** Windows Firewall with Advanced Security reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
+
+- **Safeguards sensitive data and intellectual property.** With its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
+
+- **Extends the value of existing investments.** Because Windows Firewall with Advanced Security is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall with Advanced Security is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
+
+## In this section
+
+| Topic | Description
+| - | - |
+| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Firewall configuration to isolate the network access of Windows Store apps that run on devices. |
+| [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. |
+| [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Firewall. |
+| [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Firewall with Advanced Security. |
+| [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Firewall with Advanced Security. |
diff --git a/windows/manage/acquire-apps-windows-store-for-business.md b/windows/manage/acquire-apps-windows-store-for-business.md
index 8e22322f1c..47dc081e5c 100644
--- a/windows/manage/acquire-apps-windows-store-for-business.md
+++ b/windows/manage/acquire-apps-windows-store-for-business.md
@@ -1,7 +1,7 @@
---
title: Acquire apps in Windows Store for Business (Windows 10)
description: As an admin, you can acquire apps from the Windows Store for Business for your employees. Some apps are free, and some have a price. For info on app types that are supported, see Apps in the Windows Store for Business.
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
---
diff --git a/windows/manage/add-unsigned-app-to-code-integrity-policy.md b/windows/manage/add-unsigned-app-to-code-integrity-policy.md
index 538034d0f2..8ccdfd7c62 100644
--- a/windows/manage/add-unsigned-app-to-code-integrity-policy.md
+++ b/windows/manage/add-unsigned-app-to-code-integrity-policy.md
@@ -2,7 +2,7 @@
title: Add unsigned app to code integrity policy (Windows 10)
description: When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device.
ms.assetid: 580E18B1-2FFD-4EE4-8CC5-6F375BE224EA
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/administrative-tools-in-windows-10.md b/windows/manage/administrative-tools-in-windows-10.md
index 5019f298d8..cc42197767 100644
--- a/windows/manage/administrative-tools-in-windows-10.md
+++ b/windows/manage/administrative-tools-in-windows-10.md
@@ -2,7 +2,7 @@
title: Administrative Tools in Windows 10 (Windows 10)
description: Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.
ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md
index 245d15cac1..16923a2b15 100644
--- a/windows/manage/app-inventory-managemement-windows-store-for-business.md
+++ b/windows/manage/app-inventory-managemement-windows-store-for-business.md
@@ -2,7 +2,7 @@
title: App inventory management for Windows Store for Business (Windows 10)
description: You can manage all apps that you've acquired on your Inventory page.
ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/application-development-for-windows-as-a-service.md b/windows/manage/application-development-for-windows-as-a-service.md
index cffbdd7092..5b8fc04a92 100644
--- a/windows/manage/application-development-for-windows-as-a-service.md
+++ b/windows/manage/application-development-for-windows-as-a-service.md
@@ -2,7 +2,7 @@
title: Application development for Windows as a service (Windows 10)
description: In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years.
ms.assetid: 28E0D103-B0EE-4B14-8680-6F30BD373ACF
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md
index 30d0677d94..bd94b6ad6f 100644
--- a/windows/manage/apps-in-windows-store-for-business.md
+++ b/windows/manage/apps-in-windows-store-for-business.md
@@ -2,7 +2,7 @@
title: Apps in Windows Store for Business (Windows 10)
description: Windows Store for Business has thousands of apps from many different categories.
ms.assetid: CC5641DA-3CEA-4950-AD81-1AF1AE876926
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/assign-apps-to-employees.md b/windows/manage/assign-apps-to-employees.md
index c6e8393f30..e3be271bfd 100644
--- a/windows/manage/assign-apps-to-employees.md
+++ b/windows/manage/assign-apps-to-employees.md
@@ -2,7 +2,7 @@
title: Assign apps to employees (Windows 10)
description: Administrators can assign online-licensed apps to employees in their organization.
ms.assetid: A0DF4EC2-BE33-41E1-8832-DBB0EBECA31A
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index df398cfd27..5bdd320fd8 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -2,7 +2,7 @@
title: Change history for Manage and update Windows 10 (Windows 10)
description: This topic lists new and updated topics in the Manage and update Windows 10 documentation for Windows 10 and Windows 10 Mobile.
ms.assetid: 29144AFA-1DA9-4532-B07D-1EBE34B7E1E0
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
@@ -17,7 +17,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| New or changed topic | Description |
| ---|---|
| [Group Policies that apply only to Windows 10 Enterprise and Education Editions](group-policies-for-enterprise-and-education-editions.md) | New |
-| [Configure Windows 10 devices to stop data flow to Microsoft](configure-windows-10-devices-to-stop-data-flow-to-microsoft.md) | Added section on how to turn off Live Tiles |
+| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added section on how to turn off Live Tiles |
| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |Removed info about sharing wi-fi network access with contacts, since it's been deprecated. |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/manage/changes-to-start-policies-in-windows-10.md
index 30a8c0a870..8697ff8945 100644
--- a/windows/manage/changes-to-start-policies-in-windows-10.md
+++ b/windows/manage/changes-to-start-policies-in-windows-10.md
@@ -3,7 +3,7 @@ title: Changes to Group Policy settings for Windows 10 Start (Windows 10)
description: Windows 10 has a brand new Start experience.
ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F
keywords: ["group policy", "start menu", "start screen"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md
index 82e3420ae6..11dd816f58 100644
--- a/windows/manage/configure-devices-without-mdm.md
+++ b/windows/manage/configure-devices-without-mdm.md
@@ -3,7 +3,7 @@ title: Configure devices without MDM (Windows 10)
description: Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10.
ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
keywords: ["runtime provisioning", "provisioning package"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/configure-mdm-provider-windows-store-for-business.md b/windows/manage/configure-mdm-provider-windows-store-for-business.md
index 2b94aba619..d187a3674a 100644
--- a/windows/manage/configure-mdm-provider-windows-store-for-business.md
+++ b/windows/manage/configure-mdm-provider-windows-store-for-business.md
@@ -2,7 +2,7 @@
title: Configure an MDM provider (Windows 10)
description: For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Windows Store for Business inventory to manage apps with offline licenses.
ms.assetid: B3A45C8C-A96C-4254-9659-A9B364784673
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/manage/customize-and-export-start-layout.md
index 4d1f382a15..bd7b75c0fd 100644
--- a/windows/manage/customize-and-export-start-layout.md
+++ b/windows/manage/customize-and-export-start-layout.md
@@ -3,7 +3,7 @@ title: Customize and export Start layout (Windows 10)
description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout.
ms.assetid: CA8DF327-5DD4-452F-9FE5-F17C514B6236
keywords: ["start screen"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
index 614edb4d66..bf5aed9ec4 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md
@@ -3,7 +3,7 @@ title: Customize Windows 10 Start with Group Policy (Windows 10)
description: In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545
keywords: ["Start layout", "start menu", "layout", "group policy"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
index d3c9160101..a0ad00415a 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -3,7 +3,7 @@ title: Customize Windows 10 Start with mobile device management (MDM) (Windows 1
description: In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users.
ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4
keywords: ["start screen", "start menu"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index 3af066fdac..cc0c54d783 100644
--- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -3,7 +3,7 @@ title: Customize Windows 10 Start with ICD and provisioning packages (Windows 10
description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users.
ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC
keywords: ["Start layout", "start menu"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/device-guard-signing-portal.md b/windows/manage/device-guard-signing-portal.md
index 4604411897..c511f4b081 100644
--- a/windows/manage/device-guard-signing-portal.md
+++ b/windows/manage/device-guard-signing-portal.md
@@ -2,7 +2,7 @@
title: Device Guard signing (Windows 10)
description: Device Guard signing is a Device Guard feature that is available in the Windows Store for Business.
ms.assetid: 8D9CD2B9-5FC6-4C3D-AA96-F135AFEEBB78
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/distribute-apps-from-your-private-store.md b/windows/manage/distribute-apps-from-your-private-store.md
index d751c6d2f2..07e519edc4 100644
--- a/windows/manage/distribute-apps-from-your-private-store.md
+++ b/windows/manage/distribute-apps-from-your-private-store.md
@@ -2,7 +2,7 @@
title: Distribute apps using your private store (Windows 10)
description: The private store is a feature in Windows Store for Business that organizations receive during the sign up process.
ms.assetid: C4644035-845C-4C84-87F0-D87EA8F5BA19
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md b/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md
index 28f762ec11..1c58d0489a 100644
--- a/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md
+++ b/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md
@@ -2,7 +2,7 @@
title: Distribute apps to your employees from the Windows Store for Business (Windows 10)
description: Distribute apps to your employees from Windows Store for Business. You can assign apps to employees, or let employees install them from your private store.
ms.assetid: E591497C-6DFA-49C1-8329-4670F2164E9E
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/distribute-apps-with-management-tool.md b/windows/manage/distribute-apps-with-management-tool.md
index 37824f30c5..65abfa89d6 100644
--- a/windows/manage/distribute-apps-with-management-tool.md
+++ b/windows/manage/distribute-apps-with-management-tool.md
@@ -2,7 +2,7 @@
title: Distribute apps with a management tool (Windows 10)
description: You can configure a mobile device management (MDM) tool to synchronize your Store for Business inventory. Store for Business management tool services work with MDM tools to manage content.
ms.assetid: 006F5FB1-E688-4769-BD9A-CFA6F5829016
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md
index 8cb184da6b..82c3720714 100644
--- a/windows/manage/distribute-offline-apps.md
+++ b/windows/manage/distribute-offline-apps.md
@@ -2,7 +2,7 @@
title: Distribute offline apps (Windows 10)
description: Offline licensing is a new licensing option for Windows 10.
ms.assetid: 6B9F6876-AA66-4EE4-A448-1371511AC95E
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/find-and-acquire-apps-overview.md b/windows/manage/find-and-acquire-apps-overview.md
index dbb7882835..28a4e36fef 100644
--- a/windows/manage/find-and-acquire-apps-overview.md
+++ b/windows/manage/find-and-acquire-apps-overview.md
@@ -2,7 +2,7 @@
title: Find and acquire apps (Windows 10)
description: Use the Windows Store for Business to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
ms.assetid: 274A5003-5F15-4635-BB8B-953953FD209A
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md
index 5d5f71e9f1..8a39c49e60 100644
--- a/windows/manage/group-policies-for-enterprise-and-education-editions.md
+++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md
@@ -1,7 +1,7 @@
---
title: Group Policies that apply only to Windows 10 Enterprise and Education Editions (Windows 10)
description: Use this topic to learn about Group Policy objects that apply only to Windows 10 Enterprise and Windows 10 Education.
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
---
diff --git a/windows/manage/how-it-pros-can-use-configuration-service-providers.md b/windows/manage/how-it-pros-can-use-configuration-service-providers.md
index 463a578534..bab2563813 100644
--- a/windows/manage/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/manage/how-it-pros-can-use-configuration-service-providers.md
@@ -2,7 +2,7 @@
title: Introduction to configuration service providers (CSPs) for IT pros (Windows 10)
description: Configuration service providers (CSPs) expose device configuration settings in Windows 10.
ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/index.md b/windows/manage/index.md
index 412bfc3d9b..fa16723bc3 100644
--- a/windows/manage/index.md
+++ b/windows/manage/index.md
@@ -3,7 +3,7 @@ title: Manage and update Windows 10 (Windows 10)
description: Learn about managing and updating Windows 10.
ms.assetid: E5716355-02AB-4B75-A962-14B1A7F7BDA0
keywords: Windows 10, MDM, WSUS, Windows update
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md
index 0c6c2ab9a6..4a7499aac7 100644
--- a/windows/manage/introduction-to-windows-10-servicing.md
+++ b/windows/manage/introduction-to-windows-10-servicing.md
@@ -3,7 +3,7 @@ title: Windows 10 servicing options for updates and upgrades (Windows 10)
description: This article describes the new servicing options available in Windows 10.
ms.assetid: D1DEB7C0-283F-4D7F-9A11-EE16CB242B42
keywords: update, LTSB, lifecycle, Windows update, upgrade
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
index cd798c3163..876c02620c 100644
--- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
@@ -2,7 +2,7 @@
title: Join Windows 10 Mobile to Azure Active Directory (Windows 10)
description: Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE).
ms.assetid: 955DD9EC-3519-4752-827E-79CEB1EC8D6B
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/lock-down-windows-10-to-specific-apps.md b/windows/manage/lock-down-windows-10-to-specific-apps.md
index 095f7b1bbf..800fe35493 100644
--- a/windows/manage/lock-down-windows-10-to-specific-apps.md
+++ b/windows/manage/lock-down-windows-10-to-specific-apps.md
@@ -3,7 +3,7 @@ title: Lock down Windows 10 to specific apps (Windows 10)
description: Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
keywords: ["lockdown", "app restrictions", "applocker"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md
index 61004d8822..4c11f7b7ce 100644
--- a/windows/manage/lock-down-windows-10.md
+++ b/windows/manage/lock-down-windows-10.md
@@ -3,7 +3,7 @@ title: Lock down Windows 10 (Windows 10)
description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D
keywords: lockdown
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md
index 616e800b95..3baacaad11 100644
--- a/windows/manage/lockdown-xml.md
+++ b/windows/manage/lockdown-xml.md
@@ -2,7 +2,7 @@
title: Configure Windows 10 Mobile using Lockdown XML (Windows 10)
description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.
ms.assetid: 22C8F654-2EC3-4E6D-8666-1EA9FCF90F5F
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/manage-apps-windows-store-for-business-overview.md b/windows/manage/manage-apps-windows-store-for-business-overview.md
index f763f788bf..faaed20b58 100644
--- a/windows/manage/manage-apps-windows-store-for-business-overview.md
+++ b/windows/manage/manage-apps-windows-store-for-business-overview.md
@@ -2,7 +2,7 @@
title: Manage apps in Windows Store for Business (Windows 10)
description: Manage settings and access to apps in Windows Store for Business.
ms.assetid: 2F65D4C3-B02C-41CC-92F0-5D9937228202
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 616f93dc73..b1a2217df3 100644
--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -3,7 +3,7 @@ title: Manage connections from Windows operating system components to Microsoft
description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
keywords: privacy, manage connections to Microsoft
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
---
diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md
index bbfa571b02..87b3a7684b 100644
--- a/windows/manage/manage-corporate-devices.md
+++ b/windows/manage/manage-corporate-devices.md
@@ -3,7 +3,7 @@ title: Manage corporate devices (Windows 10)
description: You can use the same management tools to manage all device types running Windows 10 desktops, laptops, tablets, and phones.
ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D
keywords: ["MDM", "device management"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md
index 0a364336aa..8535d16d65 100644
--- a/windows/manage/manage-inventory-windows-store-for-business.md
+++ b/windows/manage/manage-inventory-windows-store-for-business.md
@@ -2,7 +2,7 @@
title: Manage inventory in Windows Store for Business (Windows 10)
description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses.
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/app-inventory-management-windows-store-for-business
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
---
diff --git a/windows/manage/manage-orders-windows-store-for-business.md b/windows/manage/manage-orders-windows-store-for-business.md
index d698699806..bfebed0a7e 100644
--- a/windows/manage/manage-orders-windows-store-for-business.md
+++ b/windows/manage/manage-orders-windows-store-for-business.md
@@ -1,7 +1,7 @@
---
title: Manage app orders in Windows Store for Business (Windows 10)
description: You can view your order history with Windows Store for Business.
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
---
diff --git a/windows/manage/manage-private-store-settings.md b/windows/manage/manage-private-store-settings.md
index 835535ff36..dd0d959555 100644
--- a/windows/manage/manage-private-store-settings.md
+++ b/windows/manage/manage-private-store-settings.md
@@ -2,7 +2,7 @@
title: Manage private store settings (Windows 10)
description: The private store is a feature in the Windows Store for Business that organizations receive during the sign up process.
ms.assetid: 2D501538-0C6E-4408-948A-2BF5B05F7A0C
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/manage-settings-windows-store-for-business.md b/windows/manage/manage-settings-windows-store-for-business.md
index 488b0f26ab..5736a2df33 100644
--- a/windows/manage/manage-settings-windows-store-for-business.md
+++ b/windows/manage/manage-settings-windows-store-for-business.md
@@ -2,7 +2,7 @@
title: Manage settings for the Windows Store for Business (Windows 10)
description: You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
ms.assetid: E3283D77-4DB2-40A9-9479-DDBC33D5A895
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/manage-users-and-groups-windows-store-for-business.md b/windows/manage/manage-users-and-groups-windows-store-for-business.md
index 8621faf1e6..a057ed9e67 100644
--- a/windows/manage/manage-users-and-groups-windows-store-for-business.md
+++ b/windows/manage/manage-users-and-groups-windows-store-for-business.md
@@ -2,7 +2,7 @@
title: Manage user accounts in Windows Store for Business (Windows 10)
description: Windows Store for Business manages permissions with a set of roles. Currently, you can assign these roles to individuals in your organization, but not to groups.
ms.assetid: 5E7FA071-CABD-4ACA-8AAE-F549EFCE922F
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/manage-wifi-sense-in-enterprise.md b/windows/manage/manage-wifi-sense-in-enterprise.md
index 58d0eadae7..2728a8dd5d 100644
--- a/windows/manage/manage-wifi-sense-in-enterprise.md
+++ b/windows/manage/manage-wifi-sense-in-enterprise.md
@@ -3,7 +3,7 @@ title: Manage Wi-Fi Sense in your company (Windows 10)
description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places.
ms.assetid: 1845e00d-c4ee-4a8f-a5e5-d00f2735a271
keywords: ["WiFi Sense", "automatically connect to wi-fi", "wi-fi hotspot connection"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
diff --git a/windows/manage/new-policies-for-windows-10.md b/windows/manage/new-policies-for-windows-10.md
index 7bc7dd8224..2da6a7e615 100644
--- a/windows/manage/new-policies-for-windows-10.md
+++ b/windows/manage/new-policies-for-windows-10.md
@@ -3,7 +3,7 @@ title: New policies for Windows 10 (Windows 10)
description: Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1.
ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D
keywords: ["MDM", "Group Policy"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/prerequisites-windows-store-for-business.md b/windows/manage/prerequisites-windows-store-for-business.md
index b3d9b02599..706b1a93a1 100644
--- a/windows/manage/prerequisites-windows-store-for-business.md
+++ b/windows/manage/prerequisites-windows-store-for-business.md
@@ -2,7 +2,7 @@
title: Prerequisites for Windows Store for Business (Windows 10)
description: There are a few prerequisites for using Windows Store for Business.
ms.assetid: CEBC6870-FFDD-48AD-8650-8B0DC6B2651D
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/product-ids-in-windows-10-mobile.md b/windows/manage/product-ids-in-windows-10-mobile.md
index 0dcbc397eb..0e9a15a716 100644
--- a/windows/manage/product-ids-in-windows-10-mobile.md
+++ b/windows/manage/product-ids-in-windows-10-mobile.md
@@ -3,7 +3,7 @@ title: Product IDs in Windows 10 Mobile (Windows 10)
description: You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user.
ms.assetid: 31116BED-C16A-495A-BD44-93218A087A1C
keywords: ["lockdown"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/reset-a-windows-10-mobile-device.md b/windows/manage/reset-a-windows-10-mobile-device.md
index 40b79a96a5..15d8ead349 100644
--- a/windows/manage/reset-a-windows-10-mobile-device.md
+++ b/windows/manage/reset-a-windows-10-mobile-device.md
@@ -2,7 +2,7 @@
title: Reset a Windows 10 Mobile device (Windows 10)
description: There are two methods for resetting a Windows 10 Mobile device factory reset and \ 0034;wipe and persist \ 0034; reset.
ms.assetid: B42A71F4-DFEE-4D6E-A904-7942D1AAB73F
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/roles-and-permissions-windows-store-for-business.md b/windows/manage/roles-and-permissions-windows-store-for-business.md
index fae343dfca..6906e95ed6 100644
--- a/windows/manage/roles-and-permissions-windows-store-for-business.md
+++ b/windows/manage/roles-and-permissions-windows-store-for-business.md
@@ -2,7 +2,7 @@
title: Roles and permissions in Windows Store for Business (Windows 10)
description: The first person to sign in to Windows Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.
ms.assetid: CB6281E1-37B1-4B8B-991D-BC5ED361F1EE
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/manage/set-up-a-device-for-anyone-to-use.md
index cc81d0801d..156c44901a 100644
--- a/windows/manage/set-up-a-device-for-anyone-to-use.md
+++ b/windows/manage/set-up-a-device-for-anyone-to-use.md
@@ -3,7 +3,7 @@ title: Set up a device for anyone to use (kiosk mode) (Windows 10)
description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8
keywords: ["kiosk", "lockdown", "assigned access"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index 55945ea84b..2c481fd829 100644
--- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -3,7 +3,7 @@ title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10)
description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
keywords: ["assigned access", "kiosk", "lockdown"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
index bc918aae23..6b5f7c60df 100644
--- a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
+++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
@@ -3,7 +3,7 @@ title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Wind
description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings.
ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7
keywords: ["kiosk", "lockdown", "assigned access"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/settings-reference-windows-store-for-business.md b/windows/manage/settings-reference-windows-store-for-business.md
index b3b1cf9083..7cf2f724c9 100644
--- a/windows/manage/settings-reference-windows-store-for-business.md
+++ b/windows/manage/settings-reference-windows-store-for-business.md
@@ -2,7 +2,7 @@
title: Settings reference Windows Store for Business (Windows 10)
description: The Windows Store for Business has a group of settings that admins use to manage the store.
ms.assetid: 34F7FA2B-B848-454B-AC00-ECA49D87B678
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/manage/settings-that-can-be-locked-down.md
index 09b88d9160..325b33fcb7 100644
--- a/windows/manage/settings-that-can-be-locked-down.md
+++ b/windows/manage/settings-that-can-be-locked-down.md
@@ -3,7 +3,7 @@ title: Settings and quick actions that can be locked down in Windows 10 Mobile (
description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile.
ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185
keywords: ["lockdown"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md b/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md
index 45cf03f80d..4fc6b81da0 100644
--- a/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md
+++ b/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md
@@ -2,7 +2,7 @@
title: Sign code integrity policy with Device Guard signing (Windows 10)
description: Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal.
ms.assetid: 63B56B8B-2A40-44B5-B100-DC50C43D20A9
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/sign-up-windows-store-for-business-overview.md b/windows/manage/sign-up-windows-store-for-business-overview.md
index 382b317a88..5aeff64c06 100644
--- a/windows/manage/sign-up-windows-store-for-business-overview.md
+++ b/windows/manage/sign-up-windows-store-for-business-overview.md
@@ -2,7 +2,7 @@
title: Sign up and get started (Windows 10)
description: IT admins can sign up for the Windows Store for Business, and get started working with apps.
ms.assetid: 87C6FA60-3AB9-4152-A85C-6A1588A20C7B
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/sign-up-windows-store-for-business.md b/windows/manage/sign-up-windows-store-for-business.md
index bbbb7df639..cd31dc1d15 100644
--- a/windows/manage/sign-up-windows-store-for-business.md
+++ b/windows/manage/sign-up-windows-store-for-business.md
@@ -2,7 +2,7 @@
title: Sign up for Windows Store for Business (Windows 10)
description: Before you sign up for Windows Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization.
ms.assetid: 296AAC02-5C79-4999-B221-4F5F8CEA1F12
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md
index a8e3f58f0b..7b3cb2aa7b 100644
--- a/windows/manage/stop-employees-from-using-the-windows-store.md
+++ b/windows/manage/stop-employees-from-using-the-windows-store.md
@@ -2,7 +2,7 @@
title: Configure access to Windows Store (Windows 10)
description: IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.
ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/troubleshoot-windows-store-for-business.md b/windows/manage/troubleshoot-windows-store-for-business.md
index 0c9404bb5a..f39d0bcdbf 100644
--- a/windows/manage/troubleshoot-windows-store-for-business.md
+++ b/windows/manage/troubleshoot-windows-store-for-business.md
@@ -2,7 +2,7 @@
title: Troubleshoot Windows Store for Business (Windows 10)
description: Troubleshooting topics for Windows Store for Business.
ms.assetid: 243755A3-9B20-4032-9A77-2207320A242A
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md
index 0150a4f7e4..613556110e 100644
--- a/windows/manage/update-windows-store-for-business-account-settings.md
+++ b/windows/manage/update-windows-store-for-business-account-settings.md
@@ -1,7 +1,7 @@
---
title: Update Windows Store for Business account settings (Windows 10)
description: The Account information page in Windows Store for Business shows information about your organization that you can update, including country or region, organization name, default domain, and language preference.
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md
index a818238913..6e48f9f183 100644
--- a/windows/manage/windows-10-mobile-and-mdm.md
+++ b/windows/manage/windows-10-mobile-and-mdm.md
@@ -3,7 +3,7 @@ title: Windows 10 Mobile and mobile device management (Windows 10)
description: This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system.
ms.assetid: 6CAA1004-CB65-4FEC-9B84-61AAD2125E5E
keywords: telemetry, BYOD, MDM
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: mobile; devices
diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md
index 5a0c3eadfe..34e40d5095 100644
--- a/windows/manage/windows-10-start-layout-options-and-policies.md
+++ b/windows/manage/windows-10-start-layout-options-and-policies.md
@@ -3,7 +3,7 @@ title: Manage Windows 10 Start layout options (Windows 10)
description: Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education.
ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A
keywords: ["start screen", "start menu"]
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerMS
diff --git a/windows/manage/windows-store-for-business.md b/windows/manage/windows-store-for-business.md
index b718c7ace7..b30c16566a 100644
--- a/windows/manage/windows-store-for-business.md
+++ b/windows/manage/windows-store-for-business.md
@@ -2,7 +2,7 @@
title: Windows Store for Business (Windows 10)
description: Welcome to the Windows Store for Business You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.
ms.assetid: 527E611E-4D47-44F0-9422-DCC2D1ACBAB8
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md
index 2700a1f83a..e3bfdb63b7 100644
--- a/windows/manage/working-with-line-of-business-apps.md
+++ b/windows/manage/working-with-line-of-business-apps.md
@@ -2,7 +2,7 @@
title: Working with line-of-business apps (Windows 10)
description: Your company can make line-of-business (LOB) applications available through Windows Store for Business. These apps are custom to your company – they might be internal business apps, or apps specific to your business or industry.
ms.assetid: 95EB7085-335A-447B-84BA-39C26AEB5AC7
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: TrudyHa
diff --git a/windows/plan/deployment-considerations-for-windows-to-go.md b/windows/plan/deployment-considerations-for-windows-to-go.md
index da2f4412e7..5ef6884c18 100644
--- a/windows/plan/deployment-considerations-for-windows-to-go.md
+++ b/windows/plan/deployment-considerations-for-windows-to-go.md
@@ -3,7 +3,7 @@ title: Deployment considerations for Windows To Go (Windows 10)
description: Deployment considerations for Windows To Go
ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e
keywords: deploy, mobile, device, USB, boot, image, workspace, driver
-ms.prod: W10
+ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: mobility
ms.sitesec: library