deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-25 23:33:35 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/microsoftdocs/windows-itpro-docs into public-8919

Browse Source
This commit is contained in:
Liza Poggemeyer
2019-08-09 14:50:47 -07:00
parent 53365f2f3c a11cbd7cef
commit b887daef29
216 changed files with 17150 additions and 16941 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
View File

@ -39,6 +39,26 @@ To complete this procedure, you must be logged on as a member of the built-in Ad
- To audit failure events, click **Fail.**
- To audit all events, click **All.**
6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include:
- **This folder only**
- **This folder, subfolders and files**
- **This folder and subfolders**
- **This folder and files**
- **Subfolders and files only**
- **Subfolders only**
- **Files only**
7. By default, the selected **Basic Permissions** to audit are the following:
- **Read and execute**
- **List folder contents**
- **Read**
- Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination.
> **Important:**  Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
 
## Additional considerations

4
windows/security/threat-protection/auditing/event-4612.md
View File

@ -30,9 +30,9 @@ There is no example of this event in this document.
***Event Schema:***
*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. *
*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.*
*Number of audit messages discarded: %1 *
*Number of audit messages discarded: %1*
*This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.*

2
windows/security/threat-protection/auditing/event-4615.md
View File

@ -48,7 +48,7 @@ It appears that this event never occurs.
*LPC Server Port Name:%6*
*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSAs use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel." *
*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSAs use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel."*
***Required Server Roles:*** None.

2
windows/security/threat-protection/auditing/event-4624.md
View File

@ -138,7 +138,7 @@ This event generates when a logon session is created (on destination machine). I
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
**Logon Information** \[Version 2\]**: **
**Logon Information** \[Version 2\]**:**
- **Logon Type** \[Version 0, 1, 2\] \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field.

2
windows/security/threat-protection/auditing/event-4670.md
View File

@ -142,7 +142,7 @@ Before this event can generate, certain ACEs might need to be set in the object
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

2
windows/security/threat-protection/auditing/event-4688.md
View File

@ -151,7 +151,7 @@ This event generates every time a new process starts.
- **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process.
- **Token Elevation Type** \[Type = UnicodeString\]**: **
- **Token Elevation Type** \[Type = UnicodeString\]**:**
- **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account.

2
windows/security/threat-protection/auditing/event-4704.md
View File

@ -99,7 +99,7 @@ You will see unique event for every user.
- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
**New Right: **
**New Right:**
- **User Right** \[Type = UnicodeString\]: the list of assigned user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:

2
windows/security/threat-protection/auditing/event-4705.md
View File

@ -99,7 +99,7 @@ You will see unique event for every user.
- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
**Removed Right: **
**Removed Right:**
- **User Right** \[Type = UnicodeString\]: the list of removed user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:

2
windows/security/threat-protection/auditing/event-4715.md
View File

@ -100,7 +100,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
- **New Security Descriptor** \[Type = UnicodeString\]**:** new Security Descriptor Definition Language (SDDL) value for the audit policy.
> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

2
windows/security/threat-protection/auditing/event-4717.md
View File

@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were granted to mu
- **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was granted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
**Access Granted: **
**Access Granted:**
- **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows:

2
windows/security/threat-protection/auditing/event-4718.md
View File

@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were removed for m
- **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
**Access Removed: **
**Access Removed:**
- **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows:

2
windows/security/threat-protection/auditing/event-4738.md
View File

@ -266,7 +266,7 @@ For 4738(S): A user account was changed.
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Display Name**<br>**User Principal Name**<br>**Home Directory**<br>**Home Drive**<br>**Script Path**<br>**Profile Path**<br>**User Workstations**<br>**Password Last Set**<br>**Account Expires**<br>**Primary Group ID<br>Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts. |
| **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. |
| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **&lt;value not set&gt; ** | If **AllowedToDelegateTo** is marked **&lt;value not set&gt;** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **&lt;value not set&gt;** | If **AllowedToDelegateTo** is marked **&lt;value not set&gt;** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |
- Consider whether to track the following user account control flags:

2
windows/security/threat-protection/auditing/event-4742.md
View File

@ -276,7 +276,7 @@ For 4742(S): A computer account was changed.
| **Display Name** is not -<br>**User Principal Name** is not -<br>**Home Directory** is not -<br>**Home Drive** is not -<br>**Script Path** is not -<br>**Profile Path** is not -<br>**User Workstations** is not -<br>**Account Expires** is not -<br>**Logon Hours** is not **-** | Typically these fields are **-** for computer accounts. Other values might indicate an anomaly and should be monitored. |
| **Password Last Set** changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack. |
| **Primary Group ID** is not 516, 521, or 515 | Typically, the **Primary Group ID** value is one of the following:<br>**516** for domain controllers<br>**521** for read only domain controllers (RODCs)<br>**515** for servers and workstations (domain computers)<br>Other values should be monitored. |
| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **&lt;value not set&gt; ** | If **AllowedToDelegateTo** is marked **&lt;value not set&gt;** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **&lt;value not set&gt;** | If **AllowedToDelegateTo** is marked **&lt;value not set&gt;** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |
- Consider whether to track the following account control flags:

4
windows/security/threat-protection/auditing/event-4817.md
View File

@ -116,7 +116,7 @@ Separate events will be generated for “Registry” and “File system” polic
| Job | Port | FilterConnectionPort | |
| ALPC Port | Semaphore | Adapter | |
- **Object Name: **
- **Object Name:**
- Key if “Registry” Global Object Access Auditing policy was changed.
@ -128,7 +128,7 @@ Separate events will be generated for “Registry” and “File system” polic
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

2
windows/security/threat-protection/auditing/event-4864.md
View File

@ -44,7 +44,7 @@ There is no example of this event in this document.
*Security ID:%7*
*New Flags:%8 *
*New Flags:%8*
***Required Server Roles:*** Active Directory domain controller.

2
windows/security/threat-protection/auditing/event-4907.md
View File

@ -159,7 +159,7 @@ This event doesn't generate for Active Directory objects.
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

2
windows/security/threat-protection/auditing/event-4911.md
View File

@ -152,7 +152,7 @@ Resource attributes for file or folder can be changed, for example, using Window
- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

2
windows/security/threat-protection/auditing/event-4913.md
View File

@ -156,7 +156,7 @@ This event always generates, regardless of the objects [SACL](https://msdn.mi
- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

2
windows/security/threat-protection/auditing/event-5143.md
View File

@ -141,7 +141,7 @@ This event generates every time network share object was modified.
- **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

2
windows/security/threat-protection/auditing/event-5145.md
View File

@ -177,7 +177,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.
- ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access.
> **Note**&nbsp;&nbsp;The ** <span id="SDDL" class="anchor"></span>Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **<a id="SDDL" class="anchor"></a>Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

2
windows/security/threat-protection/auditing/event-5150.md
View File

@ -52,7 +52,7 @@ There is no example of this event in this document.
>
> *Layer Name:%9*
>
> *Layer Run-Time ID:%10 *
> *Layer Run-Time ID:%10*
***Required Server Roles:*** None.

2
windows/security/threat-protection/auditing/event-5151.md
View File

@ -52,7 +52,7 @@ There is no example of this event in this document.
>
> *Layer Name:%9*
>
> *Layer Run-Time ID:%10 *
> *Layer Run-Time ID:%10*
***Required Server Roles:*** None.

2
windows/security/threat-protection/auditing/event-6400.md
View File

@ -30,7 +30,7 @@ There is no example of this event in this document.
*BranchCache: Received an incorrectly formatted response while discovering availability of content.*
*IP address of the client that sent this response:%1 *
*IP address of the client that sent this response:%1*
***Required Server Roles:*** None.

2
windows/security/threat-protection/auditing/event-6401.md
View File

@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
*BranchCache: Received invalid data from a peer. Data discarded. *
*BranchCache: Received invalid data from a peer. Data discarded.*
*IP address of the client that sent this data:%1*

2
windows/security/threat-protection/auditing/event-6402.md
View File

@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
*BranchCache: The message to the hosted cache offering it data is incorrectly formatted. *
*BranchCache: The message to the hosted cache offering it data is incorrectly formatted.*
*IP address of the client that sent this message: %1*

2
windows/security/threat-protection/auditing/event-6403.md
View File

@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
*BranchCache: The hosted cache sent an incorrectly formatted response to the clients message to offer it data. *
*BranchCache: The hosted cache sent an incorrectly formatted response to the clients message to offer it data.*
*Domain name of the hosted cache is:%1*

2
windows/security/threat-protection/auditing/event-6404.md
View File

@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. *
*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.*
*Domain name of the hosted cache:%1*

2
windows/security/threat-protection/auditing/event-6409.md
View File

@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
*BranchCache: A service connection point object could not be parsed. *
*BranchCache: A service connection point object could not be parsed.*
*SCP object GUID: %1*

2
windows/security/threat-protection/index.md
View File

@ -141,7 +141,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
**[Microsoft Threat Protection](microsoft-defender-atp/threat-protection-integration.md)** <br>
Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to your organization.
- [Conditional access](microsoft-defender-atp/conditional-access.md)
- [O365 ATP](microsoft-defender-atp/threat-protection-integration.md)
- [Office 365 ATP](microsoft-defender-atp/threat-protection-integration.md)
- [Azure ATP](microsoft-defender-atp/threat-protection-integration.md)
- [Azure Security Center](microsoft-defender-atp/threat-protection-integration.md)
- [Skype for Business](microsoft-defender-atp/threat-protection-integration.md)

8
windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
View File

@ -58,10 +58,10 @@ The Windows Defender AV threat severity represents the absolute severity of the
The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization.
So, for example:
- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
#### Understanding alert categories
We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names.

123
windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
View File

@ -1,6 +1,8 @@
---
title: Configure managed security service provider support
description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -21,9 +23,11 @@ ms.date: 09/03/2018
# Configure managed security service provider integration
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
[!include[Prerelease information](prerelease.md)]
@ -35,19 +39,23 @@ You'll need to take the following configuration steps to enable the managed secu
> - MSSP customers: Organizations that engage the services of MSSPs.
The integration will allow MSSPs to take the following actions:
- Get access to MSSP customer's Microsoft Defender Security Center portal
- Get access to MSSP customer's Windows Defender Security Center portal
- Get email notifications, and
- Fetch alerts through security information and event management (SIEM) tools
Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal.
Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal.
Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP.
In general, the following configuration steps need to be taken:
- **Grant the MSSP access to Microsoft Defender Security Center** <br>
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant.
- **Grant the MSSP access to Windows Defender Security Center** <br>
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant.
- **Configure alert notifications sent to MSSPs** <br>
This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.
@ -61,31 +69,36 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
## Grant the MSSP access to the portal
>[!NOTE]
>[!NOTE]
> These set of steps are directed towards the MSSP customer. <br>
> Access to the portal can only be done by the MSSP customer.
As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center.
As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center.
Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality.
You'll need to take the following 2 steps:
- Add MSSP user to your tenant as a guest user
- Grant MSSP user access to Microsoft Defender Security Center
- Grant MSSP user access to Windows Defender Security Center
### Add MSSP user to your tenant as a guest user
Add a user who is a member of the MSSP tenant to your tenant as a guest user.
To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator).
### Grant MSSP user access to Microsoft Defender Security Center
Grant the guest user access and permissions to your Microsoft Defender Security Center tenant.
### Grant MSSP user access to Windows Defender Security Center
Grant the guest user access and permissions to your Windows Defender Security Center tenant.
Granting access to guest user is done the same way as granting access to a user who is a member of your tenant.
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md).
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md).
If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md).
If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md).
>[!NOTE]
>There is no difference between the Member user and Guest user roles from RBAC perspective.
@ -94,12 +107,14 @@ It is recommended that groups are created for MSSPs to make authorization access
As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups.
## Access the Microsoft Defender Security Center MSSP customer portal
## Access the Windows Defender Security Center MSSP customer portal
>[!NOTE]
>[!NOTE]
>These set of steps are directed towards the MSSP.
By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
@ -123,7 +138,9 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I
After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
For more information, see [Create rules for alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md#create-rules-for-alert-notifications).
These check boxes must be checked:
- **Include organization name** - The customer name will be added to email notifications
@ -141,46 +158,49 @@ To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
Step 3: Whitelist your application on Microsoft Defender Security Center
Step 3: Whitelist your application on Windows Defender Security Center
### Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant.
1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
2. Select **Azure Active Directory** > **App registrations**.
3. Click **New application registration**.
3. Click **New registration**.
4. Specify the following values:
- Name: \<Tenant_name\> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
- Application type: Web app / API
- Sign-on URL: `https://SiemMsspConnector`
- Supported account types: Account in this organizational directory only
- Redirect URI: Select Web and type `https://<domain_name>/SiemMsspConnector`(replace <domain_name> with the tenant name)
5. Click **Create**. The application is displayed in the list of applications you own.
5. Click **Register**. The application is displayed in the list of applications you own.
6. Select the application, then click **Settings** > **Properties**.
6. Select the application, then click **Overview**.
7. Copy the value from the **Application ID** field.
7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
8. Change the value in the **App ID URI** to: `https://<domain_name>/SiemMsspConnector` (replace \<domain_name\> with the tenant name.
8. Select **Certificate & secrets** in the new application panel.
9. Ensure that the **Multi-tenanted** field is set to **Yes**.
9. Click **New client secret**.
10. In the **Settings** panel, select **Reply URLs** and add the following URL: `https://localhost:44300/wdatpconnector`.
11. Click **Save**.
12. Select **Keys** and specify the following values:
- Description: Enter a description for the key.
- Expires: Select **In 1 year**
13. Click **Save**. Save the value is a safe place, you'll need this
10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
### Step 2: Get access and refresh tokens from your customer's tenant
This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
@ -248,17 +268,20 @@ After providing your credentials, you'll need to grant consent to the applicatio
`Set-ExecutionPolicy -ExecutionPolicy Bypass`
6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id>`
- Replace \<client_id\> with the Application ID you got from the previous step.
- Replace \<app_key\> with the application key you created from the previous step.
- Replace \<customer_tenant_id\> with your customer's tenant ID.
- Replace \<client_id\> with the **Application (client) ID** you got from the previous step.
- Replace \<app_key\> with the **Client Secret** you created from the previous step.
- Replace \<customer_tenant_id\> with your customer's **Tenant ID**.
7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
### Step 3: Whitelist your application on Microsoft Defender Security Center
You'll need to whitelist the application you created in Microsoft Defender Security Center.
### Step 3: Whitelist your application on Windows Defender Security Center
You'll need to whitelist the application you created in Windows Defender Security Center.
You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you.
@ -272,17 +295,21 @@ You'll need to have **Manage portal system settings** permission to whitelist th
5. Click **Authorize application**.
You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md).
- In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value.
- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
## Fetch alerts from MSSP customer's tenant using APIs
For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md).
## Related topics
- [Use basic permissions to access the portal](basic-permissions.md)
- [Manage portal access using RBAC](rbac.md)
- [Pull alerts to your SIEM tools](configure-siem.md)
- [Pull alerts using REST API](pull-alerts-using-rest-api.md)
- [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md)
- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
- [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
- [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)

2
windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
View File

@ -61,7 +61,7 @@ machineId | String | Id of the machine on which the event was identified. **Requ
severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
title | String | Title for the alert. **Required**.
description | String | Description of the alert. **Required**.
recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert.
recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**.
eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
reportId | String | The reportId, as obtained from the advanced query. **Required**.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.

95
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
View File

@ -62,29 +62,29 @@ This page explains how to create an AAD application, get an access token to Micr
4. Allow your Application to access Microsoft Defender ATP and assign it 'Read alerts' permission:
- On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
- On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
- **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
- **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
![Image of API access and API selection](images/add-permission.png)
![Image of API access and API selection](images/add-permission.png)
- Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions**
- Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions**
![Image of API access and API selection](images/application-permissions-public-client.png)
![Image of API access and API selection](images/application-permissions-public-client.png)
- **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example!
- **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example!
For instance,
For instance,
- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
- To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
- To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
- Click **Grant consent**
- Click **Grant consent**
**Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
**Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
![Image of Grant permissions](images/grant-consent.png)
![Image of Grant permissions](images/grant-consent.png)
6. Write down your application ID and your tenant ID:
@ -102,42 +102,42 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co
- Copy/Paste the below class in your application.
- Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token.
```
namespace WindowsDefenderATP
{
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;
```csharp
namespace WindowsDefenderATP
{
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;
public static class WindowsDefenderATPUtils
{
private const string Authority = "https://login.windows.net";
public static class WindowsDefenderATPUtils
{
private const string Authority = "https://login.windows.net";
private const string WdatpResourceId = "https://api.securitycenter.windows.com";
private const string WdatpResourceId = "https://api.securitycenter.windows.com";
public static async Task<string> AcquireUserTokenAsync(string username, string password, string appId, string tenantId)
{
using (var httpClient = new HttpClient())
{
var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}";
public static async Task<string> AcquireUserTokenAsync(string username, string password, string appId, string tenantId)
{
using (var httpClient = new HttpClient())
{
var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}";
var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded");
var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded");
using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false))
{
response.EnsureSuccessStatusCode();
using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false))
{
response.EnsureSuccessStatusCode();
var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
var jObject = JObject.Parse(json);
var jObject = JObject.Parse(json);
return jObject["access_token"].Value<string>();
}
}
}
}
}
return jObject["access_token"].Value<string>();
}
}
}
}
}
```
## Validate the token
@ -156,16 +156,17 @@ Sanity check to make sure you got a correct token:
- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
- Example of sending a request to get a list of alerts **using C#**
```
var httpClient = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
```csharp
var httpClient = new HttpClient();
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
// Do something useful with the response
var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
// Do something useful with the response
```
## Related topics

2
windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
View File

@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
GET /api/users/{id}/alerts
```
**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) **
**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)**
## Request headers

2
windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
View File

@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
GET /api/users/{id}/machines
```
**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) **
**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines)**
## Request headers

4
windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
View File

@ -45,8 +45,8 @@ Sensitivity labels classify and help protect sensitive content.
Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories:
- Default
- Custom
- Default
- Custom
Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).

4
windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
View File

@ -61,8 +61,8 @@ Comment | String | Comment to associate with the action. **Required**.
IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'.
**IsolationType** controls the type of isolation to perform and can be one of the following:
- Full Full isolation
- Selective Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details)
- Full Full isolation
- Selective Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details)
## Response

4
windows/security/threat-protection/microsoft-defender-atp/onboard.md
View File

@ -33,8 +33,8 @@ Topic | Description
[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
[Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization.
[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Microsoft Defender ATP.
Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others.

6
windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
View File

@ -21,7 +21,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>[!NOTE]
>[!NOTE]
> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
@ -79,11 +79,11 @@ Within the tile, you can click on each control to see the recommended optimizati
Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
## Related topic
## Related topic
- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)

4
windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
View File

@ -63,7 +63,7 @@ This action takes effect on machines with Windows 10, version 1703 or later, whe
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- **Search box** - select File from the dropdown menu and enter the file name
- **Search box** - select **File** from the dropdown menu and enter the file name
2. Go to the top bar and select **Stop and Quarantine File**.
@ -98,7 +98,7 @@ You can roll back and remove a file from quarantine if youve determined that
1. Open an elevated commandline prompt on the machine:
a. Go to **Start** and type cmd.
a. Go to **Start** and type _cmd_.
b. Rightclick **Command prompt** and select **Run as administrator**.

2
windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
View File

@ -96,7 +96,7 @@ The package contains the following folders:
|:---|:---------|
|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attackers persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” |
|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). |
|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attackers command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetConnections.txt Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - IpConfig.txt Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. </br></br> - FirewassExecutionLog.txt and pfirewall.log |
|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attackers command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetConnections.txt Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - IpConfig.txt Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. </br></br> - FirewassExecutionLog.txt and pfirewall.log |
| Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. |
| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. |
| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. |

2
windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
View File

@ -75,7 +75,7 @@ The **Sensor health** tile provides information on the individual machines ab
![Sensor health tile](images/atp-tile-sensor-health.png)
There are two status indicators that provide information on the number of machines that are not reporting properly to the service:
- **Misconfigured** These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
- **Misconfigured** These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.

4
windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
View File

@ -296,8 +296,8 @@ You might also need to check the following:
## Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).

46
windows/security/threat-protection/microsoft-defender-atp/user-roles.md
View File

@ -34,31 +34,31 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
3. Enter the role name, description, and permissions you'd like to assign to the role.
- **Role name**
- **Description**
- **Permissions**
- **View data** - Users can view information in the portal.
- **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
- **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
>[!NOTE]
>This setting is only available in the Microsoft Defender ATP administrator (default) role.
- **Role name**
- **Description**
- **Permissions**
- **View data** - Users can view information in the portal.
- **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
- **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
> [!NOTE]
> This setting is only available in the Microsoft Defender ATP administrator (default) role.
- **Live response capabilities** - Users can take basic or advanced live response commands. <br>
- Basic commands allow users to:
- Start a live response session
- Run read only live response commands on a remote machine
- Advanced commands allow users to:
- Run basic actions
- Download a file from the remote machine
- View a script from the files library
- Run a script on the remote machine from the files library take read and write commands.
For more information on the available commands, see [Investigate machines using Live response](live-response.md).
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
- **Live response capabilities** - Users can take basic or advanced live response commands.
- Basic commands allow users to:
- Start a live response session
- Run read only live response commands on a remote machine
- Advanced commands allow users to:
- Run basic actions
- Download a file from the remote machine
- View a script from the files library
- Run a script on the remote machine from the files library take read and write commands.
For more information on the available commands, see [Investigate machines using Live response](live-response.md).
4. Click **Next** to assign the role to an Azure AD group.
5. Use the filter to select the Azure AD group that you'd like to add to this role.

8
windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
View File

@ -79,8 +79,8 @@ For more information preview features, see [Preview features](https://docs.micro
Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
- New in Windows 10 version 1809, there are two new attack surface reduction rules:
- Block Adobe Reader from creating child processes
- Block Office communication application from creating child processes.
- Block Adobe Reader from creating child processes
- Block Office communication application from creating child processes.
- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
@ -95,8 +95,8 @@ Query data using Advanced hunting in Microsoft Defender ATP.
- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)<BR>
New attack surface reduction rules:
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block executable content from email client and webmail

2
windows/security/threat-protection/security-compliance-toolkit-10.md
View File

@ -49,7 +49,7 @@ The Security Compliance Toolkit consists of:
- Local Group Policy Object (LGPO) tool
You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/).
You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines).
## What is the Policy Analyzer tool?

2
windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
View File

@ -102,7 +102,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf
| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used.<br>**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
| 569 | The resource manager in Authorization Manager attempted to create a client context. |
| 570 | A client attempted to access an object.<br>**Note: ** An event will be generated for every attempted operation on the object. |
| 570 | A client attempted to access an object.<br>**Note:** An event will be generated for every attempted operation on the object. |
## Security considerations

5
windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
View File

@ -413,7 +413,7 @@ Here are the minimum steps for WEF to operate:
## <a href="" id="bkmk-appendixe"></a>Appendix E Annotated baseline subscription event query
``` syntax
```xml
<QueryList>
<Query Id="0" Path="System">
<!-- Anti-malware *old* events, but only detect events (cuts down noise) -->
@ -578,8 +578,7 @@ Here are the minimum steps for WEF to operate:
## <a href="" id="bkmk-appendixf"></a>Appendix F Annotated Suspect Subscription Event Query
``` syntax
```xml
<QueryList>
<Query Id="0" Path="Security">
<!-- Network logon events-->

102
windows/security/threat-protection/windows-10-mobile-security-guide.md
View File

@ -22,16 +22,16 @@ ms.date: 10/13/2017
Smartphones now serve as a primary productivity tool for business workers and, just like desktops or laptops, need to be secured against malware and data theft. Protecting these devices can be challenging due to the wide range of device operating systems and configurations and the fact that many employees use their own personal devices. IT needs to secure corporate assets on every device, but also ensure the privacy of the users personal apps and data.
Windows 10 Mobile addresses these security concerns directly, whether workers are using personal or corporate-owned devices. It uses the same security technologies as the Windows 10 operating system to help protect against known and emerging security threats across the spectrum of attack vectors. These technologies include:
- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods.
- **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps.
- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices.
- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods.
- **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps.
- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices.
This guide helps IT administrators better understand the security features in Windows 10 Mobile, which can be used to improve protection against unauthorized access, data leakage, and malware.
**In this article:**
- Windows Hello for Business
- Windows Information Protection
- Malware resistance
- Windows Hello for Business
- Windows Information Protection
- Malware resistance
## Windows Hello
@ -56,9 +56,9 @@ To compromise Windows Hello credentials, an attacker would need access to the ph
Biometrics help prevent credential theft and make it easier for users to login to their devices. Users always have their biometric identity with them there is nothing to forget, lose, or leave behind. Attackers would need to have both access to the users device and be able to impersonate the users biometric identity to gain access to corporate resources, which is far more difficult than stealing a password.
Windows Hello supports three biometric sensor scenarios:
- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology.
- **Fingerprint recognition** uses a sensor to scan the users fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello.
- **Iris scanning** uses cameras designed to scan the users iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology.
- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology.
- **Fingerprint recognition** uses a sensor to scan the users fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello.
- **Iris scanning** uses cameras designed to scan the users iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology.
>Users must create an unlock PIN while they enroll a biometric gesture. The device uses this PIN as a fallback mechanism in situations where it cannot capture the biometric gesture.
@ -72,8 +72,6 @@ The biometric image collected at enrollment is converted into an algorithmic for
A Windows Hello companion device enables a physical device, like a wearable, to serve as a factor for validating the users identity before granting them access to their credentials. For instance, when the user has physical possession of a companion device they can easily, possibly even automatically, unlock their PC and authenticate with apps and websites. This type of device can be useful for smartphones or tablets that dont have integrated biometric sensors or for industries where users need a faster, more convenient sign-in experience, such as retail.
In some cases, the companion device for Windows Hello enables a physical device, like a phone, wearable, or other types of device to store all of the users credentials. Storage of the credentials on a mobile device makes it possible to use them on any supporting device, like a kiosk or family PC, and eliminates the need to enroll Windows Hello on each device. Companion devices also help enable organizations to meet regulatory requirements, such as Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS 140-2).
### <a href="" id="standards-based-approach"></a>Standards-based approach
The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms.
@ -87,12 +85,12 @@ Enterprises have seen huge growth in the convergence of personal and corporate d
Inadvertent disclosure is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. Its easy to imagine that an employee using work email on their personal phone could unintentionally save an attachment containing sensitive company information to personal cloud storage, which could be shared with unauthorized people. This accidental sharing of corporate data is just one example of the challenges common to using mobile devices in the workplace. To prevent this type of data leakage, most solutions require users to login with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity.
Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data secure and personal data private. Because corporate data is always protected, users cannot inadvertently copy it or share it with unauthorized users or apps. Key features include:
- Automatically tag personal and corporate data.
- Protect data while its at rest on local or removable storage.
- Control which apps can access corporate data.
- Control which apps can access a virtual private network (VPN) connection.
- Prevent users from copying corporate data to public locations.
- Help ensure business data is inaccessible when the device is in a locked state.
- Automatically tag personal and corporate data.
- Protect data while its at rest on local or removable storage.
- Control which apps can access corporate data.
- Control which apps can access a virtual private network (VPN) connection.
- Prevent users from copying corporate data to public locations.
- Help ensure business data is inaccessible when the device is in a locked state.
### <a href="" id="enlightened-apps"></a>Enlightened apps
@ -101,21 +99,21 @@ Third-party data loss protection solutions usually require developers to wrap th
Windows Information Protection classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data will be encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
When you do not want all data encrypted by default because it would create a poor user experience developers should consider enlightening apps by adding code and compiling them using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that:
- Dont use common controls for saving files.
- Dont use common controls for text boxes.
- Work on personal and enterprise data simultaneously (e.g., contact apps that display personal and enterprise data in a single view or a browser that displays personal and enterprise web pages on tabs within a single instance).
- Dont use common controls for saving files.
- Dont use common controls for text boxes.
- Work on personal and enterprise data simultaneously (e.g., contact apps that display personal and enterprise data in a single view or a browser that displays personal and enterprise web pages on tabs within a single instance).
In many cases, most apps dont require enlightenment for them to use Windows Information Protection. Simply adding them to the allow list is the only step you need to take. Line-of-Business (LOB) apps are a good example of where this works well because they only handle corporate data.
**When is app enlightenment required?**
- **Required**
- App needs to work with both personal and enterprise data.
- **Recommended**
- App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldnt be able to properly revoke these apps.
- App needs to access enterprise data, while protection under lock is activated.
- **Not required**
- App handles only corporate data
- App handles only personal data
- **Required**
- App needs to work with both personal and enterprise data.
- **Recommended**
- App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldnt be able to properly revoke these apps.
- App needs to access enterprise data, while protection under lock is activated.
- **Not required**
- App handles only corporate data
- App handles only personal data
### <a href="" id="companion-devices"></a>Data leakage control
@ -124,10 +122,10 @@ To configure Windows Information Protection in a Mobile Device Management (MDM)
Windows Information Protection works seamlessly until users try to access enterprise data with or paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but Window Information Protection can block users from copying enterprise data from an authorized app to an unauthorized app. Likewise, it will block users from using an unauthorized app to open a file that contains enterprise data.
The extent to which users will be prevented from copying and pasting data from authorized apps to unauthorized apps or locations on the web depends on which protection level is set:
- **Block.** Windows Information Protection blocks users from completing the operation.
- **Override.** Windows Information Protection notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log.
- **Audit.** Windows Information Protection does not block or notify users but logs the operation in the audit log.
- **Off.** Windows Information Protection does not block or notify users and does not log operations in the audit log.
- **Block.** Windows Information Protection blocks users from completing the operation.
- **Override.** Windows Information Protection notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log.
- **Audit.** Windows Information Protection does not block or notify users but logs the operation in the audit log.
- **Off.** Windows Information Protection does not block or notify users and does not log operations in the audit log.
### <a href="" id="companion-devices"></a>Data separation
@ -140,11 +138,11 @@ Windows Information Protection provides data separation without requiring a cont
Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including operating systems and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of data stored even if the device is lost or stolen. The combination of Windows Hello lock and data encryption makes it extremely difficult for an unauthorized party to retrieve sensitive information from the device.
You can customize how device encryption works to meet your unique security requirements. Device encryption even enables you to define your own cipher suite. For example, you can specify the algorithm and key size that Windows 10 Mobile uses for data encryption, which Transport Layer Security (TLS) cipher suites are permitted, and whether Federal Information Processing Standard (FIPS) policy is enabled. The list below shows the policies you can change to customize device encryption on Windows 10 Mobile devices.
- Cryptography
- Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled.
- TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections.
- BitLocker
- Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one.
- Cryptography
- Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled.
- TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections.
- BitLocker
- Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one.
To help make the device even more secured against outside interference, Windows 10 Mobile also now includes protection-under-lock. That means that encryption keys are removed from memory whenever a device is locked. Apps are unable to access sensitive data while the device is in a locked state, so hackers and malware have no way to find and co-opt keys. Everything is locked up tight with the TPM until the user unlocks the device with Windows Hello.
@ -230,9 +228,9 @@ A Trusted Platform Module (TPM) is a tamper-resistant cryptographic module that
A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, if you create a key in a TPM with the property that no one can export that key from the TPM, the key absolutely cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling a reliable report of the software used to start a platform.
The following list describes key functionality that a TPM provides in Windows 10 Mobile:
- **Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys.
- **Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component from firmware up through the drivers and then stores those measurements in the devices TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device.
- **Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM.
- **Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys.
- **Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component from firmware up through the drivers and then stores those measurements in the devices TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device.
- **Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM.
Windows 10 Mobile supports TPM implementations that comply with the 2.0 standard. The TPM 2.0 standard includes several improvements that make it superior to the 1.2 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. When the TPM 1.2 standard appeared in the early 2000s, the security community considered these algorithms cryptographically strong. Since then, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection, as well as the ability to plug-in algorithms that certain geographies or industries may prefer. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself.
@ -241,9 +239,9 @@ Many assume that original equipment manufacturers (OEMs) must implant a TPM in h
>Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [minimum hardware requirements](https://technet.microsoft.com/library/dn915086.aspx)
Several Windows 10 Mobile security features require TPM:
- Virtual smart cards
- Measured Boot
- Health attestation (requires TPM 2.0 or later)
- Virtual smart cards
- Measured Boot
- Health attestation (requires TPM 2.0 or later)
Still other features will use the TPM if it is available. For example, Windows Hello does not require TPM but uses it if its available. Organizations can configure policy to require TPM for Windows Hello.
@ -312,9 +310,9 @@ Malware depends on its ability to insert a malicious payload into memory with th
The heap is a location in memory that Windows uses to store dynamic application data. Microsoft continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that an attacker could use.
Windows 10 Mobile has made several important improvements to the security of the heap over previous versions of Windows:
- Internal data structures that the heap uses are better protected against memory corruption.
- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable.
- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app.
- Internal data structures that the heap uses are better protected against memory corruption.
- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable.
- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app.
### <a href="" id="memeory-reservation"></a>Memory reservations
@ -342,9 +340,9 @@ The security policy of a specific AppContainer defines the operating system capa
A set of default permissions are granted to all AppContainers, including access to a unique, isolated storage location. Access to other capabilities can be declared within the app code itself. Unlike traditional desktop applications, access to additional capabilities and privileges cannot be requested at run time.
The AppContainer concept is advantageous because it provides:
- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions.
- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent.
- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types.
- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions.
- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent.
- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types.
Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. Microsoft Store displays the permissions that the app requires along with the apps age rating and publisher.
@ -355,9 +353,9 @@ The combination of Device Guard and AppContainer help to prevent unauthorized ap
The web browser is a critical component of any security strategy. It is the users interface to the Internet, an environment teeming with malicious sites and potentially dangerous content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks.
Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. Microsoft Edge is more secure than previous Microsoft web browsers in several ways:
- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability.
- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps.
- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design.
- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability.
- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps.
- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design.
## Summary

15
windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
View File

@ -51,13 +51,14 @@ As a cloud service, it is required that computers have access to the internet an
| **Service**| **Description** |**URL** |
| :--: | :-- | :-- |
| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com|
| *Microsoft Update Service (MU)*| Security intelligence and product updates |*.update.microsoft.com|
| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| *.download.microsoft.com|
| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
| *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs |
| *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com settings-win.data.microsoft.com|
| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|\*.wdcp.microsoft.com \*.wdcpalt.microsoft.com \*.wd.microsoft.com|
| *Microsoft Update Service (MU)*| Security intelligence and product updates |\*.update.microsoft.com|
| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| \*.download.microsoft.com|
| *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
| *Certificate Revocation List (CRL)*|Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs |
| *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
| *Universal Telemetry Client*| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com settings-win.data.microsoft.com|
## Validate connections between your network and the cloud

2
windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
View File

@ -41,6 +41,6 @@ You can also manually merge AppLocker policies. For the procedure to do this, se
Gets the local AppLocker policy, and then merges the policy with the existing AppLocker policy in the GPO specified in the LDAP path.
``` syntax
```powershell
C:\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C044FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge
```

8
windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
View File

@ -50,11 +50,11 @@ The following table contains information about the events that you can use to de
| 8000 | Error| Application Identity Policy conversion failed. Status *&lt;%1&gt; *| Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.|
| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.|
| 8002 | Information| *&lt;File name&gt; * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.|
| 8003 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules ** enforcement mode were enabled. |
| 8004 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt; * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.|
| 8003 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
| 8004 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.|
| 8005| Information| *&lt;File name&gt; * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.|
| 8006 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules ** enforcement mode were enabled. |
| 8007 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt; * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.|
| 8006 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
| 8007 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.|
| 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.|
| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.|
| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.|

2
windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
View File

@ -30,7 +30,7 @@ This topic for IT professionals provides links to procedural topics about creati
| Topic | Description |
| - | - |
| [Configure the Application Identity service](configure-the-application-identity-service.md) | This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.|
| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only ** within your IT environment by using AppLocker.|
| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.|
| [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.|
| [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.|
| [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.|

8
windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md
View File

@ -52,10 +52,10 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD
- Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe)
- One or the other, not both at the same time
- Does not support wildcard in the middle (ex. C:\\*\foo.exe)
- Examples:
- %WINDIR%\\...
- %SYSTEM32%\\...
- %OSDRIVE%\\...
- Supported Macros:
- %WINDIR%\\...
- %SYSTEM32%\\...
- %OSDRIVE%\\...
- Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy:

11
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -111,15 +111,16 @@ They could also choose to create a catalog that captures information about the u
Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules.
- New-CIPolicy parameters
- New-CIPolicy parameter
- FilePath: create path rules under path \<path to scan> for anything not user-writeable (at the individual file level)
```powershell
New-CIPolicy -f .\mypolicy.xml -l FilePath -s <path to scan> -u
New-CIPolicy -FilePath .\mypolicy.xml -Level FileName -ScanPath <path to scan> -UserPEs
```
Optionally, add -UserWriteablePaths to ignore user writeability
- New-CIPolicyRule parameter
- FilePathRule: create a rule where filepath string is directly set to value of \<any path string>
```powershell
@ -134,7 +135,7 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD
$rules = New-CIPolicyRule …
$rules += New-CIPolicyRule …
New-CIPolicyRule -f .\mypolicy.xml -u
New-CIPolicy -FilePath .\mypolicy.xml -Rules $rules -UserPEs
```
- Wildcards supported
@ -149,6 +150,6 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD
- Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy:
```powershell
Set-RuleOption -o 18 .\policy.xml
Set-RuleOption -Option 18 .\policy.xml
```

6
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
View File

@ -18,7 +18,7 @@ ms.date: 01/08/2019
**Applies to:**
- Windows 10
- Windows 10 Enterprise
- Windows Server 2016
- Windows Server 2019
@ -40,8 +40,8 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs
## WDAC System Requirements
WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016.
They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune.
WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above.
They can be applied to computers running Windows 10 Enterprise or Windows Server 2016 and above and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune.
Group Policy or Intune can be used to distribute WDAC policies.
## New and changed functionality

12
windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
View File

@ -29,11 +29,13 @@ These settings, located at **Computer Configuration\Administrative Templates\Net
>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode.
| Policy name | Supported versions | Description |
|-------------------------------------------------|--------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. |
| Enterprise resource domains hosted in the cloud | At least Windows Server 2012, Windows 8, or Windows RT | A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. |
| Domains categorized as both work and personal | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. |
|Policy name|Supported versions|Description|
|-----------|------------------|-----------|
|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specify a complete domain, include a full domain name (for example "**contoso.com**") in the configuration. 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (when there is more than one subdomain). Configuring "**.constoso.com**" will automatically trust "**subdomain1.contoso.com**", "**subdomain2.contoso.com**", etc. 3) To trust a subdomain, precede your domain with two dots, for example "**..contoso.com**". |
|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.|
## Application-specific settings
These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard.

8
windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
View File

@ -103,3 +103,11 @@ Answering frequently asked questions about Windows Defender Application Guard (A
| **A:** | To trust a subdomain, you must precede your domain with two dots, for example: ..contoso.com. |
<br>
| | |
|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Q:** | Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? |
| **A:** | When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). |
<br>

21
windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
View File

@ -19,29 +19,12 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## Review system requirements
See [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) to review the hardware and software installation requirements for Windows Defender Application Guard.
>[!NOTE]
>Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
### Hardware requirements
Your environment needs the following hardware to run Windows Defender Application Guard.
|Hardware|Description|
|--------|-----------|
|64-bit CPU|A 64-bit computer with minimum 4 cores is required for the hypervisor. For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_<br><br>**-AND-**<br><br>One of the following virtualization extensions for VBS:<br><br>VT-x (Intel)<br><br>**-OR-**<br><br>AMD-V|
|Hardware memory|Microsoft requires a minimum of 8GB RAM|
|Hard disk|5 GB free space, solid state disk (SSD) recommended|
|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
### Software requirements
Your environment needs the following software to run Windows Defender Application Guard.
|Software|Description|
|--------|-----------|
|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803|
|Browser|Microsoft Edge and Internet Explorer|
|Management system<br> (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)<br><br>**-OR-**<br><br>[System Center Configuration Manager](https://docs.microsoft.com/sccm/)<br><br>**-OR-**<br><br>[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
## Prepare for Windows Defender Application Guard

63
windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
View File

@ -39,69 +39,12 @@ Application Guard has been created to target several types of systems:
## Frequently Asked Questions
| | |
|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Q:** | Can I enable Application Guard on machines equipped with 4GB RAM? |
| **A:** | We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
| | HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. |
| | HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB. |
| | HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB. |
<br>
| | |
|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Q:** | Can employees download documents from the Application Guard Edge session onto host devices? |
| **A:** | In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.<br><br>In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. |
<br>
| | |
|--------|------------------------------------------------------------------------------------------------------------------------------------|
| **Q:** | Can employees copy and paste between the host device and the Application Guard Edge session? |
| **A:** | Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. |
<br>
| | |
|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Q:** | Why don't employees see their Favorites in the Application Guard Edge session? |
| **A:** | To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. |
<br>
| | |
|--------|---------------------------------------------------------------------------------------------------------------------------------------|
| **Q:** | Why arent employees able to see their Extensions in the Application Guard Edge session? |
| **A:** | Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. |
<br>
| | |
|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Q:** | How do I configure WDAG to work with my network proxy (IP-Literal Addresses)? |
| **A:** | WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher. |
<br>
| | |
|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Q:** | I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? |
| **A:** | This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and well work with you to enable the feature. |
<br>
Please see [Frequently asked questions - Windows Defender Application Guard](faq-wd-app-guard.md) for common user-submitted questions.
| | |
|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Q:** | What is the WDAGUtilityAccount local account? |
| **A:** | This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. |
| **Q:** | Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? |
| **A:** | When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). |
<br>

2
windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
View File

@ -53,6 +53,8 @@ For more information about disabling local list merging, see [Prevent or allow u
>If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
>If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
>If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive.
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.

2
windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -183,7 +183,7 @@ Windows 10 and Windows Server 2016 have a WMI class for related properties and f
> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10.
> [!NOTE]
> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1709.
> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803.
The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.

2
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
View File

@ -88,7 +88,7 @@ Where:
For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:
```PowerShell
Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```
You can disable audit mode by replacing `-Enable` with `-Disable`.

18
windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
View File

@ -56,7 +56,9 @@ This can only be done in Group Policy.
>
>You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576).
2. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@ -86,7 +88,18 @@ This can only be done in Group Policy.
6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
7. Use the following registry key and DWORD value to **Hide all notifications**.
**[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
**"DisableNotifications"=dword:00000001**
8. Use the following registry key and DWORD value to **Hide not-critical notifications**
**[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
**"DisableEnhancedNotifications"=dword:00000001**
9. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
## Notifications
@ -136,3 +149,4 @@ This can only be done in Group Policy.
| Dynamic lock on, bluetooth on, but unable to detect device | | | No |
| NoPa or federated no hello | | | No |
| NoPa or federated hello broken | | | No |

4
windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
View File

@ -123,8 +123,8 @@ Default is Any address.
[Learn more](https://aka.ms/intunefirewallremotaddressrule)
## Edge traversal (coming soon)
Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default.
## Edge traversal (UI coming soon)
Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. This setting can only be configured via Intune Graph at this time.
[Learn more](https://aka.ms/intunefirewalledgetraversal)

6
windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
View File

@ -80,7 +80,7 @@ This script does the following:
Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
``` syntax
```powershell
# Create a Security Group for the computers that will get the policy
$pathname = (Get-ADDomain).distinguishedname
New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" `
@ -120,7 +120,7 @@ Use a Windows PowerShell script similar to the following to create a local IPsec
Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
``` syntax
```powershell
#Set up the certificate
$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA"
$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop
@ -173,7 +173,7 @@ Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections:
6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file:
``` syntax
```xml
<item>
<error>ERROR_IPSEC_IKE_NO_CERT</error>
<frequency>32</frequency>

76
windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
View File

@ -67,7 +67,7 @@ netsh advfirewall set allprofiles state on
**Windows PowerShell**
``` syntax
```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
```
@ -88,7 +88,7 @@ netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFile
Windows PowerShell
``` syntax
```powershell
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow NotifyOnListen True -AllowUnicastResponseToMulticast True LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
@ -140,7 +140,7 @@ netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program=
Windows PowerShell
``` syntax
```powershell
New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow
```
@ -157,7 +157,7 @@ netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program
Windows PowerShell
``` syntax
```powershell
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe Protocol TCP LocalPort 23 -Action Block PolicyStore domain.contoso.com\gpo_name
```
@ -169,7 +169,7 @@ The following performs the same actions as the previous example (by adding a Tel
Windows PowerShell
``` syntax
```powershell
$gpo = Open-NetGPO PolicyStore domain.contoso.com\gpo_name
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\telnet.exe Protocol TCP LocalPort 23 -Action Block GPOSession $gpo
Save-NetGPO GPOSession $gpo
@ -191,7 +191,7 @@ netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2
Windows PowerShell
``` syntax
```powershell
Set-NetFirewallRule DisplayName “Allow Web 80” -RemoteAddress 192.168.0.2
```
@ -205,7 +205,7 @@ In the following example, we assume the query returns a single firewall rule, wh
Windows PowerShell
``` syntax
```powershell
Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction eq “Inbound” -and $_.Action eq “Allow”} | Set-NetFirewallRule -RemoteAddress 192.168.0.2
```
@ -213,7 +213,7 @@ You can also query for rules using the wildcard character. The following example
Windows PowerShell
``` syntax
```powershell
Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule
```
@ -223,7 +223,7 @@ In the following example, we add both inbound and outbound Telnet firewall rules
Windows PowerShell
``` syntax
```powershell
New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow Group “Telnet Management”
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow Group “Telnet Management”
```
@ -232,7 +232,7 @@ If the group is not specified at rule creation time, the rule can be added to th
Windows PowerShell
``` syntax
```powershell
$rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet”
$rule.Group = “Telnet Management”
$rule | Set-NetFirewallRule
@ -250,7 +250,7 @@ netsh advfirewall firewall set rule group="Windows Defender Firewall remote mana
Windows PowerShell
``` syntax
```powershell
Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” Enabled True
```
@ -258,7 +258,7 @@ There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by g
Windows PowerShell
``` syntax
```powershell
Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” -Verbose
```
@ -276,7 +276,7 @@ netsh advfirewall firewall delete rule name=“Allow Web 80”
Windows PowerShell
``` syntax
```powershell
Remove-NetFirewallRule DisplayName “Allow Web 80”
```
@ -284,7 +284,7 @@ Like with other cmdlets, you can also query for rules to be removed. Here, all b
Windows PowerShell
``` syntax
```powershell
Remove-NetFirewallRule Action Block
```
@ -292,7 +292,7 @@ Note that it may be safer to query the rules with the **Get** command and save i
Windows PowerShell
``` syntax
```powershell
$x = Get-NetFirewallRule Action Block
$x
$x[0-3] | Remove-NetFirewallRule
@ -306,7 +306,7 @@ The following example returns all firewall rules of the persistent store on a de
Windows PowerShell
``` syntax
```powershell
Get-NetFirewallRule CimSession RemoteDevice
```
@ -314,7 +314,7 @@ We can perform any modifications or view rules on remote devices by simply usin
Windows PowerShell
``` syntax
```powershell
$RemoteSession = New-CimSession ComputerName RemoteDevice
Remove-NetFirewallRule DisplayName “AllowWeb80” CimSession $RemoteSession -Confirm
```
@ -342,7 +342,7 @@ netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint
Windows PowerShell
``` syntax
```powershell
New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore domain.contoso.com\gpo_name
```
@ -365,7 +365,7 @@ netsh advfirewall consec add rule name="Require Outbound Authentication" endpoin
Windows PowerShell
``` syntax
```powershell
$AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP AHHash SHA1 -ESPHash SHA1 -Encryption DES3
$QMCryptoSet = New-NetIPsecQuickModeCryptoSet DisplayName “ah:sha1+esp:sha1-des3” -Proposal $AHandESPQM PolicyStore domain.contoso.com\gpo_name
New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name PolicyStore domain.contoso.com\gpo_name
@ -379,7 +379,7 @@ You can leverage IKEv2 capabilities in Windows Server 2012 by simply specifying
Windows PowerShell
``` syntax
```powershell
New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 RemoteAddress $nonWindowsGateway
```
@ -395,7 +395,7 @@ Copying individual rules is a task that is not possible through the Netsh interf
Windows PowerShell
``` syntax
```powershell
$Rule = Get-NetIPsecRule DisplayName “Require Inbound Authentication”
$Rule | Copy-NetIPsecRule NewPolicyStore domain.costoso.com\new_gpo_name
$Rule | Copy-NetPhase1AuthSet NewPolicyStore domain.costoso.com\new_gpo_name
@ -407,7 +407,7 @@ To handle errors in your Windows PowerShell scripts, you can use the *ErrorAc
Windows PowerShell
``` syntax
```powershell
Remove-NetFirewallRule DisplayName “Contoso Messenger 98” ErrorAction SilentlyContinue
```
@ -415,7 +415,7 @@ Note that the use of wildcards can also suppress errors, but they could potentia
Windows PowerShell
``` syntax
```powershell
Remove-NetFirewallRule DisplayName “Contoso Messenger 98*”
```
@ -423,7 +423,7 @@ When using wildcards, if you want to double-check the set of rules that is match
Windows PowerShell
``` syntax
```powershell
Remove-NetFirewallRule DisplayName “Contoso Messenger 98*” WhatIf
```
@ -431,7 +431,7 @@ If you only want to delete some of the matched rules, you can use the *Confir
Windows PowerShell
``` syntax
```powershell
Remove-NetFirewallRule DisplayName “Contoso Messenger 98*” Confirm
```
@ -439,7 +439,7 @@ You can also just perform the whole operation, displaying the name of each rule
Windows PowerShell
``` syntax
```powershell
Remove-NetFirewallRule DisplayName “Contoso Messenger 98*” Verbose
```
@ -457,7 +457,7 @@ netsh advfirewall consec show rule name=all
Windows PowerShell
``` syntax
```powershell
Show-NetIPsecRule PolicyStore ActiveStore
```
@ -473,7 +473,7 @@ netsh advfirewall monitor show mmsa all
Windows PowerShell
``` syntax
```powershell
Get-NetIPsecMainModeSA
```
@ -485,7 +485,7 @@ For objects that come from a GPO (the *PolicyStoreSourceType* parameter is sp
Windows PowerShell
``` syntax
```powershell
Get-NetIPsecRule DisplayName “Require Inbound Authentication” TracePolicyStore
```
@ -506,7 +506,7 @@ netsh advfirewall consec add rule name=“Basic Domain Isolation Policy” profi
Windows PowerShell
``` syntax
```powershell
$kerbprop = New-NetIPsecAuthProposal Machine Kerberos
$Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop PolicyStore domain.contoso.com\domain_isolation
New-NetIPsecRule DisplayName “Basic Domain Isolation Policy” Profile Domain Phase1AuthSet $Phase1AuthSet.Name InboundSecurity Require OutboundSecurity Request PolicyStore domain.contoso.com\domain_isolation
@ -524,7 +524,7 @@ netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0.
Windows PowerShell
``` syntax
```powershell
$QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3
$QMCryptoSet = New-NetIPsecQuickModeCryptoSet DisplayName “esp:sha1-des3” -Proposal $QMProposal
New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name
@ -548,7 +548,7 @@ netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in pro
Windows PowerShell
``` syntax
```powershell
New-NetFirewallRule -DisplayName “Allow Authenticated Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow
```
@ -562,7 +562,7 @@ netsh advfirewall consec add rule name="Authenticate Both Computer and User" end
Windows PowerShell
``` syntax
```powershell
$mkerbauthprop = New-NetIPsecAuthProposal -Machine Kerberos
$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM
$P1Auth = New-NetIPsecPhase1AuthSet -DisplayName “Machine Auth” Proposal $mkerbauthprop,$mntlmauthprop
@ -593,7 +593,7 @@ The following example shows you how to create an SDDL string that represents sec
Windows PowerShell
``` syntax
```powershell
$user = new-object System.Security.Principal.NTAccount (“corp.contoso.com\Administrators”)
$SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
$secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)"
@ -603,7 +603,7 @@ By using the previous scriptlet, you can also get the SDDL string for a secure c
Windows PowerShell
``` syntax
```powershell
$secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)"
```
@ -622,7 +622,7 @@ netsh advfirewall firewall add rule name=“Allow Encrypted Inbound Telnet to Gr
Windows PowerShell
``` syntax
```powershell
New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required RemoteUser $secureUserGroup PolicyStore domain.contoso.com\Server_Isolation
```
@ -634,7 +634,7 @@ In this example, we set the global IPsec setting to only allow transport mode tr
Windows PowerShell
``` syntax
```powershell
Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup
```
@ -653,7 +653,7 @@ netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in sec
Windows PowerShell
``` syntax
```powershell
New-NetFirewallRule DisplayName “Inbound Secure Bypass Rule" Direction Inbound Authentication Required OverrideBlockRules $true -RemoteMachine $secureMachineGroup RemoteUser $secureUserGroup PolicyStore domain.contoso.com\domain_isolation
```