From 9e1239af66d6f8092136a7cb97896c4ad017168b Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 13 Aug 2018 17:07:02 -0700 Subject: [PATCH 1/4] Fixed typo. --- ...windows-event-forwarding-to-assist-in-intrusion-detection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index e42efc4ec8..35ab89b19d 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md 
@@ -108,7 +108,7 @@ Wecutil ss “testSubscription” /cf:Events ### How frequently are WEF events delivered? -Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Ciewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. +Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Viewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. This table outlines the built-in delivery options: From e3f5389275223f95c35197220c12e06bd103324c Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 24 Aug 2018 23:41:37 +0000 Subject: [PATCH 2/4] Merged PR 10910: UserRights policy - added examples --- .../mdm/policy-csp-userrights.md | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 00b49c54f7..ead54a0bfb 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -12,6 +12,61 @@ ms.date: 03/12/2018 # Policy CSP - UserRights +
+ +User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. Here is a list for reference, [Well-Known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx). Even though strings are supported for well-known accounts and groups, it is better to use SIDs because strings are localized for different languages. Some user rights allow things, like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork. + +Here is an example syncml for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups. + +```syntax + + + + + 2 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/UserRights/BackupFilesAndDirectories + + Authenticated UsersAdministrators + + + + + +``` + +Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator + +- Grant an user right to Administrators group via SID: + ``` + *S-1-5-32-544 + ``` + +- Grant an user right to multiple groups (Administrators, Authenticated Users) via SID + ``` + *S-1-5-32-544*S-1-5-11 + ``` + +- Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings + ``` + *S-1-5-32-544Authenticated Users + ``` + +- Grant an user right to multiple groups (Authenticated Users, Administrators) via strings + ``` + Authenticated UsersAdministrators + ``` + +- Empty input indicates that there are no users configured to have that user right + ``` + + ``` +
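Review bot: in the `use-windows-event-forwarding-to-assist-in-intrusion-detection.md` hunk (patch 1/4), the Ciewer to Viewer correction is right, but the same line still carries a comma splice that should be split while you are in it: "All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector." reads better as "...maximum event age. If either limit is exceeded, the accumulated events are sent to the event collector." The hunk's context line `Wecutil ss “testSubscription” /cf:Events` also uses curly quotes, which cmd.exe does not treat as quoting characters, so the command fails when pasted as shown; straight quotes would make it copy-safe.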
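Review bot: in the `policy-csp-userrights.md` hunk (patch 2/4), the data-field examples do not show the separator they are meant to illustrate. As written, `*S-1-5-32-544*S-1-5-11` and `Authenticated UsersAdministrators` run the entries together with nothing visible between them, and the SyncML data value above does the same, so a reader who pastes them gets one unresolvable principal name rather than two principals. Since the text says 0xF000 is the delimiter, write it as the explicit entity `&#xF000;` in every example and escape it in the Markdown source so it survives rendering and copy/paste. Smaller points in the same hunk: change the fence tag ```syntax to ```xml, fix "an user right" (four occurrences) to "a user right" and "syncml" to "SyncML", and, since the empty-value example shows that the policy value replaces rather than appends to the current assignment, say that explicitly next to the examples: a value for BackupFilesAndDirectories that omits Administrators removes the right from Administrators.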
From 6302ea96169bdcac4d449971d19ded7a01919d7b Mon Sep 17 00:00:00 2001 From: Andrea Bichsel <35236577+andreabichsel@users.noreply.github.com> Date: Mon, 27 Aug 2018 07:58:05 -0700 Subject: [PATCH 3/4] Added text about PE files. --- .../applocker/working-with-applocker-rules.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 4cb0d0390a..8400f6cb17 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -6,8 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft -ms.date: 09/21/2017 +author: andreabichsel +msauthor: v-anbic +ms.date: 08/27/2018 --- # Working with AppLocker rules @@ -60,6 +61,8 @@ The AppLocker console is organized into rule collections, which are executable f When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections). + +EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it is a valid PE file.   ## Rule conditions From 36b16c69c16a30fe4e1c7b8b715bb7ae398da85a Mon Sep 17 00:00:00 2001 
From: Jeanie Decker Date: Mon, 27 Aug 2018 15:19:50 +0000 Subject: [PATCH 4/4] Merged PR 10919: format string so it displays properly --- windows/configuration/guidelines-for-assigned-access-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index a032dc458d..eff3c3a789 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -75,7 +75,7 @@ Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh stat > > 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. >2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). ->3. Insert the null character string in between each URL (e.g www.bing.comwww.contoso.com). +>3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). >4. Save the XML file. >5. Open the project again in Windows Configuration Designer. >6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed.
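Review bot: in the front-matter hunk of `working-with-applocker-rules.md` (patch 3/4), the new key is spelled `msauthor: v-anbic` while every other metadata key in the surrounding context uses the `ms.` prefix (`ms.prod`, `ms.mktglfcycl`, `ms.sitesec`, `ms.pagetype`, `ms.date`). Check whether this should be `ms.author:`; an unrecognised key is likely to be dropped silently by the build rather than flagged.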
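Review bot: in the EXE-rules paragraph added to `working-with-applocker-rules.md` (patch 3/4, second hunk), the last sentence, "Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it is a valid PE file," reads as if EXE rules cover every PE file. A DLL is also a valid PE file, and the preceding context line says DLL loads are governed by the separate DLL rule collection, which is not enabled by default. Tighten the sentence to say that EXE rules evaluate any valid PE file that is launched as a process, and keep the DLL caveat beside it so readers do not conclude that a DLL is controlled by EXE rules just because it is a PE file. The point that extensions are easy for an attacker to change is the security claim of the paragraph, so it is worth stating in the same breath what AppLocker does check instead (the PE format of the file) rather than only what it does not.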
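Review bot: in the `guidelines-for-assigned-access-app.md` hunk (patch 4/4), the fix wraps the separator in backticks so it renders, but in this diff the backticks enclose nothing (`www.bing.com``www.contoso.com`), which is the very symptom the change is meant to cure. Confirm that the source line holds the separator as literal escaped text rather than the raw character; if it is still the raw character, the rendered page will again show the two URLs run together. Two nits in the same hunk: "(e.g www.bing.com" should read "(e.g., www.bing.com", and step 6's warning that revisiting the Kiosk Browser policies strips the character is the caveat a reader most needs, so it deserves a callout rather than a trailing clause on the last step.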