mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 03:43:39 +00:00
Merge branch 'master' of https://github.com/microsoftdocs/windows-itpro-docs
@ -14,6 +14,10 @@
|
|||||||
|Enabled |3 |3 |Send both intranet and Internet history | |
|
|Enabled |3 |3 |Send both intranet and Internet history | |
|
||||||
---
|
---
|
||||||
|
|
||||||
|
>>You can find this setting in the following location of the Group Policy Editor:
|
||||||
|
>>
|
||||||
|
>> **_Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\_**
|
||||||
|
|
||||||
>[!IMPORTANT]
|
>[!IMPORTANT]
|
||||||
>For this policy to work, enable the Allow Telemetry policy with the _Enhanced_ option and enable the Configure the Commercial ID policy by providing the Commercial ID.
|
>For this policy to work, enable the Allow Telemetry policy with the _Enhanced_ option and enable the Configure the Commercial ID policy by providing the Commercial ID.
|
||||||
|
|
||||||
|
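Review bot: "this setting" in the added line ">>You can find this setting in the following location of the Group Policy Editor:" is ambiguous, because the [!IMPORTANT] block right after it names two other policies (Allow Telemetry and Configure the Commercial ID) as prerequisites. Suggest naming the policy in the added sentence. Also, the bolded path ends at the "Data Collection and Preview Builds\\" folder, so it would help to say whether the prerequisite policies are found under the same node.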
@ -22,7 +22,7 @@ We are discontinuing the use of the **Configure Favorites** group policy. Use th
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:
|
>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
|
||||||
>>
|
>>
|
||||||
>> **_Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\_**
|
>> **_Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\_**
|
||||||
<p>
|
<p>
|
||||||
|
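Review bot: the new qualifier "unless otherwise noted in the policy" on the Group Policy Editor location line does not tell the reader where an exception would be stated, and the bolded path below it is unchanged. Suggest making the pointer concrete, for example "unless the individual policy section lists a different location", and checking that every policy that does live elsewhere actually carries its own location line, so the qualifier is never the only hint.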
@ -20,8 +20,6 @@ See the following resources for additional MBAM documentation:
|
|||||||
|
|
||||||
- [Microsoft BitLocker Administration and Monitoring Deployment Guide](https://go.microsoft.com/fwlink/?LinkId=396653)
|
- [Microsoft BitLocker Administration and Monitoring Deployment Guide](https://go.microsoft.com/fwlink/?LinkId=396653)
|
||||||
|
|
||||||
- [Microsoft Training Overview](https://go.microsoft.com/fwlink/p/?LinkId=80347)
|
|
||||||
|
|
||||||
Before you deploy MBAM to a production environment, we recommend that you validate your deployment plan in a test environment.
|
Before you deploy MBAM to a production environment, we recommend that you validate your deployment plan in a test environment.
|
||||||
|
|
||||||
## Getting started with MBAM 2.5
|
## Getting started with MBAM 2.5
|
||||||
|
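Review bot: removing the "Microsoft Training Overview" bullet together with an adjacent blank line (-20,8 +20,6) leaves the Deployment Guide link as the last list item, directly ahead of "Before you deploy MBAM to a production environment...". Please confirm that exactly one blank line still separates that last bullet from the paragraph, otherwise Markdown will render the paragraph as a continuation of the list item. The commit message gives no reason for dropping the link; a short note on why (dead link, out of scope) would help later readers of the history.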
@ -379,7 +379,7 @@ Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/
|
|||||||
|
|
||||||
Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
|
Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
|
||||||
|
|
||||||
1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
|
1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
|
||||||
|
|
||||||
2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
|
2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
|
||||||
|
|
||||||
|
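Review bot: step 1 now points at "HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection", which is under the Policies branch that Group Policy itself writes to, but the unchanged sentence above still says an existing Group Policy or MDM policy "will override this registry setting" as if the manual value lived somewhere separate. Suggest rewording that sentence to say that a managed policy writes the same key and will replace a manually set value on the next policy refresh. If the old "CurrentVersion\\Policies\\DataCollection" location is still read on some versions, say so, so that admins who scripted the previous path know whether to clean it up.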
@ -85,13 +85,13 @@ DMA-based expansion slots are another avenue of attack, but these slots generall
|
|||||||
|
|
||||||
To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device.
|
To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device.
|
||||||
|
|
||||||
### Hyberfil.sys Attacks
|
### Hiberfil.sys Attacks
|
||||||
|
|
||||||
The hyberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hyberfil.sys file.
|
The hiberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hiberfil.sys file.
|
||||||
|
|
||||||
Like the DMA port attack discussed in the previous section, tools are available that can scan the hyberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hyberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.
|
Like the DMA port attack discussed in the previous section, tools are available that can scan the hiberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hiberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.
|
||||||
|
|
||||||
In practice, the only reason an attack on hyberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hyberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack.
|
In practice, the only reason an attack on hiberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hiberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack.
|
||||||
|
|
||||||
### Memory Remanence Attacks
|
### Memory Remanence Attacks
|
||||||
|
|
||||||
|
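Review bot: the spelling fix is incomplete in the paragraph that starts "Like the DMA port attack discussed in the previous section": the new text still reads "scan the hiberfile.sys file" (extra "e"), while the heading and every other occurrence in this hunk were corrected to "hiberfil.sys". Suggest changing that one to "hiberfil.sys" as well. Minor: the Passware link in the same line is plain "http://"; consider switching it to https if the site supports it.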
@ -50,7 +50,7 @@ By default, the members of the following groups have this right on domain contro
|
|||||||
|
|
||||||
### Location
|
### Location
|
||||||
|
|
||||||
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
|
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
|
||||||
|
|
||||||
### Default values
|
### Default values
|
||||||
|
|
||||||
|
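Review bot: the changed Location line "Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment" matches what the Group Policy Management Editor shows for a domain GPO, but the Local Group Policy Editor has no "Policies" node under Computer Configuration. Since the surrounding text covers defaults on domain controllers and other machines alike, suggest stating which editor the path refers to, or giving both forms, so readers on a standalone or member machine can still find the setting.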