From c084273567dd4b515d76d23c4f5a57b3d374d7da Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Tue, 11 Jun 2019 15:11:32 -0700 Subject: [PATCH] more fixes --- .../windows-10-enterprise-e3-overview.md | 2 +- .../access-control/local-accounts.md | 68 +++++++++++++++++++ .../access-control/special-identities.md | 2 +- .../hello-cert-trust-adfs.md | 2 +- .../hello-how-it-works-device-registration.md | 11 ++- .../hello-how-it-works-tech-deep-dive.md | 6 +- .../hello-hybrid-aadj-sso-base.md | 2 +- .../hello-hybrid-key-new-install.md | 21 +++--- .../hello-hybrid-key-trust-prereqs.md | 28 +++++--- .../hello-key-trust-adfs.md | 2 +- .../hello-key-trust-deploy-mfa.md | 2 +- ...iew-of-threat-mitigations-in-windows-10.md | 2 +- ...s-defender-application-control-policies.md | 6 +- .../configure-the-windows-firewall-log.md | 4 -- ...windows-firewall-with-advanced-security.md | 6 -- 15 files changed, 114 insertions(+), 50 deletions(-) diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 0837197376..1bfb00bab7 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -145,7 +145,7 @@ See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). ## Deploy Windows 10 Enterprise features -Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows-10-pro-and-enterprise-editions)? +Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)? The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features. diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index f7a788e6f8..1bd0ee3c7b 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -117,6 +117,74 @@ When enabling the Guest account, only grant limited rights and permissions. For In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user. +## HelpAssistant account (installed with a Remote Assistance session) + + +The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending. + +HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. + +**Security considerations** + +The SIDs that pertain to the default HelpAssistant account include: + +- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services. + +- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. + +For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used. + +For details about the HelpAssistant account attributes, see the following table. + +**HelpAssistant account attributes** + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
AttributeValue

Well-Known SID/RID

S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon)

Type

User

Default container

CN=Users, DC=<domain>, DC=

Default members

None

Default member of

Domain Guests

+

Guests

Protected by ADMINSDHOLDER?

No

Safe to move out of default container?

Can be moved out, but we do not recommend it.

Safe to delegate management of this group to non-Service admins?

No

### DefaultAccount diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 8713d91370..978d72142a 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -83,7 +83,7 @@ The special identity groups are described in the following tables: - [This Organization](#this-organization) -- [Window Manager\\Window Manager Group](#window-manager-window-manager-group) +- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group) ## Anonymous Logon diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 3d74e8a3b3..8d6b7d474a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -151,7 +151,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ### Windows Server 2012 or later Domain Controllers -Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. +Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section. Sign-in the federation server with _domain administrator_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md index c4ffbeb3a0..58616c9d65 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md @@ -27,9 +27,6 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning [Hybrid Azure AD joined in Managed environments](#hybrid-azure-ad-joined-in-managed-environments)
[Hybrid Azure AD joined in Federated environments](#hybrid-azure-ad-joined-in-federated-environments)
- - - ## Azure AD joined in Managed environments ![Azure AD joined in Managed environments](images/howitworks/devreg-aadj-managed.png) @@ -44,7 +41,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning |G | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.| |H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.| -[Return to top](#Windows-Hello-for-Business-and-Device-Registration) +[Return to top](#windows-hello-for-business-and-device-registration) ## Azure AD joined in Federated environments ![Azure AD joined in Managed environments](images/howitworks/devreg-aadj-federated.png) @@ -60,7 +57,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning |H | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.| |I | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.| -[Return to top](#Windows-Hello-for-Business-and-Device-Registration) +[Return to top](#windows-hello-for-business-and-device-registration) ## Hybrid Azure AD joined in Managed environments ![Hybrid Azure AD joined in Managed environments](images/howitworks/devreg-hybrid-haadj-managed.png) @@ -75,7 +72,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning |G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.| |H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.| -[Return to top](#Windows-Hello-for-Business-and-Device-Registration) +[Return to top](#windows-hello-for-business-and-device-registration) ## Hybrid Azure AD joined in Federated environments ![Hybrid Azure AD joined in Managed environments](images/howitworks/devreg-hybrid-haadj-federated.png) @@ -89,4 +86,4 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning |F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client. Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.| |G | If Azure AD Connect device write-back is enabled, Azure AD Connect requests updates from Azure Active Directory at its next synchronization cycle (device write-back is required for hybrid deployment using certificate trust). Azure Active Directory correlates the device object with a matching synchronized computer object. Azure AD Connect receives the device object that includes the object GUID and computer SID and writes the device object to Active Directory.| -[Return to top](#Windows-Hello-for-Business-and-Device-Registration) +[Return to top](#windows-hello-for-business-and-device-registration) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md index ca78d68e98..ef7fb31fff 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md @@ -22,9 +22,9 @@ ms.reviewer: - Windows 10 Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories: -- [Registration](#Registration) -- [Provisioning](#Provisioning) -- [Authentication](#Authentication) +- [Registration](#registration) +- [Provisioning](#provisioning) +- [Authentication](#authentication) ## Registration diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index fbb7791800..1a9dd4cf29 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -90,7 +90,7 @@ Steps you will perform include: - [Configure Internet Information Services to host CRL distribution point](#configure-internet-information-services-to-host-crl-distribution-point) - [Prepare a file share to host the certificate revocation list](#prepare-a-file-share-to-host-the-certificate-revocation-list) -- [Configure the new CRL distribution point in the issuing certificate authority](#Configure-the-new-crl-distribution-point-in-the-issuing-certificate-authority) +- [Configure the new CRL distribution point in the issuing certificate authority](#configure-the-new-crl-distribution-point-in-the-issuing-certificate-authority) - [Publish CRL](#publish-a-new-crl) - [Reissue domain controller certificates](#reissue-domain-controller-certificates) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index b826287e64..c8c3fee1a5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -29,14 +29,14 @@ Windows Hello for Business involves configuring distributed technologies that ma * [Active Directory](#active-directory) * [Public Key Infrastructure](#public-key-infrastructure) * [Azure Active Directory](#azure-active-directory) -* [Active Directory Federation Services](#active-directory-federation-services) +* [Multifactor Authentication Services](#multifactor-authentication-services) New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) section to prepare your Windows Hello for Business deployment by configuring directory synchronization. The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. -## Active Directory ## +## Active Directory This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal. @@ -83,7 +83,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. > * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based URL. -### Section Review ### +### Section Review > [!div class="checklist"] > * Minimum Windows Server 2012 Certificate Authority. @@ -92,7 +92,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > * Root certificate authority certificate (Azure AD Joined devices). > * Highly available certificate revocation list (Azure AD Joined devices). -## Azure Active Directory ## +## Azure Active Directory You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. @@ -104,12 +104,13 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h > * Create an Azure Active Directory Tenant. > * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary. -## Multifactor Authentication Services ## +## Multifactor Authentication Services Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA or a third-party MFA adapter Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. -### Azure Multi-Factor Authentication (MFA) Cloud ### +### Azure Multi-Factor Authentication (MFA) Cloud + > [!IMPORTANT] > As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: > * Azure Multi-Factor Authentication @@ -118,16 +119,16 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co > > If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. -#### Azure MFA Provider #### +#### Azure MFA Provider If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. -#### Configure Azure MFA Settings #### +#### Configure Azure MFA Settings Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. -#### Azure MFA User States #### +#### Azure MFA User States After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. -### Azure MFA via ADFS ### +### Azure MFA via ADFS Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section. ### Section Review diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 07bcd4e0ba..d494deca75 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -34,7 +34,8 @@ The distributed systems on which these technologies were built involved several * [MultiFactor Authentication](#multifactor-authentication) * [Device Registration](#device-registration) -## Directories ## +## Directories + Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. @@ -43,7 +44,7 @@ You can deploy Windows Hello for Business in any environment with Windows Server Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. -### Section Review ### +### Section Review > [!div class="checklist"] > * Active Directory Domain Functional Level @@ -54,7 +55,7 @@ Review these requirements and those from the Windows Hello for Business planning
-## Public Key Infrastructure ## +## Public Key Infrastructure The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. @@ -83,7 +84,8 @@ The minimum required enterprise certificate authority that can be used with Wind
-## Directory Synchronization ## +## Directory Synchronization + The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect. @@ -96,17 +98,20 @@ Organizations using older directory synchronization technology, such as DirSync
-## Federation with Azure ## +## Federation with Azure + You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2. -### Section Review ### +### Section Review + > [!div class="checklist"] > * Non-federated environments > * Federated environments
-## Multifactor Authentication ## +## Multifactor Authentication + Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. @@ -119,17 +124,20 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
-## Device Registration ## +## Device Registration + Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. -### Section Checklist ### +### Section Checklist + > [!div class="checklist"] > * Device Registration with Azure Device Registration
-### Next Steps ### +### Next Steps + Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 13cf3b5a0e..b76e9bc1ab 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -150,7 +150,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ### Windows Server 2016, 2012 R2 or later Domain Controllers -Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. +Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-R2-domain-controllers) section. Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. 1. Start **Server Manager**. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md index fd1a237822..9b6ae813f1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md @@ -174,7 +174,7 @@ Update the server using Windows Update until the server has no required or optio #### Configure the IIS Server’s Certificate -To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section. +To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-servers-certificate) section. #### Create WebServices SDK user account diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index d0df6caa9a..2549af8feb 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -192,7 +192,7 @@ Control Flow Guard (CFG) is a mitigation that does not need configuration within | **Heap protections**
help prevent
exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.

**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. | | **Kernel pool protections**
help prevent
exploitation of pool memory
used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.

**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. | | **Control Flow Guard**
helps mitigate exploits
that are based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | -| **Protections built into Microsoft Edge** (the browser)
helps mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. | +| **Protections built into Microsoft Edge** (the browser)
helps mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer11), later in this topic. | ### SMB hardening improvements for SYSVOL and NETLOGON shares diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 7342686647..30acb5dae4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -23,7 +23,7 @@ ms.date: 05/03/2018 Running Appication Control in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies. -Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](#create-initial-default-policy). +Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). **To audit a Windows Defender Application Control policy with local policy:** @@ -94,7 +94,7 @@ Use the following procedure after you have been running a computer with a WDAC p - Any applications that actually should not be allowed to run in your environment. Edit these out of the .xml file. If they remain in the .xml file, and the information in the file is merged into your existing WDAC policy, the policy will treat the applications as trusted, and allow them to run. -You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](#merge-windows-defender-application-control-policies). +You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). > [!NOTE] -> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies. +> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md index 851b77b568..ea78e8de16 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -29,10 +29,6 @@ To configure Windows Defender Firewall with Advanced Security to log dropped pac To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -In this topic: - -- [To configure the Windows Defender Firewall with Advanced Security log](#to-configure-the-windows-firewall-log) - ## To configure the Windows Defender Firewall with Advanced Security log 1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index bba537328b..17d43619ee 100644 --- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -29,12 +29,6 @@ This procedure shows you how to open the Windows Defender Firewall with Advanced To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations. -## Opening Windows Defender Firewall - -- [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui) - -- [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt) - ## To open Windows Defender Firewall using the UI Click Start, type **Windows Defender Firewall**, and the press ENTER.