From a5bfd378cda71ad1e6ed7b5b3093f17cf2ff9f46 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Tue, 21 Jun 2016 16:52:21 -0700 Subject: [PATCH 1/2] Added Applies To, fixed links --- windows/keep-secure/access-control.md | 7 +- .../keep-secure/active-directory-accounts.md | 15 +-- .../active-directory-security-groups.md | 104 +++++++++--------- windows/keep-secure/dynamic-access-control.md | 5 +- windows/keep-secure/local-accounts.md | 13 ++- windows/keep-secure/microsoft-accounts.md | 8 +- windows/keep-secure/security-identifiers.md | 4 + windows/keep-secure/security-principals.md | 5 +- windows/keep-secure/service-accounts.md | 11 +- windows/keep-secure/special-identities.md | 56 +++++----- 10 files changed, 122 insertions(+), 106 deletions(-) diff --git a/windows/keep-secure/access-control.md b/windows/keep-secure/access-control.md index fd87c67e02..0f9eca4004 100644 --- a/windows/keep-secure/access-control.md +++ b/windows/keep-secure/access-control.md @@ -9,6 +9,9 @@ ms.pagetype: security # Access Control Overview +**Applies to** +- Windows 10 +- Windows Server 2016 This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. 
@@ -111,14 +114,14 @@ User rights grant specific privileges and sign-in rights to users and groups in User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**. -For more information about user rights, see [User Rights Assignment](http://technet.microsoft.com/library/dn221963.aspx). +For more information about user rights, see [User Rights Assignment](user-rights-assignment.md). ## Object auditing With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer. -For more information about auditing, see [Security Auditing Overview](security_auditing_overview_glbl). +For more information about auditing, see [Security Auditing Overview](security-auditing-overview.md). ## See also diff --git a/windows/keep-secure/active-directory-accounts.md b/windows/keep-secure/active-directory-accounts.md index 8ac05bf562..8acc3ea048 100644 --- a/windows/keep-secure/active-directory-accounts.md +++ b/windows/keep-secure/active-directory-accounts.md 
@@ -9,6 +9,8 @@ ms.pagetype: security # Active Directory Accounts +**Applies to** +- Windows Server 2016 Windows Server operating systems are installed with default local accounts. In addition, you can create user accounts to meet the requirements of your organization. This reference topic for the IT professional describes the Windows Server default local accounts that are stored locally on the domain controller and are used in Active Directory. @@ -174,7 +176,7 @@ Because the Guest account can provide anonymous access, it is a security risk. I When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent unauthorized access: -- Do not grant the Guest account the [Shut down the system](shut_down_the_system__technical_reference_security_considerations) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer. +- Do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer. - Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user. 
@@ -343,21 +345,12 @@ For all account types (users, computers, and services) - NTLM authenticated connections are not affected -**Author's Note:  **Need technical input for Note - -**Note**   -Group Managed Service Accounts and Managed Service Accounts… - -  - Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected. **Important**   Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer. -  - -For information how to resolve issues and potential issues from a compromised KRBTGT account, see [Reset the KRBTGT account password](5f4bb6b7-7b20-4d16-b74d-9a59c1ba022b). + ### Read-only domain controllers and the KRBTGT account diff --git a/windows/keep-secure/active-directory-security-groups.md b/windows/keep-secure/active-directory-security-groups.md index b8d9434317..c3856faf75 100644 --- a/windows/keep-secure/active-directory-security-groups.md +++ b/windows/keep-secure/active-directory-security-groups.md @@ -9,6 +9,8 @@ ms.pagetype: security # Active Directory Security Groups +**Applies to** +- Windows Server 2016 This reference topic for the IT professional describes the default Active Directory security groups. 
@@ -48,7 +50,7 @@ Security groups can provide an efficient way to assign access to resources on yo For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain. This is possible because, by default, the user rights **Backup files and directories** and **Restore files and directories** are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group. - You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](user_rights_assignment_glbl). + You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](user-rights-assignment.md). - Assign permissions to security groups for resources. @@ -627,7 +629,7 @@ This security group has not changed since Windows Server 2008.

Default User Rights

-

[Allow log on locally](allow_log_on_locally__technical_reference_security_considerations): SeInteractiveLogonRight

+

[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight

@@ -649,9 +651,9 @@ Membership can be modified by members of the following groups: the default servi This security group includes the following changes since Windows Server 2008: -- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](allow_log_on_through_remote_desktop_services__technical_reference_security_considerations). +- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md). -- [Remove computer from docking station](remove_computer_from_docking_station__technical_reference_security_considerations) was removed in Windows Server 2012 R2. +- [Remove computer from docking station](remove-computer-from-docking-station.md) was removed in Windows Server 2012 R2. @@ -699,33 +701,33 @@ This security group includes the following changes since Windows Server 2008: - +

Default User Rights

[Adjust memory quotas for a process](adjust_memory_quotas_for_a_process__technical_reference_security_considerations): SeIncreaseQuotaPrivilege

-

[Access this computer from the network](access_this_computer_from_the_network__technical_reference_security_considerations): SeNetworkLogonRight

-

[Allow log on locally](allow_log_on_locally__technical_reference_security_considerations): SeInteractiveLogonRight

-

[Allow log on through Remote Desktop Services](allow_log_on_through_remote_desktop_services__technical_reference_security_considerations): SeRemoteInteractiveLogonRight

-

[Back up files and directories](back_up_files_and_directories__technical_reference_security_considerations): SeBackupPrivilege

-

[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege

-

[Change the system time](change_the_system_time__technical_reference_security_considerations): SeSystemTimePrivilege

-

[Change the time zone](change_the_time_zone__technical_reference_security_considerations): SeTimeZonePrivilege

-

[Create a pagefile](create_a_pagefile__technical_reference_security_considerations): SeCreatePagefilePrivilege

-

[Create global objects](create_global_objects__technical_reference_security_considerations): SeCreateGlobalPrivilege

-

[Create symbolic links](create_symbolic_links__technical_reference_security_considerations): SeCreateSymbolicLinkPrivilege

-

[Debug programs](debug_programs__technical_reference_security_considerations): SeDebugPrivilege

-

[Enable computer and user accounts to be trusted for delegation](enable_computer_and_user_accounts_to_be_trusted_for_delegation__technical_reference_security_considerations): SeEnableDelegationPrivilege

-

[Force shutdown from a remote system](force_shutdown_from_a_remote_system__technical_reference_security_considerations): SeRemoteShutdownPrivilege

-

[Impersonate a client after authentication](impersonate_a_client_after_authentication__technical_reference_security_considerations): SeImpersonatePrivilege

-

[Increase scheduling priority](increase_scheduling_priority__technical_reference_security_considerations): SeIncreaseBasePriorityPrivilege

-

[Load and unload device drivers](load_and_unload_device_drivers__technical_reference_security_considerations): SeLoadDriverPrivilege

-

[Log on as a batch job](log_on_as_a_batch_job__technical_reference_security_considerations): SeBatchLogonRight

-

[Manage auditing and security log](manage_auditing_and_security_log__technical_reference_security_considerations): SeSecurityPrivilege

-

[Modify firmware environment values](modify_firmware_environment_values__technical_reference_security_considerations): SeSystemEnvironmentPrivilege

-

[Perform volume maintenance tasks](perform_volume_maintenance_tasks__technical_reference_security_considerations): SeManageVolumePrivilege

-

[Profile system performance](profile_system_performance__technical_reference_security_considerations): SeSystemProfilePrivilege

-

[Profile single process](profile_single_process__technical_reference_security_considerations): SeProfileSingleProcessPrivilege

-

[Remove computer from docking station](remove_computer_from_docking_station__technical_reference_security_considerations): SeUndockPrivilege

-

[Restore files and directories](restore_files_and_directories__technical_reference_security_considerations): SeRestorePrivilege

-

[Shut down the system](shut_down_the_system__technical_reference_security_considerations): SeShutdownPrivilege

-

[Take ownership of files or other objects](take_ownership_of_files_or_other_objects__technical_reference_security_considerations): SeTakeOwnershipPrivilege

[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege

+

[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight

+

[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight

+

[Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md): SeRemoteInteractiveLogonRight

+

[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege

+

[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege

+

[Change the system time](change-the-system-time.md): SeSystemTimePrivilege

+

[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege

+

[Create a pagefile](create-a-pagefile.md): SeCreatePagefilePrivilege

+

[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege

+

[Create symbolic links](create-symbolic-links.md): SeCreateSymbolicLinkPrivilege

+

[Debug programs](debug-programs.md): SeDebugPrivilege

+

[Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md): SeEnableDelegationPrivilege

+

[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md): SeRemoteShutdownPrivilege

+

[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege

+

[Increase scheduling priority](increase-scheduling-priority.md): SeIncreaseBasePriorityPrivilege

+

[Load and unload device drivers](load-and-unload-device-drivers.md): SeLoadDriverPrivilege

+

[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight

+

[Manage auditing and security log](manage-auditing-and-security-log.md): SeSecurityPrivilege

+

[Modify firmware environment values](modify-firmware-environment-values.md): SeSystemEnvironmentPrivilege

+

[Perform volume maintenance tasks](perform-volume-maintenance-tasks.md): SeManageVolumePrivilege

+

[Profile system performance](profile-system-performance.md): SeSystemProfilePrivilege

+

[Profile single process](profile-single-process.md): SeProfileSingleProcessPrivilege

+

[Remove computer from docking station](remove-computer-from-docking-station.md): SeUndockPrivilege

+

[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege

+

[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege

+

[Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md): SeTakeOwnershipPrivilege

@@ -847,11 +849,11 @@ This security group has not changed since Windows Server 2008.

Default User Rights

-

[Allow log on locally](allow_log_on_locally__technical_reference_security_considerations): SeInteractiveLogonRight

-

[Back up files and directories](back_up_files_and_directories__technical_reference_security_considerations): SeBackupPrivilege

-

[Log on as a batch job](log_on_as_a_batch_job__technical_reference_security_considerations): SeBatchLogonRight

-

[Restore files and directories](restore_files_and_directories__technical_reference_security_considerations): SeRestorePrivilege

-

[Shut down the system](shut_down_the_system__technical_reference_security_considerations): SeShutdownPrivilege

+

[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight

+

[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege

+

[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight

+

[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege

+

[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege

@@ -2289,7 +2291,7 @@ Members of the Performance Log Users group can manage performance counters, logs - Can use all the features that are available to the Performance Monitor Users group. -- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](log_on_as_a_batch_job__technical_reference_security_considerations) user right. +- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](log-on-as-a-batch-job.md) user right. **Warning**   If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials. @@ -2298,7 +2300,7 @@ Members of the Performance Log Users group can manage performance counters, logs - Cannot use the Windows Kernel Trace event provider in Data Collector Sets. -For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](log_on_as_a_batch_job__technical_reference_security_considerations) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console. +For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](log-on-as-a-batch-job.md) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console. **Note**   This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). @@ -2360,7 +2362,7 @@ This security group has not changed since Windows Server 2008.

Default User Rights

-

[Log on as a batch job](log_on_as_a_batch_job__technical_reference_security_considerations): SeBatchLogonRight

+

[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight

@@ -2507,8 +2509,8 @@ This security group has not changed since Windows Server 2008.

Default User Rights

-

[Access this computer from the network](access_this_computer_from_the_network__technical_reference_security_considerations): SeNetworkLogonRight

-

[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege

+

[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight

+

[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege

@@ -2571,9 +2573,9 @@ This security group has not changed since Windows Server 2008. However, in Windo

Default User Rights

-

[Allow log on locally](allow_log_on_locally__technical_reference_security_considerations): SeInteractiveLogonRight

-

[Load and unload device drivers](load_and_unload_device_drivers__technical_reference_security_considerations): SeLoadDriverPrivilege

-

[Shut down the system](shut_down_the_system__technical_reference_security_considerations): SeShutdownPrivilege

+

[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight

+

[Load and unload device drivers](load-and-unload-device-drivers.md): SeLoadDriverPrivilege

+

[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege

@@ -3285,13 +3287,13 @@ This security group has not changed since Windows Server 2008.

Default User Rights

-

[Allow log on locally](allow_log_on_locally__technical_reference_security_considerations): SeInteractiveLogonRight

-

[Back up files and directories](back_up_files_and_directories__technical_reference_security_considerations): SeBackupPrivilege

-

[Change the system time](change_the_system_time__technical_reference_security_considerations): SeSystemTimePrivilege

-

[Change the time zone](change_the_time_zone__technical_reference_security_considerations): SeTimeZonePrivilege

-

[Force shutdown from a remote system](force_shutdown_from_a_remote_system__technical_reference_security_considerations): SeRemoteShutdownPrivilege

-

[Restore files and directories](restore_files_and_directories__technical_reference_security_considerations): Restore files and directories SeRestorePrivilege

-

[Shut down the system](shut_down_the_system__technical_reference_security_considerations): SeShutdownPrivilege

+

[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight

+

[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege

+

[Change the system time](change-the-system-time.md): SeSystemTimePrivilege

+

[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege

+

[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md): SeRemoteShutdownPrivilege

+

[Restore files and directories](restore-files-and-directories.md): Restore files and directories SeRestorePrivilege

+

[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege
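Review bot: the row `[Restore files and directories](restore-files-and-directories.md): Restore files and directories SeRestorePrivilege` in the @@ -3285,13 +3287,13 hunk keeps the pre-existing duplicated phrase `Restore files and directories` in front of the privilege constant. Since this line is already being rewritten, fix it to `[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege` so it matches the same row in the @@ -699,33 +701,33 and @@ -847,11 +849,11 hunks.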

diff --git a/windows/keep-secure/dynamic-access-control.md b/windows/keep-secure/dynamic-access-control.md index 366b64a723..c3cdcb2c32 100644 --- a/windows/keep-secure/dynamic-access-control.md +++ b/windows/keep-secure/dynamic-access-control.md @@ -9,6 +9,8 @@ ms.pagetype: security # Dynamic Access Control Overview +**Applies to** +- Windows Server 2016 This overview topic for the IT professional describes Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8. @@ -134,8 +136,7 @@ A file server running Windows Server 2012 or Windows Server 2012 R2 must have a ## Additional resource - -For information about implementing solutions based on this technology, see [Dynamic Access Control: Scenario Overview](dynamic_access_control_scenario_overview_pscen_overview). +[Access control overview](access-control.md)   diff --git a/windows/keep-secure/local-accounts.md b/windows/keep-secure/local-accounts.md index 68c55f161d..e76d606feb 100644 --- a/windows/keep-secure/local-accounts.md +++ b/windows/keep-secure/local-accounts.md @@ -9,6 +9,9 @@ ms.pagetype: security # Local Accounts +**Applies to** +- Windows 10 +- Windows Server 2016 This reference topic for the IT professional describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. This topic does not describe the default local user accounts for an Active Directory domain controller. 
@@ -147,7 +150,7 @@ By default, the Guest account is the only member of the default Guests group, wh When an administrator enables the Guest account, it is a best practice to create a strong password for this account. In addition, the administrator on the computer should also grant only limited rights and permissions for the Guest account. For security reasons, the Guest account should not be used over the network and made accessible to other computers. -When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](shut_down_the_system__technical_reference_security_considerations) user right. +When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right. In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user. @@ -248,7 +251,7 @@ The following table shows the Group Policy and registry settings that are used t

1

Policy name

-

[User Account Control: Run all administrators in Admin Approval Mode](user_account_control_run_all_administrators_in_admin_approval_mode_technical_reference_mgmt_security_considerations)

+

[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)

@@ -263,7 +266,7 @@ The following table shows the Group Policy and registry settings that are used t

Policy name

-

[User Account Control: Run all administrators in Admin Approval Mode](user_account_control_run_all_administrators_in_admin_approval_mode_technical_reference_mgmt_security_considerations)

+

[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)

@@ -392,7 +395,7 @@ The following table shows the Group Policy settings that are used to deny networ

1

Policy name

-

[Deny access to this computer from the network](deny_access_to_this_computer_from_the_network__technical_reference_security_considerations)

+

[Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)

@@ -408,7 +411,7 @@ The following table shows the Group Policy settings that are used to deny networ

Policy name

-

[Deny log on through Remote Desktop Services](deny_log_on_through_remote_desktop_services__technical_reference_security_considerations)

+

[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)

(Windows Server 2008 R2 and later.)

Deny logon through Terminal Services

(Windows Server 2008)

diff --git a/windows/keep-secure/microsoft-accounts.md b/windows/keep-secure/microsoft-accounts.md index be75c775b9..2c38dba1d0 100644 --- a/windows/keep-secure/microsoft-accounts.md +++ b/windows/keep-secure/microsoft-accounts.md @@ -9,6 +9,8 @@ ms.pagetype: security # Microsoft Accounts +**Applies to** +- Windows 10 This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization. @@ -116,7 +118,7 @@ Depending on your IT and business models, introducing Microsoft accounts into yo ### Restrict the use of the Microsoft account -If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](accounts_block_microsoft_accounts_tech_ref_mgmt_security____w8). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain. +If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain. The default for this setting is **Disabled**, which enables users to use their Microsoft accounts on devices that are joined to your domain. Other options in the setting can: 
@@ -149,12 +151,12 @@ Only the owner of the Microsoft account can change the password. Passwords can b ### Restrict app installation and usage -Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker Overview](applocker_overview_server) and [Packaged Apps and Packaged App Installer Rules in AppLocker](packaged_apps_and_packaged_app_installer_rules_in_applocker). +Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](applocker-overview.md) and [Packaged Apps and Packaged App Installer Rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). ## See also -[Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](managing_privacy_using_a_microsoft_account_to_logon_and_resulting_internet_communication) +[Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](https://technet.microsoft.com/library/jj884082(v=ws.11).aspx)   diff --git a/windows/keep-secure/security-identifiers.md b/windows/keep-secure/security-identifiers.md index 99d5c145b5..1997d5b2d1 100644 --- a/windows/keep-secure/security-identifiers.md +++ b/windows/keep-secure/security-identifiers.md @@ -9,6 +9,10 @@ ms.pagetype: security # Security identifiers +**Applies to** +- Windows 10 +- Windows Server 2016 + This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system. ## What are security identifiers? diff --git a/windows/keep-secure/security-principals.md b/windows/keep-secure/security-principals.md index 21fdc283f8..c91126837d 100644 --- a/windows/keep-secure/security-principals.md +++ b/windows/keep-secure/security-principals.md 
@@ -9,6 +9,9 @@ ms.pagetype: security # Security Principals +**Applies to** +- Windows 10 +- Windows Server 2016 This reference topic for the IT professional describes security principals in regards to Windows accounts and security groups, in addition to security technologies that are related to security principals. @@ -80,7 +83,7 @@ Permissions are different from user rights in that permissions are attached to o On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers. -For information about which user rights are available and how they can be implemented, see [User Rights Assignment](user_rights_assignment_glbl). +For information about which user rights are available and how they can be implemented, see [User Rights Assignment](user-rights-assignment.md). ### Security context in authentication diff --git a/windows/keep-secure/service-accounts.md b/windows/keep-secure/service-accounts.md index 0cc1d98640..3fecf693d7 100644 --- a/windows/keep-secure/service-accounts.md +++ b/windows/keep-secure/service-accounts.md @@ -9,6 +9,9 @@ ms.pagetype: security # Service Accounts +**Applies to** +- Windows 10 +- Windows Server 2016 This topic for the IT professional explains group and standalone managed service accounts, and the computer-specific virtual computer account, and it points to resources about these service accounts. 
@@ -29,7 +32,7 @@ This topic contains information about the following types of service accounts: A managed service account is designed to isolate domain accounts in crucial applications, such as Internet Information Services (IIS), and eliminate the need for an administrator to manually administer the service principal name (SPN) and credentials for the accounts. -To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group managed service account. For more information, see [Group Managed Service Accounts Overview](group_managed_service_accounts_overview). +To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group managed service account. For more information, see [Group Managed Service Accounts Overview](https://technet.microsoft.com/library/hh831782(v=ws.11).aspx). In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts: @@ -113,10 +116,10 @@ The following table provides links to additional resources that are related to s

Product evaluation

-

[What's New for Managed Service Accounts](whats_new_for_managed_service_accounts_vil)

+

[What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx)

[Managed Service Accounts Documentation for Windows 7 and Windows Server 2008 R2](http://technet.microsoft.com/library/ff641731.aspx)

[Service Accounts Step-by-Step Guide](http://technet.microsoft.com/library/dd548356.aspx)

-

[Getting Started with Group Managed Service Accounts](getting_started_with_group_managed_service_accounts)

+

[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx)

Deployment

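Review bot: the TechNet URLs added in this hunk and in the managed-service-account paragraph above it carry literal parentheses inside the Markdown link target, for example `[What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx)`; CommonMark tolerates balanced parentheses, but older renderers close the link at the first `)`, so either percent-encode them (`hh831451%28v=ws.11%29.aspx`) or drop the `(v=ws.11)` segment if the unversioned URL resolves. While this table is being edited, the untouched rows `[Managed Service Accounts Documentation for Windows 7 and Windows Server 2008 R2](http://technet.microsoft.com/library/ff641731.aspx)` and `[Service Accounts Step-by-Step Guide](http://technet.microsoft.com/library/dd548356.aspx)` still use http:// while the new links use https://; normalizing them in the same hunk avoids a mixed-scheme table.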
@@ -137,7 +140,7 @@ The following table provides links to additional resources that are related to s

Related technologies

[Security Principals Technical Overview](security-principals.md)

-

[Active Directory Domain Services Overview](39dd9b55-2512-49d8-8927-a283697f0547)

+

[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx)

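Review bot: the "Related technologies" row now points to a different article, not just a repaired path: `[Active Directory Domain Services Overview](39dd9b55-2512-49d8-8927-a283697f0547)` becomes `[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx)`, so readers looking for an AD DS overview land on a release-notes topic. If a current overview topic exists, link that instead; otherwise state in the commit message that the reference was replaced, since "fixed links" reads as a path repair rather than a change of target.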
diff --git a/windows/keep-secure/special-identities.md b/windows/keep-secure/special-identities.md index a598385d65..69c4ad8674 100644 --- a/windows/keep-secure/special-identities.md +++ b/windows/keep-secure/special-identities.md @@ -9,6 +9,8 @@ ms.pagetype: security # Special Identities +**Applies to** +- Windows Server 2016 This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control. @@ -143,9 +145,9 @@ Any user who accesses the system through a sign-in process has the Authenticated

Default User Rights

-

[Access this computer from the network](access_this_computer_from_the_network__technical_reference_security_considerations): SeNetworkLogonRight

-

[Add workstations to domain](add_workstations_to_domain__technical_reference_security_considerations): SeMachineAccountPrivilege

-

[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege

+

[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight

+

[Add workstations to domain](add-workstations-to-domain.md): SeMachineAccountPrivilege

+

[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege

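Review bot: the new **Applies to** block at the top of special-identities.md lists only `- Windows Server 2016`, while the same patch gives security-principals.md and service-accounts.md both Windows 10 and Windows Server 2016. Most of the identities this topic documents (Authenticated Users, Local Service, Network Service, Service, Terminal Server User) exist on client SKUs as well, so either add Windows 10 here too or note in the commit why this topic is treated as server-only.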
@@ -373,8 +375,8 @@ This group includes all domain controllers in an Active Directory forest. Domain

Default User Rights Assignment

-

[Access this computer from the network](access_this_computer_from_the_network__technical_reference_security_considerations): SeNetworkLogonRight

-

[Allow log on locally](allow_log_on_locally__technical_reference_security_considerations): SeInteractiveLogonRight

+

[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight

+

[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight

@@ -416,9 +418,9 @@ Membership is controlled by the operating system.

Default User Rights

-

[Access this computer from the network](access_this_computer_from_the_network__technical_reference_security_considerations): SeNetworkLogonRight

-

[Act as part of the operating system](act_as_part_of_the_operating_system__technical_reference_security_considerations): SeTcbPrivilege

-

[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege

+

[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight

+

[Act as part of the operating system](act-as-part-of-the-operating-system.md): SeTcbPrivilege

+

[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege

@@ -494,14 +496,14 @@ The Local Service account is similar to an Authenticated User account. The Local

Default user rights

-

[Adjust memory quotas for a process](adjust_memory_quotas_for_a_process__technical_reference_security_considerations): SeIncreaseQuotaPrivilege

-

[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege

-

[Change the system time](change_the_system_time__technical_reference_security_considerations): SeSystemtimePrivilege

-

[Change the time zone](change_the_time_zone__technical_reference_security_considerations): SeTimeZonePrivilege

-

[Create global objects](create_global_objects__technical_reference_security_considerations): SeCreateGlobalPrivilege

-

[Generate security audits](generate_security_audits__technical_reference_security_considerations): SeAuditPrivilege

-

[Impersonate a client after authentication](impersonate_a_client_after_authentication__technical_reference_security_considerations): SeImpersonatePrivilege

-

[Replace a process level token](replace_a_process_level_token__technical_reference_security_considerations): SeAssignPrimaryTokenPrivilege

+

[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege

+

[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege

+

[Change the system time](change-the-system-time.md): SeSystemtimePrivilege

+

[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege

+

[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege

+

[Generate security audits](generate-security-audits.md): SeAuditPrivilege

+

[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege

+

[Replace a process level token](replace-a-process-level-token.md): SeAssignPrimaryTokenPrivilege

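Review bot: the unchanged heading line at the top of this hunk reads `Default user rights`, while the sibling sections use `Default User Rights` (and the Enterprise Domain Controllers section `Default User Rights Assignment`); since every row beneath it is already being rewritten, normalize the heading to one form in the same hunk rather than leaving the casing inconsistent across the page.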
@@ -615,13 +617,13 @@ The Network Service account is similar to an Authenticated User account. The Net

Default User Rights

-

[Adjust memory quotas for a process](adjust_memory_quotas_for_a_process__technical_reference_security_considerations): SeIncreaseQuotaPrivilege

-

[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege

-

[Create global objects](create_global_objects__technical_reference_security_considerations): SeCreateGlobalPrivilege

-

[Generate security audits](generate_security_audits__technical_reference_security_considerations): SeAuditPrivilege

-

[Impersonate a client after authentication](impersonate_a_client_after_authentication__technical_reference_security_considerations): SeImpersonatePrivilege

-

[Restore files and directories](restore_files_and_directories__technical_reference_security_considerations): SeAssignPrimaryTokenPrivilege

-

[Replace a process level token](replace_a_process_level_token__technical_reference_security_considerations): SeAssignPrimaryTokenPrivilege

+

[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege

+

[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege

+

[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege

+

[Generate security audits](generate-security-audits.md): SeAuditPrivilege

+

[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege

+

[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege

+

[Replace a process level token](replace-a-process-level-token.md): SeAssignPrimaryTokenPrivilege

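Review bot: the privilege constant change in this hunk is correct but undocumented: `[Restore files and directories](restore_files_and_directories__technical_reference_security_considerations): SeAssignPrimaryTokenPrivilege` becomes `[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege`. SeAssignPrimaryTokenPrivilege is the constant for "Replace a process level token", which the next row already lists, so the old line duplicated it, and "Restore files and directories" is indeed SeRestorePrivilege. Because the commit message describes only "Applies To" and link fixes, call this content correction out there so it is not mistaken for a find-and-replace slip.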
@@ -883,8 +885,8 @@ Any service that accesses the system has the Service identity. This identity gro

Default User Rights

-

[Create global objects](create_global_objects__technical_reference_security_considerations): SeCreateGlobalPrivilege

-

[Impersonate a client after authentication](impersonate_a_client_after_authentication__technical_reference_security_considerations): SeImpersonatePrivilege

+

[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege

+

[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege

@@ -994,8 +996,8 @@ Any user accessing the system through Terminal Services has the Terminal Server

Default User Rights

-

[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege

-

[Increase a process working set](increase_a_process_working_set__technical_reference_security_considerations): SeIncreaseWorkingSetPrivilege

+

[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege

+

[Increase a process working set](increase-a-process-working-set.md): SeIncreaseWorkingSetPrivilege

From eb353c73c09a6a8e18a7c99b63505704a24fe310 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Tue, 21 Jun 2016 17:49:56 -0700 Subject: [PATCH 2/2] Tweaked link text & dealt with very old links --- windows/keep-secure/access-control.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/access-control.md b/windows/keep-secure/access-control.md index 0f9eca4004..969bd01684 100644 --- a/windows/keep-secure/access-control.md +++ b/windows/keep-secure/access-control.md @@ -34,9 +34,9 @@ This content set contains: - [Dynamic Access Control Overview](dynamic-access-control.md) -- [Security Identifiers Technical Overview](security-identifiers.md) +- [Security identifiers](security-identifiers.md) -- [Security Principals Technical Overview](security-principals.md) +- [Security Principals](security-principals.md) - [Local Accounts](local-accounts.md) @@ -125,10 +125,8 @@ For more information about auditing, see [Security Auditing Overview](security-a ## See also +- For more information about access control and authorization, see [Access Control and Authorization Overview](https://technet.microsoft.com/en-us/library/jj134043(v=ws.11).aspx). -- For more information about authorization and access control, see [Windows Security Collection](http://go.microsoft.com/fwlink/?LinkId=4565). - -- For information about authorization strategy, see [Designing a Resource Authorization Strategy](http://go.microsoft.com/fwlink/?LinkId=4734).
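Review bot: the two link-text changes in the @@ -34 hunk use different casing, `+- [Security identifiers](security-identifiers.md)` versus `+- [Security Principals](security-principals.md)`; pick one form, since both sit in the same list and the topic H1 in patch 1 is `# Security Principals`. In the "See also" hunk, the new URL `https://technet.microsoft.com/en-us/library/jj134043(v=ws.11).aspx` carries an `en-us` locale segment that the other TechNet links in this series omit (dropping it lets TechNet serve the reader's locale), and the parentheses in `(v=ws.11)` inside a Markdown link target should be percent-encoded for renderers that close the link at the first `)`.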