Brian Lich 2016-06-22 08:52:02 -07:00
commit c09c76ff6d
10 changed files with 125 additions and 111 deletions

View File

@ -9,6 +9,9 @@ ms.pagetype: security
# Access Control Overview
**Applies to**
- Windows 10
- Windows Server 2016
This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.
@ -31,9 +34,9 @@ This content set contains:
- [Dynamic Access Control Overview](dynamic-access-control.md)
- [Security Identifiers Technical Overview](security-identifiers.md)
- [Security identifiers](security-identifiers.md)
- [Security Principals Technical Overview](security-principals.md)
- [Security Principals](security-principals.md)
- [Local Accounts](local-accounts.md)
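Review bot: the two renamed list entries use different capitalization: `[Security identifiers](security-identifiers.md)` is sentence case while `[Security Principals](security-principals.md)` and the neighbouring entries ("Dynamic Access Control Overview", "Local Accounts") are title case. The link text matches each topic's H1 as changed in this same commit (`# Security identifiers` vs `# Security Principals`), so the inconsistency originates in the topic titles; pick one convention and apply it to both H1s and this list.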
@ -111,21 +114,19 @@ User rights grant specific privileges and sign-in rights to users and groups in
User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
For more information about user rights, see [User Rights Assignment](http://technet.microsoft.com/library/dn221963.aspx).
For more information about user rights, see [User Rights Assignment](user-rights-assignment.md).
## Object auditing
With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer.
For more information about auditing, see [Security Auditing Overview](security_auditing_overview_glbl).
For more information about auditing, see [Security Auditing Overview](security-auditing-overview.md).
## See also
- For more information about access control and authorization, see [Access Control and Authorization Overview](https://technet.microsoft.com/en-us/library/jj134043(v=ws.11).aspx).
- For more information about authorization and access control, see [Windows Security Collection](http://go.microsoft.com/fwlink/?LinkId=4565).
- For information about authorization strategy, see [Designing a Resource Authorization Strategy](http://go.microsoft.com/fwlink/?LinkId=4734).
 

View File

@ -9,6 +9,8 @@ ms.pagetype: security
# Active Directory Accounts
**Applies to**
- Windows Server 2016
Windows Server operating systems are installed with default local accounts. In addition, you can create user accounts to meet the requirements of your organization. This reference topic for the IT professional describes the Windows Server default local accounts that are stored locally on the domain controller and are used in Active Directory.
@ -174,7 +176,7 @@ Because the Guest account can provide anonymous access, it is a security risk. I
When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent unauthorized access:
- Do not grant the Guest account the [Shut down the system](shut_down_the_system__technical_reference_security_considerations) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
- Do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
- Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
@ -343,21 +345,12 @@ For all account types (users, computers, and services)
- NTLM authenticated connections are not affected
**Author's Note:  **Need technical input for Note
**Note**  
Group Managed Service Accounts and Managed Service Accounts…
 
Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected.
**Important**  
Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer.
 
For information how to resolve issues and potential issues from a compromised KRBTGT account, see [Reset the KRBTGT account password](5f4bb6b7-7b20-4d16-b74d-9a59c1ba022b).
<!-- For information how to resolve issues and potential issues from a compromised KRBTGT account, see "Reset the KRBTGT account password." -->
### Read-only domain controllers and the KRBTGT account
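Review bot: commenting out the broken GUID link (`<!-- For information how to resolve issues ... "Reset the KRBTGT account password." -->`) removes the reader's only pointer to the KRBTGT reset procedure, while the preceding **Important** box still tells them to recover from a KRBTGT rotation; prefer a working link to the published reset article, or at least leave the sentence visible as plain text. The same region still ships the placeholder `**Author's Note:  **Need technical input for Note` and a truncated **Note** box (`Group Managed Service Accounts and Managed Service Accounts…`) as unchanged context; since this pass is already cleaning up this section, those should be completed or removed too.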

View File

@ -9,6 +9,8 @@ ms.pagetype: security
# Active Directory Security Groups
**Applies to**
- Windows Server 2016
This reference topic for the IT professional describes the default Active Directory security groups.
@ -48,7 +50,7 @@ Security groups can provide an efficient way to assign access to resources on yo
For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain. This is possible because, by default, the user rights **Backup files and directories** and **Restore files and directories** are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group.
You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](user_rights_assignment_glbl).
You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](user-rights-assignment.md).
- Assign permissions to security groups for resources.
@ -627,7 +629,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="odd">
<td><p>Default User Rights</p></td>
<td><p>[Allow log on locally](allow_log_on_locally__technical_reference_security_considerations): SeInteractiveLogonRight</p></td>
<td><p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p></td>
</tr>
</tbody>
</table>
@ -649,9 +651,9 @@ Membership can be modified by members of the following groups: the default servi
This security group includes the following changes since Windows Server 2008:
- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](allow_log_on_through_remote_desktop_services__technical_reference_security_considerations).
- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md).
- [Remove computer from docking station](remove_computer_from_docking_station__technical_reference_security_considerations) was removed in Windows Server 2012 R2.
- [Remove computer from docking station](remove-computer-from-docking-station.md) was removed in Windows Server 2012 R2.
<table>
<colgroup>
@ -699,33 +701,33 @@ This security group includes the following changes since Windows Server 2008:
</tr>
<tr class="odd">
<td><p>Default User Rights</p></td>
<td><p>[Adjust memory quotas for a process](adjust_memory_quotas_for_a_process__technical_reference_security_considerations): SeIncreaseQuotaPrivilege</p>
<p>[Access this computer from the network](access_this_computer_from_the_network__technical_reference_security_considerations): SeNetworkLogonRight</p>
<p>[Allow log on locally](allow_log_on_locally__technical_reference_security_considerations): SeInteractiveLogonRight</p>
<p>[Allow log on through Remote Desktop Services](allow_log_on_through_remote_desktop_services__technical_reference_security_considerations): SeRemoteInteractiveLogonRight</p>
<p>[Back up files and directories](back_up_files_and_directories__technical_reference_security_considerations): SeBackupPrivilege</p>
<p>[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege</p>
<p>[Change the system time](change_the_system_time__technical_reference_security_considerations): SeSystemTimePrivilege</p>
<p>[Change the time zone](change_the_time_zone__technical_reference_security_considerations): SeTimeZonePrivilege</p>
<p>[Create a pagefile](create_a_pagefile__technical_reference_security_considerations): SeCreatePagefilePrivilege</p>
<p>[Create global objects](create_global_objects__technical_reference_security_considerations): SeCreateGlobalPrivilege</p>
<p>[Create symbolic links](create_symbolic_links__technical_reference_security_considerations): SeCreateSymbolicLinkPrivilege</p>
<p>[Debug programs](debug_programs__technical_reference_security_considerations): SeDebugPrivilege</p>
<p>[Enable computer and user accounts to be trusted for delegation](enable_computer_and_user_accounts_to_be_trusted_for_delegation__technical_reference_security_considerations): SeEnableDelegationPrivilege</p>
<p>[Force shutdown from a remote system](force_shutdown_from_a_remote_system__technical_reference_security_considerations): SeRemoteShutdownPrivilege</p>
<p>[Impersonate a client after authentication](impersonate_a_client_after_authentication__technical_reference_security_considerations): SeImpersonatePrivilege</p>
<p>[Increase scheduling priority](increase_scheduling_priority__technical_reference_security_considerations): SeIncreaseBasePriorityPrivilege</p>
<p>[Load and unload device drivers](load_and_unload_device_drivers__technical_reference_security_considerations): SeLoadDriverPrivilege</p>
<p>[Log on as a batch job](log_on_as_a_batch_job__technical_reference_security_considerations): SeBatchLogonRight</p>
<p>[Manage auditing and security log](manage_auditing_and_security_log__technical_reference_security_considerations): SeSecurityPrivilege</p>
<p>[Modify firmware environment values](modify_firmware_environment_values__technical_reference_security_considerations): SeSystemEnvironmentPrivilege</p>
<p>[Perform volume maintenance tasks](perform_volume_maintenance_tasks__technical_reference_security_considerations): SeManageVolumePrivilege</p>
<p>[Profile system performance](profile_system_performance__technical_reference_security_considerations): SeSystemProfilePrivilege</p>
<p>[Profile single process](profile_single_process__technical_reference_security_considerations): SeProfileSingleProcessPrivilege</p>
<p>[Remove computer from docking station](remove_computer_from_docking_station__technical_reference_security_considerations): SeUndockPrivilege</p>
<p>[Restore files and directories](restore_files_and_directories__technical_reference_security_considerations): SeRestorePrivilege</p>
<p>[Shut down the system](shut_down_the_system__technical_reference_security_considerations): SeShutdownPrivilege</p>
<p>[Take ownership of files or other objects](take_ownership_of_files_or_other_objects__technical_reference_security_considerations): SeTakeOwnershipPrivilege</p></td>
<td><p>[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege</p>
<p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
<p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p>
<p>[Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md): SeRemoteInteractiveLogonRight</p>
<p>[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege</p>
<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p>
<p>[Change the system time](change-the-system-time.md): SeSystemTimePrivilege</p>
<p>[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege</p>
<p>[Create a pagefile](create-a-pagefile.md): SeCreatePagefilePrivilege</p>
<p>[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege</p>
<p>[Create symbolic links](create-symbolic-links.md): SeCreateSymbolicLinkPrivilege</p>
<p>[Debug programs](debug-programs.md): SeDebugPrivilege</p>
<p>[Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md): SeEnableDelegationPrivilege</p>
<p>[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md): SeRemoteShutdownPrivilege</p>
<p>[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege</p>
<p>[Increase scheduling priority](increase-scheduling-priority.md): SeIncreaseBasePriorityPrivilege</p>
<p>[Load and unload device drivers](load-and-unload-device-drivers.md): SeLoadDriverPrivilege</p>
<p>[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight</p>
<p>[Manage auditing and security log](manage-auditing-and-security-log.md): SeSecurityPrivilege</p>
<p>[Modify firmware environment values](modify-firmware-environment-values.md): SeSystemEnvironmentPrivilege</p>
<p>[Perform volume maintenance tasks](perform-volume-maintenance-tasks.md): SeManageVolumePrivilege</p>
<p>[Profile system performance](profile-system-performance.md): SeSystemProfilePrivilege</p>
<p>[Profile single process](profile-single-process.md): SeProfileSingleProcessPrivilege</p>
<p>[Remove computer from docking station](remove-computer-from-docking-station.md): SeUndockPrivilege</p>
<p>[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege</p>
<p>[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege</p>
<p>[Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md): SeTakeOwnershipPrivilege</p></td>
</tr>
</tbody>
</table>
@ -847,11 +849,11 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="odd">
<td><p>Default User Rights</p></td>
<td><p>[Allow log on locally](allow_log_on_locally__technical_reference_security_considerations): SeInteractiveLogonRight</p>
<p>[Back up files and directories](back_up_files_and_directories__technical_reference_security_considerations): SeBackupPrivilege</p>
<p>[Log on as a batch job](log_on_as_a_batch_job__technical_reference_security_considerations): SeBatchLogonRight</p>
<p>[Restore files and directories](restore_files_and_directories__technical_reference_security_considerations): SeRestorePrivilege</p>
<p>[Shut down the system](shut_down_the_system__technical_reference_security_considerations): SeShutdownPrivilege</p></td>
<td><p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p>
<p>[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege</p>
<p>[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight</p>
<p>[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege</p>
<p>[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege</p></td>
</tr>
</tbody>
</table>
@ -2289,7 +2291,7 @@ Members of the Performance Log Users group can manage performance counters, logs
- Can use all the features that are available to the Performance Monitor Users group.
- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](log_on_as_a_batch_job__technical_reference_security_considerations) user right.
- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](log-on-as-a-batch-job.md) user right.
**Warning**  
If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.
@ -2298,7 +2300,7 @@ Members of the Performance Log Users group can manage performance counters, logs
- Cannot use the Windows Kernel Trace event provider in Data Collector Sets.
For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](log_on_as_a_batch_job__technical_reference_security_considerations) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](log-on-as-a-batch-job.md) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
**Note**  
This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
@ -2360,7 +2362,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="odd">
<td><p>Default User Rights</p></td>
<td><p>[Log on as a batch job](log_on_as_a_batch_job__technical_reference_security_considerations): SeBatchLogonRight</p></td>
<td><p>[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight</p></td>
</tr>
</tbody>
</table>
@ -2507,8 +2509,8 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="odd">
<td><p>Default User Rights</p></td>
<td><p>[Access this computer from the network](access_this_computer_from_the_network__technical_reference_security_considerations): SeNetworkLogonRight</p>
<p>[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege</p></td>
<td><p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p></td>
</tr>
</tbody>
</table>
@ -2571,9 +2573,9 @@ This security group has not changed since Windows Server 2008. However, in Windo
</tr>
<tr class="odd">
<td><p>Default User Rights</p></td>
<td><p>[Allow log on locally](allow_log_on_locally__technical_reference_security_considerations): SeInteractiveLogonRight</p>
<p>[Load and unload device drivers](load_and_unload_device_drivers__technical_reference_security_considerations): SeLoadDriverPrivilege</p>
<p>[Shut down the system](shut_down_the_system__technical_reference_security_considerations): SeShutdownPrivilege</p></td>
<td><p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p>
<p>[Load and unload device drivers](load-and-unload-device-drivers.md): SeLoadDriverPrivilege</p>
<p>[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege</p></td>
</tr>
</tbody>
</table>
@ -3285,13 +3287,13 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="odd">
<td><p>Default User Rights</p></td>
<td><p>[Allow log on locally](allow_log_on_locally__technical_reference_security_considerations): SeInteractiveLogonRight</p>
<p>[Back up files and directories](back_up_files_and_directories__technical_reference_security_considerations): SeBackupPrivilege</p>
<p>[Change the system time](change_the_system_time__technical_reference_security_considerations): SeSystemTimePrivilege</p>
<p>[Change the time zone](change_the_time_zone__technical_reference_security_considerations): SeTimeZonePrivilege</p>
<p>[Force shutdown from a remote system](force_shutdown_from_a_remote_system__technical_reference_security_considerations): SeRemoteShutdownPrivilege</p>
<p>[Restore files and directories](restore_files_and_directories__technical_reference_security_considerations): Restore files and directories SeRestorePrivilege</p>
<p>[Shut down the system](shut_down_the_system__technical_reference_security_considerations): SeShutdownPrivilege</p></td>
<td><p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p>
<p>[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege</p>
<p>[Change the system time](change-the-system-time.md): SeSystemTimePrivilege</p>
<p>[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege</p>
<p>[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md): SeRemoteShutdownPrivilege</p>
<p>[Restore files and directories](restore-files-and-directories.md): Restore files and directories SeRestorePrivilege</p>
<p>[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege</p></td>
</tr>
</tbody>
</table>
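Review bot: the new line `<p>[Restore files and directories](restore-files-and-directories.md): Restore files and directories SeRestorePrivilege</p>` carries over the stray repeated phrase "Restore files and directories" before the privilege constant. Every other row in these tables uses the form `[Name](link): SeXxxPrivilege`, so this should read `<p>[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege</p>`.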

View File

@ -9,6 +9,8 @@ ms.pagetype: security
# Dynamic Access Control Overview
**Applies to**
- Windows Server 2016
This overview topic for the IT professional describes Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
@ -134,8 +136,7 @@ A file server running Windows Server 2012 or Windows Server 2012 R2 must have a
## Additional resource
For information about implementing solutions based on this technology, see [Dynamic Access Control: Scenario Overview](dynamic_access_control_scenario_overview_pscen_overview).
[Access control overview](access-control.md)
 
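Review bot: the replacement changes what "Additional resource" points at: the removed sentence directed readers to implementation guidance ("Dynamic Access Control: Scenario Overview"), whereas the new line is a bare `[Access control overview](access-control.md)` back to the parent overview topic. If the scenario overview has no target in this repo, link the published article or say the guidance moved; either way keep a descriptive sentence like the original rather than a bare link under a heading named "Additional resource".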

View File

@ -9,6 +9,9 @@ ms.pagetype: security
# Local Accounts
**Applies to**
- Windows 10
- Windows Server 2016
This reference topic for the IT professional describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. This topic does not describe the default local user accounts for an Active Directory domain controller.
@ -147,7 +150,7 @@ By default, the Guest account is the only member of the default Guests group, wh
When an administrator enables the Guest account, it is a best practice to create a strong password for this account. In addition, the administrator on the computer should also grant only limited rights and permissions for the Guest account. For security reasons, the Guest account should not be used over the network and made accessible to other computers.
When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](shut_down_the_system__technical_reference_security_considerations) user right.
When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right.
In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
@ -248,7 +251,7 @@ The following table shows the Group Policy and registry settings that are used t
<tr class="odd">
<td><p>1</p></td>
<td><p>Policy name</p></td>
<td><p>[User Account Control: Run all administrators in Admin Approval Mode](user_account_control_run_all_administrators_in_admin_approval_mode_technical_reference_mgmt_security_considerations)</p></td>
<td><p>[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)</p></td>
</tr>
<tr class="even">
<td><p></p></td>
@ -263,7 +266,7 @@ The following table shows the Group Policy and registry settings that are used t
<tr class="even">
<td><p></p></td>
<td><p>Policy name</p></td>
<td><p>[User Account Control: Run all administrators in Admin Approval Mode](user_account_control_run_all_administrators_in_admin_approval_mode_technical_reference_mgmt_security_considerations)</p></td>
<td><p>[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)</p></td>
</tr>
<tr class="odd">
<td><p></p></td>
@ -392,7 +395,7 @@ The following table shows the Group Policy settings that are used to deny networ
<tr class="odd">
<td><p>1</p></td>
<td><p>Policy name</p></td>
<td><p>[Deny access to this computer from the network](deny_access_to_this_computer_from_the_network__technical_reference_security_considerations)</p></td>
<td><p>[Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)</p></td>
</tr>
<tr class="even">
<td><p></p></td>
@ -408,7 +411,7 @@ The following table shows the Group Policy settings that are used to deny networ
<tr class="even">
<td><p></p></td>
<td><p>Policy name</p></td>
<td><p>[Deny log on through Remote Desktop Services](deny_log_on_through_remote_desktop_services__technical_reference_security_considerations)</p>
<td><p>[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)</p>
<p>(Windows Server 2008 R2 and later.)</p>
<p>Deny logon through Terminal Services</p>
<p>(Windows Server 2008)</p></td>

View File

@ -9,6 +9,8 @@ ms.pagetype: security
# Microsoft Accounts
**Applies to**
- Windows 10
This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization.
@ -116,7 +118,7 @@ Depending on your IT and business models, introducing Microsoft accounts into yo
### <a href="" id="bkmk-restrictuse"></a>Restrict the use of the Microsoft account
If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](accounts_block_microsoft_accounts_tech_ref_mgmt_security____w8). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
The default for this setting is **Disabled**, which enables users to use their Microsoft accounts on devices that are joined to your domain. Other options in the setting can:
@ -149,12 +151,12 @@ Only the owner of the Microsoft account can change the password. Passwords can b
### <a href="" id="bkmk-restrictappinstallationandusage"></a>Restrict app installation and usage
Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker Overview](applocker_overview_server) and [Packaged Apps and Packaged App Installer Rules in AppLocker](packaged_apps_and_packaged_app_installer_rules_in_applocker).
Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](applocker-overview.md) and [Packaged Apps and Packaged App Installer Rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
## See also
[Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](managing_privacy_using_a_microsoft_account_to_logon_and_resulting_internet_communication)
[Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](https://technet.microsoft.com/library/jj884082(v=ws.11).aspx)
 

View File

@ -9,6 +9,10 @@ ms.pagetype: security
# Security identifiers
**Applies to**
- Windows 10
- Windows Server 2016
This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system.
## What are security identifiers?

View File

@ -9,6 +9,9 @@ ms.pagetype: security
# Security Principals
**Applies to**
- Windows 10
- Windows Server 2016
This reference topic for the IT professional describes security principals in regards to Windows accounts and security groups, in addition to security technologies that are related to security principals.
@ -80,7 +83,7 @@ Permissions are different from user rights in that permissions are attached to o
On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers.
For information about which user rights are available and how they can be implemented, see [User Rights Assignment](user_rights_assignment_glbl).
For information about which user rights are available and how they can be implemented, see [User Rights Assignment](user-rights-assignment.md).
### <a href="" id="bkmk-authn"></a> Security context in authentication

View File

@ -9,6 +9,9 @@ ms.pagetype: security
# Service Accounts
**Applies to**
- Windows 10
- Windows Server 2016
This topic for the IT professional explains group and standalone managed service accounts, and the computer-specific virtual computer account, and it points to resources about these service accounts.
@ -29,7 +32,7 @@ This topic contains information about the following types of service accounts:
A managed service account is designed to isolate domain accounts in crucial applications, such as Internet Information Services (IIS), and eliminate the need for an administrator to manually administer the service principal name (SPN) and credentials for the accounts.
To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group managed service account. For more information, see [Group Managed Service Accounts Overview](group_managed_service_accounts_overview).
To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group managed service account. For more information, see [Group Managed Service Accounts Overview](https://technet.microsoft.com/library/hh831782(v=ws.11).aspx).
In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts:
@ -113,10 +116,10 @@ The following table provides links to additional resources that are related to s
<tbody>
<tr class="odd">
<td><p><strong>Product evaluation</strong></p></td>
<td><p>[What's New for Managed Service Accounts](whats_new_for_managed_service_accounts_vil)</p>
<td><p>[What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx)</p>
<p>[Managed Service Accounts Documentation for Windows 7 and Windows Server 2008 R2](http://technet.microsoft.com/library/ff641731.aspx)</p>
<p>[Service Accounts Step-by-Step Guide](http://technet.microsoft.com/library/dd548356.aspx)</p>
<p>[Getting Started with Group Managed Service Accounts](getting_started_with_group_managed_service_accounts)</p></td>
<p>[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx)</p></td>
</tr>
<tr class="even">
<td><p><strong>Deployment</strong></p></td>
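Review bot: The two rewritten links in this table cell use `https://technet.microsoft.com/...`, while the two unchanged links in the same cell ("Managed Service Accounts Documentation for Windows 7 and Windows Server 2008 R2" and "Service Accounts Step-by-Step Guide") still use `http://`. Since this change is already touching the cell, switching those two to `https://` would keep the table consistent and avoid mixed-scheme links.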
@ -137,7 +140,7 @@ The following table provides links to additional resources that are related to s
<tr class="even">
<td><p><strong>Related technologies</strong></p></td>
<td><p>[Security Principals Technical Overview](security-principals.md)</p>
<p>[Active Directory Domain Services Overview](39dd9b55-2512-49d8-8927-a283697f0547)</p></td>
<p>[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx)</p></td>
</tr>
</tbody>
</table>
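Review bot: The replacement in the "Related technologies" row changes both the target and the link text, from "Active Directory Domain Services Overview" to "What's new in Active Directory Domain Services". A "What's new" topic is a different kind of resource from an overview; confirm that this is the intended replacement for the broken GUID link, and if an overview topic exists, prefer it so the row still points at introductory material.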

View File

@ -9,6 +9,8 @@ ms.pagetype: security
# Special Identities
**Applies to**
- Windows Server 2016
This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.
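Review bot: The "Applies to" list added to Special Identities names only Windows Server 2016, whereas the Service Accounts topic in this same commit lists both Windows 10 and Windows Server 2016. The identities described here (Authenticated Users, Local Service, Network Service, Terminal Server User) exist on client editions too, so either add Windows 10 or note why it is deliberately omitted.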
@ -143,9 +145,9 @@ Any user who accesses the system through a sign-in process has the Authenticated
</tr>
<tr class="even">
<td><p>Default User Rights</p></td>
<td><p>[Access this computer from the network](access_this_computer_from_the_network__technical_reference_security_considerations): SeNetworkLogonRight</p>
<p>[Add workstations to domain](add_workstations_to_domain__technical_reference_security_considerations): SeMachineAccountPrivilege</p>
<p>[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege</p></td>
<td><p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
<p>[Add workstations to domain](add-workstations-to-domain.md): SeMachineAccountPrivilege</p>
<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p></td>
</tr>
</tbody>
</table>
@ -373,8 +375,8 @@ This group includes all domain controllers in an Active Directory forest. Domain
</tr>
<tr class="even">
<td><p>Default User Rights Assignment</p></td>
<td><p>[Access this computer from the network](access_this_computer_from_the_network__technical_reference_security_considerations): SeNetworkLogonRight</p>
<p>[Allow log on locally](allow_log_on_locally__technical_reference_security_considerations): SeInteractiveLogonRight</p></td>
<td><p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
<p>[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight</p></td>
</tr>
</tbody>
</table>
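Review bot: The row label in this table reads "Default User Rights Assignment", while the equivalent rows in the other tables of this file read "Default User Rights" (and, further down, "Default user rights"). Since these rows are being edited anyway, unify the label across all tables, for example to "Default User Rights".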
@ -416,9 +418,9 @@ Membership is controlled by the operating system.
</tr>
<tr class="even">
<td><p>Default User Rights</p></td>
<td><p>[Access this computer from the network](access_this_computer_from_the_network__technical_reference_security_considerations): SeNetworkLogonRight</p>
<p>[Act as part of the operating system](act_as_part_of_the_operating_system__technical_reference_security_considerations): SeTcbPrivilege</p>
<p>[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege</p></td>
<td><p>[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight</p>
<p>[Act as part of the operating system](act-as-part-of-the-operating-system.md): SeTcbPrivilege</p>
<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p></td>
</tr>
</tbody>
</table>
@ -494,14 +496,14 @@ The Local Service account is similar to an Authenticated User account. The Local
</tr>
<tr class="even">
<td><p>Default user rights</p></td>
<td><p>[Adjust memory quotas for a process](adjust_memory_quotas_for_a_process__technical_reference_security_considerations): SeIncreaseQuotaPrivilege</p>
<p>[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege</p>
<p>[Change the system time](change_the_system_time__technical_reference_security_considerations): SeSystemtimePrivilege</p>
<p>[Change the time zone](change_the_time_zone__technical_reference_security_considerations): SeTimeZonePrivilege</p>
<p>[Create global objects](create_global_objects__technical_reference_security_considerations): SeCreateGlobalPrivilege</p>
<p>[Generate security audits](generate_security_audits__technical_reference_security_considerations): SeAuditPrivilege</p>
<p>[Impersonate a client after authentication](impersonate_a_client_after_authentication__technical_reference_security_considerations): SeImpersonatePrivilege</p>
<p>[Replace a process level token](replace_a_process_level_token__technical_reference_security_considerations): SeAssignPrimaryTokenPrivilege</p></td>
<td><p>[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege</p>
<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p>
<p>[Change the system time](change-the-system-time.md): SeSystemtimePrivilege</p>
<p>[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege</p>
<p>[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege</p>
<p>[Generate security audits](generate-security-audits.md): SeAuditPrivilege</p>
<p>[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege</p>
<p>[Replace a process level token](replace-a-process-level-token.md): SeAssignPrimaryTokenPrivilege</p></td>
</tr>
</tbody>
</table>
@ -615,13 +617,13 @@ The Network Service account is similar to an Authenticated User account. The Net
</tr>
<tr class="even">
<td><p>Default User Rights</p></td>
<td><p>[Adjust memory quotas for a process](adjust_memory_quotas_for_a_process__technical_reference_security_considerations): SeIncreaseQuotaPrivilege</p>
<p>[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege</p>
<p>[Create global objects](create_global_objects__technical_reference_security_considerations): SeCreateGlobalPrivilege</p>
<p>[Generate security audits](generate_security_audits__technical_reference_security_considerations): SeAuditPrivilege</p>
<p>[Impersonate a client after authentication](impersonate_a_client_after_authentication__technical_reference_security_considerations): SeImpersonatePrivilege</p>
<p>[Restore files and directories](restore_files_and_directories__technical_reference_security_considerations): SeAssignPrimaryTokenPrivilege</p>
<p>[Replace a process level token](replace_a_process_level_token__technical_reference_security_considerations): SeAssignPrimaryTokenPrivilege</p></td>
<td><p>[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege</p>
<p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p>
<p>[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege</p>
<p>[Generate security audits](generate-security-audits.md): SeAuditPrivilege</p>
<p>[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege</p>
<p>[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege</p>
<p>[Replace a process level token](replace-a-process-level-token.md): SeAssignPrimaryTokenPrivilege</p></td>
</tr>
</tbody>
</table>
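Review bot: The "Restore files and directories" line changes more than the link target: the privilege constant moves from `SeAssignPrimaryTokenPrivilege` (which was duplicated from the "Replace a process level token" line below it) to `SeRestorePrivilege`. That is a correctness fix to the Network Service rights, not a link repair, so call it out in the commit message so reviewers and readers of the history can see the content change.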
@ -883,8 +885,8 @@ Any service that accesses the system has the Service identity. This identity gro
</tr>
<tr class="even">
<td><p>Default User Rights</p></td>
<td><p>[Create global objects](create_global_objects__technical_reference_security_considerations): SeCreateGlobalPrivilege</p>
<p>[Impersonate a client after authentication](impersonate_a_client_after_authentication__technical_reference_security_considerations): SeImpersonatePrivilege</p></td>
<td><p>[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege</p>
<p>[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege</p></td>
</tr>
</tbody>
</table>
@ -994,8 +996,8 @@ Any user accessing the system through Terminal Services has the Terminal Server
</tr>
<tr class="even">
<td><p>Default User Rights</p></td>
<td><p>[Bypass traverse checking](bypass_traverse_checking__technical_reference_management_security_considerations): SeChangeNotifyPrivilege</p>
<p>[Increase a process working set](increase_a_process_working_set__technical_reference_security_considerations): SeIncreaseWorkingSetPrivilege</p></td>
<td><p>[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege</p>
<p>[Increase a process working set](increase-a-process-working-set.md): SeIncreaseWorkingSetPrivilege</p></td>
</tr>
</tbody>
</table>