Merge branch 'main' into sheshachary-5714481-part-6

Diana Hanson
2022-05-03 11:02:00 -06:00
committed by GitHub
242 changed files with 2451 additions and 2404 deletions

View File

@ -42,8 +42,6 @@ Changes to user and group objects are tracked by the Account Management audit ca
**Event volume**: High on domain controllers.
For information about reducing the number of events generated in this subcategory, see [KB841001](https://support.microsoft.com/kb/841001).
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |
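Review bot: the only pointer this row gives for narrowing the subcategory is a link into the archived Windows Server 2003 library (`/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)`), which the hunk leaves untouched while only trimming two lines above the table. Since the rest of this merge is retargeting archived MSDN/TechNet links, give this one the same pass, or state in the Comments cell that SAM-level audit guidance exists only in the 2003-era documentation so the reader knows the age of the target before following it. The bare `KB841001` reference above the table should likewise be checked; if it still resolves, keep it, otherwise replace it with the event IDs it explains.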

View File

@ -120,9 +120,9 @@ This event is always logged regardless of the "Audit Other Policy Change Events"
- **HyperVisor Load Options** \[Type = UnicodeString\]**:** shows hypervisor **loadoptions**. See more information here: <https://msdn.microsoft.com/library/windows/hardware/ff542202(v=vs.85).aspx>.
- **HyperVisor Launch Type** \[Type = UnicodeString\]**:** shows the hypervisor launch options (**Off** or **Auto**). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to **Auto** on the target computer. For more information, see [Attaching to a Target Computer Running Hyper-V](https://msdn.microsoft.com/library/windows/hardware/ff538138(v=vs.85).aspx). Information about [Hyper-V](/windows/deployment/deploy-whats-new) technology is available on Microsoft TechNet web site.
- **HyperVisor Launch Type** \[Type = UnicodeString\]**:** shows the hypervisor launch options (**Off** or **Auto**). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to **Auto** on the target computer. For more information, see [Attaching to a Target Computer Running Hyper-V](/windows-hardware/drivers/debugger/setting-up-network-debugging-of-a-virtual-machine-host). Information about [Hyper-V](/windows/deployment/deploy-whats-new) technology is available on Microsoft TechNet web site.
- **HyperVisor Debugging** \[Type = UnicodeString\]**:** shows whether the hypervisor debugger is enabled or not (**Yes** or **No**). For information about hypervisor debugging, see [Attaching to a Target Computer Running Hyper-V](https://msdn.microsoft.com/library/windows/hardware/ff538138(v=vs.85).aspx).
- **HyperVisor Debugging** \[Type = UnicodeString\]**:** shows whether the hypervisor debugger is enabled or not (**Yes** or **No**). For information about hypervisor debugging, see [Attaching to a Target Computer Running Hyper-V](/windows-hardware/drivers/debugger/setting-up-network-debugging-of-a-virtual-machine-host).
## Security Monitoring Recommendations
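Review bot: the anchor text no longer matches the target on both rewritten lines; they still read "Attaching to a Target Computer Running Hyper-V" but now point at `setting-up-network-debugging-of-a-virtual-machine-host`, which is a different procedure. Either change the anchor text to name the page actually linked, or link the page that matches the text. The `HyperVisor Load Options` line two lines up still carries the msdn.microsoft.com `ff542202(v=vs.85)` link, so the hunk cleans two of the three legacy links in this field list and leaves one.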

View File

@ -23,7 +23,7 @@ ms.technology: windows-sec
***Event Description:***
This event generates when [resource attributes](https://blogs.technet.com/b/canitpro/archive/2013/05/07/step-by-step-protecting-your-information-with-dynamic-access-control.aspx) of the file system object were changed.
This event generates when [resource attributes](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview) of the file system object were changed.
Resource attributes for file or folder can be changed, for example, using Windows File Explorer (objects Properties-&gt;Classification tab).
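Review bot: the unchanged line after the link still writes the menu path as `Properties-&gt;Classification`, an HTML entity in Markdown source that will render as a literal `&gt;` if the file is not passed through an HTML step; while this page is being touched, write it as `Properties > Classification` (and "the object's Properties" rather than "objects Properties").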

View File

@ -23,7 +23,7 @@ ms.technology: windows-sec
***Event Description:***
This event occurs when an account that is a member of any defined [Special Group](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) logs in.
This event occurs when an account that is a member of any defined [Special Group](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) logs in.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
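Review bot: "logs in" on the rewritten line should be "logs on", the term the rest of the Windows audit documentation and the event itself use (the event is raised at logon, when the special group membership is evaluated). The note line below still uses the old `> **Note**&nbsp;&nbsp;` callout form, whereas other pages in this same commit use `> [!NOTE]`; converting it here keeps the callout style consistent across the set.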

View File

@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/bb204775(v=vs.85).aspx>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for CNG troubleshooting.
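Review bot: the three links this hunk keeps are exactly the kind of legacy targets the rest of this merge is retargeting: `bb204775(v=vs.85)` on msdn.microsoft.com and two Download Center `details.aspx?id=` pages, none of which are stable documentation URLs. Point the MSDN one at the CNG documentation under `/windows/win32/seccng/`, and verify that the two downloads still exist; if they do not, drop them rather than ship dead links. The same three lines recur unchanged in every CNG event page that follows in this commit, so fix them in one pass, and while doing so pick one wording for the closing sentence ("CNG troubleshooting" here, "Cryptographic Next Generation (CNG) troubleshooting" on the next page).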

View File

@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/bb204775(v=vs.85).aspx>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.

View File

@ -25,8 +25,6 @@ For more information about CNG, visit these pages:
- <https://msdn.microsoft.com/library/windows/desktop/bb204775(v=vs.85).aspx>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for CNG troubleshooting.

View File

@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
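Review bot: same problem as the `bb204775` pages, with `aa376214(v=vs.85)` instead: the hunk only drops two lines and leaves the msdn.microsoft.com link and both Download Center links in place. A bare MSDN GUID gives the reader no hint what the page is, so check what `aa376214` resolves to today and replace it with the matching page under `/windows/win32/seccng/` or `/windows/win32/seccrypto/`, naming it in the link text. This applies to each of the following CNG event pages that carry the identical three lines.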

View File

@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.

View File

@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.

View File

@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.

View File

@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.

View File

@ -23,8 +23,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.

View File

@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.

View File

@ -25,8 +25,6 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
- <https://www.microsoft.com/download/details.aspx?id=1251>
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.

View File

@ -103,7 +103,7 @@ It typically generates when network adapter connects to new wired network.
- **Reason Code** \[Type = UnicodeString\]: contains Reason Text (explanation of Reason Code) and Reason Code for wired authentication results. See more information about reason codes for wired authentication here: <https://msdn.microsoft.com/library/windows/desktop/dd877212(v=vs.85).aspx>, <https://technet.microsoft.com/library/cc727747(v=ws.10).aspx>.
- **Error Code** \[Type = HexInt32\]: unique [EAP error code](https://msdn.microsoft.com/library/windows/desktop/aa813691(v=vs.85).aspx).
- **Error Code** \[Type = HexInt32\]: unique [EAP error code](/windows/win32/eaphost/eap-related-error-and-information-constants).
## Security Monitoring Recommendations
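Review bot: the hunk updates one of the three legacy links in this field list and leaves two: the `Reason Code` line directly above still points at msdn.microsoft.com `dd877212` and technet.microsoft.com `cc727747`. The EAP constants page now linked is the right home for the error codes; the reason codes should be retargeted to the equivalent 802.1X/OneX reason-code reference on the same docs site, and the TechNet link verified or dropped, so the two fields are documented at the same place.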

View File

@ -30,7 +30,7 @@ Use the following procedures to monitor the use of removable storage devices and
Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
> [!NOTE]
> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor.
> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](/previous-versions/ff541299(v=vs.85)). This may require the device to restart to apply the new security descriptor.
**To configure settings to monitor removable storage devices**
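Review bot: the change only appends `(v=vs.85)` to the `ff541299` link, but the more questionable link on that line is the first one: "Security Descriptor" points at `/windows/win32/secauthz/audit-generation`, which describes how audit records are generated, not what a security descriptor is. `/windows/win32/secauthz/security-descriptors` is the matching page, and it is the SACL inside that descriptor that carries the audit settings the note is about, which is worth saying explicitly. "This may require the device to restart" is also ambiguous for removable media; say whether the device must be re-enumerated (unplugged and reconnected) or the computer restarted.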

View File

@ -390,7 +390,7 @@ Examples:
Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL
```
- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](/windows/device-security/device-guard/deploy-windows-defender-application-control). This completion will enable protections on Windows 10 equivalent to EMET's ASR protections.
- **Convert Attack surface reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET's Attack surface reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy. For more information, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control/windows-defender-application-control-deployment-guide.md). This completion will enable protections on Windows 10 equivalent to EMET's ASR protections.
- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET "Certificate Trust" XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning). For example:
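Review bot: the paragraph still calls the converter's output a "Code Integrity policy" while the newly linked guide is titled for WDAC policies; since Windows Defender Application Control is the current name for Code Integrity policies, say so once on this line, otherwise the reader cannot connect the converter's output file with the deployment guide. The new link is also a repository-relative `.md` path that assumes this file sits beside the `windows-defender-application-control/` directory, unlike the site-absolute paths used in the neighbouring bullet and elsewhere in this commit; keep one style within the page.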

View File

@ -27,7 +27,7 @@ You can add information about your organization in a contact card to the Windows
![The Windows Security custom fly-out.](images/security-center-custom-flyout.png)
This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)).
This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)).
Users can select the displayed information to initiate a support request:

View File

@ -84,7 +84,7 @@ You can find more information about each section, including options for configur
>
>Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
>
> Disabling the Windows Security Center Service will not disable Microsoft Defender Antivirus or [Windows Defender Firewall](/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security).
> Disabling the Windows Security Center Service will not disable Microsoft Defender Antivirus or [Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
> [!WARNING]
> If you disable the Windows Security Center Service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.

View File

@ -70,7 +70,7 @@ Other examples of incompatibility include:
- Network monitoring tools might be unable to parse ESP packets that are not encrypted (ESP-Null).
>**Note:**  Microsoft Message Analyzer can help in troubleshooting of unencrypted IPsec packets. The latest version of Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226).
>**Note:**  Microsoft Message Analyzer can help in troubleshooting of unencrypted IPsec packets. The latest version of Message Analyzer is available on the [Microsoft Download Center](/message-analyzer/microsoft-message-analyzer-operating-guide).
 
## Network address translation (NAT)
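Review bot: the link target was changed to the Message Analyzer operating guide, but the sentence still says "The latest version of Message Analyzer is available on the Microsoft Download Center", so the text now promises a download and delivers a manual. Message Analyzer has been retired and is no longer offered for download, so reword rather than keep the claim, for example "Microsoft Message Analyzer (now retired) can parse unencrypted IPsec packets; see the operating guide for details", and keep the link on the guide.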

View File

@ -80,6 +80,6 @@ In general, IPsec defeats network-based prioritization and port- or protocol-bas
Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Network Monitor parsers for ESP can parse inside the ESP packet only if ESP null-encryption is being used. Network Monitor cannot parse the encrypted parts of IPsec ESP traffic when encryption is performed in software. However, if encryption is performed by an IPsec hardware offload network adapter, the ESP packets can be decrypted when Network Monitor captures them on either the source or the destination and, therefore, they can be parsed. To diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPsec policy or connection security rule on both devices.
Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226).
Message Analyzer is available on the [Microsoft Download Center](/message-analyzer/microsoft-message-analyzer-operating-guide).
**Next:** [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
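Review bot: same text/target mismatch as on the IPsec compatibility page: "available on the Microsoft Download Center" now links to the operating guide, so reword the sentence to match. In the unchanged paragraph above, "the ESP packets can be decrypted when Network Monitor captures them" misstates what happens with hardware offload: Network Monitor does no decryption; the capture point on the host sits above the adapter, so with offload the packets are still plaintext on send and already plaintext on receive. Say that the captured packets are not yet (or no longer) encrypted, which also explains why the software-encryption case needs ESP-null.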

View File

@ -27,7 +27,7 @@ ms.technology: windows-sec
Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats.
Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/business/microsoft-digital-defense-report).
Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/business/security-intelligence-report).
Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it is away from the organization's network.
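Review bot: this hunk moves the link backwards: `microsoft-digital-defense-report` is the current successor of the Security Intelligence Report, and the merge replaces it with the retired `security-intelligence-report` URL, which looks like this line was resolved in favour of the stale branch. Keep the Digital Defense Report URL and rename the link text to match. Minor, in the unchanged context: "Portable device are often taken" should be "Portable devices are often taken", and "what can stop it?" should be "what can stop them?" since it refers back to "attacks".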