diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md index 5ec17717c0..e7693103ba 100644 --- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md 
@@ -24,9 +24,9 @@ ms.date: 04/19/2017 This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. -Central access policies and rules determine access permissions for multiple files on multiple file servers. So it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. Central access policies and rules are critical elements in a Dynamic Access Control deployment. These policies and rules are stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor these objects for potential changes in security auditing and to verify that policies are being enforced. +Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They are stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced. -Use the following procedures to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you've configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. 
If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (demonstration steps)](https://technet.microsoft.com/library/hh846167.aspx). +Follow these procedures to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you've configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (demonstration steps)](https://technet.microsoft.com/library/hh846167.aspx). > [!NOTE] > Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. @@ -42,7 +42,7 @@ Use the following procedures to configure settings to monitor changes to central 7. Open the Active Directory Administrative Center. 8. Under Dynamic Access Control, right-click **Central Access Policies**, and then select **Properties**. 9. Select the **Security** tab, select **Advanced** to open the **Advanced Security Settings** dialog box, and then select the **Auditing** tab. -10. Select **Add**, add a security auditing setting for the container, and then close all security properties dialog boxes. +10. Select **Add**, add a security auditing setting for the container, and then close all the security properties dialog boxes. After you configure settings to monitor changes to central access policy and central access rule definitions, verify that the changes are being monitored. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index 5f51fda91a..666528f9e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md @@ -1,6 +1,6 @@ --- title: Optimize ASR rule deployment and detections -description: Ensure your attack surface reduction (ASR) rules are optimized to identify and prevent typical malware exploits. +description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits. keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,28 +23,28 @@ ms.topic: article * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink). +> Want to experience Microsoft Defender Advanced Threat Protection (ATP)? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink). -[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typically malware exploits. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives. +[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typically malware exploits. They control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives. ![Attack surface management card](images/secconmgmt_asr_card.png)
*Attack surface management card* The *Attack surface management* card is an entry point to tools in Microsoft 365 security center that you can use to: -* Understand how ASR rules are currently deployed in your organization -* Review ASR detections and identify possible incorrect detections -* Analyze the impact of exclusions and generate the list of file paths to exclude +* Understand how ASR rules are currently deployed in your organization. +* Review ASR detections and identify possible incorrect detections. +* Analyze the impact of exclusions and generate the list of file paths to exclude. Select **Go to attack surface management** > **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center. ![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)
-*Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center* +***Add exclusions*** tab in the Attack surface reduction rules page in Microsoft 365 security center* > [!NOTE] > To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions) -For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) +For more information about ASR rule deployment in Microsoft 365 security center, see [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) **Related topics** diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index f5599c4348..1991f617c8 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md 
@@ -1,5 +1,5 @@ --- -title: Interactive log-on Prompt user to change password before expiration (Windows 10) +title: Interactive log-on: Prompt user to change password before expiration (Windows 10) description: Best practices and security considerations for an interactive log-on prompt for users to change passwords before expiration. ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9 ms.reviewer: @@ -26,7 +26,7 @@ This article describes the best practices, location, values, policy management, ## Reference -The **Interactive logon: Prompt user to change password before expiration** policy setting determines when users are warned that their passwords are about to expire. This advance warning gives users the time to select a strong password before their current password expires and avoid losing system access. +This policy setting determines when users are warned that their passwords are about to expire. This warning gives users time to select a strong password before their current password expires and avoid losing system access. ### Possible values 
@@ -35,9 +35,9 @@ The **Interactive logon: Prompt user to change password before expiration** poli ### Best practices -- Configure user passwords to expire periodically. Users need warning that their passwords are going to expire, or they might inadvertently get locked out of the system. This could lead to confusion for users who access the network locally. Or prevent make it impossible for users who access the network through dial-up or virtual private network (VPN) connections to log on. +- Configure user passwords to expire periodically. Users need warning that their passwords are going to expire, or they might get locked out of the system. - Set **Interactive logon: Prompt user to change password before expiration** to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain. -- Do not set the value to zero, which results in displaying the password expiration warning every time the user logs on. +- Don't set the value to zero, which displays the password expiration warning every time the user logs on. ### Location @@ -70,7 +70,7 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, ti can be configured on the local computer through the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, it can be configured on the local computer through the Local Security Policy snap-in. ## Security considerations 
@@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -If user passwords are configured to expire periodically in your organization, users need to be warned before expiration. Otherwise, they may get locked out of the devices inadvertently. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or VPN connections. +If user passwords are configured to expire periodically in your organization, users need to be warned before expiration. Otherwise, they may get locked out of the devices inadvertently. ### Countermeasure @@ -86,7 +86,7 @@ Configure the **Interactive logon: Prompt user to change password before expirat ### Potential impact -Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days. +Users see a dialog-box that prompts them to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index c51746c7d7..2c0315e826 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md 
@@ -26,23 +26,23 @@ This article describes the best practices, location, values, policy management, The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-middle" attacks that modify SMB packets in transit, the SMB protocol supports digital signing of SMB packets. -Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data access failure. +Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." Misuse of these policy settings is a common error that can cause data access failure. -Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). +Beginning with SMBv2 clients and servers, signing can be either *required* or *not required*. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). -There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table shows the effective behavior for SMBv3 and SMBv2. 
+Negotiation occurs between the SMB client and the SMB server to decide whether signing will be used. The following table shows the effective behavior for SMBv3 and SMBv2. | | Server – required | Server – not required | |---------------------------|---------------------|------------------------| | **Client – required** | Signed | Signed | -| **Client – not required** | Signed 1 | Not Signed2 | +| **Client – not required** | Signed 1 | Not signed2 |
1 Default for domain controller SMB traffic
2 Default for all other SMB traffic -Performance of SMB signing is improved in SMBv2. For more information, see [Potential impact](#potential-impact). +Performance of SMB signing is improved in SMBv2. For more information, see [Potential impact](#potential-impact). ### Possible values @@ -76,7 +76,7 @@ This section describes features and tools that you can use to manage this policy ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations 
@@ -86,7 +86,7 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it to make the server perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication and gain unauthorized access to data. -SMB is the resource-sharing protocol that's supported by many versions of the Windows operating systems. It's the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that's supported by many versions of the Windows operating systems. It's the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't happen. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 008185b850..5f27780a1a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
@@ -30,23 +30,19 @@ Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Su When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that's used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When it's validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. -> [!Note] -> The ability to link online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. +> [!NOTE] +> Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 and later. ### Possible values -- **Enabled** +- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. - This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. 
It associates the user's certificate to a security token, and then the logon process completes. + > [!NOTE] + > KU2U is disabled by default on Windows Server. Remote desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server. - > [!NOTE] - > KU2U is disabled by default on Windows Server. Remote desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device, or Hybrid Azure AD-joined domain member Windows 10 device, fail. To resolve this, enable PKU2U on the server. - -- **Disabled** - - This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. +- **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. - ***Not set***. Not configuring this policy prevents online IDs from being used to authenticate the user. This option is the default on domain-joined devices. 
@@ -77,7 +73,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). Although this setup is beneficial for workgroups or home groups, in a domain-joined environment it might circumvent your established security policies. +Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is beneficial for workgroups or home groups. But in a domain-joined environment, it might circumvent established security policies. ### Countermeasure @@ -85,7 +81,7 @@ Set this policy to *Disabled* or don't configure this security policy for domain ### Potential impact -If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which force users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that are not part of a domain that uses PKU2U. This allows users to share resources between devices. +If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which force users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U. This configuration allows users to share resources between devices. ## Related topics
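Review bot: In configure-machines-asr.md, hunk @@ -23,28 +23,28 @@, the rewritten caption `+***Add exclusions*** tab in the Attack surface reduction rules page in Microsoft 365 security center*` has unbalanced emphasis markers: `***Add exclusions***` opens and closes bold-italic on its own, so the trailing `*` after "center" has no partner and will render as a literal asterisk. Either keep the original all-italic caption or nest the bold inside it, e.g. `***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center*`. Two smaller points in the same hunk: the touched line `+[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typically malware exploits.` keeps the error "typically malware exploits" (the new description in the @@ -1,6 hunk of this file already says "typical malware exploits"), and expanding the trial prompt to "Microsoft Defender Advanced Threat Protection (ATP)" defines the abbreviation as "ATP", which conflicts with the unchanged context line just above it that defines it as "Microsoft Defender ATP".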
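Review bot: In interactive-logon-prompt-user-to-change-password-before-expiration.md, hunk @@ -1,5 +1,5 @@, the new front-matter line `+title: Interactive log-on: Prompt user to change password before expiration (Windows 10)` places an unquoted `: ` inside a YAML plain scalar, which YAML parsers reject ("mapping values are not allowed here"), so the page build is likely to fail. Quote the value: `title: "Interactive logon: Prompt user to change password before expiration (Windows 10)"`. While touching it, use "logon" rather than "log-on": the setting is named **Interactive logon: Prompt user to change password before expiration** throughout the body of this file, and the title (and the unchanged description line, which also says "log-on") should match the policy name.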
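Review bot: In the same file, hunk @@ -26,7 +26,7 @@, the rewrite drops the policy name from the opening sentence of the Reference section (`-The **Interactive logon: Prompt user to change password before expiration** policy setting determines...` becomes `+This policy setting determines...`), leaving "This policy setting" with no antecedent inside the section; the name now appears only in the page title. Keep the bolded setting name in the first sentence and apply the trimming to the second sentence only.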
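Review bot: In the same file, hunk @@ -35,9 +35,9 @@, the rewrite of the first best-practice bullet fixes the garbled "Or prevent make it impossible" but also drops the reason the warning matters most: the removed line said an unwarned expiry can "make it impossible for users who access the network through dial-up or virtual private network (VPN) connections to log on". That is the security-relevant consequence of the setting (a remote user whose password has already expired gets no chance to change it), so keep a short form, e.g. "Users need warning that their passwords are going to expire, or they might get locked out; users who connect through dial-up or VPN may then be unable to log on at all." Hunk @@ -78,7 +78,7 @@ in the Vulnerability section removes the same sentence and should keep it for the same reason.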
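Review bot: In the same file, hunk @@ -86,7 +86,7 @@, `+Users see a dialog-box that prompts them to change their password` should lose the hyphen: "dialog-box" was hyphenated in the old wording only because it modified "prompt"; as a standalone noun it is "dialog box", matching "users will see a dialog box" in the Best practices bullet of the @@ -35,9 hunk.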
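Review bot: In microsoft-network-client-digitally-sign-communications-always.md, hunk @@ -26,23 +26,23 @@, the touched table row `+| **Client – not required** | Signed 1 | Not signed2 |` still has inconsistent footnote markers: "Signed 1" has a space before the marker while "Not signed2" does not, so the second reads as a typo rather than a reference to the "2 Default for all other SMB traffic" line under the table. Use the same form in both cells. Also, the `-`/`+` pair for "Performance of SMB signing is improved in SMBv2." is identical as displayed, so it looks like a whitespace-only change; if that is intentional (for example trailing-space cleanup) it is fine, otherwise it only adds noise to the diff.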
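Review bot: In network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md, hunk @@ -30,23 +30,19 @@, the re-indented note `+ > KU2U is disabled by default on Windows Server.` carries the existing typo "KU2U" into the new text; since the line is being rewritten anyway, correct it to "PKU2U" so it matches "enable PKU2U on the server" at the end of the same note. In the same hunk, `+> Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager.` still reads awkwardly; "Anyone with a standard user account can link online IDs through Credential Manager." says the same thing.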
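Review bot: In the same file, hunk @@ -85,7 +81,7 @@, the touched line `+If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which force users to follow domain-defined access control policies.` keeps the agreement error "which force"; it should be "which forces". The next sentence, "authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U", is ambiguous about whether PKU2U belongs to the domain or to the authentication; "authenticate with local certificates, using PKU2U, between systems that aren't part of a domain" matches the Enabled description in the @@ -30,23 hunk.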