mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 21:03:42 +00:00
Merge remote-tracking branch 'refs/remotes/origin/master' into live
@ -2232,8 +2232,9 @@ The Key Admins group applies to versions of the Windows Server operating system
|
||||
| Default member of | None |
|
||||
| Protected by ADMINSDHOLDER? | No |
|
||||
| Safe to delegate management of this group to non-Service admins? | No |
|
||||
| Default User Rights | None |
|
||||
|
||||
<!-- WHEN MORE INFO IS AVAILABLE, ADD LINES to the above table -- a line under the ADMINSDHOLDER line, "Safe to move out of default container?" ...plus the last line, "Default User Rights" -->
|
||||
<!-- WHEN MORE INFO IS AVAILABLE, ADD LINES to the above table -- a line under the ADMINSDHOLDER line, "Safe to move out of default container?" -->
|
||||
|
||||
### <a href="" id="bkmk-networkcfgoperators"></a>Network Configuration Operators
|
||||
|
||||
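Review bot: The retained HTML comment under the Key Admins table still carries an open TODO ("Safe to move out of default container?"), so the table ships incomplete and the reminder lives only in the page source. Consider tracking the missing row in an issue and removing the comment, or adding the row with an explicit placeholder value so readers can see the property is undetermined rather than absent.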
@ -2625,11 +2626,11 @@ Members of the Protected Users group are afforded additional protection against
|
||||
|
||||
This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group.
|
||||
|
||||
This domain-related, global group triggers non-configurable protection on devices and host computers running Windows Server 2012 R2 and Windows 8.1, and on domain controllers in domains with a primary domain controller running Windows Server 2012 R2. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer.
|
||||
This domain-related, global group triggers non-configurable protection on devices and host computers, starting with the Windows Server 2012 R2 and Windows 8.1 operating systems. It also triggers non-configurable protection on domain controllers in domains with a primary domain controller running Windows Server 2012 R2 or Windows Server 2016. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer.
|
||||
|
||||
Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows.
|
||||
|
||||
- Members of the Protected Users group cannot authenticate by using the following Security Support Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running Windows 8.1, so the device fails to authenticate to a domain when the account is a member of the Protected User group.
|
||||
- Members of the Protected Users group cannot authenticate by using the following Security Support Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running Windows 8.1 or Windows 10, so the device fails to authenticate to a domain when the account is a member of the Protected User group.
|
||||
|
||||
- The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. This means that the domain must be configured to support at least the AES cipher suite.
|
||||
|
||||
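Review bot: The reworded SSP bullet ends with "a member of the Protected User group" while every other mention in this hunk says "Protected Users group"; please use the plural name here too. In the same bullet, "the device fails to authenticate to a domain" does not say which sign-in fails now that Windows 10 is included; if the intent is sign-in without a cached verifier, say so explicitly, since that is the operational impact an administrator has to plan for before adding accounts to the group.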
@ -3351,8 +3352,9 @@ The Storage Replica Administrators group applies to versions of the Windows Serv
|
||||
| Default member of | None |
|
||||
| Protected by ADMINSDHOLDER? | No |
|
||||
| Safe to delegate management of this group to non-Service admins? | No |
|
||||
| Default User Rights | None |
|
||||
|
||||
<!-- WHEN MORE INFO IS AVAILABLE, ADD LINES to the above table -- a line under the ADMINSDHOLDER line, "Safe to move out of default container?" ...plus the last line, "Default User Rights" -->
|
||||
<!-- WHEN MORE INFO IS AVAILABLE, ADD LINES to the above table -- a line under the ADMINSDHOLDER line, "Safe to move out of default container?" -->
|
||||
|
||||
### System Managed Accounts Group
|
||||
|
||||
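Review bot: The new "Default User Rights | None" row for Storage Replica Administrators replaces an item the earlier comment listed as waiting on more information, and the hunk gives no indication of where "None" was confirmed. Please note the source of that value in the commit description or PR so the row can be re-verified later, because readers will treat this table as the authoritative baseline when auditing user rights assignments.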
@ -3370,8 +3372,9 @@ The System Managed Accounts group applies to versions of the Windows Server oper
|
||||
| Default member of | None |
|
||||
| Protected by ADMINSDHOLDER? | No |
|
||||
| Safe to delegate management of this group to non-Service admins? | No |
|
||||
| Default User Rights | None |
|
||||
|
||||
<!-- WHEN MORE INFO IS AVAILABLE, ADD LINES to the above table -- a line under the ADMINSDHOLDER line, "Safe to move out of default container?" ...plus the last line, "Default User Rights" -- ALSO, CONFIRM "Users" is correct for "Default members." -->
|
||||
<!-- WHEN MORE INFO IS AVAILABLE, ADD LINES to the above table -- a line under the ADMINSDHOLDER line, "Safe to move out of default container?" -->
|
||||
|
||||
### <a href="" id="bkmk-terminalserverlic"></a>Terminal Server License Servers
|
||||
|
||||
|
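Review bot: The rewritten comment under the System Managed Accounts table drops the earlier reminder to confirm that "Users" is correct for "Default members", but this hunk does not touch the Default members row. If that value has been verified, say so in the commit description; if not, keep the reminder, since an incorrect default membership in this table would mislead anyone reviewing group membership against it.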
@ -16,7 +16,10 @@ localizationpriority: high
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout.
|
||||
This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10, version 1511 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout.
|
||||
|
||||
>[!NOTE]
|
||||
>For information about Windows Hello for Business in Windows 10, version 1607, see [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md).
|
||||
|
||||
A fundamental assumption about information security is that a system can identify who’s using it. In identifying a user, the system can decide whether the user has identified himself or herself appropriately (a process known as authentication), and then determine what that properly authenticated user should be able to do (a process known as authorization). The overwhelming majority of computer systems deployed throughout the world depend on user credentials as a means of making authentication and authorization decisions, and that means that these systems depend on reusable, user-created passwords for their security. The oft-cited maxim that authentication can involve “something you know, something you have, or something you are” neatly highlights the issue: a reusable password is an authentication factor all by itself, so anyone who knows the password can impersonate the user who owns it.
|
||||
|
||||
|
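Review bot: The introduction now scopes the guide to "Windows 10, version 1511", but the "Applies to" list above it still reads only "Windows 10", so the two disagree about which releases the guidance covers. Suggest changing the list item to "Windows 10, version 1511" to match. Also, the added note's link text says "Windows Hello for Business" while the target file is manage-identity-verification-using-microsoft-passport.md; please confirm that file is the intended 1607 topic.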