deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 13:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into vs-7910360

Browse Source
This commit is contained in:
LizRoss 2016-06-17 10:59:10 -07:00
commit dcdab1093e
6 changed files with 24 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
View File

@ -18,6 +18,9 @@ After you have properly deployed the Microsoft Application Virtualization (App-V
**Note**  
For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).
**Note**
The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated.
## Sequencing an application

3
mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md
View File

@ -56,6 +56,9 @@ ms.prod: w10
- If short paths have been disabled for the virtualized packages target volume, you must also sequence the package to a volume that was created and still has short-paths disabled. It cannot be the system volume.
**Note**
The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated.
**To sequence a new standard application**
1. On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.

7
mdop/appv-v5/release-notes-for-app-v-51.md
View File

@ -136,6 +136,13 @@ App-V 5.1 does not support Visual Studio 2012.
**Workaround**: None
## Application filename restrictions for App-V 5.x Sequencer
The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated.
**Workaround**: Use a different filename
## Got a suggestion for App-V?

8
windows/keep-secure/audit-authorization-policy-change.md
View File

@ -20,9 +20,9 @@ Audit Authorization Policy Change allows you to audit assignment and removal of
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.<br>Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.<br>Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.<br>Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Domain Controller | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
@ -38,5 +38,5 @@ Audit Authorization Policy Change allows you to audit assignment and removal of
- [4913](event-4913.md)(S): Central Access Policy on the object was changed.
**Event volume**: Medium.
**Event volume**: Medium to High.

2
windows/keep-secure/bitlocker-overview.md
View File

@ -77,3 +77,5 @@ When installing the BitLocker optional component on a server you will also need
| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. |
| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a devices configuration. |
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.|
If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/win10/SB_BL.htm).

7
windows/keep-secure/event-4703.md
View File

@ -21,7 +21,7 @@ author: Mir0sh
***Event Description:***
This event generates when [token privileges](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific accounts token.
This event generates when [token privileges](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific accounts token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@ -180,6 +180,10 @@ Token privileges provide the ability to take certain system-level actions that y
For 4703(S): A user right was adjusted.
As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703.
Otherwise, see the recommendations in the following table.
| **Type of monitoring required** | **Recommendation** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
@ -191,4 +195,3 @@ For 4703(S): A user right was adjusted.
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. <br>Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. |
| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the **“Enabled Privileges”** to your list of user rights. Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.<br>For example, you might have **SeDebugPrivilege** on a list of user rights to be restricted. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that dont comply with naming conventions. |