From a75ddd91837b3d7c1ce9d9500aa966b2f492c0b0 Mon Sep 17 00:00:00 2001 From: jamiejdt Date: Wed, 15 Jun 2016 14:01:02 -0700 Subject: [PATCH 1/3] MDOP 7555829 App-V 4.6 SP2 is EOS - remove all references including changing filenames with material to be retained --- ...ating-and-managing-app-v-51-virtualized-applications.md | 3 +++ ...equence-a-new-application-with-app-v-51-beta-gb18030.md | 3 +++ mdop/appv-v5/release-notes-for-app-v-51.md | 7 +++++++ 3 files changed, 13 insertions(+) diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index 9d9109d788..e7670ca4e2 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -13,6 +13,9 @@ After you have properly deployed the Microsoft Application Virtualization (App-V **Note**   For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx). +**Note** +The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. + ## Sequencing an application diff --git a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md index fa95464abb..8c2ab69747 100644 --- a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md +++ b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md 
@@ -51,6 +51,9 @@ author: jamiejdt - If short paths have been disabled for the virtualized package’s target volume, you must also sequence the package to a volume that was created and still has short-paths disabled. It cannot be the system volume. +**Note** +The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. + **To sequence a new standard application** 1. On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. diff --git a/mdop/appv-v5/release-notes-for-app-v-51.md b/mdop/appv-v5/release-notes-for-app-v-51.md index 42cb4bcc3d..92facdd8e1 100644 --- a/mdop/appv-v5/release-notes-for-app-v-51.md +++ b/mdop/appv-v5/release-notes-for-app-v-51.md @@ -131,6 +131,13 @@ App-V 5.1 does not support Visual Studio 2012. **Workaround**: None +## Application filename restrictions for App-V 5.x Sequencer + + +The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. + +**Workaround**: Use a different filename + ## Got a suggestion for App-V? From 9a0e42b9d9c41dc80d365514664a6eef9247301e Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 16 Jun 2016 15:45:13 -0700 Subject: [PATCH 2/3] VSO bug# 6975656 --- windows/keep-secure/bitlocker-overview.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 58f3047141..18c4baf5b6 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md 
@@ -77,3 +77,5 @@ When installing the BitLocker optional component on a server you will also need | [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. | | [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| + +If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/win10/SB_BL.htm). \ No newline at end of file From 2365e11f250993e78794f90ecd94b2018aa58268 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Thu, 16 Jun 2016 16:29:09 -0700 Subject: [PATCH 3/3] updates, evt 4703, per item 7632971 --- windows/keep-secure/audit-authorization-policy-change.md | 8 ++++---- windows/keep-secure/event-4703.md | 7 +++++-- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/audit-authorization-policy-change.md b/windows/keep-secure/audit-authorization-policy-change.md index bb16d06124..665bdbe166 100644 --- a/windows/keep-secure/audit-authorization-policy-change.md +++ b/windows/keep-secure/audit-authorization-policy-change.md 
@@ -20,9 +20,9 @@ Audit Authorization Policy Change allows you to audit assignment and removal of | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.
Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.
Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.
Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** @@ -38,5 +38,5 @@ Audit Authorization Policy Change allows you to audit assignment and removal of - [4913](event-4913.md)(S): Central Access Policy on the object was changed. -**Event volume**: Medium. +**Event volume**: Medium to High. diff --git a/windows/keep-secure/event-4703.md b/windows/keep-secure/event-4703.md index 4b6ac99faa..bdce298519 100644 --- a/windows/keep-secure/event-4703.md +++ b/windows/keep-secure/event-4703.md @@ -21,7 +21,7 @@ author: Mir0sh ***Event Description:*** -This event generates when [token privileges](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific account’s token. +This event generates when [token privileges](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific account’s token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. 
@@ -180,6 +180,10 @@ Token privileges provide the ability to take certain system-level actions that y For 4703(S): A user right was adjusted. +As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703. + +Otherwise, see the recommendations in the following table. + | **Type of monitoring required** | **Recommendation** | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | @@ -191,4 +195,3 @@ For 4703(S): A user right was adjusted. | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. | | **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the **“Enabled Privileges”** to your list of user rights. Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.
For example, you might have **SeDebugPrivilege** on a list of user rights to be restricted. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | -
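
Review bot: in the note added to creating-and-managing-app-v-51-virtualized-applications.md (and repeated in how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md), the pattern "CO_<x>" contains a raw <x> that a Markdown renderer can treat as an HTML tag and drop, so the published text may read "CO_". Put the pattern in backticks or escape the angle brackets so the placeholder survives rendering.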
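
Review bot: in the release-notes-for-app-v-51.md hunk, the new "Application filename restrictions" entry does not say how the pattern is matched: whether "CO_<x>" must be the whole file name or only a prefix, whether x is a single digit or any number, and whether the restriction applies to the installer or to any file in the package. State this explicitly so readers can tell whether they are affected before they hit error 0x8007139F. The workaround line also lacks its closing period. Separately, the subject of this patch describes removing App-V 4.6 SP2 references, while the diffstat shows 13 insertions and no deletions, so the message should describe the filename restriction instead.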
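
Review bot: in the bitlocker-overview.md hunk, the added sentence "If you're looking for info on how to use it with Windows 10 IoT Core" has no antecedent for "it", because it follows a table of links rather than a sentence about BitLocker. Name the feature ("how to use BitLocker with Windows 10 IoT Core"), and end the file with a newline to clear the "No newline at end of file" marker.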
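
Review bot: in the first hunk of audit-authorization-policy-change.md, all three rewritten Comments cells name the API as "AdjustPrivilegesToken"; the Win32 function is AdjustTokenPrivileges, so readers searching for the name as written will not find it. The same cells end with "Success auditing for this category" where every other sentence says "subcategory"; use "subcategory" throughout. Since the three cells are identical, consider stating the IF condition once below the table and referencing it from each row, so the next correction is made in one place.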
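
Review bot: in the Event Description hunk of event-4703.md, the new text tells readers they "might need to disable Success auditing for this subcategory" without stating what that costs. The companion change in audit-authorization-policy-change.md says Success auditing is what reports changes in user rights policies and Central Access Policy, and it mentions filtering recurring events in event-management software as an alternative. Carry both points over here so that turning the subcategory off is presented as a trade-off and filtering the known noisy source is offered first. The API name "AdjustPrivilegesToken" should also read AdjustTokenPrivileges.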
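
Review bot: in the Security Monitoring Recommendations hunk of event-4703.md, the added paragraph repeats the one added to the Event Description almost word for word, and "Otherwise, see the recommendations in the following table" makes the table read as applying only when volume is low. The table's recommendations, such as alerting on **SeDebugPrivilege** or on high-value accounts, still matter on hosts with noisy services. Keep the volume caveat in one place, link to it from the other, and reword the lead-in so the table applies in both cases.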