Merge pull request #6116 from MicrosoftDocs/master

Publish 12/21/2021, 3:30 PM PT
2025-05-13 05:47:23 +00:00 · 2021-12-21 16:59:03 -07:00 · 2021-12-21 16:59:03 -07:00 · e2ee11d9c0
commit e2ee11d9c0
parent 1f54f3b7d4 682427c5bd
4 changed files with 130 additions and 15 deletions
--- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: dansimp
-ms.date: 09/23/2020
+ms.date: 12/21/2021
 ms.reviewer: 
 manager: dansimp
 ---
@ -78,7 +78,7 @@ Time zone redirection is possible only when connecting to at least a Microsoft W
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP Friendly name: *Allow time zone redirection*
-   GP name: *TS_GATEWAY_POLICY_ENABLE*
+-   GP name: *TS_TIME_ZONE*
 -   GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection*
 -   GP ADMX file name: *TerminalServer.admx*

--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@ -166,7 +166,7 @@ The following table lists the universal well-known SIDs.
 | S-1-5 | NT Authority | A SID that represents an identifier authority. |
 | S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.|

-The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the last value is used with well-known SIDs in Windows operating systems designated in the **Applies To** list.
+The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list.

 | Identifier Authority | Value | SID String Prefix |
 | - | - | - |
@ -174,6 +174,8 @@ The following table lists the predefined identifier authority constants. The fir
 | SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 |
 | SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 |
 | SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 |
+| SECURITY_NT_AUTHORITY | 5 | S-1-5 |
+| SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18 |

 The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.

@ -256,14 +258,6 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
 | S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.|
 | S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.|
 | S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). |
-| S-1-16-0| Untrusted Mandatory Level| A SID that represents an untrusted integrity level.|
-| S-1-16-4096 | Low Mandatory Level| A SID that represents a low integrity level.|
-| S-1-16-8192 | Medium Mandatory Level| This SID represents a medium integrity level.|
-| S-1-16-8448 | Medium Plus Mandatory Level| A SID that represents a medium plus integrity level.|
-| S-1-16-12288 | High Mandatory Level| A SID that represents a high integrity level.|
-| S-1-16-16384 | System Mandatory Level| A SID that represents a system integrity level.|
-| S-1-16-20480 | Protected Process Mandatory Level| A SID that represents a protected-process integrity level.|
-| S-1-16-28672 | Secure Process Mandatory Level| A SID that represents a secure process integrity level.|

 The following RIDs are relative to each domain.

--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@ -2,6 +2,7 @@
 title: Special Identities (Windows 10)
 description: Special Identities
 ms.prod: m365-security
+ms.technology: windows-sec
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@ -12,14 +13,14 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 10/12/2021
+ms.date: 12/21/2021
 ms.reviewer: 
 ---

 # Special Identities

 **Applies to**
-   Windows Server 2016
+-   Windows Server 2016 or later

 This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.

@ -97,6 +98,18 @@ Any user who accesses the system through an anonymous logon has the Anonymous Lo
 |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
 |Default User Rights|None|

+## Attested Key Property
+
+
+A SID that means the key trust object had the attestation property.
+
+| Attribute | Value |
+|  :--: | :--: | 
+| Well-Known SID/RID | S-1-18-6 |
+|Object Class|  Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
+|Default User Rights|None|
+
 ## Authenticated Users


@ -109,6 +122,18 @@ Any user who accesses the system through a sign-in process has the Authenticated
 |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
 |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight<br>  [Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege<br>  [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|

+## Authentication Authority Asserted Identity
+
+
+A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials.
+
+| Attribute | Value |
+|  :--: | :--: | 
+| Well-Known SID/RID | S-1-18-1 |
+|Object Class|  Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
+|Default User Rights|None|
+
 ## Batch


@ -121,6 +146,18 @@ Any user or process that accesses the system as a batch job (or through the batc
 |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
 |Default User Rights| none|

+## Console Logon
+
+
+A group that includes users who are logged on to the physical console. This SID can be used to implement security policies that grant different rights based on whether a user has been granted physical access to the console.
+
+| Attribute | Value |
+|  :--: | :--: | 
+| Well-Known SID/RID | S-1-2-1 |
+|Object Class|  Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
+|Default User Rights|None|
+
 ## Creator Group


@ -197,6 +234,18 @@ Membership is controlled by the operating system.
 |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
 |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</br> [Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege</br> [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|

+## Fresh Public Key Identity
+
+
+A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials.
+
+| Attribute | Value |
+|  :--: | :--: | 
+| Well-Known SID/RID | S-1-18-3 |
+|Object Class|  Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
+|Default User Rights|None|
+
 ## Interactive


@ -209,6 +258,30 @@ Any user who is logged on to the local system has the Interactive identity. This
 |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
 |Default User Rights| None|

+## IUSR
+
+
+Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled.
+
+| Attribute | Value |
+|  :--: | :--: | 
+| Well-Known SID/RID | S-1-5-17 |
+|Object Class|  Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
+|Default User Rights|None|
+
+## Key Trust
+
+
+A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object.
+
+| Attribute | Value |
+|  :--: | :--: | 
+| Well-Known SID/RID | S-1-18-4 |
+|Object Class|  Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
+|Default User Rights|None|
+
 ## Local Service


@ -234,6 +307,18 @@ This is a service account that is used by the operating system. The LocalSystem
 |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
 |Default User Rights|None|

+## MFA Key Property
+
+
+A SID that means the key trust object had the multifactor authentication (MFA) property.
+
+| Attribute | Value |
+|  :--: | :--: | 
+| Well-Known SID/RID | S-1-18-5 |
+|Object Class|  Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
+|Default User Rights|None|
+
 ## Network

 This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.
@ -279,6 +364,18 @@ This group implicitly includes all users who are logged on to the system through
 |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
 |Default User Rights| None |

+## Owner Rights
+
+
+A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.
+
+| Attribute | Value |
+|  :--: | :--: | 
+| Well-Known SID/RID | S-1-3-4 |
+|Object Class|  Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
+|Default User Rights|None|
+
 ## Principal Self


@ -291,6 +388,18 @@ This identity is a placeholder in an ACE on a user, group, or computer object in
 |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
 |Default User Rights| None |

+## Proxy
+
+
+Identifies a SECURITY_NT_AUTHORITY Proxy.
+
+| Attribute | Value |
+|  :--: | :--: | 
+| Well-Known SID/RID | S-1-5-8 |
+|Object Class|  Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
+|Default User Rights|None|
+
 ## Remote Interactive Logon


@ -338,6 +447,18 @@ Any service that accesses the system has the Service identity. This identity gro
 |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
 |Default User Rights| [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege<br> [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege<br>|

+## Service Asserted Identity
+
+
+A SID that means the client's identity is asserted by a service.
+
+| Attribute | Value |
+|  :--: | :--: | 
+| Well-Known SID/RID | S-1-18-2 |
+|Object Class|  Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
+|Default User Rights|None|
+
 ## Terminal Server User


--- a/windows/security/identity.md
+++ b/windows/security/identity.md
@ -22,6 +22,6 @@ Malicious actors launch millions of password attacks every day. Weak passwords,
 | Securing user identity with Windows Hello  |  Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) |
 | Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)|
 | FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). |
-| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone.md).  |
+| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone).  |
 | Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).|
-| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).|
+| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).|