From 5a4a37565b21d15a515bb2097713be9cc21db82d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 18 Dec 2021 08:55:53 +0500 Subject: [PATCH 01/10] Update security-identifiers.md --- .../access-control/security-identifiers.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index d9d4084ca6..6abe9b1c87 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -166,7 +166,7 @@ The following table lists the universal well-known SIDs. | S-1-5 | NT Authority | A SID that represents an identifier authority. | | S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.| -The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the last value is used with well-known SIDs in Windows operating systems designated in the **Applies To** list. +The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list. | Identifier Authority | Value | SID String Prefix | | - | - | - | 
@@ -174,6 +174,8 @@ The following table lists the predefined identifier authority constants. The fir | SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 | | SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 | | SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 | +| SECURITY_NT_AUTHORITY | 5 | S-1-5 | +| SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18 | The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID. 
@@ -256,14 +258,6 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID | S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.| | S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.| | S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). | -| S-1-16-0| Untrusted Mandatory Level| A SID that represents an untrusted integrity level.| -| S-1-16-4096 | Low Mandatory Level| A SID that represents a low integrity level.| -| S-1-16-8192 | Medium Mandatory Level| This SID represents a medium integrity level.| -| S-1-16-8448 | Medium Plus Mandatory Level| A SID that represents a medium plus integrity level.| -| S-1-16-12288 | High Mandatory Level| A SID that represents a high integrity level.| -| S-1-16-16384 | System Mandatory Level| A SID that represents a system integrity level.| -| S-1-16-20480 | Protected Process Mandatory Level| A SID that represents a protected-process integrity level.| -| S-1-16-28672 | Secure Process Mandatory Level| A SID that represents a secure process integrity level.| The following RIDs are relative to each domain. From 40e0815dc6355c38b2bc92a6e021f04034f794d5 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 20 Dec 2021 11:26:24 +0500 Subject: [PATCH 02/10] Update special-identities.md --- .../access-control/special-identities.md | 122 +++++++++++++++++- 1 file changed, 121 insertions(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index d4abeec003..c1871a8804 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -19,7 +19,7 @@ ms.reviewer: # Special Identities **Applies to** -- Windows Server 2016 +- Windows Server 2016 or later This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control. @@ -97,6 +97,18 @@ Any user who accesses the system through an anonymous logon has the Anonymous Lo |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights|None| +## Attested Key Property + + +A SID that means the key trust object had the attestation property. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-6 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Authenticated Users @@ -109,6 +121,18 @@ Any user who accesses the system through a sign-in process has the Authenticated |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
[Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| +## Authentication Authority Asserted Identity + + +A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-1 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Batch @@ -121,6 +145,18 @@ Any user or process that accesses the system as a batch job (or through the batc |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| none| +## Console Logon + + +A group that includes users who are logged on to the physical console. This SID can be used to implement security policies that grant different rights based on whether a user has been granted physical access to the console. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-2-1 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Creator Group @@ -197,6 +233,18 @@ Membership is controlled by the operating system. |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
[Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| +## Fresh public key identity + + +A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-3 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Interactive @@ -209,6 +257,30 @@ Any user who is logged on to the local system has the Interactive identity. This |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| None| +## IUSR + + +Internet Information Services (IIS) use this account by default whenever anonymous authentication is enabled. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-17 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + +## Key Trust + + +A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-4 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Local Service 
@@ -234,6 +306,18 @@ This is a service account that is used by the operating system. The LocalSystem |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights|None| +## MFA Key Property + + +A SID that means the key trust object had the multifactor authentication (MFA) property. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-5 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Network This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system. @@ -279,6 +363,18 @@ This group implicitly includes all users who are logged on to the system through |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| None | +## Owner Rights + + +A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-3-4 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Principal Self 
@@ -291,6 +387,18 @@ This identity is a placeholder in an ACE on a user, group, or computer object in |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| None | +## Proxy + + +Identifies a SECURITY_NT_AUTHORITY Proxy. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-8 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Remote Interactive Logon @@ -338,6 +446,18 @@ Any service that accesses the system has the Service identity. This identity gro |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
| +## Service Asserted Identity + + +A SID that means the client's identity is asserted by a service. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-2 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Terminal Server User From 5515a808d5289f184ad27c25718c4da23762cdb7 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 21 Dec 2021 17:32:19 +0530 Subject: [PATCH 03/10] added correct link as per user report #10224 , so i added correct link. --- windows/security/identity.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity.md b/windows/security/identity.md index 7e2e8ca4b9..f94bc0578b 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md 
@@ -22,6 +22,6 @@ Malicious actors launch millions of password attacks every day. Weak passwords, | Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | | Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| | FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). 
| -| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone.md). | +| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-phone). | | Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| -| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. 
Learn more: [Access Control](identity-protection/access-control/access-control.md).| \ No newline at end of file +| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| From c2a8a31b485e450efcc1584a583307cd91997f9f Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 21 Dec 2021 17:49:18 +0530 Subject: [PATCH 04/10] corrected word as per user report #10227 , so i corrected, after verifying with windows 11 build no 22000.376 admx templates --- windows/client-management/mdm/policy-csp-admx-terminalserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 1181f4bd47..12f70d7328 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -78,7 +78,7 @@ Time zone redirection is possible only when connecting to at least a Microsoft W ADMX Info: - GP Friendly name: *Allow time zone redirection* -- GP name: *TS_GATEWAY_POLICY_ENABLE* +- GP name: *TS_TIME_ZONE* - GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* - GP ADMX file name: *TerminalServer.admx* From a1e180db5fdd57f96bde96c5d38b4d280c2919ac Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:02:30 -0800 Subject: [PATCH 05/10] Update policy-csp-admx-terminalserver.md --- windows/client-management/mdm/policy-csp-admx-terminalserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 12f70d7328..77b8035989 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 09/23/2020 +ms.date: 12/21/2021 ms.reviewer: manager: dansimp --- From f499618245f3d3b5adde46515714636d29400627 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:04:57 -0800 Subject: [PATCH 06/10] Update identity.md --- windows/security/identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity.md b/windows/security/identity.md index f94bc0578b..bf6a97473a 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md 
@@ -22,6 +22,6 @@ Malicious actors launch millions of password attacks every day. Weak passwords, | Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | | Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| | FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). 
| -| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-phone). | +| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone). | | Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| | Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| 
From 630d5b52dfbb678ec931007fb8e126f614916d7c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:07:21 -0800 Subject: [PATCH 07/10] Update special-identities.md --- .../identity-protection/access-control/special-identities.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index c1871a8804..242a5fc876 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -2,6 +2,7 @@ title: Special Identities (Windows 10) description: Special Identities ms.prod: m365-security +ms.technology: windows-sec ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 10/12/2021 +ms.date: 12/21/2021 ms.reviewer: --- From 5f95eb58403f04be49522674e6d1026c0a07f6ee Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:07:41 -0800 Subject: [PATCH 08/10] Update windows/security/identity-protection/access-control/special-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/access-control/special-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 242a5fc876..3958382eee 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md 
@@ -234,7 +234,7 @@ Membership is controlled by the operating system. |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
[Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| -## Fresh public key identity +## Fresh Public Key Identity A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials. From e117fe7f5971d92ee74ac04299f403ed5dc9efbe Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:07:49 -0800 Subject: [PATCH 09/10] Update windows/security/identity-protection/access-control/special-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/access-control/special-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 3958382eee..66754be796 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -261,7 +261,7 @@ Any user who is logged on to the local system has the Interactive identity. This ## IUSR -Internet Information Services (IIS) use this account by default whenever anonymous authentication is enabled. +Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled. | Attribute | Value | | :--: | :--: | From 4716bb90fce7f6f7a84d0a412a38f151cd564c92 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:11:01 -0800 Subject: [PATCH 10/10] Update windows/security/identity-protection/access-control/security-identifiers.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/access-control/security-identifiers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index 6abe9b1c87..9a30c84314 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -166,7 +166,7 @@ The following table lists the universal well-known SIDs. | S-1-5 | NT Authority | A SID that represents an identifier authority. | | S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.| -The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list. +The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list. | Identifier Authority | Value | SID String Prefix | | - | - | - |
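Review bot: In PATCH 01/10, the hunk at @@ -256,14 +258,6 @@ of security-identifiers.md deletes all eight S-1-16-* mandatory level rows (S-1-16-0 through S-1-16-28672), and nothing visible in this series adds them back. Taking them out of the SECURITY_NT_AUTHORITY (S-1-5) table is right, since they do not carry that prefix, but integrity level SIDs appear in access tokens and mandatory labels, so readers still need the mapping. Suggest moving the rows into their own table instead of dropping them, and adding the matching authority row (value 16, prefix S-1-16) to the constants table that the @@ -174,6 +174,8 @@ hunk extends with 5 and 18.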
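Review bot: In PATCH 02/10, the Attested Key Property section added at @@ -97,6 +97,18 @@ of special-identities.md says "the key trust object had the attestation property" without saying what a key trust object is, and the same undefined term recurs in the added Key Trust (S-1-18-4) and MFA Key Property (S-1-18-5) sections. Suggest defining the term once, or linking to the page that does, and using present tense ("has the attestation property") so the text describes what the SID asserts rather than a past event.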
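Review bot: In PATCH 02/10, the Proxy section added at @@ -291,6 +387,18 @@ describes S-1-5-8 only as "Identifies a SECURITY_NT_AUTHORITY Proxy.", which restates the name and the authority and gives a reader nothing to base an access decision on. The other sections added in this patch say what holding the SID means for the caller; suggest doing the same here, or stating plainly that the SID is not currently used if that is the case.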
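Review bot: In PATCH 03/10, the Microsoft Authenticator row of identity.md replaces a site-relative link with an absolute https://docs.microsoft.com/... URL, while the other documentation links in the visible rows are relative. The defect in the old link was the trailing .md on a root-relative path, so dropping the suffix and keeping /azure/active-directory/authentication/howto-authentication-passwordless-phone is enough; PATCH 06/10 ends up making exactly that change. The same hunk also joins the split Access Control row and adds the missing end-of-file newline, neither of which the commit subject mentions.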
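Review bot: In PATCH 06/10, the unchanged Windows Hello row in the same table still carries two defects that this link cleanup leaves behind: the sentence runs straight into the link label as "another deviceLearn more:", and the target uses backslashes (identity-protection\hello-for-business\hello-overview.md) where the other relative links in the table use forward slashes. Suggest fixing both in this pass, along with "helps protects" in the Credential Guard row.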
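Review bot: In PATCH 07/10, the front matter of special-identities.md gains ms.technology and a new ms.date, but the title line in the same hunk still reads "Special Identities (Windows 10)" while PATCH 02/10 set the Applies to list to "Windows Server 2016 or later". Suggest aligning the title with the stated scope so the page does not advertise two different platforms.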