From c86d64cfba0e58217536548f8aad433fae19ca77 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 28 Apr 2016 16:15:01 -0700 Subject: [PATCH 01/26] initial migration of Windows Firewall content --- windows/keep-secure/TOC.md | 113 +++ ...ters-to-the-membership-group-for-a-zone.md | 84 ++ ...ters-to-the-membership-group-for-a-zone.md | 79 ++ .../additional-resources-wfasdesign.md | 67 ++ .../additional-resourceswfas-deploy.md | 64 ++ ...e-files-for-settings-used-in-this-guide.md | 98 +++ ...ssign-security-group-filters-to-the-gpo.md | 84 ++ .../basic-firewall-policy-design.md | 74 ++ windows/keep-secure/boundary-zone-gpos.md | 33 + windows/keep-secure/boundary-zone.md | 68 ++ ...e-based-isolation-policy-design-example.md | 56 ++ ...rtificate-based-isolation-policy-design.md | 42 + ...ange-rules-from-request-to-require-mode.md | 68 ++ ...ist-configuring-basic-firewall-settings.md | 59 ++ ...uring-rules-for-an-isolated-server-zone.md | 125 +++ ...rs-in-a-standalone-isolated-server-zone.md | 126 +++ ...configuring-rules-for-the-boundary-zone.md | 73 ++ ...nfiguring-rules-for-the-encryption-zone.md | 75 ++ ...nfiguring-rules-for-the-isolated-domain.md | 107 +++ ...checklist-creating-group-policy-objects.md | 97 +++ ...ecklist-creating-inbound-firewall-rules.md | 69 ++ ...cklist-creating-outbound-firewall-rules.md | 61 ++ ...ts-of-a-standalone-isolated-server-zone.md | 100 +++ ...ementing-a-basic-firewall-policy-design.md | 97 +++ ...rtificate-based-isolation-policy-design.md | 76 ++ ...enting-a-domain-isolation-policy-design.md | 88 +++ ...andalone-server-isolation-policy-design.md | 83 ++ ...-server-2008-and-windows-server-2008-r2.md | 84 ++ ...-server-2008-and-windows-server-2008-r2.md | 66 ++ ...y-to-autoenroll-and-deploy-certificates.md | 42 + ...-server-2008-and-windows-server-2008-r2.md | 79 ++ ...-server-2008-and-windows-server-2008-r2.md | 61 ++ .../configure-the-windows-firewall-log.md | 60 ++ ...entication-certificate-templatewfas-dep.md | 53 ++ ...notifications-when-a-program-is-blocked.md | 58 ++ ...hat-certificates-are-deployed-correctly.md | 56 ++ .../copy-a-gpo-to-create-a-new-gpo.md | 54 ++ ...ate-a-group-account-in-active-directory.md | 47 ++ .../create-a-group-policy-object.md | 51 ++ ...-server-2008-and-windows-server-2008-r2.md | 73 ++ ...-server-2008-and-windows-server-2008-r2.md | 94 +++ ...s-server-2008-or-windows-server-2008-r2.md | 71 ++ ...s-server-2008-or-windows-server-2008-r2.md | 75 ++ ...s-server-2008-or-windows-server-2008-r2.md | 88 +++ ...s-server-2008-or-windows-server-2008-r2.md | 64 ++ ...s-server-2008-or-windows-server-2008-r2.md | 68 ++ ...s-server-2008-or-windows-server-2008-r2.md | 108 +++ .../create-wmi-filters-for-the-gpo.md | 105 +++ ...irewall-with-advanced-security-strategy.md | 60 ++ ...ing-the-trusted-state-of-your-computers.md | 184 +++++ windows/keep-secure/documenting-the-zones.md | 85 ++ .../domain-isolation-policy-design-example.md | 65 ++ .../domain-isolation-policy-design.md | 69 ++ ...s-server-2008-or-windows-server-2008-r2.md | 47 ++ ...s-server-2008-or-windows-server-2008-r2.md | 47 ++ windows/keep-secure/encryption-zone-gpos.md | 24 + windows/keep-secure/encryption-zone.md | 67 ++ ...-with-advanced-security-design-examples.md | 28 + ...-server-2008-and-windows-server-2008-r2.md | 39 + windows/keep-secure/exemption-list.md | 54 ++ windows/keep-secure/firewall-gpos.md | 24 + .../firewall-policy-design-example.md | 108 +++ ...-about-your-active-directory-deployment.md | 34 + ...hering-information-about-your-computers.md | 58 ++ ...out-your-current-network-infrastructure.md | 128 +++ .../gathering-other-relevant-information.md | 91 +++ .../gathering-the-information-you-need.md | 30 + .../keep-secure/gpo-domiso-boundary-ws2008.md | 46 ++ .../gpo-domiso-encryption-ws2008.md | 50 ++ windows/keep-secure/gpo-domiso-firewall.md | 71 ++ .../gpo-domiso-isolateddomain-clients.md | 181 +++++ .../gpo-domiso-isolateddomain-servers.md | 31 + ...with-advanced-security-deployment-goals.md | 64 ++ .../15dd35b6-6cc6-421f-93f8-7109920e7144.gif | Bin 0 -> 345 bytes .../2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif | Bin 0 -> 519 bytes .../bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif | Bin 0 -> 615 bytes windows/keep-secure/images/corpnet.gif | Bin 0 -> 7184 bytes .../keep-secure/images/createipsecrule.gif | Bin 0 -> 7017 bytes .../faa393df-4856-4431-9eda-4f4e5be72a90.gif | Bin 0 -> 595 bytes .../images/powershelllogosmall.gif | Bin 0 -> 1415 bytes windows/keep-secure/images/qmcryptoset.gif | Bin 0 -> 6297 bytes .../images/wfas-design2example1.gif | Bin 0 -> 29827 bytes .../images/wfas-design3example1.gif | Bin 0 -> 22393 bytes .../images/wfas-designexample1.gif | Bin 0 -> 30091 bytes .../images/wfas-designflowchart1.gif | Bin 0 -> 17357 bytes windows/keep-secure/images/wfas-domainiso.gif | Bin 0 -> 18347 bytes .../images/wfas-domainisoencrypt.gif | Bin 0 -> 21039 bytes .../images/wfas-domainisohighsec.gif | Bin 0 -> 21301 bytes windows/keep-secure/images/wfas-domainnag.gif | Bin 0 -> 17902 bytes .../keep-secure/images/wfas-icon-checkbox.gif | Bin 0 -> 70 bytes windows/keep-secure/images/wfas-implement.gif | Bin 0 -> 37159 bytes .../images/wfasdomainisoboundary.gif | Bin 0 -> 30054 bytes ...wall-with-advanced-security-design-plan.md | 49 ++ ...l-active-directory-certificate-services.md | 77 ++ windows/keep-secure/isolated-domain-gpos.md | 28 + windows/keep-secure/isolated-domain.md | 67 ++ ...ting-windows-store-apps-on-your-network.md | 343 ++++++++ .../keep-secure/link-the-gpo-to-the-domain.md | 40 + ...-firewall-with-advanced-security-design.md | 82 ++ ...-a-different-zone-or-version-of-windows.md | 91 +++ ...agement-console-to-ip-security-policies.md | 28 + ...windows-firewall-with-advanced-security.md | 28 + ...-management-console-to-windows-firewall.md | 28 + ...windows-firewall-with-advanced-security.md | 55 ++ ...anning-certificate-based-authentication.md | 58 ++ .../planning-domain-isolation-zones.md | 32 + .../keep-secure/planning-gpo-deployment.md | 134 ++++ ...icy-deployment-for-your-isolation-zones.md | 30 + ...planning-isolation-groups-for-the-zones.md | 79 ++ .../planning-network-access-groups.md | 68 ++ .../planning-server-isolation-zones.md | 88 +++ ...ng-settings-for-a-basic-firewall-policy.md | 58 ++ windows/keep-secure/planning-the-gpos.md | 64 ++ ...windows-firewall-with-advanced-security.md | 51 ++ ...-firewall-with-advanced-security-design.md | 96 +++ .../procedures-used-in-this-guide.md | 98 +++ ...computers-from-unwanted-network-traffic.md | 44 ++ ...n-accessing-sensitive-network-resources.md | 42 + ...ss-to-only-specified-users-or-computers.md | 46 ++ ...strict-access-to-only-trusted-computers.md | 59 ++ ...erver-access-to-members-of-a-group-only.md | 58 ++ ...s-by-using-ikev2-in-windows-server-2012.md | 203 +++++ windows/keep-secure/server-isolation-gpos.md | 36 + .../server-isolation-policy-design-example.md | 87 +++ .../server-isolation-policy-design.md | 59 ++ ...rt-a-command-prompt-as-an-administrator.md | 34 + ...firewall-and-configure-default-behavior.md | 48 ++ ...l-with-advanced-security-design-process.md | 34 + ...y-that-network-traffic-is-authenticated.md | 77 ++ ...-administration-with-windows-powershell.md | 734 ++++++++++++++++++ ...with-advanced-security-deployment-guide.md | 76 ++ ...all-with-advanced-security-design-guide.md | 144 ++++ ...windows-firewall-with-advanced-security.md | 147 ++++ 133 files changed, 9008 insertions(+) create mode 100644 windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md create mode 100644 windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md create mode 100644 windows/keep-secure/additional-resources-wfasdesign.md create mode 100644 windows/keep-secure/additional-resourceswfas-deploy.md create mode 100644 windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md create mode 100644 windows/keep-secure/assign-security-group-filters-to-the-gpo.md create mode 100644 windows/keep-secure/basic-firewall-policy-design.md create mode 100644 windows/keep-secure/boundary-zone-gpos.md create mode 100644 windows/keep-secure/boundary-zone.md create mode 100644 windows/keep-secure/certificate-based-isolation-policy-design-example.md create mode 100644 windows/keep-secure/certificate-based-isolation-policy-design.md create mode 100644 windows/keep-secure/change-rules-from-request-to-require-mode.md create mode 100644 windows/keep-secure/checklist-configuring-basic-firewall-settings.md create mode 100644 windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md create mode 100644 windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md create mode 100644 windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md create mode 100644 windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md create mode 100644 windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md create mode 100644 windows/keep-secure/checklist-creating-group-policy-objects.md create mode 100644 windows/keep-secure/checklist-creating-inbound-firewall-rules.md create mode 100644 windows/keep-secure/checklist-creating-outbound-firewall-rules.md create mode 100644 windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md create mode 100644 windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md create mode 100644 windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md create mode 100644 windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md create mode 100644 windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md create mode 100644 windows/keep-secure/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md create mode 100644 windows/keep-secure/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md create mode 100644 windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md create mode 100644 windows/keep-secure/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md create mode 100644 windows/keep-secure/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md create mode 100644 windows/keep-secure/configure-the-windows-firewall-log.md create mode 100644 windows/keep-secure/configure-the-workstation-authentication-certificate-templatewfas-dep.md create mode 100644 windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md create mode 100644 windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md create mode 100644 windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md create mode 100644 windows/keep-secure/create-a-group-account-in-active-directory.md create mode 100644 windows/keep-secure/create-a-group-policy-object.md create mode 100644 windows/keep-secure/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md create mode 100644 windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md create mode 100644 windows/keep-secure/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md create mode 100644 windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md create mode 100644 windows/keep-secure/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md create mode 100644 windows/keep-secure/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md create mode 100644 windows/keep-secure/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md create mode 100644 windows/keep-secure/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md create mode 100644 windows/keep-secure/create-wmi-filters-for-the-gpo.md create mode 100644 windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md create mode 100644 windows/keep-secure/determining-the-trusted-state-of-your-computers.md create mode 100644 windows/keep-secure/documenting-the-zones.md create mode 100644 windows/keep-secure/domain-isolation-policy-design-example.md create mode 100644 windows/keep-secure/domain-isolation-policy-design.md create mode 100644 windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md create mode 100644 windows/keep-secure/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md create mode 100644 windows/keep-secure/encryption-zone-gpos.md create mode 100644 windows/keep-secure/encryption-zone.md create mode 100644 windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md create mode 100644 windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md create mode 100644 windows/keep-secure/exemption-list.md create mode 100644 windows/keep-secure/firewall-gpos.md create mode 100644 windows/keep-secure/firewall-policy-design-example.md create mode 100644 windows/keep-secure/gathering-information-about-your-active-directory-deployment.md create mode 100644 windows/keep-secure/gathering-information-about-your-computers.md create mode 100644 windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md create mode 100644 windows/keep-secure/gathering-other-relevant-information.md create mode 100644 windows/keep-secure/gathering-the-information-you-need.md create mode 100644 windows/keep-secure/gpo-domiso-boundary-ws2008.md create mode 100644 windows/keep-secure/gpo-domiso-encryption-ws2008.md create mode 100644 windows/keep-secure/gpo-domiso-firewall.md create mode 100644 windows/keep-secure/gpo-domiso-isolateddomain-clients.md create mode 100644 windows/keep-secure/gpo-domiso-isolateddomain-servers.md create mode 100644 windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md create mode 100644 windows/keep-secure/images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif create mode 100644 windows/keep-secure/images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif create mode 100644 windows/keep-secure/images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif create mode 100644 windows/keep-secure/images/corpnet.gif create mode 100644 windows/keep-secure/images/createipsecrule.gif create mode 100644 windows/keep-secure/images/faa393df-4856-4431-9eda-4f4e5be72a90.gif create mode 100644 windows/keep-secure/images/powershelllogosmall.gif create mode 100644 windows/keep-secure/images/qmcryptoset.gif create mode 100644 windows/keep-secure/images/wfas-design2example1.gif create mode 100644 windows/keep-secure/images/wfas-design3example1.gif create mode 100644 windows/keep-secure/images/wfas-designexample1.gif create mode 100644 windows/keep-secure/images/wfas-designflowchart1.gif create mode 100644 windows/keep-secure/images/wfas-domainiso.gif create mode 100644 windows/keep-secure/images/wfas-domainisoencrypt.gif create mode 100644 windows/keep-secure/images/wfas-domainisohighsec.gif create mode 100644 windows/keep-secure/images/wfas-domainnag.gif create mode 100644 windows/keep-secure/images/wfas-icon-checkbox.gif create mode 100644 windows/keep-secure/images/wfas-implement.gif create mode 100644 windows/keep-secure/images/wfasdomainisoboundary.gif create mode 100644 windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md create mode 100644 windows/keep-secure/install-active-directory-certificate-services.md create mode 100644 windows/keep-secure/isolated-domain-gpos.md create mode 100644 windows/keep-secure/isolated-domain.md create mode 100644 windows/keep-secure/isolating-windows-store-apps-on-your-network.md create mode 100644 windows/keep-secure/link-the-gpo-to-the-domain.md create mode 100644 windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md create mode 100644 windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md create mode 100644 windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md create mode 100644 windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md create mode 100644 windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md create mode 100644 windows/keep-secure/open-windows-firewall-with-advanced-security.md create mode 100644 windows/keep-secure/planning-certificate-based-authentication.md create mode 100644 windows/keep-secure/planning-domain-isolation-zones.md create mode 100644 windows/keep-secure/planning-gpo-deployment.md create mode 100644 windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md create mode 100644 windows/keep-secure/planning-isolation-groups-for-the-zones.md create mode 100644 windows/keep-secure/planning-network-access-groups.md create mode 100644 windows/keep-secure/planning-server-isolation-zones.md create mode 100644 windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md create mode 100644 windows/keep-secure/planning-the-gpos.md create mode 100644 windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md create mode 100644 windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md create mode 100644 windows/keep-secure/procedures-used-in-this-guide.md create mode 100644 windows/keep-secure/protect-computers-from-unwanted-network-traffic.md create mode 100644 windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md create mode 100644 windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md create mode 100644 windows/keep-secure/restrict-access-to-only-trusted-computers.md create mode 100644 windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md create mode 100644 windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md create mode 100644 windows/keep-secure/server-isolation-gpos.md create mode 100644 windows/keep-secure/server-isolation-policy-design-example.md create mode 100644 windows/keep-secure/server-isolation-policy-design.md create mode 100644 windows/keep-secure/start-a-command-prompt-as-an-administrator.md create mode 100644 windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md create mode 100644 windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md create mode 100644 windows/keep-secure/verify-that-network-traffic-is-authenticated.md create mode 100644 windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md create mode 100644 windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md create mode 100644 windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md create mode 100644 windows/keep-secure/windows-firewall-with-advanced-security.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 05507c1d74..09e5265e8a 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -405,6 +405,119 @@ #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) +### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) +#### [Isolating Windows Store Apps on Your Network](isolating-windows-store-apps-on-your-network.md) +#### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md) +#### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) +#### [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) +##### [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) +##### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +###### [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md) +###### [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md) +###### [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md) +###### [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md) +##### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) +###### [Basic Firewall Policy Design](basic-firewall-policy-design.md) +###### [Domain Isolation Policy Design](domain-isolation-policy-design.md) +###### [Server Isolation Policy Design](server-isolation-policy-design.md) +###### [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) +##### [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) +###### [Firewall Policy Design Example](firewall-policy-design-example.md) +###### [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) +###### [Server Isolation Policy Design Example](server-isolation-policy-design-example.md) +###### [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) +##### [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) +###### [Gathering the Information You Need](gathering-the-information-you-need.md) +####### [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md) +####### [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) +####### [Gathering Information about Your Computers](gathering-information-about-your-computers.md) +####### [Gathering Other Relevant Information](gathering-other-relevant-information.md) +###### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-computers.md) +##### [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) +###### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) +###### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) +####### [Exemption List](exemption-list.md) +####### [Isolated Domain](isolated-domain.md) +####### [Boundary Zone](boundary-zone.md) +####### [Encryption Zone](encryption-zone.md) +###### [Planning Server Isolation Zones](planning-server-isolation-zones.md) +###### [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) +###### [Documenting the Zones](documenting-the-zones.md) +###### [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) +####### [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) +####### [Planning Network Access Groups](planning-network-access-groups.md) +####### [Planning the GPOs](planning-the-gpos.md) +######## [Firewall GPOs](firewall-gpos.md) +######### [GPO_DOMISO_Firewall](gpo-domiso-firewall.md) +######## [Isolated Domain GPOs](isolated-domain-gpos.md) +######### [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md) +######### [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md) +######## [Boundary Zone GPOs](boundary-zone-gpos.md) +######### [GPO_DOMISO_Boundary_WS2008](gpo-domiso-boundary-ws2008.md) +######## [Encryption Zone GPOs](encryption-zone-gpos.md) +######### [GPO_DOMISO_Encryption_WS2008](gpo-domiso-encryption-ws2008.md) +######## [Server Isolation GPOs](server-isolation-gpos.md) +####### [Planning GPO Deployment](planning-gpo-deployment.md) +##### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) +##### [Additional Resources [WFASDesign]](additional-resources-wfasdesign.md) +#### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) +##### [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md) +##### [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) +##### [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) +##### [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) +###### [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md) +###### [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md) +###### [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md) +##### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) +###### [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md) +###### [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md) +###### [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md) +###### [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md) +##### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md) +###### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md) +###### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md) +##### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) +##### [Procedures Used in This Guide](procedures-used-in-this-guide.md) +###### [Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md) +###### [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md) +###### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) +###### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) +###### [Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +###### [Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +###### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) +###### [Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +###### [Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +###### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) +###### [Configure the Workstation Authentication Certificate Template[wfas_dep]](configure-the-workstation-authentication-certificate-templatewfas-dep.md) +###### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) +###### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) +###### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) +###### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) +###### [Create a Group Policy Object](create-a-group-policy-object.md) +###### [Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +###### [Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +###### [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +###### [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +###### [Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +###### [Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +###### [Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +###### [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +###### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) +###### [Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +###### [Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +###### [Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +###### [Install Active Directory Certificate Services](install-active-directory-certificate-services.md) +###### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) +###### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) +###### [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) +###### [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md) +###### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) +###### [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) +###### [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md) +###### [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md) +###### [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) +###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) +##### [Additional Resources[wfas_deploy]](additional-resourceswfas-deploy.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) ### [Device Guard deployment guide](device-guard-deployment-guide.md) diff --git a/windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md new file mode 100644 index 0000000000..cad68e2a55 --- /dev/null +++ b/windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md @@ -0,0 +1,84 @@ +--- +title: Add Production Computers to the Membership Group for a Zone (Windows 10) +description: Add Production Computers to the Membership Group for a Zone +ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23 +author: brianlic-msft +--- + +# Add Production Computers to the Membership Group for a Zone + + +After you test the GPOs for your design on a small set of computers, you can deploy them to the production computers. + +**Caution**   +For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your computers are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode. + +  + +The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new computers that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude computers that must not receive the GPOs. Use computer groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Computers that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](../p_server_archive/assign-security-group-filters-to-the-gpo.md). + +Without such a group (or groups), you must either add computers individually or use the groups containing computer accounts that are available to you. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO. + +In this topic: + +- [Add the group Domain Computers to the GPO membership group](#bkmk-toadddomaincomputerstothegpomembershipgroup) + +- [Refresh Group Policy on the computers in the membership group](#bkmk-torefreshgrouppolicyonacomputer) + +- [Check which GPOs apply to a computer](#bkmk-toseewhatgposareappliedtoacomputer) + +## + + +**To add domain computers to the GPO membership group** + +1. On a computer that has the Active Directory management tools installed, click the **Start** charm, then click the **Active Directory Users and Computers** tile. + +2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group. + +3. In the details pane, double-click the GPO membership group to which you want to add computers. + +4. Select the **Members** tab, and then click **Add**. + +5. Type **Domain Computers** in the text box, and then click **OK**. + +6. Click **OK** to close the group properties dialog box. + +After a computer is a member of the group, you can force a Group Policy refresh on the computer. + +## + + +**To refresh Group Policy on a computer** + +- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command: + + ``` syntax + gpupdate /target:computer /force + ``` + +After Group Policy is refreshed, you can see which GPOs are currently applied to the computer. + +## + + +**To see which GPOs are applied to a computer** + +- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command: + + ``` syntax + gpresult /r /scope:computer + ``` + +  + +  + + + + + diff --git a/windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md new file mode 100644 index 0000000000..f297cfd705 --- /dev/null +++ b/windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md @@ -0,0 +1,79 @@ +--- +title: Add Test Computers to the Membership Group for a Zone (Windows 10) +description: Add Test Computers to the Membership Group for a Zone +ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 +author: brianlic-msft +--- + +# Add Test Computers to the Membership Group for a Zone + + +Before you deploy your rules to large numbers of computers, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between computers. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of computers only to be sure that the correct GPOs are being processed by each computer. + +Add at least one computer of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a computer among the test group. After Group Policy has been refreshed on each test computer, check the output of the **gpresult** command to confirm that each computer is receiving only the GPOs it is supposed to receive. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO. + +In this topic: + +- [Add the test computers to the GPO membership groups](#bkmk-toadddomaincomputerstothegpomembershipgroup) + +- [Refresh Group Policy on the computers in each membership group](#bkmk-torefreshgrouppolicyonacomputer) + +- [Check which GPOs apply to a computer](#bkmk-toseewhatgposareappliedtoacomputer) + +## + + +**To add test computers to the GPO membership groups** + +1. On a computer that has the Active Directory management tools installed, click the **Start** charm, then click the **Active Directory Users and Computers** tile. + +2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account. + +3. In the details pane, double-click the GPO membership group to which you want to add computers. + +4. Select the **Members** tab, and then click **Add**. + +5. Type the name of the computer in the text box, and then click **OK**. + +6. Repeat steps 5 and 6 for each additional computer account or group that you want to add. + +7. Click **OK** to close the group properties dialog box. + +After a computer is a member of the group, you can force a Group Policy refresh on the computer. + +## + + +**To refresh Group Policy on a computer** + +- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command: + + ``` syntax + gpupdate /target:computer /force + ``` + +After Group Policy is refreshed, you can see which GPOs are currently applied to the computer. + +## + + +**To see which GPOs are applied to a computer** + +- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command: + + ``` syntax + gpresult /r /scope:computer + ``` + +  + +  + + + + + diff --git a/windows/keep-secure/additional-resources-wfasdesign.md b/windows/keep-secure/additional-resources-wfasdesign.md new file mode 100644 index 0000000000..1e524c920a --- /dev/null +++ b/windows/keep-secure/additional-resources-wfasdesign.md @@ -0,0 +1,67 @@ +--- +title: Additional Resources (Windows 10) +description: Additional Resources +ms.assetid: 74897052-508d-49b9-911c-5902a1fb0d26 +author: brianlic-msft +--- + +# Additional Resources + + +For more information about the technologies discussed in this guide, see topics referenced in the following sections. + +## Windows Firewall with Advanced Security + + +- [Windows Firewall with Advanced Security Overview](http://technet.microsoft.com/library/hh831365) (http://technet.microsoft.com/library/hh831365) + + This TechNet page contains links to a variety of documents available for Windows Firewall with Advanced Security. + +## IPsec + + +- [IPsec](http://technet.microsoft.com/network/bb531150.aspx) (http://technet.microsoft.com/network/bb531150.aspx) + + This TechNet page contains links to a variety of documents currently available for Internet Protocol security (IPsec) for Windows available as connection security rules. + +## Server and Domain Isolation + + +- [Server and Domain Isolation](http://technet.microsoft.com/network/bb545651.aspx) (http://technet.microsoft.com/network/bb545651.aspx) + + This TechNet page contains links to documentation about the most common uses for IPsec: server isolation and domain isolation. + +## Group Policy + + +Group Policy is a key method for implementing firewall and server and domain isolation designs. + +For more information about Group Policy and related technologies, see: + +- **Group Policy**[Group Policy Overview](http://technet.microsoft.com/library/hh831791) (http://technet.microsoft.com/library/hh831791) + + This page contains links to the documents currently available for Group Policy. + +- [WMI Filtering Using GPMC](http://technet.microsoft.com/library/6237b9b2-4a21-425e-8976-2065d28b3147) (http://technet.microsoft.com/library/6237b9b2-4a21-425e-8976-2065d28b3147) + +- [HOWTO: Leverage Group Policies with WMI Filters](http://support.microsoft.com/kb/555253) (http://support.microsoft.com/kb/555253) + + This article describes how to create a WMI filter to set the scope of a GPO based on computer attributes, such as operating system. + +## Active Directory Domain Services + + +Organizations can use AD DS to manage users and resources, such as computers, printers, or applications, on a network. Server isolation and domain isolation also require AD DS to use the Kerberos V5 protocol for IPsec authentication. + +For more information about AD DS and related technologies, see: + +- [Active Directory Domain Services Overview](http://technet.microsoft.com/library/hh831484) (http://technet.microsoft.com/library/hh831484) + +  + +  + + + + + diff --git a/windows/keep-secure/additional-resourceswfas-deploy.md b/windows/keep-secure/additional-resourceswfas-deploy.md new file mode 100644 index 0000000000..3a4efaa457 --- /dev/null +++ b/windows/keep-secure/additional-resourceswfas-deploy.md @@ -0,0 +1,64 @@ +--- +title: Additional Resources (Windows 10) +description: Additional Resources +ms.assetid: 09bdec5d-8a3f-448c-bc48-d4cb41f9c6e8 +author: brianlic-msft +--- + +# Additional Resources + + +For more information about the technologies discussed in this guide, see topics referenced in the following sections. + +## Windows Firewall with Advanced Security + + +- [Windows Firewall with Advanced Security Overview](http://technet.microsoft.com/library/hh831365.aspx) (http://technet.microsoft.com/library/hh831365.aspx) + + This TechNet page contains links to a variety of documents available for Windows Firewall with Advanced Security in Windows Server 2012. + +- [Troubleshooting Windows Firewall with Advanced Security in Windows Server 2012](http://social.technet.microsoft.com/wiki/contents/articles/13894.troubleshooting-windows-firewall-with-advanced-security-in-windows-server-2012.aspx#z6d72b831d4c24158874a04e9e9d37c43) + + This wiki article describes how Windows Firewall with Advanced Security works, what the common troubleshooting situations are, and which tools you can use for troubleshooting. The community is encouraged to add their troubleshooting and experiences to this article. + +## IPsec + + +- [IPsec](http://www.microsoft.com/ipsec) (http://www.microsoft.com/ipsec) + + This TechNet page contains links to a variety of documents currently available for Internet Protocol security (IPsec) in Windows. + +## Group Policy + + +Group Policy is a key method for implementing firewall and server and domain isolation designs. + +For more information about Group Policy and related technologies, see: + +- [Group Policy Overview](http://technet.microsoft.com/library/hh831791.aspx) (http://technet.microsoft.com/library/hh831791.aspx) + + This page contains links to the documents currently available for Group Policy. + +- [WMI Filtering Using GPMC](http://go.microsoft.com/fwlink/?linkid=93188) (http://go.microsoft.com/fwlink/?linkid=93188) + +- [HOWTO: Leverage Group Policies with WMI Filters](http://go.microsoft.com/fwlink/?linkid=93760) (http://go.microsoft.com/fwlink/?linkid=93760) + + This article describes how to create a WMI filter to set the scope of a GPO based on computer attributes, such as operating system. + +## Active Directory Domain Services + + +In Windows 8 and Windows Server 2012, organizations can use AD DS to manage users and resources, such as computers, printers, or applications, on a network. Server isolation and domain isolation also require AD DS to use the Kerberos V5 protocol for IPsec authentication. + +For more information about AD DS and related technologies, see: + +- [Active Directory Domain Services Overview](http://technet.microsoft.com/library/hh831484.aspx) (http://technet.microsoft.com/library/hh831484.aspx) + +  + +  + + + + + diff --git a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md new file mode 100644 index 0000000000..078ccc621c --- /dev/null +++ b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -0,0 +1,98 @@ +--- +title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10) +description: Appendix A Sample GPO Template Files for Settings Used in this Guide +ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38 +author: brianlic-msft +--- + +# Appendix A: Sample GPO Template Files for Settings Used in this Guide + + +You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). Creating registry setting preferences as described here was first implemented in Windows Server 2008 and Windows Vista with Service Pack 1 (SP1). + +To manually create the file, build the settings under **Computer Configuration**, **Preferences**, **Windows Settings**, **Registry**. After you have created the settings, drag the container to the desktop. An .xml file is created there. + +To import an .xml file to GPMC, drag it and drop it on the **Registry** node under **Computer Configuration**, **Preferences**, **Windows Settings**. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide. + +The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply. + +**Note**   +The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization. + +  + +``` syntax + + + + + + + + + + + + + + + + + +``` + +  + +  + + + + + diff --git a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md new file mode 100644 index 0000000000..642d680da8 --- /dev/null +++ b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md @@ -0,0 +1,84 @@ +--- +title: Assign Security Group Filters to the GPO (Windows 10) +description: Assign Security Group Filters to the GPO +ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8 +author: brianlic-msft +--- + +# Assign Security Group Filters to the GPO + + +To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. + +**Important**   +This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones. + +  + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs. + +In this topic: + +- [Allow members of a group to apply a GPO](#bkmk-toallowamembersofagrouptoapplyagpo) + +- [Prevent members of a group from applying a GPO](#bkmk-topreventmembersofgroupfromapplyingagpo) + +## + + +Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO. + +**To allow members of a group to apply a GPO** + +1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**. + + **Note**   + You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. + +   + +4. Click **Add**. + +5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. + +## + + +Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain. + +**To prevent members of group from applying a GPO** + +1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. In the details pane, click the **Delegation** tab. + +4. Click **Advanced**. + +5. Under the **Group or user names** list, click **Add**. + +6. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. + +7. Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy**. + +8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**. + +9. The group appears in the list with **Custom** permissions. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/basic-firewall-policy-design.md b/windows/keep-secure/basic-firewall-policy-design.md new file mode 100644 index 0000000000..0c1698eb75 --- /dev/null +++ b/windows/keep-secure/basic-firewall-policy-design.md @@ -0,0 +1,74 @@ +--- +title: Basic Firewall Policy Design (Windows 10) +description: Basic Firewall Policy Design +ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 +author: brianlic-msft +--- + +# Basic Firewall Policy Design + + +Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each computer in the organization. + +The Basic Firewall Policy Design helps you to protect the computers in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each computer in your organization to allow traffic that is required by the programs that are used. Traffic that does not match the rules is dropped. + +Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the computer that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted. + +Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy: + +- On client computers, the default firewall behavior already supports typical client programs. Programs designed for Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another computer. + +- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you. + + For example, when you install a server role in Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008, the appropriate firewall rules are created and enabled automatically. + +- For other standard network behavior, the predefined rules that are built into Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can easily be configured in a GPO and deployed to the computers in your organization. + + For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. + +With few exceptions, the firewall can be enabled on all configurations of Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista. Therefore, we recommended that you enable the firewall on every computer in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network. + +**Caution**   +**Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft**. + +By default, in new installations, Windows Firewall is turned on in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista. + +If you turn off the Windows Firewall with Advanced Security service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. For more information about Windows Service Hardening, see . + +Third-party firewall software that is compatible with Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft. + +  + +An organization typically uses this design as a first step toward a more comprehensive Windows Firewall with Advanced Security design that adds server isolation and domain isolation. + +After implementing this design, your administrative team will have centralized management of the firewall rules applied to all computers that are running Windows in your organization. + +**Important**   +If you also intend to deploy the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md), or the [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design. + +  + +The basic firewall design can be applied to computers that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules. + +For more information about this design: + +- This design coincides with the deployment goal to [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md). + +- To learn more about this design, see [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md). + +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md). + +- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md). + +- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see "Checklist: Implementing a Basic Firewall Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=98308) at http://go.microsoft.com/fwlink/?linkid=98308. + +**Next: **[Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) + +  + +  + + + + + diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/keep-secure/boundary-zone-gpos.md new file mode 100644 index 0000000000..b987d99a53 --- /dev/null +++ b/windows/keep-secure/boundary-zone-gpos.md @@ -0,0 +1,33 @@ +--- +title: Boundary Zone GPOs (Windows 10) +description: Boundary Zone GPOs +ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e +author: brianlic-msft +--- + +# Boundary Zone GPOs + + +All the computers in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. + +**Note**   +If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any computers that are incorrectly assigned to more than one group. + +  + +This means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone. + +The boundary zone GPOs discussed in this guide are only for server versions of Windows because client computers are not expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows. + +In the Woodgrove Bank example, only the GPO settings for a Web service on Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 are discussed. + +- [GPO\_DOMISO\_Boundary\_WS2008](../p_server_archive/gpo-domiso-boundary-ws2008.md) + +  + +  + + + + + diff --git a/windows/keep-secure/boundary-zone.md b/windows/keep-secure/boundary-zone.md new file mode 100644 index 0000000000..4aa10f7795 --- /dev/null +++ b/windows/keep-secure/boundary-zone.md @@ -0,0 +1,68 @@ +--- +title: Boundary Zone (Windows 10) +description: Boundary Zone +ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20 +author: brianlic-msft +--- + +# Boundary Zone + + +In most organizations, some computers must be able to receive network traffic from computers that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted computers, create a boundary zone within your isolated domain. + +Computers in the boundary zone are trusted computers that can accept communication requests both from other isolated domain member computers and from untrusted computers. Boundary zone computers try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating computer. + +The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it. + +Because these boundary zone computers can receive unsolicited inbound communications from untrusted computers that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a computer to the boundary zone. For example, completing a formal business justification process before adding each computer to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision. + +![design flowchart](images/wfas-designflowchart1.gif) + +The goal of this process is to determine whether the risk of adding a computer to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied. + +You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain. + +Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) section. + +## GPO settings for boundary zone servers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 + + +The boundary zone GPO for computers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 should include the following: + +- IPsec default settings that specify the following options: + + 1. Exempt all ICMP traffic from IPsec. + + 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. + + 3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.. + + If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. + + 4. Authentication methods. Include at least computer-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method. + +- The following connection security rules: + + - A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + + - A connection security rule, from **Any IP address** to **Any IP address**, that requests inbound and outbound authentication. + +- A registry policy that includes the following values: + + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + + **Note**   + For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) + +   + +**Next: **[Encryption Zone](../p_server_archive/encryption-zone.md) + +  + +  + + + + + diff --git a/windows/keep-secure/certificate-based-isolation-policy-design-example.md b/windows/keep-secure/certificate-based-isolation-policy-design-example.md new file mode 100644 index 0000000000..765f3010c9 --- /dev/null +++ b/windows/keep-secure/certificate-based-isolation-policy-design-example.md @@ -0,0 +1,56 @@ +--- +title: Certificate-based Isolation Policy Design Example (Windows 10) +description: Certificate-based Isolation Policy Design Example +ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3 +author: brianlic-msft +--- + +# Certificate-based Isolation Policy Design Example + + +This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md), [Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](../p_server_archive/server-isolation-policy-design-example.md). + +One of the servers that must be included in the domain isolation environment is a computer running UNIX that supplies other information to the WGBank dashboard program running on the client computers. This computer sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the computers that receive this information. + +## Design requirements + + +One possible solution to this is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows computer even though it cannot authenticate. + +A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows computer in the domain isolation design. Because it cannot join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically-protected documents, encrypted in such a way that their origin can be positively confirmed. + +In this case, Woodgrove Bank used Microsoft Certificate Services, included with Windows Server 2008, to create the appropriate certificate. They might also have acquired and installed a certificate from a third-party commercial certification authority. They then used Group Policy to deploy the certificate to the front-end servers. The GPOs applied to the front-end servers also include updated connection security rules that permit certificate-based authentication in addition to Kerberos V5 authentication. They then manually installed the certificate on the UNIX server. + +The UNIX server is configured with firewall and IPsec connection security rules using the tools that are provided by the operating system vendor. Those rules specify that authentication is performed by using the certificate. + +The creation of the IPsec connection security rules for a non-Windows computer is beyond the scope of this document, but support for a certificate that can be used to authenticate such a non-Windows computer by using the standard IPsec protocols is the subject of this design. + +The non-Windows computer can be effectively made a member of the boundary zone or the encryption zone based on the IPsec rules applied to the computer. The only constraint is that the main mode and quick mode encryption algorithms supported by the UNIX computer must also be supported by the Windows-based computers with which it communicates. + +**Other traffic notes:** + +- None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows computer. + +## Design details + + +Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the computers in their organization. + +The inclusion of one or more non-Windows computers to the network requires only a simple addition to the GPOs for computers that must communicate with the non-Windows computer. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. This does not require including new rules, just adding certificate-based authentication as an option to the existing rules. + +When multiple authentication methods are available, two negotiating computers agree on the first one in their lists that match. Because the majority of the computers in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type. + +By using the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the computer accounts to this group for Windows computers that need to communicate with the non-Windows computers. If all the computers in the isolated domain need to be able to access the non-Windows computers, then the **Domain Computers** group can be added to the group as a member. + +Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local computer. + +**Next: **[Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/certificate-based-isolation-policy-design.md b/windows/keep-secure/certificate-based-isolation-policy-design.md new file mode 100644 index 0000000000..a59802bd5c --- /dev/null +++ b/windows/keep-secure/certificate-based-isolation-policy-design.md @@ -0,0 +1,42 @@ +--- +title: Certificate-based Isolation Policy Design (Windows 10) +description: Certificate-based Isolation Policy Design +ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 +author: brianlic-msft +--- + +# Certificate-based Isolation Policy Design + + +In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) and [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. + +Domain isolation and server isolation help provide security for the computers on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some computers that must run another operating system, such as Linux or UNIX. These computers cannot join an Active Directory domain, without a third-party package being installed. Also, some computers that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the computer needs to be joined to the Active Directory and (for non-windows computers) support Kerberos as an authentication protocol. + +To authenticate with non-domain member computers, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to computers that do not run the Windows operating system. + +The same principles of the domain and server isolation designs apply to this design. Only computers that can authenticate (in this case, by providing a specified certificate) can communicate with the computers in your isolated domain. + +For computers that run Windows and that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the computers that are trusted but are not part of the Active Directory domain. For other computers, you will have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner. + +For more information about this design: + +- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md). + +- To learn more about this design, see [Certificate-based Isolation Policy Design Example](../p_server_archive/certificate-based-isolation-policy-design-example.md). + +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md). + +- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](../p_server_archive/planning-certificate-based-authentication.md). + +- For a list of tasks that you can use to deploy your certificate-based policy design, see "Checklist: Implementing a Certificate-based Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=98308) at http://go.microsoft.com/fwlink/?linkid=98308. + +**Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](../p_server_archive/evaluating-windows-firewall-with-advanced-security-design-examples.md) + +  + +  + + + + + diff --git a/windows/keep-secure/change-rules-from-request-to-require-mode.md b/windows/keep-secure/change-rules-from-request-to-require-mode.md new file mode 100644 index 0000000000..3f8a49404e --- /dev/null +++ b/windows/keep-secure/change-rules-from-request-to-require-mode.md @@ -0,0 +1,68 @@ +--- +title: Change Rules from Request to Require Mode (Windows 10) +description: Change Rules from Request to Require Mode +ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff +author: brianlic-msft +--- + +# Change Rules from Request to Require Mode + + +After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that computers in the boundary zone can continue to accept connections from computers that are not part of the isolated domain. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +In this topic: + +- [Convert a rule in a GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](#bkmk-section1) + +- [Convert a rule for an earlier version of Windows](#bkmk-section2) + +- [Refresh policy on the client computers to receive the modified GPOs](#bkmk-section3) + +## + + +**To convert a rule from request to require mode for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Connection Security Rules**. + +3. In the details pane, double-click the connection security rule that you want to modify. + +4. Click the **Authentication** tab. + +5. In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK**. + +## + + +**To apply the modified GPOs to the client computers** + +1. The next time each computer refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md) and run the following command: + + ``` syntax + gpupdate /force + ``` + +2. To verify that the modified GPO is correctly applied to the client computers, you can run one of the following commands: + + On computers that are running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, run the following command: + + ``` syntax + gpresult /r /scope computer + ``` + +3. Examine the command output for the list of GPOs that are applied to the computer, and make sure that the list contains the GPOs you expect to see on that computer. + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md new file mode 100644 index 0000000000..c4c624a4b7 --- /dev/null +++ b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md @@ -0,0 +1,59 @@ +--- +title: Checklist Configuring Basic Firewall Settings (Windows 10) +description: Checklist Configuring Basic Firewall Settings +ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9 +author: brianlic-msft +--- + +# Checklist: Configuring Basic Firewall Settings + + +This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. + +## + + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring firewall defaults and settings** + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Turn the firewall on and set the default inbound and outbound behavior.

Procedure topic[Turn on Windows Firewall and Configure Default Behavior](../p_server_archive/turn-on-windows-firewall-and-configure-default-behavior.md)

_

Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules.

Procedure topic[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](../p_server_archive/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)

_

Configure the firewall to record a log file.

Procedure topic[Configure the Windows Firewall Log](../p_server_archive/configure-the-windows-firewall-log.md)

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md new file mode 100644 index 0000000000..4fe0df466c --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -0,0 +1,125 @@ +--- +title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10) +description: Checklist Configuring Rules for an Isolated Server Zone +ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c +author: brianlic-msft +--- + +# Checklist: Configuring Rules for an Isolated Server Zone + + +The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](../p_server_archive/checklist-implementing-a-standalone-server-isolation-policy-design.md). + +In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or computers who are authenticated members of a network access group (NAG). Computers that are running Windows 2000, Windows XP, or Windows Server 2003 can restrict access in IPsec only to computers that are members of the NAG, because IPsec and IKE in those versions of Windows do not support user-based authentication. If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer. + +Computers that are running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 can identify both computers and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication. For more information, see “AuthIP in Windows Vista” (). + +The GPOs for an isolated server or group of servers are similar to those for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules as well as restrictions that allow only members of the NAG to connect to the server. + +## + + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring rules for isolated servers for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2** + +**Note**   +The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy. + +  + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

+

Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone.

Checklist topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

_

Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption.

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used.

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that requests authentication for all network traffic.

+
+Important   +

Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.

+
+
+  +

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create the NAG to contain the computer or user accounts that are allowed to access the servers in the isolated server zone.

Procedure topic[Create a Group Account in Active Directory](../p_server_archive/create-a-group-account-in-active-directory.md)

_

Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG.

Procedure topic[Restrict Server Access to Members of a Group Only](../p_server_archive/restrict-server-access-to-members-of-a-group-only.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

_

Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

+ +  + +Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md new file mode 100644 index 0000000000..aaccf455e0 --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -0,0 +1,126 @@ +--- +title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10) +description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone +ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955 +author: brianlic-msft +--- + +# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone + + +This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or computers that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client computers that connect to them. For the GPOs for the client computers, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](../p_server_archive/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). + +The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server. + +## + + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring rules for isolated servers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** + +**Note**   +The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then create a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy. + +  + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

Checklist topic[Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md)

+

Checklist topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the computers for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used.

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used. This procedure sets the default settings for the computer. If you want to set authentication on a per-rule basis, this procedure is optional.

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that requests authentication for all inbound network traffic.

+
+Important   +

Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.

+
+
+  +

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it.

Procedure topic[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create the NAG to contain the computer or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client computers, then create a NAG for each set of servers.

Procedure topic[Create a Group Account in Active Directory](../p_server_archive/create-a-group-account-in-active-directory.md)

_

Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or computer that is a member of the zone’s NAG.

Procedure topic[Restrict Server Access to Members of a Group Only](../p_server_archive/restrict-server-access-to-members-of-a-group-only.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

_

Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

+ +  + +Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md new file mode 100644 index 0000000000..92853aab0f --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md @@ -0,0 +1,73 @@ +--- +title: Checklist Configuring Rules for the Boundary Zone (Windows 10) +description: Checklist Configuring Rules for the Boundary Zone +ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b +author: brianlic-msft +--- + +# Checklist: Configuring Rules for the Boundary Zone + + +The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. + +Rules for the boundary zone are typically the same as those for the isolated domain, with the exception that the final rule is left to only request, not require, authentication. + +## + + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring boundary zone rules for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** + +A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](../p_server_archive/checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.

Procedure topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

_

Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

_

Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted.

Procedure topic[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md new file mode 100644 index 0000000000..6f79c81796 --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md @@ -0,0 +1,75 @@ +--- +title: Checklist Configuring Rules for the Encryption Zone (Windows 10) +description: Checklist Configuring Rules for the Encryption Zone +ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4 +author: brianlic-msft +--- + +# Checklist: Configuring Rules for the Encryption Zone + + +This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. + +Rules for the encryption zone are typically the same as those for the isolated domain, with the exception that the main rule requires encryption in addition to authentication. + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring encryption zone rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** + +A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](../p_server_archive/checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.

Procedure topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

_

Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Add the encryption requirements for the zone.

Procedure topic[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

_

Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

_

Verify that the connection security rules are protecting network traffic.

Procedure topic[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md new file mode 100644 index 0000000000..e88f33cec8 --- /dev/null +++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md @@ -0,0 +1,107 @@ +--- +title: Checklist Configuring Rules for the Isolated Domain (Windows 10) +description: Checklist Configuring Rules for the Isolated Domain +ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e +author: brianlic-msft +--- + +# Checklist: Configuring Rules for the Isolated Domain + + +The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. + +## + + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring isolated domain rules for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** + +**Note**   +The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy. + +  + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

Checklist topic[Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md)

+

Checklist topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used.

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used.

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create the rule that requests authentication for all inbound network traffic.

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Link the GPO to the domain level of the AD DS organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

_

Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

_

Verify that the connection security rules are protecting network traffic to and from the test computers.

Procedure topic[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)

+ +  + +Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-creating-group-policy-objects.md b/windows/keep-secure/checklist-creating-group-policy-objects.md new file mode 100644 index 0000000000..5264c7d2c6 --- /dev/null +++ b/windows/keep-secure/checklist-creating-group-policy-objects.md @@ -0,0 +1,97 @@ +--- +title: Checklist Creating Group Policy Objects (Windows 10) +description: Checklist Creating Group Policy Objects +ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559 +author: brianlic-msft +--- + +# Checklist: Creating Group Policy Objects + + +To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a computer into a membership group. + +The checklists for firewall, domain isolation, and server isolation include a link to this checklist. + +## About membership groups + + +For most GPO deployment tasks, you must determine which computers must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a computer, you make that computer's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. + +## About exclusion groups + + +A Windows Firewall with Advanced Security design must often take into account domain-joined computers on the network that cannot or must not apply the rules and settings in the GPOs. Because these computers are typically fewer in number than the computers that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception computers into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a computer that is a member of both the membership group and the exception group is prevented from applying the GPO. Computers typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. + +You can also use a membership group for one zone as an exclusion group for another zone. For example, computers in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Creating Group Policy objects** + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.

Procedure topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

+

Procedure topic[Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md)

_

Create the membership group in AD DS that will be used to contain computer accounts that must receive the GPO.

+

If some computers in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the computer accounts for the computers that cannot be blocked by using a WMI filter.

Procedure topic[Create a Group Account in Active Directory](../p_server_archive/create-a-group-account-in-active-directory.md)

_

Create a GPO for each version of Windows that has different implementation requirements.

Procedure topic[Create a Group Policy Object](../p_server_archive/create-a-group-policy-object.md)

_

Create security group filters to limit the GPO to only computers that are members of the membership group and to exclude computers that are members of the exclusion group.

Procedure topic[Assign Security Group Filters to the GPO](../p_server_archive/assign-security-group-filters-to-the-gpo.md)

_

Create WMI filters to limit each GPO to only the computers that match the criteria in the filter.

Procedure topic[Create WMI Filters for the GPO](../p_server_archive/create-wmi-filters-for-the-gpo.md)

_

If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

_

Before adding any rules or configuring the GPO, add a few test computers to the membership group, and make sure that the correct GPO is received and applied to each member of the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md new file mode 100644 index 0000000000..65a3c463b5 --- /dev/null +++ b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md @@ -0,0 +1,69 @@ +--- +title: Checklist Creating Inbound Firewall Rules (Windows 10) +description: Checklist Creating Inbound Firewall Rules +ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f +author: brianlic-msft +--- + +# Checklist: Creating Inbound Firewall Rules + + +This checklist includes tasks for creating firewall rules in your GPOs. + +## + + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Creating inbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires.

Procedure topic[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create a rule that allows inbound network traffic on a specified port number.

Procedure topic[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create a rule that allows inbound ICMP network traffic.

Procedure topic[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create rules that allow inbound RPC network traffic.

Procedure topic[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service.

Procedure topic[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md new file mode 100644 index 0000000000..61e94ff601 --- /dev/null +++ b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md @@ -0,0 +1,61 @@ +--- +title: Checklist Creating Outbound Firewall Rules (Windows 10) +description: Checklist Creating Outbound Firewall Rules +ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de +author: brianlic-msft +--- + +# Checklist: Creating Outbound Firewall Rules + + +This checklist includes tasks for creating outbound firewall rules in your GPOs. Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 support the use of outbound rules. + +**Important**   +By default, in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create. + +  + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Create a rule that allows a program to send any outbound network traffic on any port it requires.

Procedure topic[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create a rule that allows outbound network traffic on a specified port number.

Procedure topic[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service.

Procedure topic[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md new file mode 100644 index 0000000000..251866927c --- /dev/null +++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -0,0 +1,100 @@ +--- +title: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone (Windows 10) +description: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone +ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6 +author: brianlic-msft +--- + +# Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone + + +This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client computers that must connect to servers in an isolated server zone. + +## + + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring isolated server zone client rules for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** + +**Note**   +The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then create a copy of the GPO. For example, create and configure the GPO for Windows 8, create a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the required changes (if any) to the copy. + +  + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Create a GPO for the client computers that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.

Checklist topic[Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md)

+

Checklist topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

_

To determine which computers receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.

Checklist topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used.

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used.

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with computers that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

_

Add your test computers to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md new file mode 100644 index 0000000000..d6ff2cb7f5 --- /dev/null +++ b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md @@ -0,0 +1,97 @@ +--- +title: Checklist Implementing a Basic Firewall Policy Design (Windows 10) +description: Checklist Implementing a Basic Firewall Policy Design +ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 +author: brianlic-msft +--- + +# Checklist: Implementing a Basic Firewall Policy Design + + +This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. + +**Note**   +Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. + +The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](http://technet.microsoft.com/library/hh831755.aspx) at http://technet.microsoft.com/library/hh831755.aspx. + +  + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif) **Checklist: Implementing a basic firewall policy design** + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization.

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

+

Conceptual topic[Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md)

+

Conceptual topic[Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md)

+

Conceptual topic[Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md)

_

Create the membership group and a GPO for each set of computers that require different firewall rules. Where GPOs will be similar, such as for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy.

Checklist topic[Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md)

+

Checklist topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the computers for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure the GPO with firewall default settings appropriate for your design.

Checklist topic[Checklist: Configuring Basic Firewall Settings](../p_server_archive/checklist-configuring-basic-firewall-settings.md)

_

Create one or more inbound firewall rules to allow unsolicited inbound network traffic.

Checklist topic[Checklist: Creating Inbound Firewall Rules](../p_server_archive/checklist-creating-inbound-firewall-rules.md)

_

Create one or more outbound firewall rules to block unwanted outbound network traffic.

Checklist topic[Checklist: Creating Outbound Firewall Rules](../p_server_archive/checklist-creating-outbound-firewall-rules.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

_

Add test computers to the membership group, and then confirm that the computers receive the firewall rules from the GPOs as expected.

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

_

According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy the completed firewall policy settings to your computers.

Procedure topic[Add Production Computers to the Membership Group for a Zone](../p_server_archive/add-production-computers-to-the-membership-group-for-a-zone.md)

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md new file mode 100644 index 0000000000..59ca82798d --- /dev/null +++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -0,0 +1,76 @@ +--- +title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10) +description: Checklist Implementing a Certificate-based Isolation Policy Design +ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894 +author: brianlic-msft +--- + +# Checklist: Implementing a Certificate-based Isolation Policy Design + + +This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. + +**Note**   +Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist + +The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](http://technet.microsoft.com/library/hh831755.aspx) at http://technet.microsoft.com/library/hh831755.aspx. + +  + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif) **Checklist: Implementing certificate-based authentication** + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

+

Conceptual topic[Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md)

+

Conceptual topic[Certificate-based Isolation Policy Design Example](../p_server_archive/certificate-based-isolation-policy-design-example.md)

+

Conceptual topic[Planning Certificate-based Authentication](../p_server_archive/planning-certificate-based-authentication.md)

_

Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.

Procedure topic[Install Active Directory Certificate Services](../p_server_archive/install-active-directory-certificate-services.md)

_

Configure the certificate template for workstation authentication certificates.

Procedure topic[Configure the Workstation Authentication Certificate Template](../p_server_archive/configure-the-workstation-authentication-certificate-templatewfas-dep.md)

_

Configure Group Policy to automatically deploy certificates based on your template to workstation computers.

Procedure topic[Configure Group Policy to Autoenroll and Deploy Certificates](../p_server_archive/configure-group-policy-to-autoenroll-and-deploy-certificates.md)

_

On a test computer, refresh Group Policy and confirm that the certificate is installed.

Procedure topic[Confirm That Certificates Are Deployed Correctly](../p_server_archive/confirm-that-certificates-are-deployed-correctly.md)

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md new file mode 100644 index 0000000000..6febf014de --- /dev/null +++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md @@ -0,0 +1,88 @@ +--- +title: Checklist Implementing a Domain Isolation Policy Design (Windows 10) +description: Checklist Implementing a Domain Isolation Policy Design +ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20 +author: brianlic-msft +--- + +# Checklist: Implementing a Domain Isolation Policy Design + + +This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. + +**Note**   +Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. + +The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](http://technet.microsoft.com/library/hh831755.aspx) at http://technet.microsoft.com/library/hh831755.aspx. + +For more information about the security algorithms and authentication methods available in each version of Windows, see [IPsec Algorithms and Methods Supported in Windows](http://technet.microsoft.com/library/dd125380.aspx) at http://technet.microsoft.com/library/dd125380.aspx. + +  + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif) **Checklist: Implementing a domain isolation policy design** + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

+

Conceptual topic[Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md)

+

Conceptual topic[Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md)

+

Conceptual topic[Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md)

_

Create the GPOs and connection security rules for the isolated domain.

Checklist topic[Checklist: Configuring Rules for the Isolated Domain](../p_server_archive/checklist-configuring-rules-for-the-isolated-domain.md)

_

Create the GPOs and connection security rules for the boundary zone.

Checklist topic[Checklist: Configuring Rules for the Boundary Zone](../p_server_archive/checklist-configuring-rules-for-the-boundary-zone.md)

_

Create the GPOs and connection security rules for the encryption zone.

Checklist topic[Checklist: Configuring Rules for the Encryption Zone](../p_server_archive/checklist-configuring-rules-for-the-encryption-zone.md)

_

Create the GPOs and connection security rules for the isolated server zone.

Checklist topic[Checklist: Configuring Rules for an Isolated Server Zone](../p_server_archive/checklist-configuring-rules-for-an-isolated-server-zone.md)

_

According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.

Procedure topic[Add Production Computers to the Membership Group for a Zone](../p_server_archive/add-production-computers-to-the-membership-group-for-a-zone.md)

_

After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.

Procedure topic[Change Rules from Request to Require Mode](../p_server_archive/change-rules-from-request-to-require-mode.md)

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md new file mode 100644 index 0000000000..92a7ec6199 --- /dev/null +++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -0,0 +1,83 @@ +--- +title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10) +description: Checklist Implementing a Standalone Server Isolation Policy Design +ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 +author: brianlic-msft +--- + +# Checklist: Implementing a Standalone Server Isolation Policy Design + + +This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](../p_server_archive/checklist-configuring-rules-for-an-isolated-server-zone.md). + +This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. + +**Note**   +Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. + +The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](http://technet.microsoft.com/library/hh831755.aspx) at http://technet.microsoft.com/library/hh831755.aspx. + +  + +![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif) **Checklist: Implementing a standalone server isolation policy design** + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TaskReference

_

Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

+

Conceptual topic[Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md)

+

Conceptual topic[Server Isolation Policy Design Example](../p_server_archive/server-isolation-policy-design-example.md)

+

Conceptual topic[Planning Server Isolation Zones](../p_server_archive/planning-server-isolation-zones.md)

_

Create the GPOs and connection security rules for isolated servers.

Checklist topic[Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](../p_server_archive/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)

_

Create the GPOs and connection security rules for the client computers that must connect to the isolated servers.

Checklist topic[Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](../p_server_archive/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)

_

Verify that the connection security rules are protecting network traffic on your test computers.

Procedure topic[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)

_

After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it.

Procedure topic[Change Rules from Request to Require Mode](../p_server_archive/change-rules-from-request-to-require-mode.md)

_

According to the testing and roll-out schedule in your design plan, add computer accounts for the client computers to the membership group so that you can deploy the settings.

Procedure topic[Add Production Computers to the Membership Group for a Zone](../p_server_archive/add-production-computers-to-the-membership-group-for-a-zone.md)

+ +  + +  + +  + + + + + diff --git a/windows/keep-secure/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md new file mode 100644 index 0000000000..6cd45af6d4 --- /dev/null +++ b/windows/keep-secure/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -0,0 +1,84 @@ +--- +title: Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) +description: Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02 +author: brianlic-msft +--- + +# Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 + + +This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. + +**Note**   +If you follow the steps in the procedure in this topic, you alter the system-wide default settings. Any connection security rule can use these settings by specifying **Default** on the **Authentication** tab. + +  + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To configure authentication methods** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. + +3. On the **IPsec Settings** tab, click **Customize**. + +4. In the **Authentication Method** section, select the type of authentication that you want to use from among the following: + + 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Firewall with Advanced Security or by Group Policy as the default. + + 2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials. This authentication method works only with other computers that can use Authenticated IP (AuthIP), including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + + 3. **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. + + 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + + 5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. + + 6. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. + + The first authentication method can be one of the following: + + - **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. + + - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used. + + - **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method is not recommended, and is included only for backward compatibility and testing purposes. + + If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + + The second authentication method can be one of the following: + + - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups. + + - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication EKU typically provided in a NAP infrastructure can be used for this rule. + + If you select **Second authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + + **Important**   + Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. + +   + +5. Click **OK** on each dialog box to save your changes and return to the Group Policy Management Editor. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md new file mode 100644 index 0000000000..19af4227c6 --- /dev/null +++ b/windows/keep-secure/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -0,0 +1,66 @@ +--- +title: Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) +description: Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0 +author: brianlic-msft +--- + +# Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 + + +This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To configure quick mode settings** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. + +3. On the **IPsec Settings** tab, click **Customize**. + +4. In the **Data protection (Quick Mode)** section, click **Advanced**, and then click **Customize**. + +5. If you require encryption for all network traffic in the specified zone, then check **Require encryption for all connection security rules that use these settings**. Selecting this option disables the **Data integrity** section, and forces you to select only integrity algorithms that are combined with an encryption algorithm. If you do not select this option, then you can use only data integrity algorithms. Before selecting this option, consider the performance impact and the increase in network traffic that will result. We recommend that you use this setting only on network traffic that truly requires it, such as to and from computers in the encryption zone. + +6. If you did not select **Require encryption**, then select the data integrity algorithms that you want to use to help protect the data sessions between the two computers. If the data integrity algorithms displayed in the list are not what you want, then do the following: + + 1. From the left column, remove any of the data integrity algorithms that you do not want by selecting the algorithm and then clicking **Remove**. + + 2. Add any required data integrity algorithms by clicking **Add**, selecting the appropriate protocol (ESP or AH) and algorithm (SHA1 or MD5), selecting the key lifetime in minutes or sessions, and then clicking **OK**. We recommend that you do not include MD5 in any combination. It is included for backward compatibility only. We also recommend that you use ESP instead of AH if you have any devices on your network that use network address translation (NAT). + + 3. In **Key lifetime (in sessions)**, type the number of times that the quick mode session can be rekeyed. After this number is reached, the quick mode SA must be renegotiated. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent renegotiating of the quick mode SA. We recommend that you use the default value unless your risk analysis indicates the need for a different value. + + 4. Click **OK** to save your algorithm combination settings. + + 5. After the list contains only the combinations you want, use the up and down arrows to the right of the list to rearrange them in the correct order for your design. The algorithm combination that is first in the list is tried first, and so on. + +7. Select the data integrity and encryption algorithms that you want to use to help protect the data sessions between the two computers. If the algorithm combinations displayed in the list are not what you want, then do the following: + + 1. From the second column, remove any of the data integrity and encryption algorithms that you do not want by selecting the algorithm combination and then clicking **Remove**. + + 2. Add any required integrity and encryption algorithm combinations by clicking **Add**, and then doing the following: + + 3. Select the appropriate protocol (ESP or AH). We recommend that you use ESP instead of AH if you have any devices on your network that use NAT. + + 4. Select the appropriate encryption algorithm. The choices include, in order of decreasing security: AES-256, AES-192, AES-128, 3DES, and DES. We recommend that you do not include DES in any combination. It is included for backward compatibility only. + + 5. Select the appropriate integrity algorithm (SHA1 or MD5). We recommend that you do not include MD5 in any combination. It is included for backward compatibility only. + + 6. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operations between the two computers that negotiated this key will require a new key. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent rekeying. We recommend that you use the default value unless your risk analysis indicates the need for a different value. + +8. Click **OK** three times to save your settings. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md new file mode 100644 index 0000000000..dca884a135 --- /dev/null +++ b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -0,0 +1,42 @@ +--- +title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10) +description: Configure Group Policy to Autoenroll and Deploy Certificates +ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09 +author: brianlic-msft +--- + +# Configure Group Policy to Autoenroll and Deploy Certificates + + +You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. + +**Administrative credentials** + +To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest and a member of the Enterprise Admins group. + +**To configure Group Policy to autoenroll certificates** + +1. On a computer that has the Group Policy Management feature installed, click **Start**, click **Administrative Tools**, and then click **Group Policy Management**. + +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. + +3. In the navigation pane, expand the following path: **Computer Configuration**, **Policies**, **Windows Settings**, **Security Settings**, **Public Key Policies**. + +4. Double-click **Certificate Services Client - Auto-Enrollment**. + +5. In the **Properties** dialog box, change **Configuration Model** to **Enabled**. + +6. Select both **Renew expired certificates, update pending certificates, and remove revoked certificates** and **Update certificates that use certificate templates**. + +7. Click **OK** to save your changes. Computers apply the GPO and download the certificate the next time Group Policy is refreshed. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md new file mode 100644 index 0000000000..98b44775c3 --- /dev/null +++ b/windows/keep-secure/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -0,0 +1,79 @@ +--- +title: Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) +description: Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52 +author: brianlic-msft +--- + +# Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 + + +This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To configure key exchange settings** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. + +3. On the **IPsec Settings** tab, click **Customize**. + +4. In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**. + +5. Select the security methods to be used to help protect the main mode negotiations between the two computers. If the security methods displayed in the list are not what you want, then do the following: + + **Important**   + In Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another computer running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both computers. + + Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. Make sure that all of your computers that run Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 have the same methods at the top of the list and the same key exchange algorithm selected. + +   + + **Note**   + When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This happens no matter which Diffie-Hellman key exchange protocol you select. + +   + + 1. Remove any of the security methods that you do not want by selecting the method and then clicking **Remove**. + + 2. Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**. + + **Caution**   + We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only. + +   + + 3. After the list contains only the combinations you want, use the up and down arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on. + +6. From the list on the right, select the key exchange algorithm that you want to use. + + **Caution**   + We recommend that you do not use Diffie-Hellman Group 1. It is included for backward compatibility only. + +   + +7. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operation between the two computers requires a new key. + + **Note**   + You need to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance. + +   + +8. In **Key lifetime (in sessions)**, type the number of sessions. After the specified number of quick mode sessions have been created within the security association protected by this key, IPsec requires a new key. + +9. Click **OK** three times to save your settings. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md new file mode 100644 index 0000000000..d01116f6b5 --- /dev/null +++ b/windows/keep-secure/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -0,0 +1,61 @@ +--- +title: Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) +description: Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0 +author: brianlic-msft +--- + +# Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 + + +If you are creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that do not use encryption. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To modify an authentication request rule to also require encryption** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Connection Security Rules**. + +3. In the details pane, double-click the connection security rule you want to modify. + +4. On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**. + +5. In the navigation pane, right-click **Windows Firewall with Advanced Security – LDAP://CN={***guid***}**, and then click **Properties**. + +6. Click the **IPsec Settings** tab. + +7. Under **IPsec defaults**, click **Customize**. + +8. Under **Data protection (Quick Mode)**, click **Advanced**, and then click **Customize**. + +9. Click **Require encryption for all connection security rules that use these settings**. + + This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client computers will use to connect to members of the encryption zone. The client computers receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client computers in that zone will not be able to connect to computers in this zone. + +10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md). + + **Note**   + Not all of the algorithms available in Windows 8 or Windows Server 2012 can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. + + Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell. + + For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](../p_server_archive/windows-firewall-with-advanced-security-administration-with-windows-powershell.md) + +   + +11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating computers select the most secure combination that they can jointly support. + +12. Click **OK** three times to save your changes. + +  + +  + + + + + diff --git a/windows/keep-secure/configure-the-windows-firewall-log.md b/windows/keep-secure/configure-the-windows-firewall-log.md new file mode 100644 index 0000000000..0bd77d8930 --- /dev/null +++ b/windows/keep-secure/configure-the-windows-firewall-log.md @@ -0,0 +1,60 @@ +--- +title: Configure the Windows Firewall Log (Windows 10) +description: Configure the Windows Firewall Log +ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 +author: brianlic-msft +--- + +# Configure the Windows Firewall Log + + +To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +In this topic: + +[To configure Windows Firewall logging for Windows Vista or Windows Server 2008](#bkmk-toenablewindowsfirewallandconfigurethedefaultbehavior) + +## + + +**To configure Windows Firewall logging for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. + +3. For each network location type (Domain, Private, Public), perform the following steps. + + 1. Click the tab that corresponds to the network location type. + + 2. Under **Logging**, click **Customize**. + + 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. + + **Important**   + The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file. + +   + + 4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. + + 5. No logging occurs until you set one of following two options: + + - To create a log entry when Windows Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**. + + - To create a log entry when Windows Firewall allows an inbound connection, change **Log successful connections** to **Yes**. + + 6. Click **OK** twice. + +  + +  + + + + + diff --git a/windows/keep-secure/configure-the-workstation-authentication-certificate-templatewfas-dep.md b/windows/keep-secure/configure-the-workstation-authentication-certificate-templatewfas-dep.md new file mode 100644 index 0000000000..ebe06760bb --- /dev/null +++ b/windows/keep-secure/configure-the-workstation-authentication-certificate-templatewfas-dep.md @@ -0,0 +1,53 @@ +--- +title: Configure the Workstation Authentication Certificate Template (Windows 10) +description: Configure the Workstation Authentication Certificate Template +ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6 +author: brianlic-msft +--- + +# Configure the Workstation Authentication Certificate Template + + +This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for computer certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. + +**Administrative credentials** + +To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group. + +**To configure the workstation authentication certificate template and autoenrollment** + +1. On the computer where AD CS is installed, click the **Start** charm, and then click **Certification Authority**. + +2. In the navigation pane, right-click **Certificate Templates**, and then click **Manage**. + +3. In the details pane, click the **Workstation Authentication** template. + +4. On the **Action** menu, click **Duplicate Template**. In the **Duplicate Template** dialog box, select the template version that is appropriate for your deployment, and then click **OK**. For the resulting certificates to have maximum compatibility with the available versions of Windows, we recommended that you select **Windows Server 2003**. + +5. On the **General** tab, in **Template display name**, type a new name for the certificate template, such as **Domain Isolation Workstation Authentication Template**. + +6. Click the **Subject Name** tab. Make sure that **Build from this Active Directory information** is selected. In **Subject name format**, select **Fully distinguished name**. + +7. Click the **Request Handling** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048. + +8. Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**. + + **Note**   + If you want do not want to deploy the certificate to every computer in the domain, then specify a different group or groups that contain the computer accounts that you want to receive the certificate. + +   + +9. Close the Certificate Templates Console. + +10. In the Certification Authority MMC snap-in, in the left pane, right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. + +11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you just configured, and then click **OK**. + +  + +  + + + + + diff --git a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md new file mode 100644 index 0000000000..e8fdd8d249 --- /dev/null +++ b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -0,0 +1,58 @@ +--- +title: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked (Windows 10) +description: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked +ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b +author: brianlic-msft +--- + +# Configure Windows Firewall to Suppress Notifications When a Program Is Blocked + + +To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. + +**Caution**   +If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail. + +We recommend that you do not enable these settings until you have created and tested the required rules. + +  + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +In this topic: + +[To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](#bkmk-1) + +## + + +**To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. + +3. For each network location type (Domain, Private, Public), perform the following steps. + + 1. Click the tab that corresponds to the network location type. + + 2. Under **Settings**, click **Customize**. + + 3. Under **Firewall settings**, change **Display a notification** to **No**. + + 4. Under **Rule merging**, change **Apply local firewall rules** to **No**. + + 5. Although a connection security rule is not a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you are planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**. + + 6. Click **OK** twice. + +  + +  + + + + + diff --git a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md new file mode 100644 index 0000000000..16224c9683 --- /dev/null +++ b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md @@ -0,0 +1,56 @@ +--- +title: Confirm That Certificates Are Deployed Correctly (Windows 10) +description: Confirm That Certificates Are Deployed Correctly +ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee +author: brianlic-msft +--- + +# Confirm That Certificates Are Deployed Correctly + + +After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation computers. + +In these procedures, you refresh Group Policy on a client computer, and then confirm that the certificate is deployed correctly. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +In this topic: + +- [Refresh Group Policy on a computer](#bkmk-torefreshgrouppolicyonacomputer) + +- [Verify that a certificate is installed](#bkmk-toverifythatacertificateisinstalled) + +## + + +**To refresh Group Policy on a computer** + +- On a computer running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command: + + ``` syntax + gpupdate /target:computer /force + ``` + +After Group Policy is refreshed, you can see which GPOs are currently applied to the computer. + +## + + +**To verify that a certificate is installed** + +1. Click the **Start** charm, type **certmgr.msc**, and then press ENTER. + +2. In the navigation pane, expand **Trusted Root Certification Authorities**, and then click **Certificates**. + + The CA that you created appears in the list. + +  + +  + + + + + diff --git a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md new file mode 100644 index 0000000000..59ce12e2c1 --- /dev/null +++ b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md @@ -0,0 +1,54 @@ +--- +title: Copy a GPO to Create a New GPO (Windows 10) +description: Copy a GPO to Create a New GPO +ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406 +author: brianlic-msft +--- + +# Copy a GPO to Create a New GPO + + +To create the GPO for the boundary zone computers, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and Computers MMC snap-in. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs. + +**To make a copy of a GPO** + +1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click **Group Policy Management** tile. + +2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. + +3. In the details pane, right-click the GPO you want to copy, and then click **Copy**. + +4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**. + +5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler. + +6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*. + +7. To rename it, right-click the GPO, and then click **Rename**. + +8. Type the new name, and then press ENTER. + +9. You must change the security filters to apply the policy to the correct group of computers. To do this, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**. + +10. In the confirmation dialog box, click **OK**. + +11. Click **Add**. + +12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. + +13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client computers running Windows 8, and the new boundary zone GPO is for computers running Windows Server 2012, then select a WMI filter that allows only those computers to read and apply the GPO. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/create-a-group-account-in-active-directory.md b/windows/keep-secure/create-a-group-account-in-active-directory.md new file mode 100644 index 0000000000..d58c911d10 --- /dev/null +++ b/windows/keep-secure/create-a-group-account-in-active-directory.md @@ -0,0 +1,47 @@ +--- +title: Create a Group Account in Active Directory (Windows 10) +description: Create a Group Account in Active Directory +ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432 +author: brianlic-msft +--- + +# Create a Group Account in Active Directory + + +To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers MMC snap-in. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new group accounts. + +**To add a new membership group in Active Directory** + +1. On a computer that has Active Directory management tools installed, click the **Start** charm, and then click the **Active Directory Users and Computers** tile. + +2. In the navigation pane, select the container in which you want to store your group. This is typically the **Users** container under the domain. + +3. Click **Action**, click **New**, and then click **Group**. + +4. In the **Group name** text box, type the name for your new group. + + **Note**   + Be sure to use a name that clearly indicates its purpose. Check to see if your organization has a naming convention for groups. + +   + +5. In the **Description** text box, enter a description of the purpose of this group. + +6. In the **Group scope** section, select either **Global** or **Universal**, depending on your Active Directory forest structure. If your group must include computers from multiple domains, then select **Universal**. If all of the members are from the same domain, then select **Global**. + +7. In the **Group type** section, click **Security**. + +8. Click **OK** to save your group. + +  + +  + + + + + diff --git a/windows/keep-secure/create-a-group-policy-object.md b/windows/keep-secure/create-a-group-policy-object.md new file mode 100644 index 0000000000..c6c8df196b --- /dev/null +++ b/windows/keep-secure/create-a-group-policy-object.md @@ -0,0 +1,51 @@ +--- +title: Create a Group Policy Object (Windows 10) +description: Create a Group Policy Object +ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced +author: brianlic-msft +--- + +# Create a Group Policy Object + + +To create a new GPO, use the Active Directory Users and Computers MMC snap-in. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs. + +**To create a new GPO** + +1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. + +2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. + +3. Click **Action**, and then click **New**. + +4. In the **Name** text box, type the name for your new GPO. + + **Note**   + Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs. + +   + +5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**. + +6. If your GPO will not contain any user settings, then you can improve performance by disabling the **User Configuration** section of the GPO. To do this, perform these steps: + + 1. In the navigation pane, click the new GPO. + + 2. In the details pane, click the **Details** tab. + + 3. Change the **GPO Status** to **User configuration settings disabled**. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md new file mode 100644 index 0000000000..93b8e8fa26 --- /dev/null +++ b/windows/keep-secure/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -0,0 +1,73 @@ +--- +title: Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) +description: Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8 +author: brianlic-msft +--- + +# Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 + + +In almost any isolated server or isolated domain scenario, there are some computers or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those computers from the authentication requirements of your isolation policies. + +**Important**   +Adding computers to the exemption list for a zone reduces security because it permits computers in the zone to send network traffic that is unprotected by IPsec to the computers on the list. As discussed in the Windows Firewall with Advanced Security Design Guide, you must add only managed and trusted computers to the exemption list. + +  + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To create a rule that exempts specified hosts from authentication** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Connection Security Rules**. + +3. Click **Action**, and then click **New Rule**. + +4. On the **Rule Type** page of the New Connection Security Rule Wizard, click **Authentication exemption**, and then click **Next**. + +5. On the **Exempt Computers** page, to create a new exemption, click **Add**. To modify an existing exemption, click it, and then click **Edit**. + +6. In the **IP Address** dialog box, do one of the following: + + - To add a single IP address, click **This IP address or subnet**, type the IP address of the host in the text box, and then click **OK**. + + - To add an entire subnet by address, click **This IP address or subnet**, and then type the IP address of the subnet, followed by a forward slash (/) and the number of bits in the corresponding subnet mask. For example, **10.50.0.0/16** represents the class B subnet that begins with address 10.50.0.1, and ends with address **10.50.255.254**. Click **OK** when you are finished. + + - To add the local computer’s subnet, click **Predefined set of computers**, select **Local subnet** from the list, and then click **OK**. + + **Note**   + If you select the local subnet from the list rather than typing the subnet address in manually, the computer automatically adjusts the active local subnet to match the computer’s current IP address. + +   + + - To add a discrete range of addresses that do not correspond to a subnet, click **This IP address range**, type the beginning and ending IP addresses in the **From** and **To** text boxes, and then click **OK**. + + - To exempt all of the remote hosts that the local computer uses for a specified network service, click **Predefined set of computers**, select the network service from the list, and then click **OK**. + +7. Repeat steps 5 and 6 for each exemption that you need to create. + +8. Click **Next** when you have created all of the exemptions. + +9. On the **Profile** page, check the profile for each network location type to which this set of exemptions applies, and then click **Next**. + + **Caution**   + If all of the exemptions are on the organization’s network and that network is managed by an Active Directory domain, then consider restricting the rule to the Domain profile only. Selecting the wrong profile can reduce the protection for your computer because any computer with an IP address that matches an exemption rule will not be required to authenticate. + +   + +10. On the **Name** page, type the name of the exemption rule, type a description, and then click **Finish**. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md new file mode 100644 index 0000000000..d3c1139e03 --- /dev/null +++ b/windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -0,0 +1,94 @@ +--- +title: Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) +description: Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359 +author: brianlic-msft +--- + +# Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 + + +After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the computers on the network to use those protocols and methods before they can communicate. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To create the authentication request rule** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**. + +3. On the **Rule Type** page, select **Isolation**, and then click **Next**. + +4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**. + + **Caution**   + Do not configure the rule to require inbound authentication until you have confirmed that all of your computers are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the computers to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network. + +   + +5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP), which is supported only on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. + + 1. **Default**. Selecting this option tells the computer to request authentication by using the method currently defined as the default on the computer. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) procedure. + + 2. **Computer and User (Kerberos V5)**. Selecting this option tells the computer to request authentication of both the computer and the currently logged-on user by using their domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + + 3. **Computer (Kerberos V5)**. Selecting this option tells the computer to request authentication of the computer by using its domain credentials. This option works with other computers than can use IKE v1, including earlier versions of Windows. + + 4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. + + The **First authentication method** can be one of the following: + + - **Computer (Kerberos V5)**. Selecting this option tells the computer to request authentication of the computer by using its domain credentials. This option works with other computers than can use IKE v1, including earlier versions of Windows. + + - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. + + - **Preshared key (not recommended)**. Selecting this method and entering a pre-shared key tells the computer to authenticate by exchanging the pre-shared keys. If the keys match, then the authentication succeeds. This method is not recommended, and is included for backward compatibility and testing purposes only. + + If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + + The **Second authentication method** can be one of the following: + + - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using NTLMv2 is not supported by IKE v1. + + - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to request user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups. + + - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. + + If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails. + + **Important**   + Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. + +   + +6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**. + +7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies. + + - On portable computers, consider clearing the **Private** and **Public** boxes to enable the computer to communicate without authentication when it is away from the domain network. + + - On computers that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule. + + Click **Next**. + +8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**. + + The new rule appears in the list of connection security rules. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md new file mode 100644 index 0000000000..08aecf9783 --- /dev/null +++ b/windows/keep-secure/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -0,0 +1,71 @@ +--- +title: Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10) +description: Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +ms.assetid: 267b940a-79d9-4322-b53b-81901e357344 +author: brianlic-msft +--- + +# Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 + + +To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +This topic describes how to create a port rule that allows inbound ICMP network traffic. For other inbound port rule types, see: + +- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +**To create an inbound ICMP rule** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + +5. On the **Program** page, click **All programs**, and then click **Next**. + +6. On the **Protocol and Ports** page, select **ICMPv4** or **ICMPv6** from the **Protocol type** list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each. + +7. Click **Customize**. + +8. In the **Customize ICMP Settings** dialog box, do one of the following: + + - To allow all ICMP network traffic, click **All ICMP types**, and then click **OK**. + + - To select one of the predefined ICMP types, click **Specific ICMP types**, and then select each type in the list that you want to allow. Click **OK**. + + - To select an ICMP type that does not appear in the list, click **Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, click **Add**, and then select the newly created entry from the list. Click **OK** + +9. Click **Next**. + +10. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +11. On the **Action** page, select **Allow the connection**, and then click **Next**. + +12. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + + **Note**   + If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + +   + +13. On the **Name** page, type a name and description for your rule, and then click **Finish**. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md new file mode 100644 index 0000000000..6644cd06b4 --- /dev/null +++ b/windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -0,0 +1,75 @@ +--- +title: Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10) +description: Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f +author: brianlic-msft +--- + +# Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 + + +To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see: + +- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +**To create an inbound port rule** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + + **Note**   + Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +   + +5. On the **Program** page, click **All programs**, and then click **Next**. + + **Note**   + This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria. + +   + +6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number. + + If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall. + + To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. + + When you have configured the protocols and ports, click **Next**. + +7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +8. On the **Action** page, select **Allow the connection**, and then click **Next**. + +9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + + **Note**   + If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + +   + +10. On the **Name** page, type a name and description for your rule, and then click **Finish**. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md new file mode 100644 index 0000000000..b254db6e7c --- /dev/null +++ b/windows/keep-secure/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -0,0 +1,88 @@ +--- +title: Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10) +description: Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf +author: brianlic-msft +--- + +# Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 + + +To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. + +**Note**   +This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure. + +  + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To create an inbound firewall rule for a program or service** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + + **Note**   + Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +   + +5. On the **Program** page, click **This program path**. + +6. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly. + +7. Do one of the following: + + - If the executable file contains a single program, click **Next**. + + - If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**. + + - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, click **Apply to service with this service short name**, and then type the short name for the service in the text box. Click **OK**, and then click **Next**. + + **Important**   + To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command: + + **sc** **qsidtype** *<ServiceName>* + + If the result is **NONE**, then a firewall rule cannot be applied to that service. + + To set a SID type on a service, run the following command: + + **sc** **sidtype** *<Type> <ServiceName>* + + In the preceding command, the value of *<Type>* can be **UNRESTRICTED** or **RESTRICTED**. Although the command also permits the value of **NONE**, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as **UNRESTRICTED**. If you change the SID type to **RESTRICTED**, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to **UNRESTRICTED**. For more information, see [Vista Services](http://go.microsoft.com/fwlink/?linkid=141454) (http://go.microsoft.com/fwlink/?linkid=141454) and the “Service Security Improvements” section of [Inside the Windows Vista Kernel](http://go.microsoft.com/fwlink/?linkid=141455) (http://go.microsoft.com/fwlink/?linkid=141455). + +   + +8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). After you have configured the protocol and port options, click **Next**. + +9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +10. On the **Action** page, select **Allow the connection**, and then click **Next**. + +11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + + **Note**   + If this GPO is targeted at server computers running Windows Server 2008 that never move, consider applying the rule to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + +   + +12. On the **Name** page, type a name and description for your rule, and then click **Finish**. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md new file mode 100644 index 0000000000..acc279e9e1 --- /dev/null +++ b/windows/keep-secure/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -0,0 +1,64 @@ +--- +title: Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 (Windows 10) +description: Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 +ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf +author: brianlic-msft +--- + +# Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 + + +By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To create an outbound port rule** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Outbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Outbound Rule wizard, click **Custom**, and then click **Next**. + + **Note**   + Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +   + +5. On the **Program** page, click **All programs**, and then click **Next**. + +6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an outbound rule, you typically configure only the remote port number. + + If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it. + + To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. + + When you have configured the protocols and ports, click **Next**. + +7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +8. On the **Action** page, select **Block the connection**, and then click **Next**. + +9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + + **Note**   + If this GPO is targeted at server computers running Windows Server 2008 that never move, consider applying the rules to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + +   + +10. On the **Name** page, type a name and description for your rule, and then click **Finish**. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md new file mode 100644 index 0000000000..6a9f0d3b2f --- /dev/null +++ b/windows/keep-secure/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -0,0 +1,68 @@ +--- +title: Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 (Windows 10) +description: Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 +ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311 +author: brianlic-msft +--- + +# Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 + + +By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To create an outbound firewall rule for a program or service** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Outbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Outbound Rule Wizard, click **Custom**, and then click **Next**. + + **Note**   + Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +   + +5. On the **Program** page, click **This program path**. + +6. Type the path to the program in the text box. Use environment variables as appropriate to ensure that programs installed in different locations on different computers work correctly. + +7. Do one of the following: + + - If the executable file contains a single program, click **Next**. + + - If the executable file is a container for multiple services that must all be blocked from sending outbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**. + + - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then click **Apply to service with this service short name**, and type the short name for the service in the text box. Click **OK**, and then click **Next**. + +8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). When you have configured the protocol and port options, click **Next**. + +9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +10. On the **Action** page, select **Block the connection**, and then click **Next**. + +11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + + **Note**   + If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + +   + +12. On the **Name** page, type a name and description for your rule, and then click **Finish**. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md new file mode 100644 index 0000000000..c18b3e488e --- /dev/null +++ b/windows/keep-secure/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -0,0 +1,108 @@ +--- +title: Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10) +description: Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150 +author: brianlic-msft +--- + +# Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 + + +To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your computer by allowing network traffic only from computers that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +This topic describes how to create rules that allow inbound RPC network traffic. For other inbound port rule types, see: + +- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +In this topic: + +- [To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service](#bkmk-proc1) + +- [To create a rule to allow inbound network traffic to RPC-enabled network services](#bkmk-proc2) + +## + + +**To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + +5. On the **Program** page, click **This Program Path**, and then type **%systemroot%\\system32\\svchost.exe**. + +6. Click **Customize**. + +7. In the **Customize Service Settings** dialog box, click **Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, click **OK**, and then click **Next**. + +8. On the warning about Windows service-hardening rules, click **Yes**. + +9. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**. + +10. For **Local port**, select **RPC Endpoint Mapper**, and then click **Next**. + +11. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +12. On the **Action** page, select **Allow the connection**, and then click **Next**. + +13. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + + **Note**   + If this GPO is targeted at server computers running Windows Server 2008 that never move, consider applying the rules to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + +   + +14. On the **Name** page, type a name and description for your rule, and then click **Finish**. + +## + + +**To create a rule to allow inbound network traffic to RPC-enabled network services** + +1. On the same GPO you edited in the preceding procedure, click **Action**, and then click **New rule**. + +2. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + +3. On the **Program** page, click **This Program Path**, and then type the path to the executable file that hosts the network service. Click **Customize**. + +4. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service does not appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box. + +5. Click **OK**, and then click **Next**. + +6. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**. + +7. For **Local port**, select **RPC Dynamic Ports**, and then click **Next**. + +8. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +9. On the **Action** page, select **Allow the connection**, and then click **Next**. + +10. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + + **Note**   + If this GPO is targeted at server computers running Windows Server 2008 that never move, consider applying the rules to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + +   + +11. On the **Name** page, type a name and description for your rule, and then click **Finish**. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/create-wmi-filters-for-the-gpo.md b/windows/keep-secure/create-wmi-filters-for-the-gpo.md new file mode 100644 index 0000000000..adf0d2f7be --- /dev/null +++ b/windows/keep-secure/create-wmi-filters-for-the-gpo.md @@ -0,0 +1,105 @@ +--- +title: Create WMI Filters for the GPO (Windows 10) +description: Create WMI Filters for the GPO +ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e +author: brianlic-msft +--- + +# Create WMI Filters for the GPO + + +To make sure that each GPO associated with a group can only be applied to computers running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each computer. + +- [To create a WMI filter that queries for a specified version of Windows](#bkmk-1) + +- [To link a WMI filter to a GPO](#bkmk-2) + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +First, create the WMI filter and configure it to look for a specified version (or versions) of the Windows operating system. + +## + + +**To create a WMI filter that queries for a specified version of Windows** + +1. On a computer that has the Group Policy Management feature installed, click **Start**, click **Administrative Tools**, and then click **Group Policy Management**. + +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **WMI Filters**. + +3. Click **Action**, and then click **New**. + +4. In the **Name** text box, type the name of the WMI filter. + + **Note**   + Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention. + +   + +5. In the **Description** text box, type a description for the WMI filter. For example, if the filter excludes domain controllers, you might consider stating that in the description. + +6. Click **Add**. + +7. Leave the **Namespace** value set to **root\\CIMv2**. + +8. In the **Query** text box, type: + + ``` syntax + select * from Win32_OperatingSystem where Version like "6.%" + ``` + + This query will return **true** for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. To set a filter for just Windows 8 and Windows Server 2012, use `"6.2%"`. To specify multiple versions, combine them with `or`, as shown in the following: + + ``` syntax + ... where Version like "6.1%" or Version like "6.2%" + ``` + + To restrict the query to only clients or only servers, add a clause that includes the `ProductType` parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only `ProductType="1"`. For server operating systems that are not domain controllers, use `ProductType="3"`. For domain controllers only, use `ProductType="2"`. This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. + + The following clause returns **true** for all computers that are not domain controllers: + + ``` syntax + ... where ProductType="1" or ProductType="3" + ``` + + The following complete query returns **true** for all computers running Windows 8, and returns **false** for any server operating system or any other client operating system. + + ``` syntax + select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="1" + ``` + + The following query returns **true** for any computer running Windows Server 2012, except domain controllers: + + ``` syntax + select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="3" + ``` + +9. Click **OK** to save the query to the filter. + +10. Click **Save** to save your completed filter. + +## + + +After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs. + +**To link a WMI filter to a GPO** + +1. On a computer that has the Group Policy Management feature installed, click **Start**, click **Administrative Tools**, and then click **Group Policy Management**. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. Under **WMI Filtering**, select the correct WMI filter from the list. + +4. Click **Yes** to accept the filter. + +  + +  + + + + + diff --git a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md new file mode 100644 index 0000000000..7f5556412d --- /dev/null +++ b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -0,0 +1,60 @@ +--- +title: Designing a Windows Firewall with Advanced Security Strategy (Windows 10) +description: Designing a Windows Firewall with Advanced Security Strategy +ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 +author: brianlic-msft +--- + +# Designing a Windows Firewall with Advanced Security Strategy + + +To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the computers on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the computers. + +- [Gathering the Information You Need](../p_server_archive/gathering-the-information-you-need.md) + +- [Determining the Trusted State of Your Computers](../p_server_archive/determining-the-trusted-state-of-your-computers.md) + +The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design. + +- What traffic must always be allowed? What are characteristics of the network traffic generated and consumed by the business programs? + +- What traffic must always be blocked? Does your organization have policies that prohibit the use of specific programs? If so, what are the characteristics of the network traffic generated and consumed by the prohibited programs? + +- What traffic on the network cannot be protected by IPsec because the computers or devices sending or receiving the traffic do not support IPsec? + +- For each type of network traffic, does the default configuration of the firewall (block all unsolicited inbound network traffic, allow all outbound traffic) allow or block the traffic as required? + +- Do you have an Active Directory domain (or forest of trusted domains) to which all your computers are joined? If you do not, then you cannot use Group Policy for easy mass deployment of your firewall and connection security rules. You also cannot easily take advantage of Kerberos V5 authentication that all domain clients can use. + +- Which computers must be able to accept unsolicited inbound connections from computers that are not part of the domain? + +- Which computers contain data that must be encrypted when exchanged with another computer? + +- Which computers contain sensitive data to which access must be restricted to specifically authorized users and computers? + +- Does your organization have specific network troubleshooting devices or computers (such as protocol analyzers) that must be granted unlimited access to the computers on the network, essentially bypassing the firewall? + +## If you already have firewall or IPsec rules deployed + + +Windows Firewall with Advanced Security in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 has many new capabilities that are not available in earlier versions of Windows. + +If you already have a domain and/or server isolation deployment in your organization then you can continue to use your existing GPOs and apply them to computers running Windows 8 and Windows Server 2012. + +**Note**   +Computers running Windows XP and Windows Server 2003 will not be able to participate in this domain and/or server isolation deployment plan. + +  + +This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems, starting with Windows Vista and Windows Server 2008. Windows XP and Windows Server 2003 are not discussed in this guide. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide. + +**Next: **[Gathering the Information You Need](../p_server_archive/gathering-the-information-you-need.md) + +  + +  + + + + + diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-computers.md b/windows/keep-secure/determining-the-trusted-state-of-your-computers.md new file mode 100644 index 0000000000..c1812d4311 --- /dev/null +++ b/windows/keep-secure/determining-the-trusted-state-of-your-computers.md @@ -0,0 +1,184 @@ +--- +title: Determining the Trusted State of Your Computers (Windows 10) +description: Determining the Trusted State of Your Computers +ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2 +author: brianlic-msft +--- + +# Determining the Trusted State of Your Computers + + +After obtaining information about the computers that are currently part of the IT infrastructure, you must determine at what point a computer is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. + +**Note**   +In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your computers just indicates the level of risk that you believe the computer brings to the network. Trusted computers bring little risk whereas untrusted computers can potentially bring great risk. + +  + +## Trust states + + +To understand this concept, consider the four basic states that apply to computers in a typical IT infrastructure. These states are (in order of risk, lowest risk first): + +- Trusted + +- Trustworthy + +- Known, untrusted + +- Unknown, untrusted + +The remainder of this section defines these states and how to determine which computers in your organization belong in each state. + +### Trusted state + +Classifying a computer as trusted means that the computer's security risks are managed, but it does not imply that it is perfectly secure or invulnerable. The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the computer. A trusted computer that is poorly managed will likely become a point of weakness for the network. + +When a computer is considered trusted, other trusted computers can reasonably assume that the computer will not initiate a malicious act. For example, trusted computers can expect that other trusted computers will not run a virus that attacks them, because all trusted computers are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses. + +Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a computer to obtain trusted status. + +A possible list of technology requirements might include the following: + +- **Operating system.** A trusted client computer should run Windows 8, Windows 7, or Windows Vista. A trusted server should run Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. + +- **Domain membership.** A trusted computer will belong to a managed Active Directory domain, which means that the IT department has security management rights and can configure member computers by using Group Policy. + +- **Management client.** All trusted computers must run a specific network management client to allow for centralized management and control of security policies, configurations, and software. Microsoft System Center Configuration Manager is one such management system with an appropriate client. For more information, see [System Center Configuration Manager](http://technet.microsoft.com/systemcenter/bb507744.aspx) at http://technet.microsoft.com/systemcenter/bb507744.aspx. + +- **Antivirus software.** All trusted computers will run antivirus software that is configured to check for and automatically update the latest virus signature files daily. Microsoft ForeFront Endpoint Protection is one such antivirus software program. For more information, see [ForeFront Endpoint Protection](http://technet.microsoft.com/forefront/ee822838.aspx) at http://technet.microsoft.com/forefront/ee822838.aspx. + +- **File system.** All trusted computers will be configured to use the NTFS file system. + +- **BIOS settings.** All trusted portable computers will be configured to use a BIOS-level password that is under the management of the IT support team. + +- **Password requirements.** Trusted clients must use strong passwords. + +It is important to understand that the trusted state is not constant; it is a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted computers to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they are required to help maintain the trusted status. + +A computer that continues to meet all these security requirements can be considered trusted. However it is possible that most computers that were identified in the discovery process discussed earlier do not meet these requirements. Therefore, you must identify which computers can be trusted and which ones cannot. To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications. + +### Trustworthy state + +It is useful to identify as soon as possible those computers in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current computer can physically achieve the trusted state with required software and configuration changes. + +For each computer that is assigned a trustworthy status, make an accompanying configuration note that states what is required to enable the computer to achieve trusted status. This information is especially important to both the project design team (to estimate the costs of adding the computer to the solution) and the support staff (to enable them to apply the required configuration). + +Generally, trustworthy computers fall into one of the following two groups: + +- **Configuration required.** The current hardware, operating system, and software enable the computer to achieve a trustworthy state. However, additional configuration changes are required. For example, if the organization requires a secure file system before a computer can be considered trusted, a computer that uses a FAT32-formatted hard disk does not meet this requirement. + +- **Upgrade required.** These computers require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these computers might require: + + - **Operating system upgrade required.** If the computer's current operating system cannot support the security needs of the organization, an upgrade would be required before the computer could achieve a trusted state. + + - **Software required.** A computer that is missing a required security application, such as an antivirus scanner or a management client, cannot be considered trusted until these applications are installed and active. + + - **Hardware upgrade required.** In some cases, a computer might require a specific hardware upgrade before it can achieve trusted status. This type of computer usually needs an operating system upgrade or additional software that forces the required hardware upgrade. For example, security software might require additional hard disk space on the computer. + + - **Computer replacement required.** This category is reserved for computers that cannot support the security requirements of the solution because their hardware cannot support the minimum acceptable configuration. For example, a computer that cannot run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based computer). + +Use these groups to assign costs for implementing the solution on the computers that require upgrades. + +### Known, untrusted state + +During the process of categorizing an organization's computers, you will identify some computers that cannot achieve trusted status for specific well-understood and well-defined reasons. These reasons might include the following types: + +- **Financial.** The funding is not available to upgrade the hardware or software for this computer. + +- **Political.** The computer must remain in an untrusted state because of a political or business situation that does not enable it to comply with the stated minimum security requirements of the organization. It is highly recommended that you contact the business owner or independent software vendor (ISV) for the computer to discuss the added value of server and domain isolation. + +- **Functional.** The computer must run a nonsecure operating system or must operate in a nonsecure manner to perform its role. For example, the computer might be required to run an older operating system because a specific line of business application will only work on that operating system. + +There can be multiple functional reasons for a computer to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state: + +- **Computers that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Computers that run these versions of the Windows operating system cannot be classified as trustworthy because these operating systems do not support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it does not support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of computer configurations (although limited central management of user configurations is supported). + +- **Stand-alone computers.** Computers running any version of Windows that are configured as stand-alone computers or as members of a workgroup usually cannot achieve a trustworthy state. Although these computers fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the computer is not a part of a trusted domain. + +- **Computers in an untrusted domain.** A computer that is a member of a domain that is not trusted by an organization's IT department cannot be classified as trusted. An untrusted domain is a domain that cannot provide the required security capabilities to its members. Although the operating systems of computers that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities cannot be fully guaranteed when computers are not in a trusted domain. + +### Unknown, untrusted state + +The unknown, untrusted state should be considered the default state for all computers. Because computers in this state have a configuration that is unknown, you can assign no trust to them. All planning for computers in this state must assume that the computer is an unacceptable risk to the organization. Designers of the solution should strive to minimize the impact that the computers in this state can have on their organizations. + +## Capturing upgrade costs for current computers + + +The final step in this part of the process is to record the approximate cost of upgrading the computers to a point that they can participate in the server and domain isolation design. You must make several key decisions during the design phase of the project that require answers to the following questions: + +- Does the computer meet the minimum hardware requirements necessary for isolation? + +- Does the computer meet the minimum software requirements necessary for isolation? + +- What configuration changes must be made to integrate this computer into the isolation solution? + +- What is the projected cost or impact of making the proposed changes to enable the computer to achieve a trusted state? + +By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular computer or group of computers into the scope of the project. It is important to remember that the state of a computer is transitive, and that by performing the listed remedial actions you can change the state of a computer from untrusted to trusted. After you decide whether to place a computer in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) discusses. + +The following table is an example of a data sheet that you could use to help capture the current state of a computer and what would be required for the computer to achieve a trusted state. + + ++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Computer nameHardware reqs metSoftware reqs metConfiguration requiredDetailsProjected cost

CLIENT001

No

No

Upgrade hardware and software.

Current operating system is Windows XP. Old hardware is not compatible with Windows 8.

$??

SERVER001

Yes

No

Join trusted domain and upgrade from Windows Server 2003 to Windows Server 2012.

No antivirus software present.

$??

+ +  + +In the previous table, the computer CLIENT001 is currently "known, untrusted" because its hardware must be upgraded. However, it could be considered trustworthy if the required upgrades are possible. However, if many computers require the same upgrades, the overall cost of the solution would be much higher. + +The computer SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs. + +With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) section. + +The costs identified in this section only capture the projected cost of the computer upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. + +For more information about how to configure firewalls to support IPsec, see "Configuring Firewalls" at . + +For more information about WMI, see "Windows Management Instrumentation" at . + +**Next: **[Planning Your Windows Firewall with Advanced Security Design](../p_server_archive/planning-your-windows-firewall-with-advanced-security-design.md) + +  + +  + + + + + diff --git a/windows/keep-secure/documenting-the-zones.md b/windows/keep-secure/documenting-the-zones.md new file mode 100644 index 0000000000..30d08b26eb --- /dev/null +++ b/windows/keep-secure/documenting-the-zones.md @@ -0,0 +1,85 @@ +--- +title: Documenting the Zones (Windows 10) +description: Documenting the Zones +ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d +author: brianlic-msft +--- + +# Documenting the Zones + + +Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: + + +++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Host nameHardware reqs metSoftware reqs metConfiguration requiredDetailsProjected costGroup

CLIENT001

No

No

Upgrade hardware and software.

Current operating system is Windows XP. Old hardware not compatible with Windows 8.

$??

Isolated domain

SERVER002

Yes

No

Join trusted domain, upgrade from Windows Server 2008 to Windows Server 2012

No antivirus software present.

$??

Encryption

SENSITIVE001

Yes

Yes

Not required.

Running Windows Server 2012. Ready for inclusion.

$0

Isolated server (in zone by itself)

PRINTSVR1

Yes

Yes

Not required.

Running Windows Server 2008 R2. Ready for inclusion.

$0

Boundary

+ +  + +**Next: **[Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) + +  + +  + + + + + diff --git a/windows/keep-secure/domain-isolation-policy-design-example.md b/windows/keep-secure/domain-isolation-policy-design-example.md new file mode 100644 index 0000000000..9d43df0cc7 --- /dev/null +++ b/windows/keep-secure/domain-isolation-policy-design-example.md @@ -0,0 +1,65 @@ +--- +title: Domain Isolation Policy Design Example (Windows 10) +description: Domain Isolation Policy Design Example +ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5 +author: brianlic-msft +--- + +# Domain Isolation Policy Design Example + + +This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. + +## Design Requirements + + +In addition to the basic protection provided by the firewall rules in the previous design example, the administrators of the network want to implement domain isolation to provide another layer of security to their networked computers. They want to create firewall and connection security rules that use authentication to reduce the risk of communicating with untrusted and potentially hostile computers. + +The following illustration shows the traffic protection needed for this design example. + +![domain isolation policy design](images/wfas-design2example1.gif) + +1. All computers on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's computers reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. + +2. The servers hosting the WGPartner programs must be able to receive unsolicited inbound traffic from computers owned by its partners, which are not members of Woodgrove Bank's domain. + +3. Client computers can initiate non-authenticated outbound communications with computers that are not members of the domain, such as browsing external Web sites. Unsolicited inbound traffic from non-domain members is blocked. + +4. Computers in the encryption zone require that all network traffic inbound and outbound must be encrypted, in addition to the authentication already required by the isolated domain. + +**Other traffic notes:** + +- All of the design requirements described in the [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md) section are still enforced. + +## Design Details + + +Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the computers on its network. + +Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. As in the firewall policy design, a combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. + +The following groups were created by using the Active Directory Users and Computers MMC snap-in, all computers that run Windows were added to the correct groups, and then the appropriate GPO are applied to the group. To include a computer in the isolated domain or any one of its subordinate zones, simply add the computer's account in the appropriate group. + +- **CG\_DOMISO\_ISOLATEDDOMAIN**. The members of this group participate in the isolated domain. After an initial pilot period, followed by a slowly increasing group membership, the membership of this group was eventually replaced with the entry **Domain Computers** to ensure that all computers in the domain participate by default. The WMI filters ensure that the GPO does not apply to domain controllers. GPOs with connection security rules to enforce domain isolation behavior are linked to the domain container and applied to the computers in this group. Filters ensure that each computer receives the correct GPO for its operating system type. The rules in the domain isolation GPO require Kerberos v5 authentication for inbound network connections, and request (but not require) it for all outbound connections. + +- **CG\_DOMISO\_NO\_IPSEC**. This group is denied read or apply permissions on any of the domain isolation GPOs. Any computer that cannot participate in domain isolation, such as a DHCP server running UNIX, is added to this group. + +- **CG\_DOMISO\_BOUNDARY**. This group contains the computer accounts for all the computers that are part of the boundary group able to receive unsolicited inbound traffic from untrusted computers. Members of the group receive a GPO that configures connection security rules to request (but not require) both inbound and outbound authentication. + +- **CG\_DOMISO\_ENCRYPTION**. This group contains the computer accounts for all the computers that require all inbound and outbound traffic to be both authenticated and encrypted. Members of the group receive a GPO that configures connection security and firewall rules to require both authentication and encryption on all inbound and outbound traffic. + +**Note**   +If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, computers that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any computers that are incorrectly assigned to more than one group. + +  + +**Next: **[Server Isolation Policy Design Example](../p_server_archive/server-isolation-policy-design-example.md) + +  + +  + + + + + diff --git a/windows/keep-secure/domain-isolation-policy-design.md b/windows/keep-secure/domain-isolation-policy-design.md new file mode 100644 index 0000000000..7156c376c5 --- /dev/null +++ b/windows/keep-secure/domain-isolation-policy-design.md @@ -0,0 +1,69 @@ +--- +title: Domain Isolation Policy Design (Windows 10) +description: Domain Isolation Policy Design +ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66 +author: brianlic-msft +--- + +# Domain Isolation Policy Design + + +In the domain isolation policy design, you configure the computers on your network to accept only connections coming from computers that are authenticated as members of the same isolated domain. + +This design typically begins with a network configured as described in the [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure computers in the isolated domain to accept only network traffic from other computers that can authenticate as a member of the isolated domain. After implementing the new rules, your computers reject unsolicited network traffic from computers that are not members of the isolated domain. + +The isolated domain might not be a single Active Directory domain. It can consist of all the domains in a forest, or domains in separate forests that have two-way trust relationships configured between them. + +By using connection security rules based on IPsec, you provide a logical barrier between computers even if they are connected to the same physical network segment. + +The design is shown in the following illustration, with the arrows that show the permitted communication paths. + +![isolated domain boundary zone](images/wfasdomainisoboundary.gif) + +Characteristics of this design, as shown in the diagram, include the following: + +- Isolated domain (area A) - Computers in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from computers referenced in authentication exemption rules. Computers in the isolated domain can send traffic to any computer. This includes unauthenticated traffic to computers that are not in the isolated domain. Computers that cannot join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more information, see the [Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md). + +- Boundary zone (area B) - Computers in the boundary zone are part of the isolated domain but are allowed to accept inbound connections from untrusted computers, such as clients on the Internet. + + Computers in the boundary zone request but do not require authentication to communicate. When a member of the isolated domain communicates with a boundary zone member the traffic is authenticated. When a computer that is not part of the isolated domain communicates with a boundary zone member the traffic is not authenticated. + + Because boundary zone computers are exposed to network traffic from untrusted and potentially hostile computers, they must be carefully managed and secured. Put only the computers that must be accessed by external computers in this zone. Use firewall rules to ensure that network traffic is accepted only for services that you want exposed to non-domain member computers. + +- Trusted non-domain members (area C) - Computers on the network that are not domain members or that cannot use IPsec authentication are allowed to communicate by configuring authentication exemption rules. These rules enable computers in the isolated domain to accept inbound connections from these trusted non-domain member computers. + +- Untrusted non-domain members (area D) - Computers that are not managed by your organization and have an unknown security configuration must have access only to those computers required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted computers and your organization's computers. + +After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the computers that are running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista in your organization. + +**Important**   +This design builds on the [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. + +  + +This design can be applied to computers that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. + +In order to expand the isolated domain to include computers that cannot be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md). + +For more information about this design: + +- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md). + +- To learn more about this design, see the [Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md). + +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md). + +- To help you make the decisions required in this design, see [Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md). + +- For a list of tasks that you can use to deploy your domain isolation policy design, see "Checklist: Implementing a Domain Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=xxxxx) at http://go.microsoft.com/fwlink/?linkid=xxxxx. + +**Next:** [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md) + +  + +  + + + + + diff --git a/windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md new file mode 100644 index 0000000000..430a558adb --- /dev/null +++ b/windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -0,0 +1,47 @@ +--- +title: Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10) +description: Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7 +author: brianlic-msft +--- + +# Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 + + +Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To deploy predefined firewall rules that allow inbound network traffic for common network functions** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. + +5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they are all selected. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**. + +6. On the **Action** page, select **Allow the connection**, and then click **Finish**. + + The selected rules are added to the GPO and applied to the computers to which the GPO is assigned the next time Group Policy is refreshed. + + **Note**   + If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + +   + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md new file mode 100644 index 0000000000..c82d0ba984 --- /dev/null +++ b/windows/keep-secure/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -0,0 +1,47 @@ +--- +title: Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10) +description: Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be +author: brianlic-msft +--- + +# Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 + + +By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To deploy predefined firewall rules that block outbound network traffic for common network functions** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Outbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. + +5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. They are all selected by default. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**. + +6. On the **Action** page, select **Block the connection**, and then click **Finish**. + + The selected rules are added to the GPO. + + **Note**   + If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + +   + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/encryption-zone-gpos.md b/windows/keep-secure/encryption-zone-gpos.md new file mode 100644 index 0000000000..d8eddfb597 --- /dev/null +++ b/windows/keep-secure/encryption-zone-gpos.md @@ -0,0 +1,24 @@ +--- +title: Encryption Zone GPOs (Windows 10) +description: Encryption Zone GPOs +ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b +author: brianlic-msft +--- + +# Encryption Zone GPOs + + +Handle encryption zones in a similar manner to the boundary zones. A computer is added to an encryption zone by adding the computer account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the computers that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. + +The GPO is only for server versions of Windows. Client computers are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. + +- [GPO\_DOMISO\_Encryption\_WS2008](../p_server_archive/gpo-domiso-encryption-ws2008.md) + +  + +  + + + + + diff --git a/windows/keep-secure/encryption-zone.md b/windows/keep-secure/encryption-zone.md new file mode 100644 index 0000000000..324c6f3514 --- /dev/null +++ b/windows/keep-secure/encryption-zone.md @@ -0,0 +1,67 @@ +--- +title: Encryption Zone (Windows 10) +description: Encryption Zone +ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13 +author: brianlic-msft +--- + +# Encryption Zone + + +Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between computers. + +To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the computers and that requires that the sensitive inbound and outbound network traffic be encrypted. + +You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. + +Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) section. + +## GPO settings for encryption zone servers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 + + +The GPO for computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008 should include the following: + +- IPsec default settings that specify the following options: + + 1. Exempt all ICMP traffic from IPsec. + + 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. + + 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + + If any NAT devices are present on your networks, use ESP encapsulation.. + + 4. Authentication methods. Include at least computer-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method. + +- The following connection security rules: + + - A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + + - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication using the default authentication specified earlier in this policy. + + **Important**   + Be sure to begin operations by using request in and request out behavior until you are sure that all the computers in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. + +   + +- A registry policy that includes the following values: + + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + + **Note**   + For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). + +   + +- If domain member computers must communicate with computers in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs. + +**Next: **[Planning Server Isolation Zones](../p_server_archive/planning-server-isolation-zones.md) + +  + +  + + + + + diff --git a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md new file mode 100644 index 0000000000..030fbafc71 --- /dev/null +++ b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -0,0 +1,28 @@ +--- +title: Evaluating Windows Firewall with Advanced Security Design Examples (Windows 10) +description: Evaluating Windows Firewall with Advanced Security Design Examples +ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd +author: brianlic-msft +--- + +# Evaluating Windows Firewall with Advanced Security Design Examples + + +The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the computers connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. + +- [Firewall Policy Design Example](91fc4c4c-dca9-422e-be05-42a5e14f5e4a) + +- [Domain Isolation Policy Design Example](d918816a-52be-4266-9027-7bc3c36f4916) + +- [Server Isolation Policy Design Example](c275b916-56cf-4863-9900-e50193cd77ed) + +- [Certificate-based Isolation Policy Design Example](85a83c33-358b-4b73-9b08-ef7589d01f91) + +  + +  + + + + + diff --git a/windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md new file mode 100644 index 0000000000..cfc0b71639 --- /dev/null +++ b/windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -0,0 +1,39 @@ +--- +title: Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) +description: Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548 +author: brianlic-msft +--- + +# Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 + + +This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. + +**Important**   +Because of its usefulness in troubleshooting network connectivity problems, we recommend that you exempt all ICMP network traffic from authentication requirements unless your network risk analysis indicates a need to protect this traffic. + +  + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +**To exempt ICMP network traffic from authentication** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. + +3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/exemption-list.md b/windows/keep-secure/exemption-list.md new file mode 100644 index 0000000000..a74d5b6f83 --- /dev/null +++ b/windows/keep-secure/exemption-list.md @@ -0,0 +1,54 @@ +--- +title: Exemption List (Windows 10) +description: Exemption List +ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8 +author: brianlic-msft +--- + +# Exemption List + + +When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all computers on the internal network, yet secured from network attacks. However, if they must remain available to all computers on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. + +In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted computers cannot use IPsec to access, which would be added to the exemption list. + +Generally, the following conditions are reasons to consider adding a computer to the exemption list: + +- If the computer must be accessed by trusted computers but it does not have a compatible IPsec implementation. + +- If the computer must provide services to both trusted and untrusted computers, but does not meet the criteria for membership in the boundary zone. + +- If the computer must be accessed by trusted computers from different isolated domains that do not have an Active Directory trust relationship established with each other. + +- If the computer is a domain controller running version of Windows earlier than Windows Server 2008, or if any of its clients are running a version of Windows earlier than Windows Vista. + +- If the computer must support trusted and untrusted computers, but cannot use IPsec to help secure communications to trusted computers. + +For large organizations, the list of exemptions might grow very large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all computers in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every computer that receives the GPO, including the following: + +- Reduces the overall effectiveness of isolation. + +- Creates a larger management burden (because of frequent updates). + +- Increases the size of the IPsec policy, which means that it consumes more memory and CPU resources, slows down network throughput, and increases the time required to download and apply the GPO containing the IPsec policy. + +To keep the number of exemptions as small as possible, you have several options: + +- Carefully consider the communications requirements of each isolation zone, especially server-only zones. They might not be required to communicate with every exemption in the domain-level policy for clients. + +- Consolidate server functions. If several exempt services can be hosted at one IP address, the number of exemptions is reduced. + +- Consolidate exempted hosts on the same subnet. Where network traffic volume allows, you might be able to locate the servers on a subnet that is exempted, instead of using exemptions for each IP address. + +As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](../p_server_archive/boundary-zone.md) section. + +**Next: **[Isolated Domain](../p_server_archive/isolated-domain.md) + +  + +  + + + + + diff --git a/windows/keep-secure/firewall-gpos.md b/windows/keep-secure/firewall-gpos.md new file mode 100644 index 0000000000..e370430566 --- /dev/null +++ b/windows/keep-secure/firewall-gpos.md @@ -0,0 +1,24 @@ +--- +title: Firewall GPOs (Windows 10) +description: Firewall GPOs +ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033 +author: brianlic-msft +--- + +# Firewall GPOs + + +All the computers on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. + +The GPO created for the example Woodgrove Bank scenario include the following: + +- [GPO\_DOMISO\_Firewall](../p_server_archive/gpo-domiso-firewall.md) + +  + +  + + + + + diff --git a/windows/keep-secure/firewall-policy-design-example.md b/windows/keep-secure/firewall-policy-design-example.md new file mode 100644 index 0000000000..5caed1a7d4 --- /dev/null +++ b/windows/keep-secure/firewall-policy-design-example.md @@ -0,0 +1,108 @@ +--- +title: Firewall Policy Design Example (Windows 10) +description: Firewall Policy Design Example +ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7 +author: brianlic-msft +--- + +# Firewall Policy Design Example + + +In this example, the fictitious company Woodgrove Bank is a financial services institution. + +Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows-based computers. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate computers host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of computers that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing. + +Woodgrove Bank is in the process of migrating their computers from Windows Vista and Windows Server 2008 to Windows 8 and Windows Server 2012. A significant number of the computers at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. + +A key line-of-business program called WGBank consists of a client program running on most of the desktop computers in the organization. This program accesses several front-end server computers that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. The data is stored in several back-end database computers that are running Microsoft SQL Server. + +## Design requirements + + +The network administrators want to implement Windows Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted. + +The following illustration shows the traffic protection needs for this design example. + +![design example 1](images/wfas-designexample1.gif) + +1. The network infrastructure servers that are running services, such as Active Directory, DNS, DHCP, or WINS, can receive unsolicited inbound requests from network clients. The network clients can receive the responses from the infrastructure servers. + +2. The WGBank front-end servers can receive unsolicited inbound traffic from the client computers and the WGBank partner servers. The WGBank client computers and partner servers can receive the response. + +3. The WGBank front-end servers can send updated information to the client computers to support real-time display. The clients do not poll for this unsolicited traffic, but must be able to receive it. + +4. The WGBank back-end servers can receive SQL query requests from the WGBank front-end servers. The WGBank front-end servers can receive the corresponding responses. + +5. There is no direct communications between the client computers and the WGBank back-end computers. + +6. There is no unsolicited traffic from the WGBank back-end computers to the WGBank front-end servers. + +7. Company policy prohibits the use of peer-to-peer file transfer software. A recent review by the IT staff found that although the perimeter firewall does prevent most of the programs in this category from working, two programs are being used by staff members that do not require an outside server. Firewall rules must block the network traffic created by these programs. + +8. The WGBank partner servers can receive inbound requests from partner computers through the Internet. + +Other traffic notes: + +- Computers are not to receive any unsolicited traffic from any computer other than specifically allowed above. + +- Other outbound network traffic from the client computers not specifically identified in this example is permitted. + +## Design details + + +Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy the firewall settings and rules to the computers on their network. They know that they must deploy policies to the following collections of computers: + +- Client computers that run Windows 8, Windows 7, or Windows Vista + +- WGBank front-end servers that run Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) + +- WGBank partner servers that run Windows Server 2008 + +- WGBank back-end SQL Server computers that run Windows Server 2008 (there are none in place yet, but their solution must support adding them) + +- Infrastructure servers that run Windows Server 2008 + +- Active Directory domain controllers that run Windows Server 2008 R2 or Windows Server 2012 + +- DHCP servers that run the UNIX operating system + +After evaluating these sets of computers, and comparing them to the Active Directory organizational unit (OU) structure, Woodgrove Bank network administrators determined that there was not a good one-to-one match between the OUs and the sets. Therefore the firewall GPOs will not be linked directly to OUs that hold the relevant computers. Instead, the GPOs are linked to the domain container in Active Directory, and then WMI and group filters are attached to the GPO to ensure that it is applied to the correct computers. + +Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. A combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. + +The following groups were created by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and all computers that run Windows were added to the correct groups: + +- **CG\_FIREWALL\_ALLCOMPUTERS**. Add the predefined and system managed **Domain computers** group as a member of this group. All members of the FIREWALL\_ALLCOMPUTERS group receive an operating system-specific GPO with the common firewall rules applied to all computers. + + The two computer types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for computers that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only computers that are running server versions of Windows can apply that GPO. Each of the GPOs also have security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs. + + - Client computers receive a GPO that configures Windows Firewall with Advanced Security to enforce the default Windows Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. + + - Server computers receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update are not included, because it is not needed on server computers. + + All rules are scoped to allow network traffic only from computers on Woodgrove Bank's corporate network. + +- **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group do not receive the default firewall GPO. Computers are added to this group if there is a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it is a member of this group. + +- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server computers. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited WGBank client traffic. Computers in this group also receive the default firewall GPO. + +- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end computers that run SQL Server. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Computers in this group also receive the default firewall GPO. + +- **CG\_FIREWALL\_BOUNDARY\_WGBANKFE**. This group contains the computer accounts for the servers that host Web services that can be accessed from the Internet. Members of this group receive a GPO that adds an inbound firewall rule to allow inbound HTTP and HTTPS network traffic from any address, including the Internet. Computers in this group also receive the default firewall GPO. + +- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server computers. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Computers in this group also receive the default firewall GPO. + +- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server computers. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Computers in this group also receive the default firewall GPO. + +In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most computers on the network, you might consider adding computers performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there. + +**Next: **[Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md) + +  + +  + + + + + diff --git a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md new file mode 100644 index 0000000000..7aacef01e4 --- /dev/null +++ b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md @@ -0,0 +1,34 @@ +--- +title: Gathering Information about Your Active Directory Deployment (Windows 10) +description: Gathering Information about Your Active Directory Deployment +ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0 +author: brianlic-msft +--- + +# Gathering Information about Your Active Directory Deployment + + +Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where computers are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed: + +- **Names and number of forests**. The forest (not the domain) is the security boundary in an Active Directory implementation. You must understand the current Active Directory architecture to determine the most effective strategy for deploying your firewall and connection security rules using Group Policy. It also enables you to understand which computers can be isolated and how best to accomplish the required degree of isolation. + +- **Names and number of domains**. Authentication in server and domain isolation uses the IKE negotiation process with the Kerberos V5 protocol. This protocol assumes that computers are domain members. + +- **Number and types of trusts**. Trusts affect the logical boundaries of domain isolation and define whether IKE negotiation can occur between computers in different Active Directory domains. + +- **Names and number of sites**. Site architecture is usually aligned with the network topology. Understanding how sites are defined in Active Directory will help provide insight into replication and other details. Site architecture can provide a better understanding of the current Active Directory deployment. + +- **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You do not have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct computers. + +- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Firewall with Advanced Security connection security rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to computers running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable computers using either the old or new IPsec policies to communicate with each other. + +**Next: **[Gathering Information about Your Computers](../p_server_archive/gathering-information-about-your-computers.md) + +  + +  + + + + + diff --git a/windows/keep-secure/gathering-information-about-your-computers.md b/windows/keep-secure/gathering-information-about-your-computers.md new file mode 100644 index 0000000000..16e161b101 --- /dev/null +++ b/windows/keep-secure/gathering-information-about-your-computers.md @@ -0,0 +1,58 @@ +--- +title: Gathering Information about Your Computers (Windows 10) +description: Gathering Information about Your Computers +ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb +author: brianlic-msft +--- + +# Gathering Information about Your Computers + + +One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server computers on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. + +Capture the following information from each computer: + +- **Computer name**. This name is the computer's NetBIOS or DNS name that identifies the computer on the network. Because a computer can have more than one media access control (MAC) or IP address, the computer's name is one of the criteria that can be used to determine uniqueness on the network. Because computer names can be duplicated under some circumstances, the uniqueness should not be considered absolute. + +- **IP address for each network adapter**. The IP address is the address that is used with the subnet mask to identify a host on the network. An IP address is not an effective way to identify an asset because it is often subject to change. + +- **Operating system, service pack, and hotfix versions**. The operating system version is a key factor in determining the ability of a host to communicate by using IPsec. It is also important to track the current state of service packs and updates that might be installed, because these are often used to determine that minimum security standards have been met. + +- **Domain membership**. This information is used to determine whether a computer can obtain IPsec policy from Active Directory or whether it must use a local IPsec policy. + +- **Physical location**. This information is just the location of the device in your organization. It can be used to determine whether a device can participate in a specific isolation group based on its location or the location of the devices that it communicates with regularly. + +- **Hardware type or role**. Some tools that perform host discovery can provide this information by querying the hardware information and running applications to determine its type, such as server, workstation, or portable computer. You can use this information to determine the appropriate IPsec policy to assign, whether a specific computer can participate in isolation, and in which isolation group to include the computer. + +After collecting all this information and consolidating it into a database, perform regular discovery efforts periodically to keep the information current. You need the most complete and up-to-date picture of the managed hosts on their networks to create a design that matches your organization's requirements. + +You can use various methods to gather data from the hosts on the network. These methods range from high-end, fully automated systems to completely manual data collection. Generally, the use of automated methods to gather data is preferred over manual methods for reasons of speed and accuracy. + +## Automated Discovery + + +Using an automated auditing network management system such as Microsoft System Center Configuration Manager (formerly known as Systems Management Server) provides valuable information about the current state of the IT infrastructure. + +For more information about how System Center Configuration Manager 2007 can help perform automated information gathering, see . + +## Manual Discovery + + +The biggest difference between manual discovery methods and automated methods is time. + +You can use the Windows Script Host (WSH), VBScript, and Windows Management Instrumentation (WMI) to create a script file that can collect the system configuration information. VBScript and WMI are built-in to Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. Starting with Windows Server 2008, Windows PowerShell is included with the operating system. For more information, see “Scripting with Windows PowerShell” (). + +Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all additional changes must be recorded and the updates noted in the inventory. + +This inventory will be critical for planning and implementing your Windows Firewall with Advanced Security design. + +**Next: **[Gathering Other Relevant Information](../p_server_archive/gathering-other-relevant-information.md) + +  + +  + + + + + diff --git a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md new file mode 100644 index 0000000000..1668112a6d --- /dev/null +++ b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md @@ -0,0 +1,128 @@ +--- +title: Gathering Information about Your Current Network Infrastructure (Windows 10) +description: Gathering Information about Your Current Network Infrastructure +ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9 +author: brianlic-msft +--- + +# Gathering Information about Your Current Network Infrastructure + + +Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: + +- **Network segmentation**. This includes IP addressing maps, showing how your routers separate each network segment. It includes information about how the routers are configured, and what security filters they impose on network traffic flowing through them. + +- Network address translation (NAT). NAT is a means of separating network segments by using a device that maps all of the IP addresses on one side of the device to a single IP address accessible on the other side. + +- Network infrastructure devices. This includes the routers, switches, hubs, and other network equipment that makes communications between the computers on the network possible. + +- **Current network traffic model.** This includes the quantity and the characteristics of the network traffic flowing through your network. + +- Intrusion Detection System (IDS) devices. You will need to identify if you have any IDS devices on your network that might be negatively impacted by any encryption introduced in an Encryption Zone. + +The goal is to have enough information to be able to identify an asset by its network location, in addition to its physical location. + +Do not use a complex and poorly documented network as a starting point for the design, because it can leave too many unidentified areas that are likely to cause problems during implementation. + +This guidance helps obtain the most relevant information for planning Windows Firewall with Advanced Security implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation. + +## Network segmentation + + +If your organization does not have its current network architecture documented and available for reference, such documentation should be obtained as soon as possible before you continue with the design and deployment. If the documented information is not current or has not been validated recently, you have two options: + +- Accept that the lack of accurate information can cause risk to the project. + +- Undertake a discovery project, either through manual processes or with network analysis tools that can provide the information you need to document the current network topology. + +Although the required information can be presented in many different ways, a series of schematic diagrams is often the most effective method of illustrating and understanding the current network configuration. When creating network diagrams, do not include too much information. If necessary, use multiple diagrams that show different layers of detail. Use a top-level diagram that illustrates the major sites that make up your organization's network, and then break out each site into a more detailed diagram that captures a deeper level of detail. Continue until you reach the individual IP subnet level, and so have the means to identify the network location of every computer in your organization. + +During this process, you might discover some network applications and services that are not compatible with IPsec. For example, IPsec breaks network-based prioritization and port/protocol-based traffic management. If traffic management or prioritization must be based on ports or protocol, the host itself must be able to perform any traffic management or prioritization. + +Other examples of incompatibility include: + +- Cisco NetFlow on routers cannot analyze packets between IPsec members based on protocol or port. + +- Router-based Quality of Service (QoS) cannot use ports or protocols to prioritize traffic. However, using firewall rules that specify IP addresses to prioritize traffic are not affected by this limitation of QoS. For example, a rule that says "From anyone to anyone using port 80 prioritize" does not work, but a rule that says "From anyone to 10.0.1.10 prioritize" works. + +- Weighted Fair Queuing and other flow-based router traffic priority methods might fail. + +- Devices that do not support or allow IP protocol 50, the port that is used by Encapsulating Security Payload (ESP). + +- Router access control lists (ACLs) cannot examine protocol and port fields in ESP-encrypted packets, and therefore the packets are dropped. ACLs based only on IP address are forwarded as usual. If the device cannot parse ESP, any ACLs that specify port or protocol rules will not be processed on the ESP packets. If the device has an ESP parser and uses encryption, ACLs that specify port or protocol rules will not be processed on the ESP packets. + +- Network monitoring tools might be unable to parse ESP packets that are not encrypted (ESP-Null). + + **Note**   + Network Monitor added an ESP parser starting in version 2.1 to aid troubleshooting of unencrypted IPsec packets. The latest version of Network Monitor is available as a free download from Microsoft (). + +   + +## Network address translation (NAT) + + +IPsec NAT traversal (NAT-T) enables IPsec peers that are behind NATs to detect the presence of NATs, negotiate IPsec security associations (SAs), and send ESP-protected data even though the addresses in the IPsec-protected IPv4 packets change. IPsec NAT-T does not support the use of AH across NAT devices. + +IPsec NAT-T is supported by Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, Windows Server 2008 R2, + +For detailed information about how IPsec NAT-T works, see "IPsec NAT Traversal Overview" in the August 2002 Cable Guy article at . + +## Network infrastructure devices + + +The devices that make up the network infrastructure (routers, switches, load balancers, and firewalls) must be able communicate using IPsec after the solution is implemented. For this reason, you have to examine the following characteristics of these network devices to ensure that they can handle the technical and physical requirements of the design: + +- **Make/model**. You can use this information to determine the features that the device supports. In addition, check the BIOS version or software running on the device to ensure that IPsec is supported. + +- **Amount of RAM**. This information is useful when you are analyzing capacity or the impact of IPsec on the device. + +- **Traffic analysis**. Information, such as peak usage and daily orweekly trends, is helpful to have. The information helps provide a baseline snapshot of the device and how it is used over time. If problems occur after IPsec is implemented, the information can help determine whether the root cause is related to greater usage of the device. + +- **Router ACLs that affect IPsec directly**. ACLs directly affect the ability of specific protocols to function. For example, blocking the Kerberos V5 protocol (UDP and TCP port 88) or IP protocol 50 or 51 prevents IPsec from working. Devices must also be configured to allow IKE traffic (UDP port 500) if using NAT-T (UDP port 4500). + +- **Networks/subnets connected to device interfaces**. This information provides the best picture of what the internal network looks like. Defining the boundary of subnets based on an address range is straightforward and helps identify whether other addresses are either unmanaged or foreign to the internal network (such as IP addresses on the Internet). + +- **VLAN segmentation**. Determining how VLANs are implemented on the network can help you understand traffic patterns and security requirements, and then help to determine how IPsec might augment or interfere with these requirements. + +- **The maximum transmission unit (MTU) size on device interface(s)**. The MTU defines the largest datagram that can be transmitted on a particular interface without being divided into smaller pieces for transmission (a process also known as *fragmentation*). In IPsec communications, the MTU is necessary to anticipate when fragmentation occurs. Packet fragmentation must be tracked for Internet Security Association and Key Management Protocol (ISAKMP) by the router. IPsec configures the MTU size on the session to the minimum-discovered MTU size along the communication path being used, and then set the Don't Fragment bit (DF bit) to 1. + + **Note**   + If Path MTU (PMTU) discovery is enabled and functioning correctly, you do not have to gather the MTU size on device interfaces. Although sources, such as the Windows Server 2003 Hardening Guide, recommend disabling PMTU discovery, it must be enabled for IPsec to function correctly. + +   + +- **Intrusion detection system (IDS) in use**. Your IDS must have an IPsec-compatible parser to detect ESP packets. If the IDS does not have such a parser, it cannot determine if data in those packets is encrypted. + +After you obtain this information, you can quickly determine whether you must upgrade the devices to support the requirements of the project, change the ACLs, or take other measures to ensure that the devices can handle the loads needed. + +## Current network traffic model + + +After gathering the addressing and network infrastructure information, the next step is to examine the communications flow. For example, if a department such as Human Resources (HR) spans several buildings, and you want to use server isolation with encryption to help protect information in that department, you must know how those buildings are connected to determine the level of "trust" to place in the connection. A highly secured building that is connected by an unprotected cable to another building that is not secured can be compromised by an eavesdropping or information replay attack. If such an attack is considered a threat, IPsec can help by providing strong mutual authentication and traffic encryption for trusted hosts. IPsec allows you to more securely communicate across untrusted links such as the Internet. + +When you examine traffic flow, look closely at how all managed and unmanaged devices interact. This includes non-Windows-based computers running Linux, UNIX, and Macintosh. Ask yourself such questions as: + +- Do specific communications occur at the port and protocol level, or are there many sessions between the same hosts across many protocols? + +- How do servers and clients communicate with each other? + +- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Firewall on your computers to "lock down" specific ports, such as UDP 500, IKE negotiations fail. + +Some of the more common applications and protocols are as follows: + +- **NetBIOS over TCP/IP (NetBT) and server message block (SMB)**. On a LAN, it is common to have ports 137, 138, and 139 enabled for NetBT and port 445 enabled for SMB. These ports provide NetBIOS name resolution services and other features. Unfortunately, they also allow the creation of *null sessions*. A null session is a session that is established on a host that does not use the security context of a known user or entity. Frequently, these sessions are anonymous. + +- **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means opening the RPC listener port and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 reduce this risk by introducing stateful inspection of RPC traffic. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account. + +- **Other traffic**. Windows Firewall with Advanced Security can help secure transmissions between computers by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. + +**Next: **[Gathering Information about Your Active Directory Deployment](../p_server_archive/gathering-information-about-your-active-directory-deployment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/gathering-other-relevant-information.md b/windows/keep-secure/gathering-other-relevant-information.md new file mode 100644 index 0000000000..d92519121f --- /dev/null +++ b/windows/keep-secure/gathering-other-relevant-information.md @@ -0,0 +1,91 @@ +--- +title: Gathering Other Relevant Information (Windows 10) +description: Gathering Other Relevant Information +ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17 +author: brianlic-msft +--- + +# Gathering Other Relevant Information + + +This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization. + +## Capacity considerations + + +Because IPsec uses mathematically intensive cryptographic techniques, it can consume significant overhead on a computer. Areas to watch: + +- **Encryption.** You might use 256-bit Advanced Encryption Standard (AES-256) and 384-bit Secure Hash Algorithm (SHA-384) to check integrity in situations that require the strongest available encryption and key exchange protection. If you have NICs that support IPsec Task Offload, you can reduce the effect that encryption has on network throughput. For more information, see [IPsec Task Offload](http://technet.microsoft.com/network/dd277647.aspx) at http://technet.microsoft.com/network/dd277647.aspx + +- **Security association (SA) negotiation.** You can use a shorter lifetime for the main mode SA, such as three hours, but then you might need to make tradeoffs. Because each main mode SA occupies approximately 5  KB of RAM, situations in which a server brokers tens of thousands of concurrent connections can lead to overutilization. + +- **NAT devices.** As discussed earlier, NAT does not allow Authentication Header (AH) conversations between hosts. If NAT devices exist on the internal network, ESP must be selected instead of AH. + +- **Switches and routers.** Proper capacity planning for the implementation of IPsec is more about thorough testing and expected traffic loads than exact calculations. You might have to upgrade or reconfigure switches or routers that currently exceed 75 percent usage to allow for increased traffic on the device and still provide some extra usage for bursts of traffic. + +- **Other factors.** These include CPU usage on network infrastructure servers, increased overhead on servers and workstations running IPsec (especially servers, because they usually contain more main mode SAs than clients), and increased network latency because of IPsec negotiation. + + **Note**   + When Microsoft deployed its own domain isolation solution, it found a one to three percent increase in usage on the network as a direct result of IPsec. + +   + +## Group Policy deployment groups and WMI filters + + +You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Firewall with Advanced Security GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate computers or users can apply the GPO settings. Because the firewall and connection security rules have evolved significantly from Windows 2000 Server to Windows XP and Windows Server 2003, and now with Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, we recommend that you use WMI filtering to dynamically ensure that GPOs apply only to computers that are running the correct operating system. It is not necessary to use this technique if your network consists of computers running Windows Vista or later. + +## Different Active Directory trust environments + + +When you design a domain isolation policy, consider any logical boundaries that might affect IPsec-secured communications. For example, the trust relationships between your domains and forests are critical in determining an appropriate IKE authentication method. + +Kerberos V5 authentication is recommended for use in a two-way (mutual) domain and forest trust environment. You can use Kerberos V5 for IKE authentication across domains that have two-way trusts established, if the domains are in the same forest or different forests. If the two domains are in different forests, you must configure two external trusts, one for each direction, between the domains. The external trusts must use the fully qualified domain name (FQDN) of the domains, and IPsec policy must allow an IKE initiator in one domain to communicate with any domain controller in the forest domain hierarchy, so that the initiator can obtain a Kerberos V5 ticket from a domain controller in the responder’s domain. If firewalls separate the domains then you must configure the firewall to allow Kerberos V5 traffic over UDP destination port 88, TCP destination port 88, and UDP destination port 389. + +For more information, see "Active Directory in Networks Segmented by Firewalls" at . + +If the use of Kerberos V5 authentication is not possible because two-way trusts across forests cannot be established as in some large enterprise environments, you can use a public key infrastructure (PKI) and digital certificates to establish IPsec-trusted communication. For an example of how Microsoft deployed their PKI, see "Deploying PKI Inside Microsoft" at . + +## Creating firewall rules to permit IKE, AH, and ESP traffic + + +In some cases, IPsec-secured traffic might have to pass through a router, perimeter firewall, or other filtering device. In the case of a router, unless the router filters TCP and UDP traffic or other upper-level protocol headers, no special configuration is required to allow the IPsec traffic to be forwarded. + +In the case of a filtering router or a firewall, you must configure these devices to allow IPsec traffic to be forwarded. Configure the firewall to allow IPsec traffic on UDP source and destination port 500 (IKE), UDP source and destination port 4500 (IPsec NAT-T), and IP Protocol 50 (ESP). You might also have to configure the firewall to allow IPsec traffic on IP protocol 51 (AH) to allow troubleshooting by IPsec administrators and to allow the IPsec traffic to be inspected. + +For more information, see "How to Enable IPsec Traffic Through a Firewall" at . + +## Network load balancing and server clusters + + +There are challenges implementing connection security for network traffic going to and from network load balancing (NLB) clusters and server clusters. NLB enables multiple servers to be clustered together to provide high availability for a service by providing automatic failover to other nodes in the cluster. Because IPsec matches a security association to a specific computer, it prevents different computers from handling the same client connection. If a different node in the cluster responds to an IPsec connection that was originally established by another node, the traffic will be dropped by the client computer as untrusted. + +This means that NLB in "no affinity" mode is not supported by IPsec at all. If you must use "no affinity" mode in the cluster then consider including the servers that make up the cluster in your IPsec exemption group, and allowing clients to communicate with the servers without IPsec. + +**IPsec improvements for clusters running Windows Server 2008** + +Starting with Windows Server 2008 and Windows Vista, IPsec is much more tightly integrated into TCP/IP than in earlier versions of Windows. When a TCP connection is dropped because of a cluster node failover, IPsec on a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 detects the TCP connection failure and removes the IPsec SAs for that connection. When the new TCP connection is established to another node, IPsec can negotiate new SAs immediately without having to wait for the obsolete SAs to time out. + +## Network inspection technologies + + +Within a TCP/IP packet, IPsec without encryption changes the offsets for the destination ports and protocols. These changes can adversely affect applications that are running on network devices such as routers that monitor and manage traffic on the network. While some network applications have been updated to support IPsec, some are not yet compatible. Check with the vendor of your device to see whether the changes in the protocol and port fields caused by IPsec are compatible with the device. + +Any device designed to view network traffic, such as hardware protocol analyzers or Microsoft Network Monitor, cannot parse ESP-encrypted traffic. Only the destination computer, with which the originating computer negotiated the connection, can decrypt the traffic. + +In general, IPsec defeats network-based prioritization and port- or protocol-based traffic management. For encrypted packets, there is no workaround; the host itself must handle any traffic management functions. For unencrypted, authenticated-only packets, the devices and applications must be aware of how IPsec changes packets to be able to do anything with them other than route them to the correct host. If you cannot upgrade monitoring or management devices to support IPsec, it is important that you record this information and figure it into your domain or server isolation design. + +Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Network Monitor parsers for ESP can parse inside the ESP packet only if ESP null-encryption is being used. Network Monitor cannot parse the encrypted parts of IPsec ESP traffic when encryption is performed in software. However, if encryption is performed by an IPsec hardware offload network adapter, the ESP packets can be decrypted when Network Monitor captures them on either the source or the destination and, therefore, they can be parsed. To diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPsec policy or connection security rule on both computers. + +Network Monitor is available as a free download from Microsoft at . + +**Next: **[Determining the Trusted State of Your Computers](../p_server_archive/determining-the-trusted-state-of-your-computers.md) + +  + +  + + + + + diff --git a/windows/keep-secure/gathering-the-information-you-need.md b/windows/keep-secure/gathering-the-information-you-need.md new file mode 100644 index 0000000000..1ff777de17 --- /dev/null +++ b/windows/keep-secure/gathering-the-information-you-need.md @@ -0,0 +1,30 @@ +--- +title: Gathering the Information You Need (Windows 10) +description: Gathering the Information You Need +ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15 +author: brianlic-msft +--- + +# Gathering the Information You Need + + +Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the computers that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and computers that were not considered during the planning phase are encountered during implementation. + +Review each of the following topics for guidance about the kinds of information that you must gather: + +- [Gathering Information about Your Current Network Infrastructure](../p_server_archive/gathering-information-about-your-current-network-infrastructure.md) + +- [Gathering Information about Your Active Directory Deployment](../p_server_archive/gathering-information-about-your-active-directory-deployment.md) + +- [Gathering Information about Your Computers](../p_server_archive/gathering-information-about-your-computers.md) + +- [Gathering Other Relevant Information](../p_server_archive/gathering-other-relevant-information.md) + +  + +  + + + + + diff --git a/windows/keep-secure/gpo-domiso-boundary-ws2008.md b/windows/keep-secure/gpo-domiso-boundary-ws2008.md new file mode 100644 index 0000000000..4c2140385f --- /dev/null +++ b/windows/keep-secure/gpo-domiso-boundary-ws2008.md @@ -0,0 +1,46 @@ +--- +title: GPO\_DOMISO\_Boundary\_WS2008 (Windows 10) +description: GPO\_DOMISO\_Boundary\_WS2008 +ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd +author: brianlic-msft +--- + +# GPO\_DOMISO\_Boundary\_WS2008 + + +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. + +This GPO supports the ability for computers that are not part of the isolated domain to access specific servers that must be available to those untrusted computers. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. + +## IPsec settings + + +The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain when authentication can be used. + +## Connection security rules + + +Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authentication mode to **Request inbound and request outbound**. In this mode, the computer uses authentication when it can, such as during communication with a member of the isolated domain. It also supports the "fall back to clear" ability of request mode when an untrusted computer that is not part of the isolated domain connects. + +## Registry settings + + +The boundary zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](../p_server_archive/isolated-domain.md). + +## Firewall rules + + +Copy the firewall rules for the boundary zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other computers. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 80 for Web client requests. + +Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. + +**Next: **[Encryption Zone GPOs](../p_server_archive/encryption-zone-gpos.md) + +  + +  + + + + + diff --git a/windows/keep-secure/gpo-domiso-encryption-ws2008.md b/windows/keep-secure/gpo-domiso-encryption-ws2008.md new file mode 100644 index 0000000000..c5ec2d8c7a --- /dev/null +++ b/windows/keep-secure/gpo-domiso-encryption-ws2008.md @@ -0,0 +1,50 @@ +--- +title: GPO\_DOMISO\_Encryption\_WS2008 (Windows 10) +description: GPO\_DOMISO\_Encryption\_WS2008 +ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446 +author: brianlic-msft +--- + +# GPO\_DOMISO\_Encryption\_WS2008 + + +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. + +This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. + +## IPsec settings + + +The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain The following changes are made to encryption zone copy of the GPO: + +The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This disables all integrity-only algorithm combinations. + +## Connection security rules + + +Rename the **Isolated Domain Rule** to **Encryption Zone Rule**. Leave the authentication mode setting on **Require inbound and request outbound**. In this mode, the computer forces authentication for all inbound network traffic, and uses it when it can on outbound traffic. + +## Registry settings + + +The encryption zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](../p_server_archive/isolated-domain.md). + +## Firewall rules + + +Copy the firewall rules for the encryption zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other computers. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 1433 for SQL Server client requests. + +Change the action for every inbound firewall rule from **Allow the connection** to **Allow only secure connections**, and then select **Require the connections to be encrypted**. + +Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. + +**Next: **[Server Isolation GPOs](../p_server_archive/server-isolation-gpos.md) + +  + +  + + + + + diff --git a/windows/keep-secure/gpo-domiso-firewall.md b/windows/keep-secure/gpo-domiso-firewall.md new file mode 100644 index 0000000000..78e4c0281a --- /dev/null +++ b/windows/keep-secure/gpo-domiso-firewall.md @@ -0,0 +1,71 @@ +--- +title: GPO\_DOMISO\_Firewall (Windows 10) +description: GPO\_DOMISO\_Firewall +ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42 +author: brianlic-msft +--- + +# GPO\_DOMISO\_Firewall + + +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to computers that are running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2. + +## Firewall settings + + +This GPO provides the following settings: + +- Unless otherwise stated, the firewall rules and settings described here are applied to all profiles. + +- The firewall is enabled, with inbound, unsolicited connections blocked and outbound connections allowed. + +- Under the domain profile, the settings **Display notifications to the user**, **Apply local firewall rules**, and **Apply local connection security rules** are all set to **No**. These settings are applied only to the domain profile because the computers can only receive an exception rule for a required program from a GPO if they are connected to the domain. Under the public and private profiles, those settings are all set to **Yes**. + + **Note**   + Enforcing these settings requires that you define any firewall exceptions for programs, because the user cannot manually permit a new program. You must deploy the exception rules by adding them to this GPO. We recommend that you do not enable these settings until you have tested all your applications and have tested the resulting rules in a test lab and then on pilot computers. + +   + +## Firewall rules + + +This GPO provides the following rules: + +- Built-in firewall rule groups are configured to support typically required network operation. The following rule groups are set to **Allow the connection**: + + - Core Networking + + - File and Printer Sharing + + - Network Discovery + + - Remote Administration + + - Remote Desktop + + - Remote Event Log Management + + - Remote Scheduled Tasks Management + + - Remote Service Management + + - Remote Volume Management + + - Windows Firewall Remote Management + + - Windows Management Instrumentation (WMI) + + - Windows Remote Management + +- A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile. + +**Next: **[Isolated Domain GPOs](../p_server_archive/isolated-domain-gpos.md) + +  + +  + + + + + diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md new file mode 100644 index 0000000000..e03f882634 --- /dev/null +++ b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md @@ -0,0 +1,181 @@ +--- +title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10) +description: GPO\_DOMISO\_IsolatedDomain\_Clients +ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 +author: brianlic-msft +--- + +# GPO\_DOMISO\_IsolatedDomain\_Clients + + +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client computers that are running Windows 8, Windows 7, or Windows Vista. + +Because client computers can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile. + +## General settings + + +This GPO provides the following settings: + +- No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the [Firewall GPOs](../p_server_archive/firewall-gpos.md) section) in order to share them with all clients in all isolation zones with minimum redundancy. + +- The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting. + +- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, such as Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2, they can remove the weaker key exchange algorithms, and use only the stronger ones. + +- The registry settings shown in the following table. For more information, see the description of the registry settings in [Isolated Domain](../p_server_archive/isolated-domain.md). + + + + + + + + + + + + + + + + + + + + + + +
SettingValue

Enable PMTU Discovery

1

IPsec Exemptions

3

+ +   + +- The main mode security method combinations in the order shown in the following table. + + + + + + + + + + + + + + + + + + + + + + +
IntegrityEncryption

Secure Hash Algorithm (SHA-1)

Advanced Encryption Standard (AES-128)

SHA-1

3DES

+ +   + +- The following quick mode security data integrity algorithms combinations in the order shown in the following table. + + + + + + + + + + + + + + + + + + + + + +
ProtocolIntegrityKey Lifetime (minutes/KB)

ESP

SHA-1

60/100,000

+ +   + +- The quick mode security data integrity and encryption algorithm combinations in the order shown in the following table. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ProtocolIntegrityEncryptionKey Lifetime (minutes/KB)

ESP

SHA-1

AES-128

60/100,000

ESP

SHA-1

3DES

60/100,000

+ +   + +**Note**   +Do not use the MD5 and DES algorithms in your GPOs. They are included only for compatibility with previous versions of Windows. + +  + +## Connection Security Rules + + +This GPO provides the following rules: + +- A connection security rule named **Isolated Domain Rule** with the following settings: + + - From **Any IP address** to **Any IP address**. + + - **Require inbound and request outbound** authentication requirements. + + **Important**   + On this, and all other GPOs that require authentication, Woodgrove Bank first chose to only request authentication. After confirming that the computers were successfully communicating by using IPsec, they switched the GPOs to require authentication. + +   + + - For **First authentication methods**, select **Computer Kerberos v5** as the primary method. Add certificate-based authentication from **DC=com,DC=woodgrovebank,CN=CorporateCertServer** for computers that cannot run Windows or cannot join the domain, but must still participate in the isolated domain. + + - For **Second authentication**, select **User Kerberos v5**, and then select the **Second authentication is optional** check box. + +- A connection security rule to exempt computers that are in the exemption list from the requirement to authenticate: + + - The IP addresses of all computers on the exemption list must be added individually under **Endpoint 2**. + + - Authentication mode is set to **Do not authenticate**. + +**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](../p_server_archive/gpo-domiso-isolateddomain-servers.md) + +  + +  + + + + + diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md new file mode 100644 index 0000000000..d179b62321 --- /dev/null +++ b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md @@ -0,0 +1,31 @@ +--- +title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10) +description: GPO\_DOMISO\_IsolatedDomain\_Servers +ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 +author: brianlic-msft +--- + +# GPO\_DOMISO\_IsolatedDomain\_Servers + + +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2. + +Because so many of the settings and rules for this GPO are common to those in the GPO for Windows 8, Windows 7 and Windows Vista, you can save time by exporting the Windows Firewall with Advanced Security piece of the GPO for Windows 8, Windows 7 and Windows Vista, and importing it to the GPO for Windows Server 2012, Windows Server 2008 and Windows Server 2008 R2. After the import, change only the items specified here: + +- This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the computer to the Public profile with a different set of rules (in the case of a server running Windows Server 2008). + + **Important**   + Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the computer. If you attach a network adapter to a computer that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the computer. + +   + +**Next: **[Boundary Zone GPOs](../p_server_archive/boundary-zone-gpos.md) + +  + +  + + + + + diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md new file mode 100644 index 0000000000..995905d641 --- /dev/null +++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -0,0 +1,64 @@ +--- +title: Identifying Your Windows Firewall with Advanced Security Deployment Goals (Windows 10) +description: Identifying Your Windows Firewall with Advanced Security Deployment Goals +ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba +author: brianlic-msft +--- + +# Identifying Your Windows Firewall with Advanced Security Deployment Goals + + +Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios. + +The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Firewall with Advanced Security deployment goals. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Deployment goal tasksReference links

Evaluate predefined Windows Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives.

Predefined deployment goals:

+
    +

  • [Protect Computers from Unwanted Network Traffic](fe94e9b8-c456-4343-af5f-5511b8047d29)

    • +

  • [Restrict Access to Only Trusted Computers](29805c5c-a8e4-4600-86b9-7abb9a068919)

    • +

  • [Require Encryption When Accessing Sensitive Network Resources](261bd90d-5a8a-4de1-98c7-6d07e5d81267)

    • +

  • [Restrict Access to Sensitive Resources to Only Specified Users or Computers](09cd6d03-c1ce-45ed-a894-d7f7aaa9b6f0)

    • +

Map one goal or a combination of the predefined deployment goals to an existing Windows Firewall with Advanced Security design.

    +

  • [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](39bb8fa5-4601-45ae-83c5-121d42f7f82c)

    • +

Based on the status of your current infrastructure, document your deployment goals for your Windows Firewall with Advanced Security design into a deployment plan.

    +

  • [Designing A Windows Firewall with Advanced Security Strategy](36230ca4-ee8d-4b2c-ab4f-5492b4400340)

    • +

  • [Planning Your Windows Firewall with Advanced Security Design](6622d31d-a62c-4506-8cea-275bf42e755f)

    • +
+ +  + +**Next:**[Protect Computers from Unwanted Network Traffic](fe94e9b8-c456-4343-af5f-5511b8047d29) + +  + +  + + + + + diff --git a/windows/keep-secure/images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif b/windows/keep-secure/images/15dd35b6-6cc6-421f-93f8-7109920e7144.gif new file mode 100644 index 0000000000000000000000000000000000000000..374b1fe60e24f5be3578d253c4bc19bf4c757f0d GIT binary patch literal 345 zcmZ?wbhEHb6krfwxT?$W{oB{7s;UDA4(!;mW7n=-d-m+vym@nB_vyIay<4|#UAuN| z;fyC6H*Q?BX3c~N6WZF^eA^DpojW&g^6u&xI}0aXw{19-TCwrj)2F9So%;6eTSVcK z)Vhrkh0_mSdB1n>-qm|brF_}C;cfL+F&s24FKQ2 Bg@ynC literal 0 HcmV?d00001 diff --git a/windows/keep-secure/images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif b/windows/keep-secure/images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif new file mode 100644 index 0000000000000000000000000000000000000000..60246363c0eaa6b92f60945af89a703b40e1715a GIT binary patch literal 519 zcmZ?wbhEHb6krfwc*ej`S63&y___Gx>-zit^K@N^-}Y?Fwbvg%e&lRE_5c6>n>TMh ze*E~+qepMvzU@Ep;^oVickkYP_UzeSZzAEzF;t-Rpj)vH%^cmLPh@?CZJ|2Ln1@H8Eh zU-)G2!*8!XevjDp?C!ho??1ekTmD92=B@T~Ure_DU?|zGv;HGb@71qgzkd1hMSbfp z;hytS3!aNK9eMuz`MrDh-oAaKvF*3U+K);zZv!37Fw}tJPZmZ71{Ve$ki$W7!oZ%= z;L_CG(%RO-CdMJg*51Nr?#$ZPB4*>*JH>_1klATg6B9Gz%qcpIYLgeREN*AiV^VSv zWwbJ0r>?=|!X(cq)yE=Y!l=Nws$H4Uj7fz_ZWg1qk+sYMWfm<{@dYlD62f;MH8NNO E0Jd(khX4Qo literal 0 HcmV?d00001 diff --git a/windows/keep-secure/images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif b/windows/keep-secure/images/bc6cea1a-1c6c-4124-8c8f-1df5adfe8c88.gif new file mode 100644 index 0000000000000000000000000000000000000000..2d1bf229c3c9b657de2f0140d7957869069134dd GIT binary patch literal 615 zcmZ?wbhEHb6krfwcoxP`RaN!x-`@iV4*dQ5XVu30ly z|M>nLDE1Rbef|35`?sGze*F6R^UJ4CzkmJw_VvrJpFj5O+4K41$F*zMe*X0F&+lKe zrmvbcef77mUnfkMuyNzY??Bd<&uwjOUq64IJ9qBp&6~Gw-MVJYnqNTeU%t%Re!^nH ze)i_=Ux2c=UQ9i7``Oc{hAkWR@85sr;K`2FkG=TDzLegC<0%VDmToj-njKYH}&sZ*!U+Q<(UWf?<+NL|McO*iNojr|NqZ0a6s`V3nK$V7=sST z37|M(U_a6j#?;)>8rI&y#KX$W%*e>f=;`0lZp7Bzt7pgP;VU-PTw?~SW1s~iCp$Z5 zhnT3hicpAF-I!NzMt>^@O=F6w6HSQ(e>U2R)AkT0FTFinCY~TlY7!u+xs#zGBteU)lfi$ z|4eJk_(;{%E9Umj)<}P;lYl^NO@3_NZ3zjX4-2#X-MLR%Qg;9RI3x+Ru7Bh(yBl z^t)H%_0w-!iwe^^+VaU{a&m&-(&Cuy#i+9ZE-^7NJ3rS-i*8m_RBUd1URi$A+|u0K z$!u(Gxa{aS|M_Fze?4~|mdw8Epk~$r0I>FBo=7D2_V#*3q%CrWNF>s|nkrpWoq~J0 zeq}vZlk=Jyk`?C<~k{B`O3*Xfk9WhK~B0=Blha>5YwzckY#O*B8ysnzG04 zH-&{2RL1V^?sh#d+}rz;5EmSu5bxn;l%JnlJ6xTR7dQQJDme05ZuX_B?Ch^AQ#Dn$ zLldc&FJBG|Ip=%HcX4s?*RNk=LwEao9}m2mJV!lS-+q65YD^o6^ziWb`t|G6-uB1~ z7ykU-T3lXWb+r%m7OsAq{kr<4_@M9Ya{hek@b12uAvuOn=21nT9=oX?Yz%F>3CAZ2>)+v?AI@DadEMu zm;K`hF%_lPSHFLtWkg3tM*iGhy>;`NvF;%|Kf6y0Bk$k8*U(X)oSvX~*;!gy_{2J$ zu|0V^D(dgwUn3(US(SIYUsiKB*XtkG7w26$qN{~Qz{>0M`?||y1H7~cz5~J`0D!it{zqih0@X4H8VXiHaa>qF_fB` z5)*Zv`M4-1EwAEEMs5W?$=Za@$heQkXSbz{k2c#3etvptz$4Dr zwbFKWaxy77X?URSV$^ktjm?ks)kV(as}JwJLnz@fVR<>RWo2c~uFh9tE?tceVUIt( zb-ynr>z4a%yXpG6%-rDP$F(J7#Zn5Ac|4x{A1DX_c!1{r`T_pm1c2lLJU$sqCZjtZ zDXi`>#H{R1#wl8tTQ*hor%Py`IeNU|UQ?V~09(hLUOkYf>iEE8xOtHXD5U306fgBK zHLa5V>ANUcjaHE2QL-b{V!K%JfIaEpSk9odc$Ux|>$V5Zspbf&zdsLK6~?YNvEng-WCh2mv&sx8}u5*0o_209$@9&trV2||X>CBjR-@$N<+mV5C zOdv}WL~Aj=%ip3r)hWeX_cFBj3uOQ{GoO=N{O}eQRh&&z~|>s8phB$%7bq z37cPQT#OXQw(a;LK!XbBKKirAE z{Z(-#26}-tPWpvk71NKUwtC+2j0-PJ6t_f>ynWT3l}k+JN~ZZ8Bz@f-!{?M$%1)t< zss@3_1B)t~XJ%?Eh?Dp{QvXnXLS^D^1m^T%WaLscOps>*2`0Q1DInzqnf1DcIVgXl zl)?+0vhGHIo4K+t2%RTg7LE68*$R7-cf(Pt_N}*4u<|1<t5_fYH<}v&Inzh?rh_TK>{sx-=-~L0QSw8{9lEM&) zL-;%8%!M8a3qK5hR{))b@+8nnvO-AI-F^Bp>yZFka<64xtcO6MI(oC#<&KBj%u2?wC%$83LfSv73%;Va%S zkOH@U{ktJ>6*oDcF4;GixS0O_eFRv9Z4AO6D?g$;Z@Ov#(@s*n3#?R*zK_u1!wDuz z+_#9f=C9z8tOd$%c_DtZ^}dfl`6iHK6?|6Dq)X6LoBKr+@WByCJ|Zn@bM5#V+%WiT zFGjG!R1kKsyGYgq7Tic4#Lvf11bq@p5X_Qfw$h_TM0EOpHb3cHvtmT=IJ$mP<|Y7i zh_rYLYb~z!>9784(NGcvJo&aG^aB|3Rp>io=`fR? z_3o8v2Ze(;mDpGvGxcY5;I9ru$J7$NaEFK_H^f7S>Ws8U>Vlz26U~<_^Z#OVUU)^@Sz@c_bj6?0OOw3W^W)^Ok=eI%Jwg2REk6{;Edy>76-pyugXDt4ew?t}B$A zvsW$ujtMtS+YFBRuq1={YUTXwe(>=+Fu{v2MWT2!$B^&|`hbPLJd>-NncgdLlyYkO zw(%{sawQN2NF+#X6+a8~IChj0C+0yySNw+VMIeXIR4pF2cx@kfsHmo^!_VI8L?t ziSO*P{0%Z|kEUJaG9T*-OF6aeDDgQ+4aFunKJ=c0TiTR8@ciYFah_t?2v);V zGjhaMpkfc=Gi`F4x!}I`+GduTrY*th%}`I`*+`|yhP2lO)gBnv@<*4?SUF}0Eja6$ ztRQXKZyJd_zVNntRt`QI?hT5feeLxAM*%5H^cS1MPd;>iuM0vuwT3%)j9d`|=mPA3I3-d86MOb(A|LGuzzI!@Sn>WaF1I-QRr z!PKuAi{3XTNWh2vO=NddGA@REl2X)lPh{fVDn-7wa;VC=rbF59&~d(%`I{cmVUJNA8 z^Sb09fi2QXh}x+W?-XQ>*ZcKMo!3@6R|r5Xz^WKk}3$=mO1KBUm~OG)-oA zEEfA@tMO@9wmr(K3iOyW!ygXVsQnw2v+-b-uw8^)bi&1>5%j29BGin(cRttWfsBXZ@7?~x+|AO|yc+MWh=xmI>gm)_ z1z0ZcxW;pfmZtMg-le(^BLbx0G<(z4WFi1im0oVL{Xl?9F|99J0^#LBdaU`Sc<>pn zS&yCp1k+fP&YyzQd72WZ#U+Q~TA+COD@P3tV@E}B+NEzBz9VdG-=->*yN1eNwtTGz z`9NusjvTm1W*Pz0J4c!a=e`EjDfv#xi4;C11(oaw1nS zbWAScxAd$JdG}#k<|WMl1K$7uglP4?7KM(MPC9?H=LZ{B_T^8b;rRrG=~!ejN1CUG z)VkH?OoHkXKSMpbisb3zH*N|W{+TF@Z`Kven*Q?QVnju*cQqcM=jm;{JF%q#b|gVn z5_G-~N|=xUBbL4h5L574&z)=5)B+Z!->&VBQC*0E;=w*ty&P>_;S`9Th@l-TI#>%T zOa!6GkmrhVxsH%y_>(nDx^|4%=U*a&7hg`(&X zo(cN3qrp328$Npc?x47|u(C{q(7r2wGY4%%LW3d^!(m0)@M4?+&}YiW>#(X~CtaJQ2@yfw zR8S5bMq`|EDz@5gO?I1>004wJ3pB_AZ2~YbE1tR#D}+Zq0nl|ge&YxeukBObZ%pFp z$lMh%{uGcf8MH$~Z81|etJlnCUI zAjX#HtcV!0pZ1F(8kCBD$%Te=z{)H^Q}G6Df=wzb9s{b*%-);MZUYc6D<$@y zfDduNcJve-e1guBg?@E9l$w=3Nt35w4-rv86fBKuqFkKxiC}2xls!ShDCp)A+;Wv8 zb5%=n)zxynxM(F7iYS?PL@lqEh_&LtGdQbCI{$SMbAV~^Bn1K#r!yO`$uZdV( zhvuXirE1{8AGy#e0J#{EuoXbUmVo7$Adi^>uRjG8$wD99LciexIS#U(i}=FPyfRZ5 zG>pt*A};6_g}N0{zJk<9fDjJ)gMvt9LBC6eEi#2)_!<~V>Ooqmj* zSej6P4J`A^DQ;q;pY!;Tdim+TM@xDGMMaJIvl!Sxrhowv+rUO_yH)H2Ry0uZzVeAY z?!f+`ASP6@S|Y8x-`rVI1%)w>J^#aJyKQPuuZGZ8@{D+XF+-ABc8n7H^mpi?OWD+544DWv$77Xfm2PB# z3?kN_4YDk)wl1v>B_j4}?nb(qs!B0*=#XJcM*MbFl;Azox2#%vem23@?P-N`4m5;_ zE+>KqDJVZOmSY5oVnEO&zR+{Eq1K2I3e=ig?JroPQd;FsOK8ro`KT+#zXCtl`FWvamU8DJ_I{R+?D#%^$<34{a|X=)UHAPP`&z*RVeGmT%FM@(;J!@K@4NUd-( z<5v0xT9^qR*+xOwNFf_LD8=q~sFZ9EqL%@!vxF-#z#$aq+4Qz@0AzC4hU&I9{VL4E-0E`T}?;%8HZ zqX5|Cu+T6Q;COoOe>x+gpJ+jAi zs$=zVa^eg~vpX0^f>21JnSVRrf)dSi;3E;9!$!8^AU@UTe?V(xx0WyQ=9(oE#X)79xWc6~aciV+8aQ1QFN8$i_@Tkf)0WuWln^xh{CxaVGbMLGc|dZrA1>HmEhM|yuHp0IA&=c#+oaB?*tc|FL|++a{=q%PSlWFDC(gkK zn&aU<3O!ADOAn!w$AxQo#*%s)8fVPK#hQoCZC?4QMR*?fBF1AFA|wQl!=o1cV4%TT zd$3Y-FX2eO5as-gJuGwNZ9tHSY@P6ezc3EN`niV(dAb@Q?2%tYeW8nP7V%NihF}) z!kP!6-tOKxqJ5{;+`69uMAaV+;#Y&m^>WlZe-31!rP~T7Xv@M6eS{u{1kFeJuXQUe zjo~VH6gzgXMY-cixvnb9m$DqrTkecM`5>4%HFT?y9O5apAxm6yrSocFR_UBAaBVkl}qK)sbPw}9A%%|(rfqc%eJ#IKRic` zugNAI{2=cdnkn6CMEwiDw!iGTo8tV{@it$2lXgkde{j&OUd!bIXLW&3%AE8WWaW&}Tluh%!K+E5 zp)R=Ae-Z6>25o|+aVK6u?V$Dm1|L{K!u+Ia5g97O>H5H$t=X4)Hwx_^-mWSsWB<|C}?>pwtQ zu!vpw%`Vmbkg2Og936WzmvMzB}*99FKJ!jPFr7b2ev9YG=kkMMlkOk_G2j-UcI z0Lbg%^N4-n;(dTcEUhhY;&z;C2?dcU-7(U*H-ONumHZ>8nLVJ{A$81Yp^R5L_-im(G0mSg6s9?;8pG zo&_x;feG9nMN9~SfjSCcl^AdY4R(zQMSfV5+*q5(|9B5TBPoC&9sX+{;!1>sFkmM+ z7=0$Bhygba;tIxcXQ?0$8r+q!LEu2J>nJz{Im3ad@*t4_R+hKEf!+AlP63sWAP1Oy zg)~?Z1qj5$67jGOE;4`vxk+CiWo;ad;r9P;1}V@ID)s;sTE-O^rNa}M0GftQq+tmZ zAe!?PLEN%EFJgD#=SeCOPx@)hcWA({8)<1px-^Ccr=Pn=-z`+kqKKBW*kA-+7JR1`HNUKs0g*N<@)w~|}|8ErRUs8|)$M0c4d5YD|>v9Go&xTLw0 zJ}+Qk=p;HFeo@Irv7!1u56-7oSrGXApT4cNSSfEH>EMO;Q$O504kXv$?ccp6*jy9) z2Q+P3+DPV!nR4^K%(Y8;a5>!<>x$%+DuKw<* zexZ^}Vl6<|7%c=1Z$VJJ%(16o>*KbNv>9ag>phY$p9K9tO&L<~bdPnTQp87~$w$fV zuEy(V&F{%&zix0BGG75yd_M@{5cj-!Gm9f26sY;zjq`2fxXm{6^z0-L!6&C+bWeW+ zb(G6Wi_&LQc=|J|a0jANI0#LD))ygVatZ}xKw~L%T{yJyDHpljVVW6fEsrx2bH_|P zkz`C?C{n`68>Jx?N#24doi^^#VHj3iIz*29DH$1+f`T3MB2Vgz-^+h>M55BtTimMM z+b0)E-HuJLX^*U>?Q3>ll!Pd#62L;x(&}NbOL@o{y#gu!6tcf6I8CzzP%u64B7;Sf z{is8c7AlM75i^w@k>l^0Ej3(sur_=Knt%k14NPdTN!mE%^*8Ye{$c^`|WGfM$X;T==yM3SG8-K|NG{kc5^FO<(!RraRO99&M!Dw&pV7NlsI zJBe0TECnL|R(9n-QaPbmx$6Q0W?-!e|(^ z?|I($J9_WK>*)Sn*V$i5MNw4jy(+K)u;l?bty5X_0PUm*P5CJT00893W>wefFOx^` znt5MeUwG}@;Pn1df9qVH--NduMCi$QhF4Sfy00xCGE)%(fuyCSB^69J^siZ4TaUKY z9`+b4H@+S#Rp;j-FKtGdX|lls#U0*qgXkW|xC&LqLbPNVoxXXI5fcas3L=q6>o2ag zwY7pG5`~3@B~?w4k&&F7oXg{bXf)c-&yS9d?$5&3%qQx#P@c4cDh&+{6bdymxdey9 zK_HN>p~)B`g^Y~sqE)kZbee>e6gjq-o>OdOWF+(imzbD%Jkspz*RN6WX^JWuVGd@s zKgVKXVggjz9336a&CNNvg?V3!S$+D(z{nhy@hdVVS5!jE_632K@#n^l{+l5~4IRTA zTe-xdDPj^*)aD5t1LOGkcsgQ6TU&c^^_ZWZzpZ~GvtrKQ?(NX;z45uf5CxUOT4Y@Q zWPamfZUt$jJS#cUUa;pN9YESTJ}v0DuSJ`M>$Un*a#0eirzF zK|g{+Lc_u%BBP>XV&mcy5|ffsQqy4R8KJi1**Up+`2~eV#U-U>i1Lccs_Mdz_+JSc zo0?l%+uA#joj<#}dwTo&2L^|RM@GlSCt4j1h^D4zX6NP?7MGS$E30ek8=G5m2ITkz zt_O$cqvMm)v-69~E6nxH?cF^Vfcua^xhngoI}_QY(LhyBcL*7qYKC%kZf^vwpxxrY zF$?h9Uy^VJm74s)1h7u235M@|e+s|lP=-pabx+K`;ojn4ZP7R!^1Y=_rLOo_p7OJ` z$4~1@{uF8Fsq%^ml}wcx)|#4#*O$#yns?tLO6w7GwTjK*?}i)77aC8o1G$-MjfeWN zj;DJ|!v@9BRzKWF6?rr$zwS`VXQm@f)$9GSY-(BR%{80DxL5C&N1AK5$FuqR?;?&v z0{;~2l$nmU)bGz!Sq^7uv^E?p$Vje@x&i#qsLsGg%$jXY$Lj+L&&%(v@WXIjj)#*NJ9FBGUPI$(( z;)h3Lv*J&1PpIWaB?|%skST&!gQz;VAf6=Du3CQ7t~;wCppGJtG()h>S{V33Bv<0G z=7xDVe;+u{>q%*UqND(SHXH8mwC(j6$USXP=;cO}WsEFm$p$ulgm`y3{Ge`jg5;@g znk>bNK*?sZ$@MgT6z!}0_mYHo=38ktg(X|C&keg<>5hHe+Zis?Mjyl6ArG|DTrYOF z;eG@>;B5CjZVoxJS^k~e$X9zic{cM$=3c_qO$(ClW5v6L)HE$DMcKg*bBY$@IDbXt z7M7O!0M)~l3M@={vO*z)k1oaM=b-PWVNXXvyao;T60r(0#{ z4!3X{w8Uf1A#^9+6Ys)&p;CIz)|&b1Pt|1ohUkP^#n08)LP{+OI{9wXztv&=g%OB? z{pQo7ey~=mQx6BIchltu1$%W$QO~ zmf#w`t6gy4j}k_`?#iq~$^X&V{SzddA+pMc+abEnjr&EZGf>W_cD0g~seV&lV$5Uv z{*CvUoRe?#%dLHAdDE^}NJYaG0`**Mvw9)2WvgsvxoQ7-WqIpx?W23Ip~lnCHN&9K zRl9hUS3?qsF{iNGlhFt|$=^U{et&{H0kahX&}30N_Jl8R-0ax0JFAq4dGgZFi&PiQ zghM(xE)`0lyy89IUdG3Ba~KG}otKlj`2qI5NuNd1LV&ViSP&9o6Qp7S7<<2sZY*c#EK2F+xlhn<4 zaTFrUU_l9L_Ha` z)jx%~A7#HfpMyFC=w#q<6j5_Hj=8M8&phz{D5-=|x-&w1(9`GRDja2zMuM^rerDqf zPvE$}5b$NUH@g?tRv?w`jHc4FkU+Vqkj45HFsy*R*@39;W%8e9{q6z-?6UaP6c`+ZfdNxXXE>^~{a=h`f+ zo#A*Hof_q{qwwXp0?_CdMF~tTy71J;-P=}ya+dcOM}m&+yJse+L(|;B{Gnf`xbS5h z4K^RRR7#zd;Qaf>tk3&wk$$KXfq&`a5kZ{ez_xZMV9yBQ7%;&KH%vu}?lUmbB;Zibv9A zfccH>4ti)&)WR&mczg%Cwi3&G+G<90;ac@%6FyQ^1SfPo%PXq4(cz{0O}XP(?;gsd z9ARW8-ccEZ8Me?|r|ct&hWsFIFc;XAP@|kD@1<4D_U0Y1RCQg!)4zoXD;>Ri${C3$ z72GG*kcVz1`L#T>{%axlz--q?sCQ8<_o2j*+}tu>K(G9Y??)@G4@~DnQQw|(yUsRfw^KC20;%`}2dYa^ixvA@RpW4n6oO(7JbOVO(JX4vPFXwtMp(tkxXX_}2gH@h!&(TTi8 zc_;3v!%sBHrG=2JTq2^KDnNa&%k&Li`{pIju^ad2jbejwJ)ixs=Jq4rPtFm8GW@sJ4iR&l?k!J4|Irr6hqy4(fvFZ#l4rvq`nne=ec?d;UCu#9cY1v3(xc$+xUBT%j|j4`%fa(} zq4f4JrEw2g@axLJ_pIp?@(#INsxRw+-R5Gw;{wp@`vQn~G$;XgPXL%AZ$cXvt=|9& zus`(FFPnpvQrSN*(1T`xTVowSMixL8ixVaCfssh?QJp83yM3@8XuN32pQB9S{xEUB=p@qlsxxG%1mImXs9L8k8n%=M8mL?u23tBFj!Mq zL_pXXm$CUkSgvTeGi&fu0nX`w;L@gW#B6xQRd^L`MAa;w5-6gbGdrL=%A$Bx*J_YQ8DzcW4N$0O$9g zq?`~eVAU|1TOfK%nc75*)PpN~^%JW_p1QX>Y*qtc?|AEdpnPJ5`5=4G3fQbL|Km!vV67VQDccmQ+ahUHJ0iVLBL?rXQ~8 z3O*hvQxt;NI!E5#{Nx1$u#CynpUCJhd9sAbTz;BW9G0#dhP$F(lf4FYjhv#kr_)^{>Z zva{_lnNL;INmP>#cQPILb54x1X^e2?AOPv?obUd*JmOi*uta$>0=yM`c4KTVb!nU$ zKi=A4u4i?g)Lw?jHJLLR!I4Gk5LUbqz*J-t8lw#QA?^`l42q)@wGb%*LPO(=eN)9jNp=C5bj(RS zNhx%t2#PR~)#5@JGrXl#;ZI?~UgwKi4lw0;mJ zJ)7);as4aMppMR=f88@YMfNRq=Bc_Tll2tCq=Vt0^cl&zZ%W5MYmRU{@U-889Dx?} z%sDAGtCWs{`_h6p8oR-kyu-EYo|R)<^;3D4jM~7EXYY8=uzi8d59BwL%N6PR(y67M7JpkzRRG8X#X#b4m|XU+9e^r^c!dkUUZCkG`fm zKakf2IC|RV?b_y2rt!YFiDAN+aYCBG5g0R!bI#UA0cs7GkcG+1oJ4@6BuvqEtm8ee zQ9V-LuGXMFsj?u)H$5NRw%*fjy)m~^Nu~j^^1s{YHjqBAW67;7UeLd%xAnS!0vWXN zM&t=@nX-~Q>wg#%)0p(1Ym-Y#nI{_`ziPPAZXi6tdWaY5p61JN9DU%Ex8kak&69_M zie$8ViWi{X4VI&M z8m(pBldrV$y!uY%x`y&>z|YOVBkwQ;Qe4_H=@N~Ft)x3VEQ>;Yq8S?Jmb&hKO&+?s zf$A1kDHaY0NvDzeS^55nS2%7X8UpGyR;?A}7TpKJYD60ix(kXJe1&TrE7~)2w3=0U zii$v;AymJ~K0|Fau>(&}W_j2ULfa($HW(rSvC7biw|>pQ4-BJ1p2Vr_OAIid4?qY! zNEI|C3i`PNesZ69AV&;ng+_Y4kvZyWLv7g3cLZZc{?_$LvcD05J^SB*&g}JAR?~@KC}-< zrO=qPx4WkP7b7u{In#h;=_A`+J*T}2w^TRmF$=ZETN^b!Nzi7EuC_Og zZKI!{pO&WOCl!{@alGEite)az=mHnlvF~tuZ`l+_5SY3S$UEGN}*K}W#> zGe$)-u$~#tcQS4+9h^e)=rU;V0aK`yvpf})VPY00FB{9K+m%$4^nFgDJ?_j71ddQS zp>%dXXiE~3|6KrG`Oq4bJRiV-eARD7_eqU=SaGEu2Y+cY>dv`}(UGrLs=a;b0MV*d zzxY*ormYbhnZxmoMMXR{+#jy6sjjqE_x<$W8m1)x8yblGVRFt7jUkOLnWo(W{%Kt6in#OowF{ zjq<0`D7LI+p3D_4k_v9=6$VZ0TG7HPh^c}#tNb|$=s`!hh{xm-Y~B3xI`3g6-*P2+ z#hQ3DN?3C}t!-h9XXCNPhUDRz2-AkD^oFMCrlQa0JkRFiFKZed>n-J|bJ(U%$L8Yv zrq-9OUk|q~U-~&qZ@ZXoyZUUqXKj0SY7W!jAy^Lu$n^3;7dHES2vv752Hn{~fSe1vZd*vmKFEA-iWIzU?7v4>dR%U#~9 zV%jg(YDF^O*h)39FdNFJCyJo zlw;DeGAx}w+Cej35%VhxoAAf4YEaFnwD98jk_O1b2uGs5*;yeAK_LqIaL8DWR9uKj%j?4 zY2n9o$YTc7u^t4#$b7;obHZ+R!s&YghM&-4k9klhFR&-Hl?3LFI6`KpuY6BM;iuxr zQ%TgRH2PE*f-fU;CU178=zAtbN<9~zL-=v28P6BATbFjOg8g%uFQ45 z*>$oO4wdP4Jr*hwEbGO$YX-(-+goeA{Doi;%hP zgWnFx+_WQa$FR5kT9^r$yGi8LfZ5$F{4NT0JCC|sj=7q_-mM{TR%PzDkhhDz_j~Bu zP2~Nd!}S67{>1ENR|b0lzd82BUOQkgq(mM8{|mOUR8$H71>4Mo2Y6Zk0oy?C2M?(5 zN*}x|s;;T6OGv8!2W(riTmJ#uU~vduZ*TI?f50}V5j!$I(b@iMawbJ&>o2t126;ul1N`5#KRK&IpfL z)mxrmv?ro~&SEi@o3%eC@XDXzsS4X*LYQQ($)Iz=VDfXlt_+pa)nORhhb))g|A=ki zLq^sAh;0JTW|-iw(L#oA@$7y%rT>bp-O|v1#WtK#E%`IJI5;b}9sG^mU&3*H=pV4H zSZa0u7i=3VQApqM3dVfbqwWR}3i$tE%lPP($?OrdhnZUGzhLXcMOyKB4rCn-ll>QL zg-w2aQc0n4_q4>?%`|=8zj#Dn{&())&a$n&waIC{J?EalN9#&qtv^rAAhT`PdFwPo zD@eM%)orl0($cr+9qT1}=g)q5w9f67>n3xSffn+9|7c)YEfVe6afd}!8zgvLM|Gp1 z_c+DoF2LXN=KiY;#o7VOdgd%9H2Se!7QBW{KvVE@8-qYWDWdlx6hpP6EL5%`IC_$t+-Q2tfBkZcq#8Gj|mflFrfb;3LGjAweTMaB0r zdXtfAF%*ZGS{wAi1l;M@6&d+ucPCXfTRW+WRg*K2YR>UtLM$8_sPSq-@!3J$r2eOa z`dQO-NW9HU4;GVW=Gps<;3m8G1(g>tAcg*`>z%i>8?mb)DY;PfhO2+Y_EvGKMuYl<|$v=#+NxD1^v8d|6}y>Ygst$jKlzJPWk=O z(DO!wY9^rnZ-f99V&EVEOh#7I-O>fxVpKd+w(HuvI4(| zYv#uIxa}4-F2C6;tsQOIuhXKwIq(`ay*X@HJ(O5$BScaCMW#Q$J?1BmT|F5QLH{Gn zN_=-`lLiiV=d&Ljat;UF&{`ZTA$<2&8z~O=n4O}^`|H1r==+-yPcu~zK;r)Z6C(w8 literal 0 HcmV?d00001 diff --git a/windows/keep-secure/images/faa393df-4856-4431-9eda-4f4e5be72a90.gif b/windows/keep-secure/images/faa393df-4856-4431-9eda-4f4e5be72a90.gif new file mode 100644 index 0000000000000000000000000000000000000000..d3c8021646300a2c29927e6fc77542f328d37d3f GIT binary patch literal 595 zcmZ?wbhEHb6krfwc;>|L@8935s;a+#{~S1Q;Lo4mzkmPw`Qtkf$Mx>rv17-tUq5&4 z+EqPcXUm)&d6Rb=R3G{B=@U?uZNnkowgcb4ef{zM``6E(zkmDo?dz8x-@pC*@ng@P zJ>S26ojZ5#x36C}Zru3w%a^TNxBmM1^Yh1#ZEbC9*REZ&X3g(kzrKF?{Q1+z2@@u4 z-n{wmpFb)6dz)tOcyRyz-o1PO{QmXn!v~;4K7abOd-v|6M~{B{@&#zak00On@84fI zbr(?UsZ*!^{`vjv>C+$IzWx090{vL>BSv$E*)DRyYfi5xk0g5QowyF=dmwxp$$lJON5 z`3_Yvg}cX3&QR@86Zj+{;vgy&C2G*Pf|-}&%f79z8a$46i2M#ncu=s=Nl&!H<3t5V XW4lY2n5P1l!=@!CC$%#%GFSruLNk%w1VHyAx0QUd@c&x=;qQ%Mg`$<}by3YTI!{^!M>iPcvM`nem$=iLx z<~mw)xaR&ggUMQksW6r2tGdWiYm17;`St(*oZ0v~WR+}sm8!<%m#xNfldURct5bTa zak$gO*Z+II-2VOkjIqR})bjEF|AMNu8hgxvw(PRn+;FkYgqpA|dB&*3%06|wag()r zji!~<>r8Hudz!RYkIE&6*V5|#hOE4Wy!3Xi(bMbpgrc;=>;K&T|Hlm$qP*uIB&$Yloxl{{M=syMndM zxXtRDw$tJN|4wwMXR*@s|MYpY(v7s+>;M1T^8bsi#h%37bGFkxa&0(Fql*a93tk0Xh(o}DR+UojZrOLC!)KhSbiM-lCSagHA(UZE;qQ2FGs>xi6 zw%Y6Sy3_W&+x&#D#X)PFK60ybrM&g}{zwaHd{x`439 zTyc(Ro3oz5=GN!;|MmI#`}$aRc=G@Fe3`3csm5fFz5n|Evf27%k*0g3sL$m0&*lBI z%Gzj_$7_qEQ;oAykG$>w_*;|CxY6%Va@!0V2sMYHK`}*eY|MC0!^8EiveaX|~ z|L^?ubeFk*mA*`No{zM@T$r?trn+K^$XubmpUmN2sLqA5&}*K%kG9ji|NpSp_=Jv_ zvD^2*-}YyevQLA*E?t#QmcDwj?Wn)#naAtg`RAO^>W!|aeXroZ;^cg{@tVHQm8!kK z+3$9rqhO%B!sFbKzT)im^~B=*pyl+;>i>tQz=WsGW1HqlWRP8lw~)ZsIf2!W!r$ch z|CqV5X`#YMYol(2t)8^ZSCO|%4`pqFqGpfT7H4KfsrS{*xb@=uW>=H47J z)2Gi+I1oM@5P>D0kvxT-Fvzim1_%yVeR$Ycpcybj7g{J4u_S?!CwYnp(D5Sy4If(f zDJW2YOtUaiEPT+@(mGEamJK? z7l2!#3{F&HkSG4Eu);sPY|sV-6C5x>7A$}TXLqmg)e`rl(dunPb4u{+Nc^nZDvA2IB zEG#_vc|+>T)#RsnZEpwOkIbMk2Bwy_`~pG+Wz`YHglWoN_vq$}x640&{~es%+T1-D z`~1DNZ-tqK#mUX{9r-I94sYyTS^oOFySw}7eTYy){mp3zh@1vdM$0;(yOOl z4XmX;%@Y=vU*A3`CACBsk2SpPou%vz43WS8IxZnKCqA3d(9l@fKA`?T{3rPTe~A2r zf&f4lxbi=#|H}lRr4n@Iz(jGbSVW?@A! zsl2i*ulCvVk{4AC)lD_c`KnsF8jv@l=C?O zpB$O~GQ0eFY2nk_;`-cI%D0v6)t$+!SFS4@~Oe1e=mI8o>@(L;hU0d}PIJRw>JSNIJ#}Gnd5F z>u&v2T3#)@gVFnuEL&p2IjJBdiROUEmF+FQKNI!<$c7~(XFI^|iFB}H#3L1o)%Jt8 z%5x~w)ml!N+gp_mVc{Qg+$>$A1#kN^Z}l)_ZgogRKDeNm7ZyB9Z=d7sFX;%C-gQI5 zL>#(v@)6UQKDktdlLdINf1p45UzS0Q!lcA15>%a|+*TLBDv&PkF+qElW@Y`?=FpW#9M)$mPPWY=i z7ZZmY3tsO=UM+Y}s_DK?F9mb!z5xrS zMZ%Lxp}B~q7BLIaU_u?G-hV?z0O^c70XzVjMjrrR?F1IcI2eJTM1Fy2FgnHc zOIc4u&HNFC2nt7zUZ(&~NiLfS8bh@FnjogjT9B|@0*qsY3cgn;2y|Z_2K?$lbog%8 z9_0ZZC()lr8}!?iLVXm0p{?u z=?sDdpCpKe;*-0dvrX9du4WpL zQDqb05(P{n0~YD|Yt}s4Ql)WVFOupFG70caN!BMo@ZSho_6Lux-q>4&2N6mHHDi@* zSJ_2QwWY))zb=@PK&Jq%~}TY~sP#hc zU$*%+{3>rbY!z}JuV?La9mLM#P2FTt0eK@h3bp;6z;lu|P|Ht%VK`o~Kyso~P%{fQ zca1Lx|DV~%beBkunD@`$i&{>Ah2{$1+~4|1uLLM9vyfY}^AaNS{x z-|ZKbGQsGZAi6Wz;v4~EeS06d(vG`aRnjFv1Ccklds78AuAB!(axl)tKn^#ap2xZ= zWN>`Y+btyebZLFDW{I!4a!F2|7u$sh?k!Vj$bsy>gE37;gbGM#RbnvB_1q0&l@eU+ z3HZ_ziwq{_O~a#*Nr?|8V4E-rG0i+9&w!i6Ue|5@%B?S>YQnh;${tnc7UbV<&GG*V zJXF~=uz`m1)$GTTSyj|3yut=&vE{D6>Z~+|r-i++YjjJ_{WHdcE5EYo>Q@#U2P{pl z5%>nQ@`8-lxXFfZ9oTivbb5|}OSE44=h>uWu!T~!HU*5`(g*9yKhv3CzU6p1n64^Iql1?*(K`R;wUG-b^&5O&h>BS^@hon3jM z^Z9vWsDzBlpQ>+E#PE$+%B^l_LXzipq(#N5?aRB8f1P&~?L(Dg8pV}@F>wW>iKE|D z7_?LF_{@558@#WXHoJ{#lwytl%wKomd7f$3PH4idhE6xe<&G=z)>GXP_hmagha;UD z7A(-g+o=g5YSOGNHx$1>yRp`Ba=4xOb2U$&6La}C>@^*NnXY7nGj0PJT?G(7~rGW|+7}Vx6$B)mrKZiO~rYziBBfL0u@}}H; zIP96?kY=0IsP8kTdF$#lt{w$5{u=w3A#oFT7n|D6J3Vds?nv)A|Hxa1gp6z>Ay*@y z-Gm!%pfP7+hDWEH;|tyJzt=G((16oGH9CS3PRUPZ)@owb={AzUP^zPOtcTFO^9O~~ z`-Z$9r2Z(!&dwq>kV8k}1}YHh@1vlfGi`b^R&P5Nn=qj5O$4SdIfjy=)c5U{(S$>^ zHEhq%Lp)^WBIYKoa~fJ(-8`1mXQCjvIE2{bRYGY1S_ zx?npmTR0GdE|GjG{y>~k(g!3qE*6Ih0FwQJ!~HO`$oR|(K!KR}c`~RE|Jc9`Q*=bN zWYRT5H3k(;2EBIie2}FdAmQsMk-$rg3(irGth#-PTPxf$b^Sw#oF;HH?VK(e z8l1NCCxEUaZRtDTA%C@;?L$gk z4voo5)v0i)RX~de-Ph{Z&M_k@Zl>=&N}YOz+S@Q4b-`IHIC@P10WMf>3Pug3le>@e zbGe&98}Q5pkB`YXdY190(!^02gEb9qCOQVWqVvS>kfXh(Cw-bxk*mm<7k-&pI$7V> zQVEx%`RD@dP~iaH-aaVG!cy%A2d?!}Ovyc)2YG3n!f6p)aVA0c6_Dr)II4-KxZ#Hi zw55VUs3a=H?P2FJG65Ezr<}X{ERE%BivJv@0f~n3RK5{Dq1)MVl#q=D3TLI|`<5 zrp*KwQF#g%;?oA^i)iNyDORbgH;esgi#F)ftaFT456p%*^mpk?e!8pt!j$~kDxSxe z{EaX9&YN<&RdQ}sawb_ql`I9YrJ#@!+S(F&>rw`fQus+J8y0hs2<1YQaD|}ebIW)_ z%6<-&32m40NtMq-%P-cJiDAnb9LgmV%B5?|dAET-2jy3X%M})=Wr_^XRPvvxCOo^1 zC|64`gr$`stt-$W6}tHq*v<<5g$hHD3eJ-XW0gu%>q_&GO3VC8YwJp*&Pw}}N(ThV zNrhyxQ0Wpv!snAbI!P!G()|;XH=@e7v*LkDRX|8p5SHYhUlq1c_4uSB^rR|Er8){x zO$@1yld6izuTEO14hgxPf~a}QK%#^D!c3tev_M8@O(C`tMFC0~YGq{Ai>zx&2^CSC zwTU6MFQjT1;I-W2wavq|bmQRC6QCvkd8HJH83*k=d0rR-q6c2|BWmbyF9!2p40paD z=T|=|r5i`oeNw5LvaXv6shi8MTj;D?T&P<*siUY+>*NSfa2lk~yZ&2#{dQ;l?n3>K zllnbG!*7*_ed~t9kcO>%2w0;YGOqaVL=Mu}03L6kS~n`QHlBGjGDx%2-D+e!ZIqg5 zgfcd9FtV}PH1X`Pau+o5hqCe&unRj#kEFBkK4n>A6LpPhKKJH0g*U^~n&BdxroZHc zZn5*Efwa=E%X+e0Nn|Mzk*$sbNqILD<)jby_*yjOsim#mvVwt4;Hzsbq9!eJta9Ds z!ulcz?oT`@R)HTP5+bDt^G|$yYy904t!uqJ_BNd6j7%Lppli=B<@SIOZ~@)xg0)(R z+!fi8GU?q39%fn2o0>1L8wo$)6JuHvmBvxIL|4U>j5&KjBJI9h7gi+=qoixfxen81 zVmw)xahLcB9p^n#vs!|Mavc8^C%FtP(#Y{D60`<-?bXzBU9(*_QZDYf1SL|6OaUAw z_X&DaS3|!Ke{f7(iC|v!Y94QrK`#1&MM?9*ABkb zB+vSW+z5h;^00vg)%gU4;PQ8jWr}^dvZFXBcLXA%I^#cek>S!a(mYeIr2sM$KTfhP zk<+Z{t&-zw>0iPl6QE3=E~Q%>8KQ^;5VuQud$SMM6j(&dhVxKUN~BjRmKDU=#g*TC zy}($k_Sb*BDD2I%@tWr<ZHK{H(IA%8X20?4nQ;+4GfauD%!7%Q+)7FVgeBz1D|N|IjT{JB9H4d&Jmw!f0S2RN2gw?PF}8zog@ch@gGq}6 zDQAPhi;c>SH?qTqatnv@yM_uEhln;;rg@TM*fe@ zsvlczKfVh4*k1Utv+HBm;>U*j5G4YXBc~WzgX-NS_S>d@P$dtYrG88zkJtu|@sFG- zk4zN?&V-G8+I>!bG2)j)9a&-uq$I_N^Nt=Uj7FfnTPramcr(heWtO?$qITi*q&^a_ z*1%;093)M}kER4>)+*o>GO<3#PaB|^h9gU#Ru`pKZL`48XRxe{Lu6!3!IU%3+Ra19 z!ixV(Ami59^Ys|3!(c}mC*cpCOv>mDQjqMd?h~X<`lcVaO;_R&s1fsaov~1=HkC{^ zsWmlVoz=(Q(ATpf3etZv&P)zfc-l&e-ImDlfuaXuP--wk)Nu|iV9yPpId6D258CpX zSsTm{B@Uy?T+Gw5(TAJlMW&GheUo9lS^qkA73n!eJFWQLOy^Y&lfMp}C)PFI(9YZd z`4dF%RB6$B0d~wn_ojtPo#mnIIKAt_huY zUY}U#%a_q`%b+pn4FRllvr_Ghi(T~PNjh7~Y86C)q8Pq*If(QK#5#i<;+cG7q30Fv z@g&IbcaYlHWydZ7BP0}u4xjRRqc(+76Ebt5w77=iNB92B8Jmud#A@r)E*)Q7`W9}p z{bnh4dg;fA@m{zVSCQI5a^U?V+t~|uN8-jDD~xCG&Xi|~$yQEbHxqU_6M@HJqjv7T zBWh==YJJC;#qaU+8O94i>TlyC2VSTp=UHGaCdARxkD`6616{LQ33q99nybduIgp1R z?6}9Ny1^9_owUf4ej=^8Uxpd-*|cS@;-?GvwcD4xn2JJVk6gblx|<$Y8WGnZ0<#VG z>@^e?H19b@wk{8Be)-qu?NK**@qwpRz~da0kKRGJs$!Ilavn`k#G`|ZJqaK55y12H zE6MNPWXrVex|w>oj+CI$S8<;c(&zUI2HdY^iVkx^Zlg_T+=W~T^5Lc?)4F_Ok4K77 z){oVa&5a)JM}bftsy7T^@Th)M-1nI5mCVO|XnR&O2d!2Dqu542%(Uq7_B1<2&<#6n zYE=8c%Rmv7-0{FoCIGSJs^I#t+j+KR~DqI>MB^xp8E1iB)d z`o)sRU|}gHM)FnV=izfx!lXN%Ib(y&AD%+5SK4$)H!%3MfXl2H&$xNE{pD- z1}vT@%f)C4Q^;W+{KITX2I+*>&dvo)P}-Gm7Rie7vnD}K3a%wZama%|*``KmL2*;X zb__p*UZJt}$h%}OgBwWurB>7{bG?rC#FaS<<4g=CDA9B|xHS{l?@Bsz^|Vd0p9414Uj6_iptleqt4S>PX4Q^svl zxb;4PSCh|P{ZFz6-?`>r-E?^W)4%M0f7zk(-~E-I`db{KRVs8MR!H*;@IF%kl>6`>C{mR1dHkiqt*re3Jlr%(%|@XMIb1C~56pq0}am4cFyjkioa z)w!#k7<T{R!&~hI{;t+ zV4xWmCQ@|+Lv;PCswf?nm&BOK?%tMY*pd!?OI7dC*#92el!;u#iU$s9n|`+m-rZv1 z(o19Al){gfb=0b3M9G2sEc-S3wVx%dpU_Q|3}sx-1Kl4Ow8n3JO^}Ow;1>waDdO`j6#+AM}c4>QZd(+xL+C{zME0$4W hG`#YjOXQB0&9PGLL_vej)~(5Eljj>RgyF!g{{t2^n2ovDMfLMPn;UMNyP$#ya+~hR|4&Bp)Q%8~d)Y zBqUi%5+#+iXnuWv=Q+>0uY3MF&vWlR_ny~1cJ{W0Mt*$Y08khJ90LBy|8Ua3QAi3W zCWZSa0KO21HwAPHp}Hkd!xDsH3DmR%@jor&F)hLT1B5aRp~TeG6hkOOSl`1F$Wqof zFxK~ktjol#%Y;ZZVx)Ugqo5IH~&Z?ldZ@QTbMN49xHwxx#z z0eKv!=z++{NRQ|)ppfGg-Q`4^Ak#+tXk~^8983wvkJjZ!>j|RucqC5+CG>IiYbgx|u_3{*>3aP|~=N+_s+3w%gd)nBMlOqAp zS@TkI*Ir}uKzh%wte)MPwxxSrt9d;f+61SthjXuIsjh3atE;PI;8V%Kue=dXW6$bd z^S|ggZ37D>6P$Y^oSG3%-YlnWWW8{fQ#Qq^nc&n-{OTH6zxNMMaVADaIL*yn6YKY8 zIXx3gT@#x<6YCQb6Lqtk=2_0b)Mnf4uf_$=$kb-t5~p#AGcvn5GW%&__EXQoueN{F zg-=~eoT-IR3kwTftDKRgUjwVZW|!8dmUd^CK25FejjVH~Rynh)dkd?(zZM22);X)I z>m!?-+4a5Ib2-qQN+(m%ZUYiV3^29y1BRT>7V6rR+rW{_troC(_c%woXt;r zpFZub@BZ4{{q^h9`sOa@)9$bJJ)iM2|RvTv*$&QWozIoaB{ zs;D0rF_dc*OC7&sczJUM>0jl94;7eP7;3DZtRUs6`HVC@n5K6Gzw;BcfzwMoA5Zi# zo~Tbiwdd^`=^4;ORy4xE1g#9nVJ>-&Y@R3`t2f?Rk`VcPw>@m3?m^e-vD+VCR*{BFo!j+Q zef~S;c;bdeJ)w)X<=iLZMeLV6}XMhBa{dH(F#t-oxNK+X*#noS~ZF+p%#Z)m@q z`x?epWhK6LzcKaf$~VF1F}9f7(+HP(qGJdrFL*UsrDn!i-UUM!uh7d^Xn#JqPgydU)=E9+zmN$J7cZ1DHXNU_q_&{fIaxd605ZFl)v{>dx$rK(*d z!Er+lE{E<9li(*AI5mG*zmvyrHF(mHR-d4@SD90ExFPz(`@7VoW~YlmUEQ7~Cr(<* z7pLiOsyL`O(*>cnxY!JnNwMiO%;GDX_cc4`D@H_Q7OWwXcIGvkHMMFuRIbq^XUA6i zAoy`wereH5J5YxRJ1O22inWU-?NIFFK~UBM)dA}@KI3Gu6?ssuQe*JLxzn$dbSds< za!R5SFQ=!smOoVofPK^&*1X!**t6>j0$?X~okrRZcQ7->Gl=ZY-^YIk{j`l$Ey4x8j>$T9UMY};-y2|Po$hb zAM~`tc$U7f$rX!9%iQmM?r1IaDcDayYcX`Mi&sAx**Ar*$a9@=U(3)ncPtHfTN(H# z97Iz#k6Ia4>ipK;>+1xXF~#z?ht@tczoR-7A9n-`k(9HyxNGpa!)k-E;sFHk_|^(Se#)iU0I#Y{(8^BzQTN$@AKlTVW9jiKg2bGH3=uXOHp`a>r*mj2-oP6)@5|mv{MeT>R(Z zGWrdKe_u5#?n)~fS;;6z4?j)~?yC??l4l_Vx;w;+_)pwMtRZlInWxjvq=uyh)X_yV z{N~t7V$9wr6GMag-xc^}rf6zYG#(>~T}H`nf<8MO22}!hLN_aLSwd*zD0S2eL=uF5 zc=*UQq{t)*E`Cxd0XVXod+>ov43SIKU|LDeeXTrn#$N7pp8|%~0ad%&Dg{|0XHJr& zH7;Azd|lGr1lPLp%7H0CEmi{7jl&Yr_T$5S5S|dnc$1>Z-XOI@K76ATW_i@1i$@UR zYhnZF3zm=r_pc>qh9NXtChF?qc(G5);vTTWG0RkREUaX*;J!?~*cxsm-?aDO%y$rK z-z{$632jglZU+{V%ibB=aM2`6A)xZocgB2Gpy3v?_UUj-bwV#dfVsw`frV83w322U z9;$A~?N}DiY>2vi-LRDGrJn{5)!U_4K_x_qidq}FfPQU&IJ(xFpN{}=#}K1x+vglg zT6A-R!b6@Zz=YkJyZwxu^jkiDh>p?9IN}ZmN8>l`FC-?o&d0k(FBkJn${E}d^OG9e zIK5=K0s@N-njg!P`nY71(DZlW;j`a9PIsH@drCaQ&zhmN7l}#Ho33?o9|lA)8+j@% zU!%WJAm9)N&v}GfR2Y_p-}{n&oip^f=JWbFOv652jPoaO4h!_}@$t_dk_YL^<^lgGFe_*sihfjMtkN$hr>_rDCY#%|u$KfT=jBi^%5 zdDm0lJvan&JGk+R4S%=56wKhlN+Faj*Td%*=d4fhlPQObf1@Yy{_&o<`8|%u0Mu)o zA~y%G5#uFOV}+MYs(-GEaE8MsCN-y4=$mXx2U!y#5(-YdNr<#;->}1mHiFZBrHYo8 z(G0+;LppD;5CigM{NCjHt46F)_(W5D3XM-ykTo2wPqO$Wfr#q(Vp~OqYwf7$gx;7} zLJnCOo}IL}vnzu$j(yeMq@|r(tPq4&|5ugdBjbi&6S<-vQEGJv8JTNj`I3+XF_-QQ zC9aXxt8KLcKLqRli4(yO=}8n#W?o~(0j}8Qw(-Z@5nF}c$%yY30)B!njNYR|ErVRu z_qOaNL9|c+{;1WND*T4^3fyXqxO9+-t%SV(n9*|HiJv#{)mu0wUtO2Y#T8}x+qSJ` zu<1B?z|QAH(J+Vd?NGZ9#yAi_@!pDRQ#|r@zNx(%LpO*N4~V;7yl`~DGbzp^4?)ee z>U^SUD8c88@$N8P$NbkiS#ejUrbg z3QSBlU2hv3kNa+$3s|YqRJe)1y7LIt3dg^(PJ_KWarP&rrQ2C&_;YVUxEIUbo=^HU zwx$_*EX+y((Pue~Byk^#;#M{uva;AE0PweK?`i)1X3ZV31_}FHllxH>8U%o+#Y&Le z(p?cL^YiJ^(p}fjHhO$EacKq@9~jO9Vl4c&$^@?q5wEt~f2LYSSxI*=ZTVi23 z1XLat##;~A)yEtA!SORcoov-BOt3)%V95pw1)T{Tf~!Fz z0={$O2bH$I!u^fG8@zr6yOF@U&%G3;V#|nJa7{EjPU0`;{<|ERv>$SLpLeZ0@d{mE zgqb9ijh^P>QW5Z1SmyPGtK?DX&@k8+0*@XDTth~G-{HAh2@b={1rdO~dNgU!<~y4w zn4R#%51zW5Oam*m@@K4;8Rx$|o^VVjXdn80$NRk>&tEEnUI6?@zZObIKmDF&kj?ww zPROkdsV{7b6^nOkPEnfxoWP*p0^IFk=+|NB>J9Eq47$Pwz_HUYJ-*u%#M<$6Rcq8h zz0b!psEat5ei^t~4q}6asr`gqVP`Wo(wir_zxavi+DnWvjfFS{!84b<52li!%nV3~ z%oP^6&J$f9EK^0`I{-igszTKcdRqU=0f@JhpG#mv6^`Nh%iz5;m54Nwtl#0?XD4Z6 zJFxP*%gm~S@57hhxraqs2WheXN zI(IK#!?T;q;DK>J6SbEG(3THxu!J`aX-$(UduMX1k4tv3`8okKmYr*8$;V(A{Uvhe zBqK9FsP-awipc1xdexzN^jnI;0D%6B0V^Tp^2naXVLU~Ki0|zDCL*6d7VOVPdr%PX zfYVPYd|DXDEXMV{93s)aK+OvphzI*H&hrjdTlgS;Uq<{>j@$ z;QP)-&0-*0YFw}Jkf%F*iJXz*EpfYdA#lT*3ZerbVkC)679>bi+F@b0+qCUd1QqIq zjk+s;1fUj{VWI~20tbaD1a!2+zvV*fI>>~2@}0v}wK*`Wk`=}oJa-3bZo4F=%vRn6 zml+U%)>;4G^=NSvs#UE@N=+^Y3%#kw_k_w-w2VH7fz~n53D>F*Sk*~I=(E+wQt=On z5~T=|KI*xw(}+$?72Ba<+E^}ixuSQDuRRg< zflVsM)Q!zo`*SFDaw-TlRVWcvV6bxg3OSotl%3GZCj$mi!i0~C`0G#phj!-y)ax^1 z`GPOsGmNdjNWC7+;B8fvtitj}Nw4ISL3R+Olz+9; z^`lbdkJd(YNl(YNjfc;+KX!E%DbVbKBiNZCF3S>Kmg@%8Y_7&uu9&VQ&|aJ2(V)iGvBQLYFcIVYp9_CRg^c5@cU2UMvq);`O-S7dTf^4zrpq+Ix+!HAQC{t~^0tK0|oQOk<{%k4t9ihD;HV{x@WQgQq1vxv6< zDpEYOkspO)fbh)DJPI=>t#6&$mLJpcc!#g3V>p}z=O07l0;tlHGD3^O_lwO=nZo?o z6afn4vLB{&PuQHuHIm5Jv?X+11o@*%Av_eOk=EX^IC^q7my*pZt3RfIVcUm~8A+7| zGsm0&m}U&>K7lV0+kEl(sXW4f!6a}93k$1nSuZPIlDbhvMz4gH)Nu%iccxs<9TP56 z$O51{mp#$=Wy0}nJwyCSZJWG*H&=?5ph0)e*Ma9cL@s~1Teg0(@55Tw?>sq1;47lC z+fNSGwk!VLNgZONf0H!sz7sNU1&7`-yHIpmT%-JoBs38~Gg)29f5Lj25$4wg;jF25 z4d_vE$Qz#g-wTJMj1X z$Sm@F3&AUU9?5e+ZcYVf=AAKAIUJM(})=3+svdIjT z&%x>&{OcKBR4-xt2@UQZDQH(e&L7J|{iPVU>%C7dc^J+ zTQR(J=dBC(_xd0VVNzuheK`vlWK~61fRP+3LOcX^jG0xm^MXi4?Sv(919O!C+~mjr zFB8`IZ7!a=lnM055Kx)*a5CRaqIG0i7U13~b?OLr@{ZSQir@i$EP^H|D1&ObOu7Ro{xq`($rxo6OzG=3Wf5g9kr?V`0L4a%EVUI}9rI+4=4ci^lCi%!CvlJx%n_CC2+TyF^sCA@kka756;<(hT!j7(7`VSN58eENQIp7Y(k2Oqt_VBKHC z3DPI_I8&z3#_I3Udg?FhP7VIO;IbF$aZ1i>+lt5<+G;tE#7!QX;{!Q`4C_G-8Oonc zPokL4G&W9UL7?$YtED%!?;XAScPII4vP-d%ma2=|Bj0Dgd|i;%ewqZ(ot{{LH1xp1 z;8E09RLh(AR~MP5YaV>e2IW~MJrQPU*%)tf(fl#jy1F&%lbTcOu_mTiY+R1Jw{@bR zm3_lNi99VCRyRkg(QHi1_BFenlW+&(AJca~Tu5kWo_HC7XTS6Re$ zw^|m#S{C;A`K9RdLhxmh+t-#+z)qE0SCln=)dg!HUMqO zS%4%Qwc$l2*(2B=v|Z;4zHy1GTn%79RePxd=Le@$PZmUO$}3G-ZwlNK9T|~&n+U%^ zksrTS=T+s*O=#2-QXMh5cu(h$%5a9w*P1@QfJ`$hlxmaVo^zh&@Aw?E^@6xuyVYd{ zr6anM$4JKpXjDi0!Sf?!4u|s^pE{3r_m!PEzx94pqs>}*QKkGr+6&1mbMkSL?3qAW z@85EXfa-p+wJkl^NmVGrG`sc{L#e@vTb0uCSTo&V-E$4*&hSH-6!WSMSy;Vlusf&2 z?YjDn5w3~3bmquNSrl|c!(qvC#=TarIpn3Y+#UM?4N}e@0mwzq;UB${Rr~kvsB-?m z=48YF%25o>xBJ|V=J7pzh{#rKwn|AeSr-FK&-z}6HW@TiVXDi7qxVTNa`F7G&~%0D zqn6W?LDS{QJsK^+RfSKkrF?xL0ItKr)13x?{md7Rmzff}rH{pC;*Kg}J*K}Uw5j-C zV|tfj>u0?uPa&~HPqAkwD5ykHURZ{L&}I}&dI=FIb}?g9S!yl)=wP*9{?R~gC6i+y zg}d?~ZGnlJ&V01A(eTl*63;JOkZ}IHt#vmehCd#WZb1&9BD-t;>~@PBD5>#i*8Z@F zvAfz9QDHp{2)Pd$Cnxx$q<;=MY%ww1QRhjiZ187&TZs0eybMRo&aiHhhjVI1Ua<>U z(JtrDxaD3U7|15J=;qTD*s6z({Q9o@_Y@j#Z1bnl){)0ZzO#~Q^<0!~V1TNl;2TwZ?mU zx`5|oRM99YTOf8d&WWHfOv0Vbt|h_GttSj?5(9E7+6AGwFKMIFOhlxhly(OZKy)M; z-9FK6*rEWtA4Eajep@bz^u*XeSp}6?1^grlW3)pl$gj7SHFZEa3Qjzp#{8BiPBHRPT#^P)^D$$j?~TfsfaZ1&t!04>lg) z@E8EbSyl*|AP5wKBmV8JOx1c@z#D&GA6m_IRQ)TA;zyBs6845ysXl?*b|(Lk0t{^) zhDksB4bol-pm!wzR0kF~jkf}PSrEq#%56^jN&8|?{6xwIIQ}joj_)QFK6-_%T(%ER z-HfGa@bt=<2umF*TH&*&KDId}CZK?5NFs%mXWgau$pZIOnAnJ#{Qzg}zgf=HC;J}C z5-i1U7%>2BJUrHB__94M{%uXAj29LVKb`YT1K+C~3UibHB$s}1#!B!QrHA(rhRc6u zH#I7+j`&M0$(&5V<_Bw{eesO`zf%RUW$@8~UiJSZpdu^P1H1Wy+$Y&!(GHBSq47^w zRnsa>iDCpw{t5YfvUmp5X@sdEBXkrB9d)w7= zC{dfZJ__k^WsOBA)J5nyq?{B1+KiJYtwNI+ww>n#j1hwl(D1%C+%jrunQKBR8gnYF zSMoSpj0ZKQ>=f4HU7Uq8o{zKo9^8w_&;4>G?iJ51(+9TW2k*G6sq3<$OyKuB+5_j# zx3q%!ncz=W0K(*~$44=_whcQUKGEB;{6K!-*@t<`PMBki3YimsU;2b21GUb$^BL)r zVqQ1}8pW_?jl1J4cLOm#@4>xtg#jr7lH`FtPfiEy}2mbZ1Uhj?gYMWWnNn_&phMGUw(}8sGf}$&Pk+eO0spz{SU1bBe$(5;O(s zI&-vvRA>|yp>6zSJAJZ;_q-HhZnF_=KUX2{_3yi}Hyrup3F*p5&HK1Bt~t`;4muiZ zNS&G@sw3B;>cO0@>IM-l*-33{nlO?W9b3z=JkB>(S3RhsIk*4m^|+9n9WEDg$M<26 zSfJ%O3z^Jp?`kXQbBtD^FPRDy3Z%kL8W(KFkAEZCGUSj= zKQr_sdK360>N!qvEE%T~vBC7mT>^p30B#8gct+VCY4=Q-FN@3BWd5VaFB_k%lzzv94iu~+a=-65`P%k^==t=I7JKjgcUG4X*5VAzZph5+~7 zhjZXkiL3M+qhbAYP+Yi5q93r%1%yote}}b zObhG*tb>z?1jubcgV>E8Jw&WC34Rz0M1Sp#qsHNZ67Kj!S%QFmU@_>Gm;wQQn$_m# zp6oBiB@7lmJA-fv?v~~kvIStj=Hm94(CTb8Tc?!jM$l&k`mLdU8$Z48>XvZ@b}4kb zcy{&#t*4FjaGI&@6b!c@Kt|mj`fT+_ARx0lz&mcMKx%wCe}Xj|>{8nOc`R}5M+FJ2q-~t4Z^cQHLB;jK^UxP(Urs@uFVm0w~{Z> zYiuG?9Djo@Eb}Er^I$NrOP+Ch^&LKVeP3%>6lv(?>Tqm9XZn13diN075S-o}i&^Zf znL&C2Nj-7^H}g;f57LPxX^DVpF_ZsA9| z-JTFih|}ALS3AM2)sxM)Mjy_IHJ6c6Yg6_6AaxS7Knj;zR0;pbQ3gICm;s&jq&D%4 zr{EK!s8l{I^xQstpAI<}1rHTZh>3!?SKjwstCaAH=cw+36DMPNupo_=62JKbtOF3| zol?_gaZn9a-9ShfCWh|A-Gj&4$ezxeYuPt z&-0MYmm#fV&g&Eb<@rp7DcTt_+{ZKV8Yba-a3YPsbuEf3RoC9;XOhREhxahD+B&At4Mm!y9yobdQS_r1c^Axgq%F9XIp+q;rLk zRvz-}2-H&}(F0F_`c>BzpKxV|+k6)mNrzL$2FyOdC9wd`C8e4~jVQ2{1bMhf(}NKZ zof~o1%SU4AT!XqVgPypYYJp8xzR-H4b8J)K9Q(Q1J>*=aqntCUf4*lrsyK+my`qzF zZZ0VlEAOL{bPGWvzsrdlp5@$Aky40qu|XaW|IWIP;mXD%<2;XNfN0ep3Jk(tUQK_Q zL?s(_jzFU25^}o%m;4N_G5RcfCv3vwN=_tVkX1PN*e2x5glhxUD8}~R7N{yVQoCPp4L3oSlVv zyCGu4@JM)4i}{vGp7I<#Zpfh154ulB%FIKqSeoRr-juh*bGLxhK+DU9zUFevl~~Ac zx9SUCl-VGa-_wahdi2ALc$5-#QsczY>AYPMRxAN_5pkQx(Edqoq5<=ncr7oUX_Af* zs9cTXkSdVRKtgsEbP3HA)giw(b1RMYKvOyrPr@fE z5U+TY==RHx3msm4|4tuCNGMSR4n>+Ms7{qI9$Bz7gmDRC3y)&M)^1S)q&1h8Rf-{m zH~lvjYH`3tI%NYEDE98L9OZc)J`h8Zl*SybHT3Fi$(b&B?%xvE7KU|khCdBobX1~} z3=Qut+uC1)5`RJ*_918ayy4pXJ58ODS_fntqWcic}XTIsdWV92Pal*d)Uv}$I){t zxSc)4;Iq}oj66=EBHOX%!SQ0ew-MIA`bCJi_K=X^LVD%Vf>@Mc+~6=*B=w;rBg=3$ zI72DP%`+|n2$5^m1T*6*5an>5IWuC2%R8OJQNH;A>ZxB_eEAvIumLp@$J6+1h|2q} zt)#HwNvE|~KK8U-s-G*v*_IXms^UTXK z#c$Ak+GdjOyncR53{pf=mMMgU+(dr3<5#-#s;(gPKLpr{n&iU{tzX{yFHtn~#ca6> zL#4%2{^onF7qM;Bj1D{u6MJ!g;Ly1Cgfa5;l9hb`85SVZWVH`grO<|*(}weCt)Sp| zmFagpm^%s1F=lIXi!W~l;}*7F+*$@piESNJe^PZx3Yz1(wBOUPf8qI&EXG=DMHr$` zL~5q=d9^PcH=BuEI+Gt&BK`(x>X{GukN?(exEx4BYy;uuK~t??D?8Y5xR6pXKJMG^ zwq82Qc{|A^O0HC4FiUxYh;-V!6mP@BD%A;>HZC*_eF^|Rb0owcIvv0rKH1#{#eOS2 zYNC=UO#On0w$ideCVikAO+LQVE9fpE@Phr}f>*pkeSI51Q&D++#IuwT1<_`>zU5wt z3rphLpqjFdxBYp+c{?3b0I?V!$Cg~0$8Vg`EH|Nn;;|qEK*HDyM&hAr$W-6>Boiut z5y@7m;SR>9G^?n54!JBQ9G?Mzv>N!&sBsfD;Jw@($}!JNMQQ~h25?{`hDY+Y(n z&yY8m^*I)C1q{$U>;$dwP-ml|2j2j`49v-gsT{`|wbbvC2A@Z501-q~qG!Is>%FfG z_R?!x`sx2t&nUw^30x}M_issLZ~p!vq{Z5Fj*p^q1+dyi0oak2WS=PL{?O@`n6A!b z^Kx?#0^u&sy{5H?)G(xSQTAi!$Ta1BE@W(V@yPaD!Bf>q&e|!XAJ&qOj+3#;P{TxM zU6vt_BW$YqmT2@ldQ$e&k!#BdH`Qt+k`vb|_J!t!t&YRaF<^hNp?kr&3*Q2DZbCh( zK@L}Gq`QH82anwN*9Nlq1q$}6bB_dKzy>JU*ySHEc+~uLv^6}U}tGepSAEA)vGUf(1TP2g33|6oP84}BILjYr2>4BT&`CT+|WZz8bF zKV`*V&OMOj@sZJ4yBpD+#e|)~;OMYaEUp*!rO9gJ+)Gvfi7uBBJYu0-UM-)xJ$A`I zE#BXfbksuCdRn1?0+y03sa(zpi^tfZ4 z|J=IznlVo)d!c{K(PI3p;tLIT?^L$l#jV!&!jmzt3Pi+V+U!?U(Iq|2OwET8D+ zwOB>>^2Iqgq)WLueUUNP{sLF9ceNZ==CaWdK*DMk6_vI`&Y}$FrNihMPHlwPeQ7!cbcdCJF zG|P!2bUbqDr{ldqD}EVXq3&bATLJ?pqQQlhiL!_uh$9w+6f$Iriw(h09ZW1=3{9TY zO|aQv@xT@a1rY?UM{F9Pi?I6`b~{VBLr$jSaZziE9sd}PDe;6MccPN1jLl7t9>2V# z{ilKZqYwJ}{N=3s68YuA;?RFx7N>p|`J;I-6x0i(O+12%{892TMjUB%H8{*-BFpc{ zI|^Ndub%p(K#>Z`g@{&T;c8F{6}Ai#@ZA9$d0O%Ta|$qXLW*b%C8H+C3cyy&9x+-z z?X4Ohv>T@<{P(`(VJPEsSX5b>q2;BbllCgh0!#%=V6?@b6^oRpPX10M*-TEbSjyjU ztCScpNkV6I6~S&<2y_uR87ivN!{FCf2~IO!8x`CuV>m=9nMG(xZ>kV5HbXS{1s=jA zsoU6fh#0x(?gPAIJBMF;Odx&C=6)Ot`?de!iU)+DcwMyjs05U#WG!cQ=Mr6qM1+ai z=c^t?Cb-wQQfdz&jK;G1#KtV8|HNjBBAHzS8;qdR(A%m5S<<|W;R3cmDr6*{VTB`c zRi0b>5U)REB3}l8Yb(If1jdDlnR_5Wg8j?$$ia}E!inxF>B_90tH*Y;Im3bG_TllG zX1!;myZYG&6)VcOU9jptZn>;S8MR`y;>sRpekF zu0g&$6TR++Vek*RsRnqspVo7OciJ8g_~{^~_pR*7@HcZq({?&HiKC<-HHL#ryk;McMi^ z45UOfc?fm#PG?-0oUmt50X4BOACX{;P0TXnG{JHb!EwakA{aENmX>Pu4owun+yCo< zod|*os|&1@IPyqDaWId+^5!L!xH$W|WPpS2p#bq?V!=1I9R&nczsSna`pwsOUc{L4 znpf4^*=}J9?g?N!iVoSzXg9XPZ+$SQP(4-f@(EZ;lIXlVpwTR^0XBRTIli2l0cuM4 zwi?FIn78zvmlAte?$_lxzFB3QP#yyn9q|t?FuEXBFy_^u88tK{y%~u8FxxNmiCHc- zEG09SkZbH+P{{mlmHC@WRlh6}^75=pdh>cAP=mL1r6qu_wmkK@;l#YTYJ&KcpP%=p zp#OEOBSz)9zsUD6vMw1C*EW~K1x5hP&hWb&ugRg)dw2NDUg;4a_YV;IFLVYMImgjEvk{RHYG4hGk|8QZ% z;#x`P&3|0mNq%k+<#n4+e8t8JmP@0>?_2pP_nfcVu{hqI?dkK6v1(6$y|{BJGFCZ$ z8Zm6_SbH`>!Q^Bfe7i`qCd<6}WDyV@%=NOhgm5ml132bAdJ|MP;O5Y@mQcT!!rvMjtAyR#DC=&PVlM=(PlR<`nLJDB8F_ zN)B+iw}_oJH3cXRgWWln%cK_7l^jVbm}?mV0;roR_^6M2o#@4k8!-M4zvr%#l`78r z&ZkE0)xAgqQnW`qBB(uYM3;XE>q2(kQK0}y=hN!}{p5gC*8!o%?;R%kRv;bGJ>nKt-W|XkRW3am-E3%7hGU)}0cGO7NsoP2Nt6l7#NuoA=le zC+EQieIYHfzsRNrQ?RF~ku30dvi-7jQT zgej0O)YsyDdUM5=1wH0-z;=hnaZ+ro6V}WFyJ_aph9ele&lB--G9hkH_51`KN+>QM zL<&{~Mds67a+<`d$I7Gkvz#84e=STW98eng$3CCzy@AVgatGT2MMBN1(yj99u6`os za!&V(RlQ#h`uQ1UQGVo2_opu%yoKmm6T9Bs;hzIb;|OC1y`r{Y>IY%VFd|5396mJj z&c*EwFH>KdvugY|Zv>Q2aiOyRl<3RJ%sq&!QjAw+#a-Awa-6b=sD!}0m#_O_#dahu zn|z5eOdz>j>%za*$`e0S$xmsges<>`>hc%7iPK0d(LlL>dz7u&%%@E%hw1i56Ih0( zyv-VNziD?J)9>nPt$enTQ$JE7zE#Psd0YMT3Ri5gLl*eZknrJ%3^R67h9W^5*XxU+ zLdbwKEPcyAL=G!y z#w(BHTKC8!1(uPg1Bo$Gze8}sR7C*6+Z;|4kE!In^vb_&l~fmxF2yZE6LDBF_Ms}l%4Moqwt1SzV$b#n#>z9mkJ z$Fq1B&5s1WnVkImB8w#sMb?K})b^c~=^Ju^&V>uw#4uOSC$-cP-uFpfFrGS=%a8hI1*lmkJ-9!3>H4!C5Qm7f9KAC zfybC}41qmjp)kpnn zW3H!cS-V*rmQf%8Xzo}U^XC1e*bjY{x*B#@#0w*RS*@oWif=5K14ac(ewCGyg2^c`7qRzLsk|sD;|jRO+zQH zq?~&;uc)kM{k-(ykU$^qZ36ns8UC``5djuRsN23Zl-~(#iMPUr26P=z{g?l7O&E~=i|Y#J4J2SYfYI9yz2 z6&pD&L?XuTQ-$0Yls!Cg4Sk=5FJ$F!yM6$SqzV^MJg@wRUrlLP($B_jT_8q;Bv=wm z_f?2ta3?1Jw$S0{*@8PIQtW>zFv}8@UM$b>Wa#%}rtAv1==eXq=Vcxp|JIxFhh;AI z*?|F>E*;gYhLrF1#zZ6s5JxlTYo7#8-m2eHM)qtrKri1sdFrQhvX;8+cOqOIDlE10 zxl$Z5W^clCqJ90s>76>u4Mr!*k_lYYJ664+-|rwmaMXm>hj#1g4#54VvHhh#X#PL? zeYqwlmkwNfPFjhBLMIk$-2e89O?cU2AN4GZDds8!iE-j`o^YEnde^UL@)|l$koj3F zWEhzAaFubUnBhg0z0QYiHoM5zRmbkbKHV0Ysa_I7pt&fq#$zwh$B2iUG(Z5zM=4(D zt*|Pk{uPR-h4CnjtapkDLn!yj&m0a2BW@uX@)XHQiX=RlsfZWV{95>*=RF%kh`*J$%Aof#WSzI=De;ER8^j#2<*{ zK8}|?9M30>3;5Rk`GJr|)uM0W+vT7WK5sd)C1#GM9U%5f6`EsZF_g?(d@-o0*CPH= z$;n>Bh)*cI*87e=$tFSJ_lM0skXuKfPt8cU#v*mo zScKy$-8bR7b3C}TOO&Q+`7WO4K~VAF^Al-(r8lxSgZhL-(Oe@P*0F}*6Su0X*BBrp_5!1l%Yyyu8RYavm&7*HCd%9YEa;$nbUuW_JtvACcX@wIXS zI8cgE)12WIvU*Axy7KAu(mVd&UT&wdo@|O;Df8!D{v~gDG7***K_d%Dll*-if7@t` zJ#1D>pIOtIt1}3zWje@BR_LyE^PA z|2?9;a`gL?RFt#!VRkIHP2GtXd7710raX}3+lI*jyB3BxV!b{n!m>Y4L-nm|WUP(E z+4z?4#|&zlAT7PA5L=Vn!MiL@Pp$y#kA&di2zzsOj@OOuvsTvXy-}1v0>o*`#E%*s zX?R%@`X|ut(K}koaSC`jF8ICRZlZ+e|8;N{UQKvy0A9j?F*X=oV;~X(MoK%nkx~&* z1}ZHrKg1fNOGZdYI6|dCK&8~tEg>!9Xb?og00j4WzCYofd(M0AdGGT)1TdtmzHC+f zVsYmykTJn$<7pY#l?b>PV%>})og3mrJe&3X&&p3(A#*zBO1XUO)=O_j=S?nx#kyV0 z9QZweE%os?<~IW2^M_3@HGsSNT0?3^G<_XXyWOXRyqkvV9o*b3HIlb(@1YN=U?#W_ z04jQ1SVcmpuWI1OeqAcdMj2xMo9*fdH{285*opu26RbbjB|mQfQ;bO6VuqbLDERNg zKToKV*IWv9)Zp6sj+69P-|Eq(<2j+oM?1$42_!_I2I&VwQ`!L&_D+-ZK>B5r*?GeQ zrqaf)>gcr|gOQtEOh3Ta?0b~(NlP7*_sha`tAB!2Na&M0uOP=cu7B(|jF+DEV6k9z;^)T{=)sn@x@eVzHvGd5{Z{896b))_6vsd<@*FfRmpIJudhzf@FmXRH3! z`}NL&Ooi}H;jTAs5});Uk80x{BF7brmo z$%l7p(D}c$IbRB||8lwa96c76;(UH)h>P)oH|M3)e5aFIrw)XC;u2o;<2DG^vRVsK z98}Wvr=DB2)dmT2udIm3P2W-OQfnuxjK2N*ouRtYs)qv+gg)w#FnYoaPHvp~5U;eI zD~zzQPH{I%;#KsRXi8h|d4PnOwm`)6s1MKDK6hwNziE+;TZR@FQ6zzIzoqIM26zh{ zN8w1dO5@#LixLy&cWF$S-XD`ZwGAypIT*P{_R~9KW&}XIeJ$@ZK{d>swY;Kj0BNqbGi%yAhShdz@pT8wZf3SA(ummIsf@=wf({p5y@e9$ow{ zA;!yWQw3&L9!>QLjZ8b~r-o&+*R&NOc&j)S>o#_ylZT})LuF89p6tVmuJ zd|06eG(?S9n=P%X$YX(bH_D+?X_ZpVD;a6p+)N-EtoEi}+UCmUlcmT%#efJVypzUO z>vzlc&;pCTJzpreBWl6gkig_A2Yv2oY5XQ^UDy4CxCd@O^u~#)LJqT=pcDwa{l$W#7-nt z*oM%lv|`I0M;W;%2P2D-Nlo^0WX#KuFB$Z+%1UiTc95bkT-_x}p%T~muKvI(hU>Ap zbd~VgIdTHk>vY!WVg_P!)V>H?s6kgPPN*2RYwBg7Qy8mip zW(=eb>v(=PF)b!KDjAe@BF)hb{Fh>lq>yBqL_pmf&P!_ zD4-Wbw~@98$m5UG{Q4j2b6OQN1YTq>Qv_mjD8~M3O7UmP9eQj^Rs-wt3WCzk-Yk?5 zZK=)s0f`G-;6x%haMAl}ILiiqsO=55XkCG&iW{eu9 z67S2XM|lz{r0~WPx1c|<>Mh>tu9{Get--TKfAx^w))~dzw^=kzFWN}mzK}K>P1YvU zhk2UZ+5h1T$^+76-Jjj0e+pgDV$lbC5iu7IhHmNzdhyuLL}9|qV5tkE3^rv>8knJy z#M<`a(YZ^}+#jV(^oQTrJoj1zuv5-RJ1WY62%W{ow#EpX{mHEG4lW7omTj;bNbo~+ z*qfy?6J8d(fJ<)tvqL>{FhHFBP11e&`_gB{$q2JHF=G<@nR@CO`JnqymfQx@CUlZ= zN*9Y4Q}^%1hE3oyF(sQTvE2`)~O^j$_Nru_De zO{;0xM1%Cta*iBy4h{zTQJofm4rX(8Wl>|IA>t|@kKIUBe1=-^{>+FH2A72FGoi%!;6XgM-(Xi`nph2_LO&AT7xQ(?5NOMqFV5(a1!h+G3;^T|%RlUC) zmb!Is0gRK6{5QQ7!_hlK5JCQLOWm^4941nb~CvHnXca?IDNj-p@K!vHprXUk6( zm;G+B`-uJ7HV-#fQ^FPt>iIA0AD=%D&ro6UIN^p?kZtLUoUY=1)j-_ zT(WcTvIZd^i}B7BA?-W3CIEtfv5)HCM45sPwe>gvd!j$6-I8Om@@tc&wIx*2_aE@- z&=lrsjOgJeu)8zS-yHU~n6IOVyE&34wut+tqL5OzbdRhF+Kn`dt%NOAkOqQ=Yyd1a z>_4r!`WBlx14mrgu&f{^#sCeiOy+&#!%;pK%ZUY!w+E{~`jBNY0xx2}6PV`XCS_x- zowHHrkf!yaAMp_-m)vfO00=xa;Edjo{Se4kgkU$9;fGd@NV=Ih(%BjxiSs369+e27 z?81*1)%r;MYH2Gg6|Bca{8>d|(U+S{ghH*W5Ae0g_4hOO%9+9#YvlC+*MIr;+B#8 zJ?&?NrrF7ub?9@sO^7w=#qy1)=XSs$QOxizIoO6A zzE_N#DPM-s5dzr_cj=Qu)K9s3Wj-nwI%sGe$o9BN@|2n@>{tjRnv{NwZR~76`fjP3 zNuMBgN=+O(Oj;CB7n#g%SvOiYD@waI#FGKs*wKx`8y8UJ7lb>!L8|t7#a0YZr=q{H zJVc^x7i^b?`6LChl!{wh27jD0CxY#r_amZ)I zZmM!9Wc!U67`_{9-5qlI)UNb_s_?j<9HiR_Sa%_967x6GSl-~uTX%e06}DqgH$MhF z(}}Hrtd*%Eo>l5RvgFK-cgX`O?Rju$sZ3-7EnYQR3f{VkdL%3lH@KY&9z$PMwz?=- zbC_x79{f}4=%UemZbxvItMwV&_(vjYMeC7)8#np72AP@3%e$?Vo#-Vu+2>SWgJO|Xdq1ed!oX`6rs7}G=~|D0)~@;&?K?DGmpCtywV2Dd zIO+T<1Ii9-taC*?6{*?`RWIS+W|(3xw;#kvJMW_|Txc40-(LK6wnkRb7XBr88dsojbOi_jKiz-u9xSmvuyWsb!aan+GOr zN~qTc*S2`nG!o;?6q{xdo2r&dNbpXXbaATJhL<~bz82w}j^pqY^cQpEA+R!y%j#wT z>Iey|j&|{GvNO~`xf`5`)U4-Ch4}s_=tE)($?DHKn{Qeht${uN`LGG<1)B6W)ED^BsmH%FH2zqon@24ZouEb3{hfUClRE zLuOF}Lr3(qBO@%o;*NOmxhc6(Tb%6wunfbE|DX(7yYa1@1slcSSM9!h0ZeAi7hFAL z`@ZQf#Apu?8}IAdzs-Y`L(Ho-@m@Rv!o0q4GUx7WdhF{0XJB8pqTW znLBylxBOCEpR*rl2+#v?{RQT*(DKJ}Rl|Y}Ec;`aJtg^lvYgV*6dQQKXKMULP!WAoG zZIFBJ1Lrk>rP7jnE~q>s;{5v#Eysb_+lvDJi|o4X<`p;i53lIt>bZAhOTSCK-M`%6 zK!@=>(Xu?Ja9^|fC?2zP)FuFCImQtFmN+r)09bJU7?+{}3WiWKEO(6thy8?x(>MX2 ziscsP1jK8%B-Z;ic3b{&G=#nwbWb2#mt&+G9iVcjPm1;-!jt)GKlC|ie&o}WYF*qMd<8?03UeMJcr$^OI#$6t}D6OBD{W zq4}=?O&I6C7-HTXP8b2EeOLUoX3?ONxI+yQbznax{i^#Y9qjb#O6fNNCH^KGH~;+9EL>c+2w_N(v-0i;*J=s4#R9t0rAbyZqvZ0tF&mn9 z+PVb=Uh9|1V&5L*y`8oA1Xp!p)Nl{ptJ#09<`uklUgE<046OswpJLe#GABWndq(0# zB~4LZkkwnU0DC#V4_gNCjP)SB#>>}K0p<-})+LL#tl&QIfRPRzlbX>i7#3EZ&R3T@ z8NKhM$u_Uln$7aNlAPYz&bQs$8C2}JPq_>Db`a!=KEdX$eI zBH?E^oS3}srbV28^X6HAxI=;Vt2^Szl`Bq(PKrtaZ__+Z%P^*kCDtVW(ATSVwYL-` zPJNQ@I_uKME5E(X{_|i5#4@oW=dvFuepxZ0iFPX=5I8UE5OYE9k|OJhTn~grg3W#M z)45#Zfig?H6qO^KHhrM4%h2~!H0}MwlM3)D8?|kvz(}w5^1Hu1u}plfxT86kqEgFN zGJ|S;dHDri_bP((lL9)OrECmqK7gyX)pJPI4oB@JP5*mU>Cne^<<@S zu9bQk=1>1IK=DXf9$&w$FEkl>cW|%MYF~f!9C)s`RdnDFf8AEg#aOjJ4$7}vXF1@%7D0kLOy9gg9t4gOjFoA2>kBSCn3Y_t#O7wl^vKI&+PT}$`vUelU*L2llGs|3 z*MADmu99c&(6)uY^iRf`(O!$s8{&6cS4-E7CO?wr+h}RPfw(WSYO>b{I@Fd6()qmV1rJR0CW6s;??9Cf3PlPmR-7UQ0CPY|D8qxPDJ-7Gufh_Fpakrqb z|FXTuu~W@AT`+iZOW%2J`C;Ix6OgPgYA4!sk4mT`07Xg#H1EL_-8*fVVWIkxiX}ZM zLR#iOFc1!)m}mjG~RBnmu{CMHa<#R7HvHVsw{Iyp>DxhV#TZ2B=CE4$%i z6gKNPC79vZ>vQ-aD1_A)m8>3Qe7%D8f|*caAk`yLR%`xtWgw<3U+eB)xMrhQY4P(* zZ(GKO;y^&;gG1V~KhO>+G8JZ#IM6Zk>WiA89nEq{N!iy4f$RHFoE($qtRAARX=%TK zNA4ocgHVOP?4Ia>F1Hwbow}T?o2vWv_@|YH{j0BIcBESRYW}lR$}J~5?V-82txo~y z%rlNRco=RH3ua+uqe4hBLB%X2=8BCOnJ2i^iZe#1%rP2L=ALYJKeM}&#A6)QZP``V z>z*Y44)*x&i<=Vp2JK=+mkiuKPuYkvQdmgOLhn0kpu&ENn4tY!PPr4T~7jkj+ulTBMb-r^F@@#=d*ts=L7oD z{<-?(jtvpm2n{<%y3S1zFF6(Kx^BR#(KvVYZHx)fuU3r7BuFiYB`pKug5uEVp(%f` zhLjPRrIonD2#=}3<%5d$<;c&Klhi5O=P2&FvcPIZCqRLy&Elmxf7{(`xlGrXUp2Q6Ul2QIupO4oa&E;1cau14(Kq#HG;NywD1VCE?DU#mj8Gd)$9 zKet*w0U=-z6?{Ud2(qq2{fx8{rldnG^0EshHtxE?E4}<_ms@&W!$@Vl>$m!_seb6! zKaTSp(^*CmnWIXwBK8elQMg8UAU}*~Zc?r}Zf@1))0=T(^0;0$pj0suYF^2`*&Tl7 zZKLy+T8N3;9ZK@;DQsSwvO5`_1+V2{RazT7@NZ<(W+0Iupi$_pqHLm*`r3dLH)W~^ zVHDv9y!ukLwD2B}NAy&zsJzs4;P-AS%0klgR|Yqn^{=H;9X6y=+7deiLZWjmy<@z)ROe;3~I>kIsU~!^`~kUIykb=f))j2$IT0mSkC} zWQiT-4y67nr@a|T0t9PM_i~fmB*ui+NU+{6iwa-PWzy#9qcL&PBYka6fofB6u|~;g z0;i}i-$jYcpEyq{>zr`nV(sA=75|X4h`Tl(?G8%@xWRf~*fpgwY>0T|V7M3%uNbdd z)=4VG$EbXDi^r@`A`yNtDAt3iO$rO>Gmr0{T77&p^oV&Of>*iChEIg-qs7t`qu_Bf z(JOrDf@4+bnHcgTX-)$3yp0Ioxq4xE({j?|W=?@30Q7vHxS+frlhCTViRR93D)NYi z^cKev_C3{*X`LjJ110Jn)%bp&ZRZa%L}HifC@F0``EQl+Fs9?7@*JmZqoNt!B{(m8 z+awW&Cwpq|XYl758Ugr(?Gd2IHg#mNuVblJG^MQil|`QqXI`C9jIzZeBKg}^1)H1B zs0Yt*=#9qVO84SYTZT*(@V0#0R6kU-qQhZn37dZ?g931*KR1!fjq4x~`D`R!80KV? zJV$NtUvHe1VIO0Q=&66iUIc0Y?W*W>$EvYk>|%RV2K(F<%bY!zSL*SCdtv5`)tNmb zkAHFWn%N?(EWO7_u7ORCCl)UHO@_y)NDBlZ^OvefOY6HuTKUvvdb+%@U>;-5{gC#2 z^Q)EUx0x(}ipu%xd#U&Ln|UO*O%MS`91nBm(wwZG0iC`I1kp6KH*?7RZ(v&cKzDkqnZY#V!`UOj@3B7jl!b1R18yZp7k67ad$K zhYyHSa9FynT|>G%YTeMyeZm`RB6n38d)y0k6cc(HXcp+Xf|^NSTZSw3W;t?jzF z%@&kAUB%?&pj+|BpO_13ASm{&q2@h5PDgyFa41X`q8q-V4o>CGf2OC3wX|;BK?u#q zB>Y!RVU=~{Z*yEQ&39>2e_?&|{nH`F#yK|S|2ye3G4axrcJ@$8yQVVG;QI>Pr|Ztg zW(yI##tU~e5UA4&H(5zucKcwszGd2;=;a7$^)-uf!5vbi=m5b zt~hal%{r5_4=`dls`$jj-vTLht0uN0* zdJ|WEb}K}yln*J)7j$$v`KrMaUj2WyTXngj%oq7g2~zd#t`C|lqJJ_kW90Z`7th1P zOBNsaS6UR|H-bG+<~i>@hcX0`-a18#m&UY{2jf5~1jF`ePJwog8A8&F&U;%<2F#7+ z*hH@%cY@-|;t^93T#4_Gm)6w0<(i7bKsNxJ-Ll52Dha?1wP%8jIcn1k|M!N`7v~Ht z7I|44plrYA8@J&tE}#DPU)7Fkz?UHznT2s;*B3vMzPDW-v%Ly0!wPYJnGJ(c4g>z2 zv|bizF-s~+tcy)}SVfFIr&1m`vZdP+%2$s_7bC)A$^;hSEoXFQe}-UDN}qAncTex`B86oDscaP2rHKpA-YA}1vL zfkq?Kr$DxYsOu-!$?Wx{zy`S9rKkwzn1Bu2wo&rtDBST-zKE{VdH`2@gSsYV?-tG` z+z8O*x^L8Xg`E@~2!0ref0zx8OWm-|t}|jGFmEE+FRRKr?Yb6YNGLb+*xe8)ES@X{ z^=?w%{g145gOO<42>*p)$uMQgXHIDFGCLjh_^?Wzvx(p(Giyy5g>4|wFG1fh{@6Z3 zi79~1Ch??!Z5hLo9~+-!e|IY|au@|wFio2EGTQ?%xfubBDey&`@V`nd5`>s#`a_O( z?Se@}jmOQ4ge$_K0Hc3%wU<3|Mo7OdvB8dQ3?H@N1z~xf0&ce2qcBUo09VivefTgQ zavXLQrk;b6Q|9__6cI~=RRdCc33@+F?+)3pf9?f|t}DEwvM*2+KEyyFCKS0%+k`sX zR&kb{Q8;@p=7}Sp3I$HjMg<1qktEnp8xEmaPLTv1pDe`Wf5PV*l>6|APC@{Zz%;YL zNWbW9Ry=y2kHWl1gXegOWl*F3F@au8C|AlQDH`X2V`_H^+Z+j@uO@c0NpFyjC_rXl z>K2>NE=Q=|69s3%Acnb_&$_YsWT?7de}yL?;&BpbzTsE{+FZl z&&<|$NQlKc_((3FCtc}%&*K-(XR;*=(g^_&0N7GPwuj1oh+$b`0o|Z6(&;Qz(HO)X zS^>_JV~&uuBnDIe=sijQcPi_d+@}Tjr_2~g=$kVwNcLY;R$KfHhe&86k}Ce>$|!*; zZb*91A{p^p+8NE zEfTLZlAsGPpwcl_HA3t${$G#Mt|WnDF_3)_S(E@|>!bPYQCW$|4EufP>s(9=wPa(L zX}%mBiAl0Fe{pq^BOR05+5j!>f40-i8;6H7e-vV&f{7GZ=Pt)4-mia+ZN!`P9i?O% ziP+rb*ubzj(+a31P#+oLx;psWC`bP;lcy#qboc4)L`KEfvjPVb$p8wx<2Bq$QaFPO zy_pd#P7F9zgCFg3Ez&FB3m|p?=p#J5VwZ_X1?M{PNd!Uyk)^!utUXBf9TFme2wCXk zBGL=W2dc*>+3#Qq9o!%Zbasvb3JWKzCkBcmJ(J1K&;-=(B^K|nYT6N>^2?M9wLlMA zKtxROXV$u4Nmh?1!I(N|0g=Py_}Ms$H4G0W5Fh=Jc{x}Cvcp5e2vk_)@haDOkgdDZZj?dbG^homsIGYDZ{Lt%NEHHsrTFAHbf9^`>B&qmjUDOL^l^1imrK za=cbKP4IgMNS4m@8^^y{9Oc*xWD6id4!#mEpJjb<{N`!p-9{wLnO5<(92^iB&`Iao zK_WV*;QghCIuQeDd*h&y~ zI#u~jfIZpb?KBCVJWxiB@tfIVo3wcQUPf*K4^I!Q(zI!jeFMF-TiZ4Gjsj!PrZM$J zypu5j??yn&lHLc5vb0n%Du3b8{j~R|S?|k|+IHt!W!``^>!5xVn9-+q9NLsN0^1!L zlOv^yE2*8os(ly;)C|1sn0*_G>yQv=YNRopZEM|Qt(9(Vk4dA+xRjmEhc(ip#c{8% zjzSfR;V26D3k!QApi2+erl#Ei#sd`6*#JnO;ZRq(PnUiqyEUz|aF?r)2$CdqI-GDs z5J4y^)A=H%s}wd3A}D#6%XX;Ke7?(fsPqCHJ@9WGISNGq0EKiG0JRGY0BGcc0d$Bp z03f-`5$e|k2<(cg>I!Y^@*C;{eC;_u)*C@#^Qr5V1OQy;p?8zngYwy$kwBA^{%ulU zGnE-I%IGv}>r1H`czVRkpIq=8EK(B0XA`zPJ! zi{SUSAq+s@)w=$;?ZK#fef5_8FRFUl{f6brdyTaLl7QX>ZNSyh;h3S`H&ufz+5>s{ zy_5Hbw=9#?w?DWhv-<>g51nw#P?-zshA!f|t*OimWDjv3T6}LvgTi*zW@tNkG$NNR z$g*#SGRnbTw@m@p=7XK!W4tM2{MBQE!(+nLB71=yVshi+R^w-Gjh{^!m#!X{9Uhna zHm<<_QBm%rveie`lyT0Dv5%k(wc(FC-#(sapU{(=FwmJm(wj9-u?eHLrox_>zzNG? z2G*Q?(qwJIo?YDT)+Fnt$t$0+j>D6=uO?mJid_5rZUBI8IEi+Xo7&WydOQIo`=P^5 zxS9d~YI4(zz#;RXX%oF^{g>0GdSiviUKgP#pSM%%V^fZ3pk&~vL1br0!GPu7OivX$ zV|Y5vYEUB|?L!%2*z|;4ow;y-hMG1b4(_sCWI<8pdgeRB3&4SG!|6gmYhtd7pLe^%?e)|lq zF6eYR>HU7nQ7$)NP3Z&^x+6%l8K0qGOh5Q9S8`ofhA`0UejiMi?$LIaF1+wmaX~C2 zQTruyT@DSlq4&=(ywhHMQm|Cm*1w|-C}`_D8D6pwTGoqXKRq1)6@oQLopx399bq)Q zW|oNSHnCjfshLOjEebF2i~i-Bob0f-Ud383MNo$?%rD8xuM}>t7HAJT%hSJo8|szo zue4h90jv$+d-V}$Lj?LuK3g7+&i$9mbYb?_^olit+vYEaGoUk4ek00yBdVqumcd;3 zXZF7x7HRp#>$=NoJENY$o0Of|(-W>!;YF97k?K>9ZOocM&Fr7IjJ|Es%9C5`jKHoy zIJ&rPv3Pj>!s7Y_=aMXC!%%OXun5u72I#z7CVz$|W7ZrWb#lwE(d4%++BzS$Er9E` z-v1r;80tJN7}UUY=cH_B4R@McTQ~p9apPpl=;Ae$8o1kUeVh2JDDsy~?XPWHW^Nmx%jho?v0h4k=K%go zj>zcvt=|11*f#!)Kw+oP?l4oqG0_iXjo(ZjJ&yiP4}5!Q=Q30@GGjRQCBe1Z$*-4u zi@r^rd&XF6{{DUcq?^V#s;Obtt$}avPFWLs1{4O8N0*(nM|DNeWsDgg;s{Xq^yByK zih$ANhdrk$n}vIaXGM>;6pu159A&wpa~a=;gn%7|jQJqHQT7_9Wc-XH0y*=S{V>~? zARo;favG8@o?QrI@EPr{Y|_ss^RYZ3{!r-XfcXTk2JY7m0#tc^-Wb||6tSpEwi36; zW3EDUFhO7WG58xbv68kGZMh$pJ7PIPq`16ouZ+cTh1^Lbv40}vOL};y#E)KwoV}W3 zExe2N>~I+fHfnqFQOu$#X!S36?AFfJwmUy}RzFRDccn!_IV9W8p|aWxWpExs*=*PQ z(r&ec^ufG}$p-DKF4wJDfzDqbH~Yp zcMke4LVh?5SGvEvX*{D!kzE<0|Fzts>pw3+O1 zpp{%^Cy!mYHZLQt8cf^J=DMj8{3dz7>!p5{{txzEI-WJDZ)yttqvy=`f#jM`VPt;fVfI34Fw*lejk8LlrS=Fo(;3C84K){WVj0{GXn^m2@--SgMHWw zm_!)%g7p(=<~aYvF}1qqN@CM)Nw4I}7h8zdGY{j3V}wN-D*Lg-$`Axl*;LN-23AqC2bjmL03VK^*U|VC^~izr8moZ<8xlV4T*rvv^_$L5dEcup^j z&q;HGfAj74m;HwlIXX33d~*yxn{Ty&o2kzE!(0qBW%Nb^cjGMBy$_hVAAU;qzdt+( z3t~bN##5~M!F{gQv|w7hMtiU_3IpMtp^c4o1)ou*o5)K^9jE!r9Yt|{;NvSE(<`+` zsS};7`!YVv*WUl0XZP#%e+II*YZ*HC_+nIlq^EvQAi$RzjNyTv@4no5F4N00VCAJu zN>?mCM=mxeBcNQNK{aeBB0tZpCxr~BidQ9C1WMW=)fc^GnfRCMTL_w5;p7x}(6T_1 zK}&AVn9;3761OL)`{?ngRx^OWTl36BN!15qTO~FZc-UvYX`^#5-au$=)S#`cGhQEu z-RZ(--`Lb6_eu|XV>;5Gz}dySDiR>IN|N6vRvsIVkKK_m(fs-nnX+zvO(5^zkev)p zZQVu|NNnU+*QINz@2z%j_ocgFL#!Yg&mQ~1%=~&@gss)Za(o%H3JCis!~m=>)5=rt zg=VBbu39;BUy9d?Jd*Jr;|N{#cjm>V;`B(?KP>ta!D60;#&kd2{Ws=N3jzr^`c40(yskO0ie0HPMi|0OuassQY`Ra`p z3Gk4jq+@2oJZamSuNxITS7eOaB5G2KFIMr$jhs*PnKI6DsIjg1e6DkL_~Fd${8b6h zb7SQn^7d_B1S|GR#>DgTIPC<#ec30tm`y{X7`g?YAz~-FvRrt9^@C)BQ@{hp9$f&^Ln7;3XsdFxQ|0-=IbD z{*J1QxbJNiZmV}@n)y_CL7NrXbwy0Y%@;Xv*W+$8UlzV{2P;{xRGHn9q)fk2dIwU< zb;~{U>Kxo!j>YMF&FduPpG(_L{y#6@Wh-`7h&(4A;mC6LbBinJxsTZT>i3_GzQm*C zi6*WOY{4uI^KaEJ#|!+Gh|y^iF?rzF6^n9iQ%_FgN)7MeytEf5r~T}nUwx-kR!~yX zpu6CO!*08X=(F9u>DE1%-r(*%%6iMP6fh`0_+=~~#p{M25C4FK(SBxim58+KQQF0+ z;A}?vO$Fc7K{rX|YcwyHwayg&VP7W2yxT7B=Xz%qJhKiybMAqiR<4ZPT?=`7dg4i7 zb{dV63@u{6?`3$_X)MVjv_$yS6CU04ff5~yz}@$@^mO`|w-)+B=hWLK&S|1V@^-n^ WeIJJxPLq{8ji_TqZy_cKK6IsoVbf9?Nq=HFdP zLG7;rq*67K6<|^dm{cH53ZNzxP;v$GuUq}~N{m${&Z+`Ksl-t#tgNh%_SGZ`6=z>9 zWnYQ^>(149=XwmaMZv9F!L5<(7E1UFsEtAZP@~opsr6JURV|=}7|@~{&`1hsB!;vD z5kesjryJ5@ACg24sV0SXl0zHGp)FRSEx_3YlZfun&`?T5i&VUjdLo@1+iMlu?Ht?g z7TZZUD|Cx*rz8zh<2wVAt~w|6QjQq#vmQ@ee#CL+>%Po($mQmG1+!u0g?fV}AwS%W9?T0#n@Lki~N^9G$ug-Hb? zXA4FmN*CfwyU$)7xp;NtM8(3@t5+|Uj-{54QCfttl}p>HYTK#Avz24%6=N4G=i;kZ zvnt2d^Q@BUS1T(k^QtHEs;3L8CsG^d^6IBAwrr%gtY2-MzS=l>ODwofcM32&*TA z-D6ALW2@a`>%C*Em2<-SY2nz|SmU&?cVfMBdbfT-*fJ;Vp5ASr6Sgb}N2b?DrZ>i> zH#+~~xsC1x;n>{z*xW|%!fxl1P&hI&F}E?eusb(5*SjPfSrASvY!5C8rx!LxmUeqr zg=0&*6HB`ztHSA}Uvo>_W2?f6)!mWxzpHS1b$4!cdwNwkx4OHqy1lzFv9S7Ub#-;= zZ*pC@u>NadeRpA9xU~LjX?=I~Z@3{`+Spy%5Uy_gTHV-P-4L$-4Y!4VONHyJtJ}i$ z?cMcl;l}pv_V)JbufISj+}POuoBSpGwf$@3*Y5WJyYSa9;otag(XZXzU%SHHzb5>D zLka;QO2N5_+rvakY6lNBRrY1#RBe}?>Z=?MpB&-@oE}#>kVUY|R&Z&#Gh9UUst@kq z$ZNUFpXPJL!x*DC$fwumvyA)QwX$8S3qX@?vv#A`XpAGZ~_m>$o(b>O7$ zJ9KExpu-)up`vSh!|X$6mz8l_yPj!~^~GW><9m(o0)Al{-wr-9uweeXF_+{uh#Y-{ zj*1$#L*M`KoTI9vh?vZrt}wn`TiT*N!$NB+Bjer{1g^0WYB2v4b)APt!9GPrh&bw@qiZHTIRz z$Y*eStUqUu?9o@<7f0fAs!C>N+g?;15w@GUt{#;BpAdi(Y0(dQjNTr7s9QLnV3E#+ z54^FO=&^pHF z6oD-sH)9U)fe+}SnD$RK+K)`aub49MJzRH<#L8i(BfmZ!cTHFp$at6(kGme2RI{tP zk!v=hrp=@Dy)sHfmQ9KrWB>eEb1}atvxMBiPuKcw_^|eNZB6|h?LN23Lk1BH;W;m4 z0`&Q(`x|W#XDm4YH=y~8h0Lk%mw9nVTlc^4Y#BwtG28o(9d+amZTXg&xKF~EUjNA4{M&>i^l-~ zh`omfK#$#p1ENAF0Qf3VuGsSVheY~S^Ks7eYdaZTg{lWhYu_~gm>4$<+@A#)qIDrQ z6kyq`Wf*NDNq30GoZ9YtiFvfouWBO#z2!-6im#OpajB&S| zrxiL0mzG$=fivfRen5*$!k!)Z02$SrmtWX^abqf#ggDUeemeTt3&kx7GtATBKJm#I zrl=&u~Y9e7nA0n+A1dLHoK@c z|04%fH~G=FawvM0C3M$DJ52y0IWkU^g-ALQy8cWnXoX z+@P2~c@OTqHf2c5-T#FKj^9h>8a7P@SE2P%L_BZ=hynf{HrhE{(K54Bz1`C^+Fup= z?{!CVeNW`Qhc-|zFT@@wIM2;QT)WH$YeA0z3;?L~(`BSmI)M91&LH}KXUS~e(ebHd z$U%mOH`BxLzc?(BxG<1~?zZC{jt|z&21`>rB^kh_c<2hCmH0b~cL0{yPDGJte^U`} zs$BBAxWkP^n)uzsL;8(mKuI@TUMEOY#fnj+yV|S#ht85rm;gIMzu#~_FK^L6mz0cB zDebS!kgzlpi7G#6N^iR3-ij;?#=O$NKUN|)PYT)OjUvxV@*ugyg{f8b-S8{Fm+Q8f z6`NRK>O;elxGVR9R1`9!oi>n3cQg+Vm_;tCs$Za2I~%HPZPRsucih7*$#iWbUB-TA?zfYtLdFrh3aYy zRcM^|*rR62z(JW2Dv{m}@kyGY|2hpArUW*8`7^2+ahkJ`T3X*czD@{s;y6Tj?HDh?hhYs@(JMD=&0A8D2-_oe;Rb z^Pj{A)?6KHb(5-cw&`}?z#NDAWRg*Yzt(! zW2hwQ76(Y=BM*?L!DjKrkqW%{P?Z1NWa1OwC%*z;*Y-kEE)V&C7njVV%*?H1QdJedX8WFLG9wH(~C=NH`XhlYxryrtZk+MeoUyq)LD06Mo z-f7-a^oU`K_%Hu>?c7{$LFxObf&K;@?&eg=vZQj)?33sLC|yiO4BQ5TZej)@&$V&Int_ad^GgUDj7&xbnus1Ds2&?qX9#2z2^eqT z8u2>CANR=TGga)$jQk_6*nJW#ycUOb2C*KemDAbZe`pr@`u9>U4@x*f_^`L;z*-aH zCxDG^SM1}8Rg~bKPeUq+*>hZoStayh)o~5dWf@4KG8I>(ff}R1BdKDu)SUa`=vlhh z`6ifV3ho14()&%0NG*m(26~6ok2+o)p{M5eB3ZChAqhKb3u(u(T1rG8IOhFqLYPvJ zD-@4IL>z()hzarzlC!BzaY1kP3Y{SziDnH^V3;9Rcoj0zBoahI?efy=La*!~QJaKt z4ctYDA(q*j1J=rZPUTD`a|X7KS~hXQP9s=Jr(u;I78%(4)Ph|h4O2xqzQ+YyHVyih zh_f&SL~t?c9cj-g9$FU4D>H>_QOy2_N&R#O4;+@;1iLE`dsBk4{v>my71u$RbV(_W zO2Nc&!X;V~AVA6?7hN{R|8)lLg$aP>!PZEqp90kKX1E3~AGw%swgp_LC9$aoV(D;a zPKh%etjaIRKMT&5E6q9!|EY>>`Y5upmi?s}9p{-F8=yN0KY?yWhgAW|G%>gnP+0K|%f%8h0~*WoUzx@@{k@x|9=;Ro`dX_hb6_9~S2txi z=Y+Gf03I9^)q-Q9Ei|E{R zKSMZl{p3(Ld4%j+14dWMOT3L$4~i#fA!Cd#9+ z32n9oHt3W(7YTdbbSSr}B3O9a?`OXogaEl*Z*_(b)ui~ds$el?N}~YAX3nK{Q*Dwb zmbe6!PrKklE3Wu~&SYH6uSA(G7H_B^ZRrqiKbHbDVm_Wp4ulhCB_>ZuhSyo7QDH`m zAaXrE2dAjKRJQ`xVohOh@nI_#z}`)0(}r=1~9AZJ4L2t;&o zrrd2Ds}?PqkgeUd4tYlxvw(pZbTI*4ESMxMwFxyTvpvLU7&}aiARz9LWMe$7&9{KW z(RGjIfyKl3rfaIv z?F`>AaC*H&lO=Gv>HNC{u*{~I&pr7zI`${Q3mS&`(}b390)*r6{nS&ZnnAVz0?E1X zuBv@3Od|@6k=Ef1*%o>vTN>kTw5``Lr6}i|*06W`6tOu~W zwD21O^b*hlArJ=2N^)mQj5sAnXvIbhpy4y|W{^iB3A@N8&TJVA!1{~~?E^v@B*i=8 zJqtbDgstJZA?c7EZL=XkEAF_I#~#tNkNS`AVQ1T)JiRBsZ&>Un9TOx#y=7^~k^py( z_UjzYH+!&sq|S*x(t@k5w6~KGD#9mWX*|MS4lL@kemM#2D*?V3ByoAqW0}*>LT65O zeOBrZ!ge#jL;~-5j&os)XF4`_Q~MAQX| z@sgjs5Cghk*ML5wa&31KuwJK@#()q{f<@;0z)MEBV0|;;553qTbLIy#vqZDJKafd? zUrb*=!pr=<BNaw{A#$4|?|K#uEnusDlTS zVkCM|#Ynl&&sp(m(~uB4#7zbMq7Lw+iDJI+-lh%-s)ov$`yUp`|63edZ)j=UXDn`P zNC_s-S{XuF`)75Jy8STuuz73G=JWov)=`yS2hZNL^S!OQAp3FbK^(-3i+x)D+z|7! zb^?s#_kh!o?)(Q=pk^%>REWM|6AJcqo?&(I=8@H-b)NgAe~h}Rj@fwIq^hAun=mg; zz_QbNjU*BBV~N;5gEw%<_uKtYDSMTlN`Zrl@j?X!2IJLkF1UOC6{Kk-u9p@StU{+l zN}{0+QvR+>MqhoLFnQ*;6p((vxXx1(=#HU&Sli8PMB)j1yqcMe8-5<=7tbhZm zqw@8D=tF{z9<8;$u(+{HqS@+obsKa^!rrM`5$itrJ!X>p^c4w%DkMqk5%_KiC@}#D zq5}Vw8FP|uWqprt^7mAj@r<2)qv~t!g;AuPuTsY7o_Di$UBl8LUegB&qs!k|Q&zy>bl5o5acA zm>D7!a-NDku5~s)fqDF?Vi^6FiIDrSkC5j≈77&zT>52K=bc#fADFv+4-Ts2`pc zUQUc+`J+wd^`7s4R^%UQDvx*z_5rHeaM+wC)4jZ=yu%Zk7bU(|PP{+uZ6me+C%mo%tekx=FP6$)N?i z@%L)&_5Z5+E9+P`1MZ}{M?6VZEKUi_v>T)4UD_hm7C^9xdd zE8%@Z>XYvzl%NSg=sq>oW*3+uo?1QFYqs;>EZB3N_2YKqgPx||^4bn_Y-a}Q9mVfBl&B#AXAcFR36Q|;k72+a4TxD_dEPz?G^KzsW(TKmo zZ%uwZ0^v}wM#($12`Eu2@HtYn6C2{kAbmB8xLIL$TpC!!m;`!|a=Cr_yzg^lDO!N_ z9!C2kn#hazHODJI{wFJOG!pcAv$Q?|CCC0;`2JKR?e{(bYLk0n5AS#WM5CD}sD>nZ z#`>^?@EB!QHQ)`zFj*8>G1`Y-*1yiHg>aK_<5+#^T>cTmBd%f1$?4k*(03mTm9AkBYX->fMw-2p**ZT)E+OJ-y&ro&Hv6z6WC`WyCO5qcHN5WM>9vBPQm{2a-G+*`#gFgp)rn9*T<4TE^BG`sWQ9TZ`WI&t7NEq`{o?n93ec zzWw!ES$BP~`7CfelQ0GA+lqWQr+q+#dPO?($mTbI_-?43A*mR8weir?%Sr-BS@PEd z0MtL!?&9q`evN9<+LqR@0N_&X@7~fsJ=RDmv6C%~@71=#C@>cCKgr@xqSouI%?+<-eyE|ihn3Kp|M?!=3m?kQX{ zWZa6e{D!UsgIpA&w(XsrXo@QBS%VX=7HRiCc3}fw_-Y{|%(Srxpz?(6#<($WdllOVGwk%!cwRFW9EZAM!mM10tGGDO<) z1BjiEN5}-+LVs53>*`AiKI?g5sjh?9zz0(ZddVf{e$|3t5vA3i_1XPYwzP|7C)6}5 zcP83?6+Q&P`x<=edDbU!;}O@jTpj>Bl`S4CN>bKVZ8&o)`%(CH&(Ee^(+PAz(fM4h zv&yt}Wi^@<^oXy;0-O`79Ac&*fKCOMI@qt+dUGqvg|LCpdx!SUKMp6880?HVwy9i~ z(fre&5f2R{`xmAy1*x}A2M5$%J7=`@`#2X>bFUwSi}J4wd(2paPYt0$8Rl1uiadM` zkxRE?+WY03Lkz^hDzMd=NP{#F$I>s~0U|d*qDEK~6r*V9$?N6~EM6 zq^-<}f4`kxW&u`FwpH{=J^U#eQ57JFyb9J#&T_aFO30*c`-pD|o<&`-VSfh=9_ctV z{_K|4AgGgyO*)=U?8VSqn%$)1^JmkNf5-ZbO&iL|yCB$Ik9CWe5dPjF2NP98v>r%1 zl-TO7SBk7fxGNW~vD8Tr#A#6m<}d$XOLjsFQR1rho8Y5Jxn5-6{i+Lfc1pW1Nn#i2 zs+YEJ9OW0^euQA#@98=VWJo;}Z6k(8ihBlcm(zLpJFoB}G29>6Dx}HIqEW!+6|l8u zZk^&WriStWBH-6kv&8Y7qhC~Z`l*(nQiJrh8@Bstj~#d0Rxd+ve%Crd%GFwt_&uEk zafD-Nebt7F-gLHPd$SrlS_k2 z)gB}67Yy$uD2v3d-Dq^yd?tbj6CeyJJBbT2rm7$3Yg&IPRTlV~B zi2vZCVrylJw2wbFs@l9Nn-%f(SgnFArQck6aS@Q=+I7d=zLoh9-JeU^dtfiWP)N6j zg^`BN6|3SsxIBotILd{;jO8i-vh6l6SqjXcPgA|8TkXd7a3!tuxi+#R06SnRQRZJ9 zbzk&umQk^dhzVXk#f$+lU}Ren_5|s?VpA@xen0-OK_q~KE21Xa=_D!KpW zX_8fTb+!n!RI{{P&zh~;R))DVN#h8+N-bMi(jx_e+dpvf$oY}Xf+~2h-u(iRDk|LN zW$#`g4P{&c!uXj?OAFN;oQd*5A_GR@dlq*xP2D`R&Xpq#A)ZDLA`&*WNo1cJGakBbbqAJ&K3h-{#x=x$dFPQzQ_swLZ-nV zP14@?Zsec}diK)`^?p92@nR<26R$umf44{x@lYA&Np z38Q(3M>%=>NuX;U7uT(Wn00+GkIA>&0w+!^je>@Hw9kCvSq?_L%slK+HR!NmYdP-B zVZ4M*3nJrjhCq)Y4C`Eb^Ngi{<)9nh#Y1j2QbCxgnGa95eq!M)oKsDrIpgF*O-YT) zx#`vKZDGnnlCPZv`lQKS*u~Tgzd}1{bs)a?vI1}OPC{sFq={NOvEP=_(Sc)##HK;ZviKbQt=K`+jdU4p=$v-{X|1KnYlnSa1OkYXdtq66StokY2Pv%Q zMjhcp4TmcqY@o9*=YrrK`=s@i-n_t6uI`aa5 zj4D&bo~>QdoF7qKNyi0H#H17??o_oS&jZi3v=1-)@14~?95NDrb46x;{g=|z+SgNl zS7B6JisVO95*(*9=QFZ9j)ON|!A@1Co<{b}bk_FQEGQt0GKAtE&>}426cJP$hOzAUen&Su%ne2u%hx>gY1WiJyP4Ypj{gOB|6$c;Llo4g$QYI4cn+1Fwv z{jG7j*qQqb*(0ts&i@R@Wo-kw6zMoUZ>n-8Z>ZGJwBu`7o0bwK{)v^O%T7<0u@YlX z^v&DW7@jUv++J)4Dt_~dszM)dj(@!uMQivV`O9_gwwTeNrrbX_)4OjlE@W+02P@>q zxj0^TqeusJgc2+ypl^CT5{4FRm72-t#YtbbIl9|ohNqeO{wt}7;9ilh?d6gUTf#H3 zB72S7N*oQQz~XY4x8dsE>mNiEx9W1EfreXIuiqua!>A5Ax2V*7M**;(vsbOguYLWE zwPf_cMF7HOehElV2en#2f5#2pzxY7WC+36XGe-vQa29U9NNlL_f@Ng5YMo@xqH58n zoSYXyXkmQW@OM288-TQlpd+o)N$`v0bbtJT(#KF4G6O<|{*)|sO-VC5opywPpi$a> z>*NO#GHvKG7+&L7!fj!YcCE1yxB)$%%D!{Ya^Z1jHLb~kgLX&WwajAslbGj*GSK$O z@ZXvHH%-bosUR}Yo}iu$ z{v{Q5iq!YiMUA-$ZmSf@5TOi(TQfZ=L?&LH*(!P#RL3aMr@?K+p`5MMBlBr4$iZ@p z{xCI!K0kYrjT%&aSm(*|oWzoy4V}n!)a_L3FOEXlEqgEewI@34lG(1)F?KcDt%^j1 zEV&gFe~s`ZC&<6VQ7l$0LKw zJVj&Gry}*ah$MN&hq@t!)bx1%Eom2ZGF9q|y#wdvT}3{UZRpVWkmGs5Vehh18LiCv zcP6?3+9Xl@iNp3HG0$wWa%b52n>L&^i1jCiQILwReV+ErKH0VO*eLm=`qtW3=O|?U z31y;Y9e}bJ*ds-e+8lX;xsuGy@xe*vb>%|5Ov)&*lMEy(6<0fdbstVihk~GU;HOBK zFI<%Unpr640F%lhJ;7wMkVrgB7)woW{gIC&rDc83@Ar0-9mlb`z(2NWcS)ep26UpE z!;?Bt9torLShkr9mzS$u0x~257#32f^9;6+AT#F1bu+d&jKdr}R#5$zweHFAq3lgx zgPu$fdCfrTkPts5J=g+f-CCvu+2fI$$2K44LMhS&)Zr=F3Vfpy77(;Kkl5# zq4@Hq&>B`P#GR_KSPW*c;m&tft2FERP~@yrwqQh_Pi?3K(I!OuZ`7~x`XJ?5NwqkN z|F~=6b?Z%IVHt0PQ>Mc~nz~Y8QT~~o{)ng{t|lLEw3&eynYhcAwj)ibCKc?Xrh=%4 zF|{)Dla_k7;Vm2_bq1W&G?B{U=w7w@kT|f0&v?SoD8qSWE5p9IjJX2UxJ|h1JE#i> z>K!$88*&A^2@0)k(fkC{wq;u@0-{KqpM!@@UVhp99(7=N6Tq7BBDe z85egD;Pcr>e)_zmuvWFZ-TAQn4EDXgn!60fiGLC90#PIpf;3E3^2)c`(Uo(a6fOy% z-xYusD6ws4TC;#Op!*!ehlm%Wq>@H1lVHdEdk8;4<$*9g=QPUbn-?^w+U6BW-1TRv zZ2fmoP0=gIRvxcL`ID8?6BQZp_Tun=TuL{maap7Rd#H6KDEkiTAXv&JkWHx0tY^%Y zB;~lw1CsBc3$uINQ+2-4(}<~(_XzM7z^v)##HDC(Sqi@I)8i{SBlu?EB;7WHT#Aj7 z4O>flg~}qN*A2}CHddny0ClwUoTgePdY0kc$=n#(?^HrHPkZof6Oc>Kk7VDMD9VZy zAk~QlHTQ=i{y^_l1b*X!c(2DUlRRAI=Tl&s7u-EO=?(L-x~EOqLgTfoh+1;W&k828 zbUjdg3+rvK|se(v>wuD za-~0${(GT04w6gYFs-mp-@dwEZW1NDGS3KF`Onl+$wil~4g9C922 z%klAdrHFEyX@49FzAFOzpr})#KCrdSIJaUDue+PSw*;LtV>+p653e|P^nYLBUMWzU z(ayw9aeL|rzS=BSFEE1)QF#35Ko4Ut{jE>I)&Jgw3iCu?Z%g+b5f>XEm*Pqu&lBd< zJdnc^@8$=Xde#$%eD1~psr_D#l9u2ZET!wpY zR?+XmIs$yVI=qI<@NlPEUqXxc%b*5R4R2LG+s?im|Os*ZJhM zbFeE2-Ta1dd&9(t`rTU{M1{A~m6;^ash(V+&rDyU3e!vv>!XTPjI_B7U;BnzOB}nO ztgw3g8Y(GYqHWXaeUR7L4H26Zh7||)wD42F=8=~ib1_^Rf)U9~e$8Hs`nD4_wc}l( z_$fIbwOE|3J(+f1sw*=pymUn##?6S~Hjb>bJn*ouLmg(S(Kml#W&N3#0ce#XgFBcT z1~5;!j4`n&97?8+WcNVC(tcCSx--`mr}R%S+nIJRKMi|bp3%7X`o3xV3_|3spHUIr zn8oGbG9-(_%e6flaT|;J^mWMdY*f!Zg)4m+`TZ&e;Ru}3hV2O6k>NkX*;Rvv(V}pmJ$hlhnJ=3f(HA8?LZqPw3D2s zg=Lzb64vtUZG4VruIUOm2aZB!=M%2ok6&cP(%v4N03RbE4F&SE$p;?}Vm`Y&a{R&n zmM{QDjG9~=IEt0#pX%O}s($uL8YhOC@})d#gTs;bHbb6Jh1BibifCHCJ`C={YYY%x z-zOX_9r9fBALP$V2mdP>umJrfRjcurk!@64pU%&*W0c_H!2YQ#zE=eQfmu7J(jKR& zYHg^a04yc@zrk8!wRBC9gt^D8?7m&{p7sE!wM}X@99K9!iKsTOxkkAk)(~gR2Tq zk;r-B+45{$GjJZK+$pp4FbV&|#_VJUI2<33-?@{Og~IOy zDQzlRWbggox4o!r1L6jXynD+J@~?oAdK5Wd6Z5ABft+ovtHqTjCikIK9z{KR>5Fm2 zn@+&bYHlSr3(e^~gbJB9Kt0c9q+aGA63=|Q9{)M*NH!Re1$u_@SVORJt1O&{@K)?U zn>6Bh2dmTfT{X?>$zX2d-R&18SXILB6a%C`H8W2Hon zj-f1m{q@|w3)l)XEyXh z6CiLbUNc&tRwKSuXn* z=*(Q@U%)(0Es(T^K>#1U*-)S&H1uPbzevMJCMYm})IF*WXX{{PDqNuQJwnDaDqFI= zI*aQj?>At?y(u5IBV_$We~Es6U0KGj{3m;F>^R)6HTo$n(exyttzGRlhTDAqyRQwz z;+2$fQwVXsg8ygy_wg0>-_OyA$xhCsadN(r-KFgB5)wp4Q^LowJ?2xdL?JlhAuiU{ zR8qbkM7#8K0KkNZ9b*-gUIQr~D^fG%@6{A6dJg~^tjS4~jSb|c`l&mqaQRb&H>s8m zC5DI0dX)QzNk6}MLXxhSMufQfELXEGzpF!X8H?^er0qbpmHgZ!uI!MQtD4CN3Cp+^ zC@7libo&C@bi!HD4AbFK7%f$Yy9CMQj9Z>c>Un?Q4~4`Nsyu3)IV=KUcw#&{MM*h2 z0+%HO3#VP>nIJ9W*}wNYsSic^i35kRRU8Kk@lw=&c?;z__Enjo3$sNjhGQjEKoZC6 zkp=zLRDzHWoxRY{_i3NRL@YWuqBr2116QCkyq+SIj|CusubX&5xkvkbMS?WkTI)!u z%$jtCr^ycQiM3rrluM0SXi66Cd_dj0xa*?g7#qVMm%L7p8Zn!Gxvlqjv7PD0=xXnG zlZBKEsKD32&a7OdI2~rIz>=q^mc>;$)*!Rm4SSA8!a?zgTyYx=^zW(w%>P1!bO1%B|;5BKKcRnna7*IXTG{NcIAr z-Y>5N7N)rTuse#!wUP511B6dc|<;Pkxzu^qIN{?^SLBd|B_`Y+z7 z<-E?@|Gj4zsPEVw2TU0l$}j=>c{SRCfiHB5B_VD=ZGrldH>sz(?XL}XOxKEYKSIOSRScm&uL za8SA@BsUH5XD|Gq?9jE(p)2Rkn{6?vCrI9Z(7;_Om1dAGB}itm-%^*v(5c)|Iwj`? zl9bReR}0smZ{o+LwlX}{8f}Yam@jCnPu6vpvETa+?g@KL+{N%%2d!Mu2tFit-d3XN z#NvTz5+Ksh7uRsl_20lW)*Npv7}4AxFC&3|(%cX*OJcrftvx%SY>zv;I0nBtQ$=)l zxq`17(1fRT<*@Y;{(qj6r?#^KiQ+`9(&4rds@;)yX-YyM^BuWBw2)+{{Lfpk!aoSI z0A)+{@8O|1O=K3W$x2kn8iJZ-wv7e!yNE51%+OYxa%1d_)1Nqhf(zJo|1ov%>Clwm z6JiEO?u0{9maE7;Vp?~2Vn6wK&9U(;Dd*I^cHy&X8iwf>Sw@j*;ZV2?DQ&N}au&8y z9+>|=l8K{S=(Q&E=Ly)9a9U&HPqq~t;OOt!C=D%&Rr#2KN=|6Y95p9u+vBN^BJTluw!fB@e z-m&s5oK&l!$5dZ~66M~3xq45nwc8i}5m~}zk&B*s@b;Tgu8Qu~YyFnGR@VRqdb6Pc zcdumwoOgBBJym6(W0mS=Gn&&Hyq-b*#mBW1f!&u#snWzRA{%WszwqE(D-J(P%%&3E z#tnQ_d_Q^kpJ+Khi5mUHg!Z=m_mt+fVV7D@Nj_7*tKj6~bnQzUwmDZ5QTW#4`aF!lPm!B(<--W^;4Cw@>|avQxD36JQM=$i*M-is3fNB4{YkTiLT_ z@m`XCW}QyEY3H{Gyp10`e@Pt7`oPJMB(&+AJGv7SRkA1C^mZo1vd}Xs&ATac$2JE^ ztFz1a!c;3_Dg9m%`OKX!{QYlsY}IC_RD*8%kM}G6y{>;Q z2|vwGA^;PZ$>jTYYrnSWdY3r!Zc@J@+|`@^ckLH*ZTPv%P@Mg=g36rMk^Z3$u8GSv z1yP~*vE4S^Q0PDS=eg03f3|m#Gi8+&o(s;&slI*t#!Gr|B<10@r`vry)hW(XK1K_- z5)ydjm+7l(v}p(#wOyZ}8_vIW_HM{&c|Ey_T-C(>?t=WKJIxj9(g|&EX%Sha-QkV# zIy((r0K#tSqF?EKORk=!fKp~&RHJVrdVqYT%#WLK;GSG-L!tRy+dhz~{SD=Z^3Kwv zr5p>)@|?Wzc`|;4?EXM)S@b^%!Cqg@0;tz?ei-Fi=zYQ4#>9YN}St4&;zIk_$A%3OtulkH@{rSzxxoG`Y z!h*m^#FZ%3Gr!ZI)0yp!JQz$6mN#H?-k`3##t`$QS%sP8LjfyC6R z7|df)hAI8+L2}X1MHD$PO)2rcEwA^$j!mG;k@pQjw_M<`1qHFzN3INH(*>GVSY$iiPD=XS$_qqWPJVx3n2)SS zMK+}4g~!#A(RYV!rLMx-lrC^GA0&<4-JG)n4!`^=(4eQ8b40g7Sj0qTAYMZJ8uWlw zKFt38pqg`VD+}Q~yP8)Z&V>+3pp~=A_>Ei#Z{NnJB3(4G%#O??Y1wm+y>&;CIvTQP z{W-Qjyq~GP;s5kblnZJ+!4Z*oX;1^V=yFi{Dlqi#`M7o1nL>#+4Rb+qouvp51eD8v zH8)WaeKNr7LX`&b?@?UHA#(G zyw%n1w$>i8++8c)JMTorN7cApiP6P1tDq zps4;b1({07NHeX)!P&G|_I)aj$AYX>ez+VxYUOR;Y`>lkSRj`)pd&J$dJZ7%oCy>$ zcBpICb@?At=UN3~UxFXB9XwPa*C-kiFsEugrkb@Crauz??6K4_7;1b}$+MmhCqz)( z`@SnvY_09FMyg)zFcS&FgA!Cu1N5gT?*L8R*2?CHH!oXDIOewO-59_}tOVBdPrxce zZG-)vsJV3MLK}WB-n~#$vm9E`71{Xoy#^Z#Ci1cCX?tgGO&BWL>(|)t4VAcrqW-Y0 zv*}mI*xwCZQ8(#9B0+cB>m&As=rx(c6U0se5`mIVUo-+A_p981z}wx zPl~&%w!WLtbs=1^3EV(FyKg_AUT3@0YhN~ioxU4LrChc~6k_{Tx<1|4Efyg{yyFJ` zB)Yf;yFM4s>uq~(UG@BoqML3&9%Vspf2?NqdfFaLKZ;zp*G3EVDRRxGhjL81dOP!k zC{KJxHg0I_ZX@fIv*Ngvi&s470_HVrWzWiw@GF?%0<~dlYxKRqRl_drvJD!MXqVHy zX14~OfetiQd0fH(ay#IZ9r)m}db<>1v|p?nhm3o*HUGb5uL5FueKGoJ@yNN3#jXTE zuWHRuu-?A(KHGXMJ*>a98vw59T(f!)P{BHaL3LnYsMWstCh@^B_nINZ!q4(&xsK-( z58fd{^BbO5DZ0Iy4JnZMLW!Z2b)^TAC)zo}0Xv@Tu&%7&}`Q5y?brF(!Y; z3{aV98-{7{J6{5Lu<+%Uu`K5+i)Q}&5Rmc zv>_b%oAh+-%eju^+`k1tO zL@L%*@RhKZR@wbUxfTXidxyRGHK@U0B|5{I_aJ)sl>XEyS2qpG7U&X@VySU zP(^{Js?c_zGqV5Ge{&{og73kgCY!-5R9ZAtbveEK+6D}vq?5?3i~)qOTiVNM=y+L2 zQe&@?66)SHjS?YUe~0Mpw))>#{~;;189o-HBd$q+s24xLlz)?KP9w#jz>Fpb+$M!% zgY%lhJ#*K>#~*T|!(R2zV;Ii1hQ-QhNgkYwv-o!mYfILTKAq7F3KfQk^8 zt;R$tXDnrB{eacAhPtm;FHV*Tf>*V*z=70 zs~^pVh^W+ic0Xt!u~22NKz+itwzsa|<5A#cYUdc#6wBD-X5>Nku_eCz*!u2i9;yL`>uY0Ps~sXzm|C1s;O{Wq zH-aw4Xv@D@=jHYZ_h^d)il$PV$_jl}2mb2YvQZ{mZo$3#5Fi%=A6<8Jf`h^{f$={D z&!KDVbkm0yW**iMF)t)2zseCF53!m%U<=LwWu75@pupgQ?eA-K6Qf|2qj8Ri1xGQK zbQBZj_kz;UqyMO1eF!UgTq|k9zgOy=#xmaMVP@D>zdOj>FLB@(W^V&s4;JF?bnw6y zFH-}lukBQIO;XmtL-Qyb2wfZSc1jZD_2ri_OiK)1skg!WQ-}I}w`4RuE{Jiagi9V3 zZFUU@DR%RuSFS%UVC(oluh;gPl-Pm{c>n6v8~GFA<=b{#+mm8{oACY6qJ<7yo^DK% zi^#~IBc}GpKvW7ti}T_jUf#B=WHOLr-RF8JZF-W3dCeEeJ>eeoZ1L=Uzjvdi3r@Y0 zxLp_=duJ$!@nixcvD4LbSoeha|1_YCH&w6AdYJ~jwB| zXY3^)c8F9XhN)}AR`t^VY=88q$BpYsF>}oOsXiYiUoD(DPKME&3Ej3P1mPwG+VZ}7 zn?m7{3dmmV5YJ4C$;`G}l-iyr@x@|davX?iEUbpFT+-W{FKK_}#c`rrpHL?0oKF8& z`GZItv+(}{9~a>0qo;=|040zKPDr*SZ^a$dh0cD$Hu!grvoA2LgDLR1kDF;XNbCX( z`a_KG4jaM4wmDOhLiuvRHmEpZ41^o-FH~HDWH<6GKm(=sc{n#iJLEwDQv{+TEIF3% z35>UpAw!uDK=3*`hf>3i(m*uu_DZ}nh;qdpi~vFSfHgD&a6fSrZo@J-L0%7l2Pmm! z)`A`n1Olu!M8Lwczm1#9I*0NDZJgE|OgdM`xFp~@PMpED41^Pm!!%Gfs7L=HG~mM` zAn=Oa0Bj4QDs00il=8eQhC=V~3-Bzqb0{E`uM6CIOE5yYlR-1octd!BDZzv(tOGD8 zJmlU&yGw!*Bs&E(!I>N1F)V|jY%@gMLN^>ut~UC=b7-|IK({+^Loh;&9|5L<#U(sJ z!*>86m_swDdy296Nqfh4p8IW)s947(ZCg4y$f zHPAs0{JfN8{>~2rIgtDSv;a6WS~N&3-j_ZJw?n#ou{UISM(FoxNrG{Ah9Eov*Aqkt zM1drX!#XqrFu20l&jc#mLhp~mCzJsVlrKSGKo5w)QEwiHn8O<6H3qP9D|a|RC>Ssx z2ep3(5hhf)kYPiI4v{)n7K7i z2P}AkRTQ*kE(SsXRFQ34w{PK2bsAl7Q#LO`+ zZg1befj3-5L-#UhqOdkWFwly(ysfp~c_IS?X_+o)(CAWzdw1{LwPeo@*1Bobs-dS> z5A^ldfwE}_<#ddklb9VA1=qiye_KZ;VlrZ!V?w#A555Knp_gI;TMw%{#6UuZ5v;4w z!kA2J0f{Qw5X8X`LG-A-*k-%xH7x`hzydk?Yth9Q7h3;hw1KoBhe4|@5h5lsoC{H~ zOWFt$i6KuI!N?<#JaWh(vk3AMAEEp(l&;(>twgIh0cM;kAy{KG7{LsazdS4$NC7g; z@ufkQ;HWOaUXF`W&N=CH5Ef|KsS-Y{ZXt(EGrMR<%s~nLjUPF{f?$qyfLT+e90MG% zz&a_d)Y6Z#B*zpZFuc;LTF8+xrYLwT)YMbmYKM#zEy$ytVkTwj43cOhXBbB>%~epsdfETx7N9O^;;;cA$YY&<#Z5S2QHrr= z5wzaB0S>HcnZ{gnX&~j^jX73moG!{7$OTE(xs@eGkXTN|MeKo9;g>5FWtecr0VCuA zC}^Tsma;@PhnN&lg5HjaCYm2$?~}t?FD7EObiPq$2GfABWrIiG^K_(-5A?FrctrUh{D@G4lQ87B(zUdRva z#m^?@T-{7rhZ$6wMq=BH7HQ`gruFVzCBFTRX@MKWz)BTn)-h%6#Dr$tb+q%mxdSb% zAtxEiRmuWEg0&cDn_)QjJa1Q+$$D#HNyq;Rm1M|SMvJk_eqH*-0XaUwGHM52B{<}+ zi;i)^xm|dLRT*ZQerD;y`q4|jN@jAbDMQ%-5})3F#&daIrV!)+U;B^{VL6$Yzzwxy z2Gzz_CsEu28unNQ9ddxKuq5v)p#VnK<`)7o5aWIwbY1@9H2@QQZyUgf)knl|gMnqF z3(JrkEbx{<^@O4p%^=4(7GZ>&4Fm%{Xdjk&5bfB;0aMZj z99(W7vonP~!qJRd1W$%q2?Z>eF%5gP;}cPsAI_$-GnS|#8DazkabjYDD69gBb+jKT zqOim=^r9crNCpD$&;vKc!~{`T#5n)#0gYiGu!|uPMJ<@IjWL>{3^~|gSXxj8^t5Xj z(BQ{1+^{-=DM4d)H0Ay9xI+cxzzxgb2Q+|zJCF1M3A>A<59rW~f9Ql6u8^hYLP3;B z@?#vIC<6^HIgk@HVPfuMpgpWX2Op4!b&fdYHIGON^+5#!J^+L@61hc?v;hf*K@1I| zP=;Ap;~(Le1~YEqlW@5LjFAk-KiV;iMI4iwF&RM*vTz5igyI&>SO*Su2$c{R@=Mrs zs0Z8O2rZn^0!BFGI+`&IdCoEmHy9*TOpt>zEaEZz$V_G8=?X?-Whkz2sb!|I4am%b zlHsu)RQ?&zthfRgHf)C^oDl!QnJ57eW_##S>xe@o2$d#uc+5K9Sqt1T;tUe9B{#*h zosrIB7P@RmX241ggrJYBv+zz1XdpqvJRqk6bsrd^A=X&{!i-RS*0~h5olCcM8xXK+P(BP(k z%>fx4LE8InYz7hd1(;GH01<4MAEb~&6htFg6a3dZBrPjf+3AoMb9JBJ$xbp!69V~? zqM;iuS_A-)3J?Pz0zO_yJ4itaGLXRsG>B|&p$z2}D}fC2<*|{c2V@~5KQesl9feaIVY=5Inu*YU63S`Jb zlJRUuEhFR_WlqHy05F3_17HY4xU;3lkP0$ig9=2RfdBvyhe=oZ&WY9!l9QZjRrlD` zrCszvAT0tas5$=vogTtJQgP=m&sqdQ?zE6QO$A8bI@d*R^|6udn^&h90J5I-7=n#! zT?=5=vv$X?nLTR&P(j+pPWHFKJrN+sArv8-*Le8hbWk=nD#cDK(xIB@^E-07b8xY)geX4m`Q-NJWN;vMjXmx$o+NO;39z9ER8 zp5N=33YJG?43l>Y%z;yRxVU2sMdLhN;vj1`i=Yx)-jCy@2l*rZ;@}P$_(39IdWyWB z;Fy01?H>|*xM;divyKSw6XN@bR3i5Do`K}&e0s0&hn_`8n~?vHsP9C!Ia zenI4JPX7kb{4fq7+~LCl5dQw5(j@O7#!vsofd3N00o~yOaShk(59TZo&VLGKC}S(T<;oYp!2j3_8yJexXsLF;L{GG2B|>wXwU}7Kn7oM24qdvQbE>+ zKmbI}2jh$ifUx=mpwik;A!<#{+H4134+wLR;(nplhM>qoOazLM+p^FJ|3SpgECL2l z1jwz-wvYIMnvmP7FbKJA1eb5{ z9%39+tq~pZ5g{=WRShwouOTX7#E1_DHIeq%31ZGk-LMZoZ2okw6k$-!+|UhQkQ7<5 zyKDKP~bLI!j2*3ePN)KU9F z4+^&|9pmvP{ZS(capQ1r40BTUc#`*KGR_o|=4=o6cuxRq5BFxE2+7aeB=QDbP~I+* z;-c{oi_#+}5+w62`9?Ak6OU+6Pz4tv4(9O`MWFNI;0gJ0D95nP(kvipQZE17?H?-P z528{pYfUH*!VBf?7iv&1g;Cx{j0NFsC>u@4wh$UcAl>$oDLoR+ev-=~O(A`*FUKIv z+(8gOjMEyk0V%FCQBL@7QZX|!7GEzf_i`J_^6{DvS}HLjW?%pV^B1zP31{HL;%vlv z^9B{r%LFqxYcJm-062#;IoHq2q|Ysr^9E@!-JH`n{ZYhB(>Q}O&T3604?+(~k1zqy zGR^GP#4_RvkPMgcAKb9>{(v~4vpW}}J;&fGKdmjptUiS^FzJywVYBRJlkqkt6O&S} zNOEyZQb6wo7;)`99qK^QCP5W+@gVeUBy>UxuR@FFLNWC3G?ZvKv_t>%?n65!L`8J& zNR(qt^hDb(MK@+eS@i5&^j=^zB9d&$&}z`c56G*}8V)VXd)Lv?IAy#1xjG)4x ztOI<2445lOO>0Q&rAQAVm8K2?lt6Ky6se>XT56OZ;AOgupbX~gNsZLR%D@PojBJ2( zORuR*p9Mzqpr1mZ3pAlk*#gP7NhZ3)O|c11oyA1QL6kZGul8dc@?d^mAU6HfegG9! zLUbJB#RRPBMH~TQ2u8yiwSyk@R5+9$ULYpAfYn@N4ekR^7f1FswNp)nL**bQDs@ma zAw{&HAp}#*Jd7=d5I6)8&e-A**;7>?LOd&CBNL5P3xz{xqzwN~B@fJmRL77ZBknLK z0wdu<1n812YH}iMPa=#J&ybZ+E|eN#0#(C=A5z3jgHbK>t;0T$I6tff$t(`uOaNR? z)9w@IysQ)Ja}I5f_zvzZqm#?XEDrax_GX~jXt7?GkzsF;FPkyUfUq3{v&`s{JO45v z>TzJxtURl)9(8dGGgc47tjk0UH?i`}I&TIb)-PL6J3q_|%`98tB3uXMLP?>DoMmh1 zt05!q8bsh4bWiu*GvXvI#JKGb1}?{a$g(`ow=6!jGj@sbrKty1OpTyW~5e4r3}*IB@NQ&1oHSa?i#@|A~h}JfDKp?f(q7C6jk-jN-ua#*DmQ$ zb+?Q%(`|dN*C!K#^~fy~aSwbOvh>O=-T2bXzH?sx4Swg(ej&GbxAiS-R!m$qCf0&b z93dv0cOin(7ID%bv)30F()(nW{*0{{ul8wov2_18F&@`(8E%>J?;C3g;8ZVttmCS@&S_bz$6ad{D<9h7B7 zjMz88G+t0oRjn`60FdNBx%zm{`#5g>X4n$J?~@l|{4h{2yASiS&-xI8Ua8Oa6p(v2 zE)Gmt-PEs@87-ADuM%)G1cUkh7|@lw^^^a7uUmO8m|vNK{~(zI50Xn#k`V%lV*&!S zpl5$$6|{hwl;Dy#l_8{W4l#K4^y7fT1V&dus35=y<_lUS!o-}QpDaKV#+LLR%p^0S)Y1xQV+V5L>TPyCE``Wmi)W!PnTV(Al^RDI+eBZ?3?#QpAez=8_Ny z0ny#u^7SHMZ>jAu$FLsD89DzGV!}hr%x1BVhhV}7(Rd5|pPehddxJx(AszCe6J$Ie zszJs(;U8+e6Wlt--CD-qz`lVT4e+}m;voh2n-_AA4DEF_N3jKAc-D5+&6e>!oe?7i zIEP)4-VX5+*^~65w#hqB7@^!jg)hV`&oE{88krCkeT>E9;zIl34PG3`)1eyf`yc8X z4Q|{I?EA)p{Lk+jxe-IZ8jru6^kh2mReXE@o%B=@ibB@)G4qfvPe6Pa{Gc@`62{rtC;rCYO%{0?ZDiLlMiILsyog)=O z-=&=))hx}yQf~Eo<3Ii%XMj4}vii_$(-EQw1v&Xj{wf2rEs0fX;cUcOUSIoD7u$T*RkYPz zWUcr5;t!%4GTsjadt)5lEg-%k^4j7T!s#_W>YdN%Uli$EgdY3=$r+*={2;%%{#mBJ zEvi24A8PH{qU~PY{!hK0M!|mWvAynz^zQK5YfAcxN^F9CbK|l0GfAmSe^iBWtQ9t!nf6#J3oQWnN G0028ffSg4D literal 0 HcmV?d00001 diff --git a/windows/keep-secure/images/wfas-designexample1.gif b/windows/keep-secure/images/wfas-designexample1.gif new file mode 100644 index 0000000000000000000000000000000000000000..f2f730c70f94aec61ccd98971e60ea3d87b6ed23 GIT binary patch literal 30091 zcmWhz2{hE-7yr(}%rM5-ca0@mmdO$!24h!^HESUXNo0vq&5UjALlmOMzNWDxR2pMn zlPyUak|czLq~HAef6hJUecnCq+;`qR@11w=J=fCOLhqyx1C#*@1prmxAO6pi{*8i? z^8Wx}^X0LIfObBhT?E%ohiVrAdgV~PBKSWsEJ7L<$g7{)V ze2pl+7-L70v@4gitJkyh!Pu2!2sLZ~fVz##6UvncH5lhcdFMs~fuQ7EV`mqs>Rf|y zYr(putGeaOyEU?rNUU4E8{sP8&sOzn!Fxq&d(~@uHDdkSasF98K0b#2jfR0mIR8fA z_M%`In-G|wceTUtYKK)|i&bPfF0z-6#S+5W-6C_XB6|rjEp9QzKrTBnG7`vVyTx?a zkwyumK_5~vyol{jD)%9E_>h=}$!zE3ai8QypJZlW0y7~Y!7Y6nQ_jAc+#8l&@0B$h znDvkJ5^~x8xwA3qETGhN z-1_O<`q}*YX;RBZWCy#bak{8+Ho1K{p?y2KePgybzp=5gsAYD(oK(}&Tii0A+_78U zGM~=e&gx*-v`?oq53-osHSP0R%-#0(4$>$)pUJN8n9uFqEoUw#kFtw;4{`_Djm*XT zQFielyJ+;FXq4UFyI3>G&Yxx%kF%MBvmJxW<>T!3(bbO8<)T@3$LK0^bh&1lJvusC zKh0*2FEhtCTBZ+b=Gl$2>;q;;{XBbgdU0@iqh+4WoIU8B-ELfD56*6M{L{~FjL&ZL z&L7Oq&UP%aN9VT(=h@TqtAmRN)AQTRW%lUe!T93A;6Jj=9$!9~Ufv#D{YTgbv(wYd z2g{4gqpR%M<%9XOVP{-eAwKvKLo(7grCK|7kYZ+pDX~8@tOJ2khnL z=mdw+DWZmxP;YIRS=YjBcg=$bU{npNFYGga#vNoL5% zr%Sr_7Nkhow$#0Ex;WLzm7{QJnn&|VU4H87gO4|*GT;AozPurxe|&zCo?S6PXr>4p zJ3s8IZ0s5s?@Di<8Y(yy_2+M@;u%k!AR1|1{B}ytw}~pp+7_Lg@3hAz^-~4**WOjO zg*-XPnXGI0@re<~?nqGNf*0w<)}7q3{rEa^5ho}2q`m#u_nF!zbZ#rK6$s9q&WRVPq6~8XF+dH-lIq$LoPEnTfi_mlFdWVxghs2HS67O+% zbu!=F5_AcW30;lI=0s^P2*wFz8~!{S(X+3}N>-}KlOjzA!Da=%zn!PWlbu#k6ZEiFu=KQXQ#3oQ@H97^ zkD^<+TvO|?3YEo|W1_dXjb{a$25b5ihAyd3)|HM*ljgfkMU&Qp)}LXv!r`}d5n&Yl z?}Vn*#%ey(zP6P|slEJbjYH<`o7qEE$ND2CcvW1|P7*nMR+86W1IHp#g}zKRlZ2{v zO4BtJRKyWd-__s7aS7H^r+S>730sJ@Ghy{Fl^%iZbbc8+T6&)t2&LQyJx_aLNE+5> zKwKmR&gwAa+n0{;J*JsLM9&GCoyG4tg^uY39y0mu#us;eXpKy@*F`?2 z}aR#Y)kj+<1HbErv}+odX1*da}ig$|zJyv`~({4Xs=pf^u~ z5og$Lp9Z*$xPw2KrP*%bpfsSsaf0kjVgho;$I! z?mAm0iu--0P0?~(%??b}MG|t_=PME6NfSbarO9qth6^|etFiOG$i@WIP4s?y!%bY$ zLaOADIT8T3%M4RR;Y-4vLA+seRx10D1m|iVfW*^bd@&Yc{KyjVb0*y)x0zh45)4=y z8gadiDYliDfDUGo&0M!Kl{-s1<@tF10ec<)70_6>Rqtgqw^*Q4sXX_&w4gdO>1$~h z;T3?f{})q16ht1Kpq+Jz^}c>2N^ z@(H3*4A^;8r?xNA1R6yjvd%7XzTYh`m~n#01(?JSG;$~vQ_UT3YROhD$*Bx?+I%Pa zaOzeIRd<7|WB6$KPz*7!fCh5VCIO+C9uyqS22C(b9y!5r0xT>vMqfZ@Y^hJfDDoac zwfIIY_>q3=$-!&x+A<4u2<~1)+IO^R)``<`&#j7SQEqk)M48lr5!GLZOt zG;i=8&}tYE6=jkhO)N!4)mXz@y%BzGCE^0FE?_pI?5{DwHyoC#B4tS&->1r=o2p== zC}jeiV_;o1Ijd2iNFP zgChCg#<@<*bGk2;XnAl!$QuA3XKuAom>7v99svXO2cLPLB6ZGAPCD7Zoud_#;w}|Y!H&D)7h!f{r2rDdu)M2=2@X0vU*~0P=GJjInYhh-Ho=~NF1vmi4i#P3iTOIm@g(({fB7I=XI+MHS! zsSa>Y(DJr82~{;=w^uhN=!w7mxVEf!E;|$r&yY#K_eg=S^+_`Sq|6C<33naU^va~m zH|K5_SUkbbTs{RszuDzl5gepgVk9St%9vxK8^m=$F!rmbj-0#h`6M+p5cDC7B{mx{ zQ+#=3zVJM_@*ud`@JDii7boWN11t5E9GN!MX-0jGeu8#}Po>0z_Opj@v!omX%Fh+X zlL`f?bolwWABAih;ax;yOrwKpR9Oq~ek#KZ6MLynMNc0BDu32FYrHQ*wrDfMYmQn>-@ z8*?E^q+dJrjz=HAVif{j=d*r)!f>(D{#gC*O$RViW=;K5IV)Tobi6Q+7j-T6A$)8` z5Js%~ym2!r-!8!#(qX@B6$gVQsru!}xl7P>=R_uu2EPGGOX)grsdq-r^TRJ@lzkL) zK3Wg(hK083xEa))o&Vzw3Efl?vLaEGG`@Y=>fT;Bt99D}ZS*KRlkq?(lI!weiMOlO zG+U*8A$)Pb=hy3#_|DBSp1Y5iQOK%fOvzS+yRHma)mixqsm*R+)v>&@`K|%oPWy(q z;%>~H8?rApkvS8PK{B!%chYDxYUPITA>bhqioAW}YC|(n#kf8Lg5{eBYCV^isZf%& z3itKC^ni7@Th~RUpUklm3C<;|m~t-=H5Jhjd_t(}tgptica7 zgueAIi#)t{y^2H}On@6)zWvT8L4`l8Q{lq$G`a8S1xSE+Zlw5bB)Ls6@kDgsG~l5{ zQ>`TMP{(AxD#rWq!L=IzGL7e#C08<_EwPET(n|=STxb(M`#Zu{l_To6h~r82WrB<_ zpdkXdDPrWST(CW`96cgKB+(ZDM#_@2EQpG&$%(Cr%GbHx0v>prdYgAt!!z%wJi%>@ z4Tg@y%-Br-1bVTQc#1fqEV)0zu}?7g1wOWF%R!40(oc~M9fSIYCivnmRW#f_o-01# zdg;{(=rl$48waE#B6OAj)#1A{D0_|W529mJt;4u;1URNysU_4K+!$_w-6Mnmm#K5a zE9T*YLcWkHx1nh907?oaG1iv`IvNmA>CHnT0sZ$?2NMw-0-S3Bg4aWx^DsQO1H|oh z0V*qg-<9G^&s3Yryx8aJBVw0jMIGwlP{eXa1M-cxq9!I)#G3zbGfvf;M`GE&A%{~!6holE#mCMvT|IU8 zZg71~P*1Q`i@C4g!x04W#xZihjWOrokp8|adF51JZ^A8WE+^vITgh_pKS9iukHPIy`W zeJwrfkT#7Z7Vljh0M39wI58Oy+-CP~cqE=RphiLoc7s+x5(38c?JkHFTg{J5CkT{T zs((!4(%u64%1K$a;&p zNH6=nZg!gxNj}qS_uq}P$RyQ8w5SjxuD%udr2(+KTqNm(%!xy^?H|bkw4KpBoYkuS z^wenLqk<;xEdr_p%DM2~fkW&9*E=ZF*|BorZe=l*?-^3N0UCdin}s_WNulwBxH)ce z%jQej(lu5$^92gz{WnkQy6{eJMzjFD+umRy0K?9?wFh+^Z1(S0EK$D^Q^7|_LfB>d z7rttXtzATxBmv+c%LQ*m7hEZy3}T`Uxd+Eg$HBaQmxl0{X@wV?-;}B(BKH7ZJuCAT4gZfL1eQoC~;#77J8n0gtM~ zU^+6q|G8u@4#*n>Rt+U^K5hcMaAmh$k$Vh;J_C7MrBbnkXE+?p3g?;yJT!5nhwf+> zn*9Ri3TPZ6GR;%{7MiU`42qWW;lOm_%k?=pyC*pIHhFHtky}(QeHK{VyY@~>EhwA2 zi6C$tq4SmiyIE=6WrIG%*ch?$m1ViM6cG~BK75rSvFNH_U;L9}u0Vw7@09G4tv$CA zs_b3tIz=4k;F>CE$X_CA~m-HbS@0I_$);8<<@i1b@PW|)s8Kj z$W?vodP0SciFuAPZ`5_}t2MGQ&p9VUseT-=zkZYiYtQbZF9e65I!vF9z7@G!=Fiy! z`yJ_D6$Wel1s1PVS{>@J{uh8@UcZ)jY3KX;z9tvmo%gx7V#_zXN&>G=7&Cj4+SdSF zG)O%p8st$+ReX;}VtJ;DU2-@b8Rmh%wf!qhdd`>Mb}~%+tL)#G(=%2HIxigc0J!aD z2`42QXly>R%Vw?(G1ZYTcWUKJ7|=c2t}jsJ9`+$*403VRpmL0NG=@-5N79(7j>$m&A#B~W#r$sX;!HsKcYdKTXwx52r}{uJ5rTZxrgS}116Q3 zy>1LnjrD=Qg;HWHpvZe-TBf#nw!z@Z6srl<_crAqmzzp8HGkq&iW4|jJ*kv^W9Eft zgnro=QOf0XZOhTc@a(MLY2>Qci2Yzq9!~o>vvE~wbEM!aa00VkxQ0nj__R!K*` z<%c7Cd3Q`+AqrLQ5(G$_7hyWU6*}UWSL+Gwg*>%-2YPEl`iEy9djBA&kN-U)RnP4C zIHQhR>}cX*Va1eAU#Y|}CTqQV^nt3)$+VI>ZaS*^w4Qzk;`^-^dsx&>n}xJm$O;kl zENDT6ys)PBTH?Ia>Cuj07LuU;C0>pP8xPc{`MIG~B-ohT`H0D9NX`3zwkh%LXvFeE zB-a6Y>6`~Vfd(rkEQ!<)sKkC1+86^GzkdJl_3r2=LKF9Ef&g$Qbly%tZ_LT(Pg}9A z-i$s_3M^yHzNw_GZr4ISv!K=h&n)h%2hXY%>Pt+$c*P?qqhpw;u7NWI#K!uXE-mUT za0vUeB)p$?m}PbYH3N&^V>iBTKjgYe9X6K)TXYPRp!&*2m%47h=tixtsIS+cic~k= zpIAX=efv1?)ZN{LTpCrntEa`HeyHj|Ag&vZwTPOrT*P~T??6{{v4R&6~%&P z{yP%&XzBIGtjU6fovlPp>o4~};K+2t=L7*hed_?U?Q!p)9pTGo zu&9*uAFsc|X!HT=G45V0pnP{m{PDuII!FQ?B>{W{k1yN|{c+|8lki$a!9&1czqIi5 z$GhFUG%$FXHCsDg1VQf>y#H>{(UE{fdGTzi17G**nP(WhcDR)RqrI(=y>%??%hoDr ze1S$p(OA&CuRpC6sl3I&b+SNO$tnF<7$n#n+YE3%b$oP1`3?5-py{{n4JiHT?{fM^ z@MCBKqwAdd-e$|=z6)AAq@a(C(oKo)1 zZ}WK>ZOp;~Off>cG`^|)pq%a67+WMCwE)ZUn72;+E6#|oJSybznekz%?8gNY2iS%G zL>=TqdicbKq@!(SRjVNsZ`co4kE|!X7LP3-|JNj6ke8Bh_Np>;gr~3Yc7ieW#A3F3 z1bux(O>uth?RDWGY}JmJ0qVXwa(ltQKb??Czc!!~5LrSDFPd8gD428@vH|I4C- zm`+WhmdMlNSe^COQe~*AFZAb8Z$hy$Rp<@=r`E9+_sh9hH95Zy5KhlRVv;qHRoq?1 zYC3CNzH*6IgY%bfg);l;VhN~#Gr&7#u*z_F@R-ctwx++nXGF5D?z)wPjIfj9X?shZ z)%%*c3zLmvf&3+f0h?XwZ?X;^=7>oOO93E^ssIPKG(Fm>Mder7uR$Abh{7XWdo3%& z>9JHmZX}VP>~v*f$+A(jirj)V6`UL7zCk7F=(ydZq0BrazPHr)TrSEP&sA+QmvlO@ zPo;Q&_^6#{5wN=CPIAn-SnD6Uw5Nh~_dsVx=P18x44-%s@-aTX+{E0M3ciB{7qVxg3=?t zO3}v10=*yiW&>c^9OtVFZr8H5!k%afGhU$ zUahK|seM7{e*D$vCP@!nk=A|C3!Hws=P{hP{wo^Me;2z8-#Ig+6&WKS#kACbo1~02 zM`s0e!7#UU^e$)g^6$NH{)AMn@fPOsX%dq5MLr^>_|dQXq4)k~kr5vGkn6kIqEey0 zQeHp`*Iea2wr@bGbP_dfpkoquCjVmeuUnGFo=`b{_j05bLkPZ!;SE#zd`6wmR`uoH zD@tsqck_3t`}k=pH3%!a9bQ9iR)U=a(pDt;PjmCAq@lr=P8MDPfaP(N|_3(u3cKI_B?|^@u-wWT-;8{efbfP@U2G~>4c21}e69Ipqi<6ELRFDsqIYOL8wJ=RhePfy-#J_qxPoRHvc+q|E1mo+ z=yRY?C-NcD*>^1`5Cv6o4Qj%CGIk#zLjBdz?|OoShP@H~ zp|Tn2iWwfxw!J04b9mcjzJz=%X4qoLTuxN)qYvH>xAOnwzEAVj$K($69_v*MiuE7E zSYI!X)tX+RU)J~b8M({(v!KT?KoKH77QkvU|Cu&AZ+#RQ@t>V&luM@hhml7TzdLzV zyaF#2o2UP#p57#n`zW}JdpCuU8wD=Wvm`vd`Jdm> zlDF6XUhb5iz(^F98Llcz2f*(==NEwjleMy$7~!_)-KNIIs_mFX&fg#vK2gcuwtO~<`P%Akq*ws1>K02L6TX3Ryh_?DLM zf8ty`9=Tb?z)9rehuS*c2iExjf2Z~;4^Bl*5oPphT%aFxA8wv>e0T(xUpQC!frwnY z!Y^V)n&0D^0!cFGN@r}0rq!a!0II7gp<6tjdipgc`tztDWMC=mRq6IX@dBzgM6!6w}( zSs+dU?guv@8f`^t#(xgSBgc~N{EE4rY`f_vv`rgOqpYWke-hn;7XQhAvPn?~9-HdBy-eoT>Sa8E(#4biZq3BH1%9;YmQvu`Uto=uFi)idtDF zZc}}JLh`OhGrA0+(VBEERKOhviy@McgD*+0oyM_7c*bizLCW_Jq|e6~QeyyE39lE7 z!%Lc8h&THCfx`LnHE75D-%3Fz3zBy)bS~MkDrpm!W|3^T=mS=oy^rQ z_GD6%!su$}a7niqG?0}Ui9%Fh7~}gb1q*w>$AJ#b7$gj!2k-Y*?GN;`5Q^yfcNQ|i z>ZD!2f44Ckv6NgRp+hKbfU#iLC42sK3c2pXoDM0G!3|OI;20e2XR2`YN)l)VlpzXM zvNPeKc8EyAFGyNlK>~PsFGZfi*RwkjX?oHLf3nU3{Ia(cX>)ZhIfx~3thA{IaVk?D z9$tpXlDAgET7NUO&h;B00i4lR33o*SX%-wGiW9aQJT(Ub;z=M$3*YY7U*aG<0I_`7 z!ePejv8oLv$ILQ5E(vOLJ060WMEL8)TY;aQb&Ct657t5l%-`BX3exe6Y8N-_2QwVu z{T#}npeDR+#ti7SAOvpL@#Tt5W>W&$TAsO2O31jmL^`xwqY}mNwV&P{zAnKw4gne zR&+hjZ=iM}q1Xo!A(|9sm=M?sGae(Y&W!1rC7z3$PC!>oo{ zR~f#IyCDh-YE3fjw@1FW|N7$fpJUzk>HQ?7-am1;&u{SsG%Ybv;DZE#?GXCh$dyw* z+)(YYQkH z+98l|vjKahmE!`P{vox(UpuskW0mk~lTl_b1%O z0S=T%QizgPMgb;ZQL@@IYX`;@Gz~Zo#~V=q3(3(*%*(Aq)lk8{p*byMEp0PM+$o6i z6g|}=wmseUtunS$0D!b(z+OKk9E1>#=FYgQ3|QIJ=kKq@<$=fXBsaBQHaF8$a@r_% z$d+=>fiOhtKDWqCwDdHqHjDS`Ny`-jPEwCMx)JZp)LLQH*cbxo`y$TMr%~`2#QqtV zKEc`f%4-rBB3eK_nrCe4-I9(ymxy~8ZGXX6H5HAcz7M^RPp^CKa{EDd&+U4{Akmjk0E%{9W~&(IACZ%R+PlG60|+ zkW@CIkN@D@WaEoG1kSyZ)}jynEx{ z7PqH1^Ah#pTw)%Qd{RmeY9^XHN$Q937ph=aXR*i+^xYa5THv_c6NG}OOkp$)Ekog^ z0#iJ0mW@zV>OC|ATr`f@7UfoCalWE{aEyG<&eXxXy!s$TV45Bsv~}%_l{bB?<0P&< zIW=tJ{t>R?JvBMQ;Gs5LGPOT_0Kw2_nwr4Y0Bo~{Ge{}X3-_jX=*h=LSSS^GY-|=( z1z^07lL>FpN^o;3@i3Pt!J3Zhe6j=fUW?V2re$#g$9xcBne~%*QXNo`1K`H9m#I4Fn@~r9XAet z*CaPu3GV_CG*-kW6TA>OP}p*g=rY5G_0Z>f)BQZCAZ@W(jgspHzco#Wy|0;h%#dA@ zeEIf~$i@mR0d|$qGC9C;m5_v8$pB-(MFsJP=A_ooB55v9uJq>GpyL&y5NB7&64dr1 zE947T5ZUt|Bg_LO9bFUu)@|n`#i>i!(~cHI6LA#SWw`B&FpkTF`@cx#Bx1Y7%$InX zAa(JSo46joX~gAP@>I|1LR!#03k2>Ox_0NsC3cftQssaRRSwM!Pl3$~i5z-?zwzK7b>n`EeCX?e`&jVpH zB9{6bY`;*L2E0Om0)3u)g~h0M+lN7T)(LCy3L{BD97%;5^oVe^He}uW*7`Cz;k|{V z`k2@e*Q9gF6^@j|$h>5X&HL2%3H_Zy$WXCT;dSx~cuJ>rr6uLt#>dssrtkmNt=)0$ zuD;sP8y~V6Wa*v|!ifL1m7NNTQ|jONHJ@}>Nz^muhc#y1x;0Kh?`jPb%%vy7n0`|m z(r`OndvsS2P0l^XaoclSY0|xfSx6M zOle6oz<67H+nl;{@$imT5cY*i^RaG&u+o9HqI`}((aU569isWH6E`$arZl6RR`Vx8Kp=OOZmVV9W(slLl?cTq2J%!t;4bY=fL{T8A zKsw724%3L9kogI|qW6hOL^AC`?kHYu%zI7@ICVU@_H?6pb-Zu%_h}ApxymdA*6sY6 zZEG1R6Hy>d4h-#WFiN^!3Ep{PE9PH{P@^ZRKH#~nuXS`~aMP9J${1Ln^yiQjRF?2a z3>`A!(rB{}#oS1<+MFIhZx~u8LkrNU1z_lyh|%5c<@R4WCXgqtfYs)8teCFW_aCBs z*Cqyp7CO@Y%eu#v=aoV5L&bC8Uvt@2CL{VUWsL1oSi2T6g0@O5iZIq)agS}qjJ#t4 z5q}T(Zr;GY{i^jRNq2z5m&ygz%aN_Dz^sDYK2btewvNQj)l#4e@QXJqKV{-l!=0~( zTm~%PQ>0yU1hBtHuJ8X%+>ZxAQjGJQ2KKE?PdUx)>zXLcA$}kCC0{EF`}vKN_eFw7 zUV_JdLTwUuG&$nAf*a}iPC5ZCN$2zrNNsx-BTe%n?Z*vq-S~D8^I|XrbX7#1hCsU} zHVJ2yej>^~Z1Hf*DZeXl&NWfq=tmI%F%^j}4?*D2@m@5r96atU!16+SX9WD7#sQa) zpk9cEg^wlNG;$8n0I>G}rwt193eb01If$x#gb}iSNBE_&!4=jYcE{7F_mjCiWe%Co z6Vc4pLYBO_2_U^c`=AvFh71zXY23flL;&s1q5lOsswCe zlxDRe^oExFX6 z-J=W%H}&RFMIYVf9xpbtX(_8{I~=wZV`?JJz{z;7At0Mm$o@Ut4;P1q{M_CsI;S%A zl$j*(PCN={{I=t6`i$Lg?7jYey_;_OkxrhrL&NE~n0g+Z->CM0Xp%9qCTE!tt@i&BV!y;DL|#qf(BF zVQ_s>Qa1yrCv2eSB$JPZlxN^p>vm);?^E{xyO+mibze1i>>0^)Y0@&i)kAzpZ;Dg{St!wDcHUimf8EwI zN&B<8=wZLWyUDX(wlnLb7zY{T04uByJ}~Ls2FD|t<|j;P{xMw;RB#f?a)M%^lD+|G zkTMic*98UZawP4YD$ygdbrU~i<_bYv8x9^D&iL`Do!|!x>|B&AaqBs?V}gwnES2u1 zJMu<{bA?O#@(91gaJ~zLhv7pmH`6UDvdL6~_|=#Zy`q*WE(w#r55F#My2Fg zo~Jj3H0Hz5XNNaneD7Vpp-cF5l)q>~zm1{231~2sh7o6Y00$?Y@3cJ)DMOomjAA5_ z*8r6G7(;kLM5e^NTeuHRG2E!^)uyL8hjV=ZpnS*-I{@~X)oZ}zjCN0pJJOFHQSRO1 zm2hI{4$?Sf1*)xrg3}}6h(rwZdN(#AWf||Rz!IBPmJW4`5{LVo%Upasl6H)& zXluM|w4>r2-8w+w@GHmY^nHU(hElwB_xNHXAi0l|{wa4A!xKdmOI^ z^^UbIwh-kcLds@;=>1xuMaYuwXQ}zuaBbpHW66DCbEW8n%{cCtT+=OSauP3DNp9SW zTx$Lhsh17YfGW0pDq4mISHKYT{hISAA^y@!nH6se^-UbI<)Z7ic;rL!ONf7IE=O3M zN=z2Ftg z*UM)YDh|3!uexER89Mz=1}-E?`RC}Zm6{{8V;^tImhor0#>=gFC)wcrg!Tcd_@R%> zxs|TOV^)^Hhiv%kk~-`YX@r-MepV6N{%-Fw2%Rw(`y0`yc@#b^5fQEOHpAKm_ z9+q-O?LQEFj7hi{Q_L9~y@+zcnIJ6v(F#b+nbTPWq5Ih_)Ll+KQ0QaM*x6xq8-d%} zPpbFUmd$|(*A`s)C7_>zzQ_acDxR2YFgotS`_}}M=laXSS8`C_4g(7gwTK9p{P=Xb ziQl9pPJ*l!Y+$t{_-7rLeU9m8`I761{na6ENi5e;(W2l+UDD$-pmg@lv=R+?|3`-u z5`tuRjb?}&g5F18N}fD-A^Bs!N)9Qb;SQ5;w!Bw&IOShNzlc&O0zqht$=z$eFf;c? zQ72-}+r;8Sq68Y|cNKi`vGz!_R;cpagD{8gCzx38R{TL$wS8fGD22Og(RGImqBA5< zXFYQs_rBu!0{3qGD)3Mm6zs$MXOyqF_dfMWrq{~nAbL%>o5C2!9nWW&He3=o*D>u@ z6$GN9lzQ@jA6!wEFPN1_zK{jp&@54jyc%Ik)y+mA43%YtX7rsjWrE^ceMMeSz^D!H zy;mP5ben-B-0HdQv@cQ4szJYi!e7@V3&VkPS-+ozKe>2`!ma`#E_IK_NCz9}k@+&Q z{d(m3#Ji%Wk~A(2LTNPa+WHBh&trW@PTk;*wi8i#FaO-3r6-S3mWtT$O3|B-ZE_=U zt2_pxl=Q~2@f6>PtDtV45NE1ax0%%I{T{VTpi~b}_5nN8;?vLTe>jlmFOt05hK!q^ z+&A#A;iQimW6p*@v@MpP=4A()Hc*BQO4#`~AYV_K>Qkgq$IqTGd!+7^t1pH(_zf`@ zB%?OnJ^YG({>xw|q4~!AjkdZu(fH~gH52t3E6c~-DF;pe6V z_LK!oBH`yVfvKj2;=YE5?e zOW|K}eE2HXEr(@31<@iwR-i}oL)G(qV|mxVWUU>C99?r?H!-(Qh`-5aIwREs-9LXm zdQ|p{&z6b#QMiPh6`s$ExFZA=MFL|v3GvuLRKZ8crWvZmTxThhf1lNed;=JoMX6cN z8WIgDGHDA80~$n0egUDx7(P{uiU;fOcj_Y<{CNDUqn|8dnVAcarrU|)J7(-t*Jq_h*#WDgDWhvEB1;2eW&&{6f&GlD)z*mx0qmt)>N0YS2o!h-U&q+*q? z1m5RZhp$!;LX^|$#9ARW^1QHgJXMXXDjkn?0F1}nQIaN0Q*%qtWSsDEB9a3p-XQlG za~ZFTnOlXgiU#JgO!GH6#hrMS0oW*uC<6b~it9nqg%1PfERYjPg=7{I7#Jyigzp4! zAhwldKhZ2lZT{p@6XX9bE?Jvs=b4#UJU~hMX?4V{fZ%ogaS9O&^pi|kL(?N6^GDpv zR=)rot{lc#6P&u7l~K>9ziDx0Hk_gbHrY%z-v`Gfu4_tQ>(k`ZT=-L-JtymiGxW^Q z3df83x$hx!ISHM=@i+j_23UBaJ|~fqEUYbrhf+Y7PnesQ^EoVAXV5=I&Go*p7W!;2 zE@(2ZTR?aC-kM<2B0J9gl3xb2%|z-*&iIjwC(QjWNgnL*AeHR*C?H9A z`PJk%LVQ4PC-4C$AQ{Z(s45Gut9Ufo0~}6A?N3QlhmA%RoQ25JgmRV5u8{3Z5zkCc zw#vHgTZXPe)LI8sVjkd~z{`Q>|GBB?^d3pGcqh^gX}249Y-JwqmuIN=D7JRW{`25}IGp(#AV=a_M5i1k z&@;Z%xX|8H`4XQPwZAu&2#h>4F^Kp8^bh~gF}L;WIz>}f z4nB8cEZ+eL#G0CD1cUXfYWYno1<`)zMvu7>x~$HBe5ILySX^_6$Jwa&X~I<%4&#j1 zNFu>Qt$L!d=N->*07$#)u0dhqZjIJQr_;r}4-!8p&OnX*f|F@O;H5al6Fq1YBdO+ULm%RA5-VpYN{X|uhy^XhQT;**R>Y}M}(12;JaK7POrBcyU_c^O;(~GV+NP*K7Q0Q%hzQD}l@43U6V% z4Ltdkx}~oXzu`I#5I%2uAF|kAK4UMB%|+uGq_dZn&{Kc6AZzbl?z5c9;(-$ z+B8%5Q@Z9*??Ld^ZqzW1CrdQ@;hjiSX(;(>(#e94uA+R9$0;~%v%_qwD-}ns%_Z`O z24BN7`3nKz{ihi&M0A>&uw7N50!ca|F45(Ryc*Um-ikwW(`0AiM0PqJ%@(iN?v<@L zBbQB93h0+nSl6!W1SF?mB9=%VV#-dh|0Jp5fPT=BrlVwr?E0o>SDQHd?buEav^m(( z&P>XiTjU77BRf4>I^H{?U%4*sjKcsp7K~6}LdyglyEnR_kN>kf-h?E|Gu%Ch@r$p* zk|^M5u1=Ap<3%NPgPJ(jV$Zq^QSM5;1onxd6`&x4=NxlLY9;ISLv}})s-YM5q|A(| z-X_t)%NDpjDDVz7q)aHb7r!31l)3OFVIM^_M6Pzbf<@&;m2)}~RX};7swg(a9}sqw zC$poEi+(CV?W?g)XgJo9j|w0E!}Z<*AXiyI!T7PHI`T&Zo6HAi&aay;WShaO z8_(fqgKr9b=-DJ6Zf4LNx4o@lWtK3a-N1XV2~VYxq~f_pt-FS|EL3ML1Sd|Jebee> zTuQv}SCSbJdG_iIkHD70o?S5hUyWK&J8XXgsB%AVXxHd4Y}O>H0tZu7iIS6M4{pD2 ze=^YTt0V0<2xfJjT7nGMtqrRt=y2l&)0jE5ov6w0T1`JHOzDn-vU@gt5`{k*|Vz>DtMl6q1{NjXW--AQ%L41g4wg%8G|SQUAE%^8}RzWSR>OR`z(ou32?r z(52mTjH`-^9Kqccg-#54@|p@G?ufOQVUF2rkSikkhjF}^CwTcYs;aaoq2EXT ziWnZoaR9AyBYL}nilMG>lNWUG5cAqhzt)ip|HMnh8f>-z_sbACDJabA!2`~7^{IZ_@XGZmeH zkcvr}KLLF#2f!9FU7~+B;(qmiSKp~fYMu=FObgjC;Qqv4r^Vs70&h-CGSG zOL=}%gG7#JJu~PxlZY3|w=!P{>%%;BJ*KyBKz%0K`izHcxCY>@(_z?ICF2hOmqoc^ zZ)fhF+p`>NChmP#&wQ^de|aE}l#DUgc_906cC{eS;1o>v8n`Q>6{#hm>`3C!W?FK`UF zCh4}-k`kGG`<+44je!C-F!^>$^U==?zG@)WqiQzEkkIAr{)gxm2ZvIawZg`zc!}gb z_rzf^3!d62eEUZ z_(uwxdxNDW30`o|7^e{it&%T)%ld=fnYxiu9-;3RqyN4oE%P7P`w6Gls@a!k@7v57 zi_ew4uTLECOxBsaH4(kq=~HJ0TeX9lqZ+_%E^190&LbNzz;lf!9_)8bcT$3qe$v-K zUOpDf)qmYQeexf%6qYDZz>Vo^*XP=k%IyJmcOdua$L`-aqP*0nR_3qO0ylKORN|U- zTk+|}HSXi~Hezh7n^NnraHgg{;DDR+xtoI0O!9icb64U9yyN)tk>hh01O5_01Y-g< z&5fAEE2!YsLG|r{fjcw{408P}(yvHLsVRgItZvC1ufG(Kd(Ot?szx+@kC(+|r{Jp) zefME?&5fgxUnV>AgHBW)PXIaSFiAbG3g4ifV@CpAlZ3mnUgj-wxKbVMqrTdF?n{w5 z?&WQr>yGg21Ky-LJc!dY!)>M#?0ML||cp2_->qV$wjNlZn*%KrjzW7?ly<;!so%oL_YnDN?fP};nDZ@wyg z`MRr_k9W{nzx(G#d*oB>qWXIK`OMZ;ICiPbh-4WqCStn&`HR^te8U~LXrRMkMK&0Z+Nt}>2BlF4LND!K0?*o3b)JT3=+o8G$&D`qPbZcQeHmL4E+d-2P%p zj&{dO^mkDi_rRw;}eo7-fFi8D)-QAwP5mK48k&8NCo!gk7gf9V9D zyz+zS+Wk$P!>H8?oE%ndLOB%&kMV!DWAw!rptO$y_1vNhSUeR@(SS@<_&}Mfggnn7 zP5pG8;c9WWrnAEPL{OoEkUW^{E8+VKV6xJ3dH4>?zlrA_GfNJCENXn> zlCsp@YX2~0{wyHD^M$KY0Z^oXR2Jb^6chTGQ%F2sF?9K@9-&F}?0>T>@7$%7Vh1z= zZBFqf1MgAZD`#!$hEZVAJ6}#@B6gN|EmUmJfq3rOEzN{|3b|9@T6aGP@k<=pj8AW} z@CcGW#cXrU`}ei3vU<*KKEdPpxNN!_fmn+Ki)tiG6X#0dbbfv07jgaDJn|uR&gwPg zhFtis?_Bp+>Wryi3AM#%JYR*M1J9kCrP*65a8n>jpF)Qx(nx7H#@zermx(u&NHBJjly5=PzN1}94k3L#+phHjpis03)-nE(Ajz}Uk-HJWF0z!2ea4P8LG)X{e(COR3cj86`J#m-fDo{HcRxker zWnNFN5+|siO1y+NKG8>*4msNhI*G{O;+yjJxS=}zZYA*%^q{#zT#1L4xRASKt}Kq8 zOY<<+wWcHp0nAB4tfU;{BhuYeKK18^kZx;wBwn1U)FDb5vknIo$nvB0(TKppZ}HY( z3l)Rhr+0F#%Fh*%F-2Y5@Qbhlf*`UlncuWJ zQRvjb(UI*GMuZdoeakIAmRLbWz%V|&$m{c$e$pSYBpH(>8T+uW#^)!&6kw0kV3?rh z3bYB&vgM1;+sox%N(%1TH5cHNDJ4MIX{f;OKoRvpsw-JmIXRv;>3oz;xv;cA;Z>zfjy3uW5!X zPj8jHa)vW3awNZE_q(NjbCW;{_L<~yK`X6~HW^2~XbDF()3j3PyeHp-X?)JlO_T&* z**UggOL1s@t+@QaEqUZHgHLKy%qdr2{#IypfUYT!Te7j>uDZ9G;prqQ1gU~kEMi(i z7Wh?kBZRn#U)KtNoLgQfF0o%qDdyAW<0l)Fj?4`OTN>_CqQ17^F=7;v=c%p_+-t<$ z#R%NN#hItLCS*UE56a0AxKni5+-FSq@eS-ZK)$5&9>XBrO~G4U*thN-iD!xRtOnk? z#rv3(FZ_CtuuNJ6aL4oB8QdAF>tNCmkwsa(KEhOv8aFP{C4lJmOm@&6$Q^aJp&>6K zo3xktc;eu^4KF3N&r}3)$mU-+5%V~-qV9D18pl+m7d&_YM*QvFt{)EA`YaoJtoi1REIf2*CoK+^m^h(O!}}!ro7b9v z%Kp^Vs`}F^XItApWmyuH*J!Ke*IN@V8@n@GjR%aRC#JTi#;sqa5yfVH3-XDcyC=X; zJ{5|kRHxC18GNTe9u|O;q$L< zpjKESxPCwp@*MQ64Pq?fQf{?G&`|v|6K%$B*nb4nWrhJRckF~8C*EZgixt9KFu3>V z8aYEm&I{fZkVsZ0Rr|ZeM6}dS;m5FZ_LkKGwp#CMbyi_dlyD8ghOa@5f^Xb*bI?=l zmqL~qY~Xt?v{i{`HEbsdqGXU*r;hP4>gWOfD)5QY_|DOqB`=c!%h zerW^%9}Q^E#DQwqNjz$J9xdn=YAQGgeC4P=QN!TLG{+ZzNhSxC zBsBn1uMyavV}f)i5r7xXVxS4&2oUqMiUc?mEJz*pO1PBxWYn5>fp~wo)bIJ2Uhz38 zSKw*B`vg8y)0N+TU5_KDECsWAcc!CeV%c-MfcM-=AYCBNO{?RquR|XwPj`LYD2mO+I9AsJI`Gh#n(emC=O~(Dv8Cg-VuvBi+ z)FV4m$(is1l`mIgKvZN)>3_Vzx0rokO)i%?ujLEvvzaoa1fx#YH@$QPM{;))t$`@TU`dIA)4F!$gKJkVJpLUOJaYC`Pd7M60()2a9CK$j4EUJ?OAm{&Bv(`ZbD2GksIs*I)#sBp} zoJ%AkjYzEmc+|qJpJ-N9qMgvXg9(LLvC1#m>?_evm$>I!98R7Ssw(yA+b&bxIpFsA zNP~ppLBH1Wd6>LaS-28jk?)P>x`2)A;osvoH=zq$uTOAKD~K9fbK^C5FvNc`3C{-w zc#A&^GW>CyY#3^ROPu|Bsp0n&%%hbiTSXAC2>Ymi5wFIoZ$$j*^WU(&1-J=-!ZZNS zA00R`u%r`E5Sce>(<3ZFOkAE{G*R&5mMjXYxZj`R@ zg=y-RgM_G_YNg`sZ@%`)vE3u{^|QgS&1EPF`sE>(!)9VD#@Xycm})?T>8mBioI{gl zQCWAHVYBYJwi$;zs^Z*|#tNK(9IBx-Rn$VQdv6_6la2dFxkSK9lEY`}o{8L^$JM1Y zu$@>SU)YmZvP)YY2iCYQW`Yo2Id82`XbfREf{38Y?)OVsG-A+Tu90~V1O(Fz0^i2T z{215T8$TwUhig@bl7Z-@c^QLe*k_TJnwGe-lw9aSZ?G2rLerBcGzp)1T$zBZMOJbK zTR^n0NS{YitVyoC56xs9`)7-5eI*N57h!FCa3yKlR`K$XVXq&c-#&PJeMclFojYyk z&7sqvit>ZL4wqAWzGeb7&@t{P6)mY;N<}bpx0&LQH~E6zX>G@z_+j@ zK;xC2?dKEj!_7egWPkx#^vzBeN!`{U0#C?$o#hL$NfemU*mNJ$6WH{KA|A1llUF3o z<~T?_Y0^9;Xn`UL%F#xUiNLXuVL~YMBQZoyTdjzt#*5|N>jPmmbxN~j^e=%`K`?`5 zpc89LNCQwMDCn*!jsShNW@!la9TQzRD9FWa3LT*WMbKcNDFl1@2=uV8ui`6sJ;?F- zc846zL>4&V;&57@M|k3b+Fc4J8K^0O75Huj)J!nUb&!tX7dFqAHVpdG#gc{f2?_e~ z+U{ax3E+i?kVQBThlFG=I6lB*#ZS0_0a%d0!{sSQbGvV!_%uLM@FR|NiHvZ77|o

#6c>~6Cly%X#}*iAFzO+f%*Ps z$=5Cbm#2`3w7f6yEI|X22U}GA|NFsy!HLKD z0MoJcC%ekee05Zrp=1(9NWCMFC>HqWr%J-ltVz8v{yWyB3^Bd8YQERYf-vg|k`GZp z3Rbu=;f^KUy63xHY1oN^g?$wg3J~Ofn`MN-JHh<;dNjX-^Z-4(j{m`hf9r~KCLK<> zS-wRGazF%d3ES8XgxPN@G#6BGBuYhn)AVD4Z03a(PX1FXG*T&4ExjvjlYnGU;DHqL zvOE-?n21dB;Gu8{(dVPqkvzh>-j9cLg>>J3$BvpQZxJNFXyG)YJ+3|W)Y1}9(c>0z z_wBv4sU6KNc!=FG!48S&ejp+dF}nj&LHNSVubi`S7it84=@Iezfc5fzb`@Rq0*Y5Q zA_0BK{Hg2B6U1l=Xbz4Z#cbf9APP`+IXo#xyZFvyEX14C#D~$IqWe z0}xYmwj{eqr7|w0M_e`J3>U9lp^+#fSMy8MMhd(%us8 zx%_ay_`413I}9!v44%6_lCm z2>_^rU?pg-9HK%7>LY~Z~pM`^mF+m(y1TvBKv zEavbCE}2OJ?BDz@wG~fd%3??35O}dZ0_e~+bR|;9WFfNmXtnfPUe0Y6>F`ysMb1pp z#V3v`KrcIb(ZwfOtQgAG-%2QH`VA?Tp#8jzI}Pkkqrj@fws3q#G;j>A0Eu@MB^~|+ z$%Q8pFVT141Rl*dR{mteV;zjCX1@Nb@rq1Y8cni_^?D0`-R_)764#5GsY6U z*^vq}5KW9pOCl$TR=EfYY9aA@kS&=w|%RUNMlW^Tku$%8r2qR=;LLNvJYZh9l1?fa(bVDQ-Vw@ zT}+_ucrab8H9^LSB{26)HioQKdx6f8Fsj3lG$nn@GR39DpNWjkOV0&sU)g`{g_Df2 z;n#G%6I-lkDc%6d)LVI=;}OC?8Xa6n5Mn0CbR~#i0p{TXMC<4hdq7D!y4`U+_#WY= zUEag1Vuf$$1!xl7mRyxxBKPR4^cEAS*62;2IA$QGI6(w`>{ML9=tymo z=ox$>ZfXt@dDR#5Q@iMzAB1wd$$zZ_@{-8yEMa^Gj|W10$Z;lq;0UI`6kE7XLUA>u zFB0E#+!yAi@=J`(#UMQ92zvB76!#_pWTLiu7fW$hh;;|Fo#B<&QS<0MKVTSMiB!_@ zNSxV}E|WLFtMN{Y4+y0Y9)Xp4_AcIyQlo0qcsppWz+%+QUiN=tX%=%iHZ0X&MkzKd z^cYSYT?6x+Q@#)zd_+iTi4AHrP!yMVp`)_mNh@ktgfq$fF$8X^VF%WeJCMvjahV~% zhx$iMyCx=e-9YMnsVE@yol5Z|`96`Z1j*Jk)t;UwKb*^t`GIp_N+m?l2(v!>%&TW< zQ@5KN8Ws^>X_LidekYT+cK}e^a(GeCkm7=rB#tj;Uh4LJu?bwlHnH+HVDUTg9>PyV zX=R*+pEwiW&T%J78tsoHEbs>tYB;lROp1<3lhI{#rmsoK|CC<@g{Q#2YA3oK>*hCA&7*Kj4K^QJQ@zjgy zMUvq4*Q zMLDadq0-exzDFK2B}Yq^y_2&1No(?b%f!#(juu~CO`9EY;*+k(W8S*)zD?IaT*0QR zO*T>-ZE2rIR%z39TnSch1&*;3b+kGP(g2=V%Mr36T~O>>d&IR~e(~#v40In3`MYsJ znOkOwCKFfHMw8xb8p;&~2-o{A|1CcS0c~z+eE*trER}-TYQ=t?JjQBShxToCOD{U9 zKJGK^5g&WeEEFKb-QgSw#2Ay zeY*Ahk(2;j9pe0`W5Pd}amO^^SP3$$>W*7-pMYSWjpJ~2QO7v%rc(T08hJ6pMqwyV zK0W4kzIU9#SzO)zk9F0Nq8%%PuU>0QYJB3)ubez9Buy-=KT83@t!c)loaDmiMxBE% z$VoIoBmn=`f<_esrZrJ7jfK!yNHJVskuM)k2yoR%Jy6JKm?1cQPPz< zxgE3HlM|l(2X>>R1i@EZGxS@+kOkZfWE~2o#Q1r_WXIm{vkoIh_SSLx@S%V^C#CXc z0TLq<*{Wt0>4DbA{bPEq6;A!h_o||p zg2fZYp8zc{HQMaY+0`)Pg{qH8@$FxuMpjd32~EGs!4h+?ZgJ0Z)_U% zMAWx^RG}IB)GeDC4({=UGWr}*b&mXcX;m@9c|krPzqdNCYC<{V+72c~Y7~kC?Ta5= z+H^Pq^3d{aHTShIJfE{WRv)evYH25@q#8otb{Bh}DKxCpHOd$OjX}QDEG@`6YG7_l zfr1-$Juc})(egvlo43~;?YHmvCTeEtH@trt`2xDo-FQv|inTflz25QykY1KLqOFK(E z&vV}2Nq-HhKib}Nj0uWqY=MkRU!4>@ZRV9IEEDz&*zV{@j>#Y2fAai4WI>z6u zIocxYzhHIj=iXn8=FhoBUWXZw;%P$yw|w%5(W6>T6j*Wx0aM$uzhN2% zcp=0Pl<|W`uKPGxd&Wg$eGx7shoU_XVNFe5mo;nuiJOonjz2;#RDJDBZ?oFwz8J(0_kvyZN(}U&c_QV!~}hz>yNL*z4p#VWTQVA)8>{xZ<4T5@zaz zAhz^X0&tf7{FMTdEtKXtdh}b2?&(cVZdv=tXGbq*nD_6mz>wgjBO!qUwtTD#H7TT8 z1Wg)E^Q-*pWk=>pDjx%WaYz_v%IhMPjysrxBk>fXQVp`E50IkC_+oxflj7keYa9cu z6|rTFN4g|JRo?JhzxC~*QNOzlez$t(6q<5M?!n!#x3BH|GcsbZ{{DIo)=uHI65=(? zFm3@;qURU@Uq0=I_=7%eX@X`Ms#=14^0nuNGQzgX?dA_prtNITshJ)@&b(8wieL}=;hCMTocvR^2|3*=rmi^#ZB3nP6` zrn_!rR1{wb57meCoS1xu;RK35xU86$hKYG4`BU?SYQYN%Mw1L6F}Y2m=6Q2rE&|uB zxlNLZDm)aN+ps3DK_j&j=m|hLgq=67o6I^>mt^azonfT5Hpf+a591zD#N9`ON20)< z?;dZ;kXtDx=6OIn2A49Pl_bZHLr(2k9V<#$AfZ45Bf&3@HwyB}C$DhldRl9c;`lUp zEco-B7|uPBKpm%mPE(B?cRAo3t)C#YQ+IQD-6$FU#Gy6Xi3KoNpHDYW1IDkzx$g9G$fhxzJFf~ZOapIMt_KfIs4#%J(0|LD&PdA!&p0=00`LMw@@qzPrD zb8W`P*$Rtv*H@xd$$TJKo-(zn!dVC7G{*pva<xblfsx1TlKcO!CYnpCXInt#oLY08B70 zZuBze;idGq^53!1xY6+eLR7|JdT=ekQg3xT%jm0tlA5(yS9nfAv|AN>g!|ZIuqbzG zp#$HhF0Woi*dr&B6|UhJUs*{~dv9a&ViWYXYQcE+by^i`t!W*{4*PkdXdZO-QQIrw zTM_<)31M2WXIgvC*?w+E9i-yVV#vx=+LzxYJHUd}jpU?yes zqC^DF_xo;*8Hfab%(`?dB36>b54{0EnbP6cqsrromM(|DS%R&Gu=d zeaSeJx+_|+3ysw>Pq#pA4oSQeaHYx_C$Cp)J^zZn1+S5|S>l1XTQR}@;@#xSDH7*6 zkYOj-mo3CoCtll#>m-){OY{wQ;w9T{?SOX_zGYYfmMduB6v>JA=@{aR6KoK0l~apu zbArCb!Z{JpQ~>w)7ngmQA;K{tQOp=SUnm&Kt;rYrDuT}k;QFNxQB-$vJhIIfFNHg_H*vnca1;4kh?n1gf=j0Nsy>zw9}gjVa!N~fI9N?c8O6s5OWzD_Btcd~&K z(4MQ1Zr+Cw;2!EgfJNv;Dxs`VNC2a3a%sG_7IPDEkz zQ6XHm3E4)<1!kT3CN^NZ@muEi3+$$iM=f(j2}xo@1+F%nLce>N3}ml00i7w=1n%*B(D>`L zL9&25DJvoy%c(BuC%|No4@IB_P@Ie55u@FaFC=>a03H+-5EgKArT7d>;BFB}jwXHk z1>zqW@d=r=zlb;hzq!gFLqGB~c$Os41b_ItD{We_+pz%LuSCkbOb0R9fVK|jz{4^^ZqMUpf`I3k%t^)u9x92>`L_A;v zh{W6KCo3$PVBbzb9s__NDwMNQwp`5nID)4*z0!IMkp%!CBk1M75u+FyU={YaP5Mwj zqbE*ZP2l~-C=ZPk_;e^Q8?%TlvKQG$?ES7l0)VoVN~9BNl)utCqb7(_S<+c!H&dgw zUsZ7*UL%B3AoHkfA*$AGbSnk<~vgfhfu^C*ljE4LBx1TO@AJCxZeIdd7m@T&W?{lf{MdZ#- zI=~4$neosXhz2uwwi$I&mjw11m(XPHg^W`}n7b?WkN8DV*COtTazX!M5iJyfr_U}g zc0S^N>3-lOZXbb|Q_7_L@+R@ z5N4Blrp;X~flp&68nzIPfspM81TzJE@wArOO3QIbD^a!8%&yhqe5+Mvt4%|z-OE;o zwbm1m$IgE^EymsQ?MM{%jO#b#Y2hZwKJ#9Q@2<&v z#Syd{gl#;o_D^8%I2{cVe8k%fG!*V`R?TRADgS97Qa^++#yNk`F&%?QcE1#Eb3zb- z61gv%pC9Wsps4Wb17Zlxx)RNwcLlEs2k`jf*1$)*?g4ug!k^wePhb9z3l~-s!H?KJ zA0o&>FhbhbTzb?`LY|yP1+g32PD$`&9bPk339@Kk3lXb=Z7YV_I8 zI1$%TC&c`zTbX3fli5o^3bA~J;heaCs zgBXJrO~YBt8mq|Ry!D3qk>Q*&-UnHY&t_`kjA}d8D)XQ~Tz&1G_|n*|(sDHbMto$J z$;1z{`XsBKpN5D)`!L25A;#EONYvl4b`|@pA5o@`SEZcph(+38d>I*ixd2^z3?NY5 zTX>0Yl{k2_5tZQuj$Q3nGXkXV9#$ zm7s)@wfi*mx~|8d8D< zJT*k{mXF!2zveqY1dUB7l$Y8XfixZr>i;bz{B3kAgFcxqn^xoWc?t39#~?!IpD)Cl z#Ck|!qD(de|NF09c#G05EWk`?Jp2fFmG4iTe>HVsV=CN%Ys7O9W?xh~GN^vKrYWAz zp>TDl*KjB!00$<}1k^J!WVt=o6!uQTo4Kq4;2NRJ!^X0hgS$43O(UgkL*oUoF-*pE zzBlT3);qU&9?$r9Wl&(!g(1)NfwT*#u5^^g`n%kbDmSn9ZS+^5X4PwCc<6QyE>B95 zbhNHEPWI}k_kT$ETl9?t|+gK340kI=dCg6z94W$yv6 zUe^8{Sv4sFW{=U<-^Bd)ZpY@K#fRzMo=+KBv(CNp1TDxU72VY>_|{4QpA#)x@!ykc z=P&C71atit-1;=c7t!rE6>veM9sAgBmV2G}=+U2n9`SLJkHsA;Guq|QAX?rVlpQA~~ODsl1ZIbPpeP)!!MwDAP%L=5OzkV9ub&=+NU= zHQqiFol;oI&H2&>VJ%aD4t#K@OzuahNGy5gw$w+_VdhXtf73yQ#r7iQzk%h@H@WLG zTI!z^j1ZiI*ZP0oWPN1sseg_CJALP0L-D^)S>!Uw3=Y@w>9K@U?9!gW*s)2d*YmXS zs*LMny9^krVktPhs&xGmTH{kA?5z(7RY&QL&Jq4cDAwfdj`7i|W-fa=msx3nJbDHm z_RyW;c><+pq&6C4u>fgUUz$dxXZ-Uam3s8>M%l=QMQ`b8$r+LOF}@2kmbsg+hbu)J z2R{F;=$R|y%zc>mL1j@(^)wOdA1B90D`!UEt$uiC9XXafv{^i|k=C;*n$;hq_R(7W zFm^2OkL%o|!23tb50EIKqUE`384?#I$n%FT@g1Bql#N9hn0-(TxLx%qHM`-1>v&SX67XW{^ z9xB!%jz$WMZB-X${IcK~+TY%|P{{jie`w_SuV!a^A0)z`WB3XAD=T#G1);d|<%gk) zQ=*|W^A{w(N$I0+h&<_RR4;GLxgL~%MB*gsiQE~FS|*~xAF{|syg*h2fM1h!cGq|K z{?v*1W!=4ZqVd%D9vk+@*0F}R;!6p<7_%I+Ne;iXR<2XZ|k zkYkX2Z8xk#k@lXMI4(J^BLW82RJ;&SRzMq7yuQ#cD2q*Yi`izUiL2s}_Cr*%{Y|7v z4&Px685D$Is-VSIgu!#N@Y9m3<14Op&UYQ}o__J^x?S74^wq1yQgrqvO|j(y@nLp{cDDR}F) zzUZ|Y2c6jhS*iH-gH(s3ocnU4z}c|F!FY5sGDUMF%a)SuxT{8&NT1`8b4V#aHQm?cpJ=n<_)fItD%C?l zmRCxHxK4R|ue&)lQXW~6Y+TBlcy6@(zU!InhR<5J0#QO%8Q7Uf_mt4f!Inv#g+(-P z#p|m`J>5?_rE|8K;xO*Mrovw?&+Ew=~Qx{?b_?&F(tXvXmxG0xM16! zT&R(3KXjubPyocf^5wA~r&HM--&@iI}KcbCj0vu5Y zpHHofjM73saJ@o*UU5B~c#*;lI_15?ynVIe%vj|e>E)@)RBi-wf(hi6nGm~ca%+#Z zc%|oDow@X_iM>g^f~V7#%)8J&XG4 z`vI!3g!$fwnDa+hmS=Ut_F|;G1{>6E+K{1^l)s+*y{R@zH zZ+4mEi>w$8l3-!;yB|f0E=kOKiObjUoaw1`pZv3+%M$eP`ceNMJ@2d$&wPO@`;p3S z1l>-3xd;3BAt~87w;XLHoaMA)+$LDSg}7>Mlb?3J#;*8H_MHp1Mvt6Hg}5<7hi_Ie z{7D`sa&#ftvV$*VG_Nqax+aG(l;!DZJ~rJp$;c-ADqPG^&vy#17#q-Zf8GT{ym)1)hx;xc_G_Ir3D!JcYcB_tioCASRI3sY!5 zG|JB4kK3GkFLqhh^AcZ?vG0#}*Ga)ue;y7H+s z;hUu}ED7LVJ4Q|4SJ*4w@s2py{$s!HncU$k5t3{bpPh6&MnJ?TGRtaq!0=yW z#K8s0rOUf}gAPxOb1Uck1vgDfab$|1QyZy}z0% z#vK+pqiYnsSL}k~-jx4~t~>kfi@}Wwt+uO|8-u*p&Me2h>-~3`k?OtfuXt_x)%7c_ TwcZ=&pYG%8qzfqkz_I@Ug;zfV literal 0 HcmV?d00001 diff --git a/windows/keep-secure/images/wfas-designflowchart1.gif b/windows/keep-secure/images/wfas-designflowchart1.gif new file mode 100644 index 0000000000000000000000000000000000000000..369d0de5630491c31b1a4cc4ae1fb8f36bcb37b0 GIT binary patch literal 17357 zcmeErRZ|;`^EKY!1b2eFLy=+uf=h6xxI^&*#Yu4Y;OvEpupQYc=arTIU< z>-Q_XJ7>U<9N=jNvN)ROxi1t5_f@mpO{$mg=2n6B)QF5?Qvaqmlu+Va_fCN~GI577-p=0Ui$V|5!jkT!2iCGigGH7Qcy)6 z6%`c|6%MG1oQVpLhK2@IL(xKm#rl8XfkL6yPyqu2sDXijiGhZR0o2)m$Hc_I#KgqH z1ZrVo;AO&NVPRoyVPI`x;$aWGLm@Oq0wKWUn%7O?WT6^tMHMCr<5NCM_LtUlK0kbu>ZuO(p zmw37lLWJavPDyOK;LgU)F3&?WGBgf%QwxesDcIcLe{DkRW18f#_EDWSHo&h~b=wz{e`2Rp|Sxr@vA(}vFW zb-gReA>bM*kz>T?vk2pUJ150n#!Yss^7Tt?McT<)TTG~BS|s%uDOVb@qNM-R)5sR5 z?gWcxG$gi#$`ZkH!{HSFEEu|jo!%Ix)@Z%k^U+YEiheK(S@=!mg(s% z=M_gu&3=*GvlmAZ2%*Ta6UdTHsS`w^Q=-BaKLdhBAV%2L*!bp7ZNek<%gQ)h%!kUt zUF_0T!^&nr#lG{`k9!KjN5F$5Qgg4;4+wL?VqY|C=OY+tfXzV;YZ*t{`#?%TbT}G0 zr(Kc=K{rdbbJgSl8Q*~Et^9XdPF02bM)!{> z1WvkLezCXHQ7rnk>RFOHHTQhUI~hv1nr5Xx`3;0=CO?7&vg>N&d71K$qm&*4FasqG z7aL2_sW^ev)Ipo{v4-)BHmsnTCx56rDzuc{f@@`LVAKVlR;}S^aorV6FJyli zI0(Vq3$QWz;Ns|i*E!_@nxU^+20$5O{02o8*bB_^YG*plj9ok%6MCHDI<=aiz7RjY z@4-|vlD~i6YDpn^?&g^>r7cyI+9l`x#PB(B*vk!JyGuGG?tTjf-|f7WdGzA-n#9dA z&zFpHlKdbqR8&lu!h3EQoA2ctu`rc9Z(c9$Pz6?h5>`ZVrUJ8Iu43D?St=NNnuHnKkD?jKuN6HU6xH4q4h2w4Ac-Y(YIeNZF?I-^MXsv{-i|bvhw(b zj0f@Qt}B36#VpRInJ7Y%L1RVH zFi~~je1nWvvC!a5bnbihXu-6Y(`nO=WeP9^Dks^^!~_h4^vHU}%dN&Oy`Q@qJ%TuU zjJTv^QB#)CUpJ{}3Jv=;8M90+IHd$imL$kA7WWv8!_?3Zzgbm@RPOVDv#yBOFQbI< zW@AYLCu|c<$tGX+c-+Ko36q4b0h;nG%EIynY_ay$Kk$z-<@I4~*6Uo_c4d;*dKgi! zRW($#bQ6QAHX(pfSzE~^iHWW0WdR$($KaocHJ-SI*2!5T_gnU~pH<@fH=4=fNzACU z)smyST8H3~th`7^$ng4z-$n*cUH+zDq6iYb%Fk8dFYS?^O-}Lo-&?I*AzjH|lhB%) zIT@mY0zS?w!5XkHgb!zH*Vm+6lgwEW*S$t1%mxg`Uev&~DN@B;uP~n-4B&IwR-MkN zP1{)JWW{F+F00Zbr~?xb-h5LK*ICM^?qFw4%8?V-X^rQ)ckba@SMREvWNVFqE6>(x zso}f{9r#}SOE4o%ZbS-9Fp~H;lVWqH>RabdML}LrwYi|pfKBgxljE0qOJ4NV{%5k{ zg}?PylT>R%)c!mn(hW9VrfZ{;uestv8th6X)~9q?TeD{yR0QhR=lo%9Mfki*a@-q> zTCnyi%?mkb{l;=@XGdiSubTq*<~q{@$fNQ-@Y+y9e8Q9jp8;RCGP5uyjNsh zo<}!h>gvux3HL=6i22SWhPJc~^Gi6#I&-k(3|i{3j@)!Ky*0|e5n%e4Je$6)QY@c|mgM&{ zhxC6Q$K?oGQ)4uam}s6RRJ2;tzZ0qQsMcy8XT1H9-Ec@1)iTC4CYaSVbIkYQY1(SX zJA*+{nxZlefd(GQ{%95DW+Qi66HK2gAoa8 zpv%3;+pc5r}ES9sP$B;B|f~->0Tb0AS0_&mQ~CBZ;;1>6{k$Y z@>0+BcS8@`jjwj;DSwCcc%dwfI>6;`)sY4xe`jm8_;fP4NsJCmwk|GI%sI$xk~ zUJj#0`kJFm?t?<+hAO0(bzgaT7j1OtA<7`Sg>GZ{q-d{I@pmXqP~mt-d+KBPMw_kh zHN!qhwdwhzqx{ZL*87uVl7c|n74ml^5&_?s7rV!_I&ae(-0R6Dhu|{LwPg@#N^3U5 zDnY`UA=}Mjx!rGR6wcx5rn}oS6tYWGMKJ<2Y1Ga4r=1bQ?gx`3F~qNnuj$@}78BgPSZ#r@oyOn*n-^EGfE@8X(MT&S!`#l$_zFu2Z0@n$V7 zo7adV>VR3E*emmU$f1bPXqTe0J~IZ~x2`oD6(C+GuRkgpCQYizdZ>)D3~}@gy;Y#6 z;RuD;U_@1UXDkV#MLJZ%Bdqm-1ZWyv?d*U9)rw`%A(jT_ty4?8K1hftA={KMKr&z1 zO2HUhW#r7{1+&+KAxB~36)-7OxZxq}83I?dh2O#93gz&tQMmje{3m9#EOYcJBwEHc z`UoB^T^_wR8ZCJky@?qk!5p&!iQ%)2`3jHWEsvQPjbS{Dp@bM6#P(puEi%P*LgE&N)pWZ_as%i!?uo9u;=~u?PD**ynBt|u@h7E1RTJ;! zNBnEViR+B%b=x_ay;+1FKG+k-x6}aJjOiOmB*V%=NWUets>F^daw~c3&XKKCDUlnd^G_nEU~f z%vu(A&l#3+4N_EY&Ar0u*eBHCj{}xy3xD(gKRBbB5(4^*gE@ zpEz>Az??wrj1Q{RA+^}v&J+xQ%oUz@ai; zt>H9LraL@|3iK85K8Pw6XB@Z{DfLw^LQ%&TVk9DFVPMv{QRF-~p=+98>}}TM8HwM^tXZ&mSberpo)*a z5vDHN+%V_IPEMzG$X8nyC^IWtjWFI1YUXkclNGC8@eb;w3Rn5l*8EUbL7Q%Ao^FNtmTo0v>QCO8I`>@ zRSry*>gfp_A|UTx?ax>$M&VGiXSTq)^3`=1^_pH^q=CGnOudgyCej;|t5S~FpF4xN z8YhSgSgBz-!t$Yx(_sW#?1&HXL)dDHTA-Y9(3gJ}?TrP7nkupHgBa+lRF@YGrzo}D zw}M$j5~PG8m?fZKjDfR9BHc#(UgHjMzz8V_uPTybZ<0qHd9IA2hLc%~i!uXVq3I}j zV-hI{-wuf=q%($;>td6X{?e&WRuEPHRyQqf8#y9bNdk-#7RZPa79$aNyLDn?(_aZv zf8UmjOWkM?n^uF}Y{Jppr`l}c)J!B%$5h_@ccQu6Iyy@Y*x^7z-s!)uq8TFG(u~%^ zf7r~tUrwRZ!oFXA=nNzw6{7E>gCBDTIJ%1;vS3EK-Q+Q(AO{&z*xpNdE6u-l1272} zk=F-;wD*-6Q!~nc?>niuh8`+0<7L!Mmt!HZ+mJ(Tk)}mt3%ZLD@932Mjlw;2gjnVy zn1dtPR9Bfk>$8B+Y?XwHZ^Y=Wy0WOumy)Ih?dg@k?Cv}9Dx6+cA z=F^gA{AR&|T|5?PA0=teykL(gQ-ALtZ&zif>G$eu$W4$#m8$0tojF`!Eq5J&Ci>)z z#f;nkdBrCSO}x;QrF6uQ)wbcYn0gR3(AWmjEY=0BW_kz$#}BewS9YOT^?W-lB_w9# zBvE~Q?az56)X*o)>k1-L=x7dN@c&Iuqb6`>+J#thp4KZ4ph!DtG5_*F1Tll^x=PTs ziA_Iulo>Km-#ERx^>=|*d=GG^3+|ZDCt-g>#^kC;F=GUJ)0nSLM$zYfZWgWnH(Ax3 zigZ0BA)iDWkMw}+wMB!Lfd{cvVfiag^%q>co z4Qu3VgUK3G3~hmz2xDZ`;e-1Ovyyz@zGT%ovSKWuRC3Ukb5TKN;+CGSntSS2a&%P` zfr6rC<4Jm;v*r_@N*b9`z(T6x37du{Hc+x+PWsvP36fUl=XqYB(;KAMmGgvLT+{KX zbvyBB)hE(NVD>3>Rqx~WOi`*9n}*BAOphf-M(Rq-r~A=WP3aUwf0^kAKhJO}tGLTU z^YG-Z^n)8(6?*aBNC9wCH=#p`l&qs}pxo)^f_lYD=oBr7158Pjlob@f8=|NEq@cfR zUH_qC!YX*yozgfBL#<#>wdP2aC`ldbhbW1iOzx4|XGMTf;cbeX?;>VWF=7@mNtoJ~N5eGN z(?FeNKLexd-^Eo}K)V@*H?tJ&?1mRDiD5qtnxq7fQc&N+niTT7=|ypo!-m(3o#?~b zRc_zRq~$oBSS%O$=D%p_^;6hvfIR;)kr?PSNd;yX^b?5NCNFjbGlPpfHTlU5`gB#o z3RvD54f)b72O8Iu%KNi_V@VwEKmNOVHmo22NrqBUU)Vq)Sq=4EM<}a*ZODd=r$ZYb zeI|W7CL#-Ts4H}(=xfL21r&Kbpqs?O(dXVKy86i3zReo4&4tmy?sHiGRe#l6C+zR7 zzJ@{KorGlX?7Do8R*Ac}h@8^M|G}d8xZ1Zal4^0Udbx zW@MT0a#-s^1OFen1IJ2K?kE%p3!~hO$Xz;E+xO5}YH>V>i#=GYIdC63Sm8X-qyh>N z7>jAO@a@D35F|+?8_Rkmf(gi{M$P9s4nHg&E)ZKRjb^GfrTvCkEMjKr%rR=v^KN6J zC-jHj^6legZdDy64JmZv)VrzWUp@4JhZGD*_^k!CiLWha|g z9yDTw5a;iZ7ABJy^O-xb(Dw`vvFZGf_4?tQ_Tv*P-Pj_VxoZtg1Yr8AH-;(Gt z>G+lM$p5hagFfw*ytnTl9rgKrk7v#=<6FTTymRF?vYoD%#*K)Xg`^kdY9eTZn=Qy7aSP+ zvmV#Kr8NSZqNE+d5rG!?DHZyea6`g{ipyX5d4l^L6Z7r$6OeIVTvSh?<6cle99>_y z(_EFGA0K^KmuVPyjaQ!7(E_To@WO_RcBjz_C>7z4w|`9m?NbdOZh zSv89k5xU2dYOf6kU{rc18hK1Wi(1639eu21$Uh8f{hG;ag(P}N{EdTdVWhYaoZ8^W z*D}3E%d8&KbHgT!{-%a!12>~a+u0&WzKEM?r}A`@Ncx!#8*`cXeuLe0(@eM0@5msW zn<+dT@lE>V9`fshf_DaUsWgI1crgX^5AEC}H#*Z9%3R(75PaK3MT=}Dx}|GnW?_eA zznW+?q;*dQXM5)dI0<|+{y~jJ%5<3wJVe(Sdf|CHD%FJVTCk9z=Nhd=XZrcZY2T8$ z>!W##@nrKCsYAVDe6rL;= zWZ@(G*Vufoo>^ns#8%9UGC81jrd||#yj|kN@Jse#GZ;Ij0>p%5Qb-daskhUHfXF5* zh^IKh1v5?@8U&RSq?QCTw!80$6}adY=OBMx&tPOq!I(c*vogC1l`;L&AQtAK=<}Yx zMYb1clOhFzVFLtz+M%-hSl$@}iWDzEx#vUxuzZ`TwXK?oyHZe=9lyd#MM00-_uFE- z2sDYFtP+%Rc|=Xrs|&2V2Y!`9Fb)8h68%;f-1{?Hx8p0E#N#>YU}&PfB&lDqDlaAh zYd5}RErxv-8tOX6?K47sH&-L(5pu#^+mgaQDnPKl!K%5pu$~xGl$890SjdZX4ha-x zX4O(Oi^ZpCY6Hht-Ms;Ebs)SJb}=IA%%+_tI84=Xn53&c-$S+map z$Mw4Y5+{wO*%Dm2u47bOc|J-%9E!roT^vi`H-S#&uEfty#qox{&dnPBy^goYvMR~y zih4tLmxiv;GnXaa+3Nr^n-!pwObtUCDQU zD8?9EUw;2GMAkjXqBN<6>oZ%SzVaKaVTDE**pw{MJ`R#Vnw?21Kp%K&M38t6MA9@; zrmv(Y>W)XXVaz=EfFyr;QXwU{f~_^K`okdQRH`+r)LT}RW(Ab)p=g#5`(KF%zo`H9 zv;!YeQTkJ&GSdTNB(_Qk^VbAfZroxa1!ZG(xxxYhf(fRvp}2|UQYW&p>(pYLlQPqPHzDj&v?2{2~R8s;X@|UsBThY^^ee= zY9y6qh|_(z8FY1Vv)zYYv>n6jrRUgQ=#LW9SOyZz& zbJ=^tQRIovGhn$vtnZ4BlHYo?{5zKlf0=(5IX+-@Rl?4vh;Wo)266O65gU=0a!o-dn$XY+1-b~qW|xGV52vZh%d zp6Dep%Hyy|a3zroB2ZPoeH75)&8?Rrhd$@d0RU^VKdy7tA(|22jUV9x(q2GJn z0GI*FL`y%gttfd4)Plci7vQA%5Bls2s*V*oFbaIf!xQ%+Q<8$0;%afF$2l(mP@08@ zBYW;B7#`I4$C8jGBh&5h+1Ug%@iYg@EFo&=6_nMO z6V4>9JFyzfAA%g3L=0P%0$w2q^8MeFao%RGdmr!FKY5s0az{0BmRekJ`mk({ z5Pd7wu+FNQ)AyGZq9``$;vsO463)HQ4e+hjs{xg5mhApr`}!X9PKAkfKT6REpJy1L z?E53`7mK1^Jcn=84|Uqe5O$KX0sc__kTnej%&Cd`^9HeVhu)ShiG?BJ{PNCSkNZ{V zaCR|Tk~D|i$K+KnGyi5k=`F`T-VJ!6|NHv>PS@|$6;msh>TS|H?&Xb}D=+@2Uklg0 zs=K!A&EC5%;SUD9>e~Jl(zW&@smLLNfA{U???B|UMOT;)?_MoczynUvXHR9`eFf&u zdIGIHsVgFsmKFcTt`+Qr`X68S_{?zqyRR}J!3HGNj|756Ua1MQBya8>$G>fRRu}s0 z{85l_ZXnT1qPZX>D2yTvznm8?us$_|qR#`tmqmp5C>G(*OQkY?b?^7l#KMC}X$SAJ zx$#kA{yvMx$;HUZ+nir|NX`#8#dUo5{%J4!W?<=GTSr$&*1J{MdXJ1x^*4)>fYmn} zeW4{R^-@!<{QEHimx_bE>+| zHS?@uB7!}o-gCM8%x~W^#03t>n1iO8I8Jm#&42LSyex-&W+{cM-n|li8P!KJKYD5Y zGH*-knA>H1D8RQCZ^_@$e=R|AmdtgYHdMw(L6!VOL;Sc2V2y~yDo^SK$Q=map{ruw ze<6NQNZdz9abFPhscxR|XQ&w_#f{8Lc zvNwYyOGMJuUY`?)gnMduPfiI|TdE_PWpR7(-BDjpI;D=+3V-2DY%C-AK`HOiL&PSS z6*~x|Q^3Y;AjXqQWGF~DfufV&k$kygMZ)G=gaV0oJ`59qKQH%2>PHNp3#3pl4|5#B zzHg9cKlWqc43sh|{0q;hD+?!r$sffLi|{1J5D_pO3bT)VAvbS|jZJf}g;7c6s5FoZ zQSl7#QP6LFYOEbNNJxL$#KX*N|LaQrA@B2o5Ya3+IVraaRYDFuG4{YSc`X(ak^4E& zYZU8xXNSzhEJ|<|iUKL{OXpfYymZix2h#8~ z1_#RO21~baju)(tk(`am+{W$XBYx!~p zs5TN!=4_lQu?yehfkpL8N`pJ zOaNz5q*JOz-l=4I7!7&{xNy4;GE)96vA zho+vUhEih*Hr1wgPo4?QqaN2K8TBTqG=xVF85tLWP#qk=C4n#Z7yPAm6!}a5#&_p`rZ4l=3kc z_R1h?7(9R9ti5bC|B;9<>NMRtuxb1TrV${Bxv9C0N`87RSZxO&O(LHLED-9>t8mSG zedus7A=nNa;s8#^l?tovt54>}YAdDzAqlVQHF|-3^PI#-CIm&|T+H7{q=sa*#T86@ zblDqA=%o?sX;a8wM{MRu^Iga%kcf`2zS+Q*~4oVMO}-)341q+oNNXnNU+F zyEBIObL*DpE%YgLjw!*9%Th@U=-9xV;CfSuad1eY7+BVSc}W-!JY7%qR&BDFRer%s zicI^8f@7G@NG~!10P%1^`z3C{)2N&&-Lc6ha)ufDEAt5qdO;l%DicoahDEmvV|c3| zGb8{0l_yS}j{?xUz?EFYYEz9-R*Qb3vticyYI>hh&ZJQjz!*fmmc_Z&C~nMtplxZe z>iahj8Esz-GeE#capLd$V=(iyYA`rcBh^k}s|RbvCKw4B80mE5HQ1P_YmDetJf>#r zHC~Z)&#Ql0)-r~S>%~n_R7|q6)*78na+8dg6=>MIO$vBTN=#tIn5N~t`RoBv0ivZ9 zm>6bd=vGtS)fyT=OfFjXOX+}R@DjKQrM#gm%a|s7j5{=t<=jXSb3k%DGi@2mm z;)Nsj<8PJ;Bq;2;QA1g)U;MHZN_KvHtDL!rb1KE#!kI&$gx^}gJo2_F2>n&x~h?NdUQ+y$RDT&Zh#xqz~ z#jS`YG!36om_G~eOy_OwymjW&Zh~_pn~LUCiJ;_?;jBfyFm6_CDxWE_`tFD)^f^OxRuszPT7GV6m9w=Est@u-8qSa$lq_Z6Gv@V2j!kK39-kyiSz}z z+4u zTkHIhZHGY!fcj_L1dK1`)G<;Zwn^@L3-o*Gys<#*ai^ORkC{`zu_^M8gi|RI|7HFs zgkQH?dGZ%e8Gc04d98io!_d(uyS6=Z463<$j?>ijqngx34fnHHaPOy`VGmyW^-AmdcY7LWDSizga zfStef6S1j;=scvE*-@uN^->NWq3*2$krERq2?-ZFD;^vF00*U?Z45F^(#|gEO~hxG zOm(SH|taxf>9sM&lu?vUa{M@Y<;RRN`F z=p9Q<6`|(L(g?sXc%sEO@%$2D?)WJ=Iu_3lRi!@HqscQ-)6-&P!f@LJU`M4kCMPQ; zTJn#NuQM6PyO68T>1xsGyG6k_^03qQkOacr__!h_hOT(^<_J6$6q-kLdct`$7ZZAK zQ&w##W}OKN$du!wK1E7y5!{Pg42Q8Ro-NFquiAj~qc>9U`@$UE)2Nyex}?@?CrjgHjla za@ZYB9)oHZi`qxu436Ys>wyv-U!Eaf=;EE`s>l}975cVV=WV5~m|v;@@%(9OUQwL( zS}s%;X!w=YDC}NN;^N?`Q3M``uZUsxRo~o^&_ayO^4I+fXz}WPHfN9V1s@Yk7%ymr z{usidM2WI-`|$47Z%>NfUhKcU#eVxJ|MoTdO=l`OC6xLac##rt;rkV3Ri+sF7y+Jt z_>>TFb9rx>jK5`k31r8nk4Kr;B)lJbAM(*s<@7f)EXHpp7r(3ZU9R}!Jj9>aBp}{9 zAS@;TdRCN5n}b^&pSb!M%ut<-3^;rJl;Icv)qP6o-pq2meOeDtkAI2{;8~4T%_E%1 zmQBm&?~CbjH@L<~$$h$3Fe+DzTb8)vZ+)ofek%Aau$PCoIzNe8OUAyQ_*9=TS)%}c z>S$sh-YRROWX78=`aEq4Xg^{pQBH$b2ccxz`Yfc8!(IAH@JL5a))y!~xMToD+^z?S zl2J(7lJ)qP%WE9tp@R`PR{^QUjm^9G1P!+Af3g)a}x1c5AM|j`n*a8XJ_y* zG0T`^yu1opCQ6|Mx-2$o_Me2FxA(yd3+l*gfk;Nqms;z_u4*Z*Q__!ov@8UTZ~;8k z_Jp_nRdIrYRBYK+=?S|rLEVI3JP*~4>{3^AQMFFTr^I=6Y9OaT?ZJwqHI+~R*rR7H zkfQV-kM2vw1m(3^P+AQVCoHZaChYvXlIZV1Ukrc_+ACrnrz_Af42MF1IO@x zfqHdB!Hu1+dg`!tU!DD;#f2&BPE^&$cG2{#r9>&09bJL4u~-99(i^}qmzua2#N3NS zpKo4o<%?Zoc9Eb0(SaK2GNq_=)E~Uc#gDl%rvF5PG8&iKzEf_Nm}*re;gZ!ju*1j8 zmZ>T1KOsX)En1eGOTE~q@SbM}Rh@ATV7YQG*k#djDaH`6(;xh!9Q%vFiG?7Bc)-F3 z%-XDRv$1=uEkA0d)3@;^s5LZ^SacJ+@tuN?A{cp`^)G4N`OH)viA4RTN3)xvZ@V-tlG%tknV+O1}#(_B|vAb zXQ(`Zz%HTQC6`8tUBKQ+TFyYRW#2+P%}#axWf0iygEz}hsJi8wON{q(E$sP6^miB4 zwl9D3`y8dDu6MECO5RMeJAWFTeIv_sN2V_O67x+xSo-0@87c64yZU$km;D6oUpFx^ znP9ZnRzaa%2owQXB+6OeOB~7_KbmY0)x37ed60lCDl9T=KM(!IY5dcZ#8CMD#>n5F z)nb29t-=WIvXLl&K6;|7$Q}6-H2A6nrg_F>uL^YF&P1f} z0Z)>vTRFqN__*lGb@IjJA@x)4gczD`Dy#v)xLz}^%BM?`KT{O(k00CUuK+NosjExWo`DMjOEFmP8g#c9Ur{G~S%bOk0Z6HTAbmN||k> z4j`RCRRmRA)}-B$5W<-Q=WekWl_cCaze@lcqtPPR97rv4lZ}mZ{QG z_MR_7{JrX&(U>sbEv$;w05QTEx);ajR7OH|g~FBBR;&X=lcxxWvZh4wet_%<{v~QJDK+LQ%NE7!`R$oO%0BD z+epa#MpkRE^wf}^b=T#Psl$ZjZyn#lgRkIK#gv&ymc)x1~cWU`}b;vz!5SG zbNZ3Haq&Q>rHq*KGSzQM{h161HFAqMVu(D;Y$Ubw*e3hXXPvhj)KscKqzcO zv?FkqEsD4C{L`tVU+X&0W^Vm8U04isY-sk*r`yUXhh zi`Cuvt5~BWA1&H2*~r+c&%v#JtXo(p&A_!V_tomS#n~hHf}XHxn{GunOs!DJ%4d~? zX5e*Chppu^5kOD{E53TSdR=|aaR;ziz%D1~4%zMbG|P8k_t)lFFkg&gS8Lh>Gm5Db z$~tK9uU!Y!X!6FrdP*BJ*{!{S6@vE)q5^Db_)TJSJQefC{Y)SLWfF~0DTsBFF@*c7@#Qs}W|spYr+Lb3z0gH6r$O8UQf z(lpmhUGSYC$ug<8b8BE2=>Db^2%Ry-9&V`DV7m^lRdho8iv98z$s(xAsKQFB6FBqc zk|SdX&xRhnk_d5YcuO5}C|ykSY>IJ@6<2Fv@rIS=?MSd1^&0{&D7~(qmLH94Htz zH_93uHQ3>f8@Ofex)J*A*9#lozLWOwX9=f!j4>bJNLu)qcEy-BO0TAj?j>3MG-EX$^*b|M{WfPLvGKknR(C$yjAzUJNU7)%3HJbu`X5DvCgu=EDzk=1 z<|I*&>hAf1#9T4C#|hV!|#g>y#037Ec$tBHAw;B-hyZUxmy3T9cn7aXQ&)Ub>g>mPNx&ox~} zV9mkwE#gv-u>5D}XUM2Mp#&9PW^1SVBeOe*aB9|cs>m5F!@ZnRs{DW8Iis_z13c{b z8OxUA2|v$5>Z7+BJ;r>Uw2`E?HM2XWM-y9(anF^bS@U!3ML7Va{B~zEhD%6ER%vzv zlXE*$W8)}e{P34bl_TrkaOCmJS&=f&i9|BS^O@$19i2L@L5Ls5z88a| zkm9|C;-2)$tp&r7@9u39hC5c`5{4xd4+8n*pbwBI;hLSQz`8zD3&(a;IE8zM!fb6u zelIX6ohItx3~QyrO%ffl8Oc3gE3%o6=pm|R8WPpxUm1vem(P3^Q1P+D@fMrG zdO3$lanC`c#CEINF*f>Sol-Y;vy^qm(!69ZX-uQv9!ZAvzCX{B2-D%HIwF2-S6bOV z(HL_MGa^0lMSSj^69LE1F)gQ8@53W;3L$2vuuzn_ebv%;`i5WA%0sP`ea~Ri3lCu`0x~)Xpgq%Dev{k&iNBHjKzd4xa@Dukl{#zpXaMwH;5xfO@dAydyt9! zk&%fCc8pUDJ};M+_zw|DnEu&#oMMhoKzY`va-axf`w(6A3#5Ky{NW72co6dulL}l! z9mz4_6lYTFFe&5WRHT(R=nQDs*le(XK)0v{7ED_@DjZeoN_ADm5As6?X@6{S85)m$ zcsAu_!hoX1*;Br1D4LApKqi<_tF=D>n2KTnHu?O|F75`@y%Bl*Q!$)ew*3dr@@_u{ zW$GJH-@@P&9YX6>7Oq_mMmcBa6SLeiSxPyArA1lwfpE57oZY+z=00M~+#c7=PgD7Z z^%bJ|{duKz7vqQGwp}f8fMys3)v3ekG0JjQl{xq({FNmc3*p_32Rn^pg? zyPuaA2O7BRxF%NO-b!I5xf@T)t65#b-#%i0)!C@n#+HaKnSS0-^=@qGKO>!+=;u?* zY%r`?BPxw;oaA&J@-{2}SKE{cC#8nW*MV!I*R}$wD*sxPXOHsHH)eUMdI9GAFsx0? zQBjP4_W#4GX5_O8KvF47U+yr$9Yfug@ySQr4UH;F{C-Sn^Nb(Vr23_f+T`N=a4EM+ zV+P$U*EduK4D#XRZ9y0Kp!4{RQqiR>>xb=X4zo?$Od}~WV=@173)5S}Q$|oSfJ?qtw8L#4O=8eEH3YKlQIe_6wV=!2J^kUuqMUK1#IZWYf{NwHeNb5u!E8|61Hn(auB{GsXKSM>Agb`k!F z_DL^?kIB>#C#Tq;0}grpVT7~N+irK}ODttpNIGM!6PT0$1p-6 zubIL3rNgwoN5cHdR);mzcRXl5lI{y$Iy>EQ?$I-!QI0VCVreV=sK7zsoULb>M_`ZJ zoJvsWACG;#Fbmkbf@3QMejA^OfcWF*3cNlL(%J(?<$oQ{+kU*N+9|0=RRu6(BszPv z6necTSFJy*OPDxHl~C^JCa6|He4*p?OvEbD%=48pnT{mv#^*6yuJ)@#40$-OaA8zf zk2lWkjCqqHET#&NUDSin&P%T~-KaeZN|^pC(Jr}~oYFbb&s1++hf<>Q42;sJY-7BN zU2vFO%HyVHYIWxD24j$4$|dvyDc=Q*SD4tYuXq)a$L#Q32LOe4)PCUSZCG*@Rj6HZ z78{*-BU?hAI3c-0U#$@dse-v)aY^yTFAZA~OIS6Yql1^Ou29e4oSou8u*{oWAC}a;otjr$gy)dw+>WElRaUmt&I% zyA#)y#)mj9_u>GwB;BvLQ#CY-QXL9^F&b9hDk!d*)lh`DB-s;_>F8-{ZG#}e*-a?n zP76i}Q1Z7AV^Pj4$Fxe}_~ZuUiiA<*Kgz6JHOGIROxa%FpJQVRp0Bj1t!S&P9OESz z(IS;_eq*U`&izs`FiFIUj3@|0L2)j?4C^tAlFp6iys@Q?4O-`+xqWp=R2Noh#QN(M z>`7noK^cax0?&#rJ~bkJ7wxo3?wk)9cJKV;*6|7Dn9!qibiq7FXD-#ww9u*4<5TVo z8k~jU!9C@k`JbOrW0RlBuY4btBjXMB^Msg$$$ZWeGMO(7goDj} zm~gtM9yYD6qC+(VftFjvJrhZdqVfE*AGq(zENsfp+xrHix1p zjP#WTN&>h*1mezdfiMBu_XZ`GOLTvKIakDcSt0ubJ>o3q@ZG!<$z2zE=J> zZDM_GvTxdz`&ts@2vq{u3cwii+Gw9hyWaP8g}v#H>FZ8;)05NJQ~aj4y07;m@&n#Q z&*t7}hw@;|9_xb+c2m%xI{Tl_s4j?}Egn|laecxmM z0ttXUEVkN0Z7Ma#W0oT#0q%Tzl4MDfCsC$U zxsqi|moH()lsS`TO`A7yMifZUV8MeFcFx#2(1;?RqJ)y{IWXbEh7XxW6#2BWWF<8e z9*Od#=n93YIl+b%JCE2Hrmf&5wYXpv3_<{4eu z2x?J^TF>Bw`k)}xP%#G=KAd=Q<0e;+^yK(tPf#h7lVq;-tKZ|-v1ix5z4B7--@%6$ XKc4b*^5@Z~SHGTpd-w0b2Lu2+IvA$V literal 0 HcmV?d00001 diff --git a/windows/keep-secure/images/wfas-domainiso.gif b/windows/keep-secure/images/wfas-domainiso.gif new file mode 100644 index 0000000000000000000000000000000000000000..dd3040653f305cf35bbb999093d7d6fdc30a4f05 GIT binary patch literal 18347 zcmWh!2|N_e7vFmqyX(%KCFIU+U0Fw3LW>GTEhQA8kfYcGyF`{!&Mc8zOC?uY_eQi) za#c$b^3x_sqW$-OpZ9t5eeW}$&%Dpfd}iLvygBUbgtZ9x0`vk#0sy*zfAoJ$`&UXS zssS(o0JRu|T9BHW8bbFvz@R|Qz#3puAZ8MSFv)?KlpwGrve+1ibqUhC1c56P!-*iBbKp-Zj>)+z&A7kR*hz%&g1~j_{WCa8S;DVatef=TV=Lw;y z`0z^Pb%AwM7e2hjH$2ZZyxldXkr37HA64KRlShbY*Sszu#5V%+1Tir&`0GP}0)fEV z+Bd%I`1SU(a6$mNEZ};3`1Q);sXYPYo*;71@$|9K)SlGT)X?;S(5&Vxat@|a5T9P_ zpEDhlGZd9Ia6PLrCTA%AA1>$$EtnPr1zpb@vThXQ<>mR739c86k_$$o$|lyyYB6OK z@nxgrlF`(Xp{UBm)UvUaEbH)EL0(x`Sy@?DdTL8bnkQ1**GihF)7uxDn;T17rYCCCV+I82U7M9H6D92* zD%(F~^=vk_4`uai=k%;+^$2SJ8M~$hB_*|8^94PE#;y-}1KX87i(Oq^B?Ie?J@X|4 zf|j1K=AQY=0YSm2pk-jbWK_^KFws6RpEn`cZcl9=S}YqAbPX+5{*$ANU85^Kql>i@ zg61*7c2Cae=xF1Fpl58QWnz1K;Gb)Pu8Hl&4}yuYv7w2T(TVw?iM7#*we}B!q3N}O z>Fur$g3;+U!O+my^xE|F^!8X|*Sw%-UNH7yePCWNG`~Iie-@0*Zw@W~lY;5__0dJa zhxwI>#m&(b!Sv$hhsE^|i<=WG+lz~f(<|E_R<;H6qaRiT^DCS4|BNf^i~qoyU~z3z zusFZCw*6sUu(Gzj_)o5HudEB!);HJIx7XL#S2hJ}o7?|tt#57%{^|eJZNcWI;Geer zj|KlHgaGjSnVkcR*-b@AYWs0mWxX`9eJ;iLrtLM zYW-d`SK@t?EQgAnA3Yc;!d_XKtzm(6@8YP!N-oFLb>$D;()J&ETr*xpxbIRToHuZ^ z*5?t(ruIqQyNATy45gyC+Eb4_+sgfiTN-AbMjkE9I&!sgx;^g4%KPD`3$tAb-#~j^ zTUh}$$)eAt>sy;X4Kf7kH(l=-ejd&@epFIFRrh(6>CmxptQ<#{7`k`D;(fD=G^6fF ztBDu$=8@6znxxT@4s(tpK=`GmxOL2Ud`sp-6O=^TdR`@Yesee4{O8xg{Q%bPLt(&F zZ+M=-VEp|?iqOK5A~Vos?0=xuyfT6J{7$^_`pC>ZAb_1Bx1RGWTYOP{J^R}6+h*P7 z0xABqt#SS@rt^5f)7vq7&M)N~b*J_P00kkzC#7Q`cQJs6dA!2dme5~kB0o-2RIh*e zN&ARwEZ7`LJf5%e>Eg~@_5IAAP;)ANM=pmh-uxmaFU>sw@%c7YTub7Lq?Cauep+tn z{l$;R#OE@7FAI_MY}2IF@b}bw*aaxc*3rV3F|@!!BX^8Ml;p8FXBTNtx!boXdkXK~ z42$)7P|z~D{Dt24tfe|OWE7zSI6Pf5Uz9cBTvdE#ez_DsbbI2=1F3_dnjR^QE48O~ z@&x>>Yv+b6cvt7kwmvuH4mpPw?zoXO8nQg)zgTl}gxIA!Z&hmVsT}Vns>VFn)~>_* z*Xf<^dzP+swG;z6q)ck5MdQiPx94ZH z&cc%Rn#qrue|*`i93P-foxL+8t7wRC2}@t>uZa&FsE55Om@Pg+n!IQO~!pzB2ETH2q%BXdssZo0VobHcN8yWw{Ttmt5jWNT0|22=f9(Fr% zeRcQj07Ub!Re)!G!-5H$a71s@`@`R5|G|C7hfN=AU*C^@&h$XJP826sBG-e?7!0eKmCdsXHGbZ6|?- zEh6Qg^JExL@Rxpk#V)W81WjA#mZrC5)Ghn!tyGmXT2)^K5lrW&cVBExJ{0e~8~(dDxd4ijk`q zXlA3~sMN6M^#}W_P(51qpK?*1e?8j%^K)@GN%VS#4zZ}q8gkAWo&f(adKmKdfe%db zgtVY`u@asxq^7>*1^j!Awk-#9gIY~;Ts94}O{+3g_xa*oV~sM(veb}o?trgi^Y-?f zx9^$H)oX;={7&T{8a+HD9k$p8r!Qun%gm7LpblWnhLDvOxe9mVn&Mpz0==R<|k2gXD%TSETkit6w(qay2+tWOO1{ zV34HhjC)kSfEUw{NU>YLvEO15kA6*7-eH1iObMH+b4O3L!){&~8#iCQRioNXQ>(BL zgUQ`?vWS0tL3Z_nt#v@@?qph}pQn@LH)^gMg9l$A!mT(>V5u;Wi)5Wc%pEa&p+UfbgIS;URBHC?&CVg^ zw@e)D-f{^FTDFGaxzWL41U$~f@=V@}!o7T;Wu?o(ZCMX$i^PPJ!!h{2$$9+sAD{69 zCr`w!sy5{7_3QIqpODH2Sw)R-{eEEa{iY#7hu&Xw&g7cwhaP>%daI-RyVY(@AbrtU z1$1&q!=N)+ky<~>3Oi4$^Bv7Sey>ERA=T-Kllf`4qxj0B$Bv75&S75Hv7Y348K=Jf z6(I3Y*3~Uk_ME|Z+BwJqYcME%_=Eo>SVm)s5^?*6(&Cy}t|Vi`>D9Q$O0L?O&t;9V zZRbkgu}qH4l9z24WmW$$8^9ZUIQDe+>CMKs%1ZeME+?M<7`kSx81`N#)tS z-|VCl@llL3bEr6}DbC@0h7lKBOB4>oA8>Q(xs`)CpF{#Ho)|E?ljHgc_2Z>rcv8yH zzsLH#k@0=mPQs(Ysm>ttFUZl6Om4i3m{Aq7UMu=C#^xUv}b#dbIrPfsi+|2rI z6}iO&yYWoD+=YDp>IOmL*^-m3{Ftx1(R%dO=bAUMOvRCo3+rd7t=i4|UQes{oqycq zG4jRvPkc!IX|rQy1!iw@ktb<&=j4BL*4)~g4n7@?2=kS=AeZNZs8ABkiPxzTx6g35$kRq)hDCl_(VSr#d#1taxZu$R{B6xB zNh{yi{Rd(b_Lk1Cr>~!_y?gQJ<#D~1TJSwxCDP!{?$Z}C9Ik&WENBlwCdW1P@x=cUA)n5o zmla;uqI7o*Z~A z8CWe>jscuxNm%3HLe*iYNd+7RfM!a7t3lEsiI;DoSpX4;IMgJPvR@VqXHj$~Df*K@ zO*#btu@iR*G93a6bYT z!iL-B%T$x7AU;G(1&qa$%VkUf2$>yXia!o~1d-~A2NM~vOZl*7G2~?|?Gs#L-GCMs zhlt3Bxkpk6trR5|ID{p%^F{U~GZoED(g;AG`htV*!UB2iq zG4xy{iiyZ*V~JGwWQ63MXdqd(?3>g=hhT>5q_}~bVNcRZO+TN+)T`MA-6$Fk+OkA3 z;b-o$&{L79URI#6?=7?VTU7#<$SWRWmy2TXAWG~M6B4WxD#IoT`ywFt-&D0I`dTYl z%_2cVPHvV6-h#cpm*8#$RLULRHLOTE%5Gi?o)NSil z;AtMzHT2Tpq}&Sk{8=kAH9 zk(i7u$VO0@QAmI8T{su$PegrVphgJ!^n$|L&|6gu5p=vLgAdl<0$*d_2yRNv*8&iI zvhSJXQFD;~Vz+hipinOATO_Kwt#GKVSU6sIfPvZt2)ht+bn)P8gn~d706$-%psmP5 zE3Klh&8uz<2H3uC+ya~sFZd;&Uq?g-UR)l^o{>(tS z<4WLSU>f(1m*M^W9{1(7^Jv{D4=zQe9X-O!bDXX`U3)?&0dd_T(Op;?!YVP*25htz zD7eVJh^!=qz}Ep4XHHhdBnXeN(0G@UbHdVS9$hOZ_2N*GlX03_PU7MV;ct9ogMe6d z^Fq~A1JqY8^x6e@P`ebGN7njIqHdRLPRh{RDVl8I&j!fsgxZ_a!mkZ#@)Bwe<q4|hh9f(8)~KkkwjJ#vU{m}_B_7>WjU&~E z9O9P&Rd6nJnTQk-eq>zqm^LLmC5F^d@US}7yfa-C5daU}0!@ga{I>7m>mHvLxzj;F z$Kpy133Rva9GkB-$Axo8T>kWnWseF;ZVM+vB zN>S*fceN{dM(P10&4YlxJj`V3w6_eOt|A~`V2Z7XMTc_Qlm9$wsFT{^LUlBO_qlDS zPj)<==`4s5d5?kU!~qXEOC7}kYK!jr<{-U)gWfYlVgy5-qgGv23{*C*gvhJa&mm9U zxPLMV@g^NMM=1B#?sBY!85BL=?s&d4^Zf6h=Kw`E$eR7T1E_!ljJW_5m>}dV8@#o{(;c)}uBmWkH&qjZ%}g`(^n((tVak2Fz!2|LV5Fa&t^1oF<*%GwcpjRDnNID{#*Ec zWS$4JtBx{&Bj;)$3UxJsCXAaof20>6BDR7|5nj>bGuO&v!Uk!+T{bL=6?-sseozM} zRGw0+C(~`6B;Z16c93z4lXBL^#ZjI=MUm z2LQn~=so_o1^}WvT&_-jmxtiH^DHi10`n^44@V>6l|1UsYa&!f7TO%vubqQtFmsdf zAQx7OEFZ1gQ1}QSx=v^`~HatXpIjETE^ zp->c}lq(eKhN#2{g@#XrG)#n*Oq2lLh3*QSLm^_b-UVHs2z@pYwfip0UzpnPE(ezhv(K_-%WS5ZZr~fFnc8PFef}a{ zZqtwbMS8Mk+65ysPgn?_NPrdrY{~+{#m@M%K72(1Tf#&^9ffU-OwtzDg?xC2osAL` zsrGwHe8voP^P{q06oN3g3q~RcUuMBBG7u$f-bJoZE}M6mFoitLqp*2GUA&7JA<an-fc#kh#P|UYgguG$E!xr>8%Ekqv=I@}BTT6}yltfVmY6 zTI#RplgK#%Y2IdZZeDBw*@zw{EF3;P?>x%0LC?9N=bHQ%;0F=MyI?H61;8E`)$5x*@hi`763ZM8#pCzXhz9 z^kvin?*j_=@|V(Uj7qOgzEIZA+n=+Qz=M7%#Ch8+?o?zRgYm-2Mq*)z;u(ql%R|3n zd?_IYjF8X*9(wm#@d#0LSr=$nD0LQ66(=@W_UEH;`*P`}TMaCfpa05DLk}7w?HpTl zllV9kiV(k<^@xWeo&H)EFVecV(8pg29gWc0g35<=^!&Zochk4z^y(CS@W>>v$u-H{ z4yr>3z6XfDaQ^S%y{x!G(XkKrIxwPZO5ne%5-Ycm(pr!yZs(V^d&~DuPziIZH?yAN zkkY@w5|yiw)6g9*GUE?&!r%>y^_3d{0%O$3DU z&@P$2+c#^g#Ks@4QeK0*gU&s=dK^Wh{opZoLl zng6P{kpiM9#zS->a-&>$dH)=C8JB*5(f4U){pIiVuX}&#-Vv#1JvEQ$*A4;g@P6gz zAt-!=k-}z3-mMX_fC+<5ILY|tz9JM3t*5klDZ4kalp!ARdo}O*T^?kt9VoyEBUkCs zY_`-E1c}TpX~o4g}!g!oyLZsJ)K)gfjbxPr@x1 z&ObbT7c70B|L3m9Cnp~hvm}U6?$JX>2KL-@Ebt7nL&=}$@)L4k57}KNe&{QZ{4Ajf zy4KwN*$ZH6c~EHwJTJ+yl|Hz zhuJszD%CyFI{6SZ>4^$3sUuZhDRn~WFl#-o8bMPCXP202xYFo@PH{Jsd;B*Rglh1r zzMM=Yi{uH;w;r9Kn- zu6N)a&H=)0{tNt=i)Vm)>!zP;D6MspDeLd-MIGYfYkk>HvoMy|4?GBMr zs1PYVBS`w#_dDC9TbWXrILcgla3i8JxX~A1l;B#8$YQXK(QV*WO%1!viE%NNU!Ju! z4&u_nb~K8+bFhi_*4d{1-JO{T8rbanc^s+_t0```S5Car%Y9m1`6ZeMRufLWzeKs3 zv}$OEE|OYuxNV=(JVY&&TPB_LTWB8sKzx&(0&X{aF$6i)6pa6dUFTpgMSr?4XM8kK z!bR(7`Q=gc5tF6cSDpTJAF+dvAYSeW)UeEZUtt-2G^@+A9!HDaogbCYn^;P;Dx+~_ z3L5JDHST2O_p)PNM-Q1EKkjyXUzwF1H0B`nvRuEXeMHP_!Y9|7>QZl5G}>~Rn7S;T z7>MP8GA%C}x1QAw43Z6Wc+!ATPU$f_75?-z3vtKBg~;`zC%f#SeDnv2#hLi-So zE}{EKW|0RK#9QH(9k;D1?6&`&Lffq}$znpPnMK}~>dJB+23TyyX~f}`yv)<`Pw4xd zoNrc@q>V(q*>cpB@ztJ2UVLpg)^47}FjXl%^Q=HONbyJk;B{{30AFUU(JFhRVz)h33a04yFItj&X6JT*49yKoyg3h~Rl*n;f{j8VjJo zuO>fDB(Aw*yU9p*s;urINsyQg`AvPe6zM*q$-7&!F-874M%30vRzhBpE%acy%>E_K zWa#)>=v_pG`7w$$5uAf?H3RHw`r{g%I+);n!3Lh4(EdFPE~Vqz;MDty@7xDP-N3!b|g63;m86~G|=Hi*(=P- zsnYS;yRIt)!G8d9hT4RNP_CvT3CYKDgnV*DBX(S*-*DjAq!{4~8@&>G7`p!MgxT|g zD9W>iQvfkC0xkP3){gyINQ*sWvPixfQuOJ_4w(#Aq~t5ei3&~Fxdq9m6hvP>Z^vwt ztpZZY&C@^HWdbuYc>9Z#XBM5| z6G6Z({Nd2}yQjhn^&`3qw;%XU-RgUb`DpPluBrL@Tr-hF{&z&6sA0m%ldT3zLn7(u&qkVO;ma(>V>rzu_lQBMH2x# zP`=Q~$P_)#9nfdTcq zaA8g~d2dZ6-&Qv>09D#8CsPgBH_qu0@f^I{w5;vlEBrW-*j%sa?sgKcTG_J;mdxLx z*)o3nCAZ3rZW{dPK>|~e{8q3D9=w+lFxC);QQYO?%_-t=11`}7kVaB!%{gah8mDH@ zIefvc8=(+Kl=K?q%bo9_Sg=2d%4zO{_i)orc?RFDv*@>lwWPDA$zH-24-{T056p6E zloQB;5jY0q8mC}%3r}GU@QkrWWFpdSXJyW9hbT9`@d!n*0 zDfS2<79x-nj>~&YcTu8xZg3PjeaZ$e1<#n-dlwc`63d zmTJq;TMZCU?e-M)iO2foph;y4U-Q!pTd&{pH90H)jRlk5d!2-yB-2+%k5aFuO-G)m zh-VVvRZxWsr}0!N2U&Z=ZU62p$v#T``OhejSc*=4lhB3R3IIR$O4am_@Jqb~>(c<6 z7ARmo=;#aM@)@%9nwc6R#qp8Fsmp04ol>4gX+@!EO3?F8sfP@U;Z#&`Keblek_fn3 zOw789+c&Vk+sEaSVOAn!--2`wKz;%Ev--eq<7{iv!`dzZTx|jH)q8)x92c0SQcr{i zD0j%gRk5OJ9u%ccIlUO?!#6t^lcbdps1vSQ?Q^+HxV>a)ysMzeN_5rgZj_u0v+^zjiBG7`$pHvi8LnT+ z|7~eIpI}QY>J0h>&-Aek`U4-P=IKpZ2=T!2q%?&i=>n^C?|fK%99ZQm0FT4*2sk+{ z2+e@L2LKM&1gjCCv6EmYPO69>S+N=t%>oIIB{GxGVizyo7d^MnGPeuWv;V6OUD{9R zY8;j8Qv6C*NIs-^^YQ_Cljl+nwhGsvN%L6gcY~8YST3iEOF?L^Gk^r;nwA zNsZZ}zz7&>2uL5?O8#m@m81*UHF)XFy)sM81v_kVlR|SmUPiMlEiv7f15Z;W2gPe@ z^Y7;G}+fk#td#1Sx2wh+K5x()rfI~#juwMqBMFsnxei+f&T^q7Zuh{eB@KhtHb3LO{MjdtuJpp<&O16S#l^Sw zRntWfX~@???ifH=ROek%nul0(`^sQ8aVW=v6pNEfp}VMKs9-F)J`+W?%sR1TO_hc9 zlGR)dt-GyBCYr-{A8S4~X)92p`)$Fm5y>yk0LDY4&&ftn^Jogg_Y5 z9UesOiH-?TBh%0nu-cA3F-P^hjx~W z@+OWpTSAkFZbj{BNs-VsX3z4=msvPwh(#lwb0q9_v%~Edik9^6w>w*AJCkv*EDRy{ z!bl!*gKybKN+*Y%U%*bCwcPb{;Vm>|U})ceS0A;cpJ2k0*r`jaBt64i*jt1|(a2D( z+kMuZZ#zy;RwdW_AaAVQ3awskT+4PQ9usihH_5z(Z{5jj1b zt4l8ho*Za2pLT}CID+(oK~YK7bpFMM_r!#iv132PN1`SP0cU|R1ls=p2zp_;E|U*o z>{OLQsNWSwXX~XA`wmrqdX>q8Mem~p<4|8#a}J%$J;jG5GvI^s4>coSE0>Jtf`*>v za(~Zy+4m4A0Gch7j2l5jVUCHBj3Y@BKueMb+jELNER~uWh9yPX#$^Q-M|xF+ zgFCzxi)~E{kcB66Xl`-iJI2R9##Lu%8rs*pMZ_O}tg0U#X>9-G_*uI3If6GnnjD}0 zXWg%)gfBl!O(xI`Wx+Xa<7D2+FUM(u*Nk_ofTI?T-b*mYZjD$6f5s%_NPUGp3zo@* zhs&n&dKq*NsU^1|yYNlI6swlGzXQOR@q9DH%T8@t7Gt9tK)y(#NO9R?`x=h-79{QV9I8 zkN;mI@+Ia>aB8|2mf)EOX!-dueHR|S18kN)or2-z89?Hr0U*ZV@-ROj*J$c`+Hq65 zZyc;_oZ&RtG=|T%;=kQ9Njd0ncOWx6a_PPZeO$0C{P7h7esGIisbGZEJPEi((j-9* z#Ec|E{1ch5?}_Q&9FG9{s4VvQ-#E=vl6@)~fog6-wIg>xa`cPhH-3@JMV4R+Ntw=K z7%6t@CGMbd2t08qjZsI^;u~zRQSW&uu}#@alPOLLMt?5=@?E1YVe*=UyNQb4ai)O6oO|s4VF%8yF@; z{x{iB8hbQd@;9mhemr>il1{Wd{9FPwatUrgblBkEdX4`Kee|WyFjarj?e8>MpOISO zK6eIx;V}K|8iA6unah&TdT?Fm&Oqw5IGXYn`6?e4F$uSpMJW+N^N8n4BNyadX2a1o zh(p=JEK4VY5Dht4B9Z2A087+_5o9|y;?imfwo)@c&r4z{&ayIh2A({q9^ZE`#6%upc=^EV3$= zzjQD)nAxQ0Lk^@zz9Eoa>(gKLl5{S#c+1kR(t+Hr(>aORk_XT}bbvx6T!!|2=B8*Q zBS-M&L-c|pcg+P*>Y&X^s<0R zcyt_C4E{QU1)H=%>AgZA`Iiko8o&tAn_SuD=IlRjBVFtp0{K`wikoO zp9^YKt>@BkMi{ zr~(I|giQ;m+W2%U?GhI7_I!32qD?a{HiTx$IjPmWU48NCvG6aO(uALZTR;J9^2ghd zlmn;XZH+aZe=UuV{jxCp21dNo4TeS#(~KCu!1)`2wp7I>Y7`>%znZ}f1K2rq9J$Jb zvklJ(S*9lcfYZTAELQlp%}-#OEr~==&LsB%_G@PA;wUy;S`sJD*pHlLF8SpWK$epI zQy+X@HeLY-3f!OSCrdlXA*=Y%z;W>#k!ovG(S;A=l_wC)(C88YJYkq*PS|1|c1U7_ zXNH9I@AVWXz~hJsYMS5(#J$_HpQ3z<3@6g9vr}+Q^V-DGo&MloBblpH zJ`rjpw&G+$GLB}!zV^vD@i9#_*}Kg6dDQD)vPA;;DTVJ6@VvdR$ZyP(E-8bU$N$#c z-5m@eCvs@Sx3s!HfBVc2ex&6dbojQ#A@u}pe;fuTvT&b<$rdUtV4MzK_FD4tTw#`LG*E7?5ZVTV7XxnG%WKaR@Y~ zX~)*qrplY|AIxB0A1kK6Snq2$el_`CzWTrscN;Fnv(hs9#_Rf%I!ah#L(K%MlBu}W z6z+3JF;lipLBeEEF*@7QAYavN)!+nNjlMc;c>g1t0vAZG;Uy|^!B#Er!&iMY+=}qp zmH&PI=K5CJ0#DXjk*z@~1Wl3?E3-W+je;JW-%|+t`f2iN`=*t&)q{Lw(5v%yV`hid zqm%UwxUZMYUi!Xof1qP6%lff2R&~YNy7{a3!t@h)OFrlQUbW!IKP`K=!}+$TXltjH zvO^Gs;HA&QJ)EL96O94NFCV?Hl!Y@`qsa$8x6Bx9GAQnf64sG@QP7q*qAv0tG7`}; z7g_@XCa$O0`%dApf%XIguAK%i{ch>`?*6E5YTo0gH{rC3vxly2Y^3#F*lvh?Yv%?b z0YE^AovNLeBF+JeZ;s}PE;HtM;vkE3u9cD^KuAE_8#Jk&A8^830$&uZenj8fa*B@L z|Dbj7f<;KPJ5}_g#n~)TB}uZC)n>Ia1F9kcPz9?SNL3r zr{~LDFVLzgPS~0QYTowJ$_?8~D!1X+|2PB|$3+E)F_+mRwzK@@FYyIX7lHzi5J*sP zROQ)gnMdNtIf`OZIIV68=P;HcBob_Y(^5sXW@W+);d%~v06(jO^9~&zF$$( zkdn3($wovywoJ{O=_h1ro3#oLH<;~CO*cYRhPzQ2s@wq_0&|(#12#P6A~v+Q*g*A} zY9Y7dU2})wk=eZ@SevY`tkH`%1z%qaMB#q?o8gLrV2=1p8cyJS{a38M^V)KDuvk-@u~OT%SaIiPhLJ=(%#ECxGZ@ zPnU9D;Ej|kw{D8r*8lyF{4^&?ke==IF#HajD7^Xo#UI=A#1CBQ6ZQWRE7+&C#O$mt zTpuO4g(%I5iKpCXV?)CM?>D1~^$w609d;=c}wR5Vfe(+De5x~6Q3&{MJW{U*k?Vh>bPHl-KX=;P)vrsOUL)M<`1 zgIBxxOan-EAPit=%pLIIs`_UGTITs{YL48=9Ea$BbU!aZ{Ew5~b0t(L+-8Ad>h*Xf*xf&E^m~w7i zZ7S!sDM_}g+<41k9Z004HIn;B`ckCHjJ%Zw~kMfGx+ih5@i#CLDOMY@`N zq_&RBHUfrJo$94z9VNv5*(`^@G*HhQ7ZEfd?P7{#$+$KY4j|e9A~AWZVSC)vTSpyL zb#u}@l>zk{?hjD4bi?q#6U{lY+EN?LY}b&O_VrF4bne=O)!0v14{Ih>MU=L&f@7rN zBurIqf!llpvchJJSEvR;0D>a)1JixOlzYF_0Vip8mnNi9>#M9szduo(cdP{%xof?@ z2hlO=xpj>3#xqRgx^}B0+Ozs<1&%PRb!TU)tj1k$-!ThHS|fih_r7)b8;qs_W$ua3 zVQYDKMNnUWP*h>8S`}W)mLTSrIizKm^~f%Z@c`j1HX(WTAt(`_?91Z=7L+j_pw{0zP`C*`YaP2JE=Wz{n*qW z0Y~vp_VRP+{BuFji>3H`VPRmIzNUfO6(?Uf4VCi(sFbZJ)kTCke$`b9exL;w3fet4 z`&dR??iU9tYsRYx+IOBGxUwKCF*$5_FJ8d~Bi0!F z{z`KFHAcH?ibu)5*G$$`C>kjo@bJp_!Y`*Z(PDM?Nz{Ftn*0wM3uReC%cDR_RG{?_ zmq!7HFg3Knte(hpa>^n?pD+dt?wq&%mZ;@={DzqK#a#8RXC~>L83!GKYaxxjd*Q72 zD}wu|BgDfU-8mFIP!LJND>5NIXD(B~SYX2AuB^e^fHu)z@_x@3=~@JPO1PA{S=54G zo0e1S*?yVEM(bJWb22a)YqxYMqUwLg8u-^gkR-T`D~WQ~p~tUePDu!JBmeBKv7)bL zb~c(Xtc{4fq+L+xcXAh_e+FGHycG%LRR^F99w10Yexq@V0bzV<}8zX*v zrP}JJ^Lx5x*vBzt{WA@oU$2LcRtz3q%e~s*x^T0NYy&U&)bJ!wNfQX3Y}4J0$`O?8 z109<(Jg-#r3^kf(_n~7O_fcn`cnbY}W61|c7Xz+w*45jE4?C&aP1gVp8;T%IhoVPV4)D-p~reBr!cYkANAy!|!3X1$ow{S;7aAfiK1x`9-m_ z_D0drh5yd1zbEGJoH?B0>&@&ok-fKPt<1;79-;|5JL?py<;H(~`*2=B4hrsBC^1~!MZxfPIST7oQAKQ|m!u`;-9I*O~V$A13-(VC2??3x2VCJ(yqS{X8 zjvuj$`|RlRBK(>Cma6If0nG0ERh;|zoL>FfOkEtqW72Q8rK_z{!z@F%72g)AI^)=+%d9MQ0l+-;l zQam&IG~RrIvM6{Lbpv4s4kEnrZ@@I(;0S;_IFoxJ_lF}q{Zmo5!1wY^lU zcvFJ~2RFMJLVC-TND^-2O8KgLbXF!|jUYGQXs49K3J&?$Daq{b1 zCKdy_Q7^TusS44bG#woRFAQs)qn=oiS5CQm&hyKmV~a$;2VP_B*x0HQm^&w=(^XIq z2~_&3_1(v6V?0?DIj1PaMXK4r=VNBDD+;Z;G~R0W5-9!RWll)0y643wCC$f<`})r0 zbp~5?c3+82mF8+JB74mqR}Aq$^q*D9_i|$FM>Rs`bEO1J{+N(hX%+Yhxp{Hn6eG7h zEpgm&zZ^9`ixSE1;;Iu_Uzi3We^LXQq;eliNt_4b_Qpw%t9h2)zGbb#&extvW>;rg zR*Hqpi$EOAuBi;p+GANgZu;p~mU-EKmmC4rSCGpj`DHRpx=$)s#H9Nn;EU{O@0V?X z`JPAiN_iHpWkqX^RqEdu)18nr(x#|}oV*@-4oj26)!yY_}u%b(B-N- zJ57>EAYE}@O*~YlqSqvIk-lng7VQui zeF(`9c?i77I+#-Cez<8bTjbw!xN9%I-I2AhS6!1iQc!cR``DVr9k-ae+7@M%JxA`U z+TXoY4Ha^>jamLuU1ObEH*`n)e)Do|?ZvQSieZX_Iib5_qV5pi&ZfD@6jRsyA@$`Q z2ZM^tvzI87LaXdOx-p9N5Q3fgmhO?xag3qcj-l`T&pXuD<2F%fn1D`u>C4pX#sxy`TyMWdWLhGni_9}!pdz<_>u5mFqm!s#`YeTZPkL?%DFFu2B z^jeulSJ)ZsIAAp+j8}W~>3%xAZ^qUU78_Ju67Zq?x1ULOK1paV#HRnT4C?vdfHiTz z-u!lUwa2uRY8u@=dKw_h`AX#UsvucS1K(624h9>&jvTPiCp&pAAZJWl&0r0+m!GX+ zkRSQ*m;6^1jsw=Zx4|XS71?Vt>tGNq_?JrxyX%Ly#DSzA^Z%GNNtzo9M|W%BH0*|0 z$z!bi{2oz~n)|$+^%$XG9mWW%no`BE@Z^s<{AJCQz4P z=y}pGCNSy&AFQScl%csOM)z8}QVlowTWcWGu-=0#isZ{`Qgrv#bd)|Dq!HY_SD>l< z=z%hISi_O5b_*a)vbXH)H8G*e-d)hbMqqaw4Enm!NF!mUox<4zuJe~^A>UAi_VVUY zaBR0qG}!iBuQBf{yrsv$uU9bCBWx9goCLzZHk!)`Bdml$(UBRZS z_K@*uJ=xxWo>+0fI?)24WT}hPB**k>rRl3jj@OJ9cod}_lDvYBbf2982W*?tYdZVw z)%jr^Y=qhEURxiqW<@vpWmGi*sD^lG^NO(lsK&uRM~xKirKG<7aRH#ByAi*7tx|rN z>VDJLH2S>;vaI@{Q$;n_>9+c#BkTJ8(2ro7FB`UD8^}tk78B?;9tG!;BrC`}u-@;f zV3(>51KxpS-zfXnB948EFs?9hec0=u=3roL;z(tAnE_CQZUr_7`D4Q_$mI04iP0QL zE##4-l_5&j)Uyhx!!S4v@6|g35&mK-q-^j14S*tD?R?_pC{Y z*)7U4Q1WgGIwRPWJj3?850uaEIjz&OZfNFdxw)VO)`dJFyfQ`Mjm}#&oquI2%_J)k z*L|t6>KQGrxh?yHFKc)=hkrG?6j5dzKQs(L9kMmKzXD=TxkEU(9f7!Tl z_-PD$HTq0+%o+2m3X!ohKVq*wjhp#=_0^TQZ1aS7f$?X4#8*8{EcLtk^jG4ms~i(^ zvv~@>t|jT4dGfEP$pUi{yp<%1CCjvum9dolt&{^;s(CBb7MlWZg>1!MJ!2Gc2AdY# znihejU2UZ$W9hV3dNwxwZfkleHlwOF<01A26`MM4o;lc>`3jr$t~Ki;_U4z?o8Pe6 zzgn{eSO#3s#t^m0k!j0Ow#ePzmV3bBmiceJX^IiH?e_hvKq*}QBnaTjz8zt4)!X9G z z`Mf9mHIMm2%!9J~IRFIunsdZAgt@|Bygl23p)We3W4y;-_cyS)#eY1>m%PcJJj$m$ zkehakx4g^0Jj}0nZL55A8(M_lJkIC5&ObN__$tlEH!m-_NB_Kd%Qt8bJ<)Tw(JMC6 zC%ttqJz6)t(?hpoAW#czb1&mZtsneE2j2a;#6grgXp(sR=CRMtWX;Y_9p+=QD zmH%p0t5>mRO$v*KQgwm^>H4<{?6QAg1&PCl_Mf;~wahN7HE2y;yK)AJBZ`lOKoBen zCbb2iM2P|<|1Iok@Y})?77s3*0eQl_lFH1?FvwD9&<_ov#8D0}y@rBL zI_aoG%DVdKs{=9m3Q*=dGdyZcsEIa1kGqmg`-j8ym^#VTA)zW`Zm(Zv^GKunTo zkSJu5NS0dIp#4_dai_JG+;a~K7u|K)t+lIm;Z+yjdFgG@+feH86&T@#86N83hDTKx;)x4>nBp}hzF1>?E#COdj6Du{-Hu0{C&Yi|0WIa# zJe10l@IIPpQrAEh*=BJ`7S%9MAY4qVpgMG_fJAI*$QIFN&hMz3ndbQ2VH+DW%&Da` z1HVaUp41bo4^pOz2M^N77RxLgTbZpx1ZixsFY0>AGM8>z?sjvw4V4YN0OqO8G@N>| zc`~BNLWl|gtq#ospMYnOL;`xA!m98@p*^w73Ce#qiX3vlO&h5SEUl_}?$KwhyEaq= zNF8szmzuyr)fQW9yO>>4<~@gI*xJ)XvcnH(5>YF_GK6lTTD{VmJpX9;szfKw!q!djVEQs!5g#^V=cCAvD4aBO3bV{Fe%w0qoz^^EthjW>Cx_ z;9ass>a3dgJOQrhUXu9U0TGx$1ul?*-qXT8hGK+?uta}T8x4eB<`6SbL`05aOi<{D z9-lR4copPdX(XhgxDAkn!1|XgP!U5J&X9&RwBZeDNCyPUfDZ9M$^`He5i`WjA&IDr zh|mKbO5x-mH?hz+Qcu;A0}l} z2T6paG}A^5G0`Bot0T|;!MnqNrYAU=&_N1ghBjugA|#QcqmU$Z5tx(!kIWMz86hbu zGtLGTYHV5nBbiBJJx!DR!DJ^v37biVGAf@Wnz*l&f@QwK(}onmtmMwRDXt zZ8?-y=8~5OfdvX+5lmqYlbFRc<}s0(Ol2;Unay)r?9yc0dDdZj+nc f^yW9g8BTGIlbq!==Q+`tPIW@Un(d@YKmY(c8z#BD literal 0 HcmV?d00001 diff --git a/windows/keep-secure/images/wfas-domainisoencrypt.gif b/windows/keep-secure/images/wfas-domainisoencrypt.gif new file mode 100644 index 0000000000000000000000000000000000000000..3ba2beae45a8951d68f399dcfd95826d6318a904 GIT binary patch literal 21039 zcmWhzc{J4D8~)4;GlQ{jV;}n(V+$pXCHpcYk)`JmVB&29alGOaZzxO=nx$nLAy!ZX%o_p>+&wH(GEDeo(*FgrLZ~)K%{U2Qi*hsu%V$w8WI;n( z&?K$%HLM8;Y@?)oxukuSp}jB4z8rZ#g2A-S9FVnC=@rI#Y=Yle< zLt9X{SeWPm`{>$p5w+Nec8};B--vudPy{x*{akdr^{rtbhZP+i4dk=D@6qfDW8U|= zyzlkE3t8CsG2 zVX?fuqcest=g&ptcNx~Q?&S>U9LR}YOSQgLwM3)QQp=}q)ow23coS;pyxUo+RWtV*Svj>cE#x2k2hyk#b}YkRXiy1Zqn zrKP>GWgw$xzr1T^t}&yqXS1qnrM7F1FviLlVCDC)YP(j-d)B(Tx(Wwa8B?tMF;>gK zO5qr*Yhb2onAJYKMw?=F4X>5|$75@?|L4t~v9+oh)?rV^*w|S49E;W7UOU6u9VqOX z+H9FQtXg6<&aoPoSi>`$V>2tmGuvHrtg)Hx_9a%&9BW{1e|T=YYl+pq!kU|#JDmD2 zKdWbjHMO)owX{31!kSsy99}sbTREIsIhgb&8+PXZ?dM=STk#f zW1IgmYi{juX>E6DZGUF-aBXdkwKBZ4dAPL6TG`xR`EO)%cWrZ@^So^#G&F>$w z4*vt|{|09Pw_YNx>#5ywa6vV%p?X?xBA>i%fptSk{{y7%)fB_^;=y#3d9tKUW7+F0 zm9te|uQSW?6e|6O3v8O6j6OEJzPa$asbahs6UQlK+gv$WYJF$y)@0+;=?ZMAExW4a z$lGf7rmKs?&#T|p;fhQA#9L}U)Snx#@_y6uZ2m>KRa&aui|xVY8$UJ|-@N!f(-sT4 z)34rIzuZfn2Rn|mDlQLD1@!*uS=sHFTQ_l(?`@)DJvPz4yk83EFI`yuRFr>3;ZyHFc$?8yU5;` ze~{h`save|w0>&x*A5#d-z6K5l`t2{R!XlhDb82zb6e*6q{+V=6rLgwJTA88MQ}M& z0Tb1-2MWTq!mZ#je~&JW8zB7xM|CA{9HbmWK|lE>iUn*;9&fMdkrIG-zcAzT!>{;U zj6?u<$np0293dCx!%QK-dYM1n7V6V)jU&fB*Hl{+evB9#&B`kmzI34X zN>;v9988q~eW9O*WOL!wX*|FNz-leoZr=i9Yg5fu4$_5w4F5^LX9zV)N!{eRq}66H z^=G^t`1AW>TP+V`_*n<%li)s9pt-f6)Sk$4eZTaZA%P7Qr#6=# zu#H~ncgA?hULlUDOrd#w?JOpr09#JGKHXemQ0Nchm`r-euf>=wk4T-#W)>t}>D7J< zSY$Eb=T@uvTuRI+`I5JF+h5LO3ZGo=mqpz-0H4r&EB)b((Rhx`T}^A$EL^ki@{j1_ z*XK0)A45&~8o5u;Xb9RZwXPT4QI$)c9#=!`9yb-p?K=`Kwt?Adu2}I*IQ%F%-5EWa zC9|kYZEtZZbAM-CQk!l#>h&%15d?_V-0TnbDuUoU!=Of^e?NI{MxHqk zacsHQ z&2m0l6V&vKK8D!d%ooC-5^Z09axTEWt+0(&wf{*LM4^c4(9irvd{14oGo6av&ODVS z_@CvW^l*B#N{T)jRbvOA;R`R75NP(5SdSUlinSgxTY4rmP;Yr!k3c%{)0r2h$Mq_* zIbUS1;TSq3#b~C!ae;~FWAY8^Fs}@`JQDDy!7cR;8j_WwbU-#LlI{xnrpi78nGe0} zl=w>r7Z)&sf9o%*I@*l*C8UVlyKX5c>Cvm7C;#wRx1!!?qg{7MW0oL;Xw=A`f)@Mn znBniHQ3B$%LZA&yfqp%h>tM8>K>EWk6e-4f`gIue3##>)X)*Efp~a;PvCDE zJ_Q?v^hQNjX1{)>^>pFIr)xeMpqd5$>yNu9Dl82yD7jhmN1O#G~djGwv!!F7=iTS=bt5GU-8z;dVvm=6P zqk6H#Mfm~XjAZnsW(Zzr#*o(S`*wtVG>bSLMM6un3WJ+rQl9qf7joNM;$^OHCN6ZideRP=A9c%U!W(aVSlZmgUs83@tgs7)q;}IAD{2=t3 zZ+|x7XRI8j(;33`)24CKbc4!Y=fa|7@ox*0pLYF9RckWyMcgqg$$A{h^%n2i9+C6F ziY6ewVmYrT`TVDg`6X0G_^LcA)eVFGe9ZH1wFsjzv~{v|-7-U6X%DOqeB`F%{?566 zed1dWJNT*`X*?@E>szlk)F2vr*Zq~!dHaMjA<-ZTw4cXq&@Ol9(qHkn71H#flRWr5 ze~r&{+vifSB4ssy5rxSQ8qf2l#=l&(B)xUqW%*o&N=-GZX*JxlsFfSwOd4&3swo0o zOlxhc!M>GEC>0jes(Cw==>xFMw7+*S=RJCqpwJ`=SW@=<=D$vx$$xlxGN3V~aNfIk zF6O0kc%9U6$CCQB{Q4A1!y<8#$Hnz6pfz#U-EeTORP}pYExYLb5q(4zZO;=NDGI#< zT{mMK@4IF4rl^~k{Oj*;$r0olm7{RUiAt}#|I;i@Ff{0^rRl)=fW~t3!o_dmIj{G& z_A7F}y_X3#T1q*k?|UqD>08U;5+(QN;%!+T&#%yl%fAcQ=Gp71{2I?$F^rm!vMN|E zSIx+cryDbs^MQ5}MR&EW_^+R34+)<4$YbH+1kE@mB z2VX2tKdS%46J5Ue=8N_R-^l|vEx&oYS?4}q4x3fZm>^j=p$-;(9aL42v2Mn+8 zq*F$urLHPIHQ>+Ahx_5sOy9hF@wHMi@7qmpoVZ=^2sO@ix{q!pY$!iJR?^Gw!Ux(r zfI?Km&15WR-oN^1yy#s2D+hwT)T481(0(7{AB0)`)?@fiH}{var26L}@#Q+>*q<8} zvF@Xv4n9^HG;iOINHbzaus1FU7k%f+2@38P@Oj^7kW#I2VwK9Y3^BV&FXeKHQii{n z;fChcACzdmtFYwL;;fYL*|L1z#frzX_;1*HXrX@!#=2{=J^His(`vcH-(}O~srr*$ zX*@K$yv`}7{XX*!2&^*UZ}R!#;jfEU2`6a`u5~`P_6)XhA?=RAJC4hD&eITbmjMnG zbc^ErCKEpRQ2G*;qi>gcazYm6$MteTb_T@*Sis#UY@j%hBc5a4E$)dc=M0rg_#F@o z5IPhI9;O7BZuTESJZ~5dfm1MjJkY)aj=}M)FcIAt+fhHR0VZOLf!HpU;0$NWz{TOL zty@q$i41Egx`&eh0W&0Eb|5rY4{nqt`rEJ6-r}Rd!cxm>oqb^Y`|yu77n5O;&cuDzes3W z8DK{t*W{g~(Gi37ItEPqxNK4uSs(|lXoGXE4kx{tVn^^LKB^~JTU(b?5Svt3nm;IH zB6%#vprM|-BM{)GIzB&$dw~>g%M<8ini$k`Kd#ichXtn@!q(}8J`3C?mc2a#eDNTK zxuHRuKs?NoaK{-B`9ApIE-)V>(2_{FPT?*MRPv?*Z4r=l2G_w}@*vh35q^CKnej#d zF@(lQQG=^!>3<9b{#pw#!wFIVg0oGd$U619A%!8twZcq?GuQ-vXI|;yoJK)E=cUiK zW;n1WGvvCt)U(*8F?Rzp;nEZdH9nr@A?Gdtp`HcSgJ(JZ=AhLhsxgW-`1G8pEW_6c zx2!^=Gl8@TM1P=C6kiGy$3BhE6cgFfcz)Rrthf-suDI^h9ESAJl#p=w#&kT60x!T<3fG zNFeA@>m+aq`nci4om=_BGWik?Xzm0LrS>2|eB$wrHCGc}f)icPmtWX4k(0)v7Q8Vc zjNTHS!#ew6^G3{I_LZPQ)r=M@XDdG_@t}}Dh|4%%f}$dJBPoBrlA9+J$YFAgPQl_~ z#jU?nek4gqPh=l(q&J|sH;u$tw;r}ta?eZxRhUPC0vt#@VdqQsD-1_l2AE$wqa4jG z8dDS>LG$oPVgec*Xs*{&8moc8@y)zfm@FuYO;tRdhDV56!!tmoh944+fW#BGOGh#x zZ8Vttm%JH(t!t=t$EcCrC z%}IIWaltx+8hI>H8i|G2(V^dwPsFl-nLK1bd%Brns>`NE5{oZI4OMt>i*p{U%zL{c zp2XpePkfajrPn8+8qS^(&N+mW;$S{XjHvuzO~?!aLUGhFVj>5c+qLphGnJz)f-QH` zJPHeeejvG{Wo05{_nG|d3}R%Pgz5w=%Qp4NVaY>}BF*KJkUR-DIs$c_{nFvXgAa)5 z*_5`blQ*p~rhxrNCgNg=hMVEB2hCRP+TiP0WpS)a0-@@KVJHbGoEfgPhqKL4Pg9t6 z85j;0Cr2@=o`U+1Iauu+#Z)-UmLmgQ5BgJ=OfjILc*J@EzQboX%wgt6`Hv{PGZPN- zS++A2-n8&wBnG7KpF=RM%WAzcjF&LLBc@rmlwu4)^Z4AG*P$jI927>=6(&alqbZun zagEW0XL4L+G$qt?m~l0mR6~maxaA*?Xlk?l*Cq<^{IqBD6$X?81u^*pb+3MIHvinr zuKE1q<}0`sk2}x=CWo^`vx(>P(CX(7>MwlmKwa)YU4x%r32%<*Xueb3a+9lt;MsCT z{YBK*CKD{kteUHl^5R;@^EA&F!RoDXD4tYClMW8JV~5y5HSaLEO};`|6PzaVa26VF zGSA6kKux}Kmw##5`D!Ql6&}Uqjs@v3q3PjtJf?oH zgTD8;9$N4UkL^wXUctHOKe%48Ep)?2Uj4J{0pIPxqhHA0?dCwd5)bL&F{ZO0b&DAH zTw_AmvB0$ncq)#IC*>8>vs=yU`Hp9g-Q(Wt5^%F`5NJ492L(x|@;;;VAM){f7^Im?3ijh^|{od3+^m zOzy){Xn;fl4adVnERp=GkwJaRO@;Mdv2I{;59dh;;WO@nnu0exbNR~8&S^MOB*yrL zZ^R8JZEz)0B$f_`R{}vrLOcT)`vE>4QTHn1@*5Y^p#qI(N;K~1NXQ31og^H^ol^I^ z6b^q(UI8?a!050G#rZ0?ad659Dy%((L+ejX*mB1z*O)>>8I;=eD?|x<0<=c$G8N|< z3@_geQJS?)ZAXs`ta7z8tS#q67bJy&zoSl*WGI!(aZV$HPP&a9{Zl$p6Uco=Xq^9) zQhx}bz^dm~Vu z`o_i&#-NO0$*)CvgE>=`$~Lu7O%uSyq96KhL=!1r4us*`KvZ>KblON_-`Yt zKeA3_-%1^k6y_SjOGq&qyYJ22pdr%m?DkhCt`~uT^DgzU8*>oQ{nsWq{R{e^;Rh_b z20}FkNHwdG_N#=D!D}_E2@9O53`h`SDEeE!v&q2ay94KId2iNywkzs)h#gSanMTp9 zM#?0(@a$n-&}zPQDq}6I3wY^kK6+@DG0N3O;|Lknn4JTdl#gwjZ^yiBZCJsrUh^;R zceFnAY)!udC7*0ge$ae*9u}s~mGQ4Gn5)I=YfExb+v(sJX^yS8J2sp>zYyo)=NK)G zcAYQoK-)SxUVeSq&DC`!yxr{N*SGT>@4q&k=KI<%-BSIvX_%|?Rng0yw9ctFo%BDQ z&+P<&QQq53lePwMFrMotgMWKs>)V9v`-!c^f4qOGJkzaZ0F3etD_^4uf6N?r*=lBU~LhImDH0>i^&7wb@2Lz1Ea}m=6Vv#eI5$j2=`^m zYs29(0(Y>Wwg%trxT8KXk-Z9kFOxvV z@4|p7zg4=qxV}p`VAjLJASUAyT#Sz9;*$*k&ryAq6y;7mt5_h?=KGCHvrX5mlVs8p z!hjo9r`7*CWbmb|e#;H?o~XMhVttjTv`#`D4V(MNzlYjhto;E@@-C^NMZ=gUf2>WL zC2&ibkdQmF>bE;ZkZAhnkCtgtr()T}c8ihPaz<*s8ydM5N%{z8{eX*-oec%m7UZ8b zWnXmao>@pmH$JQQOsaIKN*{(8UO_R5KM`?(n4oe{ODNlvO$vPj(QrInH;XYZN%EpzdQ68Et$ z`3?K2lYiR3U#u2HY-k5$^H^SYv^pF4=>Q?QQW_VeL&YCF)?Jjj;c?sX#jX8f$Nb(6 z>)%KBYu8I7!x&(#*!S+LCYJYC7Sudj3E0Z<7#UbjS4S+#a5%iBBvgv9*`etgHkUsX z<+bON*SIS5rJF*;P4<^~naMrcM&9{0R7uofaE{2mc06f4`*;k0$!#jL*~hw@EUNUU zJ>vOvz-pp|O!|t0HP5t#i>XFmIGgb0rG+6I3M)Xq-?|iy26!jQkS6Wz0}C}v$W=y) z@!$fP^iq;dK4ogMHH3(*U0F>o?nKc2idjX&XI=BnXfWG)`UTSzkE?ob<+Bl$V=DIO z6Vt}riP`TeFVCR?$QWwUQT7Mgln$7c*ts?ON7~aR&(@gEd<)=2;<8 zFt#fDdgY@}p4C0i)yyCm(7NC21S_2^!S zVI?hD!w0T@D_+E)UzJ_XzNQ1Fk&G%v5TaD~pIU|RiG_#t9GXo;^3;^cG$9rZ{3#v+r-$T66 zfW+YRD14F;!))nC+)U-~-PWUgt^DjaEF_T5i6tYS^eZNN2*yV7CtGB}DK(gjvIL1$ zubbHx*ufKd9|lESTG{VS^u%8(OXOW&heOa*O&WZFBu9fM?5&*3`{GggHYU4E40G4K z#_65oV97myHE$l@lIgea1uron{K!c<^=Nl6-SCQVGau6OpXnp_1M?I~)TO@zt?63g z<09>WNY@_dgP4sp*$OI51Gj@1t08kWFMM(?iVznE=}^2fCe^}K#opvE!y|C#H9Z74 z!}C7Lar60EF)VvZsVo?-@5`$43#!BY?5P-x9!7?`ix3*X<<=oeIqQ_gu8LtqbzGI4 z9FzEC4jRdl1W6+i4&mcvD6nEooVdsoI~QIN>`1w2EGv+5!waWMJs28gKs2uHll-&} zEN?dE_h=_OsES!oVXdq(t&;ym0VOkgw$j2ZgSQGJMESJ5VQ(EtP z=0yocH1>8ia}`ry;>#wF%yc#RiFq1b1``&7T*Rwcd^R)mzg{gwCM)YvLFRlC z833xhfu(DN5tkHraHl>L%up9nJW1qqkh@%cY^qY(h|@NGZAyAY-?v-mDS4mReJ6vR(auCqS&;O%z{C`E4Y&S@Lw7Io9h_Sx0xM`qW1j_a@sql#;>#GXcFv6%XaFo%-Vqd;(|-&T?x z+RrQ8@Uzec1}Z=yq@7IYLH^3?zt-&s>a}F+D0cq_;-L@_dMz-}kTx3+K+u!K$)5Sg zV&l}o#3{038Y~TgELrLjKn2)W;>p@AgpAWmBNt6dCGbY77qFX<8c)<`Y5tnLcahEA zrAZdHF;}UY=&Q$bjntIWO`STD`y|cU@J8QO)5pa6(WXOINm70fVp}0a#S=b;YH|GR z3VX5!V-Z3kksk+RSAbK7jTzm+tB}A)vV|t}v%EMM9O*lq84ov<4gw5PEt(|xA?J0) z1LiW7%Kh~|<)7c|H4*rnx~=k*^Nr!7+8cTepgYhMwM^ss`LFGIEcJ!#*&usfeYPz z=RR=L!mOKDZ5P!f%P}(6V+@64inXl$2!w*Gl$wSwF7u3G*77`@pGf zLI!0X$&N53y!0InN?3UO@d$bi`sB#{bkqfgXQIAEX2W{ehZ71$O%g6%W;>JhAbN+_zb~6 zNzy4&GkmS>ueRuyw&fPCBd+Ako9+rHNnG9*K5zdm;1^~7b69#T%-F^9pV{?BbD8-2 z%?r^=iYp3cea7&_5?M2@+m$^u!*osq|K>7T;>fjNTw)?T-so}Cr25OLlP{xAvWGDf z?+nF>pg|u>PbHCw5Ww*48~old=DtLu(=0u{wbAJfUZIJu`UxY5=#o0C28RREc6DU; zlMqAdUoKEMuf$KRotO?sM5oy4%&x8J*ciWP!^2!@+;9Cb)}k?XtR zp{@Cn&IIo!6YVVXeRtgsKKbi%J@M!sjHE%Odqx|fNgfMyGuW*zCAm~WZw^89DoKq! z2yr>k=sdX~2=y9`L1KabbT5cK{rw%fBMM@WLjUlf*W@Vi0TBP#SDvMl?DVut?{!nW zHJfrJNI4vN^S5~!IX;F`Zt4%0&n`DRi|B1t2ne>|MzP;EY$F@S+uX$nqT=j2&HCX9 z7gqc3^CgE`8de_r_WMJYg4i=|q+VvzvwQeVqgJsoTj0u{Iaoe48pDdRB}tVwGEJ3ao6%3!=Z#+HOJSg^FuPWg`E zc3g#}FcMEzJ-}w;@8c7rysV}#!Q4oL=kA)HFB@zHCvFE3A1}v`9oE&}=Ev9MdUoT- zDW;!$$l{gSCbHFGuJS3B)?;M6_$=)0V|Z9N>~Yy^3Te19PZ`4KD;BaF!P%t6*hFXB zJW3gST!2YJgQX$*Q!(8YxJ3QDW7WGQ)VJpQbP_(h+XxOTAA!eU67L{2QYtlVZ`n?5 z5ETQ5hv?)`?CW-FoCO&#N=;z9YcRHK`{=D@SYJy0s>SgOpdX-q9Stxt&?cx6|J=X7 zC8Ylai7fSlsK@nhmQmLl{ZyqH3(kh2q!M$|&sD*jd*;C;Y;0ZQ|y1o?mSzSnY z{%2F+`$q64SBIIJs`q8Y{1k^;k~uGS$WFIA9;;@FAvk%$wKg>2WH2;m!U;!`MuXu< z6ZkzW{F#n8wra(k@Vy;-nhN@z2|owoZp}}9s=;~Ooio-y-GrRJswe8nfW;zDh{kD) zJ$@ldb4sDVDl&8`*~Qa{k|{X6B66yPI=M^Yv=1ka2jYz={6F>j{TYeBNaF`W4zGa< z^&Y3C-G?>HPNklsteHN2Kp1O~?O><}unpNbnNKDh=q+@f5QpQX$zZ%L@xHDWfB`K? zntn6W`0tL8r)VhJK~x}hz{JFfcz7&M!VE9*Dk8fy#zp!nFH+d->i_&{OMjM?Y5mq@+Zb zWSstvc-;{AWWJobEBPZ(M)Dz5qL(gqLqaL+XK2 zOy_4#7%OT*+9eOqlgED3og>E1{tel_ctcJle%4ZG<_>Z;o>~)(al3rkO-uOo5H9{0 zL_~8Bep~=_-|*~|1emLma6y9O_~kd_dLX611czCmwBf8xf5WQ!`5TMP%US0m_21uk z*KT#D#=P)7d4oOLJ$V)wOJ$0BYH;>iXFI+tn>q`2;+uWod!pj2wGRAs{Jjis9lQWv z?Ntt9lGI}yBQciAo=6_sc%;cz>8PVoAgYh&n_!FmPaLmj&pBnD8|vW}hq;$6GE)@p8>!sKl2gzP|%{}_?dFz|ceMz>j-+ILbV-kNIdpY@x zfHL$BEw?#_OK`@-T?||d9|hoN2&x^^h@rEU&lj0G;6Gq}l^@_!4jR&S5KgH&M5}i` zb}|$H_&z3^#-;5xX*%M*^iHE+E^z62H1D&KIB)8LUG_ZBmu{oW9QXec{qho}xD&n~ zll{nm&FBMVl_H{llb&5jJc)rZy_dOFs=_B;^?I#S24*>J zT%3H4cR@^0*=@p+?2^a}?Ejn-$!`#OcF<_-w%O$21$c#;jyMK%R^9|&sU>vE^?nxa zdQ}SFKW6D2iD|N&9V= z!d!lG-yUK+M*Z|7qGB(LL*)t4zc4X4k1}}drB)@o)9gy_)=K-qzMjSE63psd@16Gvba=N}?b~CtFhqIu5Dt*S^ra?^uj)g z96-YPHZ((nu1Qnfsj$R$kk_BNR0gan+^-m4pPG_l?>2oOn*f7v(w5drG%ptiP8CrR z|C~4PtDLG$Tc(Qmg;73>&_Pd^0;-mJed5R#Sb`cE?tL5xwI;G^bA6p=VMFo6(+7~I zZI>$!U!MmAw>-h?;I`LpY_A7|S>Qn6Jdkt!_Sb>!Z!_ClYuoy8!dB5Xs-A5_>HBW% zc829lpk<;l)#3)7lrHow%uUJN?=c(mgWx|{%QATU2gk!9)1rVY#Y^x|dI(KvQ!;JZ zHI4kq4OF?&t%yz*9ot$o**eKcOb^+5s=2{hAxMzOCb+NQ%Fsmm7N~;hAMcg)WFt8i zyz00unz(~}xFc4vBmQDXVsJ-N6xiblP(=4%I7qx1@}YZ7u{YpxM#hu=C3t56@Iafh zwP&@cHUvEW4Fa<{2Rsl!PJMFRhFWo!a6E;tUm1B9%32EhWDvDwBr+Ah5vPMA8OxZP#osA$;^8~1wSW|L z&-TThUB#ZN3a~jwbo{mF1pA2<{ptLRz={0npoLeZ@1466ZFfG?4^Pw`fkYiZWX9bB zLJ7v!iE8j4dfMpx_JrXcxLKu|A}g`|IKJ^%axO8EQv1L@02nEWgnay#B^@6`(MG@r zoEVYF3cPJP$&ea#UL9ilVoRACWgv6Y4h4WKK`%sZru-wRp?^7HZc34_OHs~EX@W-< z$sY7?y6JSiYeA>qgFrYkrwWk32WY`|SjyJx&-bqjV-Dgg@nWJoPLo&f%P?WqdpVb* zH2+P-$3%(V{924se`JXoT-JbK*aGe*7q1YbQC}e;J{Qh|35nxgPKn1`b)mESqBhVg zxfS=&?DeR9zgL`M{Ip^^$3Q(O_R8l!gm3S6GN1FpoY9lWbq+6+`=reE9>J{^#mxR>=kDX$-HbKzE-X7=l- z>QZ!Ei9J5Q?)Oyi(#eV6Sz{#Db>^+Oxp({ShOy7&Z&oIr%Lg92+^#+_gD~EfP@dh5 z_I0TGElWLA0}j;c_Or$y;jJ)QeWwKm+;}Be>vXd8_R}t{y;l#dh*r>gYr=Rgyz>0A z6R^Yg>WE~!0kbBmZ{9s~J|datZvsHJE`|zd1TxQ}9iZYz!5d83KC*!FKl7i&l~=-0 z&55tkO!*-~2pXx9kAHK*37cH6VHRJQl&2lxe_~M4)CPhmz;S;0p*-RAa^o-Ja!T26;_&+Z{fVaJ zPTQ!Og2Z^{WHYi@pe647i&}q3k(6WWi%n#>(Mw!X#CI{PJW%ySB+};GJr0+IV}Gq? zY$3yC>?b)iRnEroE_qP&O_3CEg706NMX*SC<;bPkd{lmzKl-{8HxG2C-|UFZDiNl* z!%R(m)?I%o)Z|~DgxD7aUqC8xw^vfuc2k@`3#qD`1ESWS9e#M$<;9r#-h|v(u95FV zKaCM@#v2RC5kMIJdwVJAwxVLUU1pg0U>wNQ{dyiBw3F%3d{NPDzDTVh`ilx|Xo zOF)RzctmXTTtX4`M_?JkRlLOBA3x2()78m%dOj)Je@qpbdqK0RreQ9#`g9A$>O_wH z=Wbd}$XNkaYe$urbA)qu>5}+gW8Ej&(_$1na*gs;qxleebMzE#FLKo6A4PtM-RlNA z@pyZ(M2@0C;#qCF;Mr%_ii{5p+>R}z^rVQ?J)+c&zofXh$ffR{XA=SoA|MFV7@H&4 zeT@`zdmi&|=h&bOQ=jk z9w+oo@i*lld0_pA?@Pln9+iT13nFs3<|xWla3m%Sckh0}?HP@~?<)j~n1U^{$0p)L zH)klG;Fy;$PNB;pFWT}N<}r?CEwP|Ey<6s-+o317_ktd;WD`abwyXcR!OB7KqHV?u$sfdFTUX($h}w!3|P^=G#7p-%tQnH96MmNh#>kbL1?P;G} z4;0~t#H8^csn8Ryw9u0GE%)D^2~ipv=xr9wc8LJ#P3k~wl&~COUUI^yV90d~F?yh$ zsdtaX=Ra6}w(Ssqeurh)$s*GS)gVQomY9T-|4h@2G%#%QvsOCSZ78Mq?uV*>D#U3e z>XAVV$)+QYt6?!yCw+T3#`Wk@KQ=1zC;Y@`U1c`?A`tuu6-21vAg?|-jcPU!7ibMr z3@4h^RR)5$+=F7ht^xw~r7{QKGEdC+YZZ)u%AA8%Y8j^F!q5Kf!S3uVC<{i!bX?Q>A(JtvOO$mI2otiDZs&o z1R8N6U+gZ~j<%q?MW<2KH+jD3eij2D=9`|7IeHrPa9v=d)!aF{*U%PF2cwgbm!$}A zZuqXivqwitn#sMF(5 z(=$#Ni?OTPwtWy!`@`qwXQ3)Mn}Dn9IaOiy6Pq{sTIxYJ_r)V(&LP_+je>|C_2EF- zs>{y=y7=Z>3({jBOvy#Lpx+skX!4s`n}%O+8jhqFU{Das-pHnJm*%4b~0!{4jKNuS>C^N6*@84gsSyBlwO* z31q~5d~)OYI!M)b2HdldV*^EA~+!>Xi$&j^Gox{kZa5i4}oRLP&N*(Jz?WT2S z#+O$@avO(mahr6~yjMMwa!%~D-V{E(PgLcnjf3U&4=yY&jm@asfCQJKnmX(sm*+*{ zRu14K;G7kgK8K;zbFNGRWa1BSiY&qn#>543KT&vaJsDz>c5*4IwFO655`Taxb4Wx?6;3=PkmY--G?nsV%2RVVkd=*FU%<4u!hVu zgav6$FxDSWKK3DZ<%z>obBD>s$gc5<6jSnJXD>$n=~G9K z$3ErkKy<&S-n5o;9#qhS>;q`CnR{UQda3sx7BRD+Umq6V-6KjNsGvhradZz53x1z} zQGCQ(eAb(dha|HHa9b~7EKpz~&YIM79G4J8Sf~ohCS}l%7rfoexCr=T#Py1QfH305 z7x#>0wiX#HAdC>^=ig3rz^(;bH;Bl|OaY>R*TWrR<7Zk~zPVf1nP zo1dp9fFvP+6lny6gL2CLKKF5Pv}h}%c%P$a7X*OEya3nY{n4V8m)=51pC9iSV*iSr zkdO!tj-i*2oJI*+WLX|g6m*U;_k}T^@lj$8C%4V`*yg=!DrY+4y`2BiRKxr(l5W*j zTysuV^}_Oz_t@dN8Cf58n^u%-zt5=R#j&4&e9TAKn3sU<(C$6zFEN6Qq|cZQc^)Kv z_>Q^U<``DlJ;!HxN)d8H(Y9dwI4XZ1@`)+0>&FEf#=>vHFB(RCR*u(l z#jvGtY-d^7>!ad6YULeEk}Vsi!>|wxToTGHF}eLtSbVSsiBYr`#~!%8eY(iN##j*vNstCF z{d~6|X?u~kwoqzhnXx6|Ft&VBgiY{p+4OE4r)yfF?~=;4yz}lS)j9D1BwfQ@02@9o znm{|QBxh>xzZWgfF!DDY!tpwm@!$RU`zO`XZ}mi%)X7+q7MtJeq}6IdGHAoi)XN(X zuz>C3K{_aIJqA=01!8m0Zss(W(Jr_;PoC1iKR1q_83^slLuz zO8nB8rL97#p~YoIAJZeh-|S1jCO!FDLKOMR2t8}(k*rrtchWJ)3$h6_SS{^3Lq zxgofK-gK-u+ph?@5{eyIZ}f}edZcEctMyt06MS8dejM#;9Ygaxv_C&qdTY0QT(9?Z z*abY4B06kC{>P^3eC9}1C9YOwQ-2-219l7qbg(Mc*|uPf^6{ZU5}OYY9@udN{v35S ziRkszo`pBM>xEAs8qM->U}?#XD%lqb&J)0nQFJ}j7i9(TRfi3VH1t?OYFL8z!xBds zY%ZtQmvhLX<=-lsq#nH^1(g#|FIlP+s=GLA*EkEJa-Ypt+8n=e~x3ado5CU~XUJ~#my z=O#Ctyik0^8cCB9@iA$L+{Xji((`>_Qm%!YuLe@FXW&r1d&~zHTYf9~Th}@N^Z~`r z;jgaGG~Tp_yjlBN8))uwfuN64rQZN_?y6a%d+gL`pBj#B$T{({M(D%2u8i=9p8LU}udq}uQ zU(;~qbONc>@iSkoul))RG4=TU-##4*`1;1NkIDWDUI;$iCsQx#qs@8cA*p@mvTYw~ z!tVCMOLbGSBwwY5^IY}kT)DMv&eKQo93=Cm*uEwuKv55pc{}9ojZgEBG*8S)n(}?u zjfIG2lfd6Xzq!aOMXAp@);U>U#g>5x;%vwMD-}KE`aJw)*QfSD)%o9=Y^u0Ar-^P| zMbo0gK8LYIW50fwEzCS1|Bgz9>Y|w@74{XtGPqQpp;{?4O#BM z!{-rrA5%gGUcNa_8xi7+pvWs+hO7<~x3y*7TqI77b6aZ#JbCamFHXOcN!ueDZkV~q z(FIf*6dw4?MOC|PfQ&87TcXcsSwM_82;Jxp8PfG=q0+Z@FY%hQ=6dzl!{27=ug1wE7n;br1N){Gt0W^qqUKSr(cL(GzIk2u zUW0<((;Hyf5#6TG$Op-hCXfXatqh%*M(Kh$(>t0ka{Acxx-nMf=#4Mu`iR;J%}NN@ zC*C#Yyg@RCgwa(CSSP@nLU2*n-&oXoNTK&#uCghPdRD$Cu+u9ZZUx&ggRv|`y;AHA z2udNnr|+8U0gt>!Gt6I~Lx(gQ9`$PT5uMg8I0J*RKem)ox}hkksUSLc4TvcH)%EQ2 ze2-}H{J5`d-9`uCOrB`xhkaan-AD>i({=y!EX(}zSE781DPPR>Cq{(WrRP%vJqCf` zzt)(jB#;Psi7T9doXC&3wS^PBktnvWN;7kTHX0V}m?{tjvoVAn{foL74tz_XR)h*V zPM7{AW3^6a{CKF$!%(hiNkbc0joI z_@EnVelto!(f?6z<1?}*?z+<%o!cK9Z&&w<8@^^k2i$E!n((&L9Sp2T&0fIw432hV zPao*&#NGcYCTeKl+xvo0EI_<-PI;ZgNg)~<8j?=OsG@s~aD<|6%LH?_gt`N8=z*UH z(I5*@E$Ed@KZq?h(%FIjkytNEITOOY=qFC+m$b%2*g1DMmfT8?>{4>~XRxkT`}qc`ZEGw3io z^_$1}oFn>v+BqRudJ?opq(8cqhq{JOI*ZPNpc^$I*n>3~10icVBS%9!EV@xQI;o5L ztsl6lLusXR2@iO=ILH{R=Ta@fvn~`Im3(@xQv{?h`+DsY{t?PNNH@mYp8no9bJUBuS9RFPhV8JmEbT4SKwi^U1B*QnPJ6V-P2Z(`t zmwT1_dtsmZy@Em$I9TPJb3cd!puPIM$3ik#13zp79xyj#D-ghc)u>;*l4N;N@&Xq) z^?G0dDZs-y*fdVVx=Dwmuoyg(fnd@JY;Ia95k1{BY`7q1FI)P zwmWnw6xzz`!Wg`Ou2oJFT(QkBNyb0DdkDN1!viRAfs*CK1n>YJIKw}PLq_+)(7$Ra z*upYI!^*=0DPRG`b9oZz0ZB`}agckt<2;nk!Wz7MiIG53lY-ZSJ)n)fNS6KCr@bz; z!H6yWR5gJk1h(8WQPe+vi{`pA=>I_yfc#VU{oj8>Ho%o!rK(&l!!w}0;Um7%Bb^yp zg1AdQvqwJbzih5^p2MBKiIKny+<;PRf@S|hJAA`85Zf}OweX)5D+oVZ6C3F_ggI1p z8;n7lDZaknfEYLesK5RK(Y>?V{Rx``Dy%``3pba$*;0=|8)UZm_d`T%gZWpsCX7E4 zxEc6I|MXYC^@Et}Tfg?_GxxLEo5jEX|35$&5IE4liWfn|hygY0UqgovAx4xqkzz%Q z7cpkkxRK*SR4+P)6giS)$&m?7rc}9-B|KE9^dx*S^Ti5+H*w-jK=TEUgqBb#V>y&) zQKK6_9#y)OX+)Gwp+-H*>;Gj{RNACw)w-2qQm$XYPJ9}cY+18s(Mt82mhIB9ZQ;h1 zJNN8bx_3ps#k-epU%wjd{uK;S?_k4+5u**9*l%IRk0D1cx>zz@F&cPg*1VZ>XV0HO zhZa4WbZOJ4QKweDnssZ`BtTZ?>(Xj%+qZG&*1el|Z{NRx2Nyn^cyZ&$ktZ*XRd#dd z&!I<`KAn1X>({Yo*S?*5ckkc9hZjGde0lTd(Wh6xo_%}w@8QRnKc9Ym`}f1U8it>L zf5QU?Xv!4;9PrP;1MdP*B3HV3Xqf#V8pf4~x`EIkR|YH)!3{Y)OTmYT0B`^h8Ug_T z005NYA6Fa@QI3B=82`Y90RSNJpAb(bY zwR`c+SKod4?fu9H0gw;hrr3~am66Y_s5YzR&Z zy9tAnxg$q%zX=~y8cody&`%B|otzqT%klFXaE=5Qsg*NuFZ}R|66XNziKNgljJD&J z#{nXO-~VrQDO>;{?qTNES_%+U9A*F_LY&Z{5Fh<#Li0$;`s@EEp8Wk+zx$QL8;!u-0nea2ion8mGuvI-zIQ#yNuh1) zBhdhu7B}bpV;DAi5{!xkI?ahHbr50Ee%cf_A~A_+?t`Dt6e`NPUj6{ro_sie@0QkTD$#H-METRG>ayFw4t#J-9V}YDF!fvz)byS*= z9RKR(JuYf*gbpF(0Hip#6l%y(gEUYY)o790h2(a*Gh9XVs1F7zF(SdkP$3{0w=hmE zd@vePH_%idDxt6t4N;NS{=tb7I>dThBcuarX-G1vP|0u z|IxQ_j?;z9q+JZjQq5^Lq?-P$h%yaI7=VU_fiW1ULu3|%giZvZ6KzN{k5V&|1sH5a&Z<5uQmH{iz>qP;>L}w`PHmnWz>A3B0#~e#NCR-M9M)?l75~L|zAhLB z-gG%y2UsqQnQ{QK-s_6yPK2J5QeS~TS0MloU_We=!s_$`CcMQroZV#Jjm*ne5W7NY zBO)$wlSCp6%L99Z8Wfu7+L7zdE@I82;Z8UTII1i%Tem3 z@{?ov5L6}XHKe0;+o zs~4?HPOMIrQB>P4gRa6@}cv z9XB7s2U!R|9WPTPY9)s;?9QCa^}U*^^SoJ|ayZNQ*TDXVze{2RXlJBq$4gdqxr#_~ zI&HIRRj*?~>w+l}wINpbtXf06pXtfL>r(?2Z2wUR>dBmg;r|XUY#ke4u8w`F)lGZ% z@<~19I*mwE3j=YbOe)sJ0{3(Qp%``* zZ9Gpo-}#hi-esW|y{}Jy^o6D#Eu>$W=~*8V*M|)DvFFI_Jyv_$YXtWj(>=x@ge;eS z{-(b#%JeFtRt0xNt@yNvS}o%Cib#L18yPy0GLqE}j+5_F={?4bf01$6KoR!H2tV7} zYU`7As%g7^M5s^jki=j9@XyEqrUpG=VIC^quUPmk0vfoh0Lah$DB^SS44=5kdPYP~ zjz>)(MBeC$gR~9;8IaxZN$tQ#9>hsa^aE91WOZc3A^&0|M!<`0$VddStpn!(S~gt8e$wo z;T;-68AQP$av>KSLKG0~9Yg^N|3L~3&u+^ z8l(^>sjleo{kn?yWU9{uzy}&a0N0=))<6KR@E?3Y034zMD!?H|u^~i308a5AQV|*& zq7@yY*#gbGz|fHdk$4=3$&kqnp$K`VC)2X6k^jmpxa2KB#7cT7=)fL{B6i8-I?Pez z4M?Jq+sJ5;Dy@W^#nU9>8Y3roN@x>Jjggu{2_L4$vY^P`Aq%wdA95iJbnzb)AqyO0 z4Q}xt=CKs*u_5x23i;6=8^X`d@Vg*_N>1f+-tZWU(R(;yPn4!2Z4HVP%jD3+lElgZ z@CHL91Rc-OR5WZ)Q0OD2k*p?3P#l6&9`PYe5(F+$l3GoD=r0LDv84d8A_Q;%9a17d zpd(XBL;i3h8;RW?dnL#}K>+))l*Bs_id@c0V)mI59bW;VNn z%lb+5;FCMDlRn%tVd``D9wI*rW;D5Fp7mWU#Y(;$Ra4ai%25^k?d_nY(&8>P*2t-4#7lBNQ6b!q!8j% zMkUYzwy#CxAWrv5Od6ydWl|!t=}xnWPC+1>yeC9rBw518Q1wPo_wvBjXKmglP9ZaO z=JY{8P)#n#oU*C=^bANt%1j-?5(e_d3Npu_p&oGzA93sy`>|DVObc`D9iSn{{y`M7 zAPRm_O-p3vl2ap(5&zZ)kpG-!4V@*gjIogrsUf?lr>3X^YkKSyGRk>PEp820Znm{ zyJE2wXAxlkLCBz?7P(6x3k?__Vvs7Xn+Q`WA!kIgsKJnRDZ5Wo)`Z&{bz?!GO=r?n zw1{IHiNa`7NdrW$cur)+Xq+lC(asH#9MxX6k+Mn@RZU7&!2(SOumB^Xd=^zA*Of4% zv(+YYDT~GAq$n)Kjh9Rk{>V~k$uiv7%}>2ZYTYuQYPLzgY!90j;R2*8i^4?3MM#G> z4H?Wr226z>4NQ?Xod3XSOP{iW;$~Vgr%ip7ZuvHs6bWBr?P(jrNOzMk%WO)!PFF66 zX8~89+H^GisDh{x+vaxHwDDbclPJ_STpD!z+?FErFSs^EP1d;(;4ZzP+#iAr3h%?!6hN|kkG&{5s)nJ{MdvbUw;gI`;Ql`uFq#*jolz^a{9J4!H9Ym|GUu=o)xi9vIjnSX&4oConjJ jHF$$LxPv|TgA_qHghhCSNw|bf_=G_?0S3`n`NmEl3z!qY#R!Ue?s9q@?R|+>R)ikw7nU?b5%WW*1bX1s};D&(er91dSAnNKj5IzdKbHZYYX1q-uR2nq<{o`P&p|m z!8_oJcaS$RsMYjJPf(EesVnIhgRXI~So??vq$};jh#pczJ6}2n$m2vrM4Yh4lpNwer!MrR}uxu7uK2TKOokl@nVvI+t$0l5W*pSeRZu9`Rtkyu5s+ z5IvQ5k=8I3+pv=LU_7CDE~{Z?rZnPOD`%z|RoF1oUzMKFy4ldsu-U-Z+R#wiJae;s z<^q&3LVa|j0x$>@+tbR^m52vAPF0X%g zx8X`v&q7yMS84xdX+NjAXQ6PEQ$EZo9p!LFfd|8!m9EnE;g!NEPWd?J!6>I|c%^Eb z(>}W1HM&wd!|57be=x;q9_RFou8)q6HcWAP##dVZd1g30Q=45=oZ+d>);Uhk%zvUQ&fLQK_{#q9I%jHScWPySW@UG7WqWRAcV%T|bdxi+&Y4@^om=0ZTjwmS@2;%x z?yoE?Z0@gY?yhfcu59klZF5#OIqRFdE8F`k+nn|7{q=3m=JxL9_Wt(v_R212`=7nL z|NqS{XZN4(bN2r!=l=rd0304^Vq;l111_xYIoMdet1%u(=W=mz3it#D7&u+qKk;-6Q6x{~7pJ zap<<=c{`TvlLv3>+ywe2=bhiYOh4Y6B6Ga8{(anzufE+qMnAn?|5P9Jadm^2Cv$t9 z%Q|Gfv-A2_-i%-1Ulk~FTtmI+5Mz5A4`ls`x^yiK)W zI7%qBa%1NX9wP&WT2$uKaVs^8fotx){KlM0$cVH$z03vSp$E>tX>U;I=@NJ`Gl$nf zuV=*kXQr=%PV2_n@@=v;`nb-7+Yv`o4k_%WNWy%jyX2k9#if#Ph5yb`jV_}4q?tPm zq`}ad&`Mdn*nXMzOY%J_EKOP-;}~6i#j`Zmb!O~H^cwcAL(#)-UbCNpM;vr&(3jS0 zYv}KeANf!pCZH{C$MMVIB`5oTe%K~t^`^*rZig;%o0LG$!|uV;LV^q~6Dn|C!us{g2w##u))^kEkdYRQkx5?J@bU3JJOT zTKI6|?_^>7T9ea3PijXh9$)S%k)7umC%f$Mp%FS1E7d=NIrf^TpMGsEZxDIRZ{DUS zUkY^|5!#*Ot>WCXc?nx%eKUC35wtg-uubPTE0?|^4EHb{F`VAfYhI{NXZ1Sho>biY zwQ5qK@YC$J=h+E(n48J9z5~yNHU~`oJiqY}g>V0B+i}%>+zwPB+(8Qpo>_lZ4dI?p zJ8t1%IuTy@`v>dzn%$ALsK?gt9f^(yCC_o*IZy|7sDJ_P`p`|OV9lm@o{gt(n5TGK zK6Rmv`^;M_jIDmF(wgWaydD?(J+oUf2@jT0L2WX*b;9F$49mQEEU`2=AECR%lnK>! z0}Foy;D4@dk)|=T-|%Hg^ZXR^&jpZee^g48(!DUjP>Aq(Ca8``HKtz^B=5_kE&V0g8u{=q5id~5Q zPOx}d%U^qzAU~zFsF&ga%cp`gL<=`n_^{nVEDVqGzLWR|;sCl*INsUb>F^z_7xzjd za@%5%-=u)-C?u>Ykq(iXTFdx>pF;Q++8XXq^N^W-Ij}wqB6jB<>_U0kuvQ@Sn2C@3 zUU^bNEnDcPf8y63#haRa?AWesdY(}3(01&I=*U99**NGfo4o|FUn^7pk(A=o2N5^k zlSMBny{cLRU9%x`8@Cc=@mNrr;g|)6D%gOJ)fN+zgqe2;rl@3&=ejfd^zIFC5W!Id z-XHFGN&D&7<(?I%5om&OtGE5u-Zsc^2rta)PxsX$#yhnz;E4D_;{MQ|1DD5#yP~D!R(ER=m;GNysG2Mj!;(^b`z|1RhVU3S zk8H1kP55VOzqWVpO-*96%E9)#*NN)IZ9$8E9{4#(Jk_cpx}j#1)f0oK@Kn?L&=zF0 zeyi@p*2etpZ^P2_)t6kSu?X)Irc`({^JbRa#%uI`z9BoAL_8Y8yH!Q|txW}OnKX}s8!~0G(M~BrD#>=PLIF09}#kp=NTBqaIeLUI7*(9WiU+oTgM8wFsG|TnB}=GdaiF2@=Jgk20*1kgjdVp}r`} z+h`}Yjcu9W4^g-|lboa1M(TKEYsD8>F&U)?>E)er!hXEmF5n~IXN>4K-oZ%AP$rtH z$VI#b@_eYv=&R{%*c8ND#Luo>Kpgiy!|ZBWsE=?;7)8TO;W=Pd*4tcyvWyg9y2=Q= zCv{RbZyn2=(YX6c^dl>t;!)NKGN^btiA#(cp-iZ+zT><~1S{#^=zzrb{PKKBf#pmz zj=!y1928*gB zjqp(R=+AZ+Pbx{@s)uDny>Spha^2; z?1Us-!h`>kWG_Fq#Cb3yOZS>WBp*o>1mLa(vgV!YScG}sfh?@1R}LC`-8A^c&E)D} z;r5@VJOGh7&S5bmHD^U^Yb=DwkAJ>nmVYJ=#BR)Qg}b0*e>U1$3J?KmcW?Dpvp4|^ zQ1{*~$^NRQ_R2|*F=oT$e#H&Oas<#JDdw79zds2GJTRR5ZX7}ImrvS8l2TG78HZ#; zpV}Fx$^2FN_}6XaXV{W>l+`NciFl0RLYSQ)^=uDfj$$Ovy0nxPo%CJc4vW8^D%`Mo zz3Hdqh#`P+gJfW1Apihj!>d`>Z@}m>Zgdq~6i;I$W(}TCqHC_jNDoFpah(Reb#@(QU1@t9loI$$4-Me@QD!+r{g z$&1*y3j5)1PA1W9NwFVKLzet*EU$(wt-|~KVr|}qWeif|m@!KD8!rrRJjzOkPhZa` zhqwC0_WJQ0g-OM+!j~d%Sr1T6_QIaQ0i`WT>vs@Uw;LAsV_@z#2v0McuJDbpG<2!a z3^!pZLHO}gS+KHX)=$X*e>y*wUfq@)^X_^aK3==#rZJIj=>{qE=dIX_sdS?k;Id_E z=`x(@EPYCROF^Vs4Wk_=+p)#hslb&zAa{V_y8naknX;5G%S(vK_fl1Mq%Din=$5$T zG~pk~lL>_sK(8CdLL?XgZ8=AcVpm}FiGj$g??9n$k=br3nsAs4Gsk`~-v*bdjRPDE zv*q0AkfA(-wM>6F5Ll3CSrD&_X2hUx>f!)fxNJKHsT2ulpsqAq&=g6iS&FdqP}29c z>`B8|Vq{Lt?ZoG|Z^{Jl2A~T~h(%b5+eXA&*I>ofw%JO*U`Fq0PgIjEjAUCe$lC-+ zd#l_I#mExtzt9a$`p%cHEOqJ`_h^A!I#qaL52lU2Zo5|eL@m=s{N{N!ypto&I3a%X zg-tBskW>XcR#lZdA1KahyS}v-9#I%s7Z6Fo+<}m99r2GeBlFb2Wk>Ea8evg4-sQMp z?o_LCgWYe0s7d9DxywcVH~!$)HFm19tFXJ^-1|IsOuGKckh2L)vGOz zG2&7lzO85+u0jMWCo@vf`6>nR%0#>TRn&E>OBcr-2eup zG3BUQN~a;$tpIwPM6voW$-=#A-NG1^w(u(+#eM-PR}aO<8OkPel&^|Y!bDWLE@S1? z8@Z*2!*U9MBHpO0ZIPo%_phI(@>8P@8Qs4+7^QtJsT#|rS_lwr?(yTn4^nOwJ*ZV` z%q%mmyXSF(2mhdxH|NfNoeZVm?K>cF4Z{L>RF%E{jPZ90!Fw>WC5_%N40HjAKG%jF zf99sQCGdEw>d11q*=c$^Ptu8`>elJv-x5+Gy#H>`V~f8B0QnK>H#-d(t!?-Bo)yIz zXVZ#emDh@{8fO0TNG&AZgi2K}%kveL1q->AO9qIhprf1R`JQiyATFs4PaZ*uakdL^4|*eKXmwvAU*A;ZhRve3MH#z_Tma&E%yB z!e8T?7RL~MtR~cybQP=V3DC^Wf)|OxCspK6sU?bg*G?I^)UP);%GX^_it3e=Qe1n` zIA4yL2AbQV*xpG+GoXCdgRFr3um?)y`bSw0%-H2itNC$B^s?gGD1Y8elPAkb z+0Zj>HDB7|Fzu%Mm`*aEy`oPI30W#`y@09mzs%cC=IhM%dF8|#BADkOA(c%5b?r6b zobyhDs$Zn4w{P*?Qt)XaA-A#!bP(S%IdFobA=OR|($C@^zS5+&Sh7IlA-4cmiWN&> z;&;Wn280kFF?!xoho5FycO8GRtD(0dB_WMC*1uI!LUpWXCkTe}#U+cXQ;|EVfeU0M zUMjaBpGr*`za=CsLzgK;Vva}q!`K}r&HU*Tp-0NOiXyvfgb;$)0N$-e%@RckO}(JY zVzPWa3lCJ0&iwtn`cu`4VTS#z7Pw@4EyW;~^Uufd(z9U!9-ee`g)a*m9La`hu;fVBWFJ@v9qxcD5t^ zd{XoFOL9o?78M#n7SPS$oxlhrkQV=RE(nb;yvIWm$O02ABb7O%+Sx_+SDS!8K*pcx znoOi~1-N4aC87HMX#Kg_W5agPh2t4ekJ04`MS&7L^yJxPj*Prp1~h7vXS?k91P2gE zV6VpAVL#C83XzAJb*zD+K8n2;LzH`)Ca-3m#yUElBScod_}wc2_qyh}4bo z;N_9g^@qr>1Q#`c|!9i%+t#<#Jf-wcr*t0=HM09nQIH_C6Bmu;_dC|hY%csv^x z#o{*p#C@aj$oJo0bLPH=mhCh!1kfIufMjq)H#q<6f)`2_PI=fr9OBFem95$OJ>5$Gmm^X$zsdCP)7+K zivwtxd_|jQ78_4|(_Uwz_O8dR$DWgAI6_-U{I1x&m~(rHxAx@A_Szrqg&6QAV}F_4 z{b9`EzCnfOVtK(id|lG7pS|7J}r318@Z(e9K3k`f+8vo=s_;mv9R zhb%khYU!A2=6|z+SD25AP7psM%Tw;5<+p!SzdmUiukJ)IeCyqehlvo!C0#e%nlHZg z;Ok#!f-Z2)A}7Ph-A7MKD60|Mwl>aoAu z{x?=$a>3^4S!qH5-+w!!leLj3-Tja6a_b`Cg*AyXXIeRz!qt(`YhUuuB|<#P0(?R- zgpT&d>0t+Fgm?tA4=Fzmm$=##x{`JGXW;hZa_zVR0u!^pe9mt=S6#4&u%CW+;@+<1 zL?|0{e^KgZAC5`psowuHRP9yw@FRD-RYQd5P;w3o$+{=Ok&RI`TDA+_H14Y`4zN_J ze~f+pwOx@nF^q|@F!f54N)W0UFTP}ErF!Lr=IJ$e4Fp_c`20f^{9wonsklB>S=lFO z3PuKrJ1>>~5sR|G{K=v8@ZNn+YT`SzlxZj6Fh6P{xGbS-8t1s7bF8MaV)#~F%Zy4g zUT0EVjP~k0o^mnTBGd1P9!*!n1m&-q>Vkt`xEz)=0Qe_XVraQdv(M%Vqw#|DbG_LjQ*TRgW%=m7S z&Yl|5{m3736Ti5(Pja#1yr=jKbE!#1;>;q~H0~^g2m92$Xwv^CVnQA^xVIzfe zcI@IczLHGNF3tN%re4ZRGA)*9N53}MBA>`Q;GF$)#Teaxwx<*v%zKjiWQk_GJbQK=F2XE z7yg@G#2HM(qJ5KQjOKkdH=iun(BnTA5foDN4$o8d({7y8T;*rnQHg>!vjWzF)rQWR zAiJgHcW!Am5eGazvNEf)xG(9XjJc26WOBR$@!W-~@xP_p1OwZwV8P|Izk5l7_Vo!8 zvy$?mlj~JsB0;I8_yqa4U3xZS{fJ7?CDe7$K1@l8rq9-cF>S61DTBbcj~tiggb`Hr9grp z#LgI42UtQhkgOBQ1m2K^!KWzshT4`*cVe=aMGf3iP-t6z)smBE4EtO~P zARR}p*tx-zG=r6On%FSDEi{jeOHaS4hmxS$)&=bd@{n(M!gUYbTYLR)@1&6zKoSc~ z!Fa<=TaT>B@)lyypmpXsWzHoLb*Y=ECXwt zTYTtJ8s~XDSH{7|lq$6gn#5catLR$o1Z7$JO=T>V5^6=~!?EMT;gyAXAFJ<=TB8gD zx+SH4;VoyxoKg$q@2$t%$o!?*xn~NWj?slQ9R_%=ihyOea#xQX1wpU>>wo#Git3w9 z`DQy8MN$KO2=GfJ(G5%4rA!->)H0F|Yq9+Fl0U&M&yhZ;BSIX5pY1`vP4)4%kYM$h z+pXv2^i=aABxyQ-<(aZCPb!|?QbZBSG&lgdt7}yu^m9Q(?3cwULSC{HqZ@TPo*)~a zMdQ=P)6^})i#e@Z{T_GZGc9D8QIeoOk4-1t2G{t1U`Y+6qZ!gDog~aSFPI<&H5 z^iq783d%Cz4}(X(fXeen1c51IXWC%B8zMS2epEZX5Xejrj5QHel%>nf3;k4RA`e`! ztN7@5b?QQ=An}j?)z=?XYujO6$$HhTldj4DzOrf4tV zzRCIvjN&-yW}cbJL0%*_Nt8bQl27g1HCiTo;5{d00K$kO6_>6x6O|b?ut$xn3R{^ zpvqS&I|LZYkXbP6W9CzbQ{l4AbCOwB-!lv^`TltS#y$$l?9b{^#x33dd<`Oxe3Ju5VQf=KUG4#zsIqprh7W(gyl}ZsdrBxow|{d^E(DI*4+II}i%%#+ zaf*G*r{4pvT+L;ohn#CKan)R(tX28&N(|qx%(E(sfwik?UP*}F{B1jxOc3GolC$3c zbkxfdbp!7K<8#+%j9~eVdgl}CVY6QpRxb?Q`-8D-gj3+=8A>HxVh=9get-G|fks!J zEqpuj#X>IHjE1!kIR*Z31JkV&qQs+u?f&|6*Kl5PEMm$1$L1|@qo5EES-LsDV2>)R zN-j<@*TnmK*sb><>5x8MI9>iKh4$G&o?AT4jK|DB8Bq;f5TBmksr4Ha@nmr_m6YUn z9~&lMF2((B`qCwDwq-`}#Be9VKke3q#BO@OK`jm3`6V!XUG8U>cwTCuyvy5z6}ic4 zC$L8qyCwd>VIV+`36Tv1@Jb&aL4l2)KPVLS_dJLy+!iMekRd-A=D!$8!T|7x0l-=2 zf5To70X(SQ{O1w;A7Owi+#Dd$xnuBAW#+#%mZO-slK}JYkZcZ^aeIh*cOv<-$DO~|pyKGFI8wZ~YPN!2kD^tNl2wm4g`2iT14w3^ z!J~-jE-U&YleMN4w?_~ZNb*3i?YhLR3Ai5i#pV?dPyI?6*)7+m z;2%f~N&id_dX>z%gz?_EbpsDSu?PEA-keS{SaAZ&Vv-vQ`mg6&OP0atsx+Rh0iFU{ zpi**l8T|+fuC7WILJj_lGUQp0DxT`uLP&3G=UgHTEH>)4?!i95f?+CiXHU|40J*UY*2;D;5Aw zI0ldZEAZYh4?qP|j{8tv#qDu7*$)=C99KuZ;@RUi7=cL_bp4I8_+!I zR~>B;r@5J~kHZhhcB6%00F`j6((akR>Ir}PaW~UxPuuq$uXqOSK93|EDR87`vZ7IN zgg)4*jkGwD5Vyq=${d|#wCC6Ooc3Bj1FroG$ zQcc$wCsE__%Hs<9xu4@T3!e<_T+=K*RG|u`c*8q(&Gzyr)gWH z<(O0T^)C6EfN{FxQKsE&$%J?iVL!E}b6yK=Khg=9w5L$18VEwdlq!byWDrE4x+>;P z9k#UNT#!oMBW9;#Rb5#_jkaL;;K_g(S{#;pE)&T4h@->biY>oF{ek(A-{&tgj<~tg z+uqW!qpLCR3r4v3XWeOgiAOTu)7IV>bl4jBFt{nu$E+r6p%aUZ@p!f(0&CoicRQ9& z4<84oT%Jyn8Bcy$p(PEX@0mV)1sA=bJNkM0R$jjm>O+7haphq6^lSGL&1~D(ypsQE zN#*fNr2^V6D6V29vSX9A=_ST}|W zFp=}xTD=TBDdMEgBDL#VKA%mdY2eHgGGW5T6%&SCjGGS}CgEi?O4}2kOjw^8l>=wf z{4Toor$mIKT7i!;rJjj}!|^p| z6U)4;o_H0Z46mvt&N|3{;yP<3dKNa^k}nTGgwJMmB#&f&RC`hwER%dASztAdvf0vFMaaa=mSafK*%JRJfO{9S6g8oF%I=5WIxMz26?&7(h7sns{M?g^!YZb6R z5%3O-!&4)|Q;Zexcgj^H*|Y84buIFmXo74(Uy9qzo@IVmmYnNzxbes_e3@2i9b2iB zU1wCnhfE@qKFy`m39+C4b{nZt5aCzsCL`dYCQSpjXKFVR^-+tuDvSEm1Wv3poDQA+ zBn`hEoBAwbQPR~?3;8&3;)7hF+mAqY^!7b?Tb-iyIO43XvTPv*Eg9xdgJ&)XWR$11 zOwozuz^S=#_4$GMbHtPJ&-k342cBw6vo$Dv1%A!N^K$rP-lAg52U3lxEMgk>xlj8a zbAv_oOaXLI=ei%xcK?D!Z_(?9itO1*H>gPjkEO#!54hGU=*bAy1$o;iOKw*G3e~a@ zKy}Z1wHj!9lzb|oZ`f02!bLm#^Tm`Bo~ny{Vpk z;W`+s&%C((_9C4K6Igf@6TCD5Lrvps()Cd1YGYFU$fHt2nN z2MZo93AxBBK7N%DU*b*r18WK#J(1xk;X3G)e;R%2OB@bH%H$=H*mE>Zp7qrB;3=g! z5a>!x$JO<}?h?ObGWWJlq`@=Zot5kxwLW{S=h@58t#^1iB)3GV(fNU2cVO^TB!wo6 zVwgw4#~ir`ga4*#kn0$p1n24r+0UK9o`%nEE2Md*zlI-FC1#e0)4KufI+)3>#= zK`KKR*R)93Z*e&CN>(*_DVZDd&Xpg4;y~ib;L6~sm9F$qGVC%d$=R+Z!7l0k_+_Qi z1<50y9rSy|P-f4cC#N|F6kq%N{VajBmvNDjiWR)|#G4f=sz*I7E%f@qTU(j zg>;03eg!hDombALVo;RB7F=MRs;UKm8z1yVR(=na;iE02^Jg=SZTu?Ri7FVvf3Ei; zTu?v`PU5-plpG@LclqfJ$lNHu=((c04`j(vLUi$mQP=nlUq&QsTO}gg0g4bucMIsT{6NP&YZ&Di> z?~B2D0)Ptz^r!0^037ADUKfT_JYT_2V(Z-=Y?{bz@3~PEEiIK`AxUuL1IPYr)G1>kep9{{wv&5_+~xr+oQGfl$=kmAsb) zC(;%SxPEg}XTxYxD8?t>WNsYoQv;cUL2!Gpl64`S3*My z;GYs}*l;v0(m%ntjO!ZlY?>-}ESpQAEumU$d-F;{Xr^4)Y0D3Qa#|ar+p*9S=68Y` ziDkliXShx&mJDTI6B5jNa`iH)@%Qs{i5J^`wJ%Q#W2kB<=)vX(HGJ^f8g`u*fQ?GB zuVIi`Nj0}EV%xYBu!i0M=-6oViv0Fzzh10nf_hzYa%PZ^?r+Im=m+A#lSrXME3+T) zi?l&l0Vks~>1D~!TWV`mj)xxCzZc#M!vvfv`))`=UaAqbs{hd8+U%HNfux&^ z^BHl{c5x>S!iBR3;0JG^gXeO`Z_Q2IMm!NnI%CLX@Ppg%nlml=&(@aEOl03)Vy5|C zyg8lIFPFf~rzFYF+{+?iFNE0@%Z!xXmM ze6|$3k9pZ=X$EX74d<$#Znihd=%?`={2i+g_@OcyjzEqG_8+z$39s=G(z4UzftJ|a zJ{%N1k&^;JFxiOJl&U9j&iKiZpUPIra;tx1`Aw$OW{N7JO%Jb&Eu(F!Q2;<5a0H;* zZq{L;cv|JtU@i{*0Ih5}LfBfL%n~0xZ{qG`6s>vSRLLGGa^b!Z!Dd#qI7|@#m8&Wx zE?5ix!-lc4^H}pSLZ01Q^;hI=$Jt9g|J^;^c>Z#}%+cookKU=v-LyTwZZ#`hEvZM5 zzg?s4d-t~LIos*x?p|H}?pM|iN>xx&_fB$$pu&FcX*xZ0`LxjHd_w}+fgZ>n@|#>! z_;h)T9a-kE(?ULT>h!}&gy{=ZH(kAJ44Ojm8x!$_pTpFg44vgU{PL{XkVdew3k#FTnKO1y$^?d=S51APLD6yOW*Z3uolwpJ0%XpP0#m;Xtn3tW9}AO zDBJ3T3x^dJ9>RvpEHa=qF&*q}3G}6@rFY;Fz8WFPy8+I8_pII3YW)@Y=1<_7>P3#@ zmZ%cd1!Cis<<5;~YoP!g{oeq;%ttaWDB^2$uSjeEs-2OLG>UMauHxY@lC1K;|Nd-w z_UH}u5vaQPdM##@qz=lXk;a;rz(CnBH<Kv+6?R@gQN|v=c@UQ=wJ#S36OsSJF0JNz~osVOtgfBg4+HJHuuX-iKW6hTV6-*dB z@|r`caZ@}Yzte82GFXw|pN)V+vHfzu(tpW{7m|x-{Vc8OG<%PUFJT9Qzc(*|0{ZIT z`Y}h+gs3pLB0amiM<3=65~CcThqg0&x8t=Z5I?3IxUvTN`uylwAl6ZGPX!d6h@#!5Q^<|8eiSsB_X>+H(BAl}@_pfblfWCt-_3DJceAr#QQ-DNnfsN_ zoVN@d5ANB>r=^Z}tmB;R)k&okE!73NY6u|u_X=29)l%m2rHOqz1>A)z_>eK@KHRW8NlQpTJzgM`GlY3|w$#OMPH-EY`Uy7@JkycGpj+iGR{J@P=@-0Jgu#<3UBel_tU|7JdKeCAUU)ABXi%4O%? zZpqDJUAgZx;c`X30Rs?ENsD(+?BnktiCdqf)Ij%Ap@YPdC&Ix z>n}a&;*l+*w;ia^TIHcC|23=F-=i5M`elpvXI}V4SmA%a)=zQ{LCoZ+0B$_ZwYH8a zC#}#p$iAe%=Y0Hfi|t(`6B<|(pT?`3h?c182)&vvygLXLEP6(0X)1@J+g8<%qmJA- z&o4TLUIp>0vGRPa(P4Y`C}gzov<#Eyp)C&vjS{v!s+p7bTw3t36Dzg5pu>Jwi40XIz3j4BK5-I$K?e{s1bMj(_;D;`;Qt8B?^;;^PCJ+il-< zHzzWs?3`xmZolT547;Z>`-&GLbhrCqMB(_mH(2jBHFt2V!*Qjpe*2Cc&){W$t}cI> zdk@5kebG9I^xMG(T@HmIlqd6LIl#*YGw91P=NWF&6%ic|xk@#?IVQ<(q;cKh$6gvN zJ)o}}|HJ-PxD#!gA>(J$@sf^T`9+IAR)E_=SCvufjTSCQ%yggAu>^y}twOQ2ColaA zHQ^oKXC8cB8z`LD89aDSP&lX<2zcDw(&nTuSo3aBBc02T916&g-wrth^!X_@rvAF= zsxMT-Rr*{QnX zw>r7ubH4*LYGUNhIzjG|XXHa})BN zz#A3IeZSuy+~KS^Nq--vs3V_eRCW&)6sXemHis7Q#h~JQ(=j97Xn?z{oXws*W<1%k zkPt@{xH1(V>(Fyk;y9O3&((B|y{uc-`3mY1IH*aYWM}4=Gf%^EKcvN5@Y}`#W!f*6 zbqkulVm69bDhgk=mNGY)>yz1^vCo{2f+H}d6DiqT7g*3Fv(@e*P>!#s`{7qbn{Dp$Rmk7QAxS6qw9QS9mMVGeYU zVCnH%Vme{oLjS#e*o7YDTFDdrW51s25vmUg7)?r<*I=oZg8rZQ)Z@$ldy|a8-g~j| zg4PuA`ubJn-s9R*86#-}g*rWy`JZ7b>N)whp- zC+vzQDDv^y9?;OaeQ3NF6OIV;Ou`f_eB9%+tyi#(p`+U>&}+vvh097etrZ2^ z+={NU^R@@)ZIeN>BSdT;L2{!H6vLD?U4ScRtE_n-Oc}~Ow@}7+j6vW&zpcDk#ZDh^Tt>+L_MlB521Gf2P|#%|+`_4=b~mgjC^hX;j`FYW7b8#Y^Y8k#0*NWlwoqA zJ_ZWi)F2a#l~inslml9)HTir|q+WwQHwDubP#RwGW3NHWGO3?__~XAcJ7pURgzT=Q zwSo2OA+}w&kBc38^tRtm+QJym_>vW`bkZU>cS(?KX=+bMGgD9(ff!cyq60si>totR zuV$869?4~h5f=wfRa{%oKXfnyB6b^N&irG*@#W4g)>{~tG4x5kPhVOd4(vVZ309P) z!hL9`dHrL`EDyIqHeb3+s;<%dPb&s~0Q=K?MrCa&mSV|x+fXGm7Gh2&=uRpJedf^h z>j}nsmMG#P$drk6lSvUu)==#YTAw*7;+r-uZBCl=)5Hr$K@6cvc1m>A&V>?v3)PRk zID1IOdDk1k5OXX9y;L0-;g=hICn$r~@X*@Xw^n)kUnGEG5Je~5t?CN zuYo;52lZL>v!$+EFYaTnvUK;I22Va83(L9M7?EBamT@&yH1$`2;5Gq+Q-$l%P4K<3 z*;WcCE%*YLuFG^w0|fJWh=CrY;7Nwo$#vWTMBkGxra5zU6HldIQZRs2E7U>#yK5^h zndO5OtuGq~GV;p1ks@bqW#EOOVC+FJjtr>`RlV0|sRP$Ak0Pj2Io;&^N^l=uR7B#j zP_h;oVn+FVoeP}ieEGnPA%YD+0lmh20mlKba38*6cMUL)$cC!FgYun;V?M-mF+-#av>PUV5q zB&ILFvI{ue2hqSTfQj8LGl6Mmd&s^_>B?T565)Dtyi!@WP(70+q&1d79pl~sGK0R-l?}Ea8q%N~JE}0M{9C?`!w6ku<1<(qr17!W zC-~d<_jLU}2(~ihmTb53LEW#J`a{$ZTVLkoe#YSzwFA4;n&fIjf7;eKb9M6(#N16W zO%33$-(tP9zF6&YODvgS z8b!chzARRPtn#q}_l_A>f=Yey!k!$kng80O9xQvUN6%ATBkB0A*DE;|Xoi^~)e; zJ`aZ0sj?dsN!Z~V8(?(h)^%Hp->#ZE9gQ-Ob2@Gi!ySmWKTY2JzF02(FK@Go&M{+8 zx^R?MoRXFqPQB6~)OXGD2)WmI2ZF7qA+fcV(iWJOuPX1hY3N?*w6*J877c$P#$>`_ zGL{ckSM?Wi1ZpYl`5n{(pv&%PnI9S4VjS}CrtdxEC0Zzw2<9gPv3r5<+rhH82+tFH zn$&|4M35livGM6q?KKWfSoKIb4Wv=oYer${D-rtX>gx5E2l^pqZ17Og#v*&&zu~dP zJJ!!C3luffevK)q*E61dc~Y!bu-Z1+6f1Q<4)z8p<+#{(6I<6Cp@V8I|wr%Ai{LBc7^(}{= zs_+vn#+`f3`yekpG%I)M4(9|NL+W3K_TtKV&7&aLk?wi=jdNnI) zBDovu6$pM*a08felEWw(Z_$S`M5lCVZt}8cG+#DA9FilZgc^`6yz=w!$M4e))##r& zarNMJkFqK!yrVgo8yzH!($)YN4GUIpU9}AC9|j!%>TmwgnQDN4)IC3rcPW01th7)Z z0k1e41i!mrJVKYP1a%y~`lWdjfeB_?M$F4b&UYDH@w-a->5o7MNmg2TOoRrXj?CZO z)zplTl%|dGhKI!&Mo9&stRgWZJ({^K5%(i8-{{w#{?r_?2p@QE#Vw4(Qi*=6@1vg zE$OreNQC;hqs2FnnzCQ}*5m?|4>{XmySK;JH`utfe>=ICySbk`x~IFk z>;L#8fw#NAJG{rcyw5wm*So#nJHF?;zVG|I6Q`3M=ekdMbn_a(2fU6Ce5DnTalf8HiRlC4D zO~PlqQr3A>bUIB`I)2!^5hV~>=zLQc`Aw7nkjMCsbNQ7hLY*Hu&&Lch01=^gJ8ql2 zZlOF{r~@Tj!`8%sGmC~O)cFP~1pp(lL-D8lFidFk`~>C=3lAGwQ@ z{y)q>(qj`J-2UOyMBHn8O^CP=Bz=eTex0X&(mOp(l)&24g!1Ef3GjZO3%~WV{_gkw zKb(1;pMlUxc(1$%0 zI6Xkjpz?1*u73o-Ts0@TSP~bs>2OG|qc#x0AjNcai%k>cB!2%Xf{yXz9 zB}b1P35q%>6Jx=WDm_xsIN^**g9QwN%;*v%!+*#|T6}mW=gyx0fF}L-?f+&~t5>mR z)w-2y*Q{yMcojR=>MR;sDFLytmTgt zl2Vhh-mJPH$QgX7k`+Fjc=3{8jVHfqR_i@VQ{YaCGo5;M>({YYC-FAL6lYc=OUCTl z^eUyy(O?;l#?rIEM?-s}U_Q@y!%g+)BuUG9##f31+Yjq|D6g3$qE3 zGBOuK3p+!w@Fnn5zdZYm)(g-Sw3Jd!rGR8c~2a!9fQC=w6Qi%M9~ zq=Qmr)m5GdBJ|ONJe{mET60-RRXUMHcFttQvU99^?t$~JBZ%g_n+^)jy_9k<+I+xjZHCz_nt(=|L-h1)QSKod0mH(GtjOzVY;DHG)*x-Bp z6*%C78E)9&hatWx;eQv7*y4*Z&N$AA`K?&vk3kMuWUDyd*W-~#zZclE8uC~O^zKJ)k(v;MpfQM^7b$$c#WNCb@qNtI?oA78Ey}{!udFbQcE#~}@kPJr%GY+) zll%cnR`wASMyMbjgE;S1R4GC7NHW0c5o!hi098s7D47M8&wU;8Tfv+r3f%#KguEjm z0DQ-yte7fHG;$$to&uC_kYt7s@km7~Gy$5>1Xz4g%?zIMnBL4^}lPwT37wRCS64c=gLT=$bgft`@ zlz@RilF$HKP+?VOFay0{h&?t^Q=86En8TE^ORpJFU_|x3(HSN(&Z|+YC{@Y03Ix%a#HTzp+9mj|wafsu5+^{sRhwXxw~u2N-~4HI%b(rtcT-313OYlrL7i$iW8an*xMXL5%D1<;>rj<)!9)ow`A*O z4I!q-_B^0rpB zTGb4!q}xOGwld=B$*ES$Dcd9}dwio*PnHQy$xJV>Z95-LR299+RQD!un?Mr@r$FEq zFqi6il@VXHz*`!3SnHk41U0fL+y7uNzPdbBa$1Wl+`$%3iV!PVjia~~3MWJ6Y%o?7 zJiDx@Yh9^v&q=0cm2jC8D;pMz>&B94ZC_t$2thUGc$C948gO7->?Q zER78oV>rzi$36D(zjXX29{-rgMeZBJhHPXdFPTF@K2egH9Azn!#mOIn@|3Zh<*QVg zLs!=Fm$l604SCr(%fL!L%nW8VgG|gIIt#zP5P~0^qblcsK?uIEW<6u9&B`G&apEjz zI%CAnA;5Ep(d88z@0rnC{vg5rJe+(4dd>$a^r5pdx55Z>D~`*`8JTs4r~InXD(iD{ zA}#4382ShKxOAS~2Ak))>Hl!S@$};+7rE8us9fht7q}`+#9miL#HEJuqX(Ais(=C% z%Rul|&arAaOZyAYZV_x`ViWjCrZw)f$q>^AtXHiTzujXm1Wl5>w2Fr+0R#>(1xxy>M*0cE?p5rhCL=pOxis@4DpPj6~&gE z;uFaV1tuQ}$x#H86pRzZjf}l_!A@}3Z9&;OARX&byN|NjeJ(2e;h2W_u4mj%=<8Mhy+pHifAe<;-})0zaG5_)jUy4K;9 z^5UEf&C787;~^h;$v^%JVh{LDCT(aKVDT;4QUH1l?*XZtW0{i8wl6gVDy61D#o^iK*dhIgGxC$wabGH}G%5lov z!lJKnvzsgYIrmU!h&OwQWh^P?eqV|wjOH;!ZRZ9q=hAHd3{Y8i&t(4ZUgAsuZ(gaiG?Vj0kG;0lle zJ#a%TkSs9p1OG|z*pO@iOE3kOCIMXr1y%3`Q6>b(VgzBZ2JJ-#o5clfa0f322fcy@ zc`yj!#0R@#VOHS@kT40Aa0!{P37zl>ov;fwPzY_12)SZm2w@RYVGFsi3%&3Q!7vQP z5Ddvc8b(ZH7EM5CO#i&%;;teM--N{Why`tC0kd!n@h}hd@C(cEYr>}lGE75|A#YA3 zZTR4>;Dyxo<<^EHl&D~8L`|c%f(pJzB*a8ma)eSuOF68NUhGf{_b?Pikq^!ADjo3=6C0hy$`X*>b=+W(d#Z-=kL0%3VaU%3eDu9TuYO2ZT&}TmJ8c|XYv#}~*5m25&H?D-Y z+Kob<;u)8Tv9@UZFk)&r>aU*2NCd+O>Mry!B!RkRnZ(HHBF7d#he#Huh`gvLut+9^ zBI15SAsB+9*ofr3L=-v>CUnvz0Yz@G={#=8q7XtI2O^7Z1+YL31WU4MPBJCwG7ML8 z`u{j1I2dC|TthYX@>YJgI*uNqFFG-~@Npmg1B&AqNbZYW2E8~_#!6O#4F%|2jzzNi(;^!ixN;s+|zvx!% zjyw`*G-+g{PE)2*vn(MBJ@kk&{-f$n#WrY4E#Yz+tD+itlQ(^HHQGiI?B*rO(tLI! z^caP--s2<~3$)6Ult6+xRj)Fth2eC~Dni0a5a*C6B&c-6Iv;{2uxPJ5!ss~dfB#NG zuoy=w!ZV^^0~uN@+YX25U=o{rgqtul!vw=v=*T=3>KNzKXms;F>oPxAV^9iXjJlC8 ze?@#mMI!to;k-mwf~&r6f)W>nIirsX;Ao@7hcDi8Nkt|4sOM7{#X4<6-l9>uLZzin z>bgixG&h1$+K2k+t6Zq>Msp-m5~X?~V_Rx5Gx8=-?B-N3QyO`c8bQ%Vf3y^{A{h^l z(|)nTwt^S6#Xf@RbGQOh?~f}KOb#c^D~geExS~^sV^O<8Q>hF$Z>L8M6(xaGLm2U1 z2$2f$jXrO}K2udy5%oma5LSDv6SV>h3$<3SaaDD-1bH$?)Eb3uW z1%^~1Vk_WqSm#hyOM+IB6&r6gRJ_kC0Iy(1@+$O*z9P|Dh00X>2vxUr4_8$oZm%KE zz;vb}Ta3U6a$!f};|zERdZJN4z7=3Olp*qUYA)jEc*rsG^~T-*n z(D8drMMg*hBPdEI2Erle5hBC`iXK8}FJ*rw^(1B}A~qCOHU%&X#6P~lN}eQ3UNf3P z$$WD5ps0yyD~u0lRT25m*$ou24x^{_A)ZoK=jH$Q5SM0v`J?GM_OVp{}eOOG9oiy?66a3DlqH^X@tLKK23FdoD<(2*lvH%Mt>gZ~?Xc9ldCWCDwjK`Up- zicoKg27>6~moF%^erv)(8W@Re4=RGnHj`If(@6&}Modq>1`#~oLsXtoQ|P8Lrb1K%q9;t{cp~u|u-G7~_$X8gGYo?-f_R95 z#WC!rFglX_`nM#25MA-uE9w|vd^nH&I9c}iAny2&3Ari)`5y+kkQMnK4mpt*nUEW~ zj~{uGZxdT7`I0%2hlxs(F}ahsB9c8hlq-2qMY)t~N0VKPlTF!_8yN(^;+0`JmSuUC zX}Okd`Id1xmvwoUdAXN;`Imt?n1y+miMg1KnFdf9SsM6Z4ve{(o%xxeIhv(;nyI;( Nt=X2lfnfpy06QRbT(tlI literal 0 HcmV?d00001 diff --git a/windows/keep-secure/images/wfas-domainnag.gif b/windows/keep-secure/images/wfas-domainnag.gif new file mode 100644 index 0000000000000000000000000000000000000000..9e35fbc193b37fb4f3e85155e26f08ad2fe20b14 GIT binary patch literal 17902 zcmWh!c{J4D8~)5j%&A7}iVd4weZ ztha=O1b{2W;36b&I#Bg;gjP91ryQeGj>1=9@Z~x>Iv9Kf!l(v^Ct!?fgpIQBcs##R z1r8t2Z&o8=R*E6C2wOF2S$SivYOsVFCICnf>SYM^3J!$?0ztu{Ny4QC??A@6G|9NP z0RBuS24mzNqwZeg;^KmHZwDe~&D`_Uy<4=rTXeiz)cw1>y}fn(TXcde@cu0k?%sr8 zvQ}shG=a$L>(_N`)?2oas}!SOCJ#bz-*gqY5}V1GhLwuJ* zd=F5{Wa{X+#CN$QbXg^jc_&vO%9#Z6KhWi!+{07O^iS?_$eMJ|>d`7>24^+-XAO|a zWNZ!7y>LDvZy+zLJf?7@g&gW%x)@Q~l~6oVTwI(`I+k2I=3T*zsF>YPmWZzy+ajwk zXX%j3$Bf#U5jE@Nipji+$@u!kii(Qjny$i{$@r$NZ+f!dr-ZG!nxt`U|Y-wpJZ=dgMX^I(OW_2CZw9mJ+cNTW-)O0S^ zch2VZ95r>0wRDcucP*FpFl%}io4OX;yGCky*2!bcuCA`qfur(){fdFDrk>^E5oY-S zv!!Rby=Sp>j9EU$tQlbz&oVnl)+;8NT_fuUU3oQ=%+9f`uCeu=vGw{{X3HdVY;26# z+1WJ9tek=d>GMdsM-*8J?`$ox+GGP7%u*|T`m zv&fvB-R< z^NZ{IlUvNi^@H{G^|2l1;?@Ckd1P_xXmN|Vymhd=bu_=jT;Doa++i;N13L%nJ4cKA z{{VAq=U{8+h`IG|gQN9*=JEk^YoEEZf3&~9zjJW3bHHTo@9ZBO?H@1?4w(B#%!4E5 z(Z6K=KM+jd*NZcTG-`J$f?LjQh*r^?ff2VTGi$Ew&*4`SgdRMu8Z5vXW(%9QR1e>f zv8&%M$x9x%jq@ETGk;S1xz zGmo5~Tr&O@{pd}-{mX0-%l44BO#xGXQIFai7oHMrD)TH)ODuH8ecNeJ6HgPUF4L;0 zHhnDq;-zdM@ngMR_~NsCam$0b+fxk!?D;U0VgJ3Cy>dcCU!78=)ycZeNWtBSuX<|l zwiHY>eN9BV%R17QQnsH67>QD%-@W_qo2OD6bCRw3F84+fJ@EVA!L^p}Nv&t^yw!DG zeK#F!lgd1G|5gsMAVBqW5Vd51r2Qn;FvBzBhXP=>JWlP3yOngnTs`r@(`?mrT%ok) zG@BSCSCft^!xp-DGY>T^MPhQli^Th84Svk*>DaI}?;6p6oTRe>&% zQ*@M5K)YC$VYb#P#Z?oBhn&0m#`%VaBI~Czi^kb`&ydQvd!_H2OV@7QU;8zm7`)?L zN6r2dRcp2xd?;1!Jj}XTZR8zLnlIVDd6G*FMRO+J24Q?F#9BU`QhgM`ybP-3^F|F@Bz$CMt1FiKgcz~wtJqB2|D`sY-h2WKv^=T~CLq|RfWNEjN2q3(|; zJl&3bg_vXX2~eK*6gWOX(dx`nj?w}gPv$60b{_>mh6SwWNc2~VYF@olHW|qSCkT2k z)TiVJb<`x@nvt<32C-=XXZJ3iyx>kENgVtmeF-=XG;i~?jM*Tgz_%9NW2$NZDb z9`x=boA#+a$k@jW%POtqjGx~oG`og4)7gb^FF?ErI=wt85#w8uVtX_CHjrIexoTnn z!fDmN=LI6*ox(wg10yym?Pt@|QBEjC(ay_|Kk~5UwcaL4JWsW=)plfm^z_%`Z?6U` z+0-XVQ)7A)hpKJt&!1T7b4L-Qr*nTdJ5rM_1X!#plx^^Xf0vT~R8wBHW$}J#d&0B- zVq>(scSe4J&Vy}czs`>q?962O&NoDdsXpfGbQadDynyJ^P(+YR_z5lQfFEt$l3{x) zsruVFm5aN^_8@FB-zsooOwvo#2>Ijx6`JDVhg{kmt&`%!GGTLwh8qD2hb~CGr zNQGW1EWSu`wFK?-`Njo=^UUoeqF7?BWkpPD%FE*y6vJbZ5$1Uy*?!4aSlhlI{bp$3 zH@#wh&)0aIXn6Yh1GLA1=W)qB%zbw4WsRb)=uO8dil}uekghT>CyvK){Ot zDn7lssy1jo_Ni3t&LKwpRUNh~F4!*U-6)%E9ENVNu_D;F>v!hoFmv3tEGjc<iFXVHHjn8e76e412v0@q+fy0qoQz_YkNiuA z#>P&awm#JmJ~jKduyyK)`wKfiWaum5&I~}Fx+2)-^^o8+&qg%zMaowJ5{WTW1#8m^ z)eIRB|89CT!7$$N^(EuW`s_X)?69Y_O;i0#XA5tw3w*bKdt$xUJaqPFcATi=4F`v~e(Z-`R?0Kyz?4|H*5Ba#fL7UkTRSZZAxj2!$?8;06fRqQpVW8){- zNmnDh5D)+heAO_LP0MllaqmRe*Dnnqxkny`I^eE@@+LyoME>dP4p9$8=VIKtH#5nZvhuRf*=?exeWJ;tPms#iv8o);4>D zK9tEx!D^RSGD>AP%;Z_}3vfhlGwnic>?K6czq!x$3R~wWVx(sul1rU=%^;Fpj&|-+FeOL+UjEi)Mu0!NvTi z&r9DRi9_E08s}gC_p^AX(yyulO3+u&RQZ}BR2JW_HE`>8htkE=)(?14I{wx5_0)^+ z7TR{xx$PanA)3bn63HDlxMp=|Zso)Yrp-6}0LO2PYv=-bq4MP>=%zf-X zOk@4dktcG!Sl-S1m&p~xddykB_b1<7Pe$BM#NjUoPb99jkVGa(a(1lWP9*C%x#>N13r&ZN7+t8BtZu1NoAf8}f}mk#Z~0X;S8`L!U(k0YUPzj7v9sLbfbqPxuB} z!N%W?%l=bvf24s9J^pYaPnt% zw@hw}GtW1|8KEWiTCM!=hlb4RTjpbX= zlKqp;D#y(V4WxKw!p~qKz64|u9ty_;Qk23!H&NbHRh2=5&l{YZ1L%Za$P~WNE)%W* zc%1wX0G(#BOa*x`G05M3$W6i-$z5J{R@u#gFa(yPqa&sW1Gf->$KeYqun;*lmTx%p zwh8DV7QIeDOSShSPY0 zD+}VwIDn~XQWm9HeHjq`CDo)<7Y6wq>epGfDN$y}zXQ|*Ns$SfFjeer<F=tcI_Xp%3v%q4Ef-XA1Z;AN3rMoMuZ)lL98vIkG(khsB9KTcupw#?-F`}08{XV zNV4+Q*AzkVEMqwP3L?v`dQ~|B;?C9`*BK;(!7=E?5_=P}@Yaeks}oNRj+YL8&HZT9 zF4%Xg+;SHf$HF-oU~LA={!;Br!3NoRn-vB@Pqy?=CeLFm0f|HY0UE>lO{yf&e~GAI z-X^6H`Lo$vr!#;}Ml+8?laV&d2Eg%2Hr$QZ7Yo221-!$)*@k-~*jN9wp4v~)?lxtx2Yv2qDGT{cu zvD3!>k*bqC??N%Vx7U3IUy$eS3qIzqswV|q-f6?2qm@hnAx5L=o_(a{(?2{&8|-Zz z3dbm}^Wsmo70hM1RM45 zQXqfqUpW4@p1`XnY8sNMB-`qlh zuL``4%^&FXVF#u5Pc#n0aMB>dL=qRh`M+_ z=kV3`7XEy@ry;;1xO=g*J=jLmC4TqK$nz(@jZ00J4RoM<4NEp`_ zeRB$glJhNFxe1X=js1JwMGEFwClz`X<_9fLErwm1{}il6^)4*;dGgcHML{pCf7P3vtpfvW&@mV7PnzNdHpZ>4V*ffwH;Co!} z`q0nq5N8*yUL420A>?D}-CU{O&!yj9u4bb% zbSD}daPiA4?Ekq?*ru?)3YZlhWA<&$=H+c7ou;1U#Zgy>WD*0~umtD;2 z3wEBpJm4F4jlqrVQh@I+m{25Lc=`NC|9G@XdP1#Z4m6w$q}&Jtm*N4h20jaNhEeY3 zI@>vxuQ=2J6*cDdDXz<55MSi;h3LxzImT~_#c@mmx{X-&?6D0V%q(<=TTPv%c*CmC z8py)sg+iS!W_u6x>*yTTJaxE|PJut?b<(?ivE!+Zkrj+s<5n?^oS>F0Dt<2bIjw6o zlppY)aBpJnZ{oYZ(Ivqw5aMgEb1Frrm=un&XqJN8n@Yd%m(K&7 zOM3|ia33t}TP<>vroQ)(2WofbA(ee72o=w++eSlYVeOQe#!K4p5r&m7Rn^FA>I_q- za|vmA1EhC+IgAQtxx${r0!cWhD%XpavnioOJLsf-hl{v?_nj}K)1TOG z+|v~f5A-Cy0NCWF>P#k-(KY}RzisXLb4#ey^SiZzfJFtZjEBaqB4Uy8e#omX*J<}h z4TGcDZpF+qsM>4nuh-GIFY4w?kkXNHaTMGIZ839l?@yW=f#N+Fh;TnL48a~6vT&$P zFTONEWP1^(N%k*Gc>e4=IeMXKr+(jL&f}QMa?B^}5iju`*gReqm(1KieLnxrH+=?A zJ@;p(o}ci)Lw1q%8s+uBo4^g4y6m6fN!-hHL3y5ER!>K%@U?yC zsIpXnv;2K9*b|yFts4menf29qT!?FMjL7smS=2lVlNLJAJEON<3I=Xge_IeTuuc@y z5`yxjO)Ap|tA8!mY;)M>RG;DLG`?$VwKpgXl1|y_xKE`%=8-{pi5J-F_^ohqiU>CI zs8Z*GdpShJd^5|1xh!5}w+fH}*x|208ie(#iD#_V&z)(h(YVx&au zZ~YCv#?!0@pI*ggrkY*MrvG_Fks1vZI~7q&kbx+x+MYf$@_pvEhuM!FD~RGd@(DFV zQQ~A^PV__5ig;%9yFw7y);qqY-(q)Qjq);4;kF=aT&SgL_br5=I!ftR!wsejCF879 zWO0hYe)2$BP~F^su)`%4>HBI89!uGu;zFOgQ$O;~FHWP9#hel}@LQtel*kO!`^G0)Z3Zu|q6p}>at{}jHoyF}jUd)Q7#pU7p)nuf_x6NsjfE1CZ^J%i ztM9h)u$M$>qvKDpUPX8gm)Ns?J2^ZP&pGjpfvMcgITlOwS;~)kk5wsgD0RkSGcP-5 zcs^2cU$AXIwBF3npEJMu`&InaLRQcs4iz6H?pSk3)>#7Km&$ujp@zDR@x|PS_6%FA zSBCq-liW;%Og2ha1)q*wdo+YX%6>)SE0n|vR54i8`YUUG1S9QdW1lya!~$7)YM4hd zWPv)rPrJqYGWt3RsGYyBe?Faq{Jr<0peP{7$4NHk*(G&qW$0#t*slp2oD|B$qM!QY z>tjeroJ4NhDvu~HSK(EK ze%S>;_0ZkW+uUBPO}mnmG%Asu$fQ)L==e%R~N&Cen z4BuskUMvgLl})w@S29HW-u@&Q@XaRvmRLE&T3YK3eLPM{z5GemeRaPfh#TLk-(xHu zwccLj`F9DV$mqtkUC2`s6laqrNU7a5=Z)vtKux&i7*y^(%k8-2@ZfWrw2nS&<*j9I zqdzN>nOC!Hty1dlmq=VlwU{<;y1`{GSub_xX!<-Mrv7G$k!-`!pqXFHqno=%PFZ)@ z2#$0PANNZluPtU;ZD;C?*dN)-c2Bq1_Hf>t6IH<{7v*!U`fYGORIZr=qeDJcGiAvp z8b!l7w+Ga7)rwj5xK!a~xB8->8>Sm_T*%vmZ_(Kli2#3FBk*^8TmQp;6`md`w|m}89$Sw8~mbCB^g1bHSokP zNAVG72KYIfP_qn_pR6k&g}{Q7R%4&CcDUDvg5Bm44J%@rE-2BWF^#>NyDk~d|PDD25=1 zi1RgE#I;LC=9TKZET7n9QTRLgB_$-fTHu%e3BrXi0{qQ%uohX>;|}@CQ$ewN4@;;a z4$5pUh&M6j-A%l3Wf`d860ZtNv$CS!d%voz`QpqI{Om6?JxQg~=t6XzRF(h77F z0Xpoq%RN>t5tIIP{RvPIY|l5Nc;D=z-vL#UK5t_~c+R zYsA)J*s72G=J5&d^3~rYlE^P!p)`-4NR#;DJnRJXDY$dIBF=io#$uWCMlQ-oLR;3% zplF}+V6lePMDF4Q7KQZe~=AeC8c;~r#JK8T8x37>ortF2G6(7z@o6XPSD z82LbB7nzQf2~UyXQ}52|Oc83WOTStta8o8*?18P9O!TsTtScmo>w!drv{ZF>W@ood zNS$n%K5HEieknD{i%dL%r~8nTf*|2Xuq$TL%qxfK3EHVRw^UU>8S$kIHMi80*LzO2 zb{}0#F&;|!Ee?;zoh?ausJnryCV7 zOTY1c-}CH8U2?`=I>z2cat`kvJ<%R;vNGv7GI~*I+*Fxn<(&R$fvkQE*IYFTkIo1? zP7m+MxW;c9sXiDEq^bdfVQw%k3dsxs^NQ|&29|H`1cc(?_H`+eq|`7PS>X_8pp&ew z1$Uau*Aqn}5YK5tcLL621X1(Z5xGou9ZKjUrCdU%xnJkbRRp<6tIm>Sepfq(AqGREq%?=3Ji}X!3GxaQM$%gDe z&i&db1f@?CZkNd=Kb);KeABA(sVE{5S1BR=#WvLO1y%x0fd+HY%;Ud3skHd})5f_&x#=qN-|M0UpMQwe1J@uUt+Xu>MDZ&y=06t}t z4Zbr~98+ndofXz)+%N6TIWayI;=R_Yw%X}?EXkY*gkizkU zfo7S&@J?__PH?e+6+1{^3c$^Bfj43NFT*-`Vx*8do~hsd+bXE6v01VwdG5|qMvBBr%4 zYeKX10#nc-Q(_1nx;s%yfyc+$fjIM{mf(q6>3pguV6>ErS`WOB^@r7 zX83yY{15@OYdf0Ff)xi$oLN=#RMm>d-z`~_`B@Ubu8B~87A0MQKg~- z$96MDY+E7Evt>@G2iaQbOl!)poVDu7qC!j)8gEovIa(t^)TBYh9yXC(RDhv57Az{!%-K)Pg@!${7dBd3DBySoHa zIs{@;j?l*d*to`p=bE{3=Pd3z`M%B%+(1YDmm0qdkEf)25*?|(SweUJy>Y6;QpTk_ zn9w@-<(fC-n3*SLBVDZs)Dp*CPr%B`y-Sn$;x6!tyNU0 zvlfx%)T#u;dAE-D4vmX{-Y?~;K9m5SH@uns1NV}F%F~knTF-uJO;*E_cVDnvRyo1R zpB8xtzea+&m)O}cSb``S5Jik>?)hVl=i4~#N1wI9CGQXQp*3re=$ZGm{R)THZofiX ze#v&!_b;^%!{p~U9NNI1bs0%!E}@tOkz261lBJ|NxM!Ugi~r1ta~IYqs7wW@oknoee(K1}&%M3R#6Q97rU zXx1_J!>i+_=1<*^e|O*W#J1+zWh$;O=Xa8EL2RESSGl}acK@uT{)YQMo5)1yS4!Rj ze-Y8XhcNfRW?@Kzb92jCo~Cx`6|0&j{;tfvU@_BzoZR?e&#|Po0cj9kDe>*zgpY_Pt=Qcar`YwtFvdOIoKhG5jD#i^ zP416$nA8R!b-3oPMD|!*5Bux?m~;J&>S+E8gkNl{Y*a-+`g+{0z&Ee+UaTeucOV43 zCUZs8lYlf1ASnDV{32f<53s=jq$MqNMmaX#xc!y{6m- zgww--fL|<0=Yk?n1||Q7hu}6+Ygx$Yi1d38_r*wF?t!38)sh3d3j-Tvnm)mrIpY?~ zx1aM}hY^y988{)w$lR3XD{uoZ5EMy!E>@X z{31wt1_d-%b1o=(hn(024?BOkIzJOk+A5vYWKvjpshd*V4SBD&8V@e>?`#z<@lVxf z3LOOp$OhH^T}ukO+^@9Raqn}$qzo9B{A}#9|6<*2+s4cF?NIiRA~S?*TPA_=&}6Zw zFY)t0;^)EikeQa6*_LgYYoVVvK99A32@1Ob7PV*QAWrmf2uyPXJw116Hvck)pg3#b zmPh|AGI^Mv5n5h0#a;-Co@@~vd4I=RV#PxegI%+7ox63KV@MwVd5_Fm5^ za>vq2-p!7QDA+4mL%$ap$TYbF{0Ye z?WEW)*9kx@NfGDHef&N|_30N$Cj3#db9N>~iM8+j3(_56`W`> z(eWtQ6Llf_k{&#IjPHBt!?A3l^#{Hij?U3qp23B)dn~a6+8Ye842h!#a?+;}I~c9& zq}Us}TeSDx=I3R7J=T`4%>HMAKKe0^@C_4YhJtM@DL*=Nb7sHc$KijMO2;yle>Q!T z%sKxx#tVILLOP3`<8yW$(OHE%E-p4e4{o=V6KJ}Tgw4o6jPK1lj~i_Rj6ur;055f*CP+bTFtc zHhR6}4B{}{^jDcuTu<-VEpnz%WQXD=%b)aUr`rez5?l6HQgNafD`xzfo=EoRl1Bcc zdr6J=pMK!=yt<)un51=-_5e}w2OKb0bmajHemC6wL8jmM@8W~kwut!K0U{1&8OkaF z6(@k!E1{P^ey)*^7<` z*lV!Rjgm?pAq31&P*^Oovd480f$8}1RdTdMHE=RFe%6M=)dSn|ElDs4CWJ83!efWZ8~-(r>MtE^+xsRUgejTrRH`ti77rmx z67)(qjsPS1U`%Bpq*F`*QqKV0tWQX}vL=9x&#Kf5w`dCarMgZvR7pzK36m3l>{;?c zv5{b#-Vn9__FFIBxHXEgUt?Q%zp zkZuZ_y?O3Kl#*?OX5K;w(B(7GCp84kd@gmeCZU2N9Lf^E6Z<<#^%q-i%7$vb? zA%4$VtNBnY_haD|0TeV>(?Mq7Eigt3&s$2?JHYr76ehRD^WEryQp4-ym@Z*~Xx%aS=2BB|Z+3lW7-BNri{CS@wBqZWxunE9K?!TW3yQ zC}||)waryEV3t*@;2Ib45Wwa{J0h4O%h)zNFJCL;Yok>ldgrd}A}XUhJ*Z!wuKqhn zJV^HC9Hc;rVlai4g+iUPqfXYlRK|2T{;-r&@b;0ucMW;A!Ai|F_GVtSb$^fDg;4F{ z%3XzKqpAWvzigGi-+hNU9$4wqpVU0;=ZXr?yMq$W8H%dc@1%dLQ~G2-#R0P6pMK++ z{NB|92;r$tHW42fo-U)T2`DtPehqH$kD{H}uuq9=Be#5%T|w?R(?=M zOnJKG8sf-Qm^d6r3I5d6Y{awGa*2Ykrq$egYbFLB2M%k_J#^p=DM}a+Lx-1!9$82?!3}#r5cWY zuD4}7^Ks}&FYB4FxtK}2W^c1F7Sn<6Q(1%jG5#Eo>@A~;>RAtkV4=Pk%@V)em=n9X zZU=8axQ^Xav!~p>`${oxm;O%Wx3~?TbV={i4+r^Slu77ucE|FIS95^@c22om;sXgd zj*?*Czmo#|(SQGYE0L3U&7jYyhfBYXn-sbLEVCc!u#wTB8D(6^iC~e~nd}Z#Q+XxFB{z z&1)xi@Y&A@g6iIl+}(N~4e+}P{#y&4%zJS9#+Pn^_AL5B*n{lgOv!ZAs>hT9PJe%R zEQPi2^~UUAS8WU}(*ShxiZEQI9+v|YYu%jXku1n{p<<4|o%(JPo1$R9!uRsOa@htI zVen1M(+^*Lm-0#i`t~ms_DEnJ5@2$qd^|@Y-SD z6UKP^JpMw?J(RF!+=z~*MPGi`ewDGP3@E>F@*ze}o(@Piox-(`s{QKObT01E;-(Fs;1i@vY>9I#m<0FF zo{F`|2t*njc~-&a!-F|$Tp=i=OhJHX6$iTH@vgnp?-_MNm5jIHn1SSF_K^N*CX zpq)kWrW8Zj{xqAE+n4a-wHlDnUeg#@`hmJ+LgL0!OcU*niY!X z=Vl31)=Kn)@`Ft()mNTpF1`Li3Va1af^QNAQevtCnP7z_68X| zeaVV%Y2K#|lOFCxFYsN^di&y{W<-K7ND^>LsPNG-+iuW-5`p4XOC7siKc(~&g3t4YVfqUh{RgqO?|P7JQ_-zn|7?#Mg$>qIDc}0L%#AGi@0O|BIA4)X)3xBFDugyeYrxc-UC@`)^)O-SQq2nzW3r-I|xDm%n_6 z-E#Jh`)@C0;fW8~w-qAT`r)QrW(50n9)ssB?{&UD49xwU`~t1)a&FJ~!^n#K&Ua&T z4v^VmmC6vXErjn?IZ|Q&Y+A}cZ8oSw>Pgah52hF&PQ0H-%}$8|+JK>^pWz(uhmB^> z-;(#s)mbfvl39Ns#NG72H^b3G`s%w7Ei;JvM$dF9SqYP>?$)cd1d(y>-j#Ia2zn1{ zFO${k73KlY{o)h6-mMpR3S_o)bb;F9!dzlG#|sKtsy)_6AM?+tkl3#$3m^7m6NLLO zq^gH}*xxEa*s6RZSU=_c()$&C19mPkzr}Kp#`n91wjxHIT<36=3j4S9J*w|X z`1wC{V z2GsEo6y2JGWX}PdIEJXA@K)3Mi06F@UTaoqbb#1nNz`}fO0ye)N^7mzr31Q*KAE69 z%kM-99_bbyCc24$g{0(JO=}T#z=~*akppiX39EB)LjJr=J^z z+(~wtU)KXZg`Qhis9y8CCFvOXAnd>>B3&v{DW7nT9q094fMmFa|MX>aRgVZhL8@`q zT(k2C^if*(?}3I5^u^0b`5&w)Y)g?Yt=nI!wW^kW(I~Ci{$PUrREX8dgiCn|Jy0%a zV2FW~RnVG4k5t@ZAcPQrsPl(}_#;pcytRX@@Ef&RwP}3D!I6VH5+Y!u9?O8bbWL_K zY;E{o!w^B{x{uE%6c&^<))%k3p2f8p8VQk3leALbOic+$o2`p`w{Zn;P`n3d&lMG% zvosR}CvlL9xE=@jqnU<^lI^t5W z4RP}dHC6o_i-H8iDnB?l%@6m_q&f|%@sO(xsILu^dk`yE>nc~HnHuP`nJc*U75YZ# zx;uYv?+^X0i)pJ!D^kOlT;ptg!nVyzVP-1Q+zdky9GU^ZWJl#gZd zuiu=K;_uhJLVowys|~c{M(59eu^Pn_d!%wB_3!+JaPfq`7b|~r?(!nIe~!anbaV-h zXBwQ9F&qkz`8Wdg-VeTiRVJ6K);YF@6506Pr0MB-rTa_bQZgUyM!R*aQkN_g=fn(s zo9dj?@qs;Q_cbNOyaKYDg8EyOUUu$qy00ptu>b725=*J8y7h*MVVv*3z+{ze?8AOv zn4e++$!w&q{@UOs=XmjIx<0NZl_#ULS^Nf31+BplCrSO&Ghu{hCKJaOZ?sgGyFX%-tgJUxE{`g!nR z?bcom{@&}_eu^@^8oRxk|706cJU0*DYrd`3#c+6q;i;jpat(da5QyGC&C7`S<;wQjSBuGk8K8CPf`l!4C=Cnyu%H8YxVW@WqmdF)F zKY_BScMH?~|MWCZjzpOH8;TAseKP+jTAQLQoN5(UA(PsxHI$~DCMvjHCb)2l_j@ud zikL&+Kkpn#d<~H;OXi&e%tw4g9f<q8E8{ftI^Avx_O6_}p7k!h=ujk>W@ ztFfoLNnoo>I8Tj0j+W2MB9Z^8n)7Hw#piIr`zoGe%MHC-0NuAFlckQLb2Z& zRsiUiJ=&appLcu(O+2|7a7RC7R{nGe=tQ)X>a?GT^C!!V zKFgY_>aiDR+b@lSL*yTZeQS@(f&1zyh#hLUv~NUzZVPyHfRa%Pz2+Zz;`AN4*kHZW z@t!7oJ)!qg{Oz(O#UwWUZ?E-e`V+@Uewypn$b&3R`o~+RlLj+)iX?s6f|JmPzungC z&nYEKccdt5rJn9c)zeDuZB4V$B0F`EpFz`}jmw*Pn_lV2NYcto(t>!!rOS`W&*9@2 zNE)}}mdoO@A8X~D&C9v*G+hODzUl;m(*&hj25oWzH$)~q{4RJ{`J0n@mdD60 z?1DS+#66t3lcPYBqX3oPIajNtZ1%)}?gZC%dQMpOEYQQA&Vuf;2%;xCoG&_zu)-Rw zfgU)zPTT{fOL+%adQNnufYxM_;-{hiIh1ncOSCIl|AV_WZcMOgP2MCo)a2C)ddfC{ z)w1bL{_ZT)0i0S!s;fGT#JNnk!#CW+J$wVXi#xeLI=FuWx}X31Kajhtzxu1k`lHhX zHq`p9UwTdGx`}Rj2yC~sTP0*NWw8G{GMwnbnx((HsCH83imvD^v?xbGmcsAOzAx3h@1!^AGUy1K)=J1oPix4}QWJ1hKy9=!U>!#m8wydEsWOwfY8qW~@F z#8!uZoXX~I4m(!Psem%(k%j z4*=F4X<@>|cGK;WB0ggZepN!f;yeAJySd{(KC8dT+Eac_#Qog=gUwfZ=F_BLCg_vu zCSlIzR$BI0Lg`fwcc5|tBJ?FaaKqu>re-#2lA37iGpORH<#oO*W;FinV+Q1Zhn>&5 zq~knH^!~liM8T`&kh7>uHWJ!}JQKnS6l4VPmE??PrIa4E(4mSa9 zq=n)p6PiDP2G#gcXi=j_ktS7oGUif~_ilE`$&vq7RBTSMA|;xYYgeydjWz|l5fBqv zB55(1I+iWUt!?4PmCIG^T)TJOg2cO*Z{L!2{RY1KR&Zg%aRDDz?3M6h$B&UFhCJD5 zW6GB?r<9zTGfT^zL5JQPn)JxerBOp3otpK()2(3#ULBkCYudN%&c@Bz_HN%}bswIk z(F{f|L5sKKh9m?%PBSiIEZX~bb-FS!n;CGNV1wZUf_mQw-ed?f-x19+vv9gz>+gYM zzY9!dgF58@iO0{0%fNrb|Di`Z0Fg0+lZ?1AP`r$08DN&-hC>D!dS>AQzy@bQrVj4} zlsFTa6ic!--9H{>G6e~=jf2_zgO zZoA_Ks3@T&U(`+^BDvu2I2VV+&!rJd%<`w;zA8X~FI8kwBqSE{vAgg7d$Az!$jpyN zB=VE40c1j`_|v1h`bX#PV@XQ1Wtym0|`zV3_;a7^;|Gig78D60ac46572)Eg^`;=-9yyZpk}kf z(o2ag*4Sf_P1e{7v}k4{P8txDivbRtv5tpe?M@&%U*yJ07y)!O+i_tGamF+QMbf{Y z4E@zzlDPD0SOJ)Iwxb#BB*=`1X7tl`xP7}*a{x6%fb*X^B9e#`J@W(*zXlLFxYj?_ z%+*X>MeOz6jaQ1dD=+IM30r~;VrU?2p-nO)Gq}r@pcxvl2&03bTbG~>9~v3jXdA*d zB7NE8B4&eMYM0}q3G$dLJM2YzD2<(tx+A5f2FvKGf2A7huCCttP_4bjs_U>z1eLT=2mOFWm6M5l=kvyzNFh8yg^x fT=K~&uiWy>G0$A{%{lMf^Up!IA)CgJ4hR4{3uUAO literal 0 HcmV?d00001 diff --git a/windows/keep-secure/images/wfas-icon-checkbox.gif b/windows/keep-secure/images/wfas-icon-checkbox.gif new file mode 100644 index 0000000000000000000000000000000000000000..5c7dfb0ebcd914f6210f28586eff8c84bedc97e1 GIT binary patch literal 70 zcmZ?wbhEHbJe>?cp*%c1FhEdHKmZU#p%6r+6hx&MM4=c& zr5H$|7)Yf=L_{1&p&U%ANJvOHOkp5QrD03}Bv7FwP^utRvQSV^ELEx~S+Xoys#R50 zFj=lFU9tdi!Yp03L|t_-U9L1;s&!oe1Zn>`U9vP`vN&O~JYlXpVX`!3x?y2q5N-cF zWwJnJsz7D3P-%r_Wo3nF07PlBIBmX2X{tPJzEx?JJZ-{2ZMqnB|441NJaNKIZLWc3 zOl@s#AbI~lb;eb3szi0dB!$XZb(JK2|8a3~P<6VMbpR}V|8;eBU3so~d3jlVzFB?3 zOo7f_eZFCVp*V&A44wa>fdGAdeLRuQ&SfxFh0>*YIL>J_X@$B#mC`_s|6z&Bg@uJg zk@jhgvUQ2FvW)P?i6Ejj~Xk){TvgagoY(k;ZwEzS?~#)_pW_nZ8+} z*4lwIzL@}Jo!*s|m2I8keVNXMnZkjY&S9bdVXE4hnVET^&f<+Ajh(jIiB)l>=FXu2 z@{J6Qq0*tDp>eAJ=9w6crP6h>-hr;#|Cs>Vt^j?q>XoY2d9wd~w%-4p2+E~#rLMZJ zuC9f;;-Rw2owC-Qvf7Ed=7qZQg}&m2y88d6AhNQu=DGm#vJ9cN+Ks~Ewzjs7zW;K$*h-zP`TZvYG$3OrggAp~~v6#^S!h&Y8~t zzQ)r3&H%>7#+lat|H5Ie&j0_yZNARt!p`Q-&d#>d|Gv`ds^0(q&V9bx?#kBc?#{aZ z(v8C2|JvHx#^UnQ-tNxg^8ebM&f@>_+Ro1A^8enY|K6_N=JM9+_TJ|9=H}+s>i^p6 z_V(i1-s=DV=DyzU_U7vL|LVr#?*I1c=H~MH=JNmQ^7iWT|MK$k?(+Zt^4{|H`ttVw z|Mu$g`v3O&|N8p>|Nr*?|NjX80RIUbNU)&6g9sBUT*$DY!-o(fN}RaR+OLZkGiuz( zv7^V2AVZ2A*)bi(lPFWFT*Ufw zUCOkn)2C3QJ~eZ!s@1DlvufSSwX4^!V8d#Cg;c89vuM+*UCS0NRk3j6%AHF$E7`Vq z^XlEpx3AQ({VjFGan&_UhKMbL-yCn;~u6z&qpaO}w~q)4zi&Cp`SP^XJh0CSOjy zaM|eCvujT~eXuTF)#XP2sye=F^X=%vabp0x^tnjE43dBR~iU2oOV6IOeFID+mM`!ZBkEX=8*jT(L=z2pBn^iB;(+K!Z#+ z7=ny~P>8@LKrm_KiRN9$;+SNn*WH$zgdoU}TONbJcp)C+3VjS#MdN$*jR7Q)2)u`Y zD?schCsqP5`JRAyy2s-fMIIA^0GqgZ40u)jX=9Wqidp8SoF3O*l2^zm--~e0SD$_} z>Ib2n`u%C2eDcZvp`##K2{1+^k$?xLjT7{W01$g3Fh&fK4CzV;55~DGYnpcI?6a|T zm*oTzP9R5vZkCGa1gL7bYO0RP0jnHFZgRy06g~+ercr+ArW`x|Dk`3DUTQCa%|fg1 zzL|ArBZXbktL>#%7#V|p6W}?4jAQh9%oVmCL+hjiMhWG;AqaX*q&PDP&wO}c7E%w+jIsNt7c4bZW+H9v}Hrj9>6L#Bl*S*l& zUO{b@AQN-{m8({$t`@jhbK7nB;s4;>RR|uJry*CHOsN&gpHco*;fQC>w&GB~9BHJw z2s>VWTh~(hOvtL#4_bpvqK~UE^61(8?JN7w{Uy8F)=+-2Nc+t;s-5Okd zxRtt1^v+%cv=ahYMxV#!=Ywt(mcXoa)x zfeTy-lM@h<7b!r2v3OXUq8ybL!8BE6O+5PC2+f73D=^Vf(VKt=a})z?9V3B76IO%# z2%kia@IBX>(t9SPBSS)Qj+lgC+&1~bOnS0Y5#%Iw8u-alW+#-QR1PUk$x7#-GL^tt zWh-ad8>gKsNw2F5-!=voLG&3sumD52Mr-z_UC*@-2A>W8U86aFs4`lR}#)q>R*TyY6FS^2tWwc)=aYaWhe%vh038Lw zAP-r-m*F4nwz&B%RW5pp)N?a(}DT)K7aaWJJV&OC7~`q?`fFimKvvQ zxz(*P2$IHJO4Yg&R4lFIs!pGJudiBVdz2e0(Tutk)Gf7qM189>MJ83dI(9VL>=ROD zR7jRaf}#2g0SiL_0I%vtvwxe@T#FXXHqB{vMJg7qhPYH&0rrAKJ)x|sh81G}KK8b4 zk?HoUeh7stOy7WJ_`{pw@Fp(|;u0HV!y-nn zhfU044W}4xByO>ZQT*aK%J{}^tMS=ljN=T`SjU&_v5+H@hCmqk$Vg7Il9$ZnCOf$g zeQ>grr%dH0`ymuV&ay+`@r^Ef`O9DqvzW(B<}!yu64ofQn%B%`GQ&gv%W!7QG&FIK zINSMIbFTB9_gtnt^ZCy#@-v_ZeIP*-`q1bxG@=(B9Yr(x(Z+E!q$j-_NmKgLu(33z zH%%H%bNbVm@ieGMjTnCbgBPsO#4dQj3{tzAF~HD-tYv+TSKAsf-I%qk^>OQ7^F<$^ zm^CkaO>Diyn%2cmHd}JNYh^ndEx^{qu%AtBsl>Y0)y}q4a?NXPds`{`0LHhurVm}4 z``qYGx4PHO?smKT-SCdLyys2tdfWTn_|CV!+0BYS-$T{Y2)MupPVj;o{NM;rxWX6C z@P@}47!8lO#3xSiiWfZ97SFiGH_q{Zv!dU8{`WKvl{AQLa9y=Re=ToWcY z5Xx1~@;kfSKqWtU%Ez>Fe`{joIET5;Y3_5NuP5g+-#LqV9`c{RJm%|}InQfu=bIm0 z=t(Df(~Yhkq(@!pD`I-fogQ?kt4Hcfr+S>N-gT^hUF&1#dV0KmcCf2R>^3L+)yq*~V?*UrDqtqcS)Ti4ju^5bOF3c?s1Vvldde-vi zk&T{pnA;ucxrVMm;g19fUe$MgJ>j==cugdJJBycf;}bOb$iw;Zm5kB4B9$&%n@q#)lyHFn%i%4)#Y&lTZT;*nkfBfDjmg z5;%bjSOgS!ff$&9H4p_0@dY;Ufgl)yA~=F1Sb`?_fkkkFD!76yXajqo5c3cOEjWWT zh=MhEgDcnx3gHYm*n=&|11ac(LTG}{04+6e29S`1O1Okf*o02_gisiTQaFWFsDuWv z5C-4~TDXN=*o9vBg%@Q2S*1A*v>yx5Dr z_=}AQi3uTzwOEYCn2MpOhNXCn%-D>Y$cl9ci_SQW)Yyr)2#CO#joP@4j3|rVXaqqvOXc#g6Njjkw-=-7_Uc#XNZi`+Pm^q7s_co5*|j{4Y%5EQD5Ky_5%{Y|=QI%%t zj957kTDg|`*p+1Rm0?+z-Dr|<>5OPO5Nes1#@Lnu@s@shj&eCBbjgsJzzB-Ti??tK zb~%;-_i+d>$eQAu8u$F-N4}!^zi!hm$SePtwnDux70dN4O2?vch1yk^tcv*`P zFaWX{0eMi2ix2_fSegHDnY6eC15f}3FaS+pm7Cd_zOV(sSpYxKiA^92lh_2qnFqhQ z1-R*n%jt;`@R`Oq0GcS8D?*y|cmO{CAc#I70mX0&jNk)|K!|?;2B>hJj#&(-00!%M zlaMJ8lBtTyIf-sC0B%5ulrRdGI0^#l3z=Do2a1UaYK*$co3c0x15lu&P@9vupq)sd z=UANVXo)FM0GT-o9-y6?SOD573(gq<|LF@N%8A_Ri6nZAEsBZWsUqMxkK!qaAE25( z@Buq|0P-oGKH#H1FrHu_o*!VIHhG`_ke{izpOc83zAy^FSpXg|i38vP!TAHg>7Tw3 z0b9BSDvFznFr{3|pcJW+7HOLU;GC5>rofp3zVHJc5SwF4i7z^(VoIe0aGl4fp_mAv z1zL%*Spfe@2_Ar)P4Jr$Knc+Q>6-UOmiRq(*IHbi80PlI8_W7E$ z=%iNKrNh~!U^)Pw*`ERmrEE$G1)!qSx(I7}oYQKi%IJ)-=>b1*pfBnR1uzO)TA&3` zo6_nF9+0euYONI7jDC8Fb!v$b0H#u^q5$v%iy#Z(`UA@ut}QwMwV4NQ5TH>Su#{M@ zQJSru>H!2g0GUalDFCO}ng`DLqHX}G!wI3?iHiy;k0N=a=NSN*00##k0TK`Z>xr5< zS`0(V2muh5O3I|DXso{fz?~5~iT--ClW46yJFR&zs@z$p^E$8Nc&0y@rkE+GdrAqa zs;SJnvrk&3hkCP`>ZSV1u<+W71i7J<%xbj#`mfr_olshdTcD-P%CiSM zw#8}wQqpoU+u!>a)~(vlKeC)taqfON$Mvw9MF_PHTx$Yo+{ZrGXl{(-^Oo z2)bWOqKmM*v}?CIi?+x518|zKAu6q(`MJ8wyOglInR&KOy9JAo2h&Okph^jHy1Upb zxE+g)BzXWXpqNwt5VHrMnqZ)^aL~B7Ai3iy0j-G&)ONrMCw=(LnAPKS#`2nbT03Yz4e}I}h znhAf9vIlUhtcjy1+nVqjiN_e5vq_;+3Y-v}zdZ}7zv%%(E2h!f88+b2`Uz8Ub$mnGX!7 zzUi;wYNvw#jHL&g0(3j3h@6>ND!km;p>Dgq@o1Nt{E$q1jt1+A7AlTjJdL58!WWvM zZcLPL{I&W@iKDOuc~GDW%DX0NpkE81TX3LT0Hz7byHN_urc4QpdcaZIw;#I8fy$^N zng_$VqJ(S1G>OBTJk5l7xuB`7<#^41naWwY%G&&n(43UgOwH76&EHI!0-Tlve9oq5 zyX-uTg?k`}OU{-Xzwc~{qkPY)=+63ljPYzB^W2EHFr);13rb9nneYL{aKt!i&!{L1 z%Y{jrlB#%e$}E*@?A`j{Mxu#rV(b5zveXvjpt}2F;MU>ay=!kLE0kL2JJ* z>de3YTcHqqju#z^iJAiMx`~5JiBb!lLdnf;>CKoZy*+J-vY^2~&CwcMot(JT2@B5L zJC86+h$(H*?%TLiAOSA$p6~kyjq9=t?E(_;zANpk4c*DK__~YG1PQtYO<=B{NeRq+ zw<(~}aXr@+%D;SFi#Z*OiJS*pAfZh_%%8i<2RgC)+R>wM*tfjP+Z>IjIHyo8uMFGN zoM^N(jftF1)tO9>FsqpBxzaFu)_>pvAHWDjs<`V}tHqEBLiz`cVAjQu)-6qsFD;8w z`>AuhufFY}z8e8}OWd-csXvehb;_@JE8J3y#YelXwfLe^ipc!CryY8%;tIHKaNL6b zoCiBAox+=~s+t0tT8tm<(;O?RQ*EkMDxAT2z{q)}qFSi~0H*HUrKL)xOKquLs;X65 zozknSer(?o?1>_+9wfbpi~s;TysNj(tG`Oxi|ebXi3(HjzC!E+F^k&`x!bWQwKE*2 z!%LmMONsp}wRI}IPny6fn#i&k*!uaIV5`9DI-IWh*tjXRA)KP?db4b**{GP_nYaZ3 ze!$vmw8H5N{mH)t;GB4Sv%}fsO77&(D$D}Pu~iPCpVcKCnr4P)VDn6}$9=hTG3gfXT z<4vlaQv9DWy0a}xw~Wl=o(t5MuHCdq^G)%go?yZ*Cw!w+V zp>E>Gn&_Q9=2gv&XfB9qK8Te|hyfr0sDKKn8QZ(w;X<0*^9bUq*uc`;1V4`GivXcP z-nky!>~$*ZfSt~Kxz4AU$gd2s5L?q~yT#LL={I|zk{;@{$ms(ro9r&2NuJrEuEyA# zneQI&o!X_vtGn>d;<4`NvtGlszKyqj=PNCUX04cV4%>>$s{sH8Lrm;=zShH7j5}+< z1+KZysp=#OsBy}j%K{Le&ROrrdi1b6iTWPu^UAT-{)q{m9t*CB1C7QN@6vj1ipa^|bUVBT?#G!)wgmv|nhMttJooB) zpdKLRr^x7){iv`!s0W+^)5+fIs;Wny_d@Lph=2Eruixp;^PK7PcAB95tEr%BrBSZE z;_9t)dg`8^=~Q~hf86Rf`}v~kt&%_W2u|j6Y3B6onrscypD6gakBREurnmc~V5*&? zun3tcqQ<|*J$uVhO8hGNwS^7*w!HkskK%nB{nj7*0bl!@jO@GrpNYEP{gv4J;7|3k zZMvfglegqj(>tPM$qy#`yyA)DWLVjUGi>@L)xzO`Sf4I`Lvjs#UFCEqM}R%A{Sr_N;j`=U1|2 zT>=$K)a+WeF%3qA8&~dJg;TNK#hX{8)`wi%{_Ps}Ax^-Bk)nM#)bQf9Z|OdU9ND2= zy_GHBsd_99wq($jl8lr%wI3VQAdAOE)~- zTe!>Bu8kkJh;jCE<|a`N&uw$?Sm>gEGYno`dvWC5z1LOVTzu@>3~y^UteYWk^oy@A z%-&u&_wV(O!yca>Z~2Ai<+oLDA@=_J>pg|yBM>$E>|;xd3kKruxXS7fn87hhaK1QcMTu|^vwOsGN-1CtIk>UJ!vLxesA zvM>=zL=viYnqjg@C!d5eN-3voh8Q$Lp)yM?x2y&wExrUZOfknKvrIG3L^Dk_!Gxm6 zhT2)c06FKRvraqj#4}Gl_vEurI@=Hm1V;uXv`|C;4@ERlMHgkXQAZzj1carMq_k3~ z?$Kl#OC7Ss5Klh^HB?bYCACyjPenCVP@CDb)ry?4Ay!#urL|UDZ^boNU3cZRS6Q8L zHCSO4!c@~?k3}|FWtU~PS!W$8_E~ACrM6mYuf_JCXtU+ETW`MwH(aK+6}Mb-&qX)g zR>@VjU3cGwH{OcamA77d@5Q%Udh_MCUw{9tbYFl6Cb(dO;}ZB_g%@U6;e;E8IAV$8 zeRyJvFUFYLiZkZ8V~>ReMiY@m2F0I`PewUqB*Ph5WMEW=IcAwz^9Pic!xaOw020QF~l>u68 zv#B=3Pqo)(yKT4Mh8u1}&ZZmOF6f9bZ@u>}hK?@k2Atcw`6j&Z<@^pjacc)Rym80x zLR@jlpJn`U%P$Wp^2s+>wsOor2VHZ{M;F%fjKKIn0v|FdCUvY_-^le$4v^p@Mi>d{ z4qQ7c-j;z0B_m7?r$%g;{aQ-gq zfd}A#jC7yk_`j8Bzf#YAC?Az#P^o=-MpB0(BUD@{{tu0aKS27%x4T;mFnz<5zyW-K ziYYwL2kFxuM;KAQ^R145aJa<l3dJRkglgTs3v{`B_&1wIfY$ZKB^?c=%c`EMi5dtUf55dZ}?&wtH3fc32R0RXrF zgc)ICF(d$h69&KsR4kwIxF>z(sNz_CkRJBhOZdki((l)0z@G;5;;T!0Pc<$fLj3aegFUiBc=cVAAkV>DrDXC zHmSn#W$}4az+ENBXvPn2WP;{1BLMQ(yjezakn`i-6fvnuP9D;HuPg=};>X0>Ns*G4 z1ZFXAIlW3YkC(PS71 zBoltPb0#u-dC2HVv3%Z4UlxJ+$~Jnle%rKV8J7uAMu1b9itGp@tGUp}cy5LVkRScZ z=}amfuo#)}Bq%}nhisPem&&AK?N%8%zl1v zmeD)vQhNu}Us8~YOf+UrBRSLZy|9<#+iD?wn$T$m)vj?dT`^FnI@Y-`BQC5Y10|q3 z`3*01>GLZNGm%&yf`NbkE-)f0b_c<57DIQuv#bv)30NH7VuByooe>i&Si+hyec3y$ z4=wvxFyQd7n$2ttZex4lKKZ?8Gr%goNA z!{s0CT6^5&R(B%5Wo~x!rcmp47a`cyZg|JTUGG{KydB{oKB?lp+Jz*&QLL&YWy6T1 zdQZL=^=9!3+Y$QqP6A2I4|&U*-1A=Vp5S|KNIWY%kaUxF%DiuEZh2CTbk%wLEotvE z!H7x*c(()guIGsNyaPlyo-^#-h>3a8|1$9p&b{jM@~4q_Y6NyCgu?+?_krh0AQL&( z@ByqiI~UB3#I2qGa3o6#%M+70f43x_@OaEbR1_~G{4*ltJ`7^>E_Zk?@WDe3yvHnl zIm|2#z!XsD*4{nzi{W&z@k;4OMobS5aG-J)XP8w?W&*U{TVs;%3(Q-5?~9vge9 z)ld3B0(D*^J@q1BF5lI3VDJGF4ZPFM(9v6Vt8<*rO!jh> z2EMPV+sM0G17MRJMW^}Tr#eFmx};3}zyWp5NkK;wi=B=%Nun?(Arw0!$3`|oi5R_S z8#t4jj2`#@`u#yZF4MTEn6X;3O}#SHQ<56?qZSd2Qm!sq$rVN@ApJ+hYIhrV&%@n| zTL-@OlB5G|;D8SYasKyQrS zGoB|Sea0l-&f6QiGbV*WyPMjkc`LKnYo^S@2zuc~uMskEVe7pPN z7Q*w>U6wgq;Tm#e!*-Ws@Hi6p!fv?3x6?=mQE_)=R?@TlW$;EYE#J8xUVpli3_ zk_sRqAFBuhH0%-f1dN~^X0L96#Vg(!lCvZgsKY<_VUJb30UP#!g#j2)hk1a$x1t}t zc6W#W;gO*J9NzfHD(uk<*W05L26%uWYH#~wdpY;d#|!G|fdxAt;T`>;hb`>j4dWwU z`OMe1^YOA^=w}!8@8HKWWbg)Wcmf*v=tUy9zX#-Bf*;_g=KG8;fh>=Nz2#>v-*bXl zK!RSt0xU>`f1rnV2!=#Z2YaBu3m69cYozz#qAvoUEMp_QvmM^MH2~xr)cXf{s011C z1b(PKJAei!_=kN6hDvxqD`0@-qd@ktzz^CaSZc8Vu%e>#BUDPN*&(Xifj4ym!Ms5| zY*>bWK!QYYf;aGlWxxU%06yUhhG3Wn17MXJv_UU3sCUz%0Kgqs136T{ty@~QIt!@( z13(=vI>HD+y?n3(EYJaUkcTkPfmt{Q9iYB2z=jsg!Y$;&UK~$bX93Bb+IkuZ0{&}NY8l#Hq z9e0bw=4b%}0G5Bi0%%CVf4~MA7{D;_1T3%xQ4~Z{$Ce!dMJ|lEX&v7=#Wm02A1Te}D#0@P;>#fh7zBJ8%MMP{(yVM)3;?M!>ND2s@uY zU<5piw|?ZCe+zv<4D4xg9`Y_fA9oK)B!43 z!jx1=#bHUSSi6|C96E4-fE)*eV1r(;15e<|o(!Cy6v`uPgBQ2}1Gs^9kcV>!$)wGO0a~!$l(V=cmS(x2bH_Uv;>^BWXs$Woq2#uIRSzD zv&*}b$h^cxAesk6Foe$wOu-~fu*A2;G#k8ZOznD1$P63FoJ{7bOv~gN&zZNl0nN~q zJx(ou;)CksGPO5p$*u>886wm3@i0TYa zToBLe)XsZT&hEU-<^<2^#03SQ&-x?--rRsuNKe@$&x|ln+f0G_oP*q~0{TSH{d~^# zY&rMzN%+LhQ5c0BPyh&h2Hu=d1np1Y6wcdJfE*YFN*I6vz0CorPy~fe1?5f#O`7i% z&jOvz03Cn}&4vI~fGWs_3mt_GDADW8(EqH>8kNl|u+eOo0|gj>6qr!}*Z?Fg(j%44 z6d;5Y*Z?9mQY6iW4Il#}6;VRi00l^a3f+JhC4}ruP8EGh2MtgE7nMy)kWE5RfNZFO z9B9)U9ffC*QS9u|4Yf@mwbKEm1O=$j9I(*=SW`gF20^`11)zivHB>|$fcqo_Lj6-@ zAW~e|fB{8@H_c5HZBH|`8Wv4cO_fbDkWfO+QZ|)MMa|Fj%v0Pn(l8y;6i5LfmC$S; z)ES-CIDJzYl~r1O(_6LG86DDWK!yPj(kd7L{lra9^;EA!Q|wezTdjgoDArL8QzWI& zWM$Rg^ikRb(j`q*GJw!gK+juM0C9y-^pw$a9oKT5O+rWEl-r*(Q;x*pm1zrXy z1nM*aZb-Ssjfn3QRO4GlQTYQf#=MHnIxU@JG8yps4rzY`zl`2Zf%<_O_snDgalfM$gdW`uA9Dt?B1{s#hZgJ&>fX8wnJ z&S!m&=8bq~W(j18_~Pa{pzQG_bP9m~83VKfn6YW&L37G6F)|+*vuFt@pg@{}*-;@I z`y`F%oz!tg2y(LFnI2*~DkfSi9n+!@fM|&(F6|v-9PDhyWoj<9ev)f5?V;2IzWN=1iVyvW7GU0<(v@g)LH@>`^kYrXZzrw0WxKURpcW zVLA!usZ86YGUA?b^B&`(illD7CRPY}E&(@q<7|lPf0$!8$bw~#fE-X}gdl({_~Fqm z?M{|v7-mlywzoFwh%)0I2Rdy3XPhciLn}J!=1~Ldbd#TG(z}hg>q+V`-QFVH`Lyu) z!jr=7dYY;)R4YQFAo!UvCwjzWnrtOosZ$mS%myk%W{79#XN0JSdQgaLAcQJL=1PWd zbEr^+aBui7XpJCmWa(;%_~Jy<2vvfm-1Z{g`RMzyqj`dY#L)H-6o)D z`|b~t?g6K6+_CO+azl*D?u&~jev)iH!yQ>1?=3#$r4HfPF5(!5i!UB)jLbB1lCfF5RdPjje<_lJmwct8ky$9EWq2z~JHedqU>Jap;j`@Igd6!4y5-0(eUx+No;}WQ3Y@hh2sQ84S_kWNAMJNL)z=VI$ z_hzN&iVE*QJ{^y?tCJ2S;r+(;% zexGTX$Nz_gt|G`Txmqvx3QN3?SSc?8gXXcKliK==QoFoEs9eWJNHBnW;D>T3{SH9= zVmNytTK(C_>Ujo;2+y8H`1gi4H7U&i9o@L8aHzMR|8V9ki|5N z>uB<%6mA-&7-ZSC-1GW+GCFJOF@EF-8Cm6!Q@Pz|u@j zj}{9cA*73^03>_}0H#=`08B+n0N^7essI5{`2f&$X;Zal868mTHK|bm0m4EJ-~-H4 zwNpg@5-x1`Fyh3D7b}Kjz+R$N_R5(s&|whCnwmFr?(F$9=+L4^lit{c4q+pwCYp=* zk5EB`6rcU87g09sgbV-WAe3#QK#c@^87x77cIc0UGnf9Ca^=gH+-PE=+1#K3!gRW9 zUbhpJvULVE5DjUR5vmVc|14!RW$RR=VvD^$!068h_E%j1_$u-#QXv7@mJ5uO<-;xf zou$?-x2RPW08=pH10!Ix=U@Qnf#Dxx9eVg7h{ZV8Pd?bNA=x$*7{CB5*SYv2j4{eM zqd}*ow%SCLL=Zt1v6V29FFO)Ii9r!yl*5m1U=%?PukFa>Mi=c!2|>SsrkqI3l_mxM zmt1n=l1t9PgoixJSaoFxmq<#DWt3Qhg?K5Zm^y}!LG(cLMlboKXh09m(0D4Usj7ONjUuVm zQ7b=ogxo|{8l(_MwsJ)4Xjq1%<*GEM8Pb}XxueXR9mQ!L04`7%(wze8c_^R7_$ktR z>bX$ZfoQ447FGI9MPYl4m@6q^=oW*D3w4>5DZKGEW&l2kEQ5_FCE5{cH3pDcO|StA zJTR)QhV<%0B|NFCXSfRN>qsS)HV6w9TYNFb8Lx5Ou*DQh+OpPCB~qg9!AI@?eD&S; zfq;6UQW$%Ffnn6PZAoa8 z!R+IVzg7TDFxOps-I>9~AUx4Pq}5Z;zz_rbHEA7xJX**SWLOwrdes@1d{-5dm0o(6 zrFUU)xEsK>aXDIev~&f=l;V0xCAVLL1HLrnnQm%}JiX|E#WGIFV-GfoSdFy-TC;sR z>Rg9CcIwH2l%>S2hvqhSrG=~*dL3r+a!6%yXc#I1CdP<*c!nf=q{COfJiMC*aasT)FF>f^nip$ zJYtO`crXg)ph*TXM+Y%jn+OmIgbW!DYtr_*U$GB~8ZjZrPzb{@lCg}7*_1shfdne> zgC9CTLM1AZ2s>aw2L|EC9*XG2J%(?5wW@ z&oR(~vQ$;u{6`6#$jyH&lp;hr$Z%{G9Ca?Ii+sE&Xfn#tp%OJDocO2#Okt2RQP zXyZFp+R~}c=%u{5ULdm9XYq>nd5&+;xv)1+1DR z`AfoZ0urA6ENDY3+R>7>w5B~RYD2qWFAldew=+OC;w#_z(zm|$y)S;1CNi2s zZ5kyOqXi(?E~-}9@q3FHzx+mq zuHPMBohv}cIPZ3|6<}|jrySk`@OhS1-tA|kfDG|X!5lXJX)}8~)F5}D$R9{@Wr-2j zT5dNb6d-1Q$M+!v@XY{LZfzhVd(!ru@&+az-<5BG?k(3b8PZ<&Ecblw2DiJsv%CSP zH@faCKeT;0?$fHf`0DM;x&yb)5tHNpxZU-RFBuf@3`OVQ&{-zL(P`dgn>QQuV%|X1 z=iB$otNzNUr*Gi1@%lz{``c3wH{+A+`0zo#eUgV$*B`wB#J8N+DY$g7|Ltf^i$33^ z$9%JuUiQ0Z0~rHQw2u3p@|klw_R>cN(vS?fuP z#Os~z_qJ<)|F-LUzEzm{@l{-~!P^F08Nsn!0m_%f30=I+n*d&%>;)U))tC95-^Y;} z>-5NPm_rWm3TMd1F8S5svDf@k!3Ql2v;ajp%;r&(M4NllL zf#5_a36;BQ!>%G)^NmR--juBQ{neKWN5FMZo(#Q9U>eLTQ9-*hVRi zBSonqHZkHq+|B~X8a&4T<8zHb2M|UfG=Mzj<91QkF}esMSilMdq(BZNK^CMz9wb60 zq(UwvLpG#CKBPig03vYXC6ePexq)$HgDn-I8(0uc<-j0P1R?PT26<#E_9JEyi)OXr zt@TzjtN?)3KsKF%5ujvq7=jlRmQLP}7Z?IX-pHwk6fQWlqW^VTK4@p2Y5f4_=~|AqXyR7Mh;n+SI&O(dOhlM$#B_)zD`Hey zY6O!=gfGBmXONRg$c7inh-^w)R<_bsy5)=9W?I%oNzgS!BWiB#i`Ig_Qb$+)NHf<)@PE=RW`v0Tdwz z;gpbsP>@W?LC8uFCd4ASMkWeLfj%c`9B6b%!AwX2CcuPslz}jy$#n)*c5Wg^glSU- z3EGUL8D>ETIZP)`C^=?CCWcTJB*}%c=80aVc}Avsy2x!3%Am~2(L{*ipu!Y53x6EI zE&L6F@W;)p1(EuI55y>8)JHL>Pz$w%T1bF}9DontjJiAsqhP696cv|_8gf#^Z2SW$ zW+K|4;g`~eZ7?OI7DS`+#zI7Z88)Zu)MjVUshBv2O2h+8RHq{Jsh?(+VC|)#ZbU*g zkwWzUh_ZI#j_5{_5E4eRpLk9yP1$P+m?&tVC?u%pBe5v%x#*`NPqj!3td<2*fI+Y7 z#keS}up(@!8pT*Z3tY4X#J0td8ij94%CG8)QsBvZ4pp&g#7lu`a+czkqN5n*E4}K5 z%WCVD$mwW!E0{>9o+?5uz=(rF=&gVivKGlv4n%wn$uk5=%nrvVqRn!aB0@0jKsfDa z0Ib0B5y9HvWWK1#{7%B=39Q0us=5V^Ml9Hd?JW!n;hZXA#7wO+!h=wY$RGvCLJF|H zOP&y`aU!Odsw}dCAOX0nK)@`cy1~rGDYtS4&PIor#KcVa?4OoZpepNekj{Q<&t6( z+N@|S?zc8Bbyx?-L@sen?mt{a4)|a}AR?1=VhOayL(Qu%gkmco6e0C1yAl%2>hHal z2I|u0re4Qw?u}MJZ0sgQU;s#2s0GCSL136m1CLD0K=8#LPhJGZo-hlYyvzneETaU5 zR1g*PCeg88t_oA{1^vdE4oQ(5Ns?^u`eKA}AZ`JNMwfU=&PoTF{DYaCt4gN-t7CG6 zFB~O93@8%E>u)&aGdQg;aGG8<f9oCtw!r>H-fKNXYS&aHRZ232#VJ z1W51*&xG)9VNAitl5x8DfEd3m%=9K%jO(rQCWg7 zXkfw`#Ih{UGA-BgAXM@YUovSvW~LIb>KgDTgR)}W0v>NvEWZqi`cV_9B?t@Chx$Il*;IT%nf4%ib}t+aQ2R0#M2;r^GOi& zitGV6U)@g0&O>)iL>Hyyl4Gtsk$)Bh!)&IN{O3soC`VwlXlV3Ffb>V#Gbi8kN!&wC zkhE49&lsl*^62wo?9TB3FYX}5dq6B<@H57G^-!4t4}ohlW%e1V{e^Dd0gFlz|i|XjKct4>yNMgN7!s!Zm0$M;x$)K#oZ84SduM z#42xJe1+T~g;OlZ0Z__<^o3W;4FkVL0QhEM)P?V8a9_YJs5%Al+(lS01z-fJ950U$ z+(2jKg8`@j3X^4WDop#*aB%z~k_=M&wr^i0?#Q99drdC0(zijhuQ_ByfYa3b*#>be zD*-fXLF`lnFeMhPFixS3j?inhKGbHEHfWr-YIig#oCy$j^hY!3b=3A}=mc)-wm}?l zS@aA5_@>I>M<(b691u^Qz=87WiJ$09089a{7Q?Rg^Ph{5V%dT42k7Y%$sh=foG ze-uc3hzoxJJwU?0(C)B`3;vY%KiI=Ip2R*t!!Q^?Nu(@t6s{Q3l+*qoEqRS$6AWT^ zldLENA$*e}Rm4sO?%y&};KI3a41^k%fNzK{h402hKXp6@>~&~(YNz&w|3ewng880A zH%tShN4lg-dMH%7rK3S8OuD9TdQY7AKd|S6SP08pi`gaxq?|{Nzf0`iZ3df%kk5r# zmvn#RN${9;e4Am3Pi8WI0D*!75n)tm4dz3$KjR zxLVlwgYbt0JZ!<|Eu+A-t1JA$lgv`UD%<`Hg;0DyQ%j(`(ot2%Z?*@?wbDijbkO>0q|V=W%VU^+YZ!mG|9P7)gp|x{32-~Nlj)B9Mq(=r z5Xwq6Jc*CICWSAF(3%8>f5w;WaJ!>+N8^D?d`cS$pX zK`>wk2=u@uM6Z{^rVthqZ&*nYGD$rQqIdFC+OanS8Qjgp+7dqeqDjMOqY<(xp#{3c2ym|C^IU>IljUHqd|}gI(ybG;#`NS+i$R z)_}y)C0e&{&l+G!rwd$y8d9+|V3)65iDxac+}L;C8pDSXCsw>>SYMTFU-mUv6KZA4 zmoaD7tXV3-U{+s_vUyWxNwZbTN__K zpMHJit01+QifyZBCzZJJYP!-eI*q;Gw0n=c16}*BnDFcx52NxJWH3F9e5}RD#iyNZn00r73brm0Rs$}|4N-ikXXeYg1iZkwCXf;Ex`_ZY|TLk;gYZz z3WMzKLXFl-(y^7cvkgQa0H_jx0DQnmf&+rO%m*x43{yoV9@xeTM6&V(3Fx8|kRa+z zv(8DreuQsMxQ47tyu8Reh!RS2`$r&i68eV{LLL%mAVm}U^Ui;k%Ef{7w1q1$>Q$U<9zA}F-ne+US-gc9zI zw8?1AsubG3rUW3%V&J&4m;(a1{}liU0_eBX0}g<-m`(!*fDumvX5`g`UGNv+0A2<4 zkAHj3ctTU85kne?mhnW{Hwi2T2P-Z~S>=^kZrSCRVUAhml|fi5BMbJJS?8U3?s?ih zYa@t|90vL;0z!(;VjxP`J@=n;3D6B)MU!+FUbN(u5>t$*ytkNu_wAPv01i0u>jN+X zyWwK~nAP55Pzm^!TLNy1>=WZg`vU-4)wtIN5IIMT!IPy(I+9sx0fZMAZ`|?6A&*@0 z$tkbg@dgTE$pRBB@7(jxLH{|zYL6^v+oHKO*O!5wiQs8-6C!{hr>o`-!*{Pv2}%XE zW~pn8;_jDUfA1ap%76nH{~PU0-&P)@f=7H?ON9ei-fv!?FaVK#k{Mi#b09i=AUF$@ zGxxM?=KXw_L@$zbB(p{R^?`Cg8X?!6hI)3YgS2{m-C0wdt(i!Ady_!eh$kzuW#kr_ zSRnJV1YbMjvcgR?sz3D9>};uqO=GQ0|Aq+lQLfeVBO z04qv>5mUHZCJN?)SD|f+8DW?PHO7e!f*>092;tzsHxOqSpc*JF9}+3@EIfwqh18Pa zKw43PEQsqLIiMO5{|TTpK}8^uhD4XQO7IXT9dVBZ$r=+gG6jMW3{)8TzyZP7NsPFF zUkCVrCri1L4-m{J9|)KPb`naK?Cq3j)EFd4U;qEN7&W-?ygbOt%WldvZGc_Rkrmm{@&+84M0=nGBKhBv1h75C^hGOLD&{7ZkvB#b7 zY~Ndqgrs+($97EG=s);*DS?i3q;z-@jA}3}I}+1;S%|=(a!@FiRlF^T% zM4y!msbu^~|5Bk|&kIQ~g!xulOmh%Gk^>{-!D~b&;!ug`)u}F(9bRuZT725Z zrpjcjSseS=gYRZhlVa=eouIe=3GpOo@sb=H7 zh1^yaWQQ%&4kVEixvCpL44l@EHM$smpKKwU){okjFPD|@jVnXpgI}r7@jpO>dgho%ZynK^h5JHZ|Rb$+KZ11#T2X3J~E& z8Kgbuveua(9Tt?W9Rgg1%$k1*UvHrd-j{E$FWhGtx3H@)0F7@z-IuOH6^5OI0VqHL z1HeT#INotzvl}Ds9v_bl!sLTE?JqKyIYhpi4STOJzkJa*MdA^Uf&4q*v4Np<=Skv+ zm?HvBC)y(!nFae&m9N^qYSRa@)rXR}=>#Abl8fl=$g0(+lnVj`z}ZXhkC$d(p*YN*rINFHOzF&sTA?Ts+uozw{{BJ^+z#02w4#z}vIo zcaoDK8{SWO3P?Txkn24gdfz|}N}dh$ll<=O|2w8r0Dui}9Q!0Um zukqB&zGldEJa2xMYaj+m0Rf8vL(6FFCy16xH+Ih15=$~rZy;3f=i;H?|A2Xjgd_!F zYXv`xspJO+eM}E$um)-B27Mv(Y_R!m4laD~YJd3&PXS~R(ZOaePGxD+XVBA^w3tA1FL0beq89!>&p2rUY+ zBhWDs6OrgJ0pL*Z9h=EoOlRpL@99RbhW=rxd`PP3C-SncP)eY$oQ_?tav z%np+tB<(Qn{$>%=r18?0unC{gBU8YTpb#Q2EeF;QE>i&H|IUyLWf2)MjS%=!{>aY> z&G00%0U4fw{iN_2=#DN?(i(XS8zGO85@M;Et^_8c6{yO`Mo-%|@AoLPTRzV!6XNRD zg(uC?=cFJt^(`HP5)TGK5fq^)!Q<#$?2oeX=@vzjWJhW`Le@MY6bq>a#ZJaH>L5KL zA$tuMHSG<%kL0}2`^e80$FKan59FGVl}GHwqds!ccz;=XKSCtIT+qs2Ho z0y$OABkQj)=MM2UZ96-S8Ziw+>kiY{FVpM}4jnVS{~%MDdJ-a3VKGotF#rKTA(6jU z(6b-{I9o$TMe!?(Gc2sgy_0txAQo!icnzO7v<1lp!8%Q65V{o8?I%!a=JvP1UqLLsU!Q4J8PHHz%b_ z;pIyYLdvos2MGW-%>vuG+OM`Af#-s3J&L< zNsRdO%4&Q zAQIxzf-F#+X2=3dP>4)J9<^B_wIE`P5VWlz{}PF+Jgn&!qA4$}p6oI5meseY5?!v! zp1hJcofJp=X=~2F1Pq~E&GlT-HC@$pUD>r=-Su7JHD2X)UNvA4ZdE1Ul&Y|W8yjU? za)4d3AY0<6ri|3JS~SX5Fyhd~ewJ@(__Sf)tA6N*Kno(8lJ6-Ev_`!(P{EbF9)vcR z6kdJ=0U`7Ez!4{RXuWh#CVQkICq+;Xg3mxUWSeDVaTVF_h-M3}0#gUWc=n|#&u7oWWgi7*2O?Ro)ed{FAUbg& zXzINvks$)M5~a3V)q_Ez%{7pAGNN>8|C#ntoEBfBR%}o9b&{*c{7-2+b#Lo&ax)BRO)lmx@o@ z7dMHvg;IA&7qv)3mC+8?(OwkN|LWH*?zeM4mlR_29~9wpLs#|)m~?MzHrscqw6-7+ z6tHw-wK}zJ4??(p>mfFfA>4OPwRaA=mqgL`$vPO;K6uKEmLNu0e@pmtp?LOcfheWd zg+*0;{SYFw1%UyeG^KU9rYZ-%n0CF6a&;G5w2F6cQ)<&Vaz%ECb9JL^*GX`9iD9gX zhmLcnIDeS9T*3uWF4tip?;#9S_i%Q-0?QXBQEZDZf8^IuZ9s7N$%J-BdT~i;(CEYk7JLI^Vg5_H*`nv1fOJs_pEMrc!mwa7c|T%@rh}uvcn8C z2ZoEOBv26B)?zcyzIfJT|Ks>xRkw&WxaW=(hL5sztalJQ!hz{GbM03(Q*)K2IDheA z-!?aH`C^d&p^&H6EY_Bq%9gNvnIT4xkxnwc!j7F^id}|zeJmOp zrj4^vXGu&>0c%-XG6E*KlGlrJW0EUbT8Nn$gZp`pJ~>E2nSH}WTYO=u5@Kyr>tAUK zuV^Y@h0AicN?W8!uLQ{{T|M{GtYBVoJGXVaURiOi-FJGk3*vZ;B!x@BFSE(cB;!*tbkl-hN&)(%Ho zx~bMSP}xb$8J)2gZ#Vhfb{da*x<`l`en=U3k>+oS`MEtSaAjw4saxUP_IAKBwRdf` zw;QM1?PjEnai0q`%<))ikAn09o>hR0qqS-xsQO{Ttn^N?$HLtBb%|{&f z@L0CAy+XL1NS3`1|6=l}if5VIvx?~5!M)&=X43`TzQP6Hua?NdPPyrEq>uaehW2Ty zo6^Jl@gUi~VcHHekQ_N2&Cdthm$cy-zezPk&nazOMmQeVENryULG=mnYe^`<;U@d4$=S?RIhzrCtFWl*k09f|(&KshmrXC_Z=nZbF1`?R*XTr^P8%sbp ze4!QaiX`c$cxxJnVn=Fk2=OhmHT+%7S1q0iV4kHm?5Uk#aXxpjeW|LBTY}oYEWf62 zP+M_%^)1B0^9;jP+jOsP>ak6v^VHa&r%s3lKGNy3Q=o=a9}N(U;6|XEq!FG8Y%1_sgnv+} zI%WCPY0$0znyvT}lhFdt} z#)cg~_I*7#_F>$07hinqm?%c01I-c0l7m2Hf!PSO(%kA_jvUW&0Juu1dJf(QM`H}j zoi1vOyVb7#-8j7Z^#x<+rM>s!ZT4Grr==g%cQN2Q9}fpih%Zb1Lr6UX|7DXy3DF6Z zg@OhCqg)n*;3trG7lB7%S!a=VA6e(^m)<~xl#m5UgK3pvc<#-XP;GpPlps}aN#O=rPd(YV0UCgO*oy)RF$AoD@Zly(7q-Mglce*Egg}oPz#i>YPI6% za8*)G453yQW41N25GqCGQb}F>@Jk|3O%S#SxhP+k%?(sf1PkUcApr(%otdyAk2p5P zBhQtMoAt010i|xNoixg`9^7<)!tKcRLsCy&HCznqS>-?V|3KU~*UAchF(uoHjg`a% zp)HVcC|2(FL2z$7kQ>zsPFdg}M_RC0HC=VrG0Tw6 zQpR+#r97h*1SlEoQ1+f|fl45h7!`!RH6X0)Zg9`S%#;E*Hoi5mAXQ<`uo{=Xpm3ug zBRt4HYC)Igndx~3FoX+V2*Vi4aE3Ijp$%_{Lm0MU1Rp7c2670*APNzORzM$()W;fv zgo{Kb^3#GCsistLh>4vs6Jh6L@%q9KpaJ)|KwHfAF(sY?B)X@h9JsW=7<2# zq9Q@Rfy-`b%-KJhlP(A?XgSXk%mkI^IEBqb3MCW>9uUHfGNjO7sbb+68*(|QWzIb7 zgA3~(X%_^t=xy3UW8qZ7keeAxAZ{ugbGGA#no$ZRiE~qfwo^ErN#|Q5n%V0PvOJv- zk{~4hxj?R5(lxov$u0*X z1%XHb517EiA%%&KG88gDjC9(6s96wZn#`HBf+jr0RK|jwky}C8W|jiUm2ZkuockE4 zF!8WXcG`1=PrGM@2zDWZ&2vLxLSmjAicd|d|1557>*gTW8P0!%RHXk%WEp@-mSf5! zU@QeT{F%c_Y;?jqbhHW|B%I0{AC7%uir~`rNLGnnTX{yJgGD#{o z?poB5hEteIEhbk~IuVu*gaDiB96`hwnA&wNu`NZ&C?iIa(UA;hph3wpYZ|AChVYq9 zMQe=IDiF5f&LIIbEO+QS5j>P(wPirZA^-7O*!}|@iV%n}YWvrAI`y4^av;TS7894e zL@+6lDxtVqf@8hJw;+4TTtwtsifv3(|8jjSLF9>3iq=VxLHW=bC{Vueig&!^Ew6YX zPzY;oQg)r}(xbL$vx3xPcrRPZh^9HBEX*`FLfr{Fr~%*r3wXc;21jleip-~OlUNL_ zmgxxc;EUm{C7UWp4l3+V$riAK4>K)x1y=D z0auVHS6DNC>>b7S%b;qp4$!$9|D8grTVb&ljI7#yoLP6u<`jYUAEMRWb2(gE%7Dyl zQ8W!|VFg%;2$o`n#oz`bMu=+F_*o*$!P>-_+?E)Y!Hs?$%(P-zgPhq~Y1YY_GfkmQ zce-bDR&4H`?6AO?PVc}b6Qje1Rk3q&?Bqz* zaS!6|gG6`S0|`1={}7ZAk5v;d>op_3r#5XqMIRsSt>)~~hZ|6)fN7VF8O!jt&P3#JhFa7)HT8#7otjrSRn}#4?2?qd-~M(k znXw(;aXZ&K!($l$8Xp0dq=bQnFZ@dg(Z+65O!AXiNeQ-7T$7C3DW8|>Tr#$%aR)2f zZF92%>%O$R%PH>;xwbE+lbDphrth5k`$Pf{C>zUHZJ3{9>omr-2$&;UQQ5YfnI+ve z9$$%igDRzRJv!r1(BG$XO5&nF7wJd-TCT??>`f+nG10yu*LDua`)S(5@Lo>7mk97- zR`!7iXeGY*)$kAp|8O(&e;^}9(dHS*;(sea5R3*PpbJv$ zQ(SVDF}4Fh(c%&S5Z)-|Ahy!YJ5XS(vcm5coc=0JW_F7bh9`N5`S>Z_)@9@7TLhGC zBGYc8hiydj7giQ5zV(dCsEo-7Va|nli#J+Wp?QlJ6H2Fa(^y5!bYVu*ZfN zGZoJO0B(SSqqIAGvo)!NKf7pfSZFP)Xb`O^Gl~^~ZDoNGkPSvNfVM+t&nADEbyFZ# zY22k|m^Kq(Rdy8@6#2Jy6loAUcp!79flilAU$-@UqkUN+kA@aHrsjcs7IUgLbK56+ z74(m-b0z6$6|eSe{=|z4ITq`*4+V7)wcwLv@rw=teDyY09jQ-G_bhV}l1%w&c*Z+d z7L$7R|8gIga0%vQe8Wa=G?l8yKyncsI#@@D5^AB*iwA*J1W^kpbP(zU7em<)MQN0$ zg_J*~lymbBMzehoB1I;_H+mUBJXaU#=Oy}B5UVDNJ~K**X<^-lDKB9=fAL8RVTX2@ zkYlwKX*m!*`42sb4y52$Zdp=e0hb9Omvf05beD;0QZsv*N|I77QzcwEgB%f%f`~zw zSYnt2v3JUJmIk4j0znF-@DHRgPM9DC)bI~(sR+2W6{U#~r}+>9f+BF`Ik&kwAcrM0 zn1Pr0daKzw=D;^%v@ZE_E_Xz0Qt}$Pi6px@5WR^>zez$PRh-003YZ`em_VHBbX!8% z|BzO*k_`be(b9NVW}w;l5aXDKGl-L0(V&L%CEjU%;CUIT#3mEbpj4TPFvnzAxo|Y6 zlbK1M!&#rgxu2MzNdAeB#s-ljmoF!ng0Hx52Ff}hvn+a3E^QScf>Adbr)wBR^yLeGdNYF286;Am24SUEcrff)BVhUu@JSXZ!YH^w|E2?h zRCje(Bub)bIznnnnr^Cboi&JlDT`5gD`;~`71Ni8HDT`76kT~`uQ*{MLRGh#4SXXp zmxLe_(iy*sOLe(cN*Q}znuS-nQes*co^h(X7otItPOOCoYxxi6dafv>2!4f7TmhX2 zv1SoCtirdKq*Eom`g|;rZhIoE-WPcndS#x$I@TqxP)R`-v#-m+Y@AB1p=GUCSd}W- zq1*aYqxdHT@(c|UB!ZG_&*CTrA}LuA9q*MC4-zO?#DmEdXf-+ z`w7Y!6z^&f$2LkZQ?ERze3{`K;F69Yqot14Gq%<@Ng-}Oh=+$GMn3pC+tEgC*o58^ zxGVv+mg~5hp|H=_omcyvAYlb7rn)Nz0*+G$s|&j)CaPR$LC9CMMCv}jlY-B{MHuvi z)1^AZsuL}XAAVa9$A(oY;S`LyI;O`aMl)sxkulw<5a6;B(J~=&Q37IQC{xl^1~EJn zB1$XU3Ph6w^^m-wSS_L$zR8QdvqW^HRHY5eY1+aGUVy*(tH1lp|G)j~zyAxs0ldFw zkP9C%2m*}239P^i>;>9_BMOHmN1+vAqZNl5E%t>$1auk9cYto26@(|e1B028M5~+y zr>JRf^gBBr!NM)TNF)YI~Ov5#7!#9k>FZ{qB8o@kRyIgZ&k}%*TCf#a-;RPG+$Sax|p|E-nLutCL(Q7jTW@ z$d6nuszVk`%pOiW5KwH#xQWMp%*mbX$({_zELpJzQHf-s|0~sDk0Ly2m@~&Z6`+}{ z$y01bQ2+_GY|FQd%ekz}yUfeI?90Cl%)u{Gqn`X_ZNvdN+$?IXsYXOmy$PzU+ zKwSqsGvm)s;f}!qhKfpK>*$m@Q!FcMcl6uPbNSGuwG{^KhViUf5j$_4#e6%FQb568F|5y)h)qqQ(+wC^2U-9q@jI4 zvK-kC-I6tyF9r!QpNAq?VH{?oEEn@w92SAO=0;qz!50kDeI3U$y`gk`!qYbp`TQ+~ zA}(A=jW{?T;}q158P@$=Q=&Rm zaj4nxBlg`DtBq!@T+`#-v|Mq@fhZFhn$pId-}Sa?Qgk?K5`}tMF$P57&8F25Qr%iX znYV+Tm-XF$P17Q_P(zm!&Ya2(VVTN=-yQBytM+-eQ!Ty#0N-*PsYDW=HyJ2#sPa}_PEFU=g8Jt`{a1@xaWB5Wqf(R&Zf+3b z2|-n2H_NI}zr8{zwn4(5*3vQaHSNZgYIz<$f;c9LeF2{^Q)b zWw_zq->S;+#>%ZNht(|UG7{;ZKIW9}|C@@Ab&SrUUM}k7h|R0cQ%F5EP8}XljmfSK zNTF`)l>_TgBkSBj>z9!|A{X?9V=}xDM_Dqbjj$?y{MEULG-t4VT?`&i2CWGv_ zq3n)+?_>no|IR7-elYv~8vRb;0$=ausPN=Y>hWpneuwHgyX@dT>ENuw@vY(U$lUNDFY@$pZRy6>RV7#Waq_1z@me?U|IYF)zaH(^YH2GdoM#8Q1;G#_NM6P7n(&bB-F=fuAS<_}r4XI8RGaypp%AW^Y zn!8!lV6zoFA=NP2)aWTAJ2i}R+R%`flXSX-^c7*Hn;alJax|EugqyPz|55VlkPv_z z1jhc006=bp5&-O$;OMoLTmk^RJ`)@m0Hu{?(Ne6aHd}-&Svro5fY>I_k#bv zaV`O`bqgM+L^y{)|G_?et5sX#HrX8CX<|O9dG&ep>D9LseUkM0^{7uSh2OdL$*G-V zo75Vz9)XQO%B`W@CJKuou!;jI8^NA=i?6yqVo0tDy`pd;0Nfy~BEs4d@IZsOt4P5K za{%$OlFC!5J{DVav8eV;dhf;3L{;P48rKbzMKm&!wvuGP^2Uq5|N{zIBHV7naDHAyd2wfGshTtD(xZ~Z7c>y zqqu2kpM6BCrO(ZFET+fJ_A918h6o|b7X?im?m92|Dv+asd}&3k9GrBnm1mwgj*wRD zaw7{#0mx!R|F4wG!40|0>GI2eN~n^+N-u4!u>(i^r#CcXQWK>W-xPLO_2QhdGeVjx zLBjg%#PcR@q-dy?T0|;C&p@NX@3lgIJT%COh>KuWM?uO$T*QPEE}IhY@+Db=vS{w1 z2te#AtX7C4Ad7$UtvA+O?<(lA<{k^noVgfc*Ijtw4HvRl4=Mqpnto-ISd267%vgua zp(Ma;2np~Xjf65;B7`ogr?QWjP3SylRVymmJ^SPn9a7LS=vsrYeM(y%xvk1jL^ZC8 zk`rCDI9Q{bc6ug`8OnE5zSshbug4;rY(g)gW0E39PhEKSrJ8?5|q%Py)F9bo7^Z<=@i#w8gRrDZz$>z`DG{qiX&k6yXU&5Sgi;o zB;??PYdrhLv~8l9ZMR9m#2`%EzE+sL^#*!Sp`9WcT*YhuXKCAW2b}R;q01thX9y@^ zc*#jTlIv$Y#GKiV1~e_^rbaiY?YG^o-fm3F$ksLe{H9%Zz;OqEe2jU2h*gAjE3@+C z5v(Y4hH{XMD6>vF5(>_YO}1eM4(<6af1~3MG5FQaaSOM*JDcX zlL$o6bM`X|I?8ayGT?z)|5zg%tEC8?{R0m^yGa1Mm&3>DWiS~sh(H8q5d?aPe$N;j zL+bGi4Jk|@0a_#w4?=)WaikuU_|CiNClO1AUENL}ipAwFVJil*`f0IHT9N|;I{U;)cugeRGb z^hRsU`UfEhpq6J2ua~C^BVFnhmq%4Gc^?^zV$xEPB1y1tz(Qp^Q>hd8z^82K|8b>F zU};Ny<`b7XdL7?n=RF+);4cIS6{?OjnJH1|IE8db@_^SCR?gFr$2$_mIzkA?wE{x3 zn&{?qNY36F5;#RHiYeWB($A=JiS?|V9dQVxfFjZ^T#^!C{&Ae(u?mZwYe>F^2gwn( z50bs4CRr#-7AX#|1YrT;$Iq2RJ( zrL`EdI8r1)(r880pjt>m6E$jGJCcJF5>>D9%PahlRKzMa35n~xm{twj6t03ME_lU= zaEiJauO<$xed8rv0PvAw^06+flFX5^1Eq~b#v$Wc3sBqAK1VUCs6(|Y|H%j-5p%q6 zuGH)bQ6l2kBh?C1nnKZ45Bpoh!c#`-K^k+ebkxp77IBmPXJs?>lXK1MT+lgCrV56a z2}Q6g5dcdzvT>mA8l*NR8XQ~rq9oyHRCvwF!B5)j5RFdpz3XaM3Em~$y!KW_z~!$^ z%=g{!6hu*!h^AR)<-lrE(HADFszrw9hI%;gqSqXf6SJ@=jX>BJSqKkIlnXfK4iKQ7 zF$Zt^D-x5QSj8gY9m1+}7H^)aH=H7EQ^}bFUsTZ{ks&KcgBM8-Z_+EQT2*g4r%QJ+fg>(BGrQ6 zEz0UivXbzq@=LOfIB-Y`84}X6fS8h5#KH^>$*46}>Y6k!8x#fMYD#fl1Hnj+ z3*v8$BKgFS-gZ{aSDoao+9f=Fk-am9Z<@RrVH5|Lt5$O)lgFDuXBkfX9fO5)UuE5@6nNdN~M#J>BMrnO!S>XtV8D^IkzmkkfR)f{)ggS*Y?+e z8}{*yeOP6WNuzsH?Wt#}EP|;EU*6L35kV&~{QB{Vy>9mk;vIZ?7Z%@Pa_VZfYatWK zYm!WuC=(jIF9Wg6Z%E1C$3vcclGh#O-(>lhV16@dk96u)5571#Km)tyeeZq$d*BCO z_`@fD@q2%P4(y~54={f7o&WseQ=kR9r0mT-vs6~w|Ni#5GgdRa|9$X>U;N`IfBDUS ze)NO?5+_i~2-5$4_{Sgpd%ywpn``~;x7xS)M=9%b=Xy7RJ(rL@{(}kaD?r5YKidJo zHW9#80o6#{7sYqAVK+eU!wNTb*X>oEvw zsGE?0BhDB|h5*7K9Kw=>4^^73rz#@#`np#vG7=BOff0SQ0cm02u{GJ%)+nn;i^ zLFxI2p|ln{0-%qqzK}GRb7Kg$_?MQb2dI3nC}YZ|ES8gOC$q#Kw5*$hU zYfPkxOk~6>;&7b!Nuhr*hg@5h&yx)3sFEhRuCVCM*mR4^AP#i_4977GYqE{xvPgQm->tqil__3@TKDrjJ)Uw?K|zc@G0ybKnUR9FsZ;%N(7Q3x z2@M+W{2LARE&+Mcy+Sp+|3C~ZC5}9rj>AZ%WqAuN{fJLlQ7^qxK7u>CkWnq+PgIkL zQ94k}RMQu^vTM?aHw_zrYXuW2hzN@aBgI5gxAfCH z^CpMz1+3gqx{?gLV9!hSh>qin$rOweJytI5(yRkhxu8-l(URbSR&tU!{Ub(D)y%$R z3xrsnm8p(?$(-5>p0i*SPWhuckyCq$rF@##St80hYRmik&W50qHr&@v;Z%i@Oag1w zhbSrnW0pnol2GEINOFinvJyHJoI}D0;5i5hX;?3DNt8)K{W6?yEyBJWp-O8iPVp2C z@elxc6BCRDdTrT#|GHPzbhCmq8We>Om*k8z{n*e5*|r#23865s8KJcx&Nc~17C}mb zP|7yRu_|1RA03ZR)mf+H**k-urWzTcjh`cO5u>dSr2Pk_UBR4{TBG0{k*zgdtB1d6 z*ONVn94IrJ00=3+=8U51?d>QeV~;nszR#4hTytx@(7!-QKP6_%Y~Z0 zL?z8#56Q;|^T_%d%5}ey-t6Nj+TnWK45em_By{UQWFhkNbF{!SKpqR(7 zoaB(-66+&PfuG(0&u~ezJG8IC?2sL`7M`2|viVP79^*7=9snPm~i;SwReVlB_-xO}1W2?1}WhVt@5zGag*;S9) zwLVAkjy$wrjtJd*oxHQ!z|Tk#;X4y1DWVMt(aNF9&~ka0 zp+cCXDk0Wo3D*T=mbl@kA!PJ0WM5^7{M9py013S<&zN{xhtTCyri(Nys$Mq0s8!{S zu|VB}K4ea2Wd=UvQ$FTfW@wIP-jhBE&bYhPT94pZ-3b%*NM&LUiS83aaUSRLTfg=r zXLOdoJrIIwe!6RZh+Re{evPwX{^p$(WWRLa<-%9S#J_a(W_w;7@Lef=1~GnKO@A&& zfDUMbU}dLq<@12$?@{P_W@s20=&ma0B|B)Dtt?D>!-H_wp9qRVq9i(@6A8(&pWs(I z|M_TCT4;tgA8MLsw`f|0i9?9R*e*+?&wyyw;Ap$8EGaUPa#|G_+l}TZE*)AGJG)+X zVQNE-VQ(VpQ-bM$Hrs@8nBmaDOxe#N^P1P{8l#4}(hcw8jv^%C_z$}9 zu6DVpk-13jIFJ!aA1bDcS$Wk8vTA$A>V3tCi%j)O=*wz>{)gc%jpBYBKAV+oaGwThIpb^#0x1R8|qe^00-m&cW%rv5x06Ou3_v6ULc0-io6;jyrSjH z=Hl`7;(pfGs-PeDoe9tV>x#B${|Z^4>J%BTwFB-K+jt~6ZisVP6oP^Xhb*8FRa?lp zsnu?XSPe>BElOQIQa-KFi8cy-nQxis?W%5aC#MPCc?{q+At@d>_WB7r|JTE$LW~qf z5OJxJdT2R0AGY5N&a)PBnmEf^1qq(n9wJ9*BmZYRzjK*z=%xu$TBQcUtd`Q8p2URN zOYi7}F2)zfVox`kApOkH9L-WcO*V&}J^{KAMeluqOW1W@?{#1Qbzl#6VIOv4FLq-; zc4SX>5ZH81hly7Q(h6^hvy7qrQJw7E&OOETLOg>9cmZ$!c5n}OaUXYbFL!f4cXUs8 zbzgUOZ-7Eb;AVGPj_g>|9PJDRp6;*#ro)DLsRR3KN8n3WJ zi!hBE@mIwt7(+L7bD|c1bZ`90j1P68teZbEh+O4PkpE(lH$#$t-G!WN!l*`kLD#R8 zW!ngjiqJK|YI@`)h$|-uYIMda6qzgUNl2H8dBB4;ID52Dd$nKtVaRrWD)Lxnb!Lxu z_MqA~Zl7^EvaQ83Y;y1O{?%;AG1T5`vETWk7)r!Xe8pe zuuE})T$G!8x?hQi2XdiejLqw%7#7-TOkzqt3oIgVsV;ob@yK>IyMhewK*EhO2Q|v9 zjobgNq_^D9zx(KrxF+m-xI+Cb8(imnwXM|}5Ux+I!XWNEgSNqmA z9TQoAi16>98#n(5Q1VrR06~KV2RTZ2A=^C zShYk=0F)+1AV7#x)K*K~WGUgZ>C+qp0dN&c$!v~iPrtS#SpyPEFNX304lH;u;lhRw z1J;lVr2&eq+z_fqXrSbQzOv+q?3in-oc{<#$U=GYKVPJM<^NQeg=*>4o>2$Bh>|1X z+Ja4@RB78K%#1Q8)-y`!C&-;dlO7)^l&DavNeLi5$nb4J=UBB4Ee$s)TsJ^V0BA+I zs%YtNiTZ*IK8sW5yZ83}yL&$U`u6XWRLmGZf0D8_($?R7xM`%@ZZE|&lSdI4^pSA` zMUY%l08I8w7S4qw5mOLZRn=8lomUiy615T*0A4AToQKLWR25OzDaBqvp4kSUMt%vH zqmDcBIFNoCHP)k!|78@QkcbhOk%6`$=$nF+Nfg0X*#Je+gUC%p$x>gfm?4A!y7k$ZMcEXhns8bsUQxB#nEw%uM*1RVAyYw+iJ@34HQ(qkN4bn{1DT7IUbwwJB=kvm`ybWNl4S`lMxU&`2dk z!94?1mH&)8kvWubYtBH~jEZh@<`9xoxNrGlR7K|a!tF$5Qlc)oZuHAxy%J_a2qDKw zNo;)6GTiWd%sT7vV9_!vF-X-$%H*V#T8yS`9*4x~VSN_!r^P3uJQBny3q~=^6=6Id zwj4{GZ*;ZUJW{!ak!O}04^vumX7wf0fQ?nf?vkqtwx7>5nUANtLl zzBdIYqItRCbRl8Y;K*s0yms5C^9XS>tFzv^ z>#xHeyX>>mUVH18AP(RNw)5V*@3rqCMB*|tUeV6uS}wMRAc_5Ws5>i9kx(U2LP@5n zs){^A=9FviK%sjSeMn8CUjDL+0cpNP7y(!@&{r>>b(;~;4^$5HN1$$~l;E#tru0AM zQWW7I{lr72;Y6SW*|~>HALLUX3;828^HuGACn=EP5HmAveeNG*8ORPJWDZUJFij0&&b@#rkWe{~G$;(> zKZ59n{82l{)kEuKnY#>=-3)@Ja7nU!E zKZBnQix;I&eJ6pL8deqwaH)kHq+B^12qFAMMY?X#-C1w1@9_w`qIX>~%0+{7)cRNZ{&V07|clt?Nb1_6~2 z^NbQ+d=W6i$P{HXC5%l6(*F~RnA4mhQEW&UOOdZJPmLdOtf~TY*0f^QBd2sL4;dsu zQbi>yg_P#17Stda>Cz2qVGw5v6WEgtb})s_Y>qBV+uLrIQxS*`Rv{RaiZGKhM%myp z8=4K$Mo46UWnYopH<*2pVj|R_#zz!^j@`soFtfcae{9QL%;xrchRjqp5ZEAG2KO^8 zZD0vGy43YZ8MuMn87irUthD2I`{UgLb2Pm94BuyQx!3O< z@sa$SNDj(#F5=L4HqI3ce)ap0>DB@dwHQc$2SSQ{945PgDJaS1sr6#rIasGgZHUcnNlLYkv9|2QLMMec`GnP$K-Z2~N_K<}`5- zCxeD zHykILG+y)6+U#aGp7L~0CP|b{yl7i*xeSR$5}2)3$1!J`%+hI&TU?Z$$ZhB;VS%M| zQgoqHp_)|!VKvlT{puFRx^1%_Nv#`wYj1D47PTltZBz`H!Uj9jOvy$VDajm$XekTn z5sfDW!jyuX5&y{eYGP5EInioo^xEKEYs64lUug{nzf)fLw;f$#MUZ>aG!(O?Az5bT zXlg@fx{&qIs5z$mm{Z_cidwR+ zWA415J3PwCPMyqyCZ9C$GXQ|8x{AK!d?`hOULiC1f`iYYvApG|d->F24ibLgVGUv* zJK4)__F?$E*8*NAf!`8BSScst?gr|KzTztO-0vWqaw&LJyY#N4oI0%zxYjqyb*OnA zB-)rR;~Vez$5SI7X{R*SDz4{c=fGbjh?4+8Q>7AFFdI3*l|eQyk^9-iASMst{irlj z_5PV@g#RzRH4p!^#6RojE!i&Z36u5SL(TR}!@aU}&l27P-?Fn$KDG(oLgFXO_#{C- z^IP)!>H|&qMuR@Gq(2hsV}B&q4?oMaKQ!()%KIY0RvRv`gZINf{_>wc{p)Z4`{O_V z`rkkQ`~QIDli%r>AJCv5qNra;V9ObpfFUqo13KUXLSO_+-~>`&1zO+*VqgYppau-W z!USOX4B*cc;Gi5JNPyo5dc^plpu~jW%Z#9)l;B64;0jKJ3eq6Mv>?m8V4%dHN6g?2 zst^DI;m|Nk0~o*&B4H9L;Sw@o6FT7&LSYmtAr7DfCrIHHVqq3uVH8ka{8-))nw1cO z;s47p3rd*b8KPkts^J>4VH>*P8^U26%HbRa7{z6aM@SY(j7tjD!_`rQIiwJqiQyOq z&05jnAtGWTD&itCq8s|!fQ?yC{gfX5PY4}^a(Dz(k%)3GAGrnR?wOs_n*hdgTo?+r8>Ja`=(N$p8MD(3uIh2Rs$=HD0SIn7mG1dPN zgibM4UkwX0(GN`3$RH*o3l0J#=;J=}V?X-iKLTVx3gkc%WI-C_K_X;AD&zyKo&PkB znN93bag^0`Y!7sZnn763&?U!mRK=}iVuQpPMCej_smsmek3s;|S2#}|qKyaMBg^PP z4anq7(qv8Ah*qZ8IFZFvydIXI1r?EtN!6oEs%2xEVqrzaKxBp}Rs=#|WnAV{ zbQ~8({!)7EVvGo$vRO%a%%xL|O_Z#Py7&Z9Af3PXRuj#l@7bec(&h)wmj64hBXHr5 zB~oN((N8x*NGSe8iI_@x)I@`X1wH!2rvTa{N(5*C5J5oX;|LIhCD1p%$86T-cCKaH ztqV(fgkymx9-8GaCYHI3=Qtgsc5-KX(%ui=AX>WTd}0=S(x80OXMSFjeXbyW>gRv9 z5r3kfe*$QMmXCmbAb}d_f=&&KbrMo=T4i03F@o9!RZm#y)sjWWarEII#tS$#(Q!~h zh8p9#Sg3FUih?reiVlrU`GhTnQA%awC9cYE2F06HXJ|YTY7C1{*iR^WQWlg7QCw#U z)Ps(Gqd)0gTEL}{s3?ma+TlCfs9jWxFsq=V7a49J?4a$?o z>7qW%ZGr}yLWC_YPhkEQCQjx=u*a}`3O!QPEE4&@xg9;K&_n5wd>>yFIUnI_ATp6f>_ zW{M)~y4q`_dS_n>iYGAzin7GK9!a|1>%i6rf(D?#5^TbH;r|^rCc-N0!xENv-lM}p zY{ded#3m!fTI|NIAI6%Z#&T@PR)oQlAIOUA$^HY$hM&ozY{;rC_OWcsZtTleU(CvE z#nLSE+3d|eY|bX%&hl)+`YiAPZO{(v(Dq)@8m+w|E$u1o(yD9I7T(iBZL-b`3TR-~ zYVFo?ZP$8j1A;)kR_)kI1h%At7oct0s_ojcZQHu-+rn+!%I)0JZQa@}+R_4JlI`9i z;G{g`-vaL6RukV6E=6EV;396~rsCihZsQ)V;zDlZ$|2)6F5y0|M%zZVc_(?(O0(?N)#&Z=E015#BMc`ljAIJUMd4#cm zxF;5i1?27nitzw02aD4I)N=s!d>-{sgjPOOCm*AekHi;Y@cBAAIv9Kr!nh2Fx5XHj z@fa5g{99&a!e;pxt6E{JGGVJ)Eh|qst7LJjGOTSG*0I*s))wj6g>|WybE(I<)VkOP z0lrLQ_gm`j_3EBgIL~GvavmAP^z`(!^-RV4)jX5|2E=FuwF}&0YK3;01vQuj zHJgQ22}d%4YNtpITQLpm2RXK+24+tEOn&`LeDi8d^KM4Nd~I#t!WRNFd38e-l_NAgOX6hI-XNcL=KGe{)nm@#B?V76UW7hYr7mYE?#+bE3%%j%i)}ht* zq1B=pX4Mq4evCOZG*mmqY#&=c=*n-HI;xsy*3U3or;cjpnSE314fD*Qsjc>zqoJ9l zzM0+Df9cHD%*;&R{BG+K^JuKTZ=N|ezcn;}G&aB6wZ!aOIvQI#>RV;bEbR`hGUu1p zr&f=K)|oS_NAs(@^Q#A|tE*H0(skzi`qBJ4b7}o(b^Ty|>xj8JwY0@t-8xv^I-1}8 z2bk+y2kTo$OaJih(dsU9>43Su%iP*M+TGpV`Ueh1292qwT}6*i+4wnZbj72JAgMICV%X8vQ7RLMLw0kwiuhtSMginvjNuz7uH?<2Vj zRc^iYW&K%7sTtbi&@M1U>*o4w?~A7-F5D0!=M}1aw8ZR@f_vY~%JHYHuLs*d!(v&U z=z03j^}T{l72t=Db8c}|eSG0RUgh4eQTamO(4KG~h-MXXZQH$Z5>fkn;oTCOcK?ZL z9wAX&Yq@_^h5x5+s+47c)yL&a5`1^s8KiOt+Jj^I`4?UNSpk#5|T-O?PPS9CnRFph)3y+te z8pdY3SnG(}i=>+>#joZn==S;TSJc($dT$ zv|h-)_W|*=;(&l!h{QO#5REfn*Bf89U$5(_y^YlPZPp%boe%DQW>mkVR$g<{ihZTF zDKkyLn(T1~b*eY>s`AxmiYLCj)?y_kHK2Nr9@d;uAq{)?GK#;qo=Y`&uR{&Bl$UhK z6pz=L7LJ~8LTVoOsWS4SyB)RKY}s1adix*o`4<*NSs&=ZK>#)@$$VPcdz1EDW3>2G$)-N8LUE0lO7PZ8VcN)}zMHXyRt_b}r_O$PyQi`=@{dtiBJ$4c z>zjNoeXpN(O%|GAr60>a0WrYg5rD0M$%?Cy-Yx(Eh?ZaSHu`_{V2;(;*05QFd;?a& zCGX4G{X?zm?tExfJH>F2f(Wk3aYcF(!Hq z64It$@lziNQ4Y(qEci0tAoC#4^MWWIdbYR@_rnEug_aH1X3z^+7>l>%B`MbS>Q4*;uh>1S&=4#e=8JG@an=S|*jY$d_Yb-aw6TzVd2!yH;g1VTx zhiF?9;xtF#iC43h-4H;zIe#PL5i%@Qrv?8a(5!@_lS@*(f{8_LE&{r?XqjmuD>9S; z+;u)L;CCjPkhz}8jh{M6TSU$)61B4wuuei}v^EApRVf0GSp17ncDLjKEIS>k+6f1e z)O6KwvauWhpiwQ852DBdY32%6J@sx)m^dkcWhN<+b1WWQ#4q*Sd9croTeXMUU${%; zxUmzTzh!J9U>gE(U?omp$fkpAsR)Pkn|a*2bWm4(JnO(s_*<(e)0;U$88?7D&hzKB zyK@lX#p0)RG4ht1g0Xoi<4;v5@|1x?F@OL}AVju^`bRZlLC?%So+0TH)d2c30N4_vB8!Vz z0(1eZg-UCOZxS^XxJt7>u0s*?ym>&QoCl1Z=(;pn5|HubjM_`KU}MtB!pVd;4h&eE zfw|KkL~P-`8xZp#M}2q4L}fXrC<2opWmBqsRa+JlYaFItAhLNCy_Aq(O!I{ATzjU? zO}eN-GoV#ao}L}9%FU^gDTwnusW9CXcVk{XUvqQg%*R6eTOLzyDzd=<2fgHqzd<3N zR<}*n9arMt60twdl;hmAq;tik?;iQ|NjJeCO&6CrvGcObQ*TY>#;WD?I&LAC5~3nn z9ow_>zk$T7-PikG(mpE5-hKUPsL}Oy`RVs3wYnocZY5-&TPjSe=?cw&9fQvA7F+RI zs=m!oS-DYlHJ(&-gCphvAk>Nb;PR6guZsocg`@BxAe`G?pk~vQZ*91)kh}aNt#W~I z99#Wkp{-o!d^O#=$d4yJ@PDT;MR-a+Xh*4(pZIp$%ZQj21Gof;pao$ zpTETC5b6ii+vb*RK6iY1yo;oD=@^}{;mg0(W|Y6SN8PL8l)#8rNCaqDJ~9xGy{z@FDChkpkN2wBYM7C(p* zZ!rJ+c&Y479{<^H^Ikj9-IL6c!!O{9UU9L~50;B@hsbTfRi~u7Ow#ZA6`=1~03 zSY9E*)r}*Bkp0CfO7X6sJ&)V|b8a(3G`Uu&w0|sHY4ewLfV^ET`bDO~W*bkV9;D>P zT!DV~NOQL)_3GlXFfAfR<1ejpZ01v|LaH#`)z1_(Bt^QjAn`;up!X^3c0@05$gy|2 z0i@w^O|Q#DL@sN0Om`?IdF07^C3Mq(QQ--XiLB+92;7j15(%%Y4!98_-12I}ipH}* z8`Pv~CFrWT9o9OSj*8pe`N{A0X7TTig3~&5t5U-BG@lFjNOEmnR`4x@6>+G<_BXv? zpMSOB>AOtbVBd+W9!yQ_hwseL`N-S_%`YDoOxo|x9%&o@0Y8+z(avtW1RllqQg8qM zUIXLMtOFtoQH`*BaR0OIR{*gcV5pG&Ea_gQC;JlNo<_Ok$Q7=!?%U6PUYUG~H<-G8 zDm`LKQ#Fa@LH4-LV%!<7pZ8BWU``^=jFcF;mYDp8|92__!KT$yp@Z&V=D z3sb!c_IPpi5kL41JfJ*U<3+Z{qjT_Nd}5AF;ZGy$IE;U|ld|1|HEHCEprwp3 zC`VeUJ!!ni=U5^`bb$s$eq8K&@~4`5)-wRJ&-O`)KhfNrJ= zu;b#TREo-|=sW2`ts@+>;(4*l1tRO1U2!RP2HVoFWT`uOy9D%zt)Y4$iyYg%chtx5 z5Qx%ILFZSDigroO4%<8p{oe>+Bf!-|Ez-La?<9b#1cTw?*&Lx9&zXC9=DDKnAw@TD zc#BJvIpm5q5uPkbL2KiAcDD6E0Xq~ko$z%>F7xUFdK|iK|qIZBb`Po zacyX6Z0$k?;v|tR#>`+m>Y3vKzNPB$m)lUs`eeIko?3xnL zacY$2x0cf`7dbD7330`@ z^dx>`+4`hn{=H%lwIH2G4v^6`0}?Q$5~8$OOM4iVh4lP z80hyp?pF%s$k_ociNEZ&uT`)_Ro>ub4JjD-Hc)QW|EfyJa-DVZxb?$v@<$!0pg0(h zgFd7W&R4TXUxHgP{n;m}Pj0etD_0M$=|GvbV-9YuJJ*0MYOn5j)NRF)BgJ>3bK}bA zk>I(uKPURFM%b42AaWSA=^f8ti^ol2Xs1Sq{Z?lX*hTPGzsvEc79CuZk(6*W|O&)s7Xx(a= zFrS^!MImYmCu!9fSn`nLHizrnNOM0|*G0C^xr)&t16Ft2Drlw6+bS+Jp=+B{i7n86 z44QD>PR}u7yp(jWOU;i_FOhvCp6kExmx;~_u7foCLK_>_GvPlf<>VC8f`pDKc zob&dh9dqs@>(0kS;hB=n{<0dbJUX3Y0C(%|Yu~s3h!FjY00hG75CVyPZTUdCzaC>e6x`-5~gLBU_ zr~;Wei=eG0t^_3(8{*KI$Yjd>Ug{joUHoJEVE;@$rmO|pQ1e+>@41uPq!ECy#LY`6 zk4Sl7=GkhE*-+3oqS2T(!6@j~pQTEPx+l*dr#%)bLl@?17W(@a5|Fbn64Y>>&6t@Y zA=Nx^<}-U6vEHI+I)KXYun?MrTA9elWV^veL)gxHEN0wa%$l3B2w@wwUGdl&5_y2B zKSs<9N+KPOwnHzKKr5(yr8Amf1-9>=PxB< zE#GqHRQ$@`#Y-mTw$%zv|tU_C+W78Hk!acxrcHU;XzVs!NC_TbC|pYs%X1U zoF!EEO_g1H(Qzx+f1d@nhCkxI8(;n)jJ}sefFcQid?DI*2+T!)uwb-bz0eb%VZjv0zyLA?6at;Ij316R}mN zIo9nEHcR?<|E=#YA8>grf^-8Ul;&ruB#>4|N-F(AuETqlA#4XUWTnLKa{LFccVB$2 ze{wH`7Cb*7akKNAJTK}{Q;fT1t%U}O<0=J4A+(k0I$2B=k0-_E%hI*E_ z4qK4F&OF&N8i5rNe(62z+%8x&+J@$DL%aX$IPk#0?vDfzj<)hvfgKyhI~fXG)HoX_ zAqs)#tr+s!Eg74r3+*zdIF>po?Mnu4JjL0&wczPxf@!6B zCvX?ael^q;1XoO26{|4?3)}3z+Lxct*LdqgCV|jpyCR8=3XfaQSr92bA*7fQygyRz zj!-BR87Lp8GxjApTi0D0iNoEH-}ET&#-3g-wcRGPGYJCYo)l`TCUt^` z1wt;q-=TU0N^)m-4G`NpUxa~Y6!+CeOU^4W_vob`n5zokorbS9WQVkUh#pqL6|T69 zC-AEU`{ZuS+2wIt7R=u3o7l`geSLNI%yMr@n2o~){ZMuJ%eyOC7G;6FC%Z4sH*$QG z@M3ZKC+gM)JvM-1q(f>%O8S-IeYod3Ap{&9{NRpvNMVN%kAGd4Ml`ae*W-=ii$QJ3 zsh6V)YD#CjTT5zReeilbST{pIE1`)FmqN9ZBFw1yj+qKWfI!Mkw#@78ZBb{^tPFeW ztihn+=2c1i<(Ct&V4D{3Q|vHhzxKv@#`S#zr3xpR7vJTNW2tmj)`JU6Joo>;=oUl? z7v4B^sS0GxE_nAY#*kI>M6uzza;RqRxrlibnZK53My@rizuv+FEu zsZ_#|?4pnuOCZXKE@$5H&5fW@%+0<~X211dgIu{XWK4W``nXaP)IOAJ*e;4)Ka7$V zzQ0`fz4~oeI^prnVk$94BGdNKlY4)0_zzDhIVBQ4%I6h_;Xg~MCU|b{Fr#54FKV=n z=YHDzbKHpz@69Wph2iG6mb<}_2)bXTB^RbRH{xDsAaCGOT}Q=+Q_PSVw(`xAp zu7n`Z_yWrkHvQQfyk5@I!I~CsR~o`0=vmgX#Cn5pg{*Mv)4%l6AL;r(W((J{_iM@6 zmClac9*M*i?D!l|B|rV+W! zdAEY|QnBy19q4AUgZtwiX+nH?qQp|Gl2^Q6{V=f@eZ zv|m?K>}#J1ee>|n;-Zwuzcw1=GW2}NoGEJeF0TNsd&RIdl$Em6ZNYm^pLJwJM#9EV z*c?|t;cVD7%y+<8sAW+%9-(|s+aIP~{7>)GfVn7mKlu$_)DkpZ=A9kkM{i|Oj~)H~ zlm9q-MO!m_xC|Qx70w4)%Idz6r{Q)287;v^r(>Lx4Uj7M)264ft~I67rHDkfJ~?E7yV2eerNJ9<$%` z7i)}6J5LdFmJF(YO=e+_&|!K-qOZ=+7HFDzn67%2<)uj%7Mh_emQLKD8d+j{69W-N z5|Ta39>uB|Ql&<$Mg$U+N_h7lPJCI8j#mDd3z=?RrM znD`^NSBf)16NM?~*ZKuZKdpSF7(&A(*U(kmeip)qIYJR&5holGqc|xpqh>Rp<#bI@|8H zEcf7NHq#bQR1%dtKPq~JtWb)%-UC(R`E2{wM5dVgK0d0!#1iGJuIfC}C8I+<&8k3l zxBQJXFPWjr?ZcCq3XY$xToX7>0kW{&?0|3TFs)B0)rxtCOU4#!w2LvB6%<`pH8)S9 zn6TqTJ98q)fsP6mN60&7d~wuYHU8uFCBIR6qBAa( ziS>0&V0Y*G3F5sU(Q!h7l)&?@jW^dURLrR^QGn^qA0tP0QzLo%%|g0k8qb{x$&3FF z2kEXqWX36mxRG7HHDXq_LnUVMOP?(+il27|)X6*Ug`O8hqDHb{ji1Dg1qhrA2;3F8 z*8Fb4YlBZXfU6;HCY$zC^84m_Ry{__1x3$n)tply7KDXP#%o-?8om7RZmzWA`il;B zC03V}g=@K)k0o_UQG(Zq&}kwUW=KFfiAZLD`W~*;Q5AcJtJ?DyXXjmz3HAu*tMI(7 zv&-aUn7&=SLWv}|qh9y(55(m!wIsn6V(=O2+gL;Fuf{>;a4|o-YrY?HJ7cIYqgx{MQRsEy&f)@GOH}forVk2B?)vmzEjv>r=CeCAsr7%Z1T4CB8SObl$04^@unp z$2|TMJ;HW|ZShQoT-H!Rh!%Z?YU|Mwi2Li*G*94xVqndTL9gaNOR#bR~~wdC=MR_V#Q>@sAj4J1pAY@sGyCnY5Wf)c?eOszg_%oU#0wj(`b2tQI_S*D}ocQ z#EGV|JWd&=~TJ zQRB;#)nvk1$BpWIB45NB`Kqg4thpN7y;ey>7_J96aVPEq0~VfE_3cyZ<{Qz4y;c!6 z{W1zx5>d=WAf~<1S*^-*jKa*H)ck!G;e&V^Io|f4Gau;KplY0daa?f82=V!>UfHk8 zrbnzxoHgb*TP?=v6fKnYQ4oDFbXZ9IkiI1wRz$t$-DZZGA$LcFnff2ING}@=3(dc-|n&CMTwkK7QYMD)o#hi)CGk}?!#)tK0<@MN;AytGpaFOYM$3`g_5IQ~j+RGO) z*xtfCE(;#r;Qz)$$--4OplOz#5Dxb^5O*~4^A2rXv2h<_pV%bbg+ zufy1Cj}8|~Ew+p_%Ws1LL}D)z^h%gm*JAaOOvDs|`2~nRL?S5L3SmpJLy)2cU}MIX zfUPCM46Z6b6wmGl2@q*ypehW6D2x&p0G?Y>n0AyV54)W90Pa6TX%<92ztsj3lm8d(L2X+13Z)gGN39z3C?Dj2NxZY_laCMHtY~K*CuU)*Yk=FK*d>?t+Y6SF$<&W|3 z9@*l=ip>HNyr6@CictO{LF30PQh(z9>J0x}?)zjFE9{6+$Q~9Fq3j3~F+_krVp#0f zU~ta>)5`ug60~F`z4V!dK_xSP;2xrbtaC=xc`@-XdpOTu8`TaPy+Y4LQ%3umSTynV zl`riSwk<}HBtsZb!DIgy33l@*4;xdo5m98!1Xg$WKLl9SacrkLdiLgC;K2a2&t ze}5;8AF$n@Jx`jR_|G4TsDMmjA;6EZY~du;OT_zY`H4P5onW&m$%mGBv9r8W-v(j= z{SoeskGk)n{0JI5Iux<*+!azp`b}ti}pKJ72ACgD@Mc>x{Vwvz^fS zz{s;&5Vj5FwVd1^0M|^I501c$F*4b31<&zfae05b-YwxNBFZ_Gme`fX>05*JEE%SEp^QOP-S4w`idIBk=RF1yqD5rQj(SNai~1)BW`j}?#J6Tq5Cjq8 zJhOhr74f)@g=%#2$Qu52{PWR;I_%`d{TK)i}L`#|3{}TFwAG zglKsL5f{Oxp+zjsca8U-d5R}NrXdbyP!2-$`i>jI(n4K#x@HsQcfTPT80;1Pc<5uv zIA&q0Ryeig+rJe_au%Ur{Gp_tL6x_oB(w9iI+sSF_M{Q#7&CaH(tPyx+_cYRoyi#P zmHw*}if<<}6f25CuQlNdXZv2wR+^B?HbE68BnpEl&-nKiL?9dBz{jv+W>_f{!HNZ7 zpX`W-$J|zx?OED=72w z(T|0~j2Sl9o?h#?ag4`l(R=gxtj8Lc5WWP{Nu2&Q5If@kEi zl@>6B0!lYY0ENJ_y@0hQ!@|8sO<;-~(GcgQgR&(Jzi2_qW!0gK&2K~H6FIdpwa;TZ zOo=YGd2tNilPiBbSZ78!1_h=Q}cfuT0J@mCdb`zxU!8AsC9TQX(!Z4Q238a(}Er z&cxLEogBL6XKHlz0>o^*JCzoD=uaDT%*`;7+D##URT{>BS(3tks{d?J4&ztGF^(9V*pxdOQn+>A=LAd%O5d#&d*m796d_Da4HAK756> z$J>Dp_1Rhx1-?p$uSoN4#1^FW1Rw_11p^N`<4Z{ zrocD;prTM@K!El*=QPRErwEcX>{yx|LODKBQ2HJL6G z4;<&n!GR8kUyBZA$sX>mDTt#C-_BXcs{#skjnu8|J2CjhPH%4fJz19#98deE+v8s@ z;L~qS7S&qUHN74`y(Ujv+DsvMS(CTtKmRa|`5t^dNnXxpLaa%23lewkc-_yH0o(i? ztX#Vu&sgjC@Ey)XtWRyRUSYGqgHOZ=#5&v{3~OIC3s6|eg%sF%4!Jf%0Ye)*jP(&rPD;HU>7F<;p~1aIy6*3nAVyKL^^BuB13Eo% zx2bUwssLLL*fL~S{~YW=&og_g_E_A$(YbwNn|%)FXaU>(b8-7-S^MTs_bp!UTXu(8 z+2Em^m+>}<8%-qJ9oVIaxX>P!tBssuALH}|6j>;;X&1<1G|)>#H?)xCwI9Y?&Z*{V zD)zWmiRGXYl9D_4<0%G&I*bdqwZ3pC?zXc*bZ;CXg4_8uBK;-kM!iymLbyUaJg}~U z!18l3CDd&$T*?cHr?6ai4tLm&xjn7q&=Ye#I}-zuwbXibzeouh2^japMKIuMvqTrg z+g)l-kcu02`#(Z1Mz}VEf&?O%sAWtvU=mdI$pX5FE*5T>5cl^T7TU2{k6aT;d!Sw9@hAMcaBfjHKy^ih)oICUA{z$ z;gA8#Y?z>N=#c(YPPid^CPj)2av9L{ymYKX0A#?r}PdRt>QIYM$+&oB3hH~ z6J3Hp9{T4BEoK`+Q(az_cO#-vrVz;YIh?>_FF$n@x8#i``KS4{VG>F$&I+8;8dydJ zLhxHxr}YUlgqz)gPO79hJxs+|=y*0>HadJ{k4}7d{zJ?YEwG)CW9LNE)#7UR`gVd< zPsjNTz6!44v$H;d#AhW=#)HD}(h&)dJCS#ko4+8#ITTBTLaW$DmbsU}5zE}xx)E+` z09V$b9~tD-c(bqihL87E-wUTJQpEWLLj1zU%gnw#@qI;z({A}zW&7gUC;`vCONLk~ z?}U^LGgY`&xUBU&+{{R#^A^}71-K5e%yMmgwoWM%xS*KoCHvGtrBmvFHh2}4S$JVNkOv1EklOLN@N?jx<#YeQ z&i2g?SJj^{#ua0~ikLsmdMv7WYo#u;{-F zqXs9}QniC$RT5d$&A>4iH9cF5MEr9IuybX}=J^IjKdCWIS{3g<(&@m>LQ_N>Em}ml z^sb)7!rAsB3}5s1*^Ltehy=N^AG-KBOF0xL<8=+HI^}fh#(NGfTMSgsQ0$mO5C<1w z1E5^`Z&4x{`jwaZZ+O@QLk&1OT`Vzk9gBlX7%HLoOX6Oz80Z!v^rs+L}6)wnV{kRuBm@0|!U5 z=+00wBC?;qO(4nt_l?H!`is&h^I>=1u2^uEir=C6Zd|LBOnDExsu!BygSW%GYhV{E zK!|8JG-ft_ExeK2Zu_#t;|YkSy(G_elpgS^L^Ob}B|PGsUIg<>WgE&*9>*zv*{3d+ z_r;;;=KVVJ`4bD6a4%NH9wKs^=Je4T#y-B*&0wY6ivApgz+aXw z{)8w2x1Y;URmhz6*;F+Uc;A;=sD4-F6{qLzgnAyu32AC}VZ!3j~WWkVNqTkl^48A6uHB<$aQ#(kOm|g&b&9x_wrej z;C8Bjork8g9?yOe;%)4c4$insBz&p&gb!OA3UG`>GuKsrzRrmqFYix#b339KrjPwm zVfA*E`)RYXLU3Jd1rAW48qe=ro2!a5z;BlCE~plPfvvaluAj7%2Nm@+X#~qMmlF>y06$j4=*EptN`{Ad>N`u`9fHCqQJ9@oUa-{zAhUa2O?uJUB#jex5T@cqj zEeLApKfV1?T->d~Nn57w@JBwE$TMWTrYgEJq+1Dj|Ks0 z2Jmf`#r=y}{VXGkN^$}W_#~#Q#@33Lk>2hcrA+$i@(@Z*Ho6a1x=2rxP!UsQ)2f=rsPUja*6el4|Xi?M! z;~I0`1oPdxOXdtC{**#NA-Yy!=Ltac;E&OtfCY|L!Y@`46nsuN+z5lmuiCWG0_6e*3p=ZUDt8=Hhvd7zMWVI!BPe-8WKmFybF0!r?;- z`yGU}sNGbuPS~hmu7s+?!jAwm5phw$5K$lry!gK8r^K9?{Two_Qw~?auH%kK0xM5E zVPBI}#zKxoq?Cod|HJ^w^ve=~tZk0jlBSkYe~mEaUSghJrs*W$UXi9flus{RVT|bO zX)IkWB~NVEb^d@W&CYKr$Nw&#{a>r|39=k3Y8$O60{R7J;Rzr%x1u?Gm^Z4n?F2 z4egxT?POMj6n!tKwi_f!C{!&q-;y?7w^FTM_Monqo6T7iJ~7WOd)hM%K2F*iECqF@ z+T0*Zv(creR!ln$_-w(p{{MP-RhDWYSg0RX+?T-N9FhNpQrF3OZ%RDR#! zW0pZJ4`I6!h>F$0*o0Xd3(5i46d3M9ejctxq9cA`52Cbk`0q$yuitnIx(6uemV%&H z*jjzu)eEX`_2}4=lrp<5b~>70_D5QGTF=k%^sQd&`@*vd*c8a#KWI}~i-nbDg=_cO zYe8It*du~_+5eg#@W7>7mN8a2LiL3HH)EXmaCC9IyWtnG>XjJnFFXo>N5Rvx4-DNx zn7owTa;%xXd?D##fxi`fMn4J6n=L(gUfvvEncg5bYG)u->aQ7cIm+5&G}S=lxFaj` zt3K99#11p>n5=;4NG^`LR`rD^9M1w&g2RYx^eZvVt6F!`K}4Ph8ebK(<*fi=a}MI@~i&AqpSu6<#3O$uzb;mK&hnCpT9i6{Q7h*&|^$Q6mS+@;hi6E3pAgq z`gbSCt6;H7fo37~>_(|oPeoR>ed%rm*;;}N0az=G$7+0uOc+-uQ%)~_DNScqA=0|v zfdIh)Biup2+F*wc*+Ua>dprLuUBiQ;;EAbdffC$1r^-i>gLtevXED@qET1phEZ&h~ znDAg3P&d>hdq_D~|NL514UgShb3mAo3GOqV458 zYOj3%p(x#TCC0VFBY|5hER~<=Z}_+E%p6f|A2NR6HEFPkw5Y*oGu`|Bf<|76e~@uk z)tM8{teN&uG^Ykn-?`kHOP)E9`~;utQoV-!8(p2Dv}y5mk@MtWeLBCxg##VAheLji z>-NH(AOQi;uH60oOneJ`8{5Qux)-`TLIb~6ojVwdjaU43YJ#h@NCaSZzW7oy)2 z{j1>AQSSBg1m)+=fq&#hep`F5HsNu1o~YQ@j7HY3MJeNE2-6LUAIp{BH+znq7KJ8N zZ^+=p`L-8FFKyWyU^;`$k@S9x&kgkxPAd!1tKY6|DSEAedcNMV7s9iw%LMDpTj&+!$NH=YGV{?)2&SYHZ6AX0!A=_D zqhjf;KQ862e`4bk<+ZJ2&n|tZv}5k0@-@fDRL^75P%-guG<*7v;KQ<3!2p7)kOrTM`jcy-lbfYN#0On>M9w6aa~>HYds%zE4*m>)qG7VbDD_Tn@lS~=RtJS6&`K)x4nVa%TXud+Z7&NSji zSYTT4?0{UBs@79-(%4VUz-Uj0Tge zG^=*%uwMBQS?TN(_2)})hwFl+-WrcKq66)}r}S&ay)b^%sb$m0pMO*PVy86iW=Wo> zM$tdx?4<6c4&4`BdSYF=KX2ffMmRI@Bg14tk9y8@5W~LHd_hJ7Z^kpw$zuJ|=7XTQ z+wk`-6>S@`qz?(zSzn?9AR|DMP$PXBM9aBDrG+PCHtgzQlu9(@?7k6BJc^%A{7<_N zK8@$|Kjriri~VNE>db1hH)j*Kr}gF>tNKu~m%kvsjSX3kPzH2ZAbQ&!4yU3|t?iIY zPlr@Tol=ZGO@!z(jBvQG{@QGiYJjVgiS&B-`Gilqb$a`y?ptmTZ)$$|80iWYz&~d@ zo4|r-6LT=qx4PwdiH(J&GFvX(`=`zPaByv)@E zI-xKGluqPJkJ6z*G>oGiAF}Q9ZK2fdm5m`9v}m35D884kKw3ZHZU>=$hGL!Y^ZQ|; zS-Vv}0)m z7W(eB8~>*M%hTBr-h%i9L?)463!-mD0u-ZoSF2G!MM>i%sk@*^v?;h62su@FC(-zB z$LW|Se)l%i^Zit~RBo%cW0e-y_*_g?p2<6ie(d%M@(T~fBLnY{^7*T~M^ zq)T>W%P3tdiezV{Yh-5>->h_rQb|`D2>086a31g9&g(p1&v$)hHKUI74&=O?-aD~R zwHvh$EpVh6FGE>!t^4DL{ew!xA?-qNvMMw5nDo2&evwCdagbX4WmU=H5pAB%DHkw@ z)HwtetW6wJ#H;7eJj`#Cd}y;#>n-(B0CJuR5mEMq5p>MsOci#LnBv8C`Ff(ARh<@m zM5U9E`V+)>its&%YWj>W_wKzvLO;EZz#}nr&iWroLu$t$Sa+AzdA4MJ-^$*jhH`!G zN)S(sDX(1Bt7wo4Sx;Hj$Iu0gd=UK|bnx^~MTS3voIV|*9(-$(oH=8{bl$N$$@I;3OXR=MM(rNZo~wx?H)32_{LJMta&&4EZb?aj`V8NOz83vb@ny;+bAhVb3ko zahb7OMczj3?|ZL~=@|{Da_#h{4M#a64c$r@#g#LvR{?plUM>7(*MypcP4^U9WBTc! zA{ipz*8sv(PzSXcC3lM^^~}3e##Rit2S{S=zrcmZ<8L)C>?EsMG8Wu32@ps>Kl{uo zUE}&iKkBM@cND`JpCPreoZEEDql@r!^@rphBk%>QTUy)Tc~h-8^6>?; zOfK5DD3>J6Vh{8oT~{K)9l;#5Uyx0Z2JOg@=kyV2!yxNx_mE_} zD&^zd-gU34$7b#yoArb=#UKQo5y{`$a-^b}=i6^#B7|3va2#p}pHt~hd?-5$<78@f&v9F0Yb~qypM#d1Bkwu{Ty%02N&q~ z)gXmF*46srF+3TPS2beHu!AKLg>*mrhD$AhXPcR3a|KO=KJOb&RWxOwrpJbQiY2Qg z2<9g04q+bm5NK{6H}314Bc_HtJW`dDS2O}Ov6<<%Rw&oe9447qp1jMwt?cZJU5uq? z2S<4I6kc&F2n(@DUTex6v6uv>^G<|c@i8}@*7Z+mU3m3b&es2iTi)-Do?*Lpqj}!% zn0+pSF;|6`+9G#aL8$3`+XxoBbdbawPvJg&$WyNHnIolR{^({cH%M5A2Yi8&KC`|j zYo}ik+Uo*Ikv9F;GV2n10l_eT1HC_TepwceR+E<~s?e!B2S)0nIYT7)m{m}1XERmi z63%XO27MVA68oSVps4?(%blLca7GFZN*A}7^X`f7^d+!xXDshZ>Nk482b2UzMk#(3 zF)z!6ND<9>sSf{s)C;aqg+{Xi6X`*yO5wtmmi5E0Dc;gGkHoe^C?aEh$p|LZSV{L z=f3WZj3+xVjXr?uOO0^_pGF%e%UxqPEV{pLeTU)KyGTRu( zsl%C=9C^S(g7bTHe@^T&r!g}?M_ZOyw?p?cc1Ev(R{8N z{0NX`dODU`PtK5ZOujNMAtYzP=(*YBZ=>(zb>DT2J1haWk(_W%dzXw6=7dKH;H=xS+0BuSA* z6^TZaRx!owDtR#$SZnQGuE;Tjd>0Iv2t!SWFLRh`_^d zS`B%uF~X^^6739gJ+>xe(mf%_9nkX>-qr)B+g>e27d?kAz+0eW(<+n&&RNpl23(-H z?G}Pc{wi+?D7g9&d;WhNlVl?Pc5Y4u@yI+1THV9OM`AWDtrT z6{S;kvQ-9Y*KaniV?)wYZ8z(0GQ_-8-l$BypsnD=b7+8<^S)I&Kg_jC8naVsNtH~M z%5>q?<$GN@sunXOKv)&~+QTT5P+}OciXLH0rGT0A*9GWS#D&@PbLW0|hQXwudrIKW z`g@|uh!zjdRBT$b=Le^5#*2Uo)7Z9-4K5}A;zL~wDhZja{)*+3==dWvgj~t4S3jsk z4bdvH(u-T)^xWjhza3UM4)9y)o7c3QL(#;F8m25{dzF#{Mn3Sbjn!Ou#@OTH<$brV z1rYh6gY@72z+u9Z#3)9DdfwafBgYagqaSAH9J7jC0Y>>1L(MZ-*D-rzA5e;Z^ucI} z;d>f4bniUeW4)3~yT8W&MdzcFWkw{9|MM8E*K6An=kCc#UF0*M-o?b<8`0}UzqQ{T zo!Hv3s~XHTbWqHk%ucPZc85q`g>7JOXzDT%(1{So9y9Leg_5S{Uu`fFGT4K@G7A>D zrfK0U+~d$0DS|G3we6y3$DFhFD_ipQ#Y>U7XO=sDMkZ~I`@)LzUfyBg>x(w?j9O+f zcjjuV5*+hdIzqjVoJn0Xfch?#!F;o#8u-?s%4Xop**jAJemlcSuuLGGUR?a_Ly>H7 zM4KAYNJKc=eoS_-5_Q2Syn7mnaf=CsHN|A(-rN9`9(QAQOze95zcob-^xEznop1kW z@ZDlza%~|&jC(9SC;(NZHvOxn@&V*^Le$FT_ov(x|BNcx;}(l7hC0DepJ2WmU759W zVtDT9=2Rq=HK4U)Xcbu#^TL1ZHLKfjv3yIErQ96H-_Ga!zI(TMMP6Kclv4S)z2!Fc zak6x|!)WnVNY2yO6BmE#3eVaZDXgt8dG^c?(52omaJsu8qCS?H0upJ@_~&Iky6asT zzem52bAIjYJoQz4KhrnVt64!m1BOnrEGxOXNoZ$T+fFwA+v}mQ!AqCz(Hqpzol61i z^Mlr!({RoN)JOH^S^ZcNKc*^O;!N3`brV?bP(4}3H1^&{c|WPvJXl5~Z@a}gMXjP{ z1d$jvRV;t@wyRm*Es>f+w6sBF@Fcs_*oLL!(o;6|^=$Fs<>|JEzw85klhg!SS@839 z8S&TQg3-Eym-oT>IfJOT$8K)0mSm%QE_iS6FC3G(ku@iWZgYX1ER&4TyNchgem3gVX zHs=dl0M9F`;Bq%-*ZDMQtDo$<(|Cqyb)j;nmO595KD;CRjN^e;*^@@4A}rLUd3aesUwut(aVEY!_u_gkMD><$6+iHMqcM#l#Yr%R9MbAt;4BBjOY|ni9Xu^N1hWVxD zt5w1`#Vd*Y7Pr7kHAiyPBPwzmo3ou|@vOLc`n+Xz1x==ER?Gz8>k$>nb*t{ll|<+6 zOj&%WX>6AWE|8%;(hXR#QDFTR$f{xf@_<$8cpC5lI32BME@Eq^ICim_HH39l39VQ) z2-C75pfC)S0U944v(eXCkW`e*deTSgZ!`mvuCbS+9a66w0_n}>(3<7A`iS+~E-Oy- z2&;=aMx!BnBZ1bRJLjH6^RP{P(LN4g%Q@U5x$TQ(F?6lSHkWOUB-%l zhZXh9UXM;-WIBvw>XbyThl)f4{Pfrq$w#jwYcWy=7_q;5ecHLKuaqvd4|pk%t(RYO zxk``5H$XQ-F$I;ZU$DI3YeHX0i-kkL09?0TALsLFweV&QKzOkDNw(^Ff*@BS=ecCT!ola zOrLXZ5w6=qnx<>m=ANOChn@o|-5UvGFH8dehZNOL#5nr=@&x^{abTDdf z*#^*v^5UUD4@fGtKr*$RHTexxmnytl!0bX$gA@&!5woDTy3w6(r52!$1z$jJ5SgH;Rv1Aw#@(9t=hsHC zV!x<|6b@fP5wuvJd)x?>!|AceoCmjI^?!kCb`5(29Q--W_dBp-9{BpiHxo#fd60qh zAS3lBHaX&Ca0Z!$<~*YA9RZxF=RAfi5$f3EQ@7*)sOOVdPx_v252B8Rz9SSOJ-w~n zi#oV&yYu_~a{W;BtbPHEK4*Os3|3;d?e5^8T96C|8Pf+`zLJ<{J7ipLaW%?%{GMwC#v6^(w)D_xEb``e0}{A&=!png7{}N-h9r`tjIHlg6=U{7 zom=hQjT-{kK|97e1b!E_hT}JhV)eV@-}@Wuo}%TF$ak8^?ZYYJKn*D8=9I$Ssj%l6 z#05$w1%7i7r8xw>r-~9m(MST%K8KWk@v$bitjW5Zm=33fihT5MshW0GJ*u}J5zr;5 z#fYflDA12M#`Xx4Y-NUgHW(%hHvB^p({sY#ULWn z0N>!VK(*@lnLnbdFM&?H+Q#)`W?VwfE%ripF`CNFFlokw--(Zs*oXgRf%R_8nK62f zxK3^n1QAL&NM{o9!|BHFSF`yHI$}UhiSB#gS`M*F?TAHEv2AH%Qg$d?z8nbQu#j;Z zj)3W8*UGYt{7KDaV{JaT{jF<2fwQ=?-jk^W2feE!gHSx%;I3X2KD58micY zV_fxOihb2CJOs&DyehQrwzexZy8S!vlSs+3GZVrSu)A#O;s=GN3wwMFLKkhBKQuPs$ z!|{?aXL~6TL5ND_E!+AGj;I1Rj)NE*75j2_JDtnjWZwBo4bCd$SJ1(_nHLsdr2=3= zElU+V7K;M|I8^}p5DTdH1TF$V&k-O&mRQ6#(NR@T-j_9TS2YTIG!ziAY>5r~5#U9v z=mAbagjecEj%qQKwTg018^GA8=x-*TN2cF@#i@2P_5pvmYHuZ}=#6UkFX8?o=HXvH z-0ek}aMiRhp~xtkN6S(&)=>yRIN0R87ZrfH!#132mw@WC&b2B%)k|2wunhb22!NG8 z`BjF6Y1CTdFtOyPaQEf{LQetEJy6ztHx7%BMR{R+pT~9KJYcH8Gwb!nkn$>TY`3)= zimZX?Do6g;i%sHhWUuTg<>#dRea_^LiUs|m zz$=+7)Vj`ZGh985y?-eiP6Sx#2RcH2L+Uij?RBV8jIK{yPu(rXo2PoIm>d;7Je(!n2S#6e|%%iN_8LG@&R{rhL=TcQc2Yh&}Ky{GbmI{; zB|z*z?p7e{<8{G`ElwdZX~U!&H{`-EFGI|9p$t0GTv%q+ch>1)93R!{edAxM^j5%$ z99bMAIY&NU2`2Qsu!u+0n@El_&Ut8XqH6W?j;p*?bRB85+i%v*PT8ZeH2yc$$G}4( zHkY4sGaj2y1cOOcGp?q~>Hzgdb4K~<=t^n|D&P7U}^m5fo+0^*zj5QG}_ipuV z&pQ>7apVmcVzsaCFYufAK5cdVm*B=9!c*}CFdzWk)v6X3;!GFdWCh;fgyxv8j6V^; z&F_Hx-bf(`=;HzY-;A8jBMv|Ocn>Q1;*;eMDjjTLx zhZBJ<`nc;FN(2+E!36$i&pDmgitoOwF>%tr0oVP$?)-jBbK=95SC}iJRq>P12NUD> zx-MMVz+HW}wbCbkWpey@?A47P#r`o+|E8(>u7UOz%KhGx=Q7SpkAZjzkhma{s8@Fg(-P)KSDHs`3K0Rzw58GdfS92|J*oc z0q<2lzu$P6%c80uZw5CZuF*oY>EJ{%T+zQ!L^iI9z_0c z-&T9$-m}ivp&`1>g4$2pM_2OV{;U2nS2k3U_Jc{dBsY8_5eQleH$+iw;;3mHiPz~+ z?4llwEq#z-SF3&0(PJI{UXRm|lW+_4@GW0lP(}m=@uLI2p5~FEdNoc!3|D0P=am7K zB>q~33tnP(aK#^Effu%2%!(R{;$KQ#(UHRwKtar(hjPT_)2mWL#;!ke(S0=_iU^;i z4b7a%Fd6skw7=)hP)e^ z`kDP3n?lh905&l(uXK}#NKs2-o5-t_W)wp)$^ox4tF48&rLWt21?#|`)7`%0+_gFW z;ajqtH*x)$w}dx43g$?;Q{Gi^JFw?V6aQD49Y-R7ssi`sHA8BH16n0DCmNymR5g5I zZBwm@?Rv)^s~tE*hb6*9v8bwXBYf6bvjZ-_bhOzQ;S+bl8t zMAJ8IZH&nmVQ|T;Z%pLCzroY*32>L5{;QundKpknMctJ{!GQc&4Q}n8$a(+M{=B^&7+S6+VA5; zBHHa;e_1(KID0#CN=OOJy78>di1F0y ztzTA_FUwMXUn*i?B~$!^m@hwWC&;v6hOu?32I`KVdIU=XuKIOxDK=xF9#o5{0yYrz zBSqu++>~lt988%H`}D*0VP0zzNB~?nm@SqgaZKVyPzLHCWYU@axlD)EK^PYf%APd9 z{AUqM`LPF&-{8N>Lkk1U7Hi=FjC#PwA+A5yuE)8?7`Z&8KA;a|L7{ev=7(ls`p+B< z(hfclIA0w|1S4j^b$YI2=pPL5RtwzG2K0OaE+yF)9~JqR5#Q5X&g`R;{Nk(y3wVGH zMZu;rI8}hOnQaQ9W;3+M7Hq=ngw6v}MmBGf$CIrllvzrLnC-(bRZ zRqd8Dlq@5)=!W*_?$>YL0y3iAug)u#KHBls8!mx71s4%=p5{{;%$I%Bed*!cKO%0q^o^fU!cyn^QNzVO+`jEe{~;;QOX zKPN?ztC7a-G|u^=Z?eKVRyjwDj?5C~LFwxC_EcW75-d(zxmnGqxI8Cz4F3-&4|E|lm#$xpr_0S&d> zq_~XmIoPMxKDm|%RY~6f@!T;#@#$ge^#C0`-}l?vxC- z>MDnOzPqk)M%{EyO$rgPDC7bryadWx73isRZk&~iMVvS8bfq~NoU=poyGGw`26rcd zN~m|PFq}h90wWB9ywA+3Z4Bi~RC5sb(3mab7u_zUH=4`d&Ovsh?yM#f;$$_tk z*Y8jpo!KpD6D+UEwkXDfiaz}uJh9E#2zEs*7fLAFW3^f1Bm_eW?*uKWh#A}0FKlHW*MZFpU#>h1L{RlPikeNXuzV; zD6Ri@ncu@)^c@hOjCq) z(xOl09Toa0q-2%_Ls?(rRW%6dM`XhbsoP05J)mh4a-{+;XLl(R?~NXQ_xq%%fdZ?4 zs-PN|!$ozMj9WU)`)=z=dBc#W4@+KuMR#^bz=92jv=i8S|C0E-0rdNegQervsEZ=` zt43g+j^mh?mtR6N7mm1#zvo5E@HJIr?7!`(w+y5K6Ht|SN<$3FVy|#>RIWK8%)9;z zh8KNCXBwLnK>hh5(hB-cJ12aX=Aj9r0m{*d6>l!5Wco2w>07T)o_4>l`ic`BQBV8O z*i4u2Zr^rv`b2Z$W!hT&MZRLf24tLj7X*WiiK9zYWoF0={7Cqv|jsB^Td zjzmN%bQtUAAeh%ikvRd%htbaO|E$q%geb6M}>Q@F-}^EBjpeY+eQ!*6nM_*?mvTyP&4 zvJ*__Fsn>jy~g8LDOA13u?rE=?@|a77m4n0h`?Opfts4QS*MP1jAAv%M}sHpLIp5j zJ3MYf8SzG2 zEB>kWP>$t2O_NUApj_H ziIEQk^2DR&xAR2~Q4!5|(X)3`yYG5Z!2lY(%42Cx1Rc#n55;X+85r*qnV#j|apsCb zQKMJEvAV6u>!olik%fQI<$-Ow8K#Jvsoczsg_;XDE&*3Ov&0&g(D5j69%3e)1u|Qn zjV%EyGQV9!4ycuY=aBP@_vn;-@LaiaX}PWwa(>ov!46tSLH*9Xrp*}zBgE_;;M0kz z?czvZA1-XG*|m@hEldw)ame>CWl?~+N?kdFB6Gx}d%6xUiDx?m5M~bTwwWQ+^T?`Sddwf@YXJL}hhjx(HA-ts28;IYzU@TUGj!8FF%w z*}oV!h}TfWaP_lgUN+1$C54+L)`qdF=2Dh^!ozER4=<+(jgnYzQfj&I73h)&{l*2O zrPW{^SgtgBV5vOOmn&Sn384H>}cl1Ph{vL8*md1^{3Eyw4k=Cs=hDO_%W6h zyzuDO-GBDn+GUfb<;T!BM6P};>tm9!KulJ!OoQ@3!!17ceVM1CObr6-jr!K0mJrzN z#R{3^pl&V%6?phwJ#>-exi!%Y!=iqvvW)_)1L(-UP>2h>;ZDiZ{DUA(0A5gb_U(lH zSZ*+k46Y@i=75&rQEtX`)^E$rTYOeViNpgdW@<`iR#!_)Pn*_Co5+fMn^miAD(f4o zSlA;|#;Qx&i&Z}sL8Tzga+7sG6WtqHJSMwE7#mioP%od>TFO74ZrP`ePJ2aYkf|`qUp8;A z=W-=icepk{;kxh9+u5KG5PNUsaUlnV&G$K>zMMd_Q1@^z94~C9C)>z!vuC~xXzl8I z-4zT#&aiv-DIpHX%;LR(HL3i5Z})xE{v?}D)DS8iXcHnsS4pgMq=!#8IvH(b_t!fE zhyP6-9lAo-Zu9SxW9zz%>GG}QS{s7h-%soOE7Euy4B#Vv4!m%~J$o?J6QWT}GA#n_ zbPhekz41rWiOUSMDR(VVgv?3^H#MKkpI0gZ65>n{TgHe$R-uPCBCXGfBbP{Ep`=hnf$O(gJgsw)6Iw*j1v zMJ)y+>X{`kx%63shArbc^>;xWoB*qGjo+%#cHLiY#sjRa&hiWozCKeNxP0V1El5xJwvnEURF-P2^K*c2q6 zgrX9V7d0d`0<=3dJVtKoTe-;235;)fyt-@6<7X`kj~~CXs{Oi;E7Vk(`}{x|!ob;V zKu5|&aP{#53#7YRVmY&=UEpb_S#>s{pgW+>Q0BhpEaU6?EERQT1wuA@78#>C3OT7x zk;$G@L%lH?rDOAh<^J`+ke$wRO6#MF$}HyC9tjQj0txjdcq}B}w5QN)#=rNgj%=sR zFfqjC&R%Cpn6}bMTCW{;`ZkC0W!VF39_GHjfB|Jk>)y`E0boONPZRxvLTBP!Q9RN_ zcTA1Q8AC68nfa$8=pw)%cDXF@zu8lgMCk)B5k4`MqFGVEN!~7ZrSg z@4k9S{){S+O{j_QyI#cHkWXdX^aGiZT9?tt=>W;tBF6eDjPK~8FctIILBLmYIa}l^8<;`BX)$*7fk;?E&@}IssqfkC73`V zQ~6MJw9Mz3xFuv@e0_)+yYP*$S~T>DU&~D^2;E*QpO`a;t`@Z*GU8nqqSH2%2oa=^;SJaOl;AWBPO&F!!xg@R5 zV+zx&SIshHXe}1CLqg6!S!evqyqb;N!J=x(P*wj$a|+W51$pJl+QjO{;k`A5rTmu@ zSuW-^lOp~yRiHPq)S-; zL0o@BKrXzhS}{ky!EXE@Z0J%~`+k6|NsMjBs2?OcYK-`$?#>rFHSZu`TN_jY(Se2> zFQ5dc1{yK@gc7jeY@gHIKztoTe;tPwn&-x7hzs1sd^=_Bi{b#PHW-Ev?q2Qz@Mvfl z8gW2Daa+7wGl}r@L*k}U2WUjttnOUX6Fe1a)xWd0zVUT;5Mj|jMuY1HXCnUscruhj z2muDME?Yc|{rC;X$_mCk_8~*B^0bLlTX5UEJ9j=Jzwgp^2gfK(-ocPf*CvPCupZiaoAv-V+b((7oCujo;6w(A3ZPpuYd| zo!*~JU~RM7gTL68S!;fyy?p)q@9HPN{jP!!5@7f6EDb`xUx0tdST1;c|Mdfpk0$cN zgE~Y7|D*}GRlj5C41qx)t?@JRYN$hvuYU?=Fr*9k((gN2Gl%zQ4k8~MLiU@AUnIv_ z9?7^I);&GiRXA)wB|iFo)N*s}$(g@<41YUv{`v(Rbz2@9P5*uI{)_i4L#5^M%b?@Y zoa6DQ$CES1uf8A8pibtV9$%sUr39VW$+rhRJz1GKdH4O~J?eD*%;^Wq)2*OWhw_oP zPfx$joPPU$`W;2zJ44^Mr2h({|H+}#51-Qi&d^W3)9ENQoq<)%ah9r+%*3hSxj4J7 zmyQuvM_}Bm^j#owS2h>tK3vSj8Qc+bdcA2}C~eOwfG2KUZ~?G=HBN6nn%`54*xfX4 zy*6NocDBJ7)rvDPdNTC*@QN&5P(puUe8&?GFqCR_1a2)ae7)3s{w8a{zsiRKH}GX1 zgeRFW0{SWE{lb3IWn#iIsw{9RgbZ7EEkrn#8fsUY0Yl0zHfpu^9>%5mDCj0fjlIbxTDu?|`&u8kc zzCShDIDBwwYM46p@n+9wuZs3UlRKH#J%`>x0Pnqvkm5w3Q_z;F&)Y-=cE%)Z z@S{olJMs3xh1q7yMJ{<|5&voUAoCqSAaK)vV(MTn;PQ2DKGM^~FC9`0+0*WS9-kx; zWR}oXd}RG}z2E_dL_Vg0OW>3wV%wd(FpKIFb;D=%o;ah<7Ekrah--D3x-yJO50&cq z(=9*Fq+q2^N1@pxCQ&iy*->h2Ne_SIX+T`F_? z8;7{-ohuH1Q(7U0Je73yT$c4kS6624hafSQL6K3eun3^`OA^y+sf%s%9ZxFq3oS93 z>+nGqB>u3eMDdPEYoJS!0PS)?$`ba`!N--L+nZZoAI*GcK6&73`O*KZ5|BoHGy#te zE^OjF`lsg}{>VV>x~*~=y;*SPGDw}3&Ef02AF1(2!AsBO7`7d&5+u0wpDnvTk1BuM znNoYk=-qx&?Xeu=wf?DE5TN-!Zc~ExVI9?dh?Txz_2hwsyO-?HOVb5%q$_@LpzC_ zwI81bj-Rk_%TKLOx~u5dg3vd4zu7aR8|(rL(7U36Q0% zU8@oVmRbI0u$+;Qwa<&^iUApG{s_G)DT6huIV>um!dTT!Cv7zlTODj{KuH@M0Wf#6 z2P#-2R7qC5BbRayx#p6=CRM;~W`nW3tw~JnXD~TL>HoB_d0)45*W_TPME>RsdjvGoo+J9k9nZ#C8y`P|KEYkVx?jz0b z=w=j5L%w+nxvuz-{&SxRjNNyla(vDfa(X>y#8xY<{@DaoZF9G*zE)8jVdi^OS-Pey zcYZ-SHFVkbDUG9^^XRkHGZDM$<+^&~Ehd{%^#`@u=OitPWTL8^?aQq=8wR?+I9#o= ze|q$=!Ofh>aXhxHrD8$MYs*-f|9sw+C8V^CXz}=+Yix6KMcTghvc`)&1wryVx$HXc zM}l=yCk^zk*fv};-i;9M|7|a3B%dZ{HkjpF_yM=v$C;Mtpg!Td)1+wjpAg))t+vI? zd*@3jy&KG-yzF*e)QCOvb?|@f_jO*0*i?}qg6+6iUJ zb4s-f3hvOK*2Lnw2E{v@%Q4k>wNKrz%g7Ru908qVgAHBH{qw1xr986v(3FPLh^M^Xx%)x@v!dl$xe9_fa!sFHlqmLJ(v`c*y9ETRMVnD? zPVtPX-Pt3t3}oHf`PM@-z4V)v$qL}?WR)?yYZbVyYg>_%?Kw3)t}bVE<^!$Du>HMU z2mS53go2~8%#}TTzUUlRwAx5f5j4LP$KvD@$sMhbc6%=#rT%?GIJ~n>E${o%Fct5Q z#mT&Y#m}nAf6;XCYsI-YLJG1~9GIad#o9QDo2iGbzXZZ0a${IR3G&0$<8mdVSA=Jh zy@~ literal 0 HcmV?d00001 diff --git a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md new file mode 100644 index 0000000000..7521ff29ba --- /dev/null +++ b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -0,0 +1,49 @@ +--- +title: Implementing Your Windows Firewall with Advanced Security Design Plan (Windows 10) +description: Implementing Your Windows Firewall with Advanced Security Design Plan +ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 +author: brianlic-msft +--- + +# Implementing Your Windows Firewall with Advanced Security Design Plan + + +The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan: + +- **Group Policy**. The Windows Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the computers on your network. [Group Policy Analysis and Troubleshooting Overview](http://technet.microsoft.com/library/jj134223.aspx) (http://technet.microsoft.com/library/jj134223.aspx) can help you review and change, if necessary, your Group Policy infrastructure. + +- **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the computers on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external computers to connect to computers in that zone, then you must allow that traffic through the perimeter firewall to the computers in the boundary zone. + +- **Computers running operating systems other than Windows**. If your network includes computers that are not running the Windows operating system, then you must make sure that required communication with those computers is not blocked by the restrictions put in place by your design. You must do one of the following: + + - Include those computers in the isolated domain or zone by adding certificate-based authentication to your design. Many other operating systems can participate in an isolated domain or isolated server scenario, as long as certificate-based authentication is used. + + - Include the computer in the authentication exemption list included in your design. You can choose this option if for any reason the computer cannot participate in the isolated domain design. + +## How to implement your Windows Firewall with Advanced Security design using this guide + + +The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design. + +![wfas implementation](images/wfas-implement.gif) + +Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Firewall with Advanced Security design. + +- [Checklist: Implementing a Basic Firewall Policy Design](../p_server_archive/checklist-implementing-a-basic-firewall-policy-design.md) + +- [Checklist: Implementing a Domain Isolation Policy Design](../p_server_archive/checklist-implementing-a-domain-isolation-policy-design.md) + +- [Checklist: Implementing a Domain Isolation Policy Design](../p_server_archive/checklist-implementing-a-domain-isolation-policy-design.md) + +- [Checklist: Implementing a Certificate-based Isolation Policy Design](../p_server_archive/checklist-implementing-a-certificate-based-isolation-policy-design.md) + +The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](../p_server_archive/windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md). + +  + +  + + + + + diff --git a/windows/keep-secure/install-active-directory-certificate-services.md b/windows/keep-secure/install-active-directory-certificate-services.md new file mode 100644 index 0000000000..a7a4ace49e --- /dev/null +++ b/windows/keep-secure/install-active-directory-certificate-services.md @@ -0,0 +1,77 @@ +--- +title: Install Active Directory Certificate Services (Windows 10) +description: Install Active Directory Certificate Services +ms.assetid: 6f2ed8ac-b8a6-4819-9c21-be91dedfd619 +author: brianlic-msft +--- + +# Install Active Directory Certificate Services + + +To use certificates in a server isolation or domain isolation design, you must first set up the infrastructure to deploy the certificates. This is called a public key infrastructure (PKI). The services required for a PKI are available in Windows Server 2012 in the form of the Active Directory Certificate Services (AD CS) role. + +**Caution**   +Creation of a full PKI for an enterprise environment with all of the appropriate security considerations included in the design is beyond the scope of this guide. The following procedure shows you only the basics of installing an issuing certificate server; it is appropriate for a test lab environment only. For more information about deploying AD CS in a production environment, see [Active Directory Certificate Services Overview](e37b2335-0796-449f-aaf4-0520e508f47d) in the Windows Server 2012 Technical Library (http://technet.microsoft.com/library/hh831740.aspx). + +  + +To perform this procedure, the computer on which you are installing AD CS must be joined to an Active Directory domain. + +**Administrative credentials** + +To complete this procedure, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group. + +**To install AD CS** + +1. Log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group. + +2. Click **Server Manager** in the taskbar. The Server Manager console opens. Click **Add roles and features**. + +3. On the **Before you begin** page, click **Next**. + +4. On the **Select installation type** page, ensure **Role-based or feature-based installation** is selected and click **Next**. + +5. On the **Select destination server** page, ensure your server is selected and click **Next**. + +6. On the **Select Server Roles** page, select **Active Directory Certificate Services**, and then click **Add Features** and then click **Next**. + +7. On the **Select features** page, click **Next**. + +8. On the **Active Directory Certificate Services** page, click **Next**. + +9. On the **Select role services** page, ensure **Certification Authority** is selected and click **Next**. + +10. On the **Confirm installation selections** page, click **Install**. + + After installation completes, click close. + +11. On the Server Manager Dashboard, click the Notifications flag icon and then click **Configure Active Directory Certificate Services on the destination server**. + +12. On the **Credentials** page, ensure the default user account is a member of both the local Administrators group and the Enterprise Admins group and then click **Next**. + +13. On the **Role Services** page, click **Certification Authority**, and click **Next**. + +14. On the **Setup Type** page, ensure **Enterprise CA** is selected, and click **Next**. + +15. On the **CA Type** page, ensure **Root CA** is selected, and then click **Next**. + +16. On the **Private Key** page, ensure **Create a new private key** is selected, and then click **Next**. + +17. On the **Cryptography for CA** page, keep the default settings for CSP (**RSA\#Microsoft Software Key Storage Provider**) and hash algorithm (**sha1**), and determine the best key character length for your deployment. Large key character lengths provide optimal security, but they can affect server performance. It is recommended that you keep the default setting of 2048 or, if appropriate for your deployment, reduce key character length to 1024. Click **Next**. + +18. On the **CA Name** page, keep the suggested common name for the CA or change the name according to your requirements, and then click **Next**. + +19. On the **Validity Period** page, in **Specify the validity period**, type the number and select a time value (Years, Months, Weeks, or Days). The default setting of five years is recommended. Click **Next**. + +20. On the **CA Database** page, in **Certificate database location** and **Certificate database log location**, specify the folder location for these items. If you specify locations other than the default locations, make sure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files. + +21. Click **Next**, click **Configure**, and then click **Close**. + +  + +  + + + + + diff --git a/windows/keep-secure/isolated-domain-gpos.md b/windows/keep-secure/isolated-domain-gpos.md new file mode 100644 index 0000000000..0b6a5cf020 --- /dev/null +++ b/windows/keep-secure/isolated-domain-gpos.md @@ -0,0 +1,28 @@ +--- +title: Isolated Domain GPOs (Windows 10) +description: Isolated Domain GPOs +ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f +author: brianlic-msft +--- + +# Isolated Domain GPOs + + +All of the computers in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. + +Each GPO has a security group filter that prevents the GPO from applying to members of the group GP\_DOMISO\_No\_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. For more information, see the [Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md) section. + +The GPOs created for the Woodgrove Bank isolated domain include the following: + +- [GPO\_DOMISO\_IsolatedDomain\_Clients](../p_server_archive/gpo-domiso-isolateddomain-clients.md) + +- [GPO\_DOMISO\_IsolatedDomain\_Servers](../p_server_archive/gpo-domiso-isolateddomain-servers.md) + +  + +  + + + + + diff --git a/windows/keep-secure/isolated-domain.md b/windows/keep-secure/isolated-domain.md new file mode 100644 index 0000000000..498d66aac0 --- /dev/null +++ b/windows/keep-secure/isolated-domain.md @@ -0,0 +1,67 @@ +--- +title: Isolated Domain (Windows 10) +description: Isolated Domain +ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e +author: brianlic-msft +--- + +# Isolated Domain + + +The isolated domain is the primary zone for trusted computers. The computers in this zone use connection security and firewall rules to control the communications that can be sent between computers in the zone. + +The term *domain* in this context means a boundary of communications trust instead of an Active Directory domain. In this solution the two constructs are very similar because Active Directory domain authentication (Kerberos V5) is required for accepting inbound connections from trusted computers. However, many Active Directory domains (or forests) can be linked with trust relationships to provide a single, logical, isolated domain. In addition, computers that authenticate by using certificates can also be included in an isolated domain without joining the Active Directory domain. + +For most implementations, an isolated domain will contain the largest number of computers. Other isolation zones can be created for the solution if their communication requirements differ from those of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones. + +You must create a group in Active Directory to contain members of the isolated domain. You then apply one of several GPOs that contain connection security and firewall rules to the group so that authentication on all inbound network connections is enforced. Creation of the group and how to link the GPOs that apply the rules to its members are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](cdbe81c3-6dbf-41c2-b003-3ac4fd4e67dd) section. + +The GPOs for the isolated domain should contain the following connection security rules and settings. + +## GPO settings for isolated domain members running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 + + +GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 should include the following: + +- IPsec default settings that specify the following options: + + 1. Exempt all ICMP traffic from IPsec. + + 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. + + 3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + + If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. + + 4. Authentication methods. Include at least computer-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then also include user-based Kerberos V5 as an optional authentication method. Likewise, if any of your isolated domain members cannot use Kerberos V5 authentication, then include certificate-based authentication as an optional authentication method. + +- The following connection security rules: + + - A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, where possible, instead of discrete addresses, if applicable in your environment. + + - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication by using Kerberos V5 authentication. + + **Important**   + Be sure to begin operations by using request in and request out behavior until you are sure that all the computers in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the policy to require in, request out. + +   + +- A registry policy that includes the following values: + + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + + **Note**   + For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). + +   + +**Next: **[Boundary Zone](../p_server_archive/boundary-zone.md) + +  + +  + + + + + diff --git a/windows/keep-secure/isolating-windows-store-apps-on-your-network.md b/windows/keep-secure/isolating-windows-store-apps-on-your-network.md new file mode 100644 index 0000000000..019fcfc553 --- /dev/null +++ b/windows/keep-secure/isolating-windows-store-apps-on-your-network.md @@ -0,0 +1,343 @@ +--- +title: Isolating Windows Store Apps on Your Network (Windows 10) +description: Isolating Windows Store Apps on Your Network +ms.assetid: fee4cf1b-6dee-4911-a426-f678a70f4c6f +author: brianlic-msft +--- + +# Isolating Windows Store Apps on Your Network + + +When you add new computers and devices that are running Windows 8 to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a computer running Windows 8, appropriate firewall rules are automatically created to enable access. Administrators can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. + +For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access. + +The ability to set and enforce these network boundaries ensures that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact on other apps, the computer, and the network. In addition, apps can be isolated and protected from malicious access from the network. + +When creating new Windows Store apps, a developer can define the following network capabilities for their app: + +- **Home\\Work Networking** + + Provides inbound and outbound access to intranet networks that the user has designated as a home or a work network, or if the network has an authenticated domain controller. + +- **Internet (Client)** + + Provides outbound access to the Internet and untrusted networks, such as airports and coffee shops (for example, intranet networks where the user has designated the network as Public). Most apps that require Internet access should use this capability. + +- **Internet (Client and Server)** + + Provides inbound and outbound access to the Internet and untrusted networks, such as airports and coffee shops. This capability is a superset of the **Internet (Client)** capability, and **Internet (Client)** does not need to be enabled if this capability is enabled. + +- **Proximity** + + Provides near-field communication (NFC) with devices that are in close proximity to the computer. Proximity may be used to send files or connect with an application on a proximate device. + +**In this document** + +To isolate Windows Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Windows Store app firewall rules. + +- [Prerequisites](#bkmk-prereq) + +- [Step 1: Define your network](#bkmk-step1) + +- [Step 2: Create custom firewall rules](#bkmk-step2) + +## Prerequisites + + +- A domain controller is installed on your network, and your computers are joined to the Windows domain. + +- Your Windows Store app is installed on your client computer. + +- The Remote Server Administration Tools (RSAT) are installed on your client computer. When you perform the following steps from your client computer, you can select your Windows Store app when you create Windows Firewall rules. + + **Note**   + You can install the RSAT on your computer running Windows 8 from the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=238560). + +   + +## Step 1: Define your network + + +The **Home\\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Windows Store apps can access intranet resources appropriately. + +The Windows Store Internet Explorer app that is included with Windows 8 uses the network capabilities to detect which zone it should use. The browser uses the network capabilities to ensure that it operates in the correct security zone. + +A network endpoint is considered part of the **Home\\Work Network** if: + +- It is part of the local subnet of a trusted network. + + For example, home users generally flag their network as Trusted. Local computers will be designated as such. + +- A computer is on a network, and it is authenticated to a domain controller. + + - Endpoints within the intranet address space are considered private. + + - Endpoints within the local subnet are considered private. + +- The computer is configured for DirectAccess, and the endpoint is part of the intranet address space. + +The intranet address space is composed of configured Active Directory sites and subnets, and it is configured for Windows network isolation specifically by using Group Policy. You can disable the usage of Active Directory sites and subnets by using Group Policy by declaring that your subnet definitions are authoritative. + +Any proxies that you configure or that are automatically configured with proxy autoconfiguration (by using Web Proxy Auto-Discovery (WPAD) protocol) are exempt from the intranet zone. You can add proxy addresses by using Group Policy. + +All other endpoints that do not meet the previously stated criteria are considered endpoints on the Internet. + +**To configure a GPO that defines your intranet address space** + +1. Open the Group Policy Management snap-in (gpmc.msc) and edit the Default Domain Policy. + +2. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Administrative Templates**, expand **Network**, and click **Network Isolation**. + +3. In the right pane, double-click **Private network ranges for apps**. + +4. In the **Private network ranges for apps** dialog box, click **Enabled**. In the **Private subnets** text box, type the private subnets for your intranet, separated by commas if necessary. + + For example, if the Contoso intranet is defined as 10.0.0.0 with a subnet mask of 255.255.255.0, you would type 10.0.0.0/24 in the **Private subnets** text box. + +5. Double-click **Subnet definitions are authoritative**. + + If you want the subnet definitions that you previously created to be the single source for your subnet definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional subnets by using local settings or network isolation heuristics. + +**To configure the proxy addresses for the intranet and Internet** + +1. Double-click **Internet proxy servers for apps**. Click **Enabled**, and then in the **Domain Proxies** text box, type the IP addresses of your Internet proxy servers, separated by semicolons. + +2. Double-click **Intranet proxy servers for apps**. Click **Enabled**, and then in the IP address text box, type the IP addresses of your intranet proxy servers, separated by semicolons. + +3. Double-click **Proxy definitions are authoritative**. + + If you want the proxy definitions that you previously created to be the single source for your proxy definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional proxies by using local settings or network isolation heuristics. + +## Step 2: Create custom firewall rules + + +Windows Store apps can declare many capabilities in addition to the network capabilities discussed previously. For example, apps can declare capabilities to access user identity, the local file system, and certain hardware devices. + +The following table provides a complete list of the possible app capabilities. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CapabilityNameDescription

Internet (Client)

internetClient

Your outgoing Internet connection.

Internet (Client & Server)

internetClientServer

Your Internet connection, including incoming unsolicited connections from the Internet The app can send information to or from your computer through a firewall. You do not need to declare internetClient if this capability is declared.

Home\Work Networking

privateNetworkClientServer

A home or work network. The app can send information to or from your computer and other computers on the same network.

Document Library Access

documentsLibrary

Your Documents library, including the capability to add, change, or delete files. The package can only access file types that are declared in the manifest. The app cannot access document libraries on HomeGroup computers.

Picture Library Access

picturesLibrary

Your Pictures library, including the capability to add, change, or delete files. This capability also includes Picture libraries on HomeGroup computers and picture file types on locally connected media servers.

Video Library Access

videosLibrary

Your Videos library, including the capability to add, change, or delete files. This capability also includes Video libraries on HomeGroup computers and video file types on locally connected media servers.

Music Library Access

musicLibrary

Your Music library, including the capability to add, change, or delete files. This capability also includes Music libraries on HomeGroup computers and music file types on locally connected media servers.

Default Windows Credentials

defaultWindowsCredentials

Your Windows credentials for access to a corporate intranet. This application can impersonate you on the network.

Removable Storage

removableStorage

A removable storage device, such as an external hard disk, USB flash drive, or MTP portable device, including the capability to add, change, or delete specific files. This package can only access file types that are declared in the manifest.

Shared User Certificates

sharedUserCertificates

Software and hardware certificates or a smart card, which the app uses to identify you. This capability can be used by an employer, a bank, or government services to identify you.

Location

location

Provides access to the user's current location.

Microphone

microphone

Provides access to the microphone's audio feed.

Near-field Proximity

proximity

Required for near-field communication (NFC) between devices in close proximity. NFC can be used to send files or connect with an app on a proximate device.

Text Messaging

sms

Provides access to computer text messaging functionality.

Webcam

webcam

Provides access to the webcam's video feed.

Other devices (represented by GUIDs)

<GUID>

Includes specialized devices and Windows Portable Devices.

+ +  + +In Windows Server 2012, it is possible to create a Windows Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app. + +For example, you could create a Windows Firewall policy to block Internet access for any apps on your network that have the Documents Library capability. + +**To block Internet access for any apps on your network that have the Documents Library capability** + +1. Open the Group Policy Management snap-in (gpmc.msc). + +2. In the left pane, right-click your domain name and click **Create a GPO in this domain, and link it here**. + +3. Type a name for the GPO in the **Name** text box, and then click **OK**. + +4. Right-click the new GPO, and then click **Edit**. + +5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and click **Windows Firewall with Advanced Security – LDAP://…** + +6. Right-click **Outbound Rules**, and then click **New Rule**. + +7. Click **Custom**, and then click **Next**. + +8. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page. + +9. On the **Action** page, ensure that **Block the Connection** is selected, and then click **Next**. + +10. On the **Profile** page, click **Next**. + +11. On the **Name** page, type a name for your rule, and then click **Finish**. + +12. In the right pane, right-click your new rule and click **Properties**. + +13. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**. + +14. Click **Application Package Properties**, and then click **OK**. + +15. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\Your documents library**, and then click **OK**. + +16. Click the **Scope** tab under **Remote IP addresses**, and then click **Add**. + +17. Click **Predefined set of computers**, select **Internet**, and click **OK**. + + This scopes the rule to block traffic to Internet computers. + +18. Click the **Programs and Services** tab, and in the **Application Packages** area, click **Settings**. + +19. Click **Apply to application packages only**, and then click **OK**. + + **Important**   + You must do this to ensure that the rule applies only to Windows Store apps and not to other applications and programs. Non-Windows Store applications and programs declare all capabilities by default, and this rule would apply to them if you do not configure it this way. + +   + +20. Click **OK** to close the **Properties** dialog box. + +21. Close the Group Policy Management Editor. + +22. In the Group Policy Management snap-in, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**. Click **Remove**, and then click **OK**. + +23. Under **Security Filtering**, click **Add**. + +24. Type **domain computers** in the text box, and then click **OK**. + +25. Close the Group Policy Management snap-in. + +Use the following procedure if you want to block intranet access for a specific media sharing app on your network. + +**To block intranet access for a specific media sharing app on your network** + +1. Open the Group Policy Management snap-in (gpmc.msc). + +2. In the left pane, right-click your domain name, and then click **Create a GPO in this domain, and link it here**. + +3. Type a name for your GPO in the **Name** text box, and then click **OK**. + +4. Right-click your new GPO, and then click **Edit**. + +5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and then click **Windows Firewall with Advanced Security – LDAP://**… + +6. Right-click **Outbound Rules**, and then click **New Rule**. + +7. Click **Custom**, and then click **Next**. + +8. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page. + +9. On the **Action** page, ensure **Block the Connection** is selected, and then click **Next**. + +10. On the **Profile** page, click **Next**. + +11. On the **Name** page, type a name for your rule, and then click **Finish**. + +12. In the right pane, right-click your new rule, and then click **Properties**. + +13. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**. + +14. Click **Application Package Properties**, and then click **OK**. + +15. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\A home or work network**, and then click **OK**. + +16. Click the **Programs and Services** tab under **Application Packages**, and then click **Settings**. + +17. Click **Apply to this application package**, select the app in the text box, and then click **OK**. + +18. Click **OK** to close the **Properties** dialog box. + +19. Close the Group Policy Management Editor. + +20. In Group Policy Management, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**, click **Remove**, and then click **OK**. + +21. Under **Security Filtering**, click **Add**. + +22. Type **domain computers** in the text box and click **OK**. + +23. Close Group Policy Management. + +## See also + + +- [Windows Firewall with Advanced Security Overview](../p_server_archive/windows-firewall-with-advanced-security-overview-win8.md) + +  + +  + + + + + diff --git a/windows/keep-secure/link-the-gpo-to-the-domain.md b/windows/keep-secure/link-the-gpo-to-the-domain.md new file mode 100644 index 0000000000..d912164e47 --- /dev/null +++ b/windows/keep-secure/link-the-gpo-to-the-domain.md @@ -0,0 +1,40 @@ +--- +title: Link the GPO to the Domain (Windows 10) +description: Link the GPO to the Domain +ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165 +author: brianlic-msft +--- + +# Link the GPO to the Domain + + +After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target computers. + +If the filters comprehensively control the application of the GPO to only the correct computers, then you can link the GPO to the domain container. Alternatively, you can link the GPO to a site container or organizational unit if you want to limit application of the GPO to that subset of computers. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Admins group, or otherwise be delegated permissions to modify the GPOs. + +**To link the GPO to the domain container in Active Directory** + +1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. + +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, and then expand *YourDomainName*. + +3. Right-click *YourDomainName*, and then click **Link an Existing GPO**. + +4. In the **Select GPO** dialog box, select the GPO that you want to deploy, and then click **OK**. + +5. The GPO appears in the **Linked Group Policy Objects** tab in the details pane and as a linked item under the domain container in the navigation pane. + +6. You can adjust the order of the linked GPOs to ensure that the higher priority GPOs are processed last. Select a GPO and click the up or down arrows to move it. The GPOs are processed by the client computer from the highest link order number to the lowest. + +  + +  + + + + + diff --git a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md new file mode 100644 index 0000000000..f062e68961 --- /dev/null +++ b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -0,0 +1,82 @@ +--- +title: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design (Windows 10) +description: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design +ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22 +author: brianlic-msft +--- + +# Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design + + +After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. + +**Important**   +The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design. + +  + +Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security deployment goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security deployment goals to meet the needs of your organization. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Deployment Goals[Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md)[Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md)[Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md)[Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md)

[Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md)

Yes

Yes

Yes

Yes

[Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md)

-

Yes

Yes

Yes

[Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md)

-

-

Yes

Yes

[Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md)

-

Optional

Optional

Optional

+ +  + +To examine details for a specific design, click the design title at the top of the column in the preceding table. + +**Next: **[Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md) + +  + +  + + + + + diff --git a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md new file mode 100644 index 0000000000..f003cb6ee2 --- /dev/null +++ b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -0,0 +1,91 @@ +--- +title: Modify GPO Filters to Apply to a Different Zone or Version of Windows (Windows 10) +description: Modify GPO Filters to Apply to a Different Zone or Version of Windows +ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80 +author: brianlic-msft +--- + +# Modify GPO Filters to Apply to a Different Zone or Version of Windows + + +You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#bkmk-topreventmembersofgroupfromapplyingagpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +In this topic: + +- [Change the security group filter for a GPO](#bkmk-toallowmembersofagrouptoapplyagpo) + +- [Block members of a group from applying a GPO](#bkmk-topreventmembersofgroupfromapplyingagpo) + +- [Remove a block for members of a group from applying a GPO](#bkmk-toremoveablockformembersofgroupfromapplyingagpo) + +## + + +Use the following procedure to change a group to the security filter on the GPO that allows group members to apply the GPO. You must remove the reference to the original group, and add the group appropriate for this GPO. + +**To change the security group filter for a GPO** + +1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. In the details pane, under **Security Filtering**, click the currently assigned security group, and then click **Remove**. + +4. Now you can add the appropriate security group to this GPO. Under **Security Filtering**, click **Add**. + +5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. + +## + + +Use the following procedure if you need to add a group to the security filter on the GPO that blocks group members from applying the GPO. This can be used on the GPOs for the main isolated domain to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. + +**To block members of group from applying a GPO** + +1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. In the details pane, click the **Delegation** tab. + +4. Click **Advanced**. + +5. Under the **Group or user names** list, click **Add**. + +6. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. + +7. Select the group in the **Group or user names** list, and then select the boxes in the **Deny** column for both **Read** and **Apply group policy**. + +8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**. + +9. The group appears in the list with custom permissions. + +## + + +**To remove a block for members of group from applying a GPO** + +1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. + +2. In the navigation pane, find and then click the GPO that you want to modify. + +3. In the details pane, click the **Delegation** tab. + +4. In the **Groups and users** list, select the group that should no longer be blocked, and then click **Remove**. + +5. In the message box, click **OK**. + +If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. + +  + +  + + + + + diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md new file mode 100644 index 0000000000..729e906fcc --- /dev/null +++ b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md @@ -0,0 +1,28 @@ +--- +title: Open the Group Policy Management Console to IP Security Policies (Windows 10) +description: Open the Group Policy Management Console to IP Security Policies +ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43 +author: brianlic-msft +--- + +# Open the Group Policy Management Console to IP Security Policies + + +Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). + +**To open a GPO to the IP Security Policies section** + +1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. + +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. + +3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, and then click **IP Security Policies on Active Directory (***YourDomainName***)**. + +  + +  + + + + + diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md new file mode 100644 index 0000000000..5d720ae16f --- /dev/null +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -0,0 +1,28 @@ +--- +title: Open the Group Policy Management Console to Windows Firewall with Advanced Security (Windows 10) +description: Open the Group Policy Management Console to Windows Firewall with Advanced Security +ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98 +author: brianlic-msft +--- + +# Open the Group Policy Management Console to Windows Firewall with Advanced Security + + +Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. + +**To open a GPO to Windows Firewall with Advanced Security** + +1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. + +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. + +3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and then expand **Windows Firewall with Advanced Security - LDAP://cn={***GUID***},cn=…**. + +  + +  + + + + + diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md new file mode 100644 index 0000000000..02b493283f --- /dev/null +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md @@ -0,0 +1,28 @@ +--- +title: Open the Group Policy Management Console to Windows Firewall (Windows 10) +description: Open the Group Policy Management Console to Windows Firewall +ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 +author: brianlic-msft +--- + +# Open the Group Policy Management Console to Windows Firewall + + +**To open a GPO to Windows Firewall** + +1. Open **Active Directory Users and Computers**. + +2. In the navigation pane, expand *YourDomainName*, right-click the container that your GPO is linked to, and then click **Properties**. + +3. Click the **Group Policy** tab, select your GPO, and then click **Edit**. + +4. In the navigation pane of the Group Policy Object Editor, expand **Computer Configuration**, expand **Administrative Templates**, expand **Network**, expand **Network Connections**, and then expand **Windows Firewall**. + +  + +  + + + + + diff --git a/windows/keep-secure/open-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-windows-firewall-with-advanced-security.md new file mode 100644 index 0000000000..5387c113a1 --- /dev/null +++ b/windows/keep-secure/open-windows-firewall-with-advanced-security.md @@ -0,0 +1,55 @@ +--- +title: Open Windows Firewall with Advanced Security (Windows 10) +description: Open Windows Firewall with Advanced Security +ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1 +author: brianlic-msft +--- + +# Open Windows Firewall with Advanced Security + + +This procedure shows you how to open the Windows Firewall with Advanced Security MMC snap-in. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations. + +## Opening Windows Firewall with Advanced Security + + +- [Using the Windows interface](#bkmk-proc1) + +- [Using a command line](#bkmk-proc2) + +## + + +**To open Windows Firewall with Advanced Security by using the Windows interface** + +- Click the **Start** charm, right-click the Start page, click **All Apps**, and then click the **Windows Firewall with Advanced Security** tile. + +## + + +**To open Windows Firewall with Advanced Security from a command prompt** + +1. Open a command prompt window. + +2. At the command prompt, type: + + ``` syntax + wf.msc + ``` + +**Additional considerations** + +Although standard users can start the Windows Firewall with Advanced Security MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators. + +  + +  + + + + + diff --git a/windows/keep-secure/planning-certificate-based-authentication.md b/windows/keep-secure/planning-certificate-based-authentication.md new file mode 100644 index 0000000000..414b5e373d --- /dev/null +++ b/windows/keep-secure/planning-certificate-based-authentication.md @@ -0,0 +1,58 @@ +--- +title: Planning Certificate-based Authentication (Windows 10) +description: Planning Certificate-based Authentication +ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec +author: brianlic-msft +--- + +# Planning Certificate-based Authentication + + +Sometimes a computer cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the computer can still participate in the isolated domain by using certificate-based authentication. + +The non-domain member server, and the clients that must be able to communicate with it, must be configured to use cryptographic certificates based on the X.509 standard. These certificates can be used as an alternate set of credentials. During IKE negotiation, each computer sends a copy of its certificate to the other computer. Each computer examines the received certificate, and then validates its authenticity. To be considered authentic, the received certificate must be validated by a certification authority certificate in the recipient's Trusted Root Certification Authorities store on the local computer. + +Certificates can be acquired from commercial firms, or by an internal certificate server set up as part of the organization's public key infrastructure (PKI). Microsoft provides a complete PKI and certification authority solution with Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Active Directory Certificate Services (AD CS). For more information about creating and maintaining a PKI in your organization, see [Active Directory Certificate Services Overview](http://technet.microsoft.com/library/hh831740.aspx) at http://technet.microsoft.com/library/hh831740.aspx. + +## Deploying certificates + + +No matter how you acquire your certificates, you must deploy them to clients and servers that require them in order to communicate. + +### Using Active Directory Certificate Services + +If you use AD CS to create your own user and computer certificates in-house, then the servers designated as certification authorities (CAs) create the certificates based on administrator-designed templates. AD CS then uses Group Policy to deploy the certificates to domain member computers. Computer certificates are deployed when a domain member computer starts. User certificates are deployed when a user logs on. + +If you want non-domain member computers to be part of a server isolation zone that requires access by only authorized users, make sure to include certificate mapping to associate the certificates with specific user accounts. When certificate mapping is enabled, the certificate issued to each computer or user includes enough identification information to enable IPsec to match the certificate to both user and computer accounts. + +AD CS automatically ensures that certificates issued by the CAs are trusted by the client computers by putting the CA certificates in the correct store on each domain member computer. + +### Using a commercially purchased certificate for computers running Windows + +You can import the certificates manually onto each computer if the number of computers is relatively small. For a deployment to more than a handful of computers, use Group Policy. + +You must first download the vendor's root CA certificate, and then import it to a GPO that deploys it to the Local Computer\\Trusted Root Certification Authorities store on each computer that applies the GPO. + +You must also import the purchased certificate into a GPO that deploys it to the Local Computer\\Personal store on each computer that applies the GPO. + +### Using a commercially purchased certificate for computers running a non-Windows operating system + +If you are installing the certificates on an operating system other than Windows, see the documentation for that operating system. + +## Configuring IPsec to use the certificates + + +When the clients and servers have the certificates available, you can configure the IPsec and connection security rules to include those certificates as a valid authentication method. The authentication method requires the subject name of the certificate, for example: **DC=com,DC=woodgrovebank,CN=CorporateCertServer**. Optionally, select **Enable certificate to account mapping** to support using these credentials for restricting access to users or computers that are members of authorized groups in a server isolation solution. + +Starting in Windows Server 2012, the Administrator can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell. + +**Next: **[Documenting the Zones](../p_server_archive/documenting-the-zones.md) + +  + +  + + + + + diff --git a/windows/keep-secure/planning-domain-isolation-zones.md b/windows/keep-secure/planning-domain-isolation-zones.md new file mode 100644 index 0000000000..f2d1bfb04c --- /dev/null +++ b/windows/keep-secure/planning-domain-isolation-zones.md @@ -0,0 +1,32 @@ +--- +title: Planning Domain Isolation Zones (Windows 10) +description: Planning Domain Isolation Zones +ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05 +author: brianlic-msft +--- + +# Planning Domain Isolation Zones + + +After you have the required information about your network, Active Directory, and client and server computers, you can use that information to make decisions about the isolation zones you want to use in your environment. + +The bulk of the work in planning server and domain isolation is determining which computers to assign to each isolation zone. Correctly choosing the zone for each computer is important to providing the correct level of security without compromising performance or the ability a computer to send or receive required network traffic. + +The zones described in this guide include the following: + +- [Exemption List](../p_server_archive/exemption-list.md) + +- [Isolated Domain](../p_server_archive/isolated-domain.md) + +- [Boundary Zone](../p_server_archive/boundary-zone.md) + +- [Encryption Zone](../p_server_archive/encryption-zone.md) + +  + +  + + + + + diff --git a/windows/keep-secure/planning-gpo-deployment.md b/windows/keep-secure/planning-gpo-deployment.md new file mode 100644 index 0000000000..9346df25bc --- /dev/null +++ b/windows/keep-secure/planning-gpo-deployment.md @@ -0,0 +1,134 @@ +--- +title: Planning GPO Deployment (Windows 10) +description: Planning GPO Deployment +ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1 +author: brianlic-msft +--- + +# Planning GPO Deployment + + +You can control which GPOs are applied to computers in Active Directory in a combination of three ways: + +- **Active Directory organizational unit hierarchy**. This involves linking the GPO to a specific OU in the Active Directory OU hierarchy. All computers in the OU and its subordinate containers receive and apply the GPO. + + Controlling GPO application through linking to OUs is typically used when you can organize the OU hierarchy according to your domain isolation zone requirements. GPOs can apply settings to computers based on their location within Active Directory. If a computer is moved from one OU to another, the policy linked to the second OU will eventually take effect when Group Policy detects the change during polling. + +- **Security group filtering**. This involves linking the GPOs to the domain level (or other parent OU) in the OU hierarchy, and then selecting which computers receive the GPO by using permissions that only allow correct group members to apply the GPO. + + The security group filters are attached to the GPOs themselves. A group is added to the security group filter of the GPO in Active Directory, and then assigned Read and Apply Group Policy permissions. Other groups can be explicitly denied Read and Apply Group Policy permissions. Only those computers whose group membership are granted Read and Apply Group Policy permissions without any explicit deny permissions can apply the GPO. + +- **WMI filtering**. A WMI filter is a query that is run dynamically when the GPO is evaluated. If a computer is a member of the result set when the WMI filter query runs, the GPO is applied to the computer. + + A WMI filter consists of one or more conditions that are evaluated against the local computer. You can check almost any characteristic of the computer, its operating system, and its installed programs. If all of the specified conditions are true for the computer, the GPO is applied; otherwise the GPO is ignored. + +This guide uses a combination of security group filtering and WMI filtering to provide the most flexible options. If you follow this guidance, even though there might be five different GPOs linked to a specific group because of operating system version differences, only the correct GPO is applied. + +## General considerations + + +- Deploy your GPOs before you add any computer accounts to the groups that receive the GPOs. That way you can add your computers to the groups in a controlled manner. Be sure to add only a few test computers at first. Before adding many group members, examine the results on the test computers and verify that the configured firewall and connection security rules have the effect that you want. See the following sections for some suggestions on what to test before you continue. + +## Test your deployed groups and GPOs + + +After you have deployed your GPOs and added some test computers to the groups, confirm the following before you continue with more group members: + +- Examine the GPOs that are both assigned to and filtered from the computer. Run the **gpresult** tool at a command prompt. + +- Examine the rules deployed to the computer. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. + +- Verify that communications are authenticated. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**. + +- Verify that communications are encrypted when the computers require it. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. + +- Verify that your programs are unaffected. Run them and confirm that they still work as expected. + +After you have confirmed that the GPOs have been correctly applied, and that the computers are now communicating by using IPsec network traffic in request mode, you can begin to add more computers to the group accounts, in manageable numbers at a time. Continue to monitor and confirm the correct application of the GPOs to the computers. + +## Do not enable require mode until deployment is complete + + +If you deploy a GPO that requires authentication to a computer before the other computers have a GPO deployed, communication between them might not be possible. Wait until you have all the zones and their GPOs deployed in request mode and confirm (as described in the previous section) that the computers are successfully communicating by using IPsec. + +If there are problems with GPO deployment, or errors in configuration of one or more of the IPsec GPOs, computers can continue to operate, because request mode enables any computer to fall back to clear communications. + +Only after you have added all of the computers to their zones, and you have confirmed that communications are working as expected, you can start changing the request mode rules to require mode rules where it is required in the zones. We recommend that you enable require mode in the zones one zone at a time, pausing to confirm that they are functioning properly before you continue. Turn the required mode setting on for the server isolation zones first, then the encryption zone, and then the isolated domain. + +Do not change the boundary zone GPO, because it must stay in request mode for both inbound and outbound connections. + +If you create other zones that require either inbound or outbound require mode, make the setting change in a manner that applies the setting in stages from the smaller groups of computers to the larger groups. + +## Example Woodgrove Bank deployment plans + + +Woodgrove Bank links all its GPOs to the domain level container in the Active Directory OU hierarchy. It then uses the following WMI filters and security group filters to control the application of the GPOs to the correct subset of computers. All of the GPOs have the User Configuration section disabled to improve performance. + +### GPO\_DOMISO\_Firewall\_2008\_Win7-Vista + +- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: + + `select * from Win32_OperatingSystem where Version like "6.%" and ProductType <> "2"` + + **Note**   + This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are computers running versions of Windows earlier than Windows Vista and Windows Server 2008. + +   + +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to computers that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the CG\_DOMISO\_NO\_IPSEC. + +### GPO\_DOMISO\_IsolatedDomain\_Clients\_Win7Vista + +- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: + + `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"` + +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to computers that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. + +### GPO\_DOMISO\_IsolatedDomain\_Servers\_WS2008 + +- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: + + `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` + + **Note**   + This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are computers that are running versions of Windows earlier than Windows Vista and Windows Server 2008. + +   + +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to computers that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. + +### GPO\_DOMISO\_Boundary\_WS2008 + +- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: + + `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` + + **Note**   + This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are computers that are running versions of Windows earlier than Windows Vista and Windows Server 2008. + +   + +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to computers that are members of the group CG\_DOMISO\_Boundary. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. + +### GPO\_DOMISO\_Encryption\_WS2008 + +- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: + + `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` + + **Note**   + This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are computers that are running versions of Windows earlier than Windows Vista and Windows Server 2008. + +   + +- **Security filter**. This GPO grants Read and Apply permissions in Group Policy only to computers that are members of the group CG\_DOMISO\_Encryption. The GPO also explicitly denies Read and Apply permissions in Group Policy to members of the group CG\_DOMISO\_NO\_IPSEC. + +  + +  + + + + + diff --git a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md new file mode 100644 index 0000000000..0100f63ad7 --- /dev/null +++ b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md @@ -0,0 +1,30 @@ +--- +title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10) +description: Planning Group Policy Deployment for Your Isolation Zones +ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c +author: brianlic-msft +--- + +# Planning Group Policy Deployment for Your Isolation Zones + + +After you have decided on the best logical design of your isolation environment for the network and computer security requirements, you can start the implementation plan. + +You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the computer accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you will ensure that the policies will only apply to the correct computers within each group. + +- [Planning Isolation Groups for the Zones](../p_server_archive/planning-isolation-groups-for-the-zones.md) + +- [Planning Network Access Groups](../p_server_archive/planning-network-access-groups.md) + +- [Planning the GPOs](../p_server_archive/planning-the-gpos.md) + +- [Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/planning-isolation-groups-for-the-zones.md b/windows/keep-secure/planning-isolation-groups-for-the-zones.md new file mode 100644 index 0000000000..73063b68ef --- /dev/null +++ b/windows/keep-secure/planning-isolation-groups-for-the-zones.md @@ -0,0 +1,79 @@ +--- +title: Planning Isolation Groups for the Zones (Windows 10) +description: Planning Isolation Groups for the Zones +ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695 +author: brianlic-msft +--- + +# Planning Isolation Groups for the Zones + + +Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A computer is assigned to a zone by adding its computer account to the group which represents that zone. + +**Caution**   +Do not add computers to your groups yet. If a computer is in a group when the GPO is activated then that GPO is applied to the computer. If the GPO is one that requires authentication, and the other computers have not yet received their GPOs, the computer that uses the new GPO might not be able to communicate with the others. + +  + +Universal groups are the best option to use for GPO assignment because they apply to the whole forest and reduce the number of groups that must be managed. However, if universal groups are unavailable, you can use domain global groups instead. + +The following table lists typical groups that can be used to manage the domain isolation zones discussed in the Woodgrove Bank example in this guide: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Group nameDescription

CG_DOMISO_No_IPsec

A universal group of computer accounts that do not participate in the IPsec environment. Typically consists of infrastructure computer accounts that will also be included in exemption lists.

+

This group is used in security group filters to ensure that GPOs with IPsec rules are not applied to group members.

CG_DOMISO_IsolatedDomain

A universal group of computer accounts that contains the members of the isolated domain.

+

During the early days of testing, this group might contain only a very small number of computers. During production, it might contain the built-in Domain Computers group to ensure that every computer in the domain participates.

+

Members of this group receive the domain isolation GPO that requires authentication for inbound connections.

CG_DOMISO_Boundary

A universal group of computer accounts that contains the members of the boundary zone.

+

Members of this group receive a GPO that specifies that authentication is requested, but not required.

CG_DOMISO_Encryption

A universal group of computer accounts that contains the members of the encryption zone.

+

Members of this group receive a GPO that specifies that both authentication and encryption are required for all inbound connections.

CG_SRVISO_ServerRole

A universal group of computer accounts that contains the members of the server isolation group.

+

Members of this group receive the server isolation GPO that requires membership in a network access group in order to connect.

+

There will be one group for each set of servers that have different user and computer restriction requirements.

+ +  + +Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](../p_server_archive/planning-the-gpos.md). + +If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the computer. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific. + +**Next: **[Planning Network Access Groups](../p_server_archive/planning-network-access-groups.md) + +  + +  + + + + + diff --git a/windows/keep-secure/planning-network-access-groups.md b/windows/keep-secure/planning-network-access-groups.md new file mode 100644 index 0000000000..dc94283493 --- /dev/null +++ b/windows/keep-secure/planning-network-access-groups.md @@ -0,0 +1,68 @@ +--- +title: Planning Network Access Groups (Windows 10) +description: Planning Network Access Groups +ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0 +author: brianlic-msft +--- + +# Planning Network Access Groups + + +A network access group (NAG) is used to identify users and computers that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a computer, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. + +Minimize the number of NAGs to limit the complexity of the solution. You need one NAG for each server isolation group to restrict the computers or users that are granted access. You can optionally split the NAG into two different groups: one for authorized computers and one for authorized users. + +The NAGs that you create and populate become active by referencing them in the **Users and Computers** tab of the firewall rules in the GPO assigned to the isolated servers. The GPO must also contain connection security rules that require authentication to supply the credentials checked for NAG membership. + +For the Woodgrove Bank scenario, access to the computers running SQL Server that support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative computers. They are also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service. + + +++++ + + + + + + + + + + + + + + + + + + + +
NAG NameNAG Member Users, Computers, or GroupsDescription

CG_NAG_ServerRole_Users

Svr1AdminA

+

Svr1AdminB

+

Group_AppUsers

+

AppSvcAccount

This group is for all users who are authorized to make inbound IPsec connections to the isolated servers in this zone.

CG_NAG_ServerRole_Computers

Desktop1

+

Desktop2

+

AdminDT1

+

AppAdminDT1

This group contains all computers that are authorized to make inbound IPsec connections to the isolated servers in this zone.

+ +  + +**Note**   +Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the computer or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5. + +  + +**Next: **[Planning the GPOs](../p_server_archive/planning-the-gpos.md) + +  + +  + + + + + diff --git a/windows/keep-secure/planning-server-isolation-zones.md b/windows/keep-secure/planning-server-isolation-zones.md new file mode 100644 index 0000000000..6394f51aa0 --- /dev/null +++ b/windows/keep-secure/planning-server-isolation-zones.md @@ -0,0 +1,88 @@ +--- +title: Planning Server Isolation Zones (Windows 10) +description: Planning Server Isolation Zones +ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b +author: brianlic-msft +--- + +# Planning Server Isolation Zones + + +Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any computers that are outside the isolated domain, and encrypts all network connections to server. + +The second option is to additionally restrict access to the server, not just to members of the isolated domain, but to only those users or computers who have business reasons to access the resources on the server. You can specify only approved users, or you can additionally specify that the approved users can only access the server from approved computers. + +To grant access, you add the approved user and computer accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This causes IKE to use Kerberos V5 to exchange credentials with the server. The additional firewall rule on the server causes Windows to check the provided computer and user accounts for group membership in the NAGs. If either the user or computer is not a member of a required NAG then the network connection is refused. + +## Isolated domains and isolated servers + + +If you are using an isolated domain, the client computers already have the IPsec rules to enable them to authenticate traffic when the server requires it. If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized computer or user. + +If you are not using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client computers that you want to access the server to use the appropriate IPsec rules. If the client computers are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG. + +## Creating multiple isolated server zones + + +Each set of servers that must be accessed by different sets of users should be set up in its own isolated server zone. After one set of GPOs for one isolated server zone has been successfully created and verified, you can copy the GPOs to a new set. You must change the GPO names to reflect the new zone, the name and membership of the isolated server zone group to which the GPOs are applied, and the names and membership of the NAG groups that determine which clients can access the servers in the isolated server zone. + +## Creating the GPOs + + +Creation of the groups and how to link them to the GPOs that apply the rules to members of the groups are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) section. + +An isolated server is often a member of the encryption zone. Therefore, copying that GPO set serves as a good starting point. You then modify the rules to additionally restrict access to only NAG members. + +### GPO settings for isolated servers running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008 + +GPOs for computers running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008 should include the following: + +**Note**   +The connection security rules described here are identical to the ones for the encryption zone. If you do not want to encrypt access and also restrict access to NAG members, you can use connection security rules identical to the main isolated domain. You must still add the firewall rule described at the end of this list to change it into an isolated server zone. + +  + +- IPsec default settings that specify the following options: + + 1. Exempt all ICMP traffic from IPsec. + + 2. Key exchange (main mode) security methods and algorithm. We recommend that you do not include Diffie-Hellman Group 1, DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + + 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + + If any NAT devices are present on your networks, do not use AH because it cannot traverse NAT devices. If isolated servers must communicate with hosts in the encryption zone, include an algorithm that is compatible with the requirements of the encryption zone GPOs. + + 4. Authentication methods. Include at least computer-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. Do not make the user-based authentication method mandatory, or else computers that cannot use AuthIP instead of IKE, including Windows XP and Windows Server 2003, cannot communicate. Likewise, if any of your domain isolation members cannot use Kerberos V5, include certificate-based authentication as an optional authentication method. + +- The following connection security and firewall rules: + + - A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + + - A connection security rule, from **Any IP address** to **Any IP address**, that requires inbound and requests outbound authentication by using Kerberos V5 authentication. + + **Important**   + Be sure to begin operations by using request in and request out behavior until you are sure that all the computers in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. + +   + + - A firewall rule that specifies **Allow only secure connections**, **Require encryption**, and on the **Users and Computers** tab includes references to both computer and user network access groups. + +- A registry policy that includes the following values: + + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + + **Note**   + For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). + +   + +**Next: **[Planning Certificate-based Authentication](../p_server_archive/planning-certificate-based-authentication.md) + +  + +  + + + + + diff --git a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md new file mode 100644 index 0000000000..783b92991e --- /dev/null +++ b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md @@ -0,0 +1,58 @@ +--- +title: Planning Settings for a Basic Firewall Policy (Windows 10) +description: Planning Settings for a Basic Firewall Policy +ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735 +author: brianlic-msft +--- + +# Planning Settings for a Basic Firewall Policy + + +After you have identified your requirements, and have the information about the network layout and computers available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the computers. + +The following is a list of the firewall settings that you might consider for inclusion in a basic firewall design, together with recommendations to serve as a starting point for your analysis: + +- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private** (on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2). Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on computers that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they are not on the organization's network, you cannot fix a connectivity problem by deploying rule changes in a GPO. For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization. + + **Important**   + We recommend that on server computers that you set all rules for all profiles to prevent any unexpected profile switch from disrupting network connectivity. You might consider a similar practice for your desktop computers, and only support different profiles on portable computers. + +   + +- **Firewall state: On**. We recommend that you prevent the user from turning it off. + +- **Default behavior for Inbound connections: Block**. We recommend that you enforce the default behavior of blocking unsolicited inbound connections. To allow network traffic for a specific program, create an inbound rule that serves as an exception to this default behavior. + +- **Default behavior for Outbound connections: Allow**. We recommend that you enforce the default behavior of allowing outbound connections. + +- **Allow unicast response: Yes**. We recommend that you use the default setting of **Yes** unless you have specific requirements to do otherwise. + +- **Apply local firewall rules: Yes**. We recommend that you allow users to create and use local firewall rules. If you set this to **No**, then when a user clicks **Allow** on the notification message to allow traffic for a new program, Windows does not create a new firewall rule and the traffic remains blocked. + + If you and the IT staff can create and maintain the list of firewall rules for all permitted applications and deploy them by using GPOs then you can set this value to **No**. + +- **Apply local connection security rules: No**. We recommend that you prevent users from creating and using their own connection security rules. Connection failures caused by conflicting rules can be difficult to troubleshoot. + +- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Firewall service account has write permissions. + +- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another computer on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port. + + Inbound rules are common on servers, because they host services to which client computers connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. Examine the rules to ensure that they do not open up more ports than are required. + + **Important**   + If you create inbound rules that permit RPC network traffic by using the **RPC Endpoint Mapper** and **Dynamic RPC** rule options, then all inbound RPC network traffic is permitted because the firewall cannot filter network traffic based on the UUID of the destination application. + +   + +- **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs. + +**Next: **[Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) + +  + +  + + + + + diff --git a/windows/keep-secure/planning-the-gpos.md b/windows/keep-secure/planning-the-gpos.md new file mode 100644 index 0000000000..e970a3c826 --- /dev/null +++ b/windows/keep-secure/planning-the-gpos.md @@ -0,0 +1,64 @@ +--- +title: Planning the GPOs (Windows 10) +description: Planning the GPOs +ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4 +author: brianlic-msft +--- + +# Planning the GPOs + + +When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the computers to the zones. + +## General considerations + + +A few things to consider as you plan the GPOs: + +- Do not allow a computer to be a member of more than one isolation zone. A computer in more than one zone receives multiple and possibly contradictory GPOs. This can result in unexpected, and difficult to troubleshoot behavior. + + The examples in this guide show GPOs that are designed to prevent the requirement to belong to multiple zones. + +- Ensure that the IPsec algorithms you specify in your GPOs are compatible across all the versions of Windows. The same principle applies to the data integrity and encryption algorithms. We recommend that you include the more advanced algorithms when you have the option of selecting several in an ordered list. The computers will negotiate down from the top of their lists, selecting one that is configured on both computers. So a computer that is running Windows Vista that is connected to a server that is running Windows Server 2012 can communicate by using a much more secure algorithm. + +- The primary difference in your domain isolation GPOs is whether the rules request or require authentication. + + **Caution**   + It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the computers over time, applying a require policy to one computer breaks its ability to communicate with another computer that has not yet received its policy. Using request mode at the beginning enables computers to continue communicating by using plaintext connections if required. After you confirm that your computers are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone. + +   + +- Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the computer. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the computer handles network traffic will change accordingly. We recommend for stationary computers, such as desktops and servers, that you assign any rule for the computer to all profiles. Apply GPOs that change rules per network location to computers that must move between networks, such as your portable computers. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. For more information, see Network Location Types at . + + **Note**   + Computers running Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 R2 support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. + +   + +After considering these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs. + +## Woodgrove Bank example GPOs + + +The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which computers receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md) section. + +In this section you can find information about the following: + +- [Firewall GPOs](../p_server_archive/firewall-gpos.md) + +- [Isolated Domain GPOs](../p_server_archive/isolated-domain-gpos.md) + +- [Boundary Zone GPOs](../p_server_archive/boundary-zone-gpos.md) + +- [Encryption Zone GPOs](../p_server_archive/encryption-zone-gpos.md) + +- [Server Isolation GPOs](../p_server_archive/server-isolation-gpos.md) + +  + +  + + + + + diff --git a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md new file mode 100644 index 0000000000..a517124934 --- /dev/null +++ b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -0,0 +1,51 @@ +--- +title: Planning to Deploy Windows Firewall with Advanced Security (Windows 10) +description: Planning to Deploy Windows Firewall with Advanced Security +ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e +author: brianlic-msft +--- + +# Planning to Deploy Windows Firewall with Advanced Security + + +After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](../p_server_archive/windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. + +## Reviewing your Windows Firewall with Advanced Security Design + + +If the design team that created the Windows Firewall with Advanced Security design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points: + +- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which computers apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide: + + - [Planning Isolation Groups for the Zones](../p_server_archive/planning-isolation-groups-for-the-zones.md) + + - [Planning the GPOs](../p_server_archive/planning-the-gpos.md) + + - [Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md) + +- The communication to be allowed between members of each of the zones in the isolated domain and computers that are not part of the isolated domain or members of the isolated domain's exemption list. + +- The recommendation that domain controllers are exempted from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers. + +- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between computers might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated. + +- The requirement that all computers that must communicate with each other share a common set of: + + - Authentication methods + + - Main mode key exchange algorithms + + - Quick mode data integrity algorithms + + If at least one set of each does not match between two computers, then the computers cannot successfully communicate. + +After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](../p_server_archive/implementing-your-windows-firewall-with-advanced-security-design-plan.md). + +  + +  + + + + + diff --git a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md new file mode 100644 index 0000000000..9efd46604f --- /dev/null +++ b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md @@ -0,0 +1,96 @@ +--- +title: Planning Your Windows Firewall with Advanced Security Design (Windows 10) +description: Planning Your Windows Firewall with Advanced Security Design +ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f +author: brianlic-msft +--- + +# Planning Your Windows Firewall with Advanced Security Design + + +After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. + +## Basic firewall design + + +We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization. + +When you are ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md) section. + +## Algorithm and method support and selection + + +To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, as well as their relative strengths. To review the algorithms and methods supported in versions of the Windows operating system, see IPsec Algorithms and Methods Supported in Windows (). + +## IPsec performance considerations + + +Although IPsec is critically important in securing network traffic going to and from your computers, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your computer from making use of all of the available bandwidth. For example, an IPsec-enabled computer using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms. + +IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This frees up a computer’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps. For more information, see Improving Network Performance by Using IPsec Task Offload (). + +## Domain isolation design + + +Include this design in your plans: + +- If you have an Active Directory domain of which most of the computers are members. + +- If you want to prevent the computers in your organization from accepting any unsolicited network traffic from computers that are not part of the domain. + +If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you are sure that the computers are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you are troubleshooting. + +When you are ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) section. + +## Server isolation design + + +Include this design in your plans: + +- If you have an isolated domain and you want to additionally restrict access to specific servers to only authorized users and computers. + +- You are not deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. You can restrict access to the isolated servers to only authorized users and computers. + +If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the additional server isolation elements. + +When you are ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](../p_server_archive/planning-server-isolation-zones.md) section. + +## Certificate-based authentication design + + +Include this design in your plans: + +- If you want to implement some of the elements of domain or server isolation on computers that are not joined to an Active Directory domain, or do not want to use domain membership as an authentication mechanism. + +- You have an isolated domain and want to include a server that is not a member of the Active Directory domain because the computer is not running Windows, or for any other reason. + +- You must enable external computers that are not managed by your organization to access information on one of your servers, and want to do this in a secure way. + +If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the computers that require it. + +When you are ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](../p_server_archive/planning-certificate-based-authentication.md) section. + +## Documenting your design + + +After you finish selecting the designs that you will use, you must assign each of your computers to the appropriate isolation zone and document the assignment for use by the deployment team. + +- [Documenting the Zones](../p_server_archive/documenting-the-zones.md) + +## Designing groups and GPOs + + +After you have selected a design and assigned your computers to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you will use to apply the settings and rules to your computers. + +When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) section. + +**Next: **[Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md) + +  + +  + + + + + diff --git a/windows/keep-secure/procedures-used-in-this-guide.md b/windows/keep-secure/procedures-used-in-this-guide.md new file mode 100644 index 0000000000..733ca019e5 --- /dev/null +++ b/windows/keep-secure/procedures-used-in-this-guide.md @@ -0,0 +1,98 @@ +--- +title: Procedures Used in This Guide (Windows 10) +description: Procedures Used in This Guide +ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178 +author: brianlic-msft +--- + +# Procedures Used in This Guide + + +The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. + +[Add Production Computers to the Membership Group for a Zone](../p_server_archive/add-production-computers-to-the-membership-group-for-a-zone.md) + +[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md) + +[Assign Security Group Filters to the GPO](../p_server_archive/assign-security-group-filters-to-the-gpo.md) + +[Change Rules from Request to Require Mode](../p_server_archive/change-rules-from-request-to-require-mode.md) + +[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) + +[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) + +[Configure Group Policy to Autoenroll and Deploy Certificates](../p_server_archive/configure-group-policy-to-autoenroll-and-deploy-certificates.md) + +[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) + +[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) + +[Configure the Windows Firewall Log](../p_server_archive/configure-the-windows-firewall-log.md) + +[Configure the Workstation Authentication Certificate Template](../p_server_archive/configure-the-workstation-authentication-certificate-templatewfas-dep.md) + +[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](../p_server_archive/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) + +[Confirm That Certificates Are Deployed Correctly](../p_server_archive/confirm-that-certificates-are-deployed-correctly.md) + +[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md) + +[Create a Group Account in Active Directory](../p_server_archive/create-a-group-account-in-active-directory.md) + +[Create a Group Policy Object](../p_server_archive/create-a-group-policy-object.md) + +[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) + +[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) + +[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +[Create WMI Filters for the GPO](../p_server_archive/create-wmi-filters-for-the-gpo.md) + +[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) + +[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) + +[Install Active Directory Certificate Services](../p_server_archive/install-active-directory-certificate-services.md) + +[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md) + +[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) + +[Open the Group Policy Management Console to IP Security Policies](../p_server_archive/open-the-group-policy-management-console-to-ip-security-policies.md) + +[Open the Group Policy Management Console to Windows Firewall](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall.md) + +[Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) + +[Open Windows Firewall with Advanced Security](../p_server_archive/open-windows-firewall-with-advanced-security.md) + +[Restrict Server Access to Members of a Group Only](../p_server_archive/restrict-server-access-to-members-of-a-group-only.md) + +[Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md) + +[Turn on Windows Firewall and Configure Default Behavior](../p_server_archive/turn-on-windows-firewall-and-configure-default-behavior.md) + +[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md) + +  + +  + + + + + diff --git a/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md b/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md new file mode 100644 index 0000000000..156362cc19 --- /dev/null +++ b/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md @@ -0,0 +1,44 @@ +--- +title: Protect Computers from Unwanted Network Traffic (Windows 10) +description: Protect Computers from Unwanted Network Traffic +ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc +author: brianlic-msft +--- + +# Protect Computers from Unwanted Network Traffic + + +Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as a computer virus that is brought in on portable media and run on a trusted computer. Portable computers are often taken outside the network and connected directly to the Internet, without adequate protection between the computer and security threats. + +Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](http://download.microsoft.com/download/C/9/A/C9A544AD-4150-43D3-80F7-4F1641EF910A/Microsoft_Security_Intelligence_Report_Volume_12_Key_Findings_Summary_English.pdf) at http://download.microsoft.com/download/C/9/A/C9A544AD-4150-43D3-80F7-4F1641EF910A/Microsoft\_Security\_Intelligence\_Report\_Volume\_12\_Key\_Findings\_Summary\_English.pdf. + +Running a host-based firewall on every computer that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable computer to provide protection when it is away from the organization's network. + +A host-based firewall helps secure a computer by dropping all network traffic that does not match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](0c75637e-86b7-4fb3-9910-04c5cf186305), provides the following benefits: + +- Network traffic that is a reply to a request from the local computer is permitted into the computer from the network. + +- Network traffic that is unsolicited, but that matches a rule for allowed network traffic, is permitted into the computer from the network. + + For example, Woodgrove Bank wants a computer that is running SQL Server to be able to receive the SQL queries sent to it by client computers. The firewall policy deployed to the computer that is running SQL Server includes firewall rules that specifically allow inbound network traffic for the SQL Server program. + +- Outbound network traffic that is not specifically blocked is allowed on the network. + + For example, Woodgrove Bank has a corporate policy that prohibits the use of certain peer-to-peer file sharing programs. The firewall policy deployed to the computers on the network includes firewall rules that block both inbound and outbound network traffic for the prohibited programs. All other outbound traffic is permitted. + +The following component is recommended for this deployment goal: + +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources \[lhs\]](508b3d05-e9c9-4df9-bae4-750d4ad03302). + +Other means of deploying a firewall policy are available, such as creating scripts that use the **netsh** command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations. + +**Next: **[Restrict Access to Only Trusted Computers](29805c5c-a8e4-4600-86b9-7abb9a068919) + +  + +  + + + + + diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md new file mode 100644 index 0000000000..29dfe483a0 --- /dev/null +++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md @@ -0,0 +1,42 @@ +--- +title: Require Encryption When Accessing Sensitive Network Resources (Windows 10) +description: Require Encryption When Accessing Sensitive Network Resources +ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f +author: brianlic-msft +--- + +# Require Encryption When Accessing Sensitive Network Resources + + +The use of authentication in the previously described goal ([Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md)) enables a computer in the isolated domain to block traffic from untrusted computers. However, it does not prevent an untrusted computer from eavesdropping on the network traffic shared between two trusted computers, because by default network packets are not encrypted. + +For computers that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to computers that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. + +The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. + +![encryption zone in an isolated domain](images/wfas-domainisoencrypt.gif) + +This goal provides the following benefits: + +- Computers in the encryption zone require authentication to communicate with other computers. This works no differently from the domain isolation goal and design. For more information, see [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md). + +- Computers in the encryption zone require that all inbound and outbound network traffic be encrypted. + + For example, Woodgrove Bank processes sensitive customer data on a computer that must be protected from eavesdropping by computers on the network. Connection security rules specify that all traffic must be encrypted by a sufficiently complex encryption algorithm to help protect the data. + +- Computers in the encryption zone are often good candidates for server isolation, where access is limited to only computer accounts and user accounts that are members of an authorized access group. In many organizations, the encryption zone and the server isolation zone are one and the same. For more information, see [Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md). + +The following components are required for this deployment goal: + +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](../p_server_archive/additional-resources-wfasdesign.md). + +**Next: **[Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md) + +  + +  + + + + + diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md new file mode 100644 index 0000000000..1e565f2c6b --- /dev/null +++ b/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md @@ -0,0 +1,46 @@ +--- +title: Restrict Access to Only Specified Users or Computers (Windows 10) +description: Restrict Access to Only Specified Users or Computers +ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df +author: brianlic-msft +--- + +# Restrict Access to Only Specified Users or Computers + + +Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Computers](29805c5c-a8e4-4600-86b9-7abb9a068919)) prevents computers that are members of the isolated domain from accepting network traffic from untrusted computers. However, some computers on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. + +Windows Firewall with Advanced Security enables you to restrict access to computers and users that are members of domain groups authorized to access that computer. These groups are called *network access groups (NAGs)*. When a computer authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple computers in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Computers that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](261bd90d-5a8a-4de1-98c7-6d07e5d81267)). + +Restricting access to only users and computers that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. + +Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista enable you to restrict access by specifying either computer or user credentials. + +The following illustration shows an isolated server, and examples of computers that can and cannot communicate with it. Computers that are outside the Woodgrove corporate network, or computers that are in the isolated domain but are not members of the required NAG, cannot communicate with the isolated server. + +![isolated domain with network access groups](images/wfas-domainnag.gif) + +This goal, which corresponds to [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md), provides the following features: + +- Isolated servers accept unsolicited inbound network traffic only from computers or users that are members of the NAG. + +- Isolated servers can be implemented as part of an isolated domain, and treated as another zone. Members of the zone group receive a GPO with rules that require authentication, and that specify that only network traffic authenticated as coming from a member of the NAG is allowed. + +- Server isolation can also be configured independently of an isolated domain. To do so, configure only the computers that must communicate with the isolated server with connection security rules to implement authentication and check NAG membership. + +- A server isolation zone can be simultaneously configured as an encryption zone. To do this, configure the GPO with rules that force encryption in addition to requiring authentication and restricting access to NAG members. For more information, see [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md). + +The following components are required for this deployment goal: + +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](../p_server_archive/additional-resources-wfasdesign.md). + +**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](../p_server_archive/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) + +  + +  + + + + + diff --git a/windows/keep-secure/restrict-access-to-only-trusted-computers.md b/windows/keep-secure/restrict-access-to-only-trusted-computers.md new file mode 100644 index 0000000000..aa3e530671 --- /dev/null +++ b/windows/keep-secure/restrict-access-to-only-trusted-computers.md @@ -0,0 +1,59 @@ +--- +title: Restrict Access to Only Trusted Computers (Windows 10) +description: Restrict Access to Only Trusted Computers +ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b +author: brianlic-msft +--- + +# Restrict Access to Only Trusted Computers + + +Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach computers that are not owned by your organization to your network. Because you do not manage those computers, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy computers both on and outside of your physical network must not be permitted to access your organization's computers except where it is truly required. + +To mitigate this risk, you must be able to isolate the computers you trust, and restrict their ability to receive unsolicited network traffic from untrusted computers. By using connection security and firewall rules available in Windows Firewall with Advanced Security, you can logically isolate the computers that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each computer or user can positively identify itself by using credentials that are trusted by the other computer. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. + +**Note**   +Because the primary authentication method recommended for computers that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to computers that are not part of an Active Directory domain. + +  + +The protection provided by domain isolation can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. + +The following illustration shows an isolated domain, with one of the zones that are optionally part of the design. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. + +![domain isolation](images/wfas-domainiso.gif) + +These goals, which correspond to [Domain Isolation Policy Design](3aa75a74-adef-41e4-bf2d-afccf2c47d46) and [Certificate-based Isolation Policy Design](a706e809-ddf3-42a4-9991-6e5d987ebf38), provide the following benefits: + +- Computers in the isolated domain accept unsolicited inbound network traffic only when it can be authenticated as coming from another computer in the isolated domain. Exemption rules can be defined to allow inbound traffic from trusted computers that for some reason cannot perform IPsec authentication. + + For example, Woodgrove Bank wants all of its computers to block all unsolicited inbound network traffic from any computer that it does not manage. The connection security rules deployed to domain member computers require authentication as a domain member or by using a certificate before an unsolicited inbound network packet is accepted. + +- Computers in the isolated domain can still send outbound network traffic to untrusted computers and receive the responses to the outbound requests. + + For example, Woodgrove Bank wants its users at client computers to be able to access Web sites on the Internet. The default Windows Firewall with Advanced Security settings for outbound network traffic allow this. No additional rules are required. + +These goals also support optional zones that can be created to add customized protection to meet the needs of subsets of an organization's computers: + +- Computers in the "boundary zone" are configured to use connection security rules that request but do not require authentication. This enables them to receive unsolicited inbound network traffic from untrusted computers, and also to receive traffic from the other members of the isolated domain. + + For example, Woodgrove Bank has a server that must be accessed by its partners' computers through the Internet. The rules applied to computers in the boundary zone use authentication when the client computer can support it, but do not block the connection if the client computer cannot authenticate. + +- Computers in the "encryption zone" require that all network traffic in and out must be encrypted to secure potentially sensitive material when it is sent over the network. + + For example, Woodgrove Bank wants the computers running SQL Server to only transmit data that is encrypted to help protect the sensitive data stored on those computers. + +The following components are required for this deployment goal: + +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources \[lhs\]](508b3d05-e9c9-4df9-bae4-750d4ad03302). + +**Next: **[Require Encryption When Accessing Sensitive Network Resources](261bd90d-5a8a-4de1-98c7-6d07e5d81267) + +  + +  + + + + + diff --git a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md new file mode 100644 index 0000000000..437e25bce5 --- /dev/null +++ b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md @@ -0,0 +1,58 @@ +--- +title: Restrict Server Access to Members of a Group Only (Windows 10) +description: Restrict Server Access to Members of a Group Only +ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b +author: brianlic-msft +--- + +# Restrict Server Access to Members of a Group Only + + +After you have configured the IPsec connection security rules that force client computers to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those computers or users who have been identified through the authentication process as members of the isolated server’s access group. + +The way in which you restrict access to the isolated server depends on which version of the Windows operating system the server is running. + +- If the server is running Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012, then you create a firewall rule that specifies the user and computer accounts that are allowed. The authentication method used in the connection must support the account type specified. Remember that only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 support user-based authentication. + +In this topic: + +- [Create a firewall rule to access isolated servers running Windows Server 2008 or later](#bkmk-section1) + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +## + + +**To create a firewall rule that grants access to an isolated server running Windows Server 2008 or later** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](75ccea22-f225-40be-94a9-d0b17170d4fe). You must edit the GPO that applies settings to servers in the isolated server zone. + +2. In the navigation pane, right-click **Inbound Rules**, and then click **New Rule**. + +3. On the **Rule Type** page, click **Custom**, and then click **Next**. + +4. If you must restrict access to a single network program, then you can select **This program path**, and specify the program or service to which to grant access. Otherwise, click **All programs**, and then click **Next**. + +5. If you must restrict access to only some TCP or UDP port numbers, then enter the port numbers on the **Protocol and Ports** page. Otherwise, set **Protocol type** to **Any**, and then click **Next**. + +6. On the **Scope** page, select **Any IP address** for both local and remote addresses, and then click **Next**. + +7. On the **Action** page, click **Allow the connection if it is secure**. If required by your design, you can also click **Customize** and select **Require the connections to be encrypted**. Click **Next**. + +8. On the **Users and Computers** page, select the check box for the type of accounts (computer or user) you want to allow, click **Add**, and then enter the group account that contains the computer and user accounts permitted to access the server. + + **Caution**   + Remember that if you specify a user group on the Users page, your authentication scheme must include a method that uses user-based credentials. User-based credentials are only supported on versions of Windows that support AuthIP, such as Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. Earlier versions of Windows and other operating systems that support IKE v1 only do not support user-based authentication; computers running those versions or other operating systems will not be able to connect to the isolated server through this firewall rule. + +   + +  + +  + + + + + diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md new file mode 100644 index 0000000000..acdb18d98f --- /dev/null +++ b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md @@ -0,0 +1,203 @@ +--- +title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows 10) +description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 +ms.assetid: 290d61e6-ec8c-48b9-8dcd-d0df6df24181 +author: brianlic-msft +--- + +# Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 + + +In Windows Server 2012, Internet Key Exchange version 2 (IKEv2) support is broadened from previous Windows versions. + +For example, in Windows Server 2012, IKEv2 does the following: + +- Supports additional scenarios, including IPsec end-to-end transport mode connections + +- Provides interoperability for Windows with other operating systems that use IKEv2 for end-to-end security + +- Supports Suite B (RFC 4869) requirements + +- Coexists with existing policies that deploy AuthIP/IKEv1 + +- Uses the Windows PowerShell interface exclusively for configuration. You cannot configure IKEv2 through the user interface. + +- Uses certificates for the authentication mechanism + +In Windows Server 2008 R2, IKEv2 is available as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection. + +**In this document** + +- [Prerequisites](#bkmk-prereqs) + +- [Computers joined to a domain](#bkmk-step1) + +- [Computers not joined to a domain](#bkmk-step2) + +- [Troubleshooting](#bkmk-troubleshooting) + +**Note**   +This topic includes sample Windows PowerShell cmdlets. For more information, see [How to Run a Windows PowerShell Cmdlet](http://go.microsoft.com/fwlink/p/?linkid=230693). + +  + +## Prerequisites + + +These procedures assume that you already have a public key infrastructure (PKI) in place for computer authentication. + +## Computers joined to a domain + + +The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1. + +![the contoso corporate network](images/corpnet.gif) + +**Figure 1** The Contoso corporate network + +This script does the following: + +- Creates a security group called **IPsec client and servers** and adds CLIENT1 and SERVER1 as members. + +- Creates a Group Policy Object (GPO) called **IPsecRequireInRequestOut** and links it to the corp.contoso.com domain. + +- Sets the permissions to the GPO so that they apply only to the computers in **IPsec client and servers** and not to **Authenticated Users**. + +- Indicates the certificate to use for authentication. + + **Important**   + The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. + +   + +- Creates the IKEv2 connection security rule called **My IKEv2 Rule**. + +![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** + +Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. + +``` syntax +# Create a Security Group for the computers that will get the policy +$pathname = (Get-ADDomain).distinguishedname +New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" ` +-GroupCategory security -GroupScope Global -path $pathname + +# Add test computers to the Security Group +$computer = Get-ADComputer -LDAPFilter "(name=client1)" +Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer +$computer = Get-ADComputer -LDAPFilter "(name=server1)" +Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer + +# Create and link the GPO to the domain +$gpo = New-gpo IPsecRequireInRequestOut +$gpo | new-gplink -target "dc=corp,dc=contoso,dc=com" -LinkEnabled Yes + +# Set permissions to security group for the GPO +$gpo | Set-GPPermissions -TargetName "IPsec client and servers" -TargetType Group -PermissionLevel GpoApply -Replace +$gpo | Set-GPPermissions -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace + +#Set up the certificate for authentication +$gponame = "corp.contoso.com\IPsecRequireInRequestOut" +$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" +$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop –PolicyStore GPO:$gponame + +#Create the IKEv2 Connection Security rule +New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID ` +-InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 -PolicyStore GPO:$gponame +``` + +## Computers not joined to a domain + + +Use a Windows PowerShell script similar to the following to create a local IPsec policy on the computers that you want to include in the secure connection. + +**Important**   +The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. + +  + +![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** + +Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. + +``` syntax +#Set up the certificate +$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" +$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop + +#Create the IKEv2 Connection Security rule +New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID ` +-InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 +``` + +Make sure that you install the required certificates on the participating computers. + +**Note**   +- For local computers, you can import the certificates manually if you have administrator access to the computer. For more information, see [Import or export certificates and private keys](http://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys). + +- You need a root certificate and a computer certificate on all computers that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder. + +- For remote computers, you can create a secure website to facilitate access to the script and certificates. + +  + +## Troubleshooting + + +Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: + +**Use the Windows Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.** + +1. On the **Start** screen, type **wf.msc**, and then press ENTER. + +2. In the left pane of the Windows Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule. + +3. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile. + +**Use Windows PowerShell cmdlets to display the security associations.** + +1. Open a Windows PowerShell command prompt. + +2. Type **get-NetIPsecQuickModeSA** to display the Quick Mode security associations. + +3. Type **get-NetIPsecMainModeSA** to display the Main Mode security associations. + +**Use netsh to capture IPsec events.** + +1. Open an elevated command prompt. + +2. At the command prompt, type **netsh wfp capture start**. + +3. Reproduce the error event so that it can be captured. + +4. At the command prompt, type **netsh wfp capture stop**. + + A wfpdiag.cab file is created in the current folder. + +5. Open the cab file, and then extract the wfpdiag.xml file. + +6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file: + + ``` syntax + ERROR_IPSEC_IKE_NO_CERT + 32 + + ``` + + In this example, there are 32 instances of the **ERROR\_IPSEC\_IKE\_NO\_CERT** error. So now you can search for **ERROR\_IPSEC\_IKE\_NO\_CERT** to get more details regarding this error. + +You might not find the exact answer for the issue, but you can find good hints. For example, you might find that there seems to be an issue with the certificates, so you can look at your certificates and the related cmdlets for possible issues. + +## See also + + +- [Windows Firewall with Advanced Security Overview](../p_server_archive/windows-firewall-with-advanced-security-overview-win8.md) + +  + +  + + + + + diff --git a/windows/keep-secure/server-isolation-gpos.md b/windows/keep-secure/server-isolation-gpos.md new file mode 100644 index 0000000000..aa7a7f109b --- /dev/null +++ b/windows/keep-secure/server-isolation-gpos.md @@ -0,0 +1,36 @@ +--- +title: Server Isolation GPOs (Windows 10) +description: Server Isolation GPOs +ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4 +author: brianlic-msft +--- + +# Server Isolation GPOs + + +Each set of computers that have different users or computers accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on computers in the zone. The Woodgrove Bank example has an isolation zone for their computers that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. + +All of the computer accounts for computers in the SQL Server server isolation zone are added to the group CG\_SRVISO\_WGBANK\_SQL. This group is granted Read and Apply Group Policy permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. Client computers are not expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone. + +## GPO\_SRVISO\_WS2008 + + +This GPO is identical to the GPO\_DOMISO\_Encryption\_WS2008 GPO with the following changes: + +- The firewall rule that enforces encryption is modified to include the NAGs on the **Users and Computers** tab of the rule. The NAGs granted permission include CG\_NAG\_SQL\_Users and CG\_NAG\_SQL\_Computers. + + **Important**   + Earlier versions of Windows support only computer-based authentication. If you specify that user authentication is mandatory, only users on computers that are running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008 can connect. + +   + +**Next: **[Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md) + +  + +  + + + + + diff --git a/windows/keep-secure/server-isolation-policy-design-example.md b/windows/keep-secure/server-isolation-policy-design-example.md new file mode 100644 index 0000000000..1666f22af8 --- /dev/null +++ b/windows/keep-secure/server-isolation-policy-design-example.md @@ -0,0 +1,87 @@ +--- +title: Server Isolation Policy Design Example (Windows 10) +description: Server Isolation Policy Design Example +ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6 +author: brianlic-msft +--- + +# Server Isolation Policy Design Example + + +This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md) section. + +In addition to the protections provided by the firewall and domain isolation, Woodgrove Bank wants to provide additional protection to the computers that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. This includes a requirement to prevent interception of and access to the information when it is in transit over the network. + +The information presented by the WGBank front-end servers to the client computers, and the information presented by the WGPartner servers to the remote partner computers, are not considered sensitive for the purposes of the government regulations, because they are processed to remove sensitive elements before transmitting the data to the client computers. + +In this guide, the examples show server isolation layered on top of a domain isolation design. If you have an isolated domain, the client computers are already equipped with GPOs that require authentication. You only have to add settings to the isolated server(s) to require authentication on inbound connections, and to check for membership in the NAG. The connection attempt succeeds only if NAG membership is confirmed. + +## Server isolation without domain isolation + + +Server isolation can also be deployed by itself, to only the computers that must participate. The GPO on the server is no different from the one discussed in the previous paragraph for a server in an existing isolated domain. The difference is that you must also deploy a GPO with supporting connection security rules to the clients that must be able to communicate with the isolated server. Because those computers must be members of the NAG, that group can also be used in a security group filter on the client GPO. That GPO must contain rules that support the authentication requirements of the isolated server. + +In short, instead of applying the client GPO to all clients in the domain, you apply the GPO to only the members of the NAG. + +If you do not have an Active Directory domain then you can manually apply the connection security rules to the client computers, or you can use a netsh command-line script (or Windows PowerShell in Windows 8 and Windows Server 2012) to help automate the configuration of the rules on larger numbers of computers. If you do not have an Active Directory domain, you cannot use the Kerberos V5 protocol, but instead must provide the clients and the isolated servers with certificates that are referenced in the connection security rules. + +## Design requirements + + +In addition to the protection provided by the firewall rules and domain isolation described in the previous design examples, the network administrators want to implement server isolation to help protect the sensitive data stored on the computers that run SQL Server. + +The following illustration shows the traffic protection needs for this design example. + +![isolated server example](images/wfas-design3example1.gif) + +1. Access to the SQL Server computers must be restricted to only those computer or user accounts that have a business requirement to access the data. This includes the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server computers. In addition, access is only granted when it is sent from an authorized computer. Authorization is determined by membership in a network access group (NAG). + +2. All network traffic to and from the SQL Server computers must be encrypted. + +3. Client computers or users whose accounts are not members of the NAG cannot access the isolated servers. + +**Other traffic notes:** + +- All of the design requirements shown in the [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md) section are still enforced. + +- All of the design requirements shown in the [Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md) section are still enforced. + +## Design details + + +Woodgrove Bank uses Active Directory groups and GPOs to deploy the server isolation settings and rules to the computers on its network. + +As in the previously described policy design examples, GPOs to implement the domain isolation environment are linked to the domain container in Active Directory, and then WMI filters and security group filters are attached to GPOs to ensure that the correct GPO is applied to each computer. The following groups were created by using the Active Directory Users and Computers snap-in, and all computers that run Windows were added to the correct groups. + +- **CG\_SRVISO\_WGBANK\_SQL**. This group contains the computer accounts for the computers that run SQL Server. Members of this group receive a GPO with firewall and connections security rules that require that only users who are members of the group CG\_NAG\_SQL\_USERS can access the server, and only when they are using a computer that is a member of the group CG\_NAG\_SQL\_COMPUTERS. + +**Note**   +If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, computers that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any computers that are incorrectly assigned to more than one group. + +  + +Network access groups (NAGs) are not used to determine which GPOs are applied to a computer. Instead, these groups determine which users and computers can access the services on the isolated server. + +- **CG\_NAG\_SQL\_COMPUTERS**. This network access group contains the computer accounts that are able to access the computers running SQL Server hosting the WGBank data. Members of this group include the WGBank front-end servers, and some client computers from which SQL Server administrators are permitted to work on the servers. + +- **CG\_NAG\_SQL\_USERS**. This network access group contains the user accounts of users who are permitted to access the SQL Server computers that host the WGBank data. Members of this group include the service account that the WGBank front-end program uses to run on its computers, and the user accounts for the SQL Server administration team members. + +**Note**   +You can use a single group for both user and computer accounts. Woodgrove Bank chose to keep them separate for clarity. + +  + +If Woodgrove Bank wants to implement server isolation without domain isolation, the CG\_NAG\_SQL\_COMPUTERS group can also be attached as a security group filter on the GPOs that apply connection security rules to the client computers. By doing this, all the computers that are authorized to access the isolated server also have the required connection security rules. + +You do not have to include the encryption-capable rules on all computers. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption. + +**Next: **[Certificate-based Isolation Policy Design Example](../p_server_archive/certificate-based-isolation-policy-design-example.md) + +  + +  + + + + + diff --git a/windows/keep-secure/server-isolation-policy-design.md b/windows/keep-secure/server-isolation-policy-design.md new file mode 100644 index 0000000000..798292f552 --- /dev/null +++ b/windows/keep-secure/server-isolation-policy-design.md @@ -0,0 +1,59 @@ +--- +title: Server Isolation Policy Design (Windows 10) +description: Server Isolation Policy Design +ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a +author: brianlic-msft +--- + +# Server Isolation Policy Design + + +In the server isolation policy design, you assign servers to a zone that allows access only to users and computers that authenticate as members of an approved network access group (NAG). + +This design typically begins with a network configured as described in the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) section. For this design, you then create zones for servers that have additional security requirements. The zones can limit access to the server to only members of authorized groups, and can optionally require the encryption of all traffic in or out of these servers. This can be done on a per server basis, or for a group of servers that share common security requirements. + +You can implement a server isolation design without using domain isolation. To do this, you use the same principles as domain isolation, but instead of applying them to an Active Directory domain, you apply them only to the computers that must be able to access the isolated servers. The GPO contains connection security and firewall rules that require authentication when communicating with the isolated servers. In this case, the NAGs that determine which users and computers can access the isolated server are also used to determine which computers receive the GPO. + +The design is shown in the following illustration, with arrows that show the permitted communication paths. + +![isolated domain with isolated server](images/wfas-domainisohighsec.gif) + +Characteristics of this design include the following: + +- Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then computers in the boundary zone behave just like other members of the isolated domain in the way that they interact with computers in server isolation zones. + +- Isolated servers (area B) - Computers in the server isolation zones restrict access to computers, and optionally users, that authenticate as a member of a network access group (NAG) authorized to gain access. + +- Encryption zone (area C) - If the data being exchanged is sufficiently sensitive, the connection security rules for the zone can also require that the network traffic be encrypted. Encryption zones are most often implemented as rules that are part of a server isolation zone, instead of as a separate zone. The diagram illustrates the concept as a subset for conceptual purposes only. + +To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules. + +**Important**   +This design builds on the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented. + +  + +This design can be applied to computers that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. + +For more information about this design: + +- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md), [Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md), and [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md). + +- To learn more about this design, see [Server Isolation Policy Design Example](../p_server_archive/server-isolation-policy-design-example.md). + +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md). + +- To help you make the decisions required in this design, see [Planning Server Isolation Zones](../p_server_archive/planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md). + +- For a list of tasks that you can use to deploy your server isolation policy design, see "Checklist: Implementing a Standalone Server Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=xxxxx) at http://go.microsoft.com/fwlink/?linkid=xxxx. + +**Next: **[Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md) + +  + +  + + + + + diff --git a/windows/keep-secure/start-a-command-prompt-as-an-administrator.md b/windows/keep-secure/start-a-command-prompt-as-an-administrator.md new file mode 100644 index 0000000000..55bd05b936 --- /dev/null +++ b/windows/keep-secure/start-a-command-prompt-as-an-administrator.md @@ -0,0 +1,34 @@ +--- +title: Start a Command Prompt as an Administrator (Windows 10) +description: Start a Command Prompt as an Administrator +ms.assetid: 82615224-39df-458f-b165-48af77721527 +author: brianlic-msft +--- + +# Start a Command Prompt as an Administrator + + +This topic describes how to open a command prompt with full administrator permissions. If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions. You must explicitly specify that you require the use of your administrative permissions by using one of the procedures in this topic. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Administrators group. + +**To start a command prompt as an administrator** + +- Right-click the **Start** charm, and then click **Command Prompt (Admin)**. + +**To start a command prompt as an administrator (alternative method)** + +1. Click the **Start** charm. + +2. Type **cmd**, right-click the **Command Prompt** tile, and then click **Run as administrator**. + +  + +  + + + + + diff --git a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md new file mode 100644 index 0000000000..0e12364aa9 --- /dev/null +++ b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md @@ -0,0 +1,48 @@ +--- +title: Turn on Windows Firewall and Configure Default Behavior (Windows 10) +description: Turn on Windows Firewall and Configure Default Behavior +ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74 +author: brianlic-msft +--- + +# Turn on Windows Firewall and Configure Default Behavior + + +To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node (for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2) in the Group Policy Management MMC snap-in. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +## + + +**To enable Windows Firewall and configure the default behavior on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. + +3. For each network location type (Domain, Private, Public), perform the following steps. + + **Note**   + The steps shown here indicate the recommended values for a typical deployment. Use the settings that are appropriate for your firewall design. + +   + + 1. Click the tab that corresponds to the network location type. + + 2. Change **Firewall state** to **On (recommended)**. + + 3. Change **Inbound connections** to **Block (default)**. + + 4. Change **Outbound connections** to **Allow (default)**. + +  + +  + + + + + diff --git a/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md new file mode 100644 index 0000000000..5088fc9668 --- /dev/null +++ b/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -0,0 +1,34 @@ +--- +title: Understanding the Windows Firewall with Advanced Security Design Process (Windows 10) +description: Understanding the Windows Firewall with Advanced Security Design Process +ms.assetid: ab7db2bf-38c8-48eb-82e0-3d284055e7bb +author: brianlic-msft +--- + +# Understanding the Windows Firewall with Advanced Security Design Process + + +Designing any deployment starts by performing several important tasks: + +- [Identifying Your Windows Firewall with Advanced Security Design Goals](bba6fa3a-2318-4cb7-aa75-f2910d9c406d) + +- [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](39bb8fa5-4601-45ae-83c5-121d42f7f82c) + +- [Evaluating Windows Firewall with Advanced Security Design Examples](6da09290-8cda-4731-8fce-07fc030f9f4f) + +After you identify your deployment goals and map them to a Windows Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: + +- [Designing A Windows Firewall with Advanced Security Strategy](36230ca4-ee8d-4b2c-ab4f-5492b4400340) + +- [Planning Your Windows Firewall with Advanced Security Design](6622d31d-a62c-4506-8cea-275bf42e755f) + +**Next:**[Identifying Your Windows Firewall with Advanced Security Design Goals](bba6fa3a-2318-4cb7-aa75-f2910d9c406d) + +  + +  + + + + + diff --git a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md new file mode 100644 index 0000000000..40056df757 --- /dev/null +++ b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md @@ -0,0 +1,77 @@ +--- +title: Verify That Network Traffic Is Authenticated (Windows 10) +description: Verify That Network Traffic Is Authenticated +ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2 +author: brianlic-msft +--- + +# Verify That Network Traffic Is Authenticated + + +After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the computers on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the computers have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. + +In these procedures, you confirm that the rules you deployed are working correctly. Your next steps depend on which zone you are working on: + +- **Main domain isolation zone.** Before you convert your main domain isolation IPsec rule from request mode to require mode, you must make sure that the network traffic is protected according to your design. By configuring your rules to request and not require authentication at the beginning of operations, computers on the network can continue to communicate even when the main mode authentication or quick mode integrity and encryption rules are not working correctly. For example, if your encryption zone contains rules that require a certain encryption algorithm, but that algorithm is not included in a security method combination on the clients, then those clients cannot successfully negotiate a quick mode security association, and the server refuses to accept network traffic from the client. By first using request mode only, you have the opportunity to deploy your rules and then examine the network traffic to see if they are working as expected without risking a loss of communications. + +- **Boundary zone.** Confirming correct operation of IPsec is the last step if you are working on the boundary zone GPO. You do not convert the GPO to require mode at any time. + +- **Encryption zone.** Similar to the main isolation zone, after you confirm that the network traffic to zone members is properly authenticated and encrypted, you must convert your zone rules from request mode to require mode. + +**Note**   +In addition to the steps shown in this procedure, you can also use network traffic capture tools such as Microsoft Network Monitor, which can be downloaded from . Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your computer. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them. + +  + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +## For computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 + + +**To verify that network connections are authenticated by using the Windows Firewall with Advanced Security MMC snap-in** + +1. Click the **Start** charm, type **wf.msc**, and then press ENTER. + + Windows Firewall with Advanced Security opens. + +2. In the navigation pane, expand **Monitoring**, and then click **Connection Security Rules**. + + The details pane displays the rules currently in effect on the computer. + +3. **To display the Rule Source column** + + 1. In the **Actions** pane, click **View**, and then click **Add/Remove Columns**. + + 2. In the **Available columns** list, select **Rule Source**, and then click **Add**. + + 3. Use the **Move up** and **Move down** buttons to rearrange the order. Click **OK** when you are finished. + + It can take a few moments for the list to be refreshed with the newly added column. + +4. Examine the list for the rules from GPOs that you expect to be applied to this computer. + + **Note**   + If the rules do not appear in the list, then troubleshoot the GPO security group and the WMI filters that are applied to the GPO. Make sure that the local computer is a member of the appropriate groups and meets the requirements of the WMI filters. + +   + +5. In the navigation pane, expand **Security Associations**, and then click **Main Mode**. + + The current list of main mode associations that have been negotiated with other computers appears in the details column. + +6. Examine the list of main mode security associations for sessions between the local computer and the remote computer. Make sure that the **1st Authentication Method** and **2nd Authentication Method** columns contain expected values. If your rules specify only a first authentication method, then the **2nd Authentication Method** column displays **No authentication**. If you double-click the row, then the **Properties** dialog box appears with additional details about the security association. + +7. In the navigation pane, click **Quick mode**. + +8. Examine the list of quick mode security associations for sessions between the local computer and the remote computer. Make sure that the **AH Integrity**, **ESP integrity**, and **ESP Confidentiality** columns contain expected values. + +  + +  + + + + + diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md new file mode 100644 index 0000000000..bf8243fdb9 --- /dev/null +++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -0,0 +1,734 @@ +--- +title: Windows Firewall with Advanced Security Administration with Windows PowerShell (Windows 10) +description: Windows Firewall with Advanced Security Administration with Windows PowerShell +ms.assetid: 3e1e53af-015e-427d-a027-c2e8ceee799d +author: brianlic-msft +--- + +# Windows Firewall with Advanced Security Administration with Windows PowerShell + + +The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management in Windows Server 2012. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows. + +In Windows Server 2012 and Windows 8, administrators can use Windows PowerShell to manage their firewall and IPsec deployments. This object-oriented scripting environment will make it easier for administrators to manage policies and monitor network conditions than was possible in Netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in Netsh and how you can use Windows PowerShell to accomplish them. + +**Important**   +The netsh commands for Windows Firewall with Advanced Security have not changed since the previous operating system version. The netsh commands for Windows Firewall with Advanced Security in Windows Server 2012 are identical to the commands that are provided in Windows Server 2008 R2. + +  + +In future versions of Windows, Microsoft might remove the netsh functionality for Windows Firewall with Advanced Security. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Firewall with Advanced Security. + +Windows PowerShell and netsh command references are at the following locations. + +- [Netsh Commands for Windows Firewall with Advanced Security](http://technet.microsoft.com/library/cc771920) + +## Scope + + +This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security Overview](../p_server_archive/windows-firewall-with-advanced-security-overview-win8.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more information about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#bkmk-additionalresources) section of this guide. + +## Audience and user requirements + + +This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you are familiar with Windows Firewall with Advanced Security, the Windows PowerShell language, and the basic concepts of Windows PowerShell. + +## System requirements + + +To run the scripts and scriptlets in this guide, install and configure your system as follows: + +- Windows Server 2012 + +- Windows PowerShell 3.0 (included in Windows Server 2012) + +- Windows NetSecurity Module for Windows PowerShell (included in Windows Server 2012) + +- Windows PowerShell ISE (optional feature in Windows PowerShell 3.0, which is installed by using Server Manager) + +**Note**   +In Windows PowerShell 3.0, modules are imported automatically when you get or use any cmdlet in the module. You can still use the **Import-Module** cmdlet to import a module. + +Use **Import-Module** if you are using Windows PowerShell 2.0, or if you need to use a feature of the module before you use any of its cmdlets. For more information, see [Import-Module](http://go.microsoft.com/fwlink/p/?linkid=141553). + +Use **Import-PSSnapIn** to use cmdlets in a Windows PowerShell snap-in, regardless of the version of Windows PowerShell that you are running. + +  + +## In this guide + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TopicDescription

[Set profile global defaults](#bkmk-profileglobaldefaults)

Enable and control firewall behavior

[Deploy basic firewall rules](#bkmk-deploying)

How to create, modify, and delete firewall rules

[Manage Remotely](#bkmk-remote)

Remote management by using -CimSession

[Deploy basic IPsec rule settings](#bkmk-deployingipsec)

IPsec rules and associated parameters

[Deploy secure firewall rules with IPsec](#bkmk-deploysecurerules)

Domain and server isolation

[Additional resources](#bkmk-additionalresources)

More information about Windows PowerShell

+ +  + +## Set profile global defaults + + +Global defaults set the system behavior in a per profile basis. Windows Firewall with Advanced Security supports Domain, Private, and Public profiles. + +### Enable Windows Firewall + +Windows Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the computer. If you find that the rules you create are not being enforced, you may need to enable Windows Firewall. Here is how to do this on a local domain computer: + +**Netsh** + +``` syntax +netsh advfirewall set allprofiles state on +``` + +Windows PowerShell + +The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. + +``` syntax +Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True +``` + +### Control firewall behavior + +The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall with Advanced Security MMC snap-in. + +The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. + +**Netsh** + +``` syntax +netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound +netsh advfirewall set allprofiles settings inboundusernotification enable +netsh advfirewall set allprofiles settings unicastresponsetomulticast enable +netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log +``` + +Windows PowerShell + +``` syntax +Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log + +``` + +## Deploy basic firewall rules + + +This section provides scriptlet examples for creating, modifying, and deleting firewall rules. + +### Create firewall rules + +Adding a firewall rule in Windows PowerShell looks a lot like it did in Netsh, but the parameters and values are specified differently. + +Here is an example of how to allow the Telnet application to listen on the network. This firewall rule is scoped to the local subnet by using a keyword instead of an IP address. Just like in Netsh, the rule is created on the local computer, and it becomes effective immediately. + +**Netsh** + +``` syntax +netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program= %SystemRoot%\System32\tlntsvr.exe remoteip=localsubnet action=allow +``` + +Windows PowerShell + +``` syntax +New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow +``` + +The following scriptlet shows how to add a basic firewall rule that blocks outbound traffic from a specific application and local port to a Group Policy Object (GPO) in Active Directory. In Windows PowerShell, the policy store is specified as a parameter within the **New-NetFirewall** cmdlet. In Netsh, you must first specify the GPO that the commands in a Netsh session should modify. The commands you enter are run against the contents of the GPO, and this remains in effect until the Netsh session is ended or until another set store command is executed. + +Here, **domain.contoso.com** is the name of your Active Directory Domain Services (AD DS), and **gpo\_name** is the name of the GPO that you want to modify. Quotation marks are required if there are any spaces in the GPO name. + +**Netsh** + +``` syntax +netsh advfirewall set store gpo=domain.contoso.com\gpo_name +netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program=%SystemRoot%\System32\telnet.exe protocol=tcp localport=23 action=block +``` + +Windows PowerShell + +``` syntax +New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe –Protocol TCP –LocalPort 23 -Action Block –PolicyStore domain.contoso.com\gpo_name +``` + +### GPO Caching + +To reduce the burden on busy domain controllers, Windows PowerShell allows you to load a GPO to your local session, make all your changes in that session, and then save it back at all once. + +The following performs the same actions as the previous example (by adding a Telnet rule to a GPO), but we do so leveraging GPO caching in PowerShell. Changing the GPO by loading it onto your local session and using the *-GPOSession* parameter are not supported in Netsh + +Windows PowerShell + +``` syntax +$gpo = Open-NetGPO –PolicyStore domain.contoso.com\gpo_name +New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\telnet.exe –Protocol TCP –LocalPort 23 -Action Block –GPOSession $gpo +Save-NetGPO –GPOSession $gpo +``` + +Note that this does not batch your individual changes, it loads and saves the entire GPO at once. So if any other changes are made by other administrators, or in a different Windows PowerShell window, saving the GPO overwrites those changes. + +### Modify an existing firewall rule + +When a rule is created, Netsh and Windows PowerShell allow the administrator to change rule properties and influence, but the rule maintains its unique identifier (in Windows PowerShell this is specified with the *-Name* parameter). + +For example, you could have a rule **Allow Web 80** that enables TCP port 80 for inbound unsolicited traffic. You can change the rule to match a different remote IP address of a Web server whose traffic will be allowed by specifying the human-readable, localized name of the rule. + +**Netsh** + +``` syntax +netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2 +``` + +Windows PowerShell + +``` syntax +Set-NetFirewallRule –DisplayName “Allow Web 80” -RemoteAddress 192.168.0.2 +``` + +Netsh requires you to provide the name of the rule for it to be changed and we do not have an alternate way of getting the firewall rule. In Windows PowerShell, you can query for the rule using its known properties. + +When you run `Get-NetFirewallRule`, you may notice that common conditions like addresses and ports do not appear. These conditions are represented in separate objects called Filters. As shown before, you can set all the conditions in New-NetFirewallRule and Set-NetFirewallRule. If you want to query for firewall rules based on these fields (ports, addresses, security, interfaces, services), you will need to get the filter objects themselves. + +You can change the remote endpoint of the **Allow Web 80** rule (as done previously) using filter objects. Using Windows PowerShell you query by port using the port filter, then assuming additional rules exist affecting the local port, you build with further queries until your desired rule is retrieved. + +In the following example, we assume the query returns a single firewall rule, which is then piped to the `Set-NetFirewallRule` cmdlet utilizing Windows PowerShell’s ability to pipeline inputs. + +Windows PowerShell + +``` syntax +Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction –eq “Inbound” -and $_.Action –eq “Allow”} | Set-NetFirewallRule -RemoteAddress 192.168.0.2 +``` + +You can also query for rules using the wildcard character. The following example returns an array of firewall rules associated with a particular program. The elements of the array can be modified in subsequent `Set-NetFirewallRule` cmdlets. + +Windows PowerShell + +``` syntax +Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule +``` + +Multiple rules in a group can be simultaneously modified when the associated group name is specified in a Set command. You can add firewall rules to specified management groups in order to manage multiple rules that share the same influences. + +In the following example, we add both inbound and outbound Telnet firewall rules to the group **Telnet Management**. In Windows PowerShell, group membership is specified when the rules are first created so we re-create the previous example rules. Adding rules to a custom rule group is not possible in Netsh. + +Windows PowerShell + +``` syntax +New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” +New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” +``` + +If the group is not specified at rule creation time, the rule can be added to the rule group using dot notation in Windows PowerShell. You cannot specify the group using `Set-NetFirewallRule` since the command allows querying by rule group. + +Windows PowerShell + +``` syntax +$rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet” +$rule.Group = “Telnet Management” +$rule | Set-NetFirewallRule +``` + +Using the `Set` command, if the rule group name is specified, the group membership is not modified but rather all rules of the group receive the same modifications indicated by the given parameters. + +The following scriptlet enables all rules in a predefined group containing remote management influencing firewall rules. + +**Netsh** + +``` syntax +netsh advfirewall firewall set rule group="windows firewall remote management" new enable=yes +``` + +Windows PowerShell + +``` syntax +Set-NetFirewallRule -DisplayGroup “Windows Firewall Remote Management” –Enabled True +``` + +There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by group or by other properties of the rule. + +Windows PowerShell + +``` syntax +Enable-NetFirewallRule -DisplayGroup “Windows Firewall Remote Management” -Verbose +``` + +### Delete a firewall rule + +Rule objects can be disabled so that they are no longer active. In Windows PowerShell, the **Disable-NetFirewallRule** cmdlet will leave the rule on the system, but put it in a disabled state so the rule no longer is applied and impacts traffic. A disabled firewall rule can be re-enabled by **Enable-NetFirewallRule**. This is different from the **Remove-NetFirewallRule**, which permanently removes the rule definition from the system. + +The following cmdlet deletes the specified existing firewall rule from the local policy store. + +**Netsh** + +``` syntax +netsh advfirewall firewall delete rule name=“Allow Web 80” +``` + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –DisplayName “Allow Web 80” +``` + +Like with other cmdlets, you can also query for rules to be removed. Here, all blocking firewall rules are deleted from the system. + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –Action Block +``` + +Note that it may be safer to query the rules with the **Get** command and save it in a variable, observe the rules to be affected, then pipe them to the **Remove** command, just as we did for the **Set** commands. The following example shows how the administrator can view all the blocking firewall rules, and then delete the first four rules. + +Windows PowerShell + +``` syntax +$x = Get-NetFirewallRule –Action Block +$x +$x[0-3] | Remove-NetFirewallRule +``` + +## Manage remotely + + +Remote management using WinRM is enabled by default on Windows Server 2012. The cmdlets that support the *CimSession* parameter use WinRM and can be managed remotely by default. This is important because the default and recommended installation mode for Windows Server 2012 is Server Core which does not include a graphical user interface. + +The following example returns all firewall rules of the persistent store on a computer named **RemoteComputer**. + +Windows PowerShell + +``` syntax +Get-NetFirewallRule –CimSession RemoteComputer +``` + +We can perform any modifications or view rules on remote computers by simply using the *–CimSession* parameter. Here we remove a specific firewall rule from a remote computer. + +Windows PowerShell + +``` syntax +$RemoteSession = New-CimSession –ComputerName RemoteComputer +Remove-NetFirewallRule –DisplayName “AllowWeb80” –CimSession $RemoteSession -Confirm +``` + +## Deploy basic IPsec rule settings + + +An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. For more information about IPsec, see [Windows Firewall with Advanced Security Learning Roadmap](http://technet.microsoft.com/library/dd772715(WS.10).aspx). + +Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Firewall with Advanced Security MMC snap-in. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility. + +In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples. + +![object model for creating a single ipsec rule](images/createipsecrule.gif) + +### Create IPsec rules + +The following cmdlet creates basic IPsec transport mode rule in a Group Policy Object. An IPsec rule is simple to create; all that is required is the display name, and the remaining properties use default values. Inbound traffic is authenticated and integrity checked using the default quick mode and main mode settings. These default settings can be found in the MMC snap-in under Customize IPsec Defaults. + +**Netsh** + +``` syntax +netsh advfirewall set store gpo=domain.contoso.com\gpo_name +netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout +``` + +Windows PowerShell + +``` syntax +New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore domain.contoso.com\gpo_name +``` + +### Add custom authentication methods to an IPsec rule + +If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. For more information about authentication methods, see [Choosing the IPsec Protocol](http://technet.microsoft.com/library/cc757847(WS.10).aspx) . + +You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object. + +![crypto set object](images/qmcryptoset.gif) + +In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method. + +**Netsh** + +``` syntax +netsh advfirewall set store gpo=domain.contoso.com\gpo_name +netsh advfirewall consec add rule name="Require Outbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout qmsecmethods=ah:sha1+esp:sha1-3des +``` + +Windows PowerShell + +``` syntax +$AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP –AHHash SHA1 -ESPHash SHA1 -Encryption DES3 +$QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “ah:sha1+esp:sha1-des3” -Proposal $AHandESPQM –PolicyStore domain.contoso.com\gpo_name +New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name –PolicyStore domain.contoso.com\gpo_name +``` + +### IKEv2 IPsec transport rules + +A corporate network may need to secure communications with another agency. But, you discover the agency runs non-Windows operating systems and requires the use of the Internet Key Exchange Version 2 (IKEv2) standard. + +You can leverage IKEv2 capabilities in Windows Server 2012 by simply specifying IKEv2 as the key module in an IPsec rule. This can only be done using computer certificate authentication and cannot be used with phase 2 authentication. + +Windows PowerShell + +``` syntax +New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway +``` + +For more information about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](../p_server_archive/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md). + +### Copy an IPsec rule from one policy to another + +Firewall and IPsec rules with the same rule properties can be duplicated to simplify the task of re-creating them within different policy stores. + +To copy the previously created rule from one policy store to another, the associated objects must be also be copied separately. Note that there is no need to copy associated firewall filters. You can query rules to be copied in the same way as other cmdlets. + +Copying individual rules is a task that is not possible through the Netsh interface. Here is how you can accomplish it with Windows PowerShell. + +Windows PowerShell + +``` syntax +$Rule = Get-NetIPsecRule –DisplayName “Require Inbound Authentication” +$Rule | Copy-NetIPsecRule –NewPolicyStore domain.costoso.com\new_gpo_name +$Rule | Copy-NetPhase1AuthSet –NewPolicyStore domain.costoso.com\new_gpo_name +``` + +### Handling Windows PowerShell errors + +**** + +To handle errors in your Windows PowerShell scripts, you can use the *–ErrorAction* parameter. This is especially useful with the **Remove** cmdlets. If you want to remove a particular rule, you will notice that it fails if the rule is not found. When removing rules, if the rule isn’t already there, it is generally acceptable to ignore that error. In this case, you can do the following to suppress any “rule not found” errors during the remove operation. + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –DisplayName “Contoso Messenger 98” –ErrorAction SilentlyContinue +``` + +Note that the use of wildcards can also suppress errors, but they could potentially match rules that you did not intend to remove. This can be a useful shortcut, but should only be used if you know there aren’t any extra rules that will be accidentally deleted. So the following cmdlet will also remove the rule, suppressing any “not found” errors. + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” +``` + +When using wildcards, if you want to double-check the set of rules that is matched, you can use the *–WhatIf* parameter. + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –WhatIf +``` + +If you only want to delete some of the matched rules, you can use the *–Confirm* parameter to get a rule-by-rule confirmation prompt. + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Confirm +``` + +You can also just perform the whole operation, displaying the name of each rule as the operation is performed. + +Windows PowerShell + +``` syntax +Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Verbose +``` + +### Monitor + +The following Windows PowerShell commands are useful in the update cycle of a deployment phase. + +To allow you to view all the IPsec rules in a particular store, you can use the following commands. In Netsh, this command does not show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain that is included in the rule. The following command examples will show the IPsec rules in all profiles. + +**Netsh** + +``` syntax +netsh advfirewall consec show rule name=all +``` + +Windows PowerShell + +``` syntax +Show-NetIPsecRule –PolicyStore ActiveStore +``` + +You can monitor main mode security associations for information such as which peers are currently connected to the computer and which protection suite is used to form the security associations. + +Use the following cmdlet to view existing main mode rules and their security associations: + +**Netsh** + +``` syntax +netsh advfirewall monitor show mmsa all +``` + +Windows PowerShell + +``` syntax +Get-NetIPsecMainModeSA +``` + +### Find the source GPO of a rule + +To view the properties of a particular rule or group of rules, you query for the rule. When a query returns fields that are specified as **NotConfigured**, you can to determine which policy store a rule originates from. + +For objects that come from a GPO (the *–PolicyStoreSourceType* parameter is specified as **GroupPolicy** in the **Show** command), if *–TracePolicyStore* is passed, the name of the GPO is found and returned in the **PolicyStoreSource** field. + +Windows PowerShell + +``` syntax +Get-NetIPsecRule –DisplayName “Require Inbound Authentication” –TracePolicyStore +``` + +It is important to note that the revealed sources do not contain a domain name. + +### Deploy a basic domain isolation policy + +IPsec can be used to isolate domain members from non-domain members. Domain isolation uses IPsec authentication to require that the domain computer members positively establish the identities of the communicating computers to improve security of an organization. One or more features of IPsec can be used to secure traffic with an IPsec rule object. + +To implement domain isolation on your network, the computers in the domain receive IPsec rules that block unsolicited inbound network traffic that is not protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this, you can isolate domain member computers from computers that are non-domain members. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic. + +**Netsh** + +``` syntax +netsh advfirewall set store gpo=domain.contoso.com\domain_isolation +netsh advfirewall consec add rule name=“Basic Domain Isolation Policy” profile=domain endpoint1=”any” endpoint2=”any” action=requireinrequestout auth1=”computerkerb” +``` + +Windows PowerShell + +``` syntax +$kerbprop = New-NetIPsecAuthProposal –Machine –Kerberos + +$Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop –PolicyStore domain.contoso.com\domain_isolation + +New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile Domain –Phase1AuthSet $Phase1AuthSet.Name –InboundSecurity Require –OutboundSecurity Request –PolicyStore domain.contoso.com\domain_isolation +``` + +### Configure IPsec tunnel mode + +The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local computer (1.1.1.1) attached to a public network to a second computer through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it is encrypted by using ESP/DES3. + +**Netsh** + +``` syntax +netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0.0/16" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 localtunnelendpoint=1.1.1.1 remotetunnelendpoint=2.2.2.2 action=requireinrequireout qmsecmethods=esp:sha1-3des +``` + +Windows PowerShell + +``` syntax +$QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3 +$QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “esp:sha1-des3” -Proposal $QMProposal +New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name +``` + +## Deploy secure firewall rules with IPsec + + +In situations where only secure traffic can be allowed through the Windows Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment. + +### Create a secure firewall rule (allow if secure) + +Configuring firewalls rule to allow connections if they are secure requires the corresponding traffic to be authenticated and integrity protected, and then optionally encrypted by IPsec. + +The following example creates a firewall rule that requires traffic to be authenticated. The command permits inbound Telnet network traffic only if the connection from the remote computer is authenticated by using a separate IPsec rule. + +**Netsh** + +``` syntax +netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in program=%SystemRoot%\System32\tlntsvr.exe security=authenticate action=allow +``` + +Windows PowerShell + +``` syntax +New-NetFirewallRule -DisplayName “Allow Authenticated Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow +``` + +The following command creates an IPsec rule that requires a first (computer) authentication and then attempts an optional second (user) authentication. Creating this rule secures and allows the traffic through the firewall rule requirements for the messenger program. + +**Netsh** + +``` syntax +netsh advfirewall consec add rule name="Authenticate Both Computer and User" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb,userntlm,anonymous +``` + +Windows PowerShell + +``` syntax +$mkerbauthprop = New-NetIPsecAuthProposal -Machine –Kerberos +$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM +$P1Auth = New-NetIPsecPhase1AuthSet -DisplayName “Machine Auth” –Proposal $mkerbauthprop,$mntlmauthprop +$ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos +$unentlmauthprop = New-NetIPsecAuthProposal -User -NTLM +$anonyauthprop = New-NetIPsecAuthProposal -Anonymous +$P2Auth = New-NetIPsecPhase2AuthSet -DisplayName “User Auth” -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop +New-NetIPSecRule -DisplayName “Authenticate Both Computer and User” -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $P1Auth.Name –Phase2AuthSet $P2Auth.Name +``` + +### Isolate a server by requiring encryption and group membership + +To improve the security of the computers in an organization, an administrator can deploy domain isolation in which domain-members are restricted. They require authentication when communicating among each other and reject non-authenticated inbound connections. To improve the security of servers with sensitive data, this data must be protected by allowing access only to a subset of computers within the enterprise domain. + +IPsec can provide this additional layer of protection by isolating the server. In server isolation, sensitive data access is restricted to users and computers with legitimate business need, and the data is additionally encrypted to prevent eavesdropping. + +### Create a firewall rule that requires group membership and encryption + +To deploy server isolation, we layer a firewall rule that restricts traffic to authorized users or computers on the IPsec rule that enforces authentication. + +The following firewall rule allows Telnet traffic from user accounts that are members of a custom group created by an administrator called “Authorized to Access Server.” This access can additionally be restricted based on the computer, user, or both by specifying the restriction parameters. + +A Security Descriptor Definition Language (SDDL) string is created by extending a user or group’s security identifier (SID). For more information about finding a group’s SID, see: [Finding the SID for a group account](http://technet.microsoft.com/library/cc753463(WS.10).aspx#bkmk_FINDSID). + +Restricting access to a group allows administrations to extend strong authentication support through Windows Firewall/and or IPsec policies. + +The following example shows you how to create an SDDL string that represents security groups. + +Windows PowerShell + +``` syntax +$user = new-object System.Security.Principal.NTAccount (“corp.contoso.com\Administrators”) +$SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value +$secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)" +``` + +By using the previous scriptlet, you can also get the SDDL string for a secure computer group as shown here: + +Windows PowerShell + +``` syntax +$secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)" +``` + +For more information about how to create security groups or how to determine the SDDL string, see [Working with SIDs](http://technet.microsoft.com/library/ff730940.aspx). + +Telnet is an application that does not provide encryption. This application can send data, such as names and passwords, over the network. This data can be intercepted by malicious users. If an administrator would like to allow the use of Telnet, but protect the traffic, a firewall rule that requires IPsec encryption can be created. This is necessary so that the administrator can be certain that when this application is used, all of the traffic sent or received by this port is encrypted. If IPsec fails to authorize the connection, no traffic is allowed from this application. + +In this example, we allow only authenticated and encrypted inbound Telnet traffic from a specified secure user group through the creation of the following firewall rule. + +**Netsh** + +``` syntax +netsh advfirewall set store gpo=domain.contoso.com\Server_Isolation +netsh advfirewall firewall add rule name=“Allow Encrypted Inbound Telnet to Group Members Only” program=%SystemRoot%\System32\tlntsvr.exe protocol=TCP dir=in action=allow localport=23 security=authenc rmtusrgrp ="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)" +``` + +Windows PowerShell + +``` syntax +New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\Server_Isolation +``` + +### Endpoint security enforcement + +The previous example showed end to end security for a particular application. In situations where endpoint security is required for many applications, having a firewall rule per application can be cumbersome and difficult to manage. Authorization can override the per-rule basis and be done at the IPsec layer. + +In this example, we set the global IPsec setting to only allow transport mode traffic to come from an authorized user group with the following cmdlet. Consult the previous examples for working with security groups. + +Windows PowerShell + +``` syntax +Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup +``` + +### Create firewall rules that allow IPsec-protected network traffic (authenticated bypass) + +Authenticated bypass allows traffic from a specified trusted computer or user to override firewall block rules. This is helpful when an administrator wants to use scanning servers to monitor and update computers without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](http://technet.microsoft.com/library/cc753463(WS.10).aspx). + +In this example, we assume that a blocking firewall rule exists. This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a computer or user account that is a member of the specified computer or user security group. + +**Netsh** + +``` syntax +netsh advfirewall set store gpo=domain.contoso.com\domain_isolation +netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in security=authenticate action="bypass" rmtcomputergrp="D:(A;;CC;;;S-1-5-21-2329867823-2610410949-1491576313-1114)" rmtusrgrp="D:(A;;CC;;; S-1-5-21-2329867823-2610410949-1491576313-1735)" +``` + +Windows PowerShell + +``` syntax +New-NetFirewallRule –DisplayName “Inbound Secure Bypass Rule" –Direction Inbound –Authentication Required –OverrideBlockRules $true -RemoteMachine $secureMachineGroup –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\domain_isolation +``` + +## Additional resources + + +For more information about Windows PowerShell concepts, see the following topics. + +- [Windows PowerShell Getting Started Guide](http://go.microsoft.com/fwlink/p/?linkid=113440) + +- [Windows PowerShell User Guide](http://go.microsoft.com/fwlink/p/?linkid=113441) + +- [Windows PowerShell About Help Topics](http://go.microsoft.com/fwlink/p/?linkid=113206) + +- [about\_Functions](http://go.microsoft.com/fwlink/p/?linkid=113231) + +- [about\_Functions\_Advanced](http://go.microsoft.com/fwlink/p/?linkid=144511) + +- [about\_Execution\_Policies](http://go.microsoft.com/fwlink/p/?linkid=135170) + +- [about\_Foreach](http://go.microsoft.com/fwlink/p/?linkid=113229) + +- [about\_Objects](http://go.microsoft.com/fwlink/p/?linkid=113241) + +- [about\_Properties](http://go.microsoft.com/fwlink/p/?linkid=113249) + +- [about\_While](http://go.microsoft.com/fwlink/p/?linkid=113275) + +- [about\_Scripts](http://go.microsoft.com/fwlink/p/?linkid=144310) + +- [about\_Signing](http://go.microsoft.com/fwlink/p/?linkid=113268) + +- [about\_Throw](http://go.microsoft.com/fwlink/p/?linkid=145153) + +- [about\_PSSessions](http://go.microsoft.com/fwlink/p/?linkid=135181) + +- [about\_Modules](http://go.microsoft.com/fwlink/p/?linkid=144311) + +- [about\_Command\_Precedence](http://go.microsoft.com/fwlink/p/?linkid=113214) + +  + +  + + + + + diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md new file mode 100644 index 0000000000..91b5066a6b --- /dev/null +++ b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md @@ -0,0 +1,76 @@ +--- +title: Windows Firewall with Advanced Security Deployment Guide (Windows 10) +description: Windows Firewall with Advanced Security Deployment Guide +ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 +author: brianlic-msft +--- + +# Windows Firewall with Advanced Security Deployment Guide + + +You can use the Windows Firewall with Advanced Security MMC snap-in in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 to help protect the computers and the data that they share across a network. + +You can use Windows Firewall to control access to the computer from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from computer to computer. + +## About this guide + + +This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected. + +Begin by reviewing the information in [Planning to Deploy Windows Firewall with Advanced Security](../p_server_archive/planning-to-deploy-windows-firewall-with-advanced-security.md). + +If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Firewall with Advanced Security Design Guide](../p_server_archive/windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization. + +After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide: + +- [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md) + +- [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) + +- [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md) + +- [Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md) + +Use the checklists in [Implementing Your Windows Firewall with Advanced Security Design Plan](../p_server_archive/implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. + +**Caution**   +We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the computers in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. + +In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or computer accounts that are members of an excessive number of groups; this can result in network connectivity problems if network protocol limits are exceeded. For more information about the problems associated with excessive group membership, see the following articles in the Microsoft Knowledge Base: + +- Article 327825, “New resolution for problems with Kerberos authentication when users belong to many groups” () + +- Article 263693 “Group Policy may not be applied to users belonging to many groups” () + +- Article 328889 “Users who are members of more than 1,015 groups may fail logon authentication” () + +  + +## What this guide does not provide + + +This guide does not provide: + +- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md) in the Windows Firewall with Advanced Security Design Guide. + +- Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy. For more information, see Active Directory Domain Services () and Group Policy (). + +- Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication. For this information, see Active Directory Certificate Services (). + +## Overview of Windows Firewall with Advanced Security + + +Windows Firewall with Advanced Security in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the computer by allowing you to create rules that determine which network traffic is permitted to enter the computer from the network and which network traffic the computer is allowed to send to the network. Windows Firewall with Advanced Security also supports Internet Protocol security (IPsec), which you can use to require authentication from any computer that is attempting to communicate with your computer. When authentication is required, computers that cannot be authenticated as a trusted computer cannot communicate with your computer. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. + +The Windows Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel program can protect a single computer in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. + +For more information about Windows Firewall with Advanced Security, see [Windows Firewall with Advanced Security Overview](http://technet.microsoft.com/library/hh831365.aspx) at http://technet.microsoft.com/library/hh831365.aspx. + +  + +  + + + + + diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md new file mode 100644 index 0000000000..cd839d055f --- /dev/null +++ b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md @@ -0,0 +1,144 @@ +--- +title: Windows Firewall with Advanced Security Design Guide (Windows 10) +description: Windows Firewall with Advanced Security Design Guide +ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 +author: brianlic-msft +--- + +# Windows Firewall with Advanced Security Design Guide + + +Windows Firewall with Advanced Security in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista is a host firewall that helps secure the computer in two ways. First, it can filter the network traffic permitted to enter the computer from the network, and also control what network traffic the computer is allowed to send to the network. Second, Windows Firewall with Advanced Security supports IPsec, which enables you to require authentication from any computer that is attempting to communicate with your computer. When authentication is required, computers that cannot authenticate cannot communicate with your computer. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between computers. + +The interface for Windows Firewall with Advanced Security is much more capable and flexible than the consumer-friendly interface found in the Windows Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel meets the needs for protecting a single computer in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. + +For more overview information about Windows Firewall with Advanced Security and see [Windows Firewall with Advanced Security Overview](9ae80ae1-a693-48ed-917a-f03ea92b550d). + +## About this guide + + +This guide provides recommendations to help you to choose or create a design for deploying Windows Firewall with Advanced Security in your enterprise environment. The guide describes some of the common goals for using Windows Firewall with Advanced Security, and then helps you map the goals that apply to your scenario to the designs that are presented in this guide. + +This guide is intended for the IT professional who has been assigned the task of deploying firewall and IPsec technologies on an organization's network to help meet the organization's security goals. + +Windows Firewall with Advanced Security should be part of a comprehensive security solution that implements a variety of security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules. + +To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Firewall with Advanced Security, and how to deliver configuration settings to your managed computers by using Group Policy in Active Directory. + +You can use the deployment goals to form one of these Windows Firewall with Advanced Security designs, or a custom design that combines elements from those presented here: + +- **Basic firewall policy design**. Restricts network traffic in and out of your computers to only that which is needed and authorized. + +- **Domain isolation policy design**. Prevents computers that are domain members from receiving unsolicited network traffic from computers that are not domain members. Additional "zones" can be established to support the special requirements of some computers, such as: + + - A "boundary zone" for computers that must be able to receive requests from non-isolated computers. + + - An "encryption zone" for computers that store sensitive data that must be protected during network transmission. + +- **Server isolation policy design**. Restricts access to a server to only a limited group of authorized users and computers. Commonly configured as a zone in a domain isolation design, but can also be configured as a stand-alone design, providing many of the benefits of domain isolation to a small set of computers. + +- **Certificate-based isolation policy design**. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the Kerberos V5 authentication used by default in Active Directory. This enables computers that are not part of an Active Directory domain, such as computers running operating systems other than Windows, to participate in your isolation solution. + +In addition to descriptions and example for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Firewall with Advanced Security using the guidance in the Windows Firewall with Advanced Security Deployment Guide. + +You can find the Windows Firewall with Advanced Security Deployment Guide at these locations: + +- (Web page) + +- (Downloadable Word document) + +## Terminology used in this guide + + +The following table identifies and defines terms used throughout this guide. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TermDefinition

Active Directory domain

A group of computers and users managed by an administrator by using Active Directory Domain Services (AD DS). Computers in a domain share a common directory database and security policies. Multiple domains can co-exist in a "forest," with trust relationships that establish the forest as the security boundary.

Authentication

A process that enables the sender of a message to prove its identity to the receiver. For connection security in Windows, authentication is implemented by the IPsec protocol suite.

Boundary zone

A subset of the computers in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from computers that are not members of the isolated domain. Computers in the boundary zone request but do not require authentication. They use IPsec to communicate with other computers in the isolated domain.

Connection security rule

A rule in Windows Firewall with Advanced Security that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an IPsec rule.

Certificate-based isolation

A way to add computers that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every computer in the isolated domain and the computers that cannot use Kerberos V5 are provided with a computer certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).

Domain isolation

A technique for helping protect the computers in an organization by requiring that the computers authenticate each other's identity before exchanging information, and refusing connection requests from computers that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.

Encryption zone

A subset of the computers in an isolated domain that process sensitive data. Computers that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Computers that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.

Firewall rule

A rule in Windows Firewall with Advanced Security that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.

+

By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic.

Internet Protocol security (IPsec)

A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).

IPsec policy

A collection of connection security rules that provide the required protection to network traffic entering and leaving the computer. The protection includes authentication of both the sending and receiving computer, integrity protection of the network traffic exchanged between them, and can include encryption.

Isolated domain

An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member computers by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).

+

In this guide, the term isolated domain refers to the IPsec concept of a group of computers that can share authentication. The term Active Directory domain refers to the group of computers that share a security database by using Active Directory.

Server isolation

A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The additional protection comes from using the authentication credentials of the requesting computer to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.

Solicited network traffic

Network traffic that is sent in response to a request. By default, Windows Firewall with Advanced Security allows all solicited network traffic through.

Unsolicited network traffic

Network traffic that is not a response to an earlier request, and that the receiving computer cannot necessarily anticipate. By default, Windows Firewall with Advanced Security blocks all unsolicited network traffic.

Zone

A zone is a logical grouping of computers that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted computers. The encryption zone requires that all connections be encrypted.

+

This is not related to the term zone as used by Domain Name System (DNS).

+ +  + +**Next:**[Understanding the Windows Firewall with Advanced Security Design Process](b9774295-8dd3-47e3-9f5a-7fa748ae9fba) + +  + +  + + + + + diff --git a/windows/keep-secure/windows-firewall-with-advanced-security.md b/windows/keep-secure/windows-firewall-with-advanced-security.md new file mode 100644 index 0000000000..bb9128372e --- /dev/null +++ b/windows/keep-secure/windows-firewall-with-advanced-security.md @@ -0,0 +1,147 @@ +--- +title: Windows Firewall with Advanced Security Overview (Windows 10) +description: Windows Firewall with Advanced Security Overview +ms.assetid: 596d4c24-4984-4c14-b104-e2c4c7d0b108 +author: brianlic-msft +--- + +# Windows Firewall with Advanced Security Overview + + +This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features in Windows Server 2012. + +**Did you mean…** + +- [Windows Firewall with Advanced Security in Windows Server 2008 R2](http://technet.microsoft.com/library/cc732283(WS.10).aspx) + +## Feature description + + +Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a computer, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local computer. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the computer is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your network’s isolation strategy. + +## Practical applications + + +To help address your organizational network security challenges, Windows Firewall with Advanced Security offers the following benefits: + +- **Reduces the risk of network security threats.**  Windows Firewall with Advanced Security reduces the attack surface of a computer, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a computer increases manageability and decreases the likelihood of a successful attack. Network Access Protection (NAP), a feature of Windows Server 2012, also helps ensure client computers comply with policies that define the required software and system configurations for computers that connect to your network. The integration of NAP helps prevent communications between compliant and noncompliant computers. + +- **Safeguards sensitive data and intellectual property.**  With its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. + +- **Extends the value of existing investments.**  Because Windows Firewall with Advanced Security is a host-based firewall that is included with Windows Server 2012, and prior Windows operating systems and because it is tightly integrated with Active Directory® Domain Services (AD DS) and Group Policy, there is no additional hardware or software required. Windows Firewall with Advanced Security is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). + +## New and changed functionality + + +The following table lists some of the new features for Windows Firewall with Advanced Security in Windows Server 2012. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Feature/functionalityWindows Server 2008 R2Windows Server 2012

Internet Key Exchange version 2 (IKEv2) for IPsec transport mode

X

Windows Store app network isolation

X

Windows PowerShell cmdlets for Windows Firewall

X

+ +  + +### IKEv2 for IPsec transport mode + +In Windows Server 2012, IKEv2 supports additional scenarios including IPsec end-to-end transport mode connections. + +**What value does this change add?** + +Windows Server 2012 IKEv2 support provides interoperability for Windows with other operating systems using IKEv2 for end-to-end security, and Supports Suite B (RFC 4869) requirements. + +**What works differently?** + +In Windows Server 2008 R2, IKEv2 is available as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection. + +In Windows Server 2012, IKEv2 support has been expanded. + +### Windows Store app network isolation + +Administrators can custom configure Windows Firewall to fine tune network access if they desire more control of their Windows Store apps. + +**What value does this change add?** + +The feature adds the ability to set and enforce network boundaries ensure that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact to other apps, the system, and the network. In addition, apps can be isolated and protected from malicious access from the network. + +**What works differently?** + +In addition to firewall rules that you can create for program and services, you can also create firewall rules for Windows Store apps and their various capabilities. + +### Windows PowerShell cmdlets for Windows Firewall + +Windows PowerShell has extensive cmdlets to allow Windows Firewall configuration and management. + +**What value does this change add?** + +You can now fully configure and manage Windows Firewall, IPsec, and related features using the very powerful and scriptable Windows PowerShell. + +**What works differently?** + +In previous Windows versions, you could use Netsh to perform many configuration and management functions. This capability has been greatly expanded using the more powerful Windows PowerShell scripting language. + +## See also + + +See the following topics for more information about Windows Firewall with Advanced Security in Windows Server 2012. + + ++++ + + + + + + + + + + + + + + + + +
Content typeReferences

Deployment

[Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](../p_server_archive/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md) | [Isolating Windows Store Apps on Your Network](../p_server_archive/isolating-windows-store-apps-on-your-network.md) | [Windows Firewall with Advanced Security Administration with Windows PowerShell](../p_server_archive/windows-firewall-with-advanced-security-administration-with-windows-powershell.md)

Troubleshooting

[Troubleshooting Windows Firewall with Advanced Security in Windows Server 2012](http://social.technet.microsoft.com/wiki/contents/articles/13894.troubleshooting-windows-firewall-with-advanced-security-in-windows-server-2012.aspx)

+ +  + +  + +  + + + + + From 269f8756c023bc0003c5b4d300cad4e2478c7006 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 28 Apr 2016 16:24:23 -0700 Subject: [PATCH 02/26] Update TOC.md --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 09e5265e8a..988164c94a 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -459,7 +459,7 @@ ######## [Server Isolation GPOs](server-isolation-gpos.md) ####### [Planning GPO Deployment](planning-gpo-deployment.md) ##### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) -##### [Additional Resources [WFASDesign]](additional-resources-wfasdesign.md) +##### [Additional Resources](additional-resources-wfasdesign.md) #### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) ##### [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md) ##### [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) From 69a5e703f5f3e1365e4e35c2f248fc3b86a1aae4 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 28 Apr 2016 16:29:11 -0700 Subject: [PATCH 03/26] fixing links --- ...ters-to-the-membership-group-for-a-zone.md | 6 +- ...ters-to-the-membership-group-for-a-zone.md | 4 +- .../basic-firewall-policy-design.md | 12 +-- windows/keep-secure/boundary-zone-gpos.md | 2 +- windows/keep-secure/boundary-zone.md | 8 +- ...e-based-isolation-policy-design-example.md | 4 +- ...rtificate-based-isolation-policy-design.md | 12 +-- ...ange-rules-from-request-to-require-mode.md | 4 +- ...ist-configuring-basic-firewall-settings.md | 6 +- ...uring-rules-for-an-isolated-server-zone.md | 26 +++---- ...rs-in-a-standalone-isolated-server-zone.md | 30 +++---- ...configuring-rules-for-the-boundary-zone.md | 12 +-- ...nfiguring-rules-for-the-encryption-zone.md | 14 ++-- ...nfiguring-rules-for-the-isolated-domain.md | 24 +++--- ...checklist-creating-group-policy-objects.md | 18 ++--- ...ecklist-creating-inbound-firewall-rules.md | 10 +-- ...cklist-creating-outbound-firewall-rules.md | 6 +- ...ts-of-a-standalone-isolated-server-zone.md | 22 +++--- ...ementing-a-basic-firewall-policy-design.md | 26 +++---- ...rtificate-based-isolation-policy-design.md | 16 ++-- ...enting-a-domain-isolation-policy-design.md | 20 ++--- ...andalone-server-isolation-policy-design.md | 20 ++--- ...-server-2008-and-windows-server-2008-r2.md | 2 +- ...-server-2008-and-windows-server-2008-r2.md | 2 +- ...-server-2008-and-windows-server-2008-r2.md | 2 +- ...-server-2008-and-windows-server-2008-r2.md | 6 +- .../configure-the-windows-firewall-log.md | 2 +- ...notifications-when-a-program-is-blocked.md | 2 +- ...hat-certificates-are-deployed-correctly.md | 2 +- ...-server-2008-and-windows-server-2008-r2.md | 2 +- ...-server-2008-and-windows-server-2008-r2.md | 4 +- ...s-server-2008-or-windows-server-2008-r2.md | 6 +- ...s-server-2008-or-windows-server-2008-r2.md | 8 +- ...s-server-2008-or-windows-server-2008-r2.md | 6 +- ...s-server-2008-or-windows-server-2008-r2.md | 2 +- ...s-server-2008-or-windows-server-2008-r2.md | 4 +- ...s-server-2008-or-windows-server-2008-r2.md | 6 +- ...irewall-with-advanced-security-strategy.md | 8 +- ...ing-the-trusted-state-of-your-computers.md | 6 +- windows/keep-secure/documenting-the-zones.md | 4 +- .../domain-isolation-policy-design-example.md | 6 +- .../domain-isolation-policy-design.md | 18 ++--- ...s-server-2008-or-windows-server-2008-r2.md | 2 +- ...s-server-2008-or-windows-server-2008-r2.md | 2 +- windows/keep-secure/encryption-zone-gpos.md | 2 +- windows/keep-secure/encryption-zone.md | 8 +- ...-server-2008-and-windows-server-2008-r2.md | 2 +- windows/keep-secure/exemption-list.md | 4 +- windows/keep-secure/firewall-gpos.md | 2 +- .../firewall-policy-design-example.md | 2 +- ...-about-your-active-directory-deployment.md | 2 +- ...hering-information-about-your-computers.md | 2 +- ...out-your-current-network-infrastructure.md | 2 +- .../gathering-other-relevant-information.md | 2 +- .../gathering-the-information-you-need.md | 8 +- .../keep-secure/gpo-domiso-boundary-ws2008.md | 4 +- .../gpo-domiso-encryption-ws2008.md | 4 +- windows/keep-secure/gpo-domiso-firewall.md | 2 +- .../gpo-domiso-isolateddomain-clients.md | 6 +- .../gpo-domiso-isolateddomain-servers.md | 2 +- ...wall-with-advanced-security-design-plan.md | 10 +-- windows/keep-secure/isolated-domain-gpos.md | 6 +- windows/keep-secure/isolated-domain.md | 6 +- ...ting-windows-store-apps-on-your-network.md | 2 +- ...-firewall-with-advanced-security-design.md | 18 ++--- ...anning-certificate-based-authentication.md | 2 +- .../planning-domain-isolation-zones.md | 8 +- ...icy-deployment-for-your-isolation-zones.md | 8 +- ...planning-isolation-groups-for-the-zones.md | 4 +- .../planning-network-access-groups.md | 2 +- .../planning-server-isolation-zones.md | 8 +- ...ng-settings-for-a-basic-firewall-policy.md | 2 +- windows/keep-secure/planning-the-gpos.md | 12 +-- ...windows-firewall-with-advanced-security.md | 10 +-- ...-firewall-with-advanced-security-design.md | 16 ++-- .../procedures-used-in-this-guide.md | 78 +++++++++---------- ...n-accessing-sensitive-network-resources.md | 10 +-- ...ss-to-only-specified-users-or-computers.md | 8 +- ...s-by-using-ikev2-in-windows-server-2012.md | 2 +- windows/keep-secure/server-isolation-gpos.md | 2 +- .../server-isolation-policy-design-example.md | 8 +- .../server-isolation-policy-design.md | 16 ++-- ...firewall-and-configure-default-behavior.md | 2 +- ...-administration-with-windows-powershell.md | 4 +- ...with-advanced-security-deployment-guide.md | 16 ++-- ...windows-firewall-with-advanced-security.md | 2 +- 86 files changed, 360 insertions(+), 360 deletions(-) diff --git a/windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md index cad68e2a55..cacc2910f5 100644 --- a/windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md +++ b/windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md @@ -15,7 +15,7 @@ For GPOs that contain connection security rules that prevent unauthenticated con   -The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new computers that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude computers that must not receive the GPOs. Use computer groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Computers that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](../p_server_archive/assign-security-group-filters-to-the-gpo.md). +The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new computers that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude computers that must not receive the GPOs. Use computer groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Computers that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md). Without such a group (or groups), you must either add computers individually or use the groups containing computer accounts that are available to you. @@ -55,7 +55,7 @@ After a computer is a member of the group, you can force a Group Policy refresh **To refresh Group Policy on a computer** -- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command: +- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command: ``` syntax gpupdate /target:computer /force @@ -68,7 +68,7 @@ After Group Policy is refreshed, you can see which GPOs are currently applied to **To see which GPOs are applied to a computer** -- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command: +- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command: ``` syntax gpresult /r /scope:computer diff --git a/windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md index f297cfd705..c14ecf58eb 100644 --- a/windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md +++ b/windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md @@ -50,7 +50,7 @@ After a computer is a member of the group, you can force a Group Policy refresh **To refresh Group Policy on a computer** -- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command: +- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command: ``` syntax gpupdate /target:computer /force @@ -63,7 +63,7 @@ After Group Policy is refreshed, you can see which GPOs are currently applied to **To see which GPOs are applied to a computer** -- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command: +- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command: ``` syntax gpresult /r /scope:computer diff --git a/windows/keep-secure/basic-firewall-policy-design.md b/windows/keep-secure/basic-firewall-policy-design.md index 0c1698eb75..d5020e47c8 100644 --- a/windows/keep-secure/basic-firewall-policy-design.md +++ b/windows/keep-secure/basic-firewall-policy-design.md @@ -44,7 +44,7 @@ An organization typically uses this design as a first step toward a more compreh After implementing this design, your administrative team will have centralized management of the firewall rules applied to all computers that are running Windows in your organization. **Important**   -If you also intend to deploy the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md), or the [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design. +If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.   @@ -52,17 +52,17 @@ The basic firewall design can be applied to computers that are part of an Active For more information about this design: -- This design coincides with the deployment goal to [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md). +- This design coincides with the deployment goal to [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md). -- To learn more about this design, see [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md). +- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). -- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md). +- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md). - For a list of detailed tasks that you can use to deploy your basic firewall policy design, see "Checklist: Implementing a Basic Firewall Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=98308) at http://go.microsoft.com/fwlink/?linkid=98308. -**Next: **[Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) +**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md)   diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/keep-secure/boundary-zone-gpos.md index b987d99a53..e8e136ef00 100644 --- a/windows/keep-secure/boundary-zone-gpos.md +++ b/windows/keep-secure/boundary-zone-gpos.md @@ -21,7 +21,7 @@ The boundary zone GPOs discussed in this guide are only for server versions of W In the Woodgrove Bank example, only the GPO settings for a Web service on Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 are discussed. -- [GPO\_DOMISO\_Boundary\_WS2008](../p_server_archive/gpo-domiso-boundary-ws2008.md) +- [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary-ws2008.md)   diff --git a/windows/keep-secure/boundary-zone.md b/windows/keep-secure/boundary-zone.md index 4aa10f7795..e6e1d51bec 100644 --- a/windows/keep-secure/boundary-zone.md +++ b/windows/keep-secure/boundary-zone.md @@ -22,7 +22,7 @@ The goal of this process is to determine whether the risk of adding a computer t You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain. -Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) section. +Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. ## GPO settings for boundary zone servers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 @@ -49,14 +49,14 @@ The boundary zone GPO for computers running Windows Server 2012, Windows Server - A registry policy that includes the following values: - - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. **Note**   - For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) + For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)   -**Next: **[Encryption Zone](../p_server_archive/encryption-zone.md) +**Next: **[Encryption Zone](encryption-zone.md)   diff --git a/windows/keep-secure/certificate-based-isolation-policy-design-example.md b/windows/keep-secure/certificate-based-isolation-policy-design-example.md index 765f3010c9..2a59f16587 100644 --- a/windows/keep-secure/certificate-based-isolation-policy-design-example.md +++ b/windows/keep-secure/certificate-based-isolation-policy-design-example.md @@ -8,7 +8,7 @@ author: brianlic-msft # Certificate-based Isolation Policy Design Example -This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md), [Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](../p_server_archive/server-isolation-policy-design-example.md). +This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). One of the servers that must be included in the domain isolation environment is a computer running UNIX that supplies other information to the WGBank dashboard program running on the client computers. This computer sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the computers that receive this information. @@ -44,7 +44,7 @@ By using the Active Directory Users and Computers snap-in, Woodgrove Bank create Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local computer. -**Next: **[Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md) +**Next: **[Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)   diff --git a/windows/keep-secure/certificate-based-isolation-policy-design.md b/windows/keep-secure/certificate-based-isolation-policy-design.md index a59802bd5c..3c24ba8f07 100644 --- a/windows/keep-secure/certificate-based-isolation-policy-design.md +++ b/windows/keep-secure/certificate-based-isolation-policy-design.md @@ -8,7 +8,7 @@ author: brianlic-msft # Certificate-based Isolation Policy Design -In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) and [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. +In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. Domain isolation and server isolation help provide security for the computers on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some computers that must run another operating system, such as Linux or UNIX. These computers cannot join an Active Directory domain, without a third-party package being installed. Also, some computers that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the computer needs to be joined to the Active Directory and (for non-windows computers) support Kerberos as an authentication protocol. @@ -20,17 +20,17 @@ For computers that run Windows and that are part of an Active Directory domain, For more information about this design: -- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md). +- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). -- To learn more about this design, see [Certificate-based Isolation Policy Design Example](../p_server_archive/certificate-based-isolation-policy-design-example.md). +- To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). -- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](../p_server_archive/planning-certificate-based-authentication.md). +- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md). - For a list of tasks that you can use to deploy your certificate-based policy design, see "Checklist: Implementing a Certificate-based Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=98308) at http://go.microsoft.com/fwlink/?linkid=98308. -**Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](../p_server_archive/evaluating-windows-firewall-with-advanced-security-design-examples.md) +**Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)   diff --git a/windows/keep-secure/change-rules-from-request-to-require-mode.md b/windows/keep-secure/change-rules-from-request-to-require-mode.md index 3f8a49404e..36c2306bb2 100644 --- a/windows/keep-secure/change-rules-from-request-to-require-mode.md +++ b/windows/keep-secure/change-rules-from-request-to-require-mode.md @@ -27,7 +27,7 @@ In this topic: **To convert a rule from request to require mode for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Connection Security Rules**. @@ -42,7 +42,7 @@ In this topic: **To apply the modified GPOs to the client computers** -1. The next time each computer refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md) and run the following command: +1. The next time each computer refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md) and run the following command: ``` syntax gpupdate /force diff --git a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md index c4c624a4b7..93ba95bbff 100644 --- a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md +++ b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md @@ -32,17 +32,17 @@ This checklist includes tasks for configuring a GPO with firewall defaults and s

_

Turn the firewall on and set the default inbound and outbound behavior.

-

Procedure topic[Turn on Windows Firewall and Configure Default Behavior](../p_server_archive/turn-on-windows-firewall-and-configure-default-behavior.md)

+

Procedure topic[Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)

_

Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules.

-

Procedure topic[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](../p_server_archive/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)

+

Procedure topic[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)

_

Configure the firewall to record a log file.

-

Procedure topic[Configure the Windows Firewall Log](../p_server_archive/configure-the-windows-firewall-log.md)

+

Procedure topic[Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)

diff --git a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md index 4fe0df466c..3fe907d8cd 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -8,7 +8,7 @@ author: brianlic-msft # Checklist: Configuring Rules for an Isolated Server Zone -The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](../p_server_archive/checklist-implementing-a-standalone-server-isolation-policy-design.md). +The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or computers who are authenticated members of a network access group (NAG). Computers that are running Windows 2000, Windows XP, or Windows Server 2003 can restrict access in IPsec only to computers that are members of the NAG, because IPsec and IKE in those versions of Windows do not support user-based authentication. If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer. @@ -44,37 +44,37 @@ The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Se

_

Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone.

-

Checklist topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

+

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.

-

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

+

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

-

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

-

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption.

-

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used.

-

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

-

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

@@ -86,27 +86,27 @@ The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Se
 
-

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create the NAG to contain the computer or user accounts that are allowed to access the servers in the isolated server zone.

-

Procedure topic[Create a Group Account in Active Directory](../p_server_archive/create-a-group-account-in-active-directory.md)

+

Procedure topic[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)

_

Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG.

-

Procedure topic[Restrict Server Access to Members of a Group Only](../p_server_archive/restrict-server-access-to-members-of-a-group-only.md)

+

Procedure topic[Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

-

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

+

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.

-

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

+

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

diff --git a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index aaccf455e0..6d2a88909f 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -8,7 +8,7 @@ author: brianlic-msft # Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone -This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or computers that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client computers that connect to them. For the GPOs for the client computers, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](../p_server_archive/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). +This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or computers that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client computers that connect to them. For the GPOs for the client computers, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server. @@ -39,38 +39,38 @@ The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Se

_

Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

-

Checklist topic[Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md)

-

Checklist topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

+

Checklist topic[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)

+

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the computers for which this GPO is intended.

-

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

+

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

-

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

-

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

-

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used.

-

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used. This procedure sets the default settings for the computer. If you want to set authentication on a per-rule basis, this procedure is optional.

-

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

@@ -82,32 +82,32 @@ The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Se
 
-

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it.

-

Procedure topic[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create the NAG to contain the computer or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client computers, then create a NAG for each set of servers.

-

Procedure topic[Create a Group Account in Active Directory](../p_server_archive/create-a-group-account-in-active-directory.md)

+

Procedure topic[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)

_

Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or computer that is a member of the zone’s NAG.

-

Procedure topic[Restrict Server Access to Members of a Group Only](../p_server_archive/restrict-server-access-to-members-of-a-group-only.md)

+

Procedure topic[Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

-

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

+

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

-

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

+

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md index 92853aab0f..bd93a5e321 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md @@ -17,7 +17,7 @@ Rules for the boundary zone are typically the same as those for the isolated dom ![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring boundary zone rules for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** -A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](../p_server_archive/checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs. +A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs. @@ -36,27 +36,27 @@ A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Se - + - + - + - + - +

_

Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.

Procedure topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

Procedure topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

_

Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted.

Procedure topic[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)

Procedure topic[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md index 6f79c81796..c90e28f60a 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md @@ -14,7 +14,7 @@ Rules for the encryption zone are typically the same as those for the isolated d ![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring encryption zone rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** -A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](../p_server_archive/checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. +A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. @@ -33,32 +33,32 @@ A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Se - + - + - + - + - + - +

_

Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.

Procedure topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

Procedure topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Add the encryption requirements for the zone.

Procedure topic[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

Procedure topic[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

_

Verify that the connection security rules are protecting network traffic.

Procedure topic[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)

Procedure topic[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md index e88f33cec8..84b4f69a88 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md @@ -37,58 +37,58 @@ The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Se

_

Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

-

Checklist topic[Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md)

-

Checklist topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

+

Checklist topic[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)

+

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended.

-

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

+

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

-

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

-

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

-

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used.

-

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used.

-

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create the rule that requests authentication for all inbound network traffic.

-

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Link the GPO to the domain level of the AD DS organizational unit hierarchy.

-

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

+

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.

-

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

+

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

_

Verify that the connection security rules are protecting network traffic to and from the test computers.

-

Procedure topic[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)

+

Procedure topic[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)

diff --git a/windows/keep-secure/checklist-creating-group-policy-objects.md b/windows/keep-secure/checklist-creating-group-policy-objects.md index 5264c7d2c6..698ddd1336 100644 --- a/windows/keep-secure/checklist-creating-group-policy-objects.md +++ b/windows/keep-secure/checklist-creating-group-policy-objects.md @@ -43,44 +43,44 @@ You can also use a membership group for one zone as an exclusion group for anoth

_

Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.

-

Procedure topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Procedure topic[Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md)

+

Procedure topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

+

Procedure topic[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)

_

Create the membership group in AD DS that will be used to contain computer accounts that must receive the GPO.

If some computers in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the computer accounts for the computers that cannot be blocked by using a WMI filter.

-

Procedure topic[Create a Group Account in Active Directory](../p_server_archive/create-a-group-account-in-active-directory.md)

+

Procedure topic[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)

_

Create a GPO for each version of Windows that has different implementation requirements.

-

Procedure topic[Create a Group Policy Object](../p_server_archive/create-a-group-policy-object.md)

+

Procedure topic[Create a Group Policy Object](create-a-group-policy-object.md)

_

Create security group filters to limit the GPO to only computers that are members of the membership group and to exclude computers that are members of the exclusion group.

-

Procedure topic[Assign Security Group Filters to the GPO](../p_server_archive/assign-security-group-filters-to-the-gpo.md)

+

Procedure topic[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)

_

Create WMI filters to limit each GPO to only the computers that match the criteria in the filter.

-

Procedure topic[Create WMI Filters for the GPO](../p_server_archive/create-wmi-filters-for-the-gpo.md)

+

Procedure topic[Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)

_

If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.

-

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

+

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

-

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

+

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Before adding any rules or configuring the GPO, add a few test computers to the membership group, and make sure that the correct GPO is received and applied to each member of the group.

-

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

+

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

diff --git a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md index 65a3c463b5..c62910188e 100644 --- a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md +++ b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md @@ -32,27 +32,27 @@ This checklist includes tasks for creating firewall rules in your GPOs.

_

Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires.

-

Procedure topic[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+

Procedure topic[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create a rule that allows inbound network traffic on a specified port number.

-

Procedure topic[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+

Procedure topic[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create a rule that allows inbound ICMP network traffic.

-

Procedure topic[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+

Procedure topic[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create rules that allow inbound RPC network traffic.

-

Procedure topic[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+

Procedure topic[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service.

-

Procedure topic[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+

Procedure topic[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

diff --git a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md index 61e94ff601..0e6115009a 100644 --- a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md +++ b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md @@ -34,17 +34,17 @@ By default, in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windo

_

Create a rule that allows a program to send any outbound network traffic on any port it requires.

-

Procedure topic[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+

Procedure topic[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create a rule that allows outbound network traffic on a specified port number.

-

Procedure topic[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+

Procedure topic[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service.

-

Procedure topic[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+

Procedure topic[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index 251866927c..843f11e525 100644 --- a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -37,53 +37,53 @@ The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Se

_

Create a GPO for the client computers that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.

-

Checklist topic[Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md)

-

Checklist topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

+

Checklist topic[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)

+

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

To determine which computers receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.

-

Checklist topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

+

Checklist topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

-

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

-

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

-

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used.

-

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used.

-

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with computers that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.

-

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

+

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

-

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

+

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test computers to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

-

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

+

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

diff --git a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md index d6ff2cb7f5..1c3c8530e2 100644 --- a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md @@ -36,51 +36,51 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co

_

Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization.

-

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Conceptual topic[Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md)

-

Conceptual topic[Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md)

-

Conceptual topic[Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md)

+

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

+

Conceptual topic[Basic Firewall Policy Design](basic-firewall-policy-design.md)

+

Conceptual topic[Firewall Policy Design Example](firewall-policy-design-example.md)

+

Conceptual topic[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)

_

Create the membership group and a GPO for each set of computers that require different firewall rules. Where GPOs will be similar, such as for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy.

-

Checklist topic[Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md)

-

Checklist topic[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md)

+

Checklist topic[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)

+

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the computers for which this GPO is intended.

-

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

+

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure the GPO with firewall default settings appropriate for your design.

-

Checklist topic[Checklist: Configuring Basic Firewall Settings](../p_server_archive/checklist-configuring-basic-firewall-settings.md)

+

Checklist topic[Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)

_

Create one or more inbound firewall rules to allow unsolicited inbound network traffic.

-

Checklist topic[Checklist: Creating Inbound Firewall Rules](../p_server_archive/checklist-creating-inbound-firewall-rules.md)

+

Checklist topic[Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)

_

Create one or more outbound firewall rules to block unwanted outbound network traffic.

-

Checklist topic[Checklist: Creating Outbound Firewall Rules](../p_server_archive/checklist-creating-outbound-firewall-rules.md)

+

Checklist topic[Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

-

Procedure topic[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md)

+

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add test computers to the membership group, and then confirm that the computers receive the firewall rules from the GPOs as expected.

-

Procedure topic[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md)

+

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

_

According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy the completed firewall policy settings to your computers.

-

Procedure topic[Add Production Computers to the Membership Group for a Zone](../p_server_archive/add-production-computers-to-the-membership-group-for-a-zone.md)

+

Procedure topic[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)

diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md index 59ca82798d..67dfdd611b 100644 --- a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -36,30 +36,30 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co

_

Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.

-

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Conceptual topic[Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md)

-

Conceptual topic[Certificate-based Isolation Policy Design Example](../p_server_archive/certificate-based-isolation-policy-design-example.md)

-

Conceptual topic[Planning Certificate-based Authentication](../p_server_archive/planning-certificate-based-authentication.md)

+

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

+

Conceptual topic[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)

+

Conceptual topic[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)

+

Conceptual topic[Planning Certificate-based Authentication](planning-certificate-based-authentication.md)

_

Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.

-

Procedure topic[Install Active Directory Certificate Services](../p_server_archive/install-active-directory-certificate-services.md)

+

Procedure topic[Install Active Directory Certificate Services](install-active-directory-certificate-services.md)

_

Configure the certificate template for workstation authentication certificates.

-

Procedure topic[Configure the Workstation Authentication Certificate Template](../p_server_archive/configure-the-workstation-authentication-certificate-templatewfas-dep.md)

+

Procedure topic[Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md)

_

Configure Group Policy to automatically deploy certificates based on your template to workstation computers.

-

Procedure topic[Configure Group Policy to Autoenroll and Deploy Certificates](../p_server_archive/configure-group-policy-to-autoenroll-and-deploy-certificates.md)

+

Procedure topic[Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)

_

On a test computer, refresh Group Policy and confirm that the certificate is installed.

-

Procedure topic[Confirm That Certificates Are Deployed Correctly](../p_server_archive/confirm-that-certificates-are-deployed-correctly.md)

+

Procedure topic[Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)

diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md index 6febf014de..1bb54f22dd 100644 --- a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md @@ -38,40 +38,40 @@ For more information about the security algorithms and authentication methods av

_

Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.

-

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Conceptual topic[Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md)

-

Conceptual topic[Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md)

-

Conceptual topic[Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md)

+

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

+

Conceptual topic[Domain Isolation Policy Design](domain-isolation-policy-design.md)

+

Conceptual topic[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)

+

Conceptual topic[Planning Domain Isolation Zones](planning-domain-isolation-zones.md)

_

Create the GPOs and connection security rules for the isolated domain.

-

Checklist topic[Checklist: Configuring Rules for the Isolated Domain](../p_server_archive/checklist-configuring-rules-for-the-isolated-domain.md)

+

Checklist topic[Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)

_

Create the GPOs and connection security rules for the boundary zone.

-

Checklist topic[Checklist: Configuring Rules for the Boundary Zone](../p_server_archive/checklist-configuring-rules-for-the-boundary-zone.md)

+

Checklist topic[Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)

_

Create the GPOs and connection security rules for the encryption zone.

-

Checklist topic[Checklist: Configuring Rules for the Encryption Zone](../p_server_archive/checklist-configuring-rules-for-the-encryption-zone.md)

+

Checklist topic[Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)

_

Create the GPOs and connection security rules for the isolated server zone.

-

Checklist topic[Checklist: Configuring Rules for an Isolated Server Zone](../p_server_archive/checklist-configuring-rules-for-an-isolated-server-zone.md)

+

Checklist topic[Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)

_

According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.

-

Procedure topic[Add Production Computers to the Membership Group for a Zone](../p_server_archive/add-production-computers-to-the-membership-group-for-a-zone.md)

+

Procedure topic[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)

_

After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.

-

Procedure topic[Change Rules from Request to Require Mode](../p_server_archive/change-rules-from-request-to-require-mode.md)

+

Procedure topic[Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)

diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md index 92a7ec6199..be94daaa5c 100644 --- a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -8,7 +8,7 @@ author: brianlic-msft # Checklist: Implementing a Standalone Server Isolation Policy Design -This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](../p_server_archive/checklist-configuring-rules-for-an-isolated-server-zone.md). +This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. @@ -38,35 +38,35 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co

_

Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.

-

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](../p_server_archive/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Conceptual topic[Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md)

-

Conceptual topic[Server Isolation Policy Design Example](../p_server_archive/server-isolation-policy-design-example.md)

-

Conceptual topic[Planning Server Isolation Zones](../p_server_archive/planning-server-isolation-zones.md)

+

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

+

Conceptual topic[Server Isolation Policy Design](server-isolation-policy-design.md)

+

Conceptual topic[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)

+

Conceptual topic[Planning Server Isolation Zones](planning-server-isolation-zones.md)

_

Create the GPOs and connection security rules for isolated servers.

-

Checklist topic[Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](../p_server_archive/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)

+

Checklist topic[Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)

_

Create the GPOs and connection security rules for the client computers that must connect to the isolated servers.

-

Checklist topic[Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](../p_server_archive/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)

+

Checklist topic[Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)

_

Verify that the connection security rules are protecting network traffic on your test computers.

-

Procedure topic[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md)

+

Procedure topic[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)

_

After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it.

-

Procedure topic[Change Rules from Request to Require Mode](../p_server_archive/change-rules-from-request-to-require-mode.md)

+

Procedure topic[Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)

_

According to the testing and roll-out schedule in your design plan, add computer accounts for the client computers to the membership group so that you can deploy the settings.

-

Procedure topic[Add Production Computers to the Membership Group for a Zone](../p_server_archive/add-production-computers-to-the-membership-group-for-a-zone.md)

+

Procedure topic[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)

diff --git a/windows/keep-secure/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md index 6cd45af6d4..6569e0cab2 100644 --- a/windows/keep-secure/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ b/windows/keep-secure/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -21,7 +21,7 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure authentication methods** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. diff --git a/windows/keep-secure/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md index 19af4227c6..41a78a8639 100644 --- a/windows/keep-secure/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ b/windows/keep-secure/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -16,7 +16,7 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure quick mode settings** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. diff --git a/windows/keep-secure/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md index 98b44775c3..dfb5e88e6c 100644 --- a/windows/keep-secure/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ b/windows/keep-secure/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -16,7 +16,7 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure key exchange settings** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. diff --git a/windows/keep-secure/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md index d01116f6b5..2ffedaee22 100644 --- a/windows/keep-secure/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ b/windows/keep-secure/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -16,7 +16,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr **To modify an authentication request rule to also require encryption** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Connection Security Rules**. @@ -36,14 +36,14 @@ To complete this procedure, you must be a member of the Domain Administrators gr This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client computers will use to connect to members of the encryption zone. The client computers receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client computers in that zone will not be able to connect to computers in this zone. -10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md). +10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md). **Note**   Not all of the algorithms available in Windows 8 or Windows Server 2012 can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell. - For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](../p_server_archive/windows-firewall-with-advanced-security-administration-with-windows-powershell.md) + For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)   diff --git a/windows/keep-secure/configure-the-windows-firewall-log.md b/windows/keep-secure/configure-the-windows-firewall-log.md index 0bd77d8930..cb025368ae 100644 --- a/windows/keep-secure/configure-the-windows-firewall-log.md +++ b/windows/keep-secure/configure-the-windows-firewall-log.md @@ -23,7 +23,7 @@ In this topic: **To configure Windows Firewall logging for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. diff --git a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index e8fdd8d249..b494eb1f78 100644 --- a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -30,7 +30,7 @@ In this topic: **To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. diff --git a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md index 16224c9683..efb2cee353 100644 --- a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md @@ -27,7 +27,7 @@ In this topic: **To refresh Group Policy on a computer** -- On a computer running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md), and then type the following command: +- On a computer running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command: ``` syntax gpupdate /target:computer /force diff --git a/windows/keep-secure/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md index 93b8e8fa26..2f1df0c3a9 100644 --- a/windows/keep-secure/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ b/windows/keep-secure/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -21,7 +21,7 @@ To complete these procedures, you must be a member of the Domain Administrators **To create a rule that exempts specified hosts from authentication** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Connection Security Rules**. diff --git a/windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md index d3c1139e03..f2168bbc7d 100644 --- a/windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ b/windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -16,7 +16,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr **To create the authentication request rule** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**. @@ -31,7 +31,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr 5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP), which is supported only on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. - 1. **Default**. Selecting this option tells the computer to request authentication by using the method currently defined as the default on the computer. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) procedure. + 1. **Default**. Selecting this option tells the computer to request authentication by using the method currently defined as the default on the computer. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) procedure. 2. **Computer and User (Kerberos V5)**. Selecting this option tells the computer to request authentication of both the computer and the currently logged-on user by using their domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. diff --git a/windows/keep-secure/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md index 08aecf9783..edbbf0d6e5 100644 --- a/windows/keep-secure/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -16,13 +16,13 @@ To complete these procedures, you must be a member of the Domain Administrators This topic describes how to create a port rule that allows inbound ICMP network traffic. For other inbound port rule types, see: -- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) **To create an inbound ICMP rule** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md index 6644cd06b4..49f4b7d7ba 100644 --- a/windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -16,13 +16,13 @@ To complete these procedures, you must be a member of the Domain Administrators This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see: -- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) **To create an inbound port rule** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. @@ -38,7 +38,7 @@ This topic describes how to create a standard port rule for a specified protocol 5. On the **Program** page, click **All programs**, and then click **Next**. **Note**   - This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria. + This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.   diff --git a/windows/keep-secure/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md index b254db6e7c..83fa805eef 100644 --- a/windows/keep-secure/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -11,7 +11,7 @@ author: brianlic-msft To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. **Note**   -This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure. +This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure.   @@ -21,7 +21,7 @@ To complete these procedures, you must be a member of the Domain Administrators **To create an inbound firewall rule for a program or service** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. @@ -61,7 +61,7 @@ To complete these procedures, you must be a member of the Domain Administrators   -8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). After you have configured the protocol and port options, click **Next**. +8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). After you have configured the protocol and port options, click **Next**. 9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. diff --git a/windows/keep-secure/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md index acc279e9e1..d91a6e972b 100644 --- a/windows/keep-secure/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -16,7 +16,7 @@ To complete these procedures, you must be a member of the Domain Administrators **To create an outbound port rule** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Outbound Rules**. diff --git a/windows/keep-secure/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md index 6a9f0d3b2f..8552952fbd 100644 --- a/windows/keep-secure/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -16,7 +16,7 @@ To complete these procedures, you must be a member of the Domain Administrators **To create an outbound firewall rule for a program or service** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Outbound Rules**. @@ -41,7 +41,7 @@ To complete these procedures, you must be a member of the Domain Administrators - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then click **Apply to service with this service short name**, and type the short name for the service in the text box. Click **OK**, and then click **Next**. -8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). When you have configured the protocol and port options, click **Next**. +8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). When you have configured the protocol and port options, click **Next**. 9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. diff --git a/windows/keep-secure/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md index c18b3e488e..1c41bd67ec 100644 --- a/windows/keep-secure/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -16,9 +16,9 @@ To complete these procedures, you must be a member of the Domain Administrators This topic describes how to create rules that allow inbound RPC network traffic. For other inbound port rule types, see: -- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) In this topic: @@ -31,7 +31,7 @@ In this topic: **To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md index 7f5556412d..6e3d38e38b 100644 --- a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -10,9 +10,9 @@ author: brianlic-msft To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the computers on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the computers. -- [Gathering the Information You Need](../p_server_archive/gathering-the-information-you-need.md) +- [Gathering the Information You Need](gathering-the-information-you-need.md) -- [Determining the Trusted State of Your Computers](../p_server_archive/determining-the-trusted-state-of-your-computers.md) +- [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-computers.md) The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design. @@ -46,9 +46,9 @@ Computers running Windows XP and Windows Server 2003 will not be able to partici   -This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems, starting with Windows Vista and Windows Server 2008. Windows XP and Windows Server 2003 are not discussed in this guide. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide. +This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems, starting with Windows Vista and Windows Server 2008. Windows XP and Windows Server 2003 are not discussed in this guide. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide. -**Next: **[Gathering the Information You Need](../p_server_archive/gathering-the-information-you-need.md) +**Next: **[Gathering the Information You Need](gathering-the-information-you-need.md)   diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-computers.md b/windows/keep-secure/determining-the-trusted-state-of-your-computers.md index c1812d4311..4e2b3f8fd2 100644 --- a/windows/keep-secure/determining-the-trusted-state-of-your-computers.md +++ b/windows/keep-secure/determining-the-trusted-state-of-your-computers.md @@ -115,7 +115,7 @@ The final step in this part of the process is to record the approximate cost of - What is the projected cost or impact of making the proposed changes to enable the computer to achieve a trusted state? -By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular computer or group of computers into the scope of the project. It is important to remember that the state of a computer is transitive, and that by performing the listed remedial actions you can change the state of a computer from untrusted to trusted. After you decide whether to place a computer in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) discusses. +By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular computer or group of computers into the scope of the project. It is important to remember that the state of a computer is transitive, and that by performing the listed remedial actions you can change the state of a computer from untrusted to trusted. After you decide whether to place a computer in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses. The following table is an example of a data sheet that you could use to help capture the current state of a computer and what would be required for the computer to achieve a trusted state. @@ -164,7 +164,7 @@ In the previous table, the computer CLIENT001 is currently "known, untrusted" be The computer SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs. -With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) section. +With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. The costs identified in this section only capture the projected cost of the computer upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. @@ -172,7 +172,7 @@ For more information about how to configure firewalls to support IPsec, see "Con For more information about WMI, see "Windows Management Instrumentation" at . -**Next: **[Planning Your Windows Firewall with Advanced Security Design](../p_server_archive/planning-your-windows-firewall-with-advanced-security-design.md) +**Next: **[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)   diff --git a/windows/keep-secure/documenting-the-zones.md b/windows/keep-secure/documenting-the-zones.md index 30d08b26eb..d15b2fd6c4 100644 --- a/windows/keep-secure/documenting-the-zones.md +++ b/windows/keep-secure/documenting-the-zones.md @@ -8,7 +8,7 @@ author: brianlic-msft # Documenting the Zones -Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: +Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: @@ -73,7 +73,7 @@ Generally, the task of determining zone membership is not complex, but it can be   -**Next: **[Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) +**Next: **[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)   diff --git a/windows/keep-secure/domain-isolation-policy-design-example.md b/windows/keep-secure/domain-isolation-policy-design-example.md index 9d43df0cc7..3e58a40369 100644 --- a/windows/keep-secure/domain-isolation-policy-design-example.md +++ b/windows/keep-secure/domain-isolation-policy-design-example.md @@ -8,7 +8,7 @@ author: brianlic-msft # Domain Isolation Policy Design Example -This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. +This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. ## Design Requirements @@ -29,7 +29,7 @@ The following illustration shows the traffic protection needed for this design e **Other traffic notes:** -- All of the design requirements described in the [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md) section are still enforced. +- All of the design requirements described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced. ## Design Details @@ -53,7 +53,7 @@ If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Window   -**Next: **[Server Isolation Policy Design Example](../p_server_archive/server-isolation-policy-design-example.md) +**Next: **[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)   diff --git a/windows/keep-secure/domain-isolation-policy-design.md b/windows/keep-secure/domain-isolation-policy-design.md index 7156c376c5..4300787f6c 100644 --- a/windows/keep-secure/domain-isolation-policy-design.md +++ b/windows/keep-secure/domain-isolation-policy-design.md @@ -10,7 +10,7 @@ author: brianlic-msft In the domain isolation policy design, you configure the computers on your network to accept only connections coming from computers that are authenticated as members of the same isolated domain. -This design typically begins with a network configured as described in the [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure computers in the isolated domain to accept only network traffic from other computers that can authenticate as a member of the isolated domain. After implementing the new rules, your computers reject unsolicited network traffic from computers that are not members of the isolated domain. +This design typically begins with a network configured as described in the [Basic Firewall Policy Design](basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure computers in the isolated domain to accept only network traffic from other computers that can authenticate as a member of the isolated domain. After implementing the new rules, your computers reject unsolicited network traffic from computers that are not members of the isolated domain. The isolated domain might not be a single Active Directory domain. It can consist of all the domains in a forest, or domains in separate forests that have two-way trust relationships configured between them. @@ -22,7 +22,7 @@ The design is shown in the following illustration, with the arrows that show the Characteristics of this design, as shown in the diagram, include the following: -- Isolated domain (area A) - Computers in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from computers referenced in authentication exemption rules. Computers in the isolated domain can send traffic to any computer. This includes unauthenticated traffic to computers that are not in the isolated domain. Computers that cannot join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more information, see the [Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md). +- Isolated domain (area A) - Computers in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from computers referenced in authentication exemption rules. Computers in the isolated domain can send traffic to any computer. This includes unauthenticated traffic to computers that are not in the isolated domain. Computers that cannot join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more information, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). - Boundary zone (area B) - Computers in the boundary zone are part of the isolated domain but are allowed to accept inbound connections from untrusted computers, such as clients on the Internet. @@ -37,27 +37,27 @@ Characteristics of this design, as shown in the diagram, include the following: After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the computers that are running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista in your organization. **Important**   -This design builds on the [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. +This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented.   This design can be applied to computers that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. -In order to expand the isolated domain to include computers that cannot be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md). +In order to expand the isolated domain to include computers that cannot be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). For more information about this design: -- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md). +- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). -- To learn more about this design, see the [Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md). +- To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). -- To help you make the decisions required in this design, see [Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md). +- To help you make the decisions required in this design, see [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). - For a list of tasks that you can use to deploy your domain isolation policy design, see "Checklist: Implementing a Domain Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=xxxxx) at http://go.microsoft.com/fwlink/?linkid=xxxxx. -**Next:** [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md) +**Next:** [Server Isolation Policy Design](server-isolation-policy-design.md)   diff --git a/windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md index 430a558adb..7f8e8b4d05 100644 --- a/windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -16,7 +16,7 @@ To complete these procedures, you must be a member of the Domain Administrators **To deploy predefined firewall rules that allow inbound network traffic for common network functions** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Inbound Rules**. diff --git a/windows/keep-secure/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md index c82d0ba984..b37bf8b4c4 100644 --- a/windows/keep-secure/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md @@ -16,7 +16,7 @@ To complete these procedures, you must be a member of the Domain Administrators **To deploy predefined firewall rules that block outbound network traffic for common network functions** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, click **Outbound Rules**. diff --git a/windows/keep-secure/encryption-zone-gpos.md b/windows/keep-secure/encryption-zone-gpos.md index d8eddfb597..a02f4037c8 100644 --- a/windows/keep-secure/encryption-zone-gpos.md +++ b/windows/keep-secure/encryption-zone-gpos.md @@ -12,7 +12,7 @@ Handle encryption zones in a similar manner to the boundary zones. A computer is The GPO is only for server versions of Windows. Client computers are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. -- [GPO\_DOMISO\_Encryption\_WS2008](../p_server_archive/gpo-domiso-encryption-ws2008.md) +- [GPO\_DOMISO\_Encryption\_WS2008](gpo-domiso-encryption-ws2008.md)   diff --git a/windows/keep-secure/encryption-zone.md b/windows/keep-secure/encryption-zone.md index 324c6f3514..54a7dfeb35 100644 --- a/windows/keep-secure/encryption-zone.md +++ b/windows/keep-secure/encryption-zone.md @@ -14,7 +14,7 @@ To support the additional security requirements of these servers, we recommend t You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. -Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) section. +Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. ## GPO settings for encryption zone servers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 @@ -46,16 +46,16 @@ The GPO for computers that are running Windows Server 2012, Windows Server 2008 - A registry policy that includes the following values: - - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. **Note**   - For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). + For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).   - If domain member computers must communicate with computers in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs. -**Next: **[Planning Server Isolation Zones](../p_server_archive/planning-server-isolation-zones.md) +**Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md)   diff --git a/windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md index cfc0b71639..a431459419 100644 --- a/windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ b/windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md @@ -21,7 +21,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr **To exempt ICMP network traffic from authentication** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. diff --git a/windows/keep-secure/exemption-list.md b/windows/keep-secure/exemption-list.md index a74d5b6f83..0a1aea9187 100644 --- a/windows/keep-secure/exemption-list.md +++ b/windows/keep-secure/exemption-list.md @@ -40,9 +40,9 @@ To keep the number of exemptions as small as possible, you have several options: - Consolidate exempted hosts on the same subnet. Where network traffic volume allows, you might be able to locate the servers on a subnet that is exempted, instead of using exemptions for each IP address. -As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](../p_server_archive/boundary-zone.md) section. +As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section. -**Next: **[Isolated Domain](../p_server_archive/isolated-domain.md) +**Next: **[Isolated Domain](isolated-domain.md)   diff --git a/windows/keep-secure/firewall-gpos.md b/windows/keep-secure/firewall-gpos.md index e370430566..95375afd70 100644 --- a/windows/keep-secure/firewall-gpos.md +++ b/windows/keep-secure/firewall-gpos.md @@ -12,7 +12,7 @@ All the computers on Woodgrove Bank's network that run Windows are part of the i The GPO created for the example Woodgrove Bank scenario include the following: -- [GPO\_DOMISO\_Firewall](../p_server_archive/gpo-domiso-firewall.md) +- [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md)   diff --git a/windows/keep-secure/firewall-policy-design-example.md b/windows/keep-secure/firewall-policy-design-example.md index 5caed1a7d4..07adcdb285 100644 --- a/windows/keep-secure/firewall-policy-design-example.md +++ b/windows/keep-secure/firewall-policy-design-example.md @@ -96,7 +96,7 @@ The following groups were created by using the Active Directory Users and Comput In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most computers on the network, you might consider adding computers performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there. -**Next: **[Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md) +**Next: **[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)   diff --git a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md index 7aacef01e4..de3c494963 100644 --- a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md +++ b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md @@ -22,7 +22,7 @@ Active Directory is another important item about which you must gather informati - **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Firewall with Advanced Security connection security rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to computers running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable computers using either the old or new IPsec policies to communicate with each other. -**Next: **[Gathering Information about Your Computers](../p_server_archive/gathering-information-about-your-computers.md) +**Next: **[Gathering Information about Your Computers](gathering-information-about-your-computers.md)   diff --git a/windows/keep-secure/gathering-information-about-your-computers.md b/windows/keep-secure/gathering-information-about-your-computers.md index 16e161b101..e0eb0f0b44 100644 --- a/windows/keep-secure/gathering-information-about-your-computers.md +++ b/windows/keep-secure/gathering-information-about-your-computers.md @@ -46,7 +46,7 @@ Whether you use an automatic, manual, or hybrid option to gather the information This inventory will be critical for planning and implementing your Windows Firewall with Advanced Security design. -**Next: **[Gathering Other Relevant Information](../p_server_archive/gathering-other-relevant-information.md) +**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md)   diff --git a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md index 1668112a6d..ba38d968e5 100644 --- a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md @@ -116,7 +116,7 @@ Some of the more common applications and protocols are as follows: - **Other traffic**. Windows Firewall with Advanced Security can help secure transmissions between computers by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. -**Next: **[Gathering Information about Your Active Directory Deployment](../p_server_archive/gathering-information-about-your-active-directory-deployment.md) +**Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)   diff --git a/windows/keep-secure/gathering-other-relevant-information.md b/windows/keep-secure/gathering-other-relevant-information.md index d92519121f..b224e74fa6 100644 --- a/windows/keep-secure/gathering-other-relevant-information.md +++ b/windows/keep-secure/gathering-other-relevant-information.md @@ -79,7 +79,7 @@ Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Ne Network Monitor is available as a free download from Microsoft at . -**Next: **[Determining the Trusted State of Your Computers](../p_server_archive/determining-the-trusted-state-of-your-computers.md) +**Next: **[Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-computers.md)   diff --git a/windows/keep-secure/gathering-the-information-you-need.md b/windows/keep-secure/gathering-the-information-you-need.md index 1ff777de17..c4bcf27cfe 100644 --- a/windows/keep-secure/gathering-the-information-you-need.md +++ b/windows/keep-secure/gathering-the-information-you-need.md @@ -12,13 +12,13 @@ Before starting the planning process for a Windows Firewall with Advanced Securi Review each of the following topics for guidance about the kinds of information that you must gather: -- [Gathering Information about Your Current Network Infrastructure](../p_server_archive/gathering-information-about-your-current-network-infrastructure.md) +- [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md) -- [Gathering Information about Your Active Directory Deployment](../p_server_archive/gathering-information-about-your-active-directory-deployment.md) +- [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) -- [Gathering Information about Your Computers](../p_server_archive/gathering-information-about-your-computers.md) +- [Gathering Information about Your Computers](gathering-information-about-your-computers.md) -- [Gathering Other Relevant Information](../p_server_archive/gathering-other-relevant-information.md) +- [Gathering Other Relevant Information](gathering-other-relevant-information.md)   diff --git a/windows/keep-secure/gpo-domiso-boundary-ws2008.md b/windows/keep-secure/gpo-domiso-boundary-ws2008.md index 4c2140385f..feafd79586 100644 --- a/windows/keep-secure/gpo-domiso-boundary-ws2008.md +++ b/windows/keep-secure/gpo-domiso-boundary-ws2008.md @@ -25,7 +25,7 @@ Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authen ## Registry settings -The boundary zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](../p_server_archive/isolated-domain.md). +The boundary zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md). ## Firewall rules @@ -34,7 +34,7 @@ Copy the firewall rules for the boundary zone from the GPO that contains the fir Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. -**Next: **[Encryption Zone GPOs](../p_server_archive/encryption-zone-gpos.md) +**Next: **[Encryption Zone GPOs](encryption-zone-gpos.md)   diff --git a/windows/keep-secure/gpo-domiso-encryption-ws2008.md b/windows/keep-secure/gpo-domiso-encryption-ws2008.md index c5ec2d8c7a..dac33f72d4 100644 --- a/windows/keep-secure/gpo-domiso-encryption-ws2008.md +++ b/windows/keep-secure/gpo-domiso-encryption-ws2008.md @@ -27,7 +27,7 @@ Rename the **Isolated Domain Rule** to **Encryption Zone Rule**. Leave the authe ## Registry settings -The encryption zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](../p_server_archive/isolated-domain.md). +The encryption zone uses the same registry settings as the isolated domain to optimize IPsec operation. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md). ## Firewall rules @@ -38,7 +38,7 @@ Change the action for every inbound firewall rule from **Allow the connection** Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. -**Next: **[Server Isolation GPOs](../p_server_archive/server-isolation-gpos.md) +**Next: **[Server Isolation GPOs](server-isolation-gpos.md)   diff --git a/windows/keep-secure/gpo-domiso-firewall.md b/windows/keep-secure/gpo-domiso-firewall.md index 78e4c0281a..5ffd27f985 100644 --- a/windows/keep-secure/gpo-domiso-firewall.md +++ b/windows/keep-secure/gpo-domiso-firewall.md @@ -59,7 +59,7 @@ This GPO provides the following rules: - A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile. -**Next: **[Isolated Domain GPOs](../p_server_archive/isolated-domain-gpos.md) +**Next: **[Isolated Domain GPOs](isolated-domain-gpos.md)   diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md index e03f882634..0b881a5231 100644 --- a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md +++ b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md @@ -17,13 +17,13 @@ Because client computers can sometimes be portable, the settings and rules for t This GPO provides the following settings: -- No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the [Firewall GPOs](../p_server_archive/firewall-gpos.md) section) in order to share them with all clients in all isolation zones with minimum redundancy. +- No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the [Firewall GPOs](firewall-gpos.md) section) in order to share them with all clients in all isolation zones with minimum redundancy. - The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting. - Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, such as Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2, they can remove the weaker key exchange algorithms, and use only the stronger ones. -- The registry settings shown in the following table. For more information, see the description of the registry settings in [Isolated Domain](../p_server_archive/isolated-domain.md). +- The registry settings shown in the following table. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md).
@@ -169,7 +169,7 @@ This GPO provides the following rules: - Authentication mode is set to **Do not authenticate**. -**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](../p_server_archive/gpo-domiso-isolateddomain-servers.md) +**Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)   diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md index d179b62321..20491ecac5 100644 --- a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md +++ b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md @@ -19,7 +19,7 @@ Because so many of the settings and rules for this GPO are common to those in th   -**Next: **[Boundary Zone GPOs](../p_server_archive/boundary-zone-gpos.md) +**Next: **[Boundary Zone GPOs](boundary-zone-gpos.md)   diff --git a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 7521ff29ba..acd8702deb 100644 --- a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -29,15 +29,15 @@ The next step in implementing your design is to determine in what order each of Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Firewall with Advanced Security design. -- [Checklist: Implementing a Basic Firewall Policy Design](../p_server_archive/checklist-implementing-a-basic-firewall-policy-design.md) +- [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) -- [Checklist: Implementing a Domain Isolation Policy Design](../p_server_archive/checklist-implementing-a-domain-isolation-policy-design.md) +- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) -- [Checklist: Implementing a Domain Isolation Policy Design](../p_server_archive/checklist-implementing-a-domain-isolation-policy-design.md) +- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) -- [Checklist: Implementing a Certificate-based Isolation Policy Design](../p_server_archive/checklist-implementing-a-certificate-based-isolation-policy-design.md) +- [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) -The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](../p_server_archive/windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](../p_server_archive/checklist-creating-group-policy-objects.md). +The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md).   diff --git a/windows/keep-secure/isolated-domain-gpos.md b/windows/keep-secure/isolated-domain-gpos.md index 0b6a5cf020..022c062ce6 100644 --- a/windows/keep-secure/isolated-domain-gpos.md +++ b/windows/keep-secure/isolated-domain-gpos.md @@ -10,13 +10,13 @@ author: brianlic-msft All of the computers in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. -Each GPO has a security group filter that prevents the GPO from applying to members of the group GP\_DOMISO\_No\_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. For more information, see the [Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md) section. +Each GPO has a security group filter that prevents the GPO from applying to members of the group GP\_DOMISO\_No\_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. For more information, see the [Planning GPO Deployment](planning-gpo-deployment.md) section. The GPOs created for the Woodgrove Bank isolated domain include the following: -- [GPO\_DOMISO\_IsolatedDomain\_Clients](../p_server_archive/gpo-domiso-isolateddomain-clients.md) +- [GPO\_DOMISO\_IsolatedDomain\_Clients](gpo-domiso-isolateddomain-clients.md) -- [GPO\_DOMISO\_IsolatedDomain\_Servers](../p_server_archive/gpo-domiso-isolateddomain-servers.md) +- [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md)   diff --git a/windows/keep-secure/isolated-domain.md b/windows/keep-secure/isolated-domain.md index 498d66aac0..8c1163d07c 100644 --- a/windows/keep-secure/isolated-domain.md +++ b/windows/keep-secure/isolated-domain.md @@ -48,14 +48,14 @@ GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server - A registry policy that includes the following values: - - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. **Note**   - For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). + For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).   -**Next: **[Boundary Zone](../p_server_archive/boundary-zone.md) +**Next: **[Boundary Zone](boundary-zone.md)   diff --git a/windows/keep-secure/isolating-windows-store-apps-on-your-network.md b/windows/keep-secure/isolating-windows-store-apps-on-your-network.md index 019fcfc553..6d4410b869 100644 --- a/windows/keep-secure/isolating-windows-store-apps-on-your-network.md +++ b/windows/keep-secure/isolating-windows-store-apps-on-your-network.md @@ -331,7 +331,7 @@ Use the following procedure if you want to block intranet access for a specific ## See also -- [Windows Firewall with Advanced Security Overview](../p_server_archive/windows-firewall-with-advanced-security-overview-win8.md) +- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security-overview-win8.md)   diff --git a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index f062e68961..6972acc8cd 100644 --- a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -28,36 +28,36 @@ Use the following table to determine which Windows Firewall with Advanced Securi - - - - + + + + - + - + - + - + @@ -70,7 +70,7 @@ Use the following table to determine which Windows Firewall with Advanced Securi To examine details for a specific design, click the design title at the top of the column in the preceding table. -**Next: **[Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md) +**Next: **[Basic Firewall Policy Design](basic-firewall-policy-design.md)   diff --git a/windows/keep-secure/planning-certificate-based-authentication.md b/windows/keep-secure/planning-certificate-based-authentication.md index 414b5e373d..5882c9fec7 100644 --- a/windows/keep-secure/planning-certificate-based-authentication.md +++ b/windows/keep-secure/planning-certificate-based-authentication.md @@ -46,7 +46,7 @@ When the clients and servers have the certificates available, you can configure Starting in Windows Server 2012, the Administrator can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell. -**Next: **[Documenting the Zones](../p_server_archive/documenting-the-zones.md) +**Next: **[Documenting the Zones](documenting-the-zones.md)   diff --git a/windows/keep-secure/planning-domain-isolation-zones.md b/windows/keep-secure/planning-domain-isolation-zones.md index f2d1bfb04c..79003e56ed 100644 --- a/windows/keep-secure/planning-domain-isolation-zones.md +++ b/windows/keep-secure/planning-domain-isolation-zones.md @@ -14,13 +14,13 @@ The bulk of the work in planning server and domain isolation is determining whic The zones described in this guide include the following: -- [Exemption List](../p_server_archive/exemption-list.md) +- [Exemption List](exemption-list.md) -- [Isolated Domain](../p_server_archive/isolated-domain.md) +- [Isolated Domain](isolated-domain.md) -- [Boundary Zone](../p_server_archive/boundary-zone.md) +- [Boundary Zone](boundary-zone.md) -- [Encryption Zone](../p_server_archive/encryption-zone.md) +- [Encryption Zone](encryption-zone.md)   diff --git a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md index 0100f63ad7..83dd7f12ae 100644 --- a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md @@ -12,13 +12,13 @@ After you have decided on the best logical design of your isolation environment You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the computer accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you will ensure that the policies will only apply to the correct computers within each group. -- [Planning Isolation Groups for the Zones](../p_server_archive/planning-isolation-groups-for-the-zones.md) +- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) -- [Planning Network Access Groups](../p_server_archive/planning-network-access-groups.md) +- [Planning Network Access Groups](planning-network-access-groups.md) -- [Planning the GPOs](../p_server_archive/planning-the-gpos.md) +- [Planning the GPOs](planning-the-gpos.md) -- [Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md) +- [Planning GPO Deployment](planning-gpo-deployment.md)   diff --git a/windows/keep-secure/planning-isolation-groups-for-the-zones.md b/windows/keep-secure/planning-isolation-groups-for-the-zones.md index 73063b68ef..209c9c78e2 100644 --- a/windows/keep-secure/planning-isolation-groups-for-the-zones.md +++ b/windows/keep-secure/planning-isolation-groups-for-the-zones.md @@ -63,11 +63,11 @@ The following table lists typical groups that can be used to manage the domain i   -Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](../p_server_archive/planning-the-gpos.md). +Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](planning-the-gpos.md). If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the computer. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific. -**Next: **[Planning Network Access Groups](../p_server_archive/planning-network-access-groups.md) +**Next: **[Planning Network Access Groups](planning-network-access-groups.md)   diff --git a/windows/keep-secure/planning-network-access-groups.md b/windows/keep-secure/planning-network-access-groups.md index dc94283493..e96e8d26f2 100644 --- a/windows/keep-secure/planning-network-access-groups.md +++ b/windows/keep-secure/planning-network-access-groups.md @@ -56,7 +56,7 @@ Membership in a NAG does not control the level of IPsec traffic protection. The   -**Next: **[Planning the GPOs](../p_server_archive/planning-the-gpos.md) +**Next: **[Planning the GPOs](planning-the-gpos.md)   diff --git a/windows/keep-secure/planning-server-isolation-zones.md b/windows/keep-secure/planning-server-isolation-zones.md index 6394f51aa0..dc95031002 100644 --- a/windows/keep-secure/planning-server-isolation-zones.md +++ b/windows/keep-secure/planning-server-isolation-zones.md @@ -29,7 +29,7 @@ Each set of servers that must be accessed by different sets of users should be s ## Creating the GPOs -Creation of the groups and how to link them to the GPOs that apply the rules to members of the groups are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) section. +Creation of the groups and how to link them to the GPOs that apply the rules to members of the groups are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. An isolated server is often a member of the encryption zone. Therefore, copying that GPO set serves as a good starting point. You then modify the rules to additionally restrict access to only NAG members. @@ -69,14 +69,14 @@ The connection security rules described here are identical to the ones for the e - A registry policy that includes the following values: - - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. + - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. **Note**   - For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](../p_server_archive/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). + For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md).   -**Next: **[Planning Certificate-based Authentication](../p_server_archive/planning-certificate-based-authentication.md) +**Next: **[Planning Certificate-based Authentication](planning-certificate-based-authentication.md)   diff --git a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md index 783b92991e..4609526945 100644 --- a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md @@ -46,7 +46,7 @@ The following is a list of the firewall settings that you might consider for inc - **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs. -**Next: **[Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) +**Next: **[Planning Domain Isolation Zones](planning-domain-isolation-zones.md)   diff --git a/windows/keep-secure/planning-the-gpos.md b/windows/keep-secure/planning-the-gpos.md index e970a3c826..e2809e0d05 100644 --- a/windows/keep-secure/planning-the-gpos.md +++ b/windows/keep-secure/planning-the-gpos.md @@ -40,19 +40,19 @@ After considering these issues, document each GPO that you require, and the deta ## Woodgrove Bank example GPOs -The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which computers receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md) section. +The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which computers receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section. In this section you can find information about the following: -- [Firewall GPOs](../p_server_archive/firewall-gpos.md) +- [Firewall GPOs](firewall-gpos.md) -- [Isolated Domain GPOs](../p_server_archive/isolated-domain-gpos.md) +- [Isolated Domain GPOs](isolated-domain-gpos.md) -- [Boundary Zone GPOs](../p_server_archive/boundary-zone-gpos.md) +- [Boundary Zone GPOs](boundary-zone-gpos.md) -- [Encryption Zone GPOs](../p_server_archive/encryption-zone-gpos.md) +- [Encryption Zone GPOs](encryption-zone-gpos.md) -- [Server Isolation GPOs](../p_server_archive/server-isolation-gpos.md) +- [Server Isolation GPOs](server-isolation-gpos.md)   diff --git a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md index a517124934..e044483cf2 100644 --- a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -8,7 +8,7 @@ author: brianlic-msft # Planning to Deploy Windows Firewall with Advanced Security -After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](../p_server_archive/windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. +After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. ## Reviewing your Windows Firewall with Advanced Security Design @@ -17,11 +17,11 @@ If the design team that created the Windows Firewall with Advanced Security desi - The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which computers apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide: - - [Planning Isolation Groups for the Zones](../p_server_archive/planning-isolation-groups-for-the-zones.md) + - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) - - [Planning the GPOs](../p_server_archive/planning-the-gpos.md) + - [Planning the GPOs](planning-the-gpos.md) - - [Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md) + - [Planning GPO Deployment](planning-gpo-deployment.md) - The communication to be allowed between members of each of the zones in the isolated domain and computers that are not part of the isolated domain or members of the isolated domain's exemption list. @@ -39,7 +39,7 @@ If the design team that created the Windows Firewall with Advanced Security desi If at least one set of each does not match between two computers, then the computers cannot successfully communicate. -After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](../p_server_archive/implementing-your-windows-firewall-with-advanced-security-design-plan.md). +After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md).   diff --git a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md index 9efd46604f..4c5d9ec780 100644 --- a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md @@ -13,9 +13,9 @@ After you have gathered the relevant information in the previous sections, and u ## Basic firewall design -We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization. +We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization. -When you are ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md) section. +When you are ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) section. ## Algorithm and method support and selection @@ -40,7 +40,7 @@ Include this design in your plans: If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you are sure that the computers are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you are troubleshooting. -When you are ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](../p_server_archive/planning-domain-isolation-zones.md) section. +When you are ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. ## Server isolation design @@ -53,7 +53,7 @@ Include this design in your plans: If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the additional server isolation elements. -When you are ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](../p_server_archive/planning-server-isolation-zones.md) section. +When you are ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](planning-server-isolation-zones.md) section. ## Certificate-based authentication design @@ -68,23 +68,23 @@ Include this design in your plans: If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the computers that require it. -When you are ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](../p_server_archive/planning-certificate-based-authentication.md) section. +When you are ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) section. ## Documenting your design After you finish selecting the designs that you will use, you must assign each of your computers to the appropriate isolation zone and document the assignment for use by the deployment team. -- [Documenting the Zones](../p_server_archive/documenting-the-zones.md) +- [Documenting the Zones](documenting-the-zones.md) ## Designing groups and GPOs After you have selected a design and assigned your computers to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you will use to apply the settings and rules to your computers. -When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md) section. +When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. -**Next: **[Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md) +**Next: **[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)   diff --git a/windows/keep-secure/procedures-used-in-this-guide.md b/windows/keep-secure/procedures-used-in-this-guide.md index 733ca019e5..9793debf2a 100644 --- a/windows/keep-secure/procedures-used-in-this-guide.md +++ b/windows/keep-secure/procedures-used-in-this-guide.md @@ -10,83 +10,83 @@ author: brianlic-msft The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. -[Add Production Computers to the Membership Group for a Zone](../p_server_archive/add-production-computers-to-the-membership-group-for-a-zone.md) +[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md) -[Add Test Computers to the Membership Group for a Zone](../p_server_archive/add-test-computers-to-the-membership-group-for-a-zone.md) +[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md) -[Assign Security Group Filters to the GPO](../p_server_archive/assign-security-group-filters-to-the-gpo.md) +[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) -[Change Rules from Request to Require Mode](../p_server_archive/change-rules-from-request-to-require-mode.md) +[Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) -[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) -[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) -[Configure Group Policy to Autoenroll and Deploy Certificates](../p_server_archive/configure-group-policy-to-autoenroll-and-deploy-certificates.md) +[Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) -[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) -[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) -[Configure the Windows Firewall Log](../p_server_archive/configure-the-windows-firewall-log.md) +[Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) -[Configure the Workstation Authentication Certificate Template](../p_server_archive/configure-the-workstation-authentication-certificate-templatewfas-dep.md) +[Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md) -[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](../p_server_archive/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) +[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) -[Confirm That Certificates Are Deployed Correctly](../p_server_archive/confirm-that-certificates-are-deployed-correctly.md) +[Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) -[Copy a GPO to Create a New GPO](../p_server_archive/copy-a-gpo-to-create-a-new-gpo.md) +[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) -[Create a Group Account in Active Directory](../p_server_archive/create-a-group-account-in-active-directory.md) +[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) -[Create a Group Policy Object](../p_server_archive/create-a-group-policy-object.md) +[Create a Group Policy Object](create-a-group-policy-object.md) -[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) -[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) -[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](../p_server_archive/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -[Create WMI Filters for the GPO](../p_server_archive/create-wmi-filters-for-the-gpo.md) +[Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) -[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](../p_server_archive/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](../p_server_archive/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) -[Install Active Directory Certificate Services](../p_server_archive/install-active-directory-certificate-services.md) +[Install Active Directory Certificate Services](install-active-directory-certificate-services.md) -[Link the GPO to the Domain](../p_server_archive/link-the-gpo-to-the-domain.md) +[Link the GPO to the Domain](link-the-gpo-to-the-domain.md) -[Modify GPO Filters to Apply to a Different Zone or Version of Windows](../p_server_archive/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) +[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) -[Open the Group Policy Management Console to IP Security Policies](../p_server_archive/open-the-group-policy-management-console-to-ip-security-policies.md) +[Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) -[Open the Group Policy Management Console to Windows Firewall](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall.md) +[Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md) -[Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) +[Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) -[Open Windows Firewall with Advanced Security](../p_server_archive/open-windows-firewall-with-advanced-security.md) +[Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) -[Restrict Server Access to Members of a Group Only](../p_server_archive/restrict-server-access-to-members-of-a-group-only.md) +[Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md) -[Start a Command Prompt as an Administrator](../p_server_archive/start-a-command-prompt-as-an-administrator.md) +[Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md) -[Turn on Windows Firewall and Configure Default Behavior](../p_server_archive/turn-on-windows-firewall-and-configure-default-behavior.md) +[Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) -[Verify That Network Traffic Is Authenticated](../p_server_archive/verify-that-network-traffic-is-authenticated.md) +[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)   diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md index 29dfe483a0..ca133f5f86 100644 --- a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md @@ -8,7 +8,7 @@ author: brianlic-msft # Require Encryption When Accessing Sensitive Network Resources -The use of authentication in the previously described goal ([Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md)) enables a computer in the isolated domain to block traffic from untrusted computers. However, it does not prevent an untrusted computer from eavesdropping on the network traffic shared between two trusted computers, because by default network packets are not encrypted. +The use of authentication in the previously described goal ([Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)) enables a computer in the isolated domain to block traffic from untrusted computers. However, it does not prevent an untrusted computer from eavesdropping on the network traffic shared between two trusted computers, because by default network packets are not encrypted. For computers that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to computers that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. @@ -18,19 +18,19 @@ The following illustration shows an encryption zone in an isolated domain. The r This goal provides the following benefits: -- Computers in the encryption zone require authentication to communicate with other computers. This works no differently from the domain isolation goal and design. For more information, see [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md). +- Computers in the encryption zone require authentication to communicate with other computers. This works no differently from the domain isolation goal and design. For more information, see [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md). - Computers in the encryption zone require that all inbound and outbound network traffic be encrypted. For example, Woodgrove Bank processes sensitive customer data on a computer that must be protected from eavesdropping by computers on the network. Connection security rules specify that all traffic must be encrypted by a sufficiently complex encryption algorithm to help protect the data. -- Computers in the encryption zone are often good candidates for server isolation, where access is limited to only computer accounts and user accounts that are members of an authorized access group. In many organizations, the encryption zone and the server isolation zone are one and the same. For more information, see [Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md). +- Computers in the encryption zone are often good candidates for server isolation, where access is limited to only computer accounts and user accounts that are members of an authorized access group. In many organizations, the encryption zone and the server isolation zone are one and the same. For more information, see [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md). The following components are required for this deployment goal: -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](../p_server_archive/additional-resources-wfasdesign.md). +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). -**Next: **[Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md) +**Next: **[Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)   diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md index 1e565f2c6b..b6fc24fa0c 100644 --- a/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md +++ b/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md @@ -20,7 +20,7 @@ The following illustration shows an isolated server, and examples of computers t ![isolated domain with network access groups](images/wfas-domainnag.gif) -This goal, which corresponds to [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md), provides the following features: +This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features: - Isolated servers accept unsolicited inbound network traffic only from computers or users that are members of the NAG. @@ -28,13 +28,13 @@ This goal, which corresponds to [Server Isolation Policy Design](../p_server_arc - Server isolation can also be configured independently of an isolated domain. To do so, configure only the computers that must communicate with the isolated server with connection security rules to implement authentication and check NAG membership. -- A server isolation zone can be simultaneously configured as an encryption zone. To do this, configure the GPO with rules that force encryption in addition to requiring authentication and restricting access to NAG members. For more information, see [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md). +- A server isolation zone can be simultaneously configured as an encryption zone. To do this, configure the GPO with rules that force encryption in addition to requiring authentication and restricting access to NAG members. For more information, see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). The following components are required for this deployment goal: -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](../p_server_archive/additional-resources-wfasdesign.md). +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). -**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](../p_server_archive/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) +**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)   diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md index acdb18d98f..a6194dff0b 100644 --- a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md +++ b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md @@ -191,7 +191,7 @@ You might not find the exact answer for the issue, but you can find good hints. ## See also -- [Windows Firewall with Advanced Security Overview](../p_server_archive/windows-firewall-with-advanced-security-overview-win8.md) +- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security-overview-win8.md)   diff --git a/windows/keep-secure/server-isolation-gpos.md b/windows/keep-secure/server-isolation-gpos.md index aa7a7f109b..acfe57e0bb 100644 --- a/windows/keep-secure/server-isolation-gpos.md +++ b/windows/keep-secure/server-isolation-gpos.md @@ -24,7 +24,7 @@ This GPO is identical to the GPO\_DOMISO\_Encryption\_WS2008 GPO with the follow   -**Next: **[Planning GPO Deployment](../p_server_archive/planning-gpo-deployment.md) +**Next: **[Planning GPO Deployment](planning-gpo-deployment.md)   diff --git a/windows/keep-secure/server-isolation-policy-design-example.md b/windows/keep-secure/server-isolation-policy-design-example.md index 1666f22af8..d6c1c4c7af 100644 --- a/windows/keep-secure/server-isolation-policy-design-example.md +++ b/windows/keep-secure/server-isolation-policy-design-example.md @@ -8,7 +8,7 @@ author: brianlic-msft # Server Isolation Policy Design Example -This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md) section. +This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. In addition to the protections provided by the firewall and domain isolation, Woodgrove Bank wants to provide additional protection to the computers that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. This includes a requirement to prevent interception of and access to the information when it is in transit over the network. @@ -42,9 +42,9 @@ The following illustration shows the traffic protection needs for this design ex **Other traffic notes:** -- All of the design requirements shown in the [Firewall Policy Design Example](../p_server_archive/firewall-policy-design-example.md) section are still enforced. +- All of the design requirements shown in the [Firewall Policy Design Example](firewall-policy-design-example.md) section are still enforced. -- All of the design requirements shown in the [Domain Isolation Policy Design Example](../p_server_archive/domain-isolation-policy-design-example.md) section are still enforced. +- All of the design requirements shown in the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section are still enforced. ## Design details @@ -75,7 +75,7 @@ If Woodgrove Bank wants to implement server isolation without domain isolation, You do not have to include the encryption-capable rules on all computers. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption. -**Next: **[Certificate-based Isolation Policy Design Example](../p_server_archive/certificate-based-isolation-policy-design-example.md) +**Next: **[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)   diff --git a/windows/keep-secure/server-isolation-policy-design.md b/windows/keep-secure/server-isolation-policy-design.md index 798292f552..c8671321c0 100644 --- a/windows/keep-secure/server-isolation-policy-design.md +++ b/windows/keep-secure/server-isolation-policy-design.md @@ -10,7 +10,7 @@ author: brianlic-msft In the server isolation policy design, you assign servers to a zone that allows access only to users and computers that authenticate as members of an approved network access group (NAG). -This design typically begins with a network configured as described in the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) section. For this design, you then create zones for servers that have additional security requirements. The zones can limit access to the server to only members of authorized groups, and can optionally require the encryption of all traffic in or out of these servers. This can be done on a per server basis, or for a group of servers that share common security requirements. +This design typically begins with a network configured as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. For this design, you then create zones for servers that have additional security requirements. The zones can limit access to the server to only members of authorized groups, and can optionally require the encryption of all traffic in or out of these servers. This can be done on a per server basis, or for a group of servers that share common security requirements. You can implement a server isolation design without using domain isolation. To do this, you use the same principles as domain isolation, but instead of applying them to an Active Directory domain, you apply them only to the computers that must be able to access the isolated servers. The GPO contains connection security and firewall rules that require authentication when communicating with the isolated servers. In this case, the NAGs that determine which users and computers can access the isolated server are also used to determine which computers receive the GPO. @@ -20,7 +20,7 @@ The design is shown in the following illustration, with arrows that show the per Characteristics of this design include the following: -- Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then computers in the boundary zone behave just like other members of the isolated domain in the way that they interact with computers in server isolation zones. +- Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then computers in the boundary zone behave just like other members of the isolated domain in the way that they interact with computers in server isolation zones. - Isolated servers (area B) - Computers in the server isolation zones restrict access to computers, and optionally users, that authenticate as a member of a network access group (NAG) authorized to gain access. @@ -29,7 +29,7 @@ Characteristics of this design include the following: To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules. **Important**   -This design builds on the [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented. +This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented.   @@ -37,17 +37,17 @@ This design can be applied to computers that are part of an Active Directory for For more information about this design: -- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md), [Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md), and [Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md). +- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md), [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). -- To learn more about this design, see [Server Isolation Policy Design Example](../p_server_archive/server-isolation-policy-design-example.md). +- To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](../p_server_archive/designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). -- To help you make the decisions required in this design, see [Planning Server Isolation Zones](../p_server_archive/planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](../p_server_archive/planning-group-policy-deployment-for-your-isolation-zones.md). +- To help you make the decisions required in this design, see [Planning Server Isolation Zones](planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). - For a list of tasks that you can use to deploy your server isolation policy design, see "Checklist: Implementing a Standalone Server Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=xxxxx) at http://go.microsoft.com/fwlink/?linkid=xxxx. -**Next: **[Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md) +**Next: **[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)   diff --git a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md index 0e12364aa9..f796faa837 100644 --- a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md @@ -19,7 +19,7 @@ To complete these procedures, you must be a member of the Domain Administrators **To enable Windows Firewall and configure the default behavior on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](../p_server_archive/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**. diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index bf8243fdb9..1dd93d35df 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -26,7 +26,7 @@ Windows PowerShell and netsh command references are at the following locations. ## Scope -This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security Overview](../p_server_archive/windows-firewall-with-advanced-security-overview-win8.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more information about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#bkmk-additionalresources) section of this guide. +This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security-overview-win8.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more information about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#bkmk-additionalresources) section of this guide. ## Audience and user requirements @@ -408,7 +408,7 @@ Windows PowerShell New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway ``` -For more information about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](../p_server_archive/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md). +For more information about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md). ### Copy an IPsec rule from one policy to another diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md index 91b5066a6b..915d050d9a 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md @@ -17,21 +17,21 @@ You can use Windows Firewall to control access to the computer from the network. This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected. -Begin by reviewing the information in [Planning to Deploy Windows Firewall with Advanced Security](../p_server_archive/planning-to-deploy-windows-firewall-with-advanced-security.md). +Begin by reviewing the information in [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md). -If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Firewall with Advanced Security Design Guide](../p_server_archive/windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization. +If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization. After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide: -- [Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md) +- [Basic Firewall Policy Design](basic-firewall-policy-design.md) -- [Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md) +- [Domain Isolation Policy Design](domain-isolation-policy-design.md) -- [Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md) +- [Server Isolation Policy Design](server-isolation-policy-design.md) -- [Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md) +- [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) -Use the checklists in [Implementing Your Windows Firewall with Advanced Security Design Plan](../p_server_archive/implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. +Use the checklists in [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. **Caution**   We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the computers in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. @@ -51,7 +51,7 @@ In a large enterprise environment with hundreds or thousands of GPOs, using this This guide does not provide: -- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](../p_server_archive/planning-settings-for-a-basic-firewall-policy.md) in the Windows Firewall with Advanced Security Design Guide. +- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Firewall with Advanced Security Design Guide. - Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy. For more information, see Active Directory Domain Services () and Group Policy (). diff --git a/windows/keep-secure/windows-firewall-with-advanced-security.md b/windows/keep-secure/windows-firewall-with-advanced-security.md index bb9128372e..199b30568c 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security.md @@ -126,7 +126,7 @@ See the following topics for more information about Windows Firewall with Advanc - + From 3c8bc2cbfd984078371f41d7533fd49a7c297d60 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 29 Apr 2016 09:17:15 -0700 Subject: [PATCH 04/26] fixing links --- ...ewall-with-advanced-security-design-examples.md | 8 ++++---- ...wall-with-advanced-security-deployment-goals.md | 14 +++++++------- ...nstall-active-directory-certificate-services.md | 2 +- windows/keep-secure/isolated-domain.md | 2 +- ...isolating-windows-store-apps-on-your-network.md | 2 +- ...tect-computers-from-unwanted-network-traffic.md | 4 ++-- ...-access-to-only-specified-users-or-computers.md | 4 ++-- .../restrict-access-to-only-trusted-computers.md | 6 +++--- ...ict-server-access-to-members-of-a-group-only.md | 2 +- ...ctions-by-using-ikev2-in-windows-server-2012.md | 2 +- ...rewall-with-advanced-security-design-process.md | 12 ++++++------ ...urity-administration-with-windows-powershell.md | 2 +- ...firewall-with-advanced-security-design-guide.md | 4 ++-- 13 files changed, 32 insertions(+), 32 deletions(-) diff --git a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md index 030fbafc71..139c0affde 100644 --- a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -10,13 +10,13 @@ author: brianlic-msft The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the computers connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. -- [Firewall Policy Design Example](91fc4c4c-dca9-422e-be05-42a5e14f5e4a) +- [Firewall Policy Design Example](firewall-policy-design-example.md) -- [Domain Isolation Policy Design Example](d918816a-52be-4266-9027-7bc3c36f4916) +- [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) -- [Server Isolation Policy Design Example](c275b916-56cf-4863-9900-e50193cd77ed) +- [Server Isolation Policy Design Example](server-isolation-policy-design-example.md) -- [Certificate-based Isolation Policy Design Example](85a83c33-358b-4b73-9b08-ef7589d01f91) +- [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)   diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 995905d641..1dbe198a85 100644 --- a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -28,23 +28,23 @@ The following table lists the three main tasks for articulating, refining, and s diff --git a/windows/keep-secure/install-active-directory-certificate-services.md b/windows/keep-secure/install-active-directory-certificate-services.md index a7a4ace49e..5fc8bd6b1c 100644 --- a/windows/keep-secure/install-active-directory-certificate-services.md +++ b/windows/keep-secure/install-active-directory-certificate-services.md @@ -11,7 +11,7 @@ author: brianlic-msft To use certificates in a server isolation or domain isolation design, you must first set up the infrastructure to deploy the certificates. This is called a public key infrastructure (PKI). The services required for a PKI are available in Windows Server 2012 in the form of the Active Directory Certificate Services (AD CS) role. **Caution**   -Creation of a full PKI for an enterprise environment with all of the appropriate security considerations included in the design is beyond the scope of this guide. The following procedure shows you only the basics of installing an issuing certificate server; it is appropriate for a test lab environment only. For more information about deploying AD CS in a production environment, see [Active Directory Certificate Services Overview](e37b2335-0796-449f-aaf4-0520e508f47d) in the Windows Server 2012 Technical Library (http://technet.microsoft.com/library/hh831740.aspx). +Creation of a full PKI for an enterprise environment with all of the appropriate security considerations included in the design is beyond the scope of this guide. The following procedure shows you only the basics of installing an issuing certificate server; it is appropriate for a test lab environment only. For more information about deploying AD CS in a production environment, see [Active Directory Certificate Services Overview](http://technet.microsoft.com/library/hh831740.aspx).   diff --git a/windows/keep-secure/isolated-domain.md b/windows/keep-secure/isolated-domain.md index 8c1163d07c..9e52a463a4 100644 --- a/windows/keep-secure/isolated-domain.md +++ b/windows/keep-secure/isolated-domain.md @@ -14,7 +14,7 @@ The term *domain* in this context means a boundary of communications trust inste For most implementations, an isolated domain will contain the largest number of computers. Other isolation zones can be created for the solution if their communication requirements differ from those of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones. -You must create a group in Active Directory to contain members of the isolated domain. You then apply one of several GPOs that contain connection security and firewall rules to the group so that authentication on all inbound network connections is enforced. Creation of the group and how to link the GPOs that apply the rules to its members are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](cdbe81c3-6dbf-41c2-b003-3ac4fd4e67dd) section. +You must create a group in Active Directory to contain members of the isolated domain. You then apply one of several GPOs that contain connection security and firewall rules to the group so that authentication on all inbound network connections is enforced. Creation of the group and how to link the GPOs that apply the rules to its members are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. The GPOs for the isolated domain should contain the following connection security rules and settings. diff --git a/windows/keep-secure/isolating-windows-store-apps-on-your-network.md b/windows/keep-secure/isolating-windows-store-apps-on-your-network.md index 6d4410b869..8da591bc98 100644 --- a/windows/keep-secure/isolating-windows-store-apps-on-your-network.md +++ b/windows/keep-secure/isolating-windows-store-apps-on-your-network.md @@ -331,7 +331,7 @@ Use the following procedure if you want to block intranet access for a specific ## See also -- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security-overview-win8.md) +- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md)   diff --git a/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md b/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md index 156362cc19..4ce8c89c1d 100644 --- a/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md +++ b/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md @@ -14,7 +14,7 @@ Reports of targeted attacks against organizations, governments, and individuals Running a host-based firewall on every computer that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable computer to provide protection when it is away from the organization's network. -A host-based firewall helps secure a computer by dropping all network traffic that does not match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](0c75637e-86b7-4fb3-9910-04c5cf186305), provides the following benefits: +A host-based firewall helps secure a computer by dropping all network traffic that does not match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](basic-firewall-policy-design.md), provides the following benefits: - Network traffic that is a reply to a request from the local computer is permitted into the computer from the network. @@ -32,7 +32,7 @@ The following component is recommended for this deployment goal: Other means of deploying a firewall policy are available, such as creating scripts that use the **netsh** command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations. -**Next: **[Restrict Access to Only Trusted Computers](29805c5c-a8e4-4600-86b9-7abb9a068919) +**Next: **[Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)   diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md index b6fc24fa0c..5ec1556728 100644 --- a/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md +++ b/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md @@ -8,9 +8,9 @@ author: brianlic-msft # Restrict Access to Only Specified Users or Computers -Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Computers](29805c5c-a8e4-4600-86b9-7abb9a068919)) prevents computers that are members of the isolated domain from accepting network traffic from untrusted computers. However, some computers on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. +Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)) prevents computers that are members of the isolated domain from accepting network traffic from untrusted computers. However, some computers on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. -Windows Firewall with Advanced Security enables you to restrict access to computers and users that are members of domain groups authorized to access that computer. These groups are called *network access groups (NAGs)*. When a computer authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple computers in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Computers that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](261bd90d-5a8a-4de1-98c7-6d07e5d81267)). +Windows Firewall with Advanced Security enables you to restrict access to computers and users that are members of domain groups authorized to access that computer. These groups are called *network access groups (NAGs)*. When a computer authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple computers in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Computers that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). Restricting access to only users and computers that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. diff --git a/windows/keep-secure/restrict-access-to-only-trusted-computers.md b/windows/keep-secure/restrict-access-to-only-trusted-computers.md index aa3e530671..89288e3473 100644 --- a/windows/keep-secure/restrict-access-to-only-trusted-computers.md +++ b/windows/keep-secure/restrict-access-to-only-trusted-computers.md @@ -23,7 +23,7 @@ The following illustration shows an isolated domain, with one of the zones that ![domain isolation](images/wfas-domainiso.gif) -These goals, which correspond to [Domain Isolation Policy Design](3aa75a74-adef-41e4-bf2d-afccf2c47d46) and [Certificate-based Isolation Policy Design](a706e809-ddf3-42a4-9991-6e5d987ebf38), provide the following benefits: +These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits: - Computers in the isolated domain accept unsolicited inbound network traffic only when it can be authenticated as coming from another computer in the isolated domain. Exemption rules can be defined to allow inbound traffic from trusted computers that for some reason cannot perform IPsec authentication. @@ -45,9 +45,9 @@ These goals also support optional zones that can be created to add customized pr The following components are required for this deployment goal: -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources \[lhs\]](508b3d05-e9c9-4df9-bae4-750d4ad03302). +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). -**Next: **[Require Encryption When Accessing Sensitive Network Resources](261bd90d-5a8a-4de1-98c7-6d07e5d81267) +**Next: **[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)   diff --git a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md index 437e25bce5..17df17ac12 100644 --- a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md @@ -27,7 +27,7 @@ To complete these procedures, you must be a member of the Domain Administrators **To create a firewall rule that grants access to an isolated server running Windows Server 2008 or later** -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](75ccea22-f225-40be-94a9-d0b17170d4fe). You must edit the GPO that applies settings to servers in the isolated server zone. +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone. 2. In the navigation pane, right-click **Inbound Rules**, and then click **New Rule**. diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md index a6194dff0b..95639e5917 100644 --- a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md +++ b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md @@ -191,7 +191,7 @@ You might not find the exact answer for the issue, but you can find good hints. ## See also -- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security-overview-win8.md) +- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md)   diff --git a/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md index 5088fc9668..ccf6d3f7f8 100644 --- a/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -10,19 +10,19 @@ author: brianlic-msft Designing any deployment starts by performing several important tasks: -- [Identifying Your Windows Firewall with Advanced Security Design Goals](bba6fa3a-2318-4cb7-aa75-f2910d9c406d) +- [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) -- [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](39bb8fa5-4601-45ae-83c5-121d42f7f82c) +- [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) -- [Evaluating Windows Firewall with Advanced Security Design Examples](6da09290-8cda-4731-8fce-07fc030f9f4f) +- [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) After you identify your deployment goals and map them to a Windows Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: -- [Designing A Windows Firewall with Advanced Security Strategy](36230ca4-ee8d-4b2c-ab4f-5492b4400340) +- [Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) -- [Planning Your Windows Firewall with Advanced Security Design](6622d31d-a62c-4506-8cea-275bf42e755f) +- [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) -**Next:**[Identifying Your Windows Firewall with Advanced Security Design Goals](bba6fa3a-2318-4cb7-aa75-f2910d9c406d) +**Next:**[Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)   diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 1dd93d35df..05bbcfd63d 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -26,7 +26,7 @@ Windows PowerShell and netsh command references are at the following locations. ## Scope -This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security-overview-win8.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more information about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#bkmk-additionalresources) section of this guide. +This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more information about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#bkmk-additionalresources) section of this guide. ## Audience and user requirements diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md index cd839d055f..e191dcbf2b 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md @@ -12,7 +12,7 @@ Windows Firewall with Advanced Security in Windows Server 2012, Windows Server  The interface for Windows Firewall with Advanced Security is much more capable and flexible than the consumer-friendly interface found in the Windows Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel meets the needs for protecting a single computer in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. -For more overview information about Windows Firewall with Advanced Security and see [Windows Firewall with Advanced Security Overview](9ae80ae1-a693-48ed-917a-f03ea92b550d). +For more overview information about Windows Firewall with Advanced Security and see [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). ## About this guide @@ -132,7 +132,7 @@ The following table identifies and defines terms used throughout this guide.   -**Next:**[Understanding the Windows Firewall with Advanced Security Design Process](b9774295-8dd3-47e3-9f5a-7fa748ae9fba) +**Next:**[Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)   From 1e07e3ab8ebeeab71ec727801eee809fff8c1100 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 29 Apr 2016 09:27:12 -0700 Subject: [PATCH 05/26] fixing more links --- ...-windows-firewall-with-advanced-security-deployment-goals.md | 2 +- .../protect-computers-from-unwanted-network-traffic.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 1dbe198a85..8f50949a9a 100644 --- a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -52,7 +52,7 @@ The following table lists the three main tasks for articulating, refining, and s   -**Next:**[Protect Computers from Unwanted Network Traffic](fe94e9b8-c456-4343-af5f-5511b8047d29) +**Next:**[Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md)   diff --git a/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md b/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md index 4ce8c89c1d..5230ec4e6d 100644 --- a/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md +++ b/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md @@ -28,7 +28,7 @@ A host-based firewall helps secure a computer by dropping all network traffic th The following component is recommended for this deployment goal: -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources \[lhs\]](508b3d05-e9c9-4df9-bae4-750d4ad03302). +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). Other means of deploying a firewall policy are available, such as creating scripts that use the **netsh** command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations. From f268382871a30d36102aed6499cee6cce893c82f Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 27 May 2016 11:40:00 -0700 Subject: [PATCH 06/26] updating content --- windows/keep-secure/TOC.md | 4 +- ...k.md => isolating-apps-on-your-network.md} | 184 +++++------------- ...s-by-using-ikev2-in-windows-server-2012.md | 80 ++++---- ...-administration-with-windows-powershell.md | 174 +++++------------ ...windows-firewall-with-advanced-security.md | 147 ++------------ 5 files changed, 154 insertions(+), 435 deletions(-) rename windows/keep-secure/{isolating-windows-store-apps-on-your-network.md => isolating-apps-on-your-network.md} (59%) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index e64df92184..03655002f2 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -430,8 +430,8 @@ #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) ### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) -#### [Isolating Windows Store Apps on Your Network](isolating-windows-store-apps-on-your-network.md) -#### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md) +#### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) +#### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) #### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) #### [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) ##### [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) diff --git a/windows/keep-secure/isolating-windows-store-apps-on-your-network.md b/windows/keep-secure/isolating-apps-on-your-network.md similarity index 59% rename from windows/keep-secure/isolating-windows-store-apps-on-your-network.md rename to windows/keep-secure/isolating-apps-on-your-network.md index 8da591bc98..09367196c5 100644 --- a/windows/keep-secure/isolating-windows-store-apps-on-your-network.md +++ b/windows/keep-secure/isolating-apps-on-your-network.md @@ -1,18 +1,24 @@ --- title: Isolating Windows Store Apps on Your Network (Windows 10) description: Isolating Windows Store Apps on Your Network -ms.assetid: fee4cf1b-6dee-4911-a426-f678a70f4c6f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Isolating Windows Store Apps on Your Network +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -When you add new computers and devices that are running Windows 8 to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a computer running Windows 8, appropriate firewall rules are automatically created to enable access. Administrators can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. +When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access. -The ability to set and enforce these network boundaries ensures that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact on other apps, the computer, and the network. In addition, apps can be isolated and protected from malicious access from the network. +The ability to set and enforce these network boundaries ensures that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact on other apps, the device, and the network. In addition, apps can be isolated and protected from malicious access from the network. When creating new Windows Store apps, a developer can define the following network capabilities for their app: @@ -30,52 +36,46 @@ When creating new Windows Store apps, a developer can define the following netwo - **Proximity** - Provides near-field communication (NFC) with devices that are in close proximity to the computer. Proximity may be used to send files or connect with an application on a proximate device. + Provides near-field communication (NFC) with devices that are in close proximity to the device. Proximity may be used to send files or connect with an application on a proximate device. -**In this document** +**In this topic** To isolate Windows Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Windows Store app firewall rules. -- [Prerequisites](#bkmk-prereq) +- [Prerequisites](#prerequisites) -- [Step 1: Define your network](#bkmk-step1) +- [Step 1: Define your network](#step-1-Define-your-network) -- [Step 2: Create custom firewall rules](#bkmk-step2) +- [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules) ## Prerequisites +- A domain controller is installed on your network, and your devices are joined to the Windows domain. -- A domain controller is installed on your network, and your computers are joined to the Windows domain. +- Your Windows Store app is installed on the client device. -- Your Windows Store app is installed on your client computer. +- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Firewall rules. -- The Remote Server Administration Tools (RSAT) are installed on your client computer. When you perform the following steps from your client computer, you can select your Windows Store app when you create Windows Firewall rules. - - **Note**   - You can install the RSAT on your computer running Windows 8 from the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=238560). + >**Note:**  You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).   - -## Step 1: Define your network - +## Step 1: Define your network The **Home\\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Windows Store apps can access intranet resources appropriately. -The Windows Store Internet Explorer app that is included with Windows 8 uses the network capabilities to detect which zone it should use. The browser uses the network capabilities to ensure that it operates in the correct security zone. - A network endpoint is considered part of the **Home\\Work Network** if: - It is part of the local subnet of a trusted network. - For example, home users generally flag their network as Trusted. Local computers will be designated as such. + For example, home users generally flag their network as Trusted. Local devices will be designated as such. -- A computer is on a network, and it is authenticated to a domain controller. +- A device is on a network, and it is authenticated to a domain controller. - Endpoints within the intranet address space are considered private. - Endpoints within the local subnet are considered private. -- The computer is configured for DirectAccess, and the endpoint is part of the intranet address space. +- The device is configured for DirectAccess, and the endpoint is part of the intranet address space. The intranet address space is composed of configured Active Directory sites and subnets, and it is configured for Windows network isolation specifically by using Group Policy. You can disable the usage of Active Directory sites and subnets by using Group Policy by declaring that your subnet definitions are authoritative. @@ -109,113 +109,32 @@ All other endpoints that do not meet the previously stated criteria are consider If you want the proxy definitions that you previously created to be the single source for your proxy definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional proxies by using local settings or network isolation heuristics. -## Step 2: Create custom firewall rules - +## Step 2: Create custom firewall rules Windows Store apps can declare many capabilities in addition to the network capabilities discussed previously. For example, apps can declare capabilities to access user identity, the local file system, and certain hardware devices. The following table provides a complete list of the possible app capabilities. -
Deployment Goals[Basic Firewall Policy Design](../p_server_archive/basic-firewall-policy-design.md)[Domain Isolation Policy Design](../p_server_archive/domain-isolation-policy-design.md)[Server Isolation Policy Design](../p_server_archive/server-isolation-policy-design.md)[Certificate-based Isolation Policy Design](../p_server_archive/certificate-based-isolation-policy-design.md)[Basic Firewall Policy Design](basic-firewall-policy-design.md)[Domain Isolation Policy Design](domain-isolation-policy-design.md)[Server Isolation Policy Design](server-isolation-policy-design.md)[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)

[Protect Computers from Unwanted Network Traffic](../p_server_archive/protect-computers-from-unwanted-network-traffic.md)

[Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md)

Yes

Yes

Yes

Yes

[Restrict Access to Only Trusted Computers](../p_server_archive/restrict-access-to-only-trusted-computers.md)

[Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)

-

Yes

Yes

Yes

[Restrict Access to Only Specified Users or Computers](../p_server_archive/restrict-access-to-only-specified-users-or-computers.md)

[Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)

-

-

Yes

Yes

[Require Encryption When Accessing Sensitive Network Resources](../p_server_archive/require-encryption-when-accessing-sensitive-network-resources.md)

[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)

-

Optional

Optional

Deployment

[Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](../p_server_archive/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md) | [Isolating Windows Store Apps on Your Network](../p_server_archive/isolating-windows-store-apps-on-your-network.md) | [Windows Firewall with Advanced Security Administration with Windows PowerShell](../p_server_archive/windows-firewall-with-advanced-security-administration-with-windows-powershell.md)

[Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md) | [Isolating Windows Store Apps on Your Network](isolating-windows-store-apps-on-your-network.md) | [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)

Troubleshooting

Evaluate predefined Windows Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives.

Predefined deployment goals:

    -

  • [Protect Computers from Unwanted Network Traffic](fe94e9b8-c456-4343-af5f-5511b8047d29)

    • -

  • [Restrict Access to Only Trusted Computers](29805c5c-a8e4-4600-86b9-7abb9a068919)

    • -

  • [Require Encryption When Accessing Sensitive Network Resources](261bd90d-5a8a-4de1-98c7-6d07e5d81267)

    • -

  • [Restrict Access to Sensitive Resources to Only Specified Users or Computers](09cd6d03-c1ce-45ed-a894-d7f7aaa9b6f0)

    • +

  • [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md)

    • +

  • [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)

    • +

  • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)

    • +

  • [Restrict Access to Sensitive Resources to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)

Map one goal or a combination of the predefined deployment goals to an existing Windows Firewall with Advanced Security design.
    -

  • [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](39bb8fa5-4601-45ae-83c5-121d42f7f82c)

    • +

  • [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)

Based on the status of your current infrastructure, document your deployment goals for your Windows Firewall with Advanced Security design into a deployment plan.
    -

  • [Designing A Windows Firewall with Advanced Security Strategy](36230ca4-ee8d-4b2c-ab4f-5492b4400340)

    • -

  • [Planning Your Windows Firewall with Advanced Security Design](6622d31d-a62c-4506-8cea-275bf42e755f)

    • +

  • [Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)

    • +

  • [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
CapabilityNameDescription

Internet (Client)

internetClient

Your outgoing Internet connection.

Internet (Client & Server)

internetClientServer

Your Internet connection, including incoming unsolicited connections from the Internet The app can send information to or from your computer through a firewall. You do not need to declare internetClient if this capability is declared.

Home\Work Networking

privateNetworkClientServer

A home or work network. The app can send information to or from your computer and other computers on the same network.

Document Library Access

documentsLibrary

Your Documents library, including the capability to add, change, or delete files. The package can only access file types that are declared in the manifest. The app cannot access document libraries on HomeGroup computers.

Picture Library Access

picturesLibrary

Your Pictures library, including the capability to add, change, or delete files. This capability also includes Picture libraries on HomeGroup computers and picture file types on locally connected media servers.

Video Library Access

videosLibrary

Your Videos library, including the capability to add, change, or delete files. This capability also includes Video libraries on HomeGroup computers and video file types on locally connected media servers.

Music Library Access

musicLibrary

Your Music library, including the capability to add, change, or delete files. This capability also includes Music libraries on HomeGroup computers and music file types on locally connected media servers.

Default Windows Credentials

defaultWindowsCredentials

Your Windows credentials for access to a corporate intranet. This application can impersonate you on the network.

Removable Storage

removableStorage

A removable storage device, such as an external hard disk, USB flash drive, or MTP portable device, including the capability to add, change, or delete specific files. This package can only access file types that are declared in the manifest.

Shared User Certificates

sharedUserCertificates

Software and hardware certificates or a smart card, which the app uses to identify you. This capability can be used by an employer, a bank, or government services to identify you.

Location

location

Provides access to the user's current location.

Microphone

microphone

Provides access to the microphone's audio feed.

Near-field Proximity

proximity

Required for near-field communication (NFC) between devices in close proximity. NFC can be used to send files or connect with an app on a proximate device.

Text Messaging

sms

Provides access to computer text messaging functionality.

Webcam

webcam

Provides access to the webcam's video feed.

Other devices (represented by GUIDs)

<GUID>

Includes specialized devices and Windows Portable Devices.

+| Capability | Name | Description | +| - | - | - | +| **Internet (Client)** | internetClient | Your outgoing Internet connection.| +| **Internet (Client & Server)** | internetClientServer| Your Internet connection, including incoming unsolicited connections from the Internet The app can send information to or from your device through a firewall. You do not need to declare **internetClient** if this capability is declared. +| **Home\Work Networking** |privateNetworkClientServer| A home or work network. The app can send information to or from your device and other devices on the same network.| +| **Document Library Access**| documentsLibrary| Your Documents library, including the capability to add, change, or delete files. The package can only access file types that are declared in the manifest.| +| **Picture Library Access**| picturesLibrary| Your Pictures library, including the capability to add, change, or delete files.| +| **Video Library Access**| videosLibrary| Your Videos library, including the capability to add, change, or delete files.| +| **Music Library Access**| musicLibrary|Your Music library, including the capability to add, change, or delete files.| +| **Default Windows Credentials**| defaultWindowsCredentials| Your Windows credentials for access to a corporate intranet. This application can impersonate you on the network.| +| **Removable Storage** | removableStorage| A removable storage device, such as an external hard disk, USB flash drive, or MTP portable device, including the capability to add, change, or delete specific files. This package can only access file types that are declared in the manifest.| +| **Shared User Certificates**| sharedUserCertificates| Software and hardware certificates or a smart card, which the app uses to identify you. This capability can be used by an employer, a bank, or government services to identify you.| +| **Location**| location| Provides access to the user's current location.| +| **Microphone** | microphone| Provides access to the microphone's audio feed.| +| **Near-field Proximity** | proximity| Required for near-field communication (NFC) between devices in close proximity. NFC can be used to send files or connect with an app on a proximate device.| +| **Text Messaging** | sms| Provides access to text messaging functionality.| +| **Webcam** | webcam| Provides access to the webcam's video feed.| +| **Other devices (represented by GUIDs)** | <GUID>| Includes specialized devices and Windows Portable Devices.| -  - -In Windows Server 2012, it is possible to create a Windows Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app. +You can create a Windows Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app. For example, you could create a Windows Firewall policy to block Internet access for any apps on your network that have the Documents Library capability. @@ -255,16 +174,13 @@ For example, you could create a Windows Firewall policy to block Internet access 17. Click **Predefined set of computers**, select **Internet**, and click **OK**. - This scopes the rule to block traffic to Internet computers. + This scopes the rule to block traffic to Internet devices. 18. Click the **Programs and Services** tab, and in the **Application Packages** area, click **Settings**. 19. Click **Apply to application packages only**, and then click **OK**. - **Important**   - You must do this to ensure that the rule applies only to Windows Store apps and not to other applications and programs. Non-Windows Store applications and programs declare all capabilities by default, and this rule would apply to them if you do not configure it this way. - -   + >**Important:**  You must do this to ensure that the rule applies only to Windows Store apps and not to other apps. Desktop apps declare all capabilities by default, and this rule would apply to them if you do not configure it this way. 20. Click **OK** to close the **Properties** dialog box. @@ -328,16 +244,6 @@ Use the following procedure if you want to block intranet access for a specific 23. Close Group Policy Management. -## See also - +## See also - [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md) - -  - -  - - - - - diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md index 95639e5917..fa9c66bfb4 100644 --- a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md +++ b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md @@ -1,18 +1,22 @@ --- title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows 10) description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 -ms.assetid: 290d61e6-ec8c-48b9-8dcd-d0df6df24181 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 +# Securing End-to-End IPsec connections by using IKEv2 +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -In Windows Server 2012, Internet Key Exchange version 2 (IKEv2) support is broadened from previous Windows versions. +IKEv2 offers the following: -For example, in Windows Server 2012, IKEv2 does the following: - -- Supports additional scenarios, including IPsec end-to-end transport mode connections +- Supports IPsec end-to-end transport mode connections - Provides interoperability for Windows with other operating systems that use IKEv2 for end-to-end security @@ -24,30 +28,25 @@ For example, in Windows Server 2012, IKEv2 does the following: - Uses certificates for the authentication mechanism -In Windows Server 2008 R2, IKEv2 is available as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection. +You can use IKEv2 as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection. **In this document** -- [Prerequisites](#bkmk-prereqs) +- [Prerequisites](#prerequisites) -- [Computers joined to a domain](#bkmk-step1) +- [Devices joined to a domain](#devices-joined-to-a-domain) -- [Computers not joined to a domain](#bkmk-step2) +- [Device not joined to a domain](#devices-not-joined-to-a-domain) -- [Troubleshooting](#bkmk-troubleshooting) +- [Troubleshooting](#troubleshooting) -**Note**   -This topic includes sample Windows PowerShell cmdlets. For more information, see [How to Run a Windows PowerShell Cmdlet](http://go.microsoft.com/fwlink/p/?linkid=230693). - -  +>**Note:**  This topic includes sample Windows PowerShell cmdlets. For more info, see [How to Run a Windows PowerShell Cmdlet](http://go.microsoft.com/fwlink/p/?linkid=230693). ## Prerequisites +These procedures assume that you already have a public key infrastructure (PKI) in place for device authentication. -These procedures assume that you already have a public key infrastructure (PKI) in place for computer authentication. - -## Computers joined to a domain - +## Devices joined to a domain The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1. @@ -65,10 +64,7 @@ This script does the following: - Indicates the certificate to use for authentication. - **Important**   - The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. - -   + >**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. - Creates the IKEv2 connection security rule called **My IKEv2 Rule**. @@ -106,15 +102,11 @@ New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet -InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 -PolicyStore GPO:$gponame ``` -## Computers not joined to a domain +## Devices not joined to a domain +Use a Windows PowerShell script similar to the following to create a local IPsec policy on the devices that you want to include in the secure connection. -Use a Windows PowerShell script similar to the following to create a local IPsec policy on the computers that you want to include in the secure connection. - -**Important**   -The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. - -  +>**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. ![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** @@ -132,23 +124,18 @@ New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet Make sure that you install the required certificates on the participating computers. -**Note**   -- For local computers, you can import the certificates manually if you have administrator access to the computer. For more information, see [Import or export certificates and private keys](http://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys). - -- You need a root certificate and a computer certificate on all computers that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder. - -- For remote computers, you can create a secure website to facilitate access to the script and certificates. - -  - -## Troubleshooting +>**Note:**   +- For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](http://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys). +- You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder. +- For remote devices, you can create a secure website to facilitate access to the script and certificates. +## Troubleshooting Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: **Use the Windows Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.** -1. On the **Start** screen, type **wf.msc**, and then press ENTER. +1. Open the Windows Firewall with Advanced Security console. 2. In the left pane of the Windows Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule. @@ -179,19 +166,18 @@ Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: 6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file: ``` syntax - ERROR_IPSEC_IKE_NO_CERT - 32 + + ERROR_IPSEC_IKE_NO_CERT + 32 ``` - In this example, there are 32 instances of the **ERROR\_IPSEC\_IKE\_NO\_CERT** error. So now you can search for **ERROR\_IPSEC\_IKE\_NO\_CERT** to get more details regarding this error. You might not find the exact answer for the issue, but you can find good hints. For example, you might find that there seems to be an issue with the certificates, so you can look at your certificates and the related cmdlets for possible issues. -## See also +## See also - -- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md) +- [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)   diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 05bbcfd63d..23f9e3d1c0 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -1,21 +1,22 @@ --- title: Windows Firewall with Advanced Security Administration with Windows PowerShell (Windows 10) description: Windows Firewall with Advanced Security Administration with Windows PowerShell -ms.assetid: 3e1e53af-015e-427d-a027-c2e8ceee799d +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Windows Firewall with Advanced Security Administration with Windows PowerShell +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management in Windows Server 2012. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows. +The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows. -In Windows Server 2012 and Windows 8, administrators can use Windows PowerShell to manage their firewall and IPsec deployments. This object-oriented scripting environment will make it easier for administrators to manage policies and monitor network conditions than was possible in Netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in Netsh and how you can use Windows PowerShell to accomplish them. - -**Important**   -The netsh commands for Windows Firewall with Advanced Security have not changed since the previous operating system version. The netsh commands for Windows Firewall with Advanced Security in Windows Server 2012 are identical to the commands that are provided in Windows Server 2008 R2. - -  +You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them. In future versions of Windows, Microsoft might remove the netsh functionality for Windows Firewall with Advanced Security. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Firewall with Advanced Security. @@ -25,88 +26,30 @@ Windows PowerShell and netsh command references are at the following locations. ## Scope - -This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more information about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#bkmk-additionalresources) section of this guide. +This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#additional-resources) section of this guide. ## Audience and user requirements - This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you are familiar with Windows Firewall with Advanced Security, the Windows PowerShell language, and the basic concepts of Windows PowerShell. -## System requirements +## In this topic - -To run the scripts and scriptlets in this guide, install and configure your system as follows: - -- Windows Server 2012 - -- Windows PowerShell 3.0 (included in Windows Server 2012) - -- Windows NetSecurity Module for Windows PowerShell (included in Windows Server 2012) - -- Windows PowerShell ISE (optional feature in Windows PowerShell 3.0, which is installed by using Server Manager) - -**Note**   -In Windows PowerShell 3.0, modules are imported automatically when you get or use any cmdlet in the module. You can still use the **Import-Module** cmdlet to import a module. - -Use **Import-Module** if you are using Windows PowerShell 2.0, or if you need to use a feature of the module before you use any of its cmdlets. For more information, see [Import-Module](http://go.microsoft.com/fwlink/p/?linkid=141553). - -Use **Import-PSSnapIn** to use cmdlets in a Windows PowerShell snap-in, regardless of the version of Windows PowerShell that you are running. - -  - -## In this guide - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Set profile global defaults](#bkmk-profileglobaldefaults)

Enable and control firewall behavior

[Deploy basic firewall rules](#bkmk-deploying)

How to create, modify, and delete firewall rules

[Manage Remotely](#bkmk-remote)

Remote management by using -CimSession

[Deploy basic IPsec rule settings](#bkmk-deployingipsec)

IPsec rules and associated parameters

[Deploy secure firewall rules with IPsec](#bkmk-deploysecurerules)

Domain and server isolation

[Additional resources](#bkmk-additionalresources)

More information about Windows PowerShell

- -  +| Section | Description | +| - | - | +| [Set profile global defaults](#set-profile-global-defaults) | Enable and control firewall behavior| +| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules| +| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`| +| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters| +| [Deploy secure firewall rules with IPsec](#deploy-secure-firewall-rules-with-ipsec) | Domain and server isolation| +| [Additional resources](#additional-resources) | More information about Windows PowerShell| ## Set profile global defaults - -Global defaults set the system behavior in a per profile basis. Windows Firewall with Advanced Security supports Domain, Private, and Public profiles. +Global defaults set the device behavior in a per-profile basis. Windows Firewall with Advanced Security supports Domain, Private, and Public profiles. ### Enable Windows Firewall -Windows Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the computer. If you find that the rules you create are not being enforced, you may need to enable Windows Firewall. Here is how to do this on a local domain computer: +Windows Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create are not being enforced, you may need to enable Windows Firewall. Here is how to do this on a local domain device: **Netsh** @@ -114,9 +57,7 @@ Windows Firewall drops traffic that does not correspond to allowed unsolicited t netsh advfirewall set allprofiles state on ``` -Windows PowerShell - -The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. +**Windows PowerShell** ``` syntax Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True @@ -124,7 +65,7 @@ Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True ### Control firewall behavior -The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall with Advanced Security MMC snap-in. +The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall with Advanced Security console. The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. @@ -141,11 +82,9 @@ Windows PowerShell ``` syntax Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log - ``` -## Deploy basic firewall rules - +## Deploy basic firewall rules This section provides scriptlet examples for creating, modifying, and deleting firewall rules. @@ -153,7 +92,7 @@ This section provides scriptlet examples for creating, modifying, and deleting f Adding a firewall rule in Windows PowerShell looks a lot like it did in Netsh, but the parameters and values are specified differently. -Here is an example of how to allow the Telnet application to listen on the network. This firewall rule is scoped to the local subnet by using a keyword instead of an IP address. Just like in Netsh, the rule is created on the local computer, and it becomes effective immediately. +Here is an example of how to allow the Telnet application to listen on the network. This firewall rule is scoped to the local subnet by using a keyword instead of an IP address. Just like in Netsh, the rule is created on the local device, and it becomes effective immediately. **Netsh** @@ -202,7 +141,7 @@ Note that this does not batch your individual changes, it loads and saves the en ### Modify an existing firewall rule -When a rule is created, Netsh and Windows PowerShell allow the administrator to change rule properties and influence, but the rule maintains its unique identifier (in Windows PowerShell this is specified with the *-Name* parameter). +When a rule is created, Netsh and Windows PowerShell allow you to change rule properties and influence, but the rule maintains its unique identifier (in Windows PowerShell this is specified with the *-Name* parameter). For example, you could have a rule **Allow Web 80** that enables TCP port 80 for inbound unsolicited traffic. You can change the rule to match a different remote IP address of a Web server whose traffic will be allowed by specifying the human-readable, localized name of the rule. @@ -287,7 +226,7 @@ Enable-NetFirewallRule -DisplayGroup “Windows Firewall Remote Management” -V ### Delete a firewall rule -Rule objects can be disabled so that they are no longer active. In Windows PowerShell, the **Disable-NetFirewallRule** cmdlet will leave the rule on the system, but put it in a disabled state so the rule no longer is applied and impacts traffic. A disabled firewall rule can be re-enabled by **Enable-NetFirewallRule**. This is different from the **Remove-NetFirewallRule**, which permanently removes the rule definition from the system. +Rule objects can be disabled so that they are no longer active. In Windows PowerShell, the **Disable-NetFirewallRule** cmdlet will leave the rule on the system, but put it in a disabled state so the rule no longer is applied and impacts traffic. A disabled firewall rule can be re-enabled by **Enable-NetFirewallRule**. This is different from the **Remove-NetFirewallRule**, which permanently removes the rule definition from the device. The following cmdlet deletes the specified existing firewall rule from the local policy store. @@ -303,7 +242,7 @@ Windows PowerShell Remove-NetFirewallRule –DisplayName “Allow Web 80” ``` -Like with other cmdlets, you can also query for rules to be removed. Here, all blocking firewall rules are deleted from the system. +Like with other cmdlets, you can also query for rules to be removed. Here, all blocking firewall rules are deleted from the device. Windows PowerShell @@ -311,7 +250,7 @@ Windows PowerShell Remove-NetFirewallRule –Action Block ``` -Note that it may be safer to query the rules with the **Get** command and save it in a variable, observe the rules to be affected, then pipe them to the **Remove** command, just as we did for the **Set** commands. The following example shows how the administrator can view all the blocking firewall rules, and then delete the first four rules. +Note that it may be safer to query the rules with the **Get** command and save it in a variable, observe the rules to be affected, then pipe them to the **Remove** command, just as we did for the **Set** commands. The following example shows how you can view all the blocking firewall rules, and then delete the first four rules. Windows PowerShell @@ -321,34 +260,32 @@ $x $x[0-3] | Remove-NetFirewallRule ``` -## Manage remotely +## Manage remotely +Remote management using WinRM is enabled by default. The cmdlets that support the *CimSession* parameter use WinRM and can be managed remotely by default. -Remote management using WinRM is enabled by default on Windows Server 2012. The cmdlets that support the *CimSession* parameter use WinRM and can be managed remotely by default. This is important because the default and recommended installation mode for Windows Server 2012 is Server Core which does not include a graphical user interface. - -The following example returns all firewall rules of the persistent store on a computer named **RemoteComputer**. +The following example returns all firewall rules of the persistent store on a device named **RemoteDevice**. Windows PowerShell ``` syntax -Get-NetFirewallRule –CimSession RemoteComputer +Get-NetFirewallRule –CimSession RemoteDevice ``` -We can perform any modifications or view rules on remote computers by simply using the *–CimSession* parameter. Here we remove a specific firewall rule from a remote computer. +We can perform any modifications or view rules on remote devices by simply using the *–CimSession* parameter. Here we remove a specific firewall rule from a remote device. Windows PowerShell ``` syntax -$RemoteSession = New-CimSession –ComputerName RemoteComputer +$RemoteSession = New-CimSession –ComputerName RemoteDevice Remove-NetFirewallRule –DisplayName “AllowWeb80” –CimSession $RemoteSession -Confirm ``` -## Deploy basic IPsec rule settings +## Deploy basic IPsec rule settings +An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. -An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. For more information about IPsec, see [Windows Firewall with Advanced Security Learning Roadmap](http://technet.microsoft.com/library/dd772715(WS.10).aspx). - -Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Firewall with Advanced Security MMC snap-in. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility. +Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility. In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples. @@ -356,7 +293,7 @@ In Netsh, the authentication and cryptographic sets were specified as a list of ### Create IPsec rules -The following cmdlet creates basic IPsec transport mode rule in a Group Policy Object. An IPsec rule is simple to create; all that is required is the display name, and the remaining properties use default values. Inbound traffic is authenticated and integrity checked using the default quick mode and main mode settings. These default settings can be found in the MMC snap-in under Customize IPsec Defaults. +The following cmdlet creates basic IPsec transport mode rule in a Group Policy Object. An IPsec rule is simple to create; all that is required is the display name, and the remaining properties use default values. Inbound traffic is authenticated and integrity checked using the default quick mode and main mode settings. These default settings can be found in the console under Customize IPsec Defaults. **Netsh** @@ -408,7 +345,7 @@ Windows PowerShell New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway ``` -For more information about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md). +For more info about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2](securing-end-to-end-ipsec-connections-by-using-ikev2.md). ### Copy an IPsec rule from one policy to another @@ -428,8 +365,6 @@ $Rule | Copy-NetPhase1AuthSet –NewPolicyStore domain.costoso.com\new_gpo_name ### Handling Windows PowerShell errors -**** - To handle errors in your Windows PowerShell scripts, you can use the *–ErrorAction* parameter. This is especially useful with the **Remove** cmdlets. If you want to remove a particular rule, you will notice that it fails if the rule is not found. When removing rules, if the rule isn’t already there, it is generally acceptable to ignore that error. In this case, you can do the following to suppress any “rule not found” errors during the remove operation. Windows PowerShell @@ -488,7 +423,7 @@ Windows PowerShell Show-NetIPsecRule –PolicyStore ActiveStore ``` -You can monitor main mode security associations for information such as which peers are currently connected to the computer and which protection suite is used to form the security associations. +You can monitor main mode security associations for information such as which peers are currently connected to the device and which protection suite is used to form the security associations. Use the following cmdlet to view existing main mode rules and their security associations: @@ -520,9 +455,9 @@ It is important to note that the revealed sources do not contain a domain name. ### Deploy a basic domain isolation policy -IPsec can be used to isolate domain members from non-domain members. Domain isolation uses IPsec authentication to require that the domain computer members positively establish the identities of the communicating computers to improve security of an organization. One or more features of IPsec can be used to secure traffic with an IPsec rule object. +IPsec can be used to isolate domain members from non-domain members. Domain isolation uses IPsec authentication to require that the domain-joined devices positively establish the identities of the communicating devices to improve security of an organization. One or more features of IPsec can be used to secure traffic with an IPsec rule object. -To implement domain isolation on your network, the computers in the domain receive IPsec rules that block unsolicited inbound network traffic that is not protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this, you can isolate domain member computers from computers that are non-domain members. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic. +To implement domain isolation on your network, the devices in the domain receive IPsec rules that block unsolicited inbound network traffic that is not protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this, you can isolate domain-joined devices from devices that are not joined to a domain. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic. **Netsh** @@ -535,15 +470,13 @@ Windows PowerShell ``` syntax $kerbprop = New-NetIPsecAuthProposal –Machine –Kerberos - $Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop –PolicyStore domain.contoso.com\domain_isolation - New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile Domain –Phase1AuthSet $Phase1AuthSet.Name –InboundSecurity Require –OutboundSecurity Request –PolicyStore domain.contoso.com\domain_isolation ``` ### Configure IPsec tunnel mode -The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local computer (1.1.1.1) attached to a public network to a second computer through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it is encrypted by using ESP/DES3. +The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local device (1.1.1.1) attached to a public network to a second device through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it is encrypted by using ESP/DES3. **Netsh** @@ -559,8 +492,7 @@ $QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “esp:sha1-des3” New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name ``` -## Deploy secure firewall rules with IPsec - +## Deploy secure firewall rules with IPsec In situations where only secure traffic can be allowed through the Windows Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment. @@ -568,7 +500,7 @@ In situations where only secure traffic can be allowed through the Windows Firew Configuring firewalls rule to allow connections if they are secure requires the corresponding traffic to be authenticated and integrity protected, and then optionally encrypted by IPsec. -The following example creates a firewall rule that requires traffic to be authenticated. The command permits inbound Telnet network traffic only if the connection from the remote computer is authenticated by using a separate IPsec rule. +The following example creates a firewall rule that requires traffic to be authenticated. The command permits inbound Telnet network traffic only if the connection from the remote device is authenticated by using a separate IPsec rule. **Netsh** @@ -605,15 +537,15 @@ New-NetIPSecRule -DisplayName “Authenticate Both Computer and User” -Inbound ### Isolate a server by requiring encryption and group membership -To improve the security of the computers in an organization, an administrator can deploy domain isolation in which domain-members are restricted. They require authentication when communicating among each other and reject non-authenticated inbound connections. To improve the security of servers with sensitive data, this data must be protected by allowing access only to a subset of computers within the enterprise domain. +To improve the security of the devices in an organization, you can deploy domain isolation in which domain-members are restricted. They require authentication when communicating among each other and reject non-authenticated inbound connections. To improve the security of servers with sensitive data, this data must be protected by allowing access only to a subset of devices within the enterprise domain. -IPsec can provide this additional layer of protection by isolating the server. In server isolation, sensitive data access is restricted to users and computers with legitimate business need, and the data is additionally encrypted to prevent eavesdropping. +IPsec can provide this additional layer of protection by isolating the server. In server isolation, sensitive data access is restricted to users and devices with legitimate business need, and the data is additionally encrypted to prevent eavesdropping. ### Create a firewall rule that requires group membership and encryption -To deploy server isolation, we layer a firewall rule that restricts traffic to authorized users or computers on the IPsec rule that enforces authentication. +To deploy server isolation, we layer a firewall rule that restricts traffic to authorized users or devices on the IPsec rule that enforces authentication. -The following firewall rule allows Telnet traffic from user accounts that are members of a custom group created by an administrator called “Authorized to Access Server.” This access can additionally be restricted based on the computer, user, or both by specifying the restriction parameters. +The following firewall rule allows Telnet traffic from user accounts that are members of a custom group called “Authorized to Access Server.” This access can additionally be restricted based on the device, user, or both by specifying the restriction parameters. A Security Descriptor Definition Language (SDDL) string is created by extending a user or group’s security identifier (SID). For more information about finding a group’s SID, see: [Finding the SID for a group account](http://technet.microsoft.com/library/cc753463(WS.10).aspx#bkmk_FINDSID). @@ -670,9 +602,9 @@ Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGr ### Create firewall rules that allow IPsec-protected network traffic (authenticated bypass) -Authenticated bypass allows traffic from a specified trusted computer or user to override firewall block rules. This is helpful when an administrator wants to use scanning servers to monitor and update computers without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](http://technet.microsoft.com/library/cc753463(WS.10).aspx). +Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](http://technet.microsoft.com/library/cc753463(WS.10).aspx). -In this example, we assume that a blocking firewall rule exists. This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a computer or user account that is a member of the specified computer or user security group. +In this example, we assume that a blocking firewall rule exists. This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a device or user account that is a member of the specified device or user security group. **Netsh** @@ -687,7 +619,7 @@ Windows PowerShell New-NetFirewallRule –DisplayName “Inbound Secure Bypass Rule" –Direction Inbound –Authentication Required –OverrideBlockRules $true -RemoteMachine $secureMachineGroup –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\domain_isolation ``` -## Additional resources +## Additional resources For more information about Windows PowerShell concepts, see the following topics. diff --git a/windows/keep-secure/windows-firewall-with-advanced-security.md b/windows/keep-secure/windows-firewall-with-advanced-security.md index 199b30568c..3adc42213a 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security.md @@ -1,147 +1,42 @@ --- title: Windows Firewall with Advanced Security Overview (Windows 10) description: Windows Firewall with Advanced Security Overview -ms.assetid: 596d4c24-4984-4c14-b104-e2c4c7d0b108 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Windows Firewall with Advanced Security Overview +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features in Windows Server 2012. +This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. -**Did you mean…** +## Feature description -- [Windows Firewall with Advanced Security in Windows Server 2008 R2](http://technet.microsoft.com/library/cc732283(WS.10).aspx) +Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your network’s isolation strategy. -## Feature description - - -Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a computer, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local computer. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the computer is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your network’s isolation strategy. - -## Practical applications +## Practical applications To help address your organizational network security challenges, Windows Firewall with Advanced Security offers the following benefits: -- **Reduces the risk of network security threats.**  Windows Firewall with Advanced Security reduces the attack surface of a computer, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a computer increases manageability and decreases the likelihood of a successful attack. Network Access Protection (NAP), a feature of Windows Server 2012, also helps ensure client computers comply with policies that define the required software and system configurations for computers that connect to your network. The integration of NAP helps prevent communications between compliant and noncompliant computers. +- **Reduces the risk of network security threats.**  Windows Firewall with Advanced Security reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. - **Safeguards sensitive data and intellectual property.**  With its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. -- **Extends the value of existing investments.**  Because Windows Firewall with Advanced Security is a host-based firewall that is included with Windows Server 2012, and prior Windows operating systems and because it is tightly integrated with Active Directory® Domain Services (AD DS) and Group Policy, there is no additional hardware or software required. Windows Firewall with Advanced Security is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). - -## New and changed functionality - - -The following table lists some of the new features for Windows Firewall with Advanced Security in Windows Server 2012. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
Feature/functionalityWindows Server 2008 R2Windows Server 2012

Internet Key Exchange version 2 (IKEv2) for IPsec transport mode

X

Windows Store app network isolation

X

Windows PowerShell cmdlets for Windows Firewall

X

- -  - -### IKEv2 for IPsec transport mode - -In Windows Server 2012, IKEv2 supports additional scenarios including IPsec end-to-end transport mode connections. - -**What value does this change add?** - -Windows Server 2012 IKEv2 support provides interoperability for Windows with other operating systems using IKEv2 for end-to-end security, and Supports Suite B (RFC 4869) requirements. - -**What works differently?** - -In Windows Server 2008 R2, IKEv2 is available as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection. - -In Windows Server 2012, IKEv2 support has been expanded. - -### Windows Store app network isolation - -Administrators can custom configure Windows Firewall to fine tune network access if they desire more control of their Windows Store apps. - -**What value does this change add?** - -The feature adds the ability to set and enforce network boundaries ensure that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact to other apps, the system, and the network. In addition, apps can be isolated and protected from malicious access from the network. - -**What works differently?** - -In addition to firewall rules that you can create for program and services, you can also create firewall rules for Windows Store apps and their various capabilities. - -### Windows PowerShell cmdlets for Windows Firewall - -Windows PowerShell has extensive cmdlets to allow Windows Firewall configuration and management. - -**What value does this change add?** - -You can now fully configure and manage Windows Firewall, IPsec, and related features using the very powerful and scriptable Windows PowerShell. - -**What works differently?** - -In previous Windows versions, you could use Netsh to perform many configuration and management functions. This capability has been greatly expanded using the more powerful Windows PowerShell scripting language. - -## See also - - -See the following topics for more information about Windows Firewall with Advanced Security in Windows Server 2012. - - ---- - - - - - - - - - - - - - - - - -
Content typeReferences

Deployment

[Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md) | [Isolating Windows Store Apps on Your Network](isolating-windows-store-apps-on-your-network.md) | [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)

Troubleshooting

[Troubleshooting Windows Firewall with Advanced Security in Windows Server 2012](http://social.technet.microsoft.com/wiki/contents/articles/13894.troubleshooting-windows-firewall-with-advanced-security-in-windows-server-2012.aspx)

- -  - -  - -  - - - +- **Extends the value of existing investments.**  Because Windows Firewall with Advanced Security is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall with Advanced Security is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). +## In this section +| Topic | Description +| - | - | +| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Firewall configuration to isolate the network access of Windows Store apps that run on devices. | +| [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. | +| [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Firewall. | +| [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Firewall with Advanced Security. | +| [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Firewall with Advanced Security. | From d2511fbe4131aa720eb1a953210fc934b35e5626 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 27 May 2016 15:34:36 -0700 Subject: [PATCH 07/26] updating for Windows 10 --- ...with-advanced-security-deployment-goals.md | 19 ++- ...l-with-advanced-security-design-process.md | 17 +-- ...all-with-advanced-security-design-guide.md | 139 ++++++------------ 3 files changed, 61 insertions(+), 114 deletions(-) diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 8f50949a9a..85363b9abe 100644 --- a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -2,11 +2,19 @@ title: Identifying Your Windows Firewall with Advanced Security Deployment Goals (Windows 10) description: Identifying Your Windows Firewall with Advanced Security Deployment Goals ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security + author: brianlic-msft --- # Identifying Your Windows Firewall with Advanced Security Deployment Goals +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios. @@ -52,13 +60,4 @@ The following table lists the three main tasks for articulating, refining, and s   -**Next:**[Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md) - -  - -  - - - - - +**Next:** [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md) diff --git a/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md index ccf6d3f7f8..82f6355c8a 100644 --- a/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/keep-secure/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -1,13 +1,15 @@ --- title: Understanding the Windows Firewall with Advanced Security Design Process (Windows 10) description: Understanding the Windows Firewall with Advanced Security Design Process -ms.assetid: ab7db2bf-38c8-48eb-82e0-3d284055e7bb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Understanding the Windows Firewall with Advanced Security Design Process - Designing any deployment starts by performing several important tasks: - [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) @@ -22,13 +24,4 @@ After you identify your deployment goals and map them to a Windows Firewall with - [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) -**Next:**[Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) - -  - -  - - - - - +**Next:** [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md index e191dcbf2b..acc229bd6a 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.md @@ -2,42 +2,48 @@ title: Windows Firewall with Advanced Security Design Guide (Windows 10) description: Windows Firewall with Advanced Security Design Guide ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Windows Firewall with Advanced Security Design Guide +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Windows Firewall with Advanced Security in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista is a host firewall that helps secure the computer in two ways. First, it can filter the network traffic permitted to enter the computer from the network, and also control what network traffic the computer is allowed to send to the network. Second, Windows Firewall with Advanced Security supports IPsec, which enables you to require authentication from any computer that is attempting to communicate with your computer. When authentication is required, computers that cannot authenticate cannot communicate with your computer. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between computers. +Windows Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Firewall with Advanced Security supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. -The interface for Windows Firewall with Advanced Security is much more capable and flexible than the consumer-friendly interface found in the Windows Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel meets the needs for protecting a single computer in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. +The interface for Windows Firewall with Advanced Security is much more capable and flexible than the consumer-friendly interface found in the Windows Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel meets the needs for protecting a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. -For more overview information about Windows Firewall with Advanced Security and see [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). +For more overview information about Windows Firewall with Advanced Security and see [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md). ## About this guide - This guide provides recommendations to help you to choose or create a design for deploying Windows Firewall with Advanced Security in your enterprise environment. The guide describes some of the common goals for using Windows Firewall with Advanced Security, and then helps you map the goals that apply to your scenario to the designs that are presented in this guide. This guide is intended for the IT professional who has been assigned the task of deploying firewall and IPsec technologies on an organization's network to help meet the organization's security goals. Windows Firewall with Advanced Security should be part of a comprehensive security solution that implements a variety of security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules. -To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Firewall with Advanced Security, and how to deliver configuration settings to your managed computers by using Group Policy in Active Directory. +To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Firewall with Advanced Security, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory. You can use the deployment goals to form one of these Windows Firewall with Advanced Security designs, or a custom design that combines elements from those presented here: -- **Basic firewall policy design**. Restricts network traffic in and out of your computers to only that which is needed and authorized. +- **Basic firewall policy design**. Restricts network traffic in and out of your devices to only that which is needed and authorized. -- **Domain isolation policy design**. Prevents computers that are domain members from receiving unsolicited network traffic from computers that are not domain members. Additional "zones" can be established to support the special requirements of some computers, such as: +- **Domain isolation policy design**. Prevents devices that are domain members from receiving unsolicited network traffic from devices that are not domain members. Additional "zones" can be established to support the special requirements of some devices, such as: - - A "boundary zone" for computers that must be able to receive requests from non-isolated computers. + - A "boundary zone" for devices that must be able to receive requests from non-isolated devices. - - An "encryption zone" for computers that store sensitive data that must be protected during network transmission. + - An "encryption zone" for devices that store sensitive data that must be protected during network transmission. -- **Server isolation policy design**. Restricts access to a server to only a limited group of authorized users and computers. Commonly configured as a zone in a domain isolation design, but can also be configured as a stand-alone design, providing many of the benefits of domain isolation to a small set of computers. +- **Server isolation policy design**. Restricts access to a server to only a limited group of authorized users and devices. Commonly configured as a zone in a domain isolation design, but can also be configured as a stand-alone design, providing many of the benefits of domain isolation to a small set of devices. -- **Certificate-based isolation policy design**. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the Kerberos V5 authentication used by default in Active Directory. This enables computers that are not part of an Active Directory domain, such as computers running operating systems other than Windows, to participate in your isolation solution. +- **Certificate-based isolation policy design**. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the Kerberos V5 authentication used by default in Active Directory. This enables devices that are not part of an Active Directory domain, such as devices running operating systems other than Windows, to participate in your isolation solution. In addition to descriptions and example for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Firewall with Advanced Security using the guidance in the Windows Firewall with Advanced Security Deployment Guide. @@ -47,92 +53,41 @@ You can find the Windows Firewall with Advanced Security Deployment Guide at the - (Downloadable Word document) -## Terminology used in this guide +## In this section +| Topic | Description +| - | - | +| [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Firewall with Advanced Security design process. | +| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Firewall with Advanced Security deployment goals. | +| [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. | +| [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) | Learn how to use Windows Firewall with Advanced Security to improve the security of the computers connected to the network. | +| [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. | +| [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. | +| [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) | You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). | + +## Terminology used in this guide The following table identifies and defines terms used throughout this guide. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TermDefinition

Active Directory domain

A group of computers and users managed by an administrator by using Active Directory Domain Services (AD DS). Computers in a domain share a common directory database and security policies. Multiple domains can co-exist in a "forest," with trust relationships that establish the forest as the security boundary.

Authentication

A process that enables the sender of a message to prove its identity to the receiver. For connection security in Windows, authentication is implemented by the IPsec protocol suite.

Boundary zone

A subset of the computers in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from computers that are not members of the isolated domain. Computers in the boundary zone request but do not require authentication. They use IPsec to communicate with other computers in the isolated domain.

Connection security rule

A rule in Windows Firewall with Advanced Security that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an IPsec rule.

Certificate-based isolation

A way to add computers that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every computer in the isolated domain and the computers that cannot use Kerberos V5 are provided with a computer certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).

Domain isolation

A technique for helping protect the computers in an organization by requiring that the computers authenticate each other's identity before exchanging information, and refusing connection requests from computers that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.

Encryption zone

A subset of the computers in an isolated domain that process sensitive data. Computers that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Computers that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.

Firewall rule

A rule in Windows Firewall with Advanced Security that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.

-

By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic.

Internet Protocol security (IPsec)

A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).

IPsec policy

A collection of connection security rules that provide the required protection to network traffic entering and leaving the computer. The protection includes authentication of both the sending and receiving computer, integrity protection of the network traffic exchanged between them, and can include encryption.

Isolated domain

An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member computers by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).

-

In this guide, the term isolated domain refers to the IPsec concept of a group of computers that can share authentication. The term Active Directory domain refers to the group of computers that share a security database by using Active Directory.

Server isolation

A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The additional protection comes from using the authentication credentials of the requesting computer to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.

Solicited network traffic

Network traffic that is sent in response to a request. By default, Windows Firewall with Advanced Security allows all solicited network traffic through.

Unsolicited network traffic

Network traffic that is not a response to an earlier request, and that the receiving computer cannot necessarily anticipate. By default, Windows Firewall with Advanced Security blocks all unsolicited network traffic.

Zone

A zone is a logical grouping of computers that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted computers. The encryption zone requires that all connections be encrypted.

-

This is not related to the term zone as used by Domain Name System (DNS).

+| Term | Definition | +| - | - | +| Active Directory domain | A group of devices and users managed by an administrator by using Active Directory Domain Services (AD DS). Devices in a domain share a common directory database and security policies. Multiple domains can co-exist in a "forest," with trust relationships that establish the forest as the security boundary. | +| Authentication | A process that enables the sender of a message to prove its identity to the receiver. For connection security in Windows, authentication is implemented by the IPsec protocol suite.| +| Boundary zone | A subset of the devices in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from devices that are not members of the isolated domain. Devices in the boundary zone request but do not require authentication. They use IPsec to communicate with other devices in the isolated domain.| +| Connection security rule | A rule in Windows Firewall with Advanced Security that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an *IPsec rule*.| +| Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).| +| Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.| +| Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.| +| Firewall rule | A rule in Windows Firewall with Advanced Security that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | +| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).| +| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.| +| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.| +| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The additional protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.| +| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Firewall with Advanced Security allows all solicited network traffic through.| +| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Firewall with Advanced Security blocks all unsolicited network traffic. | +| Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
This is not related to the term zone as used by Domain Name System (DNS). | -  - -**Next:**[Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) +**Next:** [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)   From 5ae8ba3d2574a546d6558d1fa4082864af594ca9 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 1 Jun 2016 16:45:14 -0700 Subject: [PATCH 08/26] updating for Windows 10 --- windows/keep-secure/TOC.md | 4 +- .../basic-firewall-policy-design.md | 54 +++-- ...e-based-isolation-policy-design-example.md | 42 ++-- ...rtificate-based-isolation-policy-design.md | 30 ++- ...irewall-with-advanced-security-strategy.md | 45 ++--- .../domain-isolation-policy-design-example.md | 43 ++-- .../domain-isolation-policy-design.md | 53 +++-- ...-with-advanced-security-design-examples.md | 17 +- .../firewall-policy-design-example.md | 72 ++++--- ...-about-your-active-directory-deployment.md | 30 ++- ...hering-information-about-your-computers.md | 58 ------ ...out-your-current-network-infrastructure.md | 45 ++--- .../gathering-other-relevant-information.md | 52 ++--- .../gathering-the-information-you-need.md | 20 +- ...with-advanced-security-deployment-goals.md | 3 - ...-firewall-with-advanced-security-design.md | 77 ++----- ...computers-from-unwanted-network-traffic.md | 44 ---- ...n-accessing-sensitive-network-resources.md | 32 ++- ...ss-to-only-specified-users-or-computers.md | 46 ----- ...strict-access-to-only-trusted-computers.md | 59 ------ ...s-by-using-ikev2-in-windows-server-2012.md | 189 ------------------ .../server-isolation-policy-design-example.md | 62 +++--- .../server-isolation-policy-design.md | 37 ++-- 23 files changed, 287 insertions(+), 827 deletions(-) delete mode 100644 windows/keep-secure/gathering-information-about-your-computers.md delete mode 100644 windows/keep-secure/protect-computers-from-unwanted-network-traffic.md delete mode 100644 windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md delete mode 100644 windows/keep-secure/restrict-access-to-only-trusted-computers.md delete mode 100644 windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 03655002f2..89aee60958 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -436,8 +436,8 @@ #### [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) ##### [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) ##### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) -###### [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md) -###### [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md) +###### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) +###### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) ###### [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md) ###### [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md) ##### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) diff --git a/windows/keep-secure/basic-firewall-policy-design.md b/windows/keep-secure/basic-firewall-policy-design.md index d5020e47c8..3863b0cf74 100644 --- a/windows/keep-secure/basic-firewall-policy-design.md +++ b/windows/keep-secure/basic-firewall-policy-design.md @@ -2,57 +2,58 @@ title: Basic Firewall Policy Design (Windows 10) description: Basic Firewall Policy Design ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Basic Firewall Policy Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each computer in the organization. +Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization. -The Basic Firewall Policy Design helps you to protect the computers in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each computer in your organization to allow traffic that is required by the programs that are used. Traffic that does not match the rules is dropped. +The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that does not match the rules is dropped. -Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the computer that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted. +Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the device that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted. Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy: -- On client computers, the default firewall behavior already supports typical client programs. Programs designed for Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another computer. +- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device. - When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you. - For example, when you install a server role in Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008, the appropriate firewall rules are created and enabled automatically. + For example, when you install a server role, the appropriate firewall rules are created and enabled automatically. -- For other standard network behavior, the predefined rules that are built into Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can easily be configured in a GPO and deployed to the computers in your organization. +- For other standard network behavior, the predefined rules that are built into Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can easily be configured in a GPO and deployed to the devices in your organization. For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. -With few exceptions, the firewall can be enabled on all configurations of Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista. Therefore, we recommended that you enable the firewall on every computer in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network. +With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network. -**Caution**   -**Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft**. +>**Caution:**  Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. -By default, in new installations, Windows Firewall is turned on in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista. +By default, in new installations, Windows Firewall is turned on in Windows Server 2012, Windows 8, and later. -If you turn off the Windows Firewall with Advanced Security service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. For more information about Windows Service Hardening, see . +If you turn off the Windows Firewall with Advanced Security service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. -Third-party firewall software that is compatible with Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft. - -  +Compatible third-party firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft.  An organization typically uses this design as a first step toward a more comprehensive Windows Firewall with Advanced Security design that adds server isolation and domain isolation. -After implementing this design, your administrative team will have centralized management of the firewall rules applied to all computers that are running Windows in your organization. +After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization. -**Important**   -If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design. +>**Important:**  If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design. -  - -The basic firewall design can be applied to computers that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules. +The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules. For more information about this design: -- This design coincides with the deployment goal to [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md). +- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md). - To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md). @@ -60,15 +61,6 @@ For more information about this design: - To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md). -- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see "Checklist: Implementing a Basic Firewall Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=98308) at http://go.microsoft.com/fwlink/?linkid=98308. +- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md). **Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md) - -  - -  - - - - - diff --git a/windows/keep-secure/certificate-based-isolation-policy-design-example.md b/windows/keep-secure/certificate-based-isolation-policy-design-example.md index 2a59f16587..8b5e59db2e 100644 --- a/windows/keep-secure/certificate-based-isolation-policy-design-example.md +++ b/windows/keep-secure/certificate-based-isolation-policy-design-example.md @@ -2,55 +2,51 @@ title: Certificate-based Isolation Policy Design Example (Windows 10) description: Certificate-based Isolation Policy Design Example ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Certificate-based Isolation Policy Design Example +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). -One of the servers that must be included in the domain isolation environment is a computer running UNIX that supplies other information to the WGBank dashboard program running on the client computers. This computer sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the computers that receive this information. +One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the devices that receive this information. ## Design requirements +One possible solution to this is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows device even though it cannot authenticate. -One possible solution to this is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows computer even though it cannot authenticate. +A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows device in the domain isolation design. Because it cannot join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically-protected documents, encrypted in such a way that their origin can be positively confirmed. -A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows computer in the domain isolation design. Because it cannot join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically-protected documents, encrypted in such a way that their origin can be positively confirmed. - -In this case, Woodgrove Bank used Microsoft Certificate Services, included with Windows Server 2008, to create the appropriate certificate. They might also have acquired and installed a certificate from a third-party commercial certification authority. They then used Group Policy to deploy the certificate to the front-end servers. The GPOs applied to the front-end servers also include updated connection security rules that permit certificate-based authentication in addition to Kerberos V5 authentication. They then manually installed the certificate on the UNIX server. +In this case, Woodgrove Bank used Active Directory Certificate Services to create the appropriate certificate. They might also have acquired and installed a certificate from a third-party commercial certification authority. They then used Group Policy to deploy the certificate to the front-end servers. The GPOs applied to the front-end servers also include updated connection security rules that permit certificate-based authentication in addition to Kerberos V5 authentication. They then manually installed the certificate on the UNIX server. The UNIX server is configured with firewall and IPsec connection security rules using the tools that are provided by the operating system vendor. Those rules specify that authentication is performed by using the certificate. -The creation of the IPsec connection security rules for a non-Windows computer is beyond the scope of this document, but support for a certificate that can be used to authenticate such a non-Windows computer by using the standard IPsec protocols is the subject of this design. +The creation of the IPsec connection security rules for a non-Windows device is beyond the scope of this document, but support for a certificate that can be used to authenticate such a non-Windows device by using the standard IPsec protocols is the subject of this design. -The non-Windows computer can be effectively made a member of the boundary zone or the encryption zone based on the IPsec rules applied to the computer. The only constraint is that the main mode and quick mode encryption algorithms supported by the UNIX computer must also be supported by the Windows-based computers with which it communicates. +The non-Windows device can be effectively made a member of the boundary zone or the encryption zone based on the IPsec rules applied to the device. The only constraint is that the main mode and quick mode encryption algorithms supported by the UNIX device must also be supported by the Windows-based devices with which it communicates. **Other traffic notes:** -- None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows computer. +- None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows device. ## Design details +Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices in their organization. -Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the computers in their organization. +The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. This does not require including new rules, just adding certificate-based authentication as an option to the existing rules. -The inclusion of one or more non-Windows computers to the network requires only a simple addition to the GPOs for computers that must communicate with the non-Windows computer. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. This does not require including new rules, just adding certificate-based authentication as an option to the existing rules. +When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because the majority of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type. -When multiple authentication methods are available, two negotiating computers agree on the first one in their lists that match. Because the majority of the computers in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type. +By using the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member. -By using the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the computer accounts to this group for Windows computers that need to communicate with the non-Windows computers. If all the computers in the isolated domain need to be able to access the non-Windows computers, then the **Domain Computers** group can be added to the group as a member. - -Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local computer. +Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device. **Next: **[Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) - -  - -  - - - - - diff --git a/windows/keep-secure/certificate-based-isolation-policy-design.md b/windows/keep-secure/certificate-based-isolation-policy-design.md index 3c24ba8f07..8d0483f776 100644 --- a/windows/keep-secure/certificate-based-isolation-policy-design.md +++ b/windows/keep-secure/certificate-based-isolation-policy-design.md @@ -2,25 +2,32 @@ title: Certificate-based Isolation Policy Design (Windows 10) description: Certificate-based Isolation Policy Design ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Certificate-based Isolation Policy Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. -Domain isolation and server isolation help provide security for the computers on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some computers that must run another operating system, such as Linux or UNIX. These computers cannot join an Active Directory domain, without a third-party package being installed. Also, some computers that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the computer needs to be joined to the Active Directory and (for non-windows computers) support Kerberos as an authentication protocol. +Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices cannot join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol. -To authenticate with non-domain member computers, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to computers that do not run the Windows operating system. +To authenticate with non-domain member devices, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to devices that do not run Windows. -The same principles of the domain and server isolation designs apply to this design. Only computers that can authenticate (in this case, by providing a specified certificate) can communicate with the computers in your isolated domain. +The same principles of the domain and server isolation designs apply to this design. Only devices that can authenticate (in this case, by providing a specified certificate) can communicate with the devices in your isolated domain. -For computers that run Windows and that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the computers that are trusted but are not part of the Active Directory domain. For other computers, you will have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner. +For Windows devices that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the devices that are trusted but are not part of the Active Directory domain. For other devices, you will have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner. -For more information about this design: +For more info about this design: -- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). +- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md). @@ -28,15 +35,6 @@ For more information about this design: - To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md). -- For a list of tasks that you can use to deploy your certificate-based policy design, see "Checklist: Implementing a Certificate-based Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=98308) at http://go.microsoft.com/fwlink/?linkid=98308. +- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md). **Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) - -  - -  - - - - - diff --git a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md index 6e3d38e38b..144252b206 100644 --- a/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/keep-secure/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -2,17 +2,24 @@ title: Designing a Windows Firewall with Advanced Security Strategy (Windows 10) description: Designing a Windows Firewall with Advanced Security Strategy ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Designing a Windows Firewall with Advanced Security Strategy +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the computers on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the computers. +To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices. - [Gathering the Information You Need](gathering-the-information-you-need.md) -- [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-computers.md) +- [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md) The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design. @@ -20,41 +27,21 @@ The information that you gather will help you answer the following questions. Th - What traffic must always be blocked? Does your organization have policies that prohibit the use of specific programs? If so, what are the characteristics of the network traffic generated and consumed by the prohibited programs? -- What traffic on the network cannot be protected by IPsec because the computers or devices sending or receiving the traffic do not support IPsec? +- What traffic on the network cannot be protected by IPsec because the devices or devices sending or receiving the traffic do not support IPsec? - For each type of network traffic, does the default configuration of the firewall (block all unsolicited inbound network traffic, allow all outbound traffic) allow or block the traffic as required? -- Do you have an Active Directory domain (or forest of trusted domains) to which all your computers are joined? If you do not, then you cannot use Group Policy for easy mass deployment of your firewall and connection security rules. You also cannot easily take advantage of Kerberos V5 authentication that all domain clients can use. +- Do you have an Active Directory domain (or forest of trusted domains) to which all your devices are joined? If you do not, then you cannot use Group Policy for easy mass deployment of your firewall and connection security rules. You also cannot easily take advantage of Kerberos V5 authentication that all domain clients can use. -- Which computers must be able to accept unsolicited inbound connections from computers that are not part of the domain? +- Which devices must be able to accept unsolicited inbound connections from devices that are not part of the domain? -- Which computers contain data that must be encrypted when exchanged with another computer? +- Which devices contain data that must be encrypted when exchanged with another computer? -- Which computers contain sensitive data to which access must be restricted to specifically authorized users and computers? +- Which devices contain sensitive data to which access must be restricted to specifically authorized users and devices? -- Does your organization have specific network troubleshooting devices or computers (such as protocol analyzers) that must be granted unlimited access to the computers on the network, essentially bypassing the firewall? - -## If you already have firewall or IPsec rules deployed +- Does your organization have specific network troubleshooting devices or devices (such as protocol analyzers) that must be granted unlimited access to the devices on the network, essentially bypassing the firewall? -Windows Firewall with Advanced Security in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 has many new capabilities that are not available in earlier versions of Windows. - -If you already have a domain and/or server isolation deployment in your organization then you can continue to use your existing GPOs and apply them to computers running Windows 8 and Windows Server 2012. - -**Note**   -Computers running Windows XP and Windows Server 2003 will not be able to participate in this domain and/or server isolation deployment plan. - -  - -This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems, starting with Windows Vista and Windows Server 2008. Windows XP and Windows Server 2003 are not discussed in this guide. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide. +This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) later in this guide. **Next: **[Gathering the Information You Need](gathering-the-information-you-need.md) - -  - -  - - - - - diff --git a/windows/keep-secure/domain-isolation-policy-design-example.md b/windows/keep-secure/domain-isolation-policy-design-example.md index 3e58a40369..2bfcf9cbc8 100644 --- a/windows/keep-secure/domain-isolation-policy-design-example.md +++ b/windows/keep-secure/domain-isolation-policy-design-example.md @@ -2,30 +2,36 @@ title: Domain Isolation Policy Design Example (Windows 10) description: Domain Isolation Policy Design Example ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Domain Isolation Policy Design Example +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. ## Design Requirements - -In addition to the basic protection provided by the firewall rules in the previous design example, the administrators of the network want to implement domain isolation to provide another layer of security to their networked computers. They want to create firewall and connection security rules that use authentication to reduce the risk of communicating with untrusted and potentially hostile computers. +In addition to the basic protection provided by the firewall rules in the previous design example, you might want to implement domain isolation to provide another layer of security to their networked devices. You can create firewall and connection security rules that use authentication to reduce the risk of communicating with untrusted and potentially hostile devices. The following illustration shows the traffic protection needed for this design example. ![domain isolation policy design](images/wfas-design2example1.gif) -1. All computers on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's computers reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. +1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. -2. The servers hosting the WGPartner programs must be able to receive unsolicited inbound traffic from computers owned by its partners, which are not members of Woodgrove Bank's domain. +2. The servers hosting the WGPartner programs must be able to receive unsolicited inbound traffic from devices owned by its partners, which are not members of Woodgrove Bank's domain. -3. Client computers can initiate non-authenticated outbound communications with computers that are not members of the domain, such as browsing external Web sites. Unsolicited inbound traffic from non-domain members is blocked. +3. Client devices can initiate non-authenticated outbound communications with devices that are not members of the domain, such as browsing external Web sites. Unsolicited inbound traffic from non-domain members is blocked. -4. Computers in the encryption zone require that all network traffic inbound and outbound must be encrypted, in addition to the authentication already required by the isolated domain. +4. Devices in the encryption zone require that all network traffic inbound and outbound must be encrypted, in addition to the authentication already required by the isolated domain. **Other traffic notes:** @@ -33,33 +39,20 @@ The following illustration shows the traffic protection needed for this design e ## Design Details - -Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the computers on its network. +Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices on its network. Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. As in the firewall policy design, a combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. -The following groups were created by using the Active Directory Users and Computers MMC snap-in, all computers that run Windows were added to the correct groups, and then the appropriate GPO are applied to the group. To include a computer in the isolated domain or any one of its subordinate zones, simply add the computer's account in the appropriate group. +The following groups were created by using the Active Directory Users and Computers MMC snap-in, all devices that run Windows were added to the correct groups, and then the appropriate GPO are applied to the group. To include a device in the isolated domain or any one of its subordinate zones, simply add the device's account in the appropriate group. -- **CG\_DOMISO\_ISOLATEDDOMAIN**. The members of this group participate in the isolated domain. After an initial pilot period, followed by a slowly increasing group membership, the membership of this group was eventually replaced with the entry **Domain Computers** to ensure that all computers in the domain participate by default. The WMI filters ensure that the GPO does not apply to domain controllers. GPOs with connection security rules to enforce domain isolation behavior are linked to the domain container and applied to the computers in this group. Filters ensure that each computer receives the correct GPO for its operating system type. The rules in the domain isolation GPO require Kerberos v5 authentication for inbound network connections, and request (but not require) it for all outbound connections. +- **CG\_DOMISO\_ISOLATEDDOMAIN**. The members of this group participate in the isolated domain. After an initial pilot period, followed by a slowly increasing group membership, the membership of this group was eventually replaced with the entry **Domain Computers** to ensure that all devices in the domain participate by default. The WMI filters ensure that the GPO does not apply to domain controllers. GPOs with connection security rules to enforce domain isolation behavior are linked to the domain container and applied to the devices in this group. Filters ensure that each computer receives the correct GPO for its operating system type. The rules in the domain isolation GPO require Kerberos v5 authentication for inbound network connections, and request (but not require) it for all outbound connections. - **CG\_DOMISO\_NO\_IPSEC**. This group is denied read or apply permissions on any of the domain isolation GPOs. Any computer that cannot participate in domain isolation, such as a DHCP server running UNIX, is added to this group. -- **CG\_DOMISO\_BOUNDARY**. This group contains the computer accounts for all the computers that are part of the boundary group able to receive unsolicited inbound traffic from untrusted computers. Members of the group receive a GPO that configures connection security rules to request (but not require) both inbound and outbound authentication. +- **CG\_DOMISO\_BOUNDARY**. This group contains the computer accounts for all the devices that are part of the boundary group able to receive unsolicited inbound traffic from untrusted devices. Members of the group receive a GPO that configures connection security rules to request (but not require) both inbound and outbound authentication. -- **CG\_DOMISO\_ENCRYPTION**. This group contains the computer accounts for all the computers that require all inbound and outbound traffic to be both authenticated and encrypted. Members of the group receive a GPO that configures connection security and firewall rules to require both authentication and encryption on all inbound and outbound traffic. +- **CG\_DOMISO\_ENCRYPTION**. This group contains the computer accounts for all the devices that require all inbound and outbound traffic to be both authenticated and encrypted. Members of the group receive a GPO that configures connection security and firewall rules to require both authentication and encryption on all inbound and outbound traffic. -**Note**   -If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, computers that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any computers that are incorrectly assigned to more than one group. - -  +>**Note:**  If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. **Next: **[Server Isolation Policy Design Example](server-isolation-policy-design-example.md) - -  - -  - - - - - diff --git a/windows/keep-secure/domain-isolation-policy-design.md b/windows/keep-secure/domain-isolation-policy-design.md index 4300787f6c..da2564242b 100644 --- a/windows/keep-secure/domain-isolation-policy-design.md +++ b/windows/keep-secure/domain-isolation-policy-design.md @@ -2,19 +2,26 @@ title: Domain Isolation Policy Design (Windows 10) description: Domain Isolation Policy Design ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Domain Isolation Policy Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -In the domain isolation policy design, you configure the computers on your network to accept only connections coming from computers that are authenticated as members of the same isolated domain. +In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. -This design typically begins with a network configured as described in the [Basic Firewall Policy Design](basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure computers in the isolated domain to accept only network traffic from other computers that can authenticate as a member of the isolated domain. After implementing the new rules, your computers reject unsolicited network traffic from computers that are not members of the isolated domain. +This design typically begins with a network configured as described in the [Basic Firewall Policy Design](basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure devices in the isolated domain to accept only network traffic from other devices that can authenticate as a member of the isolated domain. After implementing the new rules, your devices reject unsolicited network traffic from devices that are not members of the isolated domain. The isolated domain might not be a single Active Directory domain. It can consist of all the domains in a forest, or domains in separate forests that have two-way trust relationships configured between them. -By using connection security rules based on IPsec, you provide a logical barrier between computers even if they are connected to the same physical network segment. +By using connection security rules based on IPsec, you provide a logical barrier between devices even if they are connected to the same physical network segment. The design is shown in the following illustration, with the arrows that show the permitted communication paths. @@ -22,48 +29,36 @@ The design is shown in the following illustration, with the arrows that show the Characteristics of this design, as shown in the diagram, include the following: -- Isolated domain (area A) - Computers in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from computers referenced in authentication exemption rules. Computers in the isolated domain can send traffic to any computer. This includes unauthenticated traffic to computers that are not in the isolated domain. Computers that cannot join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more information, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). +- Isolated domain (area A) - Devices in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from devices referenced in authentication exemption rules. Devices in the isolated domain can send traffic to any device. This includes unauthenticated traffic to devices that are not in the isolated domain. Devices that cannot join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more info, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). -- Boundary zone (area B) - Computers in the boundary zone are part of the isolated domain but are allowed to accept inbound connections from untrusted computers, such as clients on the Internet. +- Boundary zone (area B) - Devices in the boundary zone are part of the isolated domain but are allowed to accept inbound connections from untrusted devices, such as clients on the Internet. - Computers in the boundary zone request but do not require authentication to communicate. When a member of the isolated domain communicates with a boundary zone member the traffic is authenticated. When a computer that is not part of the isolated domain communicates with a boundary zone member the traffic is not authenticated. + Devices in the boundary zone request but do not require authentication to communicate. When a member of the isolated domain communicates with a boundary zone member the traffic is authenticated. When a device that is not part of the isolated domain communicates with a boundary zone member the traffic is not authenticated. - Because boundary zone computers are exposed to network traffic from untrusted and potentially hostile computers, they must be carefully managed and secured. Put only the computers that must be accessed by external computers in this zone. Use firewall rules to ensure that network traffic is accepted only for services that you want exposed to non-domain member computers. + Because boundary zone devices are exposed to network traffic from untrusted and potentially hostile devices, they must be carefully managed and secured. Put only the devices that must be accessed by external devices in this zone. Use firewall rules to ensure that network traffic is accepted only for services that you want exposed to non-domain member devices. -- Trusted non-domain members (area C) - Computers on the network that are not domain members or that cannot use IPsec authentication are allowed to communicate by configuring authentication exemption rules. These rules enable computers in the isolated domain to accept inbound connections from these trusted non-domain member computers. +- Trusted non-domain members (area C) - Devices on the network that are not domain members or that cannot use IPsec authentication are allowed to communicate by configuring authentication exemption rules. These rules enable devices in the isolated domain to accept inbound connections from these trusted non-domain member devices. -- Untrusted non-domain members (area D) - Computers that are not managed by your organization and have an unknown security configuration must have access only to those computers required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted computers and your organization's computers. +- Untrusted non-domain members (area D) - Devices that are not managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices. -After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the computers that are running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista in your organization. +After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization. -**Important**   -This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. +>**Important:**  This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. -  +This design can be applied to Devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. -This design can be applied to computers that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. +In order to expand the isolated domain to include Devices that cannot be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). -In order to expand the isolated domain to include computers that cannot be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). +For more info about this design: -For more information about this design: - -- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). +- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). +- Before completing the design, gather the info described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). - To help you make the decisions required in this design, see [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). -- For a list of tasks that you can use to deploy your domain isolation policy design, see "Checklist: Implementing a Domain Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=xxxxx) at http://go.microsoft.com/fwlink/?linkid=xxxxx. +- For a list of tasks that you can use to deploy your domain isolation policy design, see [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). **Next:** [Server Isolation Policy Design](server-isolation-policy-design.md) - -  - -  - - - - - diff --git a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md index 139c0affde..35a8444e6e 100644 --- a/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/keep-secure/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -2,13 +2,20 @@ title: Evaluating Windows Firewall with Advanced Security Design Examples (Windows 10) description: Evaluating Windows Firewall with Advanced Security Design Examples ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Evaluating Windows Firewall with Advanced Security Design Examples +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the computers connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. +The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization. - [Firewall Policy Design Example](firewall-policy-design-example.md) @@ -18,11 +25,3 @@ The following Windows Firewall with Advanced Security design examples illustrate - [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) -  - -  - - - - - diff --git a/windows/keep-secure/firewall-policy-design-example.md b/windows/keep-secure/firewall-policy-design-example.md index 07adcdb285..41310314aa 100644 --- a/windows/keep-secure/firewall-policy-design-example.md +++ b/windows/keep-secure/firewall-policy-design-example.md @@ -2,23 +2,29 @@ title: Firewall Policy Design Example (Windows 10) description: Firewall Policy Design Example ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Firewall Policy Design Example +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview In this example, the fictitious company Woodgrove Bank is a financial services institution. -Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows-based computers. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate computers host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of computers that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing. +Woodgrove Bank has an Active Directory domain that provides Group Policy-based management for all their Windows devices. The Active Directory domain controllers also host Domain Name System (DNS) for host name resolution. Separate devices host Windows Internet Name Service (WINS) for network basic input/output system (NetBIOS) name resolution. A set of devices that are running UNIX provide the Dynamic Host Configuration Protocol (DHCP) services for automatic IP addressing. -Woodgrove Bank is in the process of migrating their computers from Windows Vista and Windows Server 2008 to Windows 8 and Windows Server 2012. A significant number of the computers at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. +Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016 Technical Preview. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. -A key line-of-business program called WGBank consists of a client program running on most of the desktop computers in the organization. This program accesses several front-end server computers that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. The data is stored in several back-end database computers that are running Microsoft SQL Server. +A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server. ## Design requirements - The network administrators want to implement Windows Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted. The following illustration shows the traffic protection needs for this design example. @@ -27,38 +33,38 @@ The following illustration shows the traffic protection needs for this design ex 1. The network infrastructure servers that are running services, such as Active Directory, DNS, DHCP, or WINS, can receive unsolicited inbound requests from network clients. The network clients can receive the responses from the infrastructure servers. -2. The WGBank front-end servers can receive unsolicited inbound traffic from the client computers and the WGBank partner servers. The WGBank client computers and partner servers can receive the response. +2. The WGBank front-end servers can receive unsolicited inbound traffic from the client devices and the WGBank partner servers. The WGBank client devices and partner servers can receive the response. -3. The WGBank front-end servers can send updated information to the client computers to support real-time display. The clients do not poll for this unsolicited traffic, but must be able to receive it. +3. The WGBank front-end servers can send updated information to the client devices to support real-time display. The clients do not poll for this unsolicited traffic, but must be able to receive it. 4. The WGBank back-end servers can receive SQL query requests from the WGBank front-end servers. The WGBank front-end servers can receive the corresponding responses. -5. There is no direct communications between the client computers and the WGBank back-end computers. +5. There is no direct communications between the client devices and the WGBank back-end devices. -6. There is no unsolicited traffic from the WGBank back-end computers to the WGBank front-end servers. +6. There is no unsolicited traffic from the WGBank back-end devices to the WGBank front-end servers. 7. Company policy prohibits the use of peer-to-peer file transfer software. A recent review by the IT staff found that although the perimeter firewall does prevent most of the programs in this category from working, two programs are being used by staff members that do not require an outside server. Firewall rules must block the network traffic created by these programs. -8. The WGBank partner servers can receive inbound requests from partner computers through the Internet. +8. The WGBank partner servers can receive inbound requests from partner devices through the Internet. Other traffic notes: -- Computers are not to receive any unsolicited traffic from any computer other than specifically allowed above. +- Devices are not to receive any unsolicited traffic from any computer other than specifically allowed above. -- Other outbound network traffic from the client computers not specifically identified in this example is permitted. +- Other outbound network traffic from the client devices not specifically identified in this example is permitted. ## Design details -Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy the firewall settings and rules to the computers on their network. They know that they must deploy policies to the following collections of computers: +Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy the firewall settings and rules to the devices on their network. They know that they must deploy policies to the following collections of devices: -- Client computers that run Windows 8, Windows 7, or Windows Vista +- Client devices that run Windows 10, Windows 8, or Windows 7 -- WGBank front-end servers that run Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) +- WGBank front-end servers that run Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) - WGBank partner servers that run Windows Server 2008 -- WGBank back-end SQL Server computers that run Windows Server 2008 (there are none in place yet, but their solution must support adding them) +- WGBank back-end SQL Server devices that run Windows Server 2008 (there are none in place yet, but their solution must support adding them) - Infrastructure servers that run Windows Server 2008 @@ -66,43 +72,35 @@ Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy t - DHCP servers that run the UNIX operating system -After evaluating these sets of computers, and comparing them to the Active Directory organizational unit (OU) structure, Woodgrove Bank network administrators determined that there was not a good one-to-one match between the OUs and the sets. Therefore the firewall GPOs will not be linked directly to OUs that hold the relevant computers. Instead, the GPOs are linked to the domain container in Active Directory, and then WMI and group filters are attached to the GPO to ensure that it is applied to the correct computers. +After evaluating these sets of devices, and comparing them to the Active Directory organizational unit (OU) structure, Woodgrove Bank network administrators determined that there was not a good one-to-one match between the OUs and the sets. Therefore the firewall GPOs will not be linked directly to OUs that hold the relevant devices. Instead, the GPOs are linked to the domain container in Active Directory, and then WMI and group filters are attached to the GPO to ensure that it is applied to the correct devices. Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. A combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. -The following groups were created by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and all computers that run Windows were added to the correct groups: +The following groups were created by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and all devices that run Windows were added to the correct groups: -- **CG\_FIREWALL\_ALLCOMPUTERS**. Add the predefined and system managed **Domain computers** group as a member of this group. All members of the FIREWALL\_ALLCOMPUTERS group receive an operating system-specific GPO with the common firewall rules applied to all computers. +- **CG\_FIREWALL\_ALLCOMPUTERS**. Add the predefined and system managed **Domain computers** group as a member of this group. All members of the FIREWALL\_ALLCOMPUTERS group receive an operating system-specific GPO with the common firewall rules applied to all devices. - The two computer types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for computers that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only computers that are running server versions of Windows can apply that GPO. Each of the GPOs also have security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs. + The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also have security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs. - - Client computers receive a GPO that configures Windows Firewall with Advanced Security to enforce the default Windows Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. + - Client devices receive a GPO that configures Windows Firewall with Advanced Security to enforce the default Windows Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. - - Server computers receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update are not included, because it is not needed on server computers. + - Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update are not included, because it is not needed on server devices. - All rules are scoped to allow network traffic only from computers on Woodgrove Bank's corporate network. + All rules are scoped to allow network traffic only from devices on Woodgrove Bank's corporate network. -- **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group do not receive the default firewall GPO. Computers are added to this group if there is a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it is a member of this group. +- **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group do not receive the default firewall GPO. Devices are added to this group if there is a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it is a member of this group. -- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server computers. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited WGBank client traffic. Computers in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end computers that run SQL Server. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Computers in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_BOUNDARY\_WGBANKFE**. This group contains the computer accounts for the servers that host Web services that can be accessed from the Internet. Members of this group receive a GPO that adds an inbound firewall rule to allow inbound HTTP and HTTPS network traffic from any address, including the Internet. Computers in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_BOUNDARY\_WGBANKFE**. This group contains the computer accounts for the servers that host Web services that can be accessed from the Internet. Members of this group receive a GPO that adds an inbound firewall rule to allow inbound HTTP and HTTPS network traffic from any address, including the Internet. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server computers. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Computers in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO. -- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server computers. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Computers in this group also receive the default firewall GPO. +- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO. -In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most computers on the network, you might consider adding computers performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there. +In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there. **Next: **[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) -  - -  - - - - - diff --git a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md index de3c494963..33727fc9f4 100644 --- a/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md +++ b/windows/keep-secure/gathering-information-about-your-active-directory-deployment.md @@ -2,33 +2,31 @@ title: Gathering Information about Your Active Directory Deployment (Windows 10) description: Gathering Information about Your Active Directory Deployment ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Gathering Information about Your Active Directory Deployment +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where computers are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed: +Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed: -- **Names and number of forests**. The forest (not the domain) is the security boundary in an Active Directory implementation. You must understand the current Active Directory architecture to determine the most effective strategy for deploying your firewall and connection security rules using Group Policy. It also enables you to understand which computers can be isolated and how best to accomplish the required degree of isolation. +- **Names and number of forests**. The forest (not the domain) is the security boundary in an Active Directory implementation. You must understand the current Active Directory architecture to determine the most effective strategy for deploying your firewall and connection security rules using Group Policy. It also enables you to understand which devices can be isolated and how best to accomplish the required degree of isolation. -- **Names and number of domains**. Authentication in server and domain isolation uses the IKE negotiation process with the Kerberos V5 protocol. This protocol assumes that computers are domain members. +- **Names and number of domains**. Authentication in server and domain isolation uses the IKE negotiation process with the Kerberos V5 protocol. This protocol assumes that devices are domain members. -- **Number and types of trusts**. Trusts affect the logical boundaries of domain isolation and define whether IKE negotiation can occur between computers in different Active Directory domains. +- **Number and types of trusts**. Trusts affect the logical boundaries of domain isolation and define whether IKE negotiation can occur between devices in different Active Directory domains. - **Names and number of sites**. Site architecture is usually aligned with the network topology. Understanding how sites are defined in Active Directory will help provide insight into replication and other details. Site architecture can provide a better understanding of the current Active Directory deployment. -- **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You do not have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct computers. - -- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Firewall with Advanced Security connection security rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to computers running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable computers using either the old or new IPsec policies to communicate with each other. - -**Next: **[Gathering Information about Your Computers](gathering-information-about-your-computers.md) - -  - -  - - - +- **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You do not have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct devices. +- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Firewall with Advanced Security connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other. +**Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md) diff --git a/windows/keep-secure/gathering-information-about-your-computers.md b/windows/keep-secure/gathering-information-about-your-computers.md deleted file mode 100644 index e0eb0f0b44..0000000000 --- a/windows/keep-secure/gathering-information-about-your-computers.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -title: Gathering Information about Your Computers (Windows 10) -description: Gathering Information about Your Computers -ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb -author: brianlic-msft ---- - -# Gathering Information about Your Computers - - -One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server computers on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. - -Capture the following information from each computer: - -- **Computer name**. This name is the computer's NetBIOS or DNS name that identifies the computer on the network. Because a computer can have more than one media access control (MAC) or IP address, the computer's name is one of the criteria that can be used to determine uniqueness on the network. Because computer names can be duplicated under some circumstances, the uniqueness should not be considered absolute. - -- **IP address for each network adapter**. The IP address is the address that is used with the subnet mask to identify a host on the network. An IP address is not an effective way to identify an asset because it is often subject to change. - -- **Operating system, service pack, and hotfix versions**. The operating system version is a key factor in determining the ability of a host to communicate by using IPsec. It is also important to track the current state of service packs and updates that might be installed, because these are often used to determine that minimum security standards have been met. - -- **Domain membership**. This information is used to determine whether a computer can obtain IPsec policy from Active Directory or whether it must use a local IPsec policy. - -- **Physical location**. This information is just the location of the device in your organization. It can be used to determine whether a device can participate in a specific isolation group based on its location or the location of the devices that it communicates with regularly. - -- **Hardware type or role**. Some tools that perform host discovery can provide this information by querying the hardware information and running applications to determine its type, such as server, workstation, or portable computer. You can use this information to determine the appropriate IPsec policy to assign, whether a specific computer can participate in isolation, and in which isolation group to include the computer. - -After collecting all this information and consolidating it into a database, perform regular discovery efforts periodically to keep the information current. You need the most complete and up-to-date picture of the managed hosts on their networks to create a design that matches your organization's requirements. - -You can use various methods to gather data from the hosts on the network. These methods range from high-end, fully automated systems to completely manual data collection. Generally, the use of automated methods to gather data is preferred over manual methods for reasons of speed and accuracy. - -## Automated Discovery - - -Using an automated auditing network management system such as Microsoft System Center Configuration Manager (formerly known as Systems Management Server) provides valuable information about the current state of the IT infrastructure. - -For more information about how System Center Configuration Manager 2007 can help perform automated information gathering, see . - -## Manual Discovery - - -The biggest difference between manual discovery methods and automated methods is time. - -You can use the Windows Script Host (WSH), VBScript, and Windows Management Instrumentation (WMI) to create a script file that can collect the system configuration information. VBScript and WMI are built-in to Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. Starting with Windows Server 2008, Windows PowerShell is included with the operating system. For more information, see “Scripting with Windows PowerShell” (). - -Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all additional changes must be recorded and the updates noted in the inventory. - -This inventory will be critical for planning and implementing your Windows Firewall with Advanced Security design. - -**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md) - -  - -  - - - - - diff --git a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md index ba38d968e5..65555cc782 100644 --- a/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/keep-secure/gathering-information-about-your-current-network-infrastructure.md @@ -2,11 +2,18 @@ title: Gathering Information about Your Current Network Infrastructure (Windows 10) description: Gathering Information about Your Current Network Infrastructure ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Gathering Information about Your Current Network Infrastructure +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: @@ -14,7 +21,7 @@ Perhaps the most important aspect of planning for Windows Firewall with Advanced - Network address translation (NAT). NAT is a means of separating network segments by using a device that maps all of the IP addresses on one side of the device to a single IP address accessible on the other side. -- Network infrastructure devices. This includes the routers, switches, hubs, and other network equipment that makes communications between the computers on the network possible. +- Network infrastructure devices. This includes the routers, switches, hubs, and other network equipment that makes communications between the devices on the network possible. - **Current network traffic model.** This includes the quantity and the characteristics of the network traffic flowing through your network. @@ -35,7 +42,7 @@ If your organization does not have its current network architecture documented a - Undertake a discovery project, either through manual processes or with network analysis tools that can provide the information you need to document the current network topology. -Although the required information can be presented in many different ways, a series of schematic diagrams is often the most effective method of illustrating and understanding the current network configuration. When creating network diagrams, do not include too much information. If necessary, use multiple diagrams that show different layers of detail. Use a top-level diagram that illustrates the major sites that make up your organization's network, and then break out each site into a more detailed diagram that captures a deeper level of detail. Continue until you reach the individual IP subnet level, and so have the means to identify the network location of every computer in your organization. +Although the required information can be presented in many different ways, a series of schematic diagrams is often the most effective method of illustrating and understanding the current network configuration. When creating network diagrams, do not include too much information. If necessary, use multiple diagrams that show different layers of detail. Use a top-level diagram that illustrates the major sites that make up your organization's network, and then break out each site into a more detailed diagram that captures a deeper level of detail. Continue until you reach the individual IP subnet level, and so have the means to identify the network location of every device in your organization. During this process, you might discover some network applications and services that are not compatible with IPsec. For example, IPsec breaks network-based prioritization and port/protocol-based traffic management. If traffic management or prioritization must be based on ports or protocol, the host itself must be able to perform any traffic management or prioritization. @@ -53,23 +60,14 @@ Other examples of incompatibility include: - Network monitoring tools might be unable to parse ESP packets that are not encrypted (ESP-Null). - **Note**   - Network Monitor added an ESP parser starting in version 2.1 to aid troubleshooting of unencrypted IPsec packets. The latest version of Network Monitor is available as a free download from Microsoft (). - + >**Note:**  Microsoft Message Analyzer can help in troubleshooting of unencrypted IPsec packets. The latest version of Message Analyzer is available on the [Microsoft Download Center](http://www.microsoft.com/download/details.aspx?id=44226).   - ## Network address translation (NAT) - IPsec NAT traversal (NAT-T) enables IPsec peers that are behind NATs to detect the presence of NATs, negotiate IPsec security associations (SAs), and send ESP-protected data even though the addresses in the IPsec-protected IPv4 packets change. IPsec NAT-T does not support the use of AH across NAT devices. -IPsec NAT-T is supported by Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, Windows Server 2008 R2, - -For detailed information about how IPsec NAT-T works, see "IPsec NAT Traversal Overview" in the August 2002 Cable Guy article at . - ## Network infrastructure devices - The devices that make up the network infrastructure (routers, switches, load balancers, and firewalls) must be able communicate using IPsec after the solution is implemented. For this reason, you have to examine the following characteristics of these network devices to ensure that they can handle the technical and physical requirements of the design: - **Make/model**. You can use this information to determine the features that the device supports. In addition, check the BIOS version or software running on the device to ensure that IPsec is supported. @@ -86,10 +84,7 @@ The devices that make up the network infrastructure (routers, switches, load bal - **The maximum transmission unit (MTU) size on device interface(s)**. The MTU defines the largest datagram that can be transmitted on a particular interface without being divided into smaller pieces for transmission (a process also known as *fragmentation*). In IPsec communications, the MTU is necessary to anticipate when fragmentation occurs. Packet fragmentation must be tracked for Internet Security Association and Key Management Protocol (ISAKMP) by the router. IPsec configures the MTU size on the session to the minimum-discovered MTU size along the communication path being used, and then set the Don't Fragment bit (DF bit) to 1. - **Note**   - If Path MTU (PMTU) discovery is enabled and functioning correctly, you do not have to gather the MTU size on device interfaces. Although sources, such as the Windows Server 2003 Hardening Guide, recommend disabling PMTU discovery, it must be enabled for IPsec to function correctly. - -   + >**Note:**  If Path MTU (PMTU) discovery is enabled and functioning correctly, you do not have to gather the MTU size on device interfaces. Although sources, such as the Windows Server 2003 Hardening Guide, recommend disabling PMTU discovery, it must be enabled for IPsec to function correctly. - **Intrusion detection system (IDS) in use**. Your IDS must have an IPsec-compatible parser to detect ESP packets. If the IDS does not have such a parser, it cannot determine if data in those packets is encrypted. @@ -97,32 +92,22 @@ After you obtain this information, you can quickly determine whether you must up ## Current network traffic model - After gathering the addressing and network infrastructure information, the next step is to examine the communications flow. For example, if a department such as Human Resources (HR) spans several buildings, and you want to use server isolation with encryption to help protect information in that department, you must know how those buildings are connected to determine the level of "trust" to place in the connection. A highly secured building that is connected by an unprotected cable to another building that is not secured can be compromised by an eavesdropping or information replay attack. If such an attack is considered a threat, IPsec can help by providing strong mutual authentication and traffic encryption for trusted hosts. IPsec allows you to more securely communicate across untrusted links such as the Internet. -When you examine traffic flow, look closely at how all managed and unmanaged devices interact. This includes non-Windows-based computers running Linux, UNIX, and Macintosh. Ask yourself such questions as: +When you examine traffic flow, look closely at how all managed and unmanaged devices interact. This includes non-Windows-based devices running Linux, UNIX, and Macintosh. Ask yourself such questions as: - Do specific communications occur at the port and protocol level, or are there many sessions between the same hosts across many protocols? - How do servers and clients communicate with each other? -- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Firewall on your computers to "lock down" specific ports, such as UDP 500, IKE negotiations fail. +- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail. Some of the more common applications and protocols are as follows: - **NetBIOS over TCP/IP (NetBT) and server message block (SMB)**. On a LAN, it is common to have ports 137, 138, and 139 enabled for NetBT and port 445 enabled for SMB. These ports provide NetBIOS name resolution services and other features. Unfortunately, they also allow the creation of *null sessions*. A null session is a session that is established on a host that does not use the security context of a known user or entity. Frequently, these sessions are anonymous. -- **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means opening the RPC listener port and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 reduce this risk by introducing stateful inspection of RPC traffic. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account. +- **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means opening the RPC listener port and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account. -- **Other traffic**. Windows Firewall with Advanced Security can help secure transmissions between computers by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. +- **Other traffic**. Windows Firewall with Advanced Security can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured. **Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) - -  - -  - - - - - diff --git a/windows/keep-secure/gathering-other-relevant-information.md b/windows/keep-secure/gathering-other-relevant-information.md index b224e74fa6..ca8d396fcb 100644 --- a/windows/keep-secure/gathering-other-relevant-information.md +++ b/windows/keep-secure/gathering-other-relevant-information.md @@ -2,20 +2,26 @@ title: Gathering Other Relevant Information (Windows 10) description: Gathering Other Relevant Information ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Gathering Other Relevant Information +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization. ## Capacity considerations +Because IPsec uses mathematically intensive cryptographic techniques, it can consume significant overhead on a device. Areas to watch: -Because IPsec uses mathematically intensive cryptographic techniques, it can consume significant overhead on a computer. Areas to watch: - -- **Encryption.** You might use 256-bit Advanced Encryption Standard (AES-256) and 384-bit Secure Hash Algorithm (SHA-384) to check integrity in situations that require the strongest available encryption and key exchange protection. If you have NICs that support IPsec Task Offload, you can reduce the effect that encryption has on network throughput. For more information, see [IPsec Task Offload](http://technet.microsoft.com/network/dd277647.aspx) at http://technet.microsoft.com/network/dd277647.aspx +- **Encryption.** You might use 256-bit Advanced Encryption Standard (AES-256) and 384-bit Secure Hash Algorithm (SHA-384) to check integrity in situations that require the strongest available encryption and key exchange protection. If you have NICs that support IPsec Task Offload, you can reduce the effect that encryption has on network throughput. For more information, see [IPsec Task Offload](http://technet.microsoft.com/network/dd277647.aspx). - **Security association (SA) negotiation.** You can use a shorter lifetime for the main mode SA, such as three hours, but then you might need to make tradeoffs. Because each main mode SA occupies approximately 5  KB of RAM, situations in which a server brokers tens of thousands of concurrent connections can lead to overutilization. @@ -25,26 +31,19 @@ Because IPsec uses mathematically intensive cryptographic techniques, it can con - **Other factors.** These include CPU usage on network infrastructure servers, increased overhead on servers and workstations running IPsec (especially servers, because they usually contain more main mode SAs than clients), and increased network latency because of IPsec negotiation. - **Note**   - When Microsoft deployed its own domain isolation solution, it found a one to three percent increase in usage on the network as a direct result of IPsec. - -   + >**Note:**  When Microsoft deployed its own domain isolation solution, it found a one to three percent increase in usage on the network as a direct result of IPsec. ## Group Policy deployment groups and WMI filters - -You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Firewall with Advanced Security GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate computers or users can apply the GPO settings. Because the firewall and connection security rules have evolved significantly from Windows 2000 Server to Windows XP and Windows Server 2003, and now with Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, we recommend that you use WMI filtering to dynamically ensure that GPOs apply only to computers that are running the correct operating system. It is not necessary to use this technique if your network consists of computers running Windows Vista or later. +You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Firewall with Advanced Security GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices. ## Different Active Directory trust environments - When you design a domain isolation policy, consider any logical boundaries that might affect IPsec-secured communications. For example, the trust relationships between your domains and forests are critical in determining an appropriate IKE authentication method. Kerberos V5 authentication is recommended for use in a two-way (mutual) domain and forest trust environment. You can use Kerberos V5 for IKE authentication across domains that have two-way trusts established, if the domains are in the same forest or different forests. If the two domains are in different forests, you must configure two external trusts, one for each direction, between the domains. The external trusts must use the fully qualified domain name (FQDN) of the domains, and IPsec policy must allow an IKE initiator in one domain to communicate with any domain controller in the forest domain hierarchy, so that the initiator can obtain a Kerberos V5 ticket from a domain controller in the responder’s domain. If firewalls separate the domains then you must configure the firewall to allow Kerberos V5 traffic over UDP destination port 88, TCP destination port 88, and UDP destination port 389. -For more information, see "Active Directory in Networks Segmented by Firewalls" at . - -If the use of Kerberos V5 authentication is not possible because two-way trusts across forests cannot be established as in some large enterprise environments, you can use a public key infrastructure (PKI) and digital certificates to establish IPsec-trusted communication. For an example of how Microsoft deployed their PKI, see "Deploying PKI Inside Microsoft" at . +If the use of Kerberos V5 authentication is not possible because two-way trusts across forests cannot be established as in some large enterprise environments, you can use a public key infrastructure (PKI) and digital certificates to establish IPsec-trusted communication. ## Creating firewall rules to permit IKE, AH, and ESP traffic @@ -53,39 +52,26 @@ In some cases, IPsec-secured traffic might have to pass through a router, perime In the case of a filtering router or a firewall, you must configure these devices to allow IPsec traffic to be forwarded. Configure the firewall to allow IPsec traffic on UDP source and destination port 500 (IKE), UDP source and destination port 4500 (IPsec NAT-T), and IP Protocol 50 (ESP). You might also have to configure the firewall to allow IPsec traffic on IP protocol 51 (AH) to allow troubleshooting by IPsec administrators and to allow the IPsec traffic to be inspected. -For more information, see "How to Enable IPsec Traffic Through a Firewall" at . +For more info, see [How to Enable IPsec Traffic Through a Firewall](http://go.microsoft.com/fwlink/?LinkId=45085). ## Network load balancing and server clusters - -There are challenges implementing connection security for network traffic going to and from network load balancing (NLB) clusters and server clusters. NLB enables multiple servers to be clustered together to provide high availability for a service by providing automatic failover to other nodes in the cluster. Because IPsec matches a security association to a specific computer, it prevents different computers from handling the same client connection. If a different node in the cluster responds to an IPsec connection that was originally established by another node, the traffic will be dropped by the client computer as untrusted. +There are challenges implementing connection security for network traffic going to and from network load balancing (NLB) clusters and server clusters. NLB enables multiple servers to be clustered together to provide high availability for a service by providing automatic failover to other nodes in the cluster. Because IPsec matches a security association to a specific device, it prevents different devices from handling the same client connection. If a different node in the cluster responds to an IPsec connection that was originally established by another node, the traffic will be dropped by the client device as untrusted. This means that NLB in "no affinity" mode is not supported by IPsec at all. If you must use "no affinity" mode in the cluster then consider including the servers that make up the cluster in your IPsec exemption group, and allowing clients to communicate with the servers without IPsec. -**IPsec improvements for clusters running Windows Server 2008** - -Starting with Windows Server 2008 and Windows Vista, IPsec is much more tightly integrated into TCP/IP than in earlier versions of Windows. When a TCP connection is dropped because of a cluster node failover, IPsec on a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 detects the TCP connection failure and removes the IPsec SAs for that connection. When the new TCP connection is established to another node, IPsec can negotiate new SAs immediately without having to wait for the obsolete SAs to time out. +When a TCP connection is dropped because of a cluster node failover, IPsec detects the TCP connection failure and removes the IPsec SAs for that connection. When the new TCP connection is established to another node, IPsec can negotiate new SAs immediately without having to wait for the obsolete SAs to time out. ## Network inspection technologies - Within a TCP/IP packet, IPsec without encryption changes the offsets for the destination ports and protocols. These changes can adversely affect applications that are running on network devices such as routers that monitor and manage traffic on the network. While some network applications have been updated to support IPsec, some are not yet compatible. Check with the vendor of your device to see whether the changes in the protocol and port fields caused by IPsec are compatible with the device. -Any device designed to view network traffic, such as hardware protocol analyzers or Microsoft Network Monitor, cannot parse ESP-encrypted traffic. Only the destination computer, with which the originating computer negotiated the connection, can decrypt the traffic. +Any device designed to view network traffic, such as hardware protocol analyzers or Microsoft Network Monitor, cannot parse ESP-encrypted traffic. Only the destination device, with which the originating device negotiated the connection, can decrypt the traffic. In general, IPsec defeats network-based prioritization and port- or protocol-based traffic management. For encrypted packets, there is no workaround; the host itself must handle any traffic management functions. For unencrypted, authenticated-only packets, the devices and applications must be aware of how IPsec changes packets to be able to do anything with them other than route them to the correct host. If you cannot upgrade monitoring or management devices to support IPsec, it is important that you record this information and figure it into your domain or server isolation design. -Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Network Monitor parsers for ESP can parse inside the ESP packet only if ESP null-encryption is being used. Network Monitor cannot parse the encrypted parts of IPsec ESP traffic when encryption is performed in software. However, if encryption is performed by an IPsec hardware offload network adapter, the ESP packets can be decrypted when Network Monitor captures them on either the source or the destination and, therefore, they can be parsed. To diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPsec policy or connection security rule on both computers. - -Network Monitor is available as a free download from Microsoft at . - -**Next: **[Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-computers.md) - -  - -  - - - +Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Network Monitor parsers for ESP can parse inside the ESP packet only if ESP null-encryption is being used. Network Monitor cannot parse the encrypted parts of IPsec ESP traffic when encryption is performed in software. However, if encryption is performed by an IPsec hardware offload network adapter, the ESP packets can be decrypted when Network Monitor captures them on either the source or the destination and, therefore, they can be parsed. To diagnose ESP software-encrypted communication, you must disable ESP encryption and use ESP-null encryption by changing the IPsec policy or connection security rule on both devices. +Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226). +**Next: **[Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md) diff --git a/windows/keep-secure/gathering-the-information-you-need.md b/windows/keep-secure/gathering-the-information-you-need.md index c4bcf27cfe..3e8a62b0cc 100644 --- a/windows/keep-secure/gathering-the-information-you-need.md +++ b/windows/keep-secure/gathering-the-information-you-need.md @@ -2,13 +2,20 @@ title: Gathering the Information You Need (Windows 10) description: Gathering the Information You Need ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Gathering the Information You Need +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the computers that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and computers that were not considered during the planning phase are encountered during implementation. +Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. Review each of the following topics for guidance about the kinds of information that you must gather: @@ -16,15 +23,6 @@ Review each of the following topics for guidance about the kinds of information - [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) -- [Gathering Information about Your Computers](gathering-information-about-your-computers.md) +- [Gathering Information about Your Devices](gathering-information-about-your-devices.md) - [Gathering Other Relevant Information](gathering-other-relevant-information.md) - -  - -  - - - - - diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 85363b9abe..17ef2d4aa4 100644 --- a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -6,7 +6,6 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security - author: brianlic-msft --- @@ -58,6 +57,4 @@ The following table lists the three main tasks for articulating, refining, and s -  - **Next:** [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md) diff --git a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index 6972acc8cd..012969637d 100644 --- a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -2,81 +2,32 @@ title: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design (Windows 10) description: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. -**Important**   -The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design. - -  +>**Important:**  The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design. Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security deployment goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security deployment goals to meet the needs of your organization. - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deployment Goals[Basic Firewall Policy Design](basic-firewall-policy-design.md)[Domain Isolation Policy Design](domain-isolation-policy-design.md)[Server Isolation Policy Design](server-isolation-policy-design.md)[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)

[Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md)

Yes

Yes

Yes

Yes

[Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)

-

Yes

Yes

Yes

[Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)

-

-

Yes

Yes

[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)

-

Optional

Optional

Optional

- -  +| Deployment Goals | Basic Firewall Policy Design | Domain Isolation Policy Design | Server Isolation Policy Design | Certificate-based Isolation Policy Design | +| - |- | - | - | - | +| [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md)| Yes| Yes| Yes| Yes| +| [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md) | -| Yes| Yes| Yes| +| [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)| -| -| Yes| Yes| +| [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)| -| Optional| Optional| Optional| To examine details for a specific design, click the design title at the top of the column in the preceding table. **Next: **[Basic Firewall Policy Design](basic-firewall-policy-design.md) - -  - -  - - - - - diff --git a/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md b/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md deleted file mode 100644 index 5230ec4e6d..0000000000 --- a/windows/keep-secure/protect-computers-from-unwanted-network-traffic.md +++ /dev/null @@ -1,44 +0,0 @@ ---- -title: Protect Computers from Unwanted Network Traffic (Windows 10) -description: Protect Computers from Unwanted Network Traffic -ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc -author: brianlic-msft ---- - -# Protect Computers from Unwanted Network Traffic - - -Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as a computer virus that is brought in on portable media and run on a trusted computer. Portable computers are often taken outside the network and connected directly to the Internet, without adequate protection between the computer and security threats. - -Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](http://download.microsoft.com/download/C/9/A/C9A544AD-4150-43D3-80F7-4F1641EF910A/Microsoft_Security_Intelligence_Report_Volume_12_Key_Findings_Summary_English.pdf) at http://download.microsoft.com/download/C/9/A/C9A544AD-4150-43D3-80F7-4F1641EF910A/Microsoft\_Security\_Intelligence\_Report\_Volume\_12\_Key\_Findings\_Summary\_English.pdf. - -Running a host-based firewall on every computer that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable computer to provide protection when it is away from the organization's network. - -A host-based firewall helps secure a computer by dropping all network traffic that does not match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](basic-firewall-policy-design.md), provides the following benefits: - -- Network traffic that is a reply to a request from the local computer is permitted into the computer from the network. - -- Network traffic that is unsolicited, but that matches a rule for allowed network traffic, is permitted into the computer from the network. - - For example, Woodgrove Bank wants a computer that is running SQL Server to be able to receive the SQL queries sent to it by client computers. The firewall policy deployed to the computer that is running SQL Server includes firewall rules that specifically allow inbound network traffic for the SQL Server program. - -- Outbound network traffic that is not specifically blocked is allowed on the network. - - For example, Woodgrove Bank has a corporate policy that prohibits the use of certain peer-to-peer file sharing programs. The firewall policy deployed to the computers on the network includes firewall rules that block both inbound and outbound network traffic for the prohibited programs. All other outbound traffic is permitted. - -The following component is recommended for this deployment goal: - -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). - -Other means of deploying a firewall policy are available, such as creating scripts that use the **netsh** command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations. - -**Next: **[Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md) - -  - -  - - - - - diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md index ca133f5f86..4a19f0dbf8 100644 --- a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md @@ -2,15 +2,22 @@ title: Require Encryption When Accessing Sensitive Network Resources (Windows 10) description: Require Encryption When Accessing Sensitive Network Resources ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Require Encryption When Accessing Sensitive Network Resources +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -The use of authentication in the previously described goal ([Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)) enables a computer in the isolated domain to block traffic from untrusted computers. However, it does not prevent an untrusted computer from eavesdropping on the network traffic shared between two trusted computers, because by default network packets are not encrypted. +The use of authentication in the previously described goal ([Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. -For computers that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to computers that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. +For devices that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. @@ -18,25 +25,16 @@ The following illustration shows an encryption zone in an isolated domain. The r This goal provides the following benefits: -- Computers in the encryption zone require authentication to communicate with other computers. This works no differently from the domain isolation goal and design. For more information, see [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md). +- Devices in the encryption zone require authentication to communicate with other devices. This works no differently from the domain isolation goal and design. For more info, see [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md). -- Computers in the encryption zone require that all inbound and outbound network traffic be encrypted. +- Devices in the encryption zone require that all inbound and outbound network traffic be encrypted. - For example, Woodgrove Bank processes sensitive customer data on a computer that must be protected from eavesdropping by computers on the network. Connection security rules specify that all traffic must be encrypted by a sufficiently complex encryption algorithm to help protect the data. + For example, Woodgrove Bank processes sensitive customer data on a device that must be protected from eavesdropping by devices on the network. Connection security rules specify that all traffic must be encrypted by a sufficiently complex encryption algorithm to help protect the data. -- Computers in the encryption zone are often good candidates for server isolation, where access is limited to only computer accounts and user accounts that are members of an authorized access group. In many organizations, the encryption zone and the server isolation zone are one and the same. For more information, see [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md). +- Devices in the encryption zone are often good candidates for server isolation, where access is limited to only computer accounts and user accounts that are members of an authorized access group. In many organizations, the encryption zone and the server isolation zone are one and the same. For more info, see [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md). The following components are required for this deployment goal: -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). - -**Next: **[Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md) - -  - -  - - - - +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. For more info about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). +**Next: **[Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md) diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md deleted file mode 100644 index 5ec1556728..0000000000 --- a/windows/keep-secure/restrict-access-to-only-specified-users-or-computers.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -title: Restrict Access to Only Specified Users or Computers (Windows 10) -description: Restrict Access to Only Specified Users or Computers -ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df -author: brianlic-msft ---- - -# Restrict Access to Only Specified Users or Computers - - -Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)) prevents computers that are members of the isolated domain from accepting network traffic from untrusted computers. However, some computers on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. - -Windows Firewall with Advanced Security enables you to restrict access to computers and users that are members of domain groups authorized to access that computer. These groups are called *network access groups (NAGs)*. When a computer authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple computers in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Computers that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). - -Restricting access to only users and computers that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. - -Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista enable you to restrict access by specifying either computer or user credentials. - -The following illustration shows an isolated server, and examples of computers that can and cannot communicate with it. Computers that are outside the Woodgrove corporate network, or computers that are in the isolated domain but are not members of the required NAG, cannot communicate with the isolated server. - -![isolated domain with network access groups](images/wfas-domainnag.gif) - -This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features: - -- Isolated servers accept unsolicited inbound network traffic only from computers or users that are members of the NAG. - -- Isolated servers can be implemented as part of an isolated domain, and treated as another zone. Members of the zone group receive a GPO with rules that require authentication, and that specify that only network traffic authenticated as coming from a member of the NAG is allowed. - -- Server isolation can also be configured independently of an isolated domain. To do so, configure only the computers that must communicate with the isolated server with connection security rules to implement authentication and check NAG membership. - -- A server isolation zone can be simultaneously configured as an encryption zone. To do this, configure the GPO with rules that force encryption in addition to requiring authentication and restricting access to NAG members. For more information, see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - -The following components are required for this deployment goal: - -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). - -**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) - -  - -  - - - - - diff --git a/windows/keep-secure/restrict-access-to-only-trusted-computers.md b/windows/keep-secure/restrict-access-to-only-trusted-computers.md deleted file mode 100644 index 89288e3473..0000000000 --- a/windows/keep-secure/restrict-access-to-only-trusted-computers.md +++ /dev/null @@ -1,59 +0,0 @@ ---- -title: Restrict Access to Only Trusted Computers (Windows 10) -description: Restrict Access to Only Trusted Computers -ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b -author: brianlic-msft ---- - -# Restrict Access to Only Trusted Computers - - -Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach computers that are not owned by your organization to your network. Because you do not manage those computers, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy computers both on and outside of your physical network must not be permitted to access your organization's computers except where it is truly required. - -To mitigate this risk, you must be able to isolate the computers you trust, and restrict their ability to receive unsolicited network traffic from untrusted computers. By using connection security and firewall rules available in Windows Firewall with Advanced Security, you can logically isolate the computers that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each computer or user can positively identify itself by using credentials that are trusted by the other computer. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. - -**Note**   -Because the primary authentication method recommended for computers that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to computers that are not part of an Active Directory domain. - -  - -The protection provided by domain isolation can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. - -The following illustration shows an isolated domain, with one of the zones that are optionally part of the design. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. - -![domain isolation](images/wfas-domainiso.gif) - -These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits: - -- Computers in the isolated domain accept unsolicited inbound network traffic only when it can be authenticated as coming from another computer in the isolated domain. Exemption rules can be defined to allow inbound traffic from trusted computers that for some reason cannot perform IPsec authentication. - - For example, Woodgrove Bank wants all of its computers to block all unsolicited inbound network traffic from any computer that it does not manage. The connection security rules deployed to domain member computers require authentication as a domain member or by using a certificate before an unsolicited inbound network packet is accepted. - -- Computers in the isolated domain can still send outbound network traffic to untrusted computers and receive the responses to the outbound requests. - - For example, Woodgrove Bank wants its users at client computers to be able to access Web sites on the Internet. The default Windows Firewall with Advanced Security settings for outbound network traffic allow this. No additional rules are required. - -These goals also support optional zones that can be created to add customized protection to meet the needs of subsets of an organization's computers: - -- Computers in the "boundary zone" are configured to use connection security rules that request but do not require authentication. This enables them to receive unsolicited inbound network traffic from untrusted computers, and also to receive traffic from the other members of the isolated domain. - - For example, Woodgrove Bank has a server that must be accessed by its partners' computers through the Internet. The rules applied to computers in the boundary zone use authentication when the client computer can support it, but do not block the connection if the client computer cannot authenticate. - -- Computers in the "encryption zone" require that all network traffic in and out must be encrypted to secure potentially sensitive material when it is sent over the network. - - For example, Woodgrove Bank wants the computers running SQL Server to only transmit data that is encrypted to help protect the sensitive data stored on those computers. - -The following components are required for this deployment goal: - -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). - -**Next: **[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md) - -  - -  - - - - - diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md deleted file mode 100644 index fa9c66bfb4..0000000000 --- a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md +++ /dev/null @@ -1,189 +0,0 @@ ---- -title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows 10) -description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft ---- - -# Securing End-to-End IPsec connections by using IKEv2 - -**Applies to** -- Windows 10 -- Windows Server 2016 Technical Preview - -IKEv2 offers the following: - -- Supports IPsec end-to-end transport mode connections - -- Provides interoperability for Windows with other operating systems that use IKEv2 for end-to-end security - -- Supports Suite B (RFC 4869) requirements - -- Coexists with existing policies that deploy AuthIP/IKEv1 - -- Uses the Windows PowerShell interface exclusively for configuration. You cannot configure IKEv2 through the user interface. - -- Uses certificates for the authentication mechanism - -You can use IKEv2 as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection. - -**In this document** - -- [Prerequisites](#prerequisites) - -- [Devices joined to a domain](#devices-joined-to-a-domain) - -- [Device not joined to a domain](#devices-not-joined-to-a-domain) - -- [Troubleshooting](#troubleshooting) - ->**Note:**  This topic includes sample Windows PowerShell cmdlets. For more info, see [How to Run a Windows PowerShell Cmdlet](http://go.microsoft.com/fwlink/p/?linkid=230693). - -## Prerequisites - -These procedures assume that you already have a public key infrastructure (PKI) in place for device authentication. - -## Devices joined to a domain - -The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1. - -![the contoso corporate network](images/corpnet.gif) - -**Figure 1** The Contoso corporate network - -This script does the following: - -- Creates a security group called **IPsec client and servers** and adds CLIENT1 and SERVER1 as members. - -- Creates a Group Policy Object (GPO) called **IPsecRequireInRequestOut** and links it to the corp.contoso.com domain. - -- Sets the permissions to the GPO so that they apply only to the computers in **IPsec client and servers** and not to **Authenticated Users**. - -- Indicates the certificate to use for authentication. - - >**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. - -- Creates the IKEv2 connection security rule called **My IKEv2 Rule**. - -![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** - -Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. - -``` syntax -# Create a Security Group for the computers that will get the policy -$pathname = (Get-ADDomain).distinguishedname -New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" ` --GroupCategory security -GroupScope Global -path $pathname - -# Add test computers to the Security Group -$computer = Get-ADComputer -LDAPFilter "(name=client1)" -Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer -$computer = Get-ADComputer -LDAPFilter "(name=server1)" -Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer - -# Create and link the GPO to the domain -$gpo = New-gpo IPsecRequireInRequestOut -$gpo | new-gplink -target "dc=corp,dc=contoso,dc=com" -LinkEnabled Yes - -# Set permissions to security group for the GPO -$gpo | Set-GPPermissions -TargetName "IPsec client and servers" -TargetType Group -PermissionLevel GpoApply -Replace -$gpo | Set-GPPermissions -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace - -#Set up the certificate for authentication -$gponame = "corp.contoso.com\IPsecRequireInRequestOut" -$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" -$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop –PolicyStore GPO:$gponame - -#Create the IKEv2 Connection Security rule -New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID ` --InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 -PolicyStore GPO:$gponame -``` - -## Devices not joined to a domain - -Use a Windows PowerShell script similar to the following to create a local IPsec policy on the devices that you want to include in the secure connection. - ->**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. - -![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** - -Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. - -``` syntax -#Set up the certificate -$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" -$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop - -#Create the IKEv2 Connection Security rule -New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID ` --InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 -``` - -Make sure that you install the required certificates on the participating computers. - ->**Note:**   -- For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](http://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys). -- You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder. -- For remote devices, you can create a secure website to facilitate access to the script and certificates. - -## Troubleshooting - -Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: - -**Use the Windows Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.** - -1. Open the Windows Firewall with Advanced Security console. - -2. In the left pane of the Windows Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule. - -3. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile. - -**Use Windows PowerShell cmdlets to display the security associations.** - -1. Open a Windows PowerShell command prompt. - -2. Type **get-NetIPsecQuickModeSA** to display the Quick Mode security associations. - -3. Type **get-NetIPsecMainModeSA** to display the Main Mode security associations. - -**Use netsh to capture IPsec events.** - -1. Open an elevated command prompt. - -2. At the command prompt, type **netsh wfp capture start**. - -3. Reproduce the error event so that it can be captured. - -4. At the command prompt, type **netsh wfp capture stop**. - - A wfpdiag.cab file is created in the current folder. - -5. Open the cab file, and then extract the wfpdiag.xml file. - -6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file: - - ``` syntax - - ERROR_IPSEC_IKE_NO_CERT - 32 - - ``` - In this example, there are 32 instances of the **ERROR\_IPSEC\_IKE\_NO\_CERT** error. So now you can search for **ERROR\_IPSEC\_IKE\_NO\_CERT** to get more details regarding this error. - -You might not find the exact answer for the issue, but you can find good hints. For example, you might find that there seems to be an issue with the certificates, so you can look at your certificates and the related cmdlets for possible issues. - -## See also - -- [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) - -  - -  - - - - - diff --git a/windows/keep-secure/server-isolation-policy-design-example.md b/windows/keep-secure/server-isolation-policy-design-example.md index d6c1c4c7af..4d38ed4c99 100644 --- a/windows/keep-secure/server-isolation-policy-design-example.md +++ b/windows/keep-secure/server-isolation-policy-design-example.md @@ -2,43 +2,48 @@ title: Server Isolation Policy Design Example (Windows 10) description: Server Isolation Policy Design Example ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Server Isolation Policy Design Example +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. -In addition to the protections provided by the firewall and domain isolation, Woodgrove Bank wants to provide additional protection to the computers that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. This includes a requirement to prevent interception of and access to the information when it is in transit over the network. +In addition to the protections provided by the firewall and domain isolation, Woodgrove Bank wants to provide additional protection to the devices that are running Microsoft SQL Server for the WGBank program. They contain personal data, including each customer's financial history. Government and industry rules and regulations specify that access to this information must be restricted to only those users who have a legitimate business need. This includes a requirement to prevent interception of and access to the information when it is in transit over the network. -The information presented by the WGBank front-end servers to the client computers, and the information presented by the WGPartner servers to the remote partner computers, are not considered sensitive for the purposes of the government regulations, because they are processed to remove sensitive elements before transmitting the data to the client computers. +The information presented by the WGBank front-end servers to the client devices, and the information presented by the WGPartner servers to the remote partner devices, are not considered sensitive for the purposes of the government regulations, because they are processed to remove sensitive elements before transmitting the data to the client devices. -In this guide, the examples show server isolation layered on top of a domain isolation design. If you have an isolated domain, the client computers are already equipped with GPOs that require authentication. You only have to add settings to the isolated server(s) to require authentication on inbound connections, and to check for membership in the NAG. The connection attempt succeeds only if NAG membership is confirmed. +In this guide, the examples show server isolation layered on top of a domain isolation design. If you have an isolated domain, the client devices are already equipped with GPOs that require authentication. You only have to add settings to the isolated server(s) to require authentication on inbound connections, and to check for membership in the NAG. The connection attempt succeeds only if NAG membership is confirmed. ## Server isolation without domain isolation - -Server isolation can also be deployed by itself, to only the computers that must participate. The GPO on the server is no different from the one discussed in the previous paragraph for a server in an existing isolated domain. The difference is that you must also deploy a GPO with supporting connection security rules to the clients that must be able to communicate with the isolated server. Because those computers must be members of the NAG, that group can also be used in a security group filter on the client GPO. That GPO must contain rules that support the authentication requirements of the isolated server. +Server isolation can also be deployed by itself, to only the devices that must participate. The GPO on the server is no different from the one discussed in the previous paragraph for a server in an existing isolated domain. The difference is that you must also deploy a GPO with supporting connection security rules to the clients that must be able to communicate with the isolated server. Because those devices must be members of the NAG, that group can also be used in a security group filter on the client GPO. That GPO must contain rules that support the authentication requirements of the isolated server. In short, instead of applying the client GPO to all clients in the domain, you apply the GPO to only the members of the NAG. -If you do not have an Active Directory domain then you can manually apply the connection security rules to the client computers, or you can use a netsh command-line script (or Windows PowerShell in Windows 8 and Windows Server 2012) to help automate the configuration of the rules on larger numbers of computers. If you do not have an Active Directory domain, you cannot use the Kerberos V5 protocol, but instead must provide the clients and the isolated servers with certificates that are referenced in the connection security rules. +If you do not have an Active Directory domain, you can manually apply the connection security rules, use a netsh command-line script, or use a Windows PowerShell script to help automate the configuration of the rules on larger numbers of devices. If you do not have an Active Directory domain, you cannot use the Kerberos V5 protocol, but instead must provide the clients and the isolated servers with certificates that are referenced in the connection security rules. ## Design requirements - -In addition to the protection provided by the firewall rules and domain isolation described in the previous design examples, the network administrators want to implement server isolation to help protect the sensitive data stored on the computers that run SQL Server. +In addition to the protection provided by the firewall rules and domain isolation described in the previous design examples, the network administrators want to implement server isolation to help protect the sensitive data stored on the devices that run SQL Server. The following illustration shows the traffic protection needs for this design example. ![isolated server example](images/wfas-design3example1.gif) -1. Access to the SQL Server computers must be restricted to only those computer or user accounts that have a business requirement to access the data. This includes the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server computers. In addition, access is only granted when it is sent from an authorized computer. Authorization is determined by membership in a network access group (NAG). +1. Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. This includes the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it is sent from an authorized computer. Authorization is determined by membership in a network access group (NAG). -2. All network traffic to and from the SQL Server computers must be encrypted. +2. All network traffic to and from the SQL Server devices must be encrypted. -3. Client computers or users whose accounts are not members of the NAG cannot access the isolated servers. +3. Client devices or users whose accounts are not members of the NAG cannot access the isolated servers. **Other traffic notes:** @@ -48,40 +53,25 @@ The following illustration shows the traffic protection needs for this design ex ## Design details +Woodgrove Bank uses Active Directory groups and GPOs to deploy the server isolation settings and rules to the devices on its network. -Woodgrove Bank uses Active Directory groups and GPOs to deploy the server isolation settings and rules to the computers on its network. +As in the previously described policy design examples, GPOs to implement the domain isolation environment are linked to the domain container in Active Directory, and then WMI filters and security group filters are attached to GPOs to ensure that the correct GPO is applied to each computer. The following groups were created by using the Active Directory Users and Computers snap-in, and all devices that run Windows were added to the correct groups. -As in the previously described policy design examples, GPOs to implement the domain isolation environment are linked to the domain container in Active Directory, and then WMI filters and security group filters are attached to GPOs to ensure that the correct GPO is applied to each computer. The following groups were created by using the Active Directory Users and Computers snap-in, and all computers that run Windows were added to the correct groups. +- **CG\_SRVISO\_WGBANK\_SQL**. This group contains the computer accounts for the devices that run SQL Server. Members of this group receive a GPO with firewall and connections security rules that require that only users who are members of the group CG\_NAG\_SQL\_USERS can access the server, and only when they are using a computer that is a member of the group CG\_NAG\_SQL\_COMPUTERS. -- **CG\_SRVISO\_WGBANK\_SQL**. This group contains the computer accounts for the computers that run SQL Server. Members of this group receive a GPO with firewall and connections security rules that require that only users who are members of the group CG\_NAG\_SQL\_USERS can access the server, and only when they are using a computer that is a member of the group CG\_NAG\_SQL\_COMPUTERS. - -**Note**   -If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, computers that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any computers that are incorrectly assigned to more than one group. +>**Note:**  You can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. However, devices that are running older versions of Windows can only support a single IPsec policy being active at a time. The policies for each GPO must be complete (and to a great extent redundant with each other), because you cannot layer them as you can in the newer versions of Windows. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.   +Network access groups (NAGs) are not used to determine which GPOs are applied to a computer. Instead, these groups determine which users and devices can access the services on the isolated server. -Network access groups (NAGs) are not used to determine which GPOs are applied to a computer. Instead, these groups determine which users and computers can access the services on the isolated server. +- **CG\_NAG\_SQL\_COMPUTERS**. This network access group contains the computer accounts that are able to access the devices running SQL Server hosting the WGBank data. Members of this group include the WGBank front-end servers, and some client devices from which SQL Server administrators are permitted to work on the servers. -- **CG\_NAG\_SQL\_COMPUTERS**. This network access group contains the computer accounts that are able to access the computers running SQL Server hosting the WGBank data. Members of this group include the WGBank front-end servers, and some client computers from which SQL Server administrators are permitted to work on the servers. +- **CG\_NAG\_SQL\_USERS**. This network access group contains the user accounts of users who are permitted to access the SQL Server devices that host the WGBank data. Members of this group include the service account that the WGBank front-end program uses to run on its devices, and the user accounts for the SQL Server administration team members. -- **CG\_NAG\_SQL\_USERS**. This network access group contains the user accounts of users who are permitted to access the SQL Server computers that host the WGBank data. Members of this group include the service account that the WGBank front-end program uses to run on its computers, and the user accounts for the SQL Server administration team members. +>**Note:**  You can use a single group for both user and computer accounts. Woodgrove Bank chose to keep them separate for clarity. -**Note**   -You can use a single group for both user and computer accounts. Woodgrove Bank chose to keep them separate for clarity. +If Woodgrove Bank wants to implement server isolation without domain isolation, the CG\_NAG\_SQL\_COMPUTERS group can also be attached as a security group filter on the GPOs that apply connection security rules to the client devices. By doing this, all the devices that are authorized to access the isolated server also have the required connection security rules. -  - -If Woodgrove Bank wants to implement server isolation without domain isolation, the CG\_NAG\_SQL\_COMPUTERS group can also be attached as a security group filter on the GPOs that apply connection security rules to the client computers. By doing this, all the computers that are authorized to access the isolated server also have the required connection security rules. - -You do not have to include the encryption-capable rules on all computers. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption. +You do not have to include the encryption-capable rules on all devices. Instead, you can create GPOs that are applied only to members of the NAG, in addition to the standard domain isolation GPO, that contain connection security rules to support encryption. **Next: **[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md) - -  - -  - - - - - diff --git a/windows/keep-secure/server-isolation-policy-design.md b/windows/keep-secure/server-isolation-policy-design.md index c8671321c0..a2397773da 100644 --- a/windows/keep-secure/server-isolation-policy-design.md +++ b/windows/keep-secure/server-isolation-policy-design.md @@ -2,17 +2,24 @@ title: Server Isolation Policy Design (Windows 10) description: Server Isolation Policy Design ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Server Isolation Policy Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -In the server isolation policy design, you assign servers to a zone that allows access only to users and computers that authenticate as members of an approved network access group (NAG). +In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). This design typically begins with a network configured as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. For this design, you then create zones for servers that have additional security requirements. The zones can limit access to the server to only members of authorized groups, and can optionally require the encryption of all traffic in or out of these servers. This can be done on a per server basis, or for a group of servers that share common security requirements. -You can implement a server isolation design without using domain isolation. To do this, you use the same principles as domain isolation, but instead of applying them to an Active Directory domain, you apply them only to the computers that must be able to access the isolated servers. The GPO contains connection security and firewall rules that require authentication when communicating with the isolated servers. In this case, the NAGs that determine which users and computers can access the isolated server are also used to determine which computers receive the GPO. +You can implement a server isolation design without using domain isolation. To do this, you use the same principles as domain isolation, but instead of applying them to an Active Directory domain, you apply them only to the devices that must be able to access the isolated servers. The GPO contains connection security and firewall rules that require authentication when communicating with the isolated servers. In this case, the NAGs that determine which users and devices can access the isolated server are also used to determine which devices receive the GPO. The design is shown in the following illustration, with arrows that show the permitted communication paths. @@ -20,24 +27,21 @@ The design is shown in the following illustration, with arrows that show the per Characteristics of this design include the following: -- Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then computers in the boundary zone behave just like other members of the isolated domain in the way that they interact with computers in server isolation zones. +- Isolated domain (area A) - The same isolated domain described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) section. If the isolated domain includes a boundary zone, then devices in the boundary zone behave just like other members of the isolated domain in the way that they interact with devices in server isolation zones. -- Isolated servers (area B) - Computers in the server isolation zones restrict access to computers, and optionally users, that authenticate as a member of a network access group (NAG) authorized to gain access. +- Isolated servers (area B) - Devices in the server isolation zones restrict access to devices, and optionally users, that authenticate as a member of a network access group (NAG) authorized to gain access. - Encryption zone (area C) - If the data being exchanged is sufficiently sensitive, the connection security rules for the zone can also require that the network traffic be encrypted. Encryption zones are most often implemented as rules that are part of a server isolation zone, instead of as a separate zone. The diagram illustrates the concept as a subset for conceptual purposes only. To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules. -**Important**   -This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented. +>**Important:**  This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented. -  +This design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. -This design can be applied to computers that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. +For more info about this design: -For more information about this design: - -- This design coincides with the deployment goals to [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md), [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). +- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). @@ -45,15 +49,6 @@ For more information about this design: - To help you make the decisions required in this design, see [Planning Server Isolation Zones](planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md). -- For a list of tasks that you can use to deploy your server isolation policy design, see "Checklist: Implementing a Standalone Server Isolation Policy Design" in the [Windows Firewall with Advanced Security Deployment Guide](http://go.microsoft.com/fwlink/?linkid=xxxxx) at http://go.microsoft.com/fwlink/?linkid=xxxx. +- For a list of tasks that you can use to deploy your server isolation policy design, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). **Next: **[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) - -  - -  - - - - - From e1c9e1dc652f2d2acb8f9deb652707da6996a777 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Wed, 1 Jun 2016 16:45:43 -0700 Subject: [PATCH 09/26] updating for Windows 10 --- ...athering-information-about-your-devices.md | 54 +++++ ...t-devices-from-unwanted-network-traffic.md | 42 ++++ ...cess-to-only-specified-users-or-devices.md | 44 ++++ ...restrict-access-to-only-trusted-devices.md | 54 +++++ ...to-end-ipsec-connections-by-using-ikev2.md | 189 ++++++++++++++++++ 5 files changed, 383 insertions(+) create mode 100644 windows/keep-secure/gathering-information-about-your-devices.md create mode 100644 windows/keep-secure/protect-devices-from-unwanted-network-traffic.md create mode 100644 windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md create mode 100644 windows/keep-secure/restrict-access-to-only-trusted-devices.md create mode 100644 windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md diff --git a/windows/keep-secure/gathering-information-about-your-devices.md b/windows/keep-secure/gathering-information-about-your-devices.md new file mode 100644 index 0000000000..1f3b73fa21 --- /dev/null +++ b/windows/keep-secure/gathering-information-about-your-devices.md @@ -0,0 +1,54 @@ +--- +title: Gathering Information about Your Devices (Windows 10) +description: Gathering Information about Your Devices +ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Gathering Information about Your Devices + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. + +Capture the following information from each device: + +- **Computer name**. This name is the device's NetBIOS or DNS name that identifies the device on the network. Because a device can have more than one media access control (MAC) or IP address, the device's name is one of the criteria that can be used to determine uniqueness on the network. Because device names can be duplicated under some circumstances, the uniqueness should not be considered absolute. + +- **IP address for each network adapter**. The IP address is the address that is used with the subnet mask to identify a host on the network. An IP address is not an effective way to identify an asset because it is often subject to change. + +- **Operating system, service pack, and hotfix versions**. The operating system version is a key factor in determining the ability of a host to communicate by using IPsec. It is also important to track the current state of service packs and updates that might be installed, because these are often used to determine that minimum security standards have been met. + +- **Domain membership**. This information is used to determine whether a device can obtain IPsec policy from Active Directory or whether it must use a local IPsec policy. + +- **Physical location**. This information is just the location of the device in your organization. It can be used to determine whether a device can participate in a specific isolation group based on its location or the location of the devices that it communicates with regularly. + +- **Hardware type or role**. Some tools that perform host discovery can provide this information by querying the hardware information and running applications to determine its type, such as server, workstation, or portable device. You can use this information to determine the appropriate IPsec policy to assign, whether a specific device can participate in isolation, and in which isolation group to include the device. + +After collecting all this information and consolidating it into a database, perform regular discovery efforts periodically to keep the information current. You need the most complete and up-to-date picture of the managed hosts on their networks to create a design that matches your organization's requirements. + +You can use various methods to gather data from the hosts on the network. These methods range from high-end, fully automated systems to completely manual data collection. Generally, the use of automated methods to gather data is preferred over manual methods for reasons of speed and accuracy. + +## Automated Discovery + +Using an automated auditing network management system provides valuable information about the current state of the IT infrastructure. + + +## Manual Discovery + + +The biggest difference between manual discovery methods and automated methods is time. + +You can use Windows PowerShell to create a script file that can collect the system configuration information. For more information, see [Windows PowerShell Scripting](http://go.microsoft.com/fwlink/?linkid=110413). + +Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all additional changes must be recorded and the updates noted in the inventory. + +This inventory will be critical for planning and implementing your Windows Firewall with Advanced Security design. + +**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md) diff --git a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md new file mode 100644 index 0000000000..5191757d81 --- /dev/null +++ b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md @@ -0,0 +1,42 @@ +--- +title: Protect Devices from Unwanted Network Traffic (Windows 10) +description: Protect Devices from Unwanted Network Traffic +ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Protect Devices from Unwanted Network Traffic + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. + +Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](http://www.microsoft.com/security/sir/default.aspx). + +Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it is away from the organization's network. + +A host-based firewall helps secure a device by dropping all network traffic that does not match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](basic-firewall-policy-design.md), provides the following benefits: + +- Network traffic that is a reply to a request from the local device is permitted into the device from the network. + +- Network traffic that is unsolicited, but that matches a rule for allowed network traffic, is permitted into the device from the network. + + For example, Woodgrove Bank wants a device that is running SQL Server to be able to receive the SQL queries sent to it by client devices. The firewall policy deployed to the device that is running SQL Server includes firewall rules that specifically allow inbound network traffic for the SQL Server program. + +- Outbound network traffic that is not specifically blocked is allowed on the network. + + For example, Woodgrove Bank has a corporate policy that prohibits the use of certain peer-to-peer file sharing programs. The firewall policy deployed to the computers on the network includes firewall rules that block both inbound and outbound network traffic for the prohibited programs. All other outbound traffic is permitted. + +The following component is recommended for this deployment goal: + +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). + +Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations. + +**Next: **[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md new file mode 100644 index 0000000000..0197fbcba0 --- /dev/null +++ b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md @@ -0,0 +1,44 @@ +--- +title: Restrict Access to Only Specified Users or Devices (Windows 10) +description: Restrict Access to Only Specified Users or Devices +ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Restrict Access to Only Specified Users or Computers + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. + +Windows Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple devices in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)). + +Restricting access to only users and devices that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. + +You can restrict access by specifying either computer or user credentials. + +The following illustration shows an isolated server, and examples of devices that can and cannot communicate with it. Devices that are outside the Woodgrove corporate network, or computers that are in the isolated domain but are not members of the required NAG, cannot communicate with the isolated server. + +![isolated domain with network access groups](images/wfas-domainnag.gif) + +This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features: + +- Isolated servers accept unsolicited inbound network traffic only from devices or users that are members of the NAG. + +- Isolated servers can be implemented as part of an isolated domain, and treated as another zone. Members of the zone group receive a GPO with rules that require authentication, and that specify that only network traffic authenticated as coming from a member of the NAG is allowed. + +- Server isolation can also be configured independently of an isolated domain. To do so, configure only the devices that must communicate with the isolated server with connection security rules to implement authentication and check NAG membership. + +- A server isolation zone can be simultaneously configured as an encryption zone. To do this, configure the GPO with rules that force encryption in addition to requiring authentication and restricting access to NAG members. For more information, see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). + +The following components are required for this deployment goal: + +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. For more info about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). + +**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) diff --git a/windows/keep-secure/restrict-access-to-only-trusted-devices.md b/windows/keep-secure/restrict-access-to-only-trusted-devices.md new file mode 100644 index 0000000000..be3854af23 --- /dev/null +++ b/windows/keep-secure/restrict-access-to-only-trusted-devices.md @@ -0,0 +1,54 @@ +--- +title: Restrict Access to Only Trusted Devices (Windows 10) +description: Restrict Access to Only Trusted Devices +ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Restrict Access to Only Trusted Devices + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. + +To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. + +>**Note:**  Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain. + +The protection provided by domain isolation can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. + +The following illustration shows an isolated domain, with one of the zones that are optionally part of the design. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory. + +![domain isolation](images/wfas-domainiso.gif) + +These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits: + +- Devices in the isolated domain accept unsolicited inbound network traffic only when it can be authenticated as coming from another device in the isolated domain. Exemption rules can be defined to allow inbound traffic from trusted computers that for some reason cannot perform IPsec authentication. + + For example, Woodgrove Bank wants all of its devices to block all unsolicited inbound network traffic from any device that it does not manage. The connection security rules deployed to domain member devices require authentication as a domain member or by using a certificate before an unsolicited inbound network packet is accepted. + +- Devices in the isolated domain can still send outbound network traffic to untrusted devices and receive the responses to the outbound requests. + + For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Firewall with Advanced Security settings for outbound network traffic allow this. No additional rules are required. + +These goals also support optional zones that can be created to add customized protection to meet the needs of subsets of an organization's devices: + +- Devices in the "boundary zone" are configured to use connection security rules that request but do not require authentication. This enables them to receive unsolicited inbound network traffic from untrusted devices, and also to receive traffic from the other members of the isolated domain. + + For example, Woodgrove Bank has a server that must be accessed by its partners' devices through the Internet. The rules applied to devices in the boundary zone use authentication when the client device can support it, but do not block the connection if the client device cannot authenticate. + +- Devices in the "encryption zone" require that all network traffic in and out must be encrypted to secure potentially sensitive material when it is sent over the network. + + For example, Woodgrove Bank wants the devices running SQL Server to only transmit data that is encrypted to help protect the sensitive data stored on those devices. + +The following components are required for this deployment goal: + +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. For more info about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). + +**Next: **[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md) diff --git a/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md new file mode 100644 index 0000000000..fa9c66bfb4 --- /dev/null +++ b/windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -0,0 +1,189 @@ +--- +title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows 10) +description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Securing End-to-End IPsec connections by using IKEv2 + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +IKEv2 offers the following: + +- Supports IPsec end-to-end transport mode connections + +- Provides interoperability for Windows with other operating systems that use IKEv2 for end-to-end security + +- Supports Suite B (RFC 4869) requirements + +- Coexists with existing policies that deploy AuthIP/IKEv1 + +- Uses the Windows PowerShell interface exclusively for configuration. You cannot configure IKEv2 through the user interface. + +- Uses certificates for the authentication mechanism + +You can use IKEv2 as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection. + +**In this document** + +- [Prerequisites](#prerequisites) + +- [Devices joined to a domain](#devices-joined-to-a-domain) + +- [Device not joined to a domain](#devices-not-joined-to-a-domain) + +- [Troubleshooting](#troubleshooting) + +>**Note:**  This topic includes sample Windows PowerShell cmdlets. For more info, see [How to Run a Windows PowerShell Cmdlet](http://go.microsoft.com/fwlink/p/?linkid=230693). + +## Prerequisites + +These procedures assume that you already have a public key infrastructure (PKI) in place for device authentication. + +## Devices joined to a domain + +The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1. + +![the contoso corporate network](images/corpnet.gif) + +**Figure 1** The Contoso corporate network + +This script does the following: + +- Creates a security group called **IPsec client and servers** and adds CLIENT1 and SERVER1 as members. + +- Creates a Group Policy Object (GPO) called **IPsecRequireInRequestOut** and links it to the corp.contoso.com domain. + +- Sets the permissions to the GPO so that they apply only to the computers in **IPsec client and servers** and not to **Authenticated Users**. + +- Indicates the certificate to use for authentication. + + >**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. + +- Creates the IKEv2 connection security rule called **My IKEv2 Rule**. + +![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** + +Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. + +``` syntax +# Create a Security Group for the computers that will get the policy +$pathname = (Get-ADDomain).distinguishedname +New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" ` +-GroupCategory security -GroupScope Global -path $pathname + +# Add test computers to the Security Group +$computer = Get-ADComputer -LDAPFilter "(name=client1)" +Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer +$computer = Get-ADComputer -LDAPFilter "(name=server1)" +Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer + +# Create and link the GPO to the domain +$gpo = New-gpo IPsecRequireInRequestOut +$gpo | new-gplink -target "dc=corp,dc=contoso,dc=com" -LinkEnabled Yes + +# Set permissions to security group for the GPO +$gpo | Set-GPPermissions -TargetName "IPsec client and servers" -TargetType Group -PermissionLevel GpoApply -Replace +$gpo | Set-GPPermissions -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace + +#Set up the certificate for authentication +$gponame = "corp.contoso.com\IPsecRequireInRequestOut" +$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" +$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop –PolicyStore GPO:$gponame + +#Create the IKEv2 Connection Security rule +New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID ` +-InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 -PolicyStore GPO:$gponame +``` + +## Devices not joined to a domain + +Use a Windows PowerShell script similar to the following to create a local IPsec policy on the devices that you want to include in the secure connection. + +>**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors. + +![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands** + +Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. + +``` syntax +#Set up the certificate +$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" +$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop + +#Create the IKEv2 Connection Security rule +New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID ` +-InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 +``` + +Make sure that you install the required certificates on the participating computers. + +>**Note:**   +- For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](http://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys). +- You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder. +- For remote devices, you can create a secure website to facilitate access to the script and certificates. + +## Troubleshooting + +Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: + +**Use the Windows Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.** + +1. Open the Windows Firewall with Advanced Security console. + +2. In the left pane of the Windows Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule. + +3. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile. + +**Use Windows PowerShell cmdlets to display the security associations.** + +1. Open a Windows PowerShell command prompt. + +2. Type **get-NetIPsecQuickModeSA** to display the Quick Mode security associations. + +3. Type **get-NetIPsecMainModeSA** to display the Main Mode security associations. + +**Use netsh to capture IPsec events.** + +1. Open an elevated command prompt. + +2. At the command prompt, type **netsh wfp capture start**. + +3. Reproduce the error event so that it can be captured. + +4. At the command prompt, type **netsh wfp capture stop**. + + A wfpdiag.cab file is created in the current folder. + +5. Open the cab file, and then extract the wfpdiag.xml file. + +6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file: + + ``` syntax + + ERROR_IPSEC_IKE_NO_CERT + 32 + + ``` + In this example, there are 32 instances of the **ERROR\_IPSEC\_IKE\_NO\_CERT** error. So now you can search for **ERROR\_IPSEC\_IKE\_NO\_CERT** to get more details regarding this error. + +You might not find the exact answer for the issue, but you can find good hints. For example, you might find that there seems to be an issue with the certificates, so you can look at your certificates and the related cmdlets for possible issues. + +## See also + +- [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) + +  + +  + + + + + From 8863c8459e010a6b73e4d623e950bb9313751f36 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 2 Jun 2016 11:44:45 -0700 Subject: [PATCH 10/26] updating topics for Windows 10 6/2/2016 --- windows/keep-secure/TOC.md | 6 +- .../additional-resources-wfasdesign.md | 67 ------- .../additional-resourceswfas-deploy.md | 64 ------ ...e-files-for-settings-used-in-this-guide.md | 23 +-- windows/keep-secure/boundary-zone-gpos.md | 27 ++- windows/keep-secure/boundary-zone.md | 37 ++-- ...ist-configuring-basic-firewall-settings.md | 59 ++---- ...uring-rules-for-an-isolated-server-zone.md | 130 +++---------- ...rs-in-a-standalone-isolated-server-zone.md | 134 +++---------- ...configuring-rules-for-the-boundary-zone.md | 73 ++----- ...nfiguring-rules-for-the-encryption-zone.md | 76 ++------ ...nfiguring-rules-for-the-isolated-domain.md | 112 ++--------- ...checklist-creating-group-policy-objects.md | 98 +++------- ...ecklist-creating-inbound-firewall-rules.md | 60 ++---- ...cklist-creating-outbound-firewall-rules.md | 52 ++--- ...ts-of-a-standalone-isolated-server-zone.md | 109 ++--------- ...ementing-a-basic-firewall-policy-design.md | 103 ++-------- ...rtificate-based-isolation-policy-design.md | 78 ++------ ...enting-a-domain-isolation-policy-design.md | 92 ++------- ...andalone-server-isolation-policy-design.md | 84 ++------ ...ing-the-trusted-state-of-your-computers.md | 184 ------------------ ...ining-the-trusted-state-of-your-devices.md | 139 +++++++++++++ windows/keep-secure/documenting-the-zones.md | 84 ++------ windows/keep-secure/encryption-zone-gpos.md | 22 +-- windows/keep-secure/encryption-zone.md | 37 ++-- windows/keep-secure/exemption-list.md | 34 ++-- windows/keep-secure/firewall-gpos.md | 18 +- ...ndary-ws2008.md => gpo-domiso-boundary.md} | 29 ++- ...ion-ws2008.md => gpo-domiso-encryption.md} | 0 windows/keep-secure/gpo-domiso-firewall.md | 27 +-- .../gpo-domiso-isolateddomain-clients.md | 160 +++------------ .../gpo-domiso-isolateddomain-servers.md | 26 ++- ...with-advanced-security-deployment-goals.md | 8 +- ...wall-with-advanced-security-design-plan.md | 26 ++- windows/keep-secure/isolated-domain-gpos.md | 18 +- windows/keep-secure/isolated-domain.md | 40 ++-- ...-firewall-with-advanced-security-design.md | 6 +- ...anning-certificate-based-authentication.md | 44 ++--- .../planning-domain-isolation-zones.md | 20 +- .../keep-secure/planning-gpo-deployment.md | 108 +++++----- ...icy-deployment-for-your-isolation-zones.md | 20 +- ...planning-isolation-groups-for-the-zones.md | 74 ++----- .../planning-network-access-groups.md | 65 ++----- .../planning-server-isolation-zones.md | 54 ++--- ...ng-settings-for-a-basic-firewall-policy.md | 34 ++-- windows/keep-secure/planning-the-gpos.md | 37 ++-- ...windows-firewall-with-advanced-security.md | 27 ++- ...-firewall-with-advanced-security-design.md | 49 +++-- ...n-accessing-sensitive-network-resources.md | 2 +- windows/keep-secure/server-isolation-gpos.md | 29 ++- ...with-advanced-security-deployment-guide.md | 46 ++--- 51 files changed, 835 insertions(+), 2116 deletions(-) delete mode 100644 windows/keep-secure/additional-resources-wfasdesign.md delete mode 100644 windows/keep-secure/additional-resourceswfas-deploy.md delete mode 100644 windows/keep-secure/determining-the-trusted-state-of-your-computers.md create mode 100644 windows/keep-secure/determining-the-trusted-state-of-your-devices.md rename windows/keep-secure/{gpo-domiso-boundary-ws2008.md => gpo-domiso-boundary.md} (60%) rename windows/keep-secure/{gpo-domiso-encryption-ws2008.md => gpo-domiso-encryption.md} (100%) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 89aee60958..e035651dd8 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -439,7 +439,7 @@ ###### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) ###### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) ###### [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md) -###### [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md) +###### [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-devices.md) ##### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) ###### [Basic Firewall Policy Design](basic-firewall-policy-design.md) ###### [Domain Isolation Policy Design](domain-isolation-policy-design.md) @@ -454,9 +454,9 @@ ###### [Gathering the Information You Need](gathering-the-information-you-need.md) ####### [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md) ####### [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) -####### [Gathering Information about Your Computers](gathering-information-about-your-computers.md) +####### [Gathering Information about Your Computers](gathering-information-about-your-devices.md) ####### [Gathering Other Relevant Information](gathering-other-relevant-information.md) -###### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-computers.md) +###### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md) ##### [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) ###### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) ###### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) diff --git a/windows/keep-secure/additional-resources-wfasdesign.md b/windows/keep-secure/additional-resources-wfasdesign.md deleted file mode 100644 index 1e524c920a..0000000000 --- a/windows/keep-secure/additional-resources-wfasdesign.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -title: Additional Resources (Windows 10) -description: Additional Resources -ms.assetid: 74897052-508d-49b9-911c-5902a1fb0d26 -author: brianlic-msft ---- - -# Additional Resources - - -For more information about the technologies discussed in this guide, see topics referenced in the following sections. - -## Windows Firewall with Advanced Security - - -- [Windows Firewall with Advanced Security Overview](http://technet.microsoft.com/library/hh831365) (http://technet.microsoft.com/library/hh831365) - - This TechNet page contains links to a variety of documents available for Windows Firewall with Advanced Security. - -## IPsec - - -- [IPsec](http://technet.microsoft.com/network/bb531150.aspx) (http://technet.microsoft.com/network/bb531150.aspx) - - This TechNet page contains links to a variety of documents currently available for Internet Protocol security (IPsec) for Windows available as connection security rules. - -## Server and Domain Isolation - - -- [Server and Domain Isolation](http://technet.microsoft.com/network/bb545651.aspx) (http://technet.microsoft.com/network/bb545651.aspx) - - This TechNet page contains links to documentation about the most common uses for IPsec: server isolation and domain isolation. - -## Group Policy - - -Group Policy is a key method for implementing firewall and server and domain isolation designs. - -For more information about Group Policy and related technologies, see: - -- **Group Policy**[Group Policy Overview](http://technet.microsoft.com/library/hh831791) (http://technet.microsoft.com/library/hh831791) - - This page contains links to the documents currently available for Group Policy. - -- [WMI Filtering Using GPMC](http://technet.microsoft.com/library/6237b9b2-4a21-425e-8976-2065d28b3147) (http://technet.microsoft.com/library/6237b9b2-4a21-425e-8976-2065d28b3147) - -- [HOWTO: Leverage Group Policies with WMI Filters](http://support.microsoft.com/kb/555253) (http://support.microsoft.com/kb/555253) - - This article describes how to create a WMI filter to set the scope of a GPO based on computer attributes, such as operating system. - -## Active Directory Domain Services - - -Organizations can use AD DS to manage users and resources, such as computers, printers, or applications, on a network. Server isolation and domain isolation also require AD DS to use the Kerberos V5 protocol for IPsec authentication. - -For more information about AD DS and related technologies, see: - -- [Active Directory Domain Services Overview](http://technet.microsoft.com/library/hh831484) (http://technet.microsoft.com/library/hh831484) - -  - -  - - - - - diff --git a/windows/keep-secure/additional-resourceswfas-deploy.md b/windows/keep-secure/additional-resourceswfas-deploy.md deleted file mode 100644 index 3a4efaa457..0000000000 --- a/windows/keep-secure/additional-resourceswfas-deploy.md +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Additional Resources (Windows 10) -description: Additional Resources -ms.assetid: 09bdec5d-8a3f-448c-bc48-d4cb41f9c6e8 -author: brianlic-msft ---- - -# Additional Resources - - -For more information about the technologies discussed in this guide, see topics referenced in the following sections. - -## Windows Firewall with Advanced Security - - -- [Windows Firewall with Advanced Security Overview](http://technet.microsoft.com/library/hh831365.aspx) (http://technet.microsoft.com/library/hh831365.aspx) - - This TechNet page contains links to a variety of documents available for Windows Firewall with Advanced Security in Windows Server 2012. - -- [Troubleshooting Windows Firewall with Advanced Security in Windows Server 2012](http://social.technet.microsoft.com/wiki/contents/articles/13894.troubleshooting-windows-firewall-with-advanced-security-in-windows-server-2012.aspx#z6d72b831d4c24158874a04e9e9d37c43) - - This wiki article describes how Windows Firewall with Advanced Security works, what the common troubleshooting situations are, and which tools you can use for troubleshooting. The community is encouraged to add their troubleshooting and experiences to this article. - -## IPsec - - -- [IPsec](http://www.microsoft.com/ipsec) (http://www.microsoft.com/ipsec) - - This TechNet page contains links to a variety of documents currently available for Internet Protocol security (IPsec) in Windows. - -## Group Policy - - -Group Policy is a key method for implementing firewall and server and domain isolation designs. - -For more information about Group Policy and related technologies, see: - -- [Group Policy Overview](http://technet.microsoft.com/library/hh831791.aspx) (http://technet.microsoft.com/library/hh831791.aspx) - - This page contains links to the documents currently available for Group Policy. - -- [WMI Filtering Using GPMC](http://go.microsoft.com/fwlink/?linkid=93188) (http://go.microsoft.com/fwlink/?linkid=93188) - -- [HOWTO: Leverage Group Policies with WMI Filters](http://go.microsoft.com/fwlink/?linkid=93760) (http://go.microsoft.com/fwlink/?linkid=93760) - - This article describes how to create a WMI filter to set the scope of a GPO based on computer attributes, such as operating system. - -## Active Directory Domain Services - - -In Windows 8 and Windows Server 2012, organizations can use AD DS to manage users and resources, such as computers, printers, or applications, on a network. Server isolation and domain isolation also require AD DS to use the Kerberos V5 protocol for IPsec authentication. - -For more information about AD DS and related technologies, see: - -- [Active Directory Domain Services Overview](http://technet.microsoft.com/library/hh831484.aspx) (http://technet.microsoft.com/library/hh831484.aspx) - -  - -  - - - - - diff --git a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index 078ccc621c..f72093bb1e 100644 --- a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -2,13 +2,20 @@ title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10) description: Appendix A Sample GPO Template Files for Settings Used in this Guide ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Appendix A: Sample GPO Template Files for Settings Used in this Guide +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). Creating registry setting preferences as described here was first implemented in Windows Server 2008 and Windows Vista with Service Pack 1 (SP1). +You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). To manually create the file, build the settings under **Computer Configuration**, **Preferences**, **Windows Settings**, **Registry**. After you have created the settings, drag the container to the desktop. An .xml file is created there. @@ -16,10 +23,7 @@ To import an .xml file to GPMC, drag it and drop it on the **Registry** node und The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply. -**Note**   -The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization. - -  +>**Note:**  The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization. ``` syntax @@ -87,12 +91,3 @@ The file shown here is for sample use only. It should be customized to meet the ``` - -  - -  - - - - - diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/keep-secure/boundary-zone-gpos.md index e8e136ef00..a9a8a4d8a0 100644 --- a/windows/keep-secure/boundary-zone-gpos.md +++ b/windows/keep-secure/boundary-zone-gpos.md @@ -2,32 +2,27 @@ title: Boundary Zone GPOs (Windows 10) description: Boundary Zone GPOs ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Boundary Zone GPOs +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -All the computers in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. +All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. -**Note**   -If you are designing GPOs for only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any computers that are incorrectly assigned to more than one group. - -  +>**Note:**  If you are designing GPOs for at least Windows Vista or Windows Server 2008, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group. This means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone. -The boundary zone GPOs discussed in this guide are only for server versions of Windows because client computers are not expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows. +The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices are not expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows. -In the Woodgrove Bank example, only the GPO settings for a Web service on Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 are discussed. +In the Woodgrove Bank example, only the GPO settings for a Web service on at least Windows Server 2008 are discussed. - [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary-ws2008.md) - -  - -  - - - - - diff --git a/windows/keep-secure/boundary-zone.md b/windows/keep-secure/boundary-zone.md index e6e1d51bec..b44e15fdc1 100644 --- a/windows/keep-secure/boundary-zone.md +++ b/windows/keep-secure/boundary-zone.md @@ -2,32 +2,39 @@ title: Boundary Zone (Windows 10) description: Boundary Zone ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Boundary Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -In most organizations, some computers must be able to receive network traffic from computers that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted computers, create a boundary zone within your isolated domain. +In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. -Computers in the boundary zone are trusted computers that can accept communication requests both from other isolated domain member computers and from untrusted computers. Boundary zone computers try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating computer. +Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device. The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it. -Because these boundary zone computers can receive unsolicited inbound communications from untrusted computers that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a computer to the boundary zone. For example, completing a formal business justification process before adding each computer to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision. +Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision. ![design flowchart](images/wfas-designflowchart1.gif) -The goal of this process is to determine whether the risk of adding a computer to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied. +The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied. You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain. Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. -## GPO settings for boundary zone servers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 +## GPO settings for boundary zone servers running at least Windows Server 2008 -The boundary zone GPO for computers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 should include the following: +The boundary zone GPO for devices running at least Windows Server 2008 should include the following: - IPsec default settings that specify the following options: @@ -39,11 +46,11 @@ The boundary zone GPO for computers running Windows Server 2012, Windows Server If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. - 4. Authentication methods. Include at least computer-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method. - The following connection security rules: - - A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. - A connection security rule, from **Any IP address** to **Any IP address**, that requests inbound and outbound authentication. @@ -51,18 +58,6 @@ The boundary zone GPO for computers running Windows Server 2012, Windows Server - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. - **Note**   - For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) - -   + >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) **Next: **[Encryption Zone](encryption-zone.md) - -  - -  - - - - - diff --git a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md index 93ba95bbff..979ef0e243 100644 --- a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md +++ b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md @@ -2,58 +2,25 @@ title: Checklist Configuring Basic Firewall Settings (Windows 10) description: Checklist Configuring Basic Firewall Settings ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Configuring Basic Firewall Settings +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. -## - - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring firewall defaults and settings** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Turn the firewall on and set the default inbound and outbound behavior.

Procedure topic[Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)

_

Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules.

Procedure topic[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)

_

Configure the firewall to record a log file.

Procedure topic[Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)

- -  - -  - -  - - - - +**Checklist: Configuring firewall defaults and settings** +| Task | Reference | +| - | - | +| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| +| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) | +| Configure the firewall to record a log file. | [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)| diff --git a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md index 3fe907d8cd..a3cd9303ca 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -2,124 +2,42 @@ title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10) description: Checklist Configuring Rules for an Isolated Server Zone ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Configuring Rules for an Isolated Server Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). -In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or computers who are authenticated members of a network access group (NAG). Computers that are running Windows 2000, Windows XP, or Windows Server 2003 can restrict access in IPsec only to computers that are members of the NAG, because IPsec and IKE in those versions of Windows do not support user-based authentication. If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer. +In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or devices who are authenticated members of a network access group (NAG). If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer. -Computers that are running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 can identify both computers and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication. For more information, see “AuthIP in Windows Vista” (). +Devices that are running at least Windows Vista and Windows Server 2008 can identify both devices and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication. The GPOs for an isolated server or group of servers are similar to those for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules as well as restrictions that allow only members of the NAG to connect to the server. -## +**Checklist: Configuring rules for isolated servers** - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring rules for isolated servers for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2** - -**Note**   -The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy. - -  - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

-

Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone.

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption.

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used.

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that requests authentication for all network traffic.

-
-Important   -

Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.

-
-
-  -

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create the NAG to contain the computer or user accounts that are allowed to access the servers in the isolated server zone.

Procedure topic[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)

_

Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG.

Procedure topic[Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

- -  +| Task | Reference | +| - | - | +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.
Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Create a rule that requests authentication for all network traffic.
**Important:** Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| +| Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. - -  - -  - - - - - diff --git a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index 6d2a88909f..f954a6f45e 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -2,125 +2,39 @@ title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10) description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or computers that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client computers that connect to them. For the GPOs for the client computers, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). +This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server. -## - - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring rules for isolated servers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - -**Note**   -The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then create a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy. +**Checklist: Configuring rules for isolated servers** +| Task | Reference | +| - | - | +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) | +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| +| Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional.| [Configure Authentication Methods](configure-authentication-methods.md) | +| Create a rule that requests authentication for all inbound network traffic.

**Important:** Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| +| Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) | +| Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|   - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Create a GPO for the computers that need to have access restricted to the same set of client computers. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

Checklist topic[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)

-

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the computers for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used.

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used. This procedure sets the default settings for the computer. If you want to set authentication on a per-rule basis, this procedure is optional.

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that requests authentication for all inbound network traffic.

-
-Important   -

Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.

-
-
-  -

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it.

Procedure topic[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create the NAG to contain the computer or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client computers, then create a NAG for each set of servers.

Procedure topic[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)

_

Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or computer that is a member of the zone’s NAG.

Procedure topic[Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

- -  - Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. - -  - -  - - - - - diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md index bd93a5e321..899be3e221 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md @@ -2,72 +2,31 @@ title: Checklist Configuring Rules for the Boundary Zone (Windows 10) description: Checklist Configuring Rules for the Boundary Zone ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Configuring Rules for the Boundary Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. Rules for the boundary zone are typically the same as those for the isolated domain, with the exception that the final rule is left to only request, not require, authentication. -## - - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring boundary zone rules for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - -A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.

Procedure topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

_

Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted.

Procedure topic[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)

- -  - -  - -  - - - +**Checklist: Configuring boundary zone rules** +This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs. +| Task | Reference | +| - | - | +| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) | +| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md index c90e28f60a..f0d1aab7e7 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md @@ -2,74 +2,32 @@ title: Checklist Configuring Rules for the Encryption Zone (Windows 10) description: Checklist Configuring Rules for the Encryption Zone ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Configuring Rules for the Encryption Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. Rules for the encryption zone are typically the same as those for the isolated domain, with the exception that the main rule requires encryption in addition to authentication. -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring encryption zone rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - -A GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 can simply be copied and then customized. This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.

Procedure topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Add the encryption requirements for the zone.

Procedure topic[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

_

Verify that the connection security rules are protecting network traffic.

Procedure topic[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)

- -  - -  - -  - - - +**Checklist: Configuring encryption zone rules** +This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. +| Task | Reference | +| - | - | +| Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security rules are protecting network traffic.| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md index 84b4f69a88..bec1da29f6 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md @@ -2,106 +2,36 @@ title: Checklist Configuring Rules for the Isolated Domain (Windows 10) description: Checklist Configuring Rules for the Isolated Domain ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Configuring Rules for the Isolated Domain +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. -## - - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring isolated domain rules for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - -**Note**   -The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other operating system. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy. - -  - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.

Checklist topic[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)

-

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used.

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used.

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create the rule that requests authentication for all inbound network traffic.

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Link the GPO to the domain level of the AD DS organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

_

Verify that the connection security rules are protecting network traffic to and from the test computers.

Procedure topic[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)

+**Checklist: Configuring isolated domain rules** +| Task | Reference | +| - | - | +| Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)| +| Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|   Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. - -  - -  - - - - - diff --git a/windows/keep-secure/checklist-creating-group-policy-objects.md b/windows/keep-secure/checklist-creating-group-policy-objects.md index 698ddd1336..b846638c4e 100644 --- a/windows/keep-secure/checklist-creating-group-policy-objects.md +++ b/windows/keep-secure/checklist-creating-group-policy-objects.md @@ -2,96 +2,42 @@ title: Checklist Creating Group Policy Objects (Windows 10) description: Checklist Creating Group Policy Objects ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Creating Group Policy Objects +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a computer into a membership group. +To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group. The checklists for firewall, domain isolation, and server isolation include a link to this checklist. ## About membership groups - -For most GPO deployment tasks, you must determine which computers must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a computer, you make that computer's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. +For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. ## About exclusion groups +A Windows Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. -A Windows Firewall with Advanced Security design must often take into account domain-joined computers on the network that cannot or must not apply the rules and settings in the GPOs. Because these computers are typically fewer in number than the computers that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception computers into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a computer that is a member of both the membership group and the exception group is prevented from applying the GPO. Computers typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. - -You can also use a membership group for one zone as an exclusion group for another zone. For example, computers in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Creating Group Policy objects** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.

Procedure topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Procedure topic[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)

_

Create the membership group in AD DS that will be used to contain computer accounts that must receive the GPO.

-

If some computers in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the computer accounts for the computers that cannot be blocked by using a WMI filter.

Procedure topic[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)

_

Create a GPO for each version of Windows that has different implementation requirements.

Procedure topic[Create a Group Policy Object](create-a-group-policy-object.md)

_

Create security group filters to limit the GPO to only computers that are members of the membership group and to exclude computers that are members of the exclusion group.

Procedure topic[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)

_

Create WMI filters to limit each GPO to only the computers that match the criteria in the filter.

Procedure topic[Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)

_

If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Before adding any rules or configuring the GPO, add a few test computers to the membership group, and make sure that the correct GPO is received and applied to each member of the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

- -  - -  - -  - - - +You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. +**Checklist: Creating Group Policy objects** +| Task | Reference | +| - | - | +| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| +| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.
If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| +| Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) | +| Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) | +| Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) | +| If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) | +| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | diff --git a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md index c62910188e..16681cba2a 100644 --- a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md +++ b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md @@ -2,60 +2,30 @@ title: Checklist Creating Inbound Firewall Rules (Windows 10) description: Checklist Creating Inbound Firewall Rules ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Creating Inbound Firewall Rules +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This checklist includes tasks for creating firewall rules in your GPOs. -## +**Checklist: Creating inbound firewall rules** - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Creating inbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires.

Procedure topic[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create a rule that allows inbound network traffic on a specified port number.

Procedure topic[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create a rule that allows inbound ICMP network traffic.

Procedure topic[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create rules that allow inbound RPC network traffic.

Procedure topic[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service.

Procedure topic[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+| Task | Reference | +| - | - | +| Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)| +| Create a rule that allows inbound network traffic on a specified port number. | [Create an Inbound Port Rule](create-an-inbound-port-rule.md)| +| Create a rule that allows inbound ICMP network traffic. | [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)| +| Create rules that allow inbound RPC network traffic. | [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)| +| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)|   diff --git a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md index 0e6115009a..22b8d892c8 100644 --- a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md +++ b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md @@ -2,52 +2,30 @@ title: Checklist Creating Outbound Firewall Rules (Windows 10) description: Checklist Creating Outbound Firewall Rules ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Creating Outbound Firewall Rules +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This checklist includes tasks for creating outbound firewall rules in your GPOs. Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 support the use of outbound rules. +This checklist includes tasks for creating outbound firewall rules in your GPOs. -**Important**   -By default, in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create. +>**Important:**  By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create. -  +**Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Create a rule that allows a program to send any outbound network traffic on any port it requires.

Procedure topic[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Create a rule that allows outbound network traffic on a specified port number.

Procedure topic[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

_

Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service.

Procedure topic[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)

+| Task | Reference | +| - | - | +| Create a rule that allows a program to send any outbound network traffic on any port it requires. | [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)| +| Create a rule that allows outbound network traffic on a specified port number. | [Create an Outbound Port Rule](create-an-outbound-port-rule.md)| +| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)|   diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index 843f11e525..c7701cd4f8 100644 --- a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -2,99 +2,32 @@ title: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone (Windows 10) description: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client computers that must connect to servers in an isolated server zone. - -## - - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif)**Checklist: Configuring isolated server zone client rules for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** - -**Note**   -The GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 are usually similar. If this is true for your design, create one GPO, configure it by using the tasks in this checklist, and then create a copy of the GPO. For example, create and configure the GPO for Windows 8, create a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the required changes (if any) to the copy. - -  - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Create a GPO for the client computers that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.

Checklist topic[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)

-

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

To determine which computers receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.

Checklist topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure IPsec to exempt all ICMP network traffic from IPsec protection.

Procedure topic[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec.

Procedure topic[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the key exchange (main mode) security methods and algorithms to be used.

Procedure topic[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the data protection (quick mode) algorithm combinations to be used.

Procedure topic[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Configure the authentication methods to be used.

Procedure topic[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with computers that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.

Procedure topic[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add your test computers to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

- -  - -  - -  - - - +This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. +**Checklist: Configuring isolated server zone client rules** +| Task | Reference | +| - | - | +| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| +| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange--main-mode--settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection--quick-mode--settings.md)| +| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| +| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add your test devices to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md index 1c3c8530e2..f72a945895 100644 --- a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md @@ -2,96 +2,35 @@ title: Checklist Implementing a Basic Firewall Policy Design (Windows 10) description: Checklist Implementing a Basic Firewall Policy Design ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Implementing a Basic Firewall Policy Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. -**Note**   -Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. - -The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](http://technet.microsoft.com/library/hh831755.aspx) at http://technet.microsoft.com/library/hh831755.aspx. - -  - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif) **Checklist: Implementing a basic firewall policy design** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization.

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Conceptual topic[Basic Firewall Policy Design](basic-firewall-policy-design.md)

-

Conceptual topic[Firewall Policy Design Example](firewall-policy-design-example.md)

-

Conceptual topic[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)

_

Create the membership group and a GPO for each set of computers that require different firewall rules. Where GPOs will be similar, such as for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 8, make a copy of it for Windows Server 2012, and then follow the steps in this checklist to make the few required changes to the copy.

Checklist topic[Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)

-

Checklist topic[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)

_

If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the computers for which this GPO is intended.

Procedure topic[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)

_

Configure the GPO with firewall default settings appropriate for your design.

Checklist topic[Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)

_

Create one or more inbound firewall rules to allow unsolicited inbound network traffic.

Checklist topic[Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)

_

Create one or more outbound firewall rules to block unwanted outbound network traffic.

Checklist topic[Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)

_

Link the GPO to the domain level of the Active Directory organizational unit hierarchy.

Procedure topic[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)

_

Add test computers to the membership group, and then confirm that the computers receive the firewall rules from the GPOs as expected.

Procedure topic[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)

_

According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy the completed firewall policy settings to your computers.

Procedure topic[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)

- -  - -  - -  - - +>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. +The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). + **Checklist: Implementing a basic firewall policy design** +| Task | Reference | +| - | - | +| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| +| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016 Technical Preview, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016 Technical Preview, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| +| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| +| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| +| Create one or more outbound firewall rules to block unwanted outbound network traffic. | [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)| +| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| +| Add test devices to the membership group, and then confirm that the devices receive the firewall rules from the GPOs as expected.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| +| According to the testing and roll-out schedule in your design plan, add device accounts to the membership group to deploy the completed firewall policy settings to your devices. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md index 67dfdd611b..23e5c64172 100644 --- a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -2,75 +2,29 @@ title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10) description: Checklist Implementing a Certificate-based Isolation Policy Design ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Implementing a Certificate-based Isolation Policy Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. -**Note**   -Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist - -The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](http://technet.microsoft.com/library/hh831755.aspx) at http://technet.microsoft.com/library/hh831755.aspx. - -  - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif) **Checklist: Implementing certificate-based authentication** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Conceptual topic[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)

-

Conceptual topic[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)

-

Conceptual topic[Planning Certificate-based Authentication](planning-certificate-based-authentication.md)

_

Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.

Procedure topic[Install Active Directory Certificate Services](install-active-directory-certificate-services.md)

_

Configure the certificate template for workstation authentication certificates.

Procedure topic[Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md)

_

Configure Group Policy to automatically deploy certificates based on your template to workstation computers.

Procedure topic[Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)

_

On a test computer, refresh Group Policy and confirm that the certificate is installed.

Procedure topic[Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)

- -  - -  - -  - - - +>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist +**Checklist: Implementing certificate-based authentication** +| Task | Reference | +| - | - | +| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | +| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| [Install Active Directory Certificate Services](install-active-directory-certificate-services.md) | +| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md)| +| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| +| On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md index 1bb54f22dd..f89ac11201 100644 --- a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md @@ -2,87 +2,33 @@ title: Checklist Implementing a Domain Isolation Policy Design (Windows 10) description: Checklist Implementing a Domain Isolation Policy Design ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Implementing a Domain Isolation Policy Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. -**Note**   -Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. - -The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](http://technet.microsoft.com/library/hh831755.aspx) at http://technet.microsoft.com/library/hh831755.aspx. - -For more information about the security algorithms and authentication methods available in each version of Windows, see [IPsec Algorithms and Methods Supported in Windows](http://technet.microsoft.com/library/dd125380.aspx) at http://technet.microsoft.com/library/dd125380.aspx. - -  - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif) **Checklist: Implementing a domain isolation policy design** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Conceptual topic[Domain Isolation Policy Design](domain-isolation-policy-design.md)

-

Conceptual topic[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)

-

Conceptual topic[Planning Domain Isolation Zones](planning-domain-isolation-zones.md)

_

Create the GPOs and connection security rules for the isolated domain.

Checklist topic[Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)

_

Create the GPOs and connection security rules for the boundary zone.

Checklist topic[Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)

_

Create the GPOs and connection security rules for the encryption zone.

Checklist topic[Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)

_

Create the GPOs and connection security rules for the isolated server zone.

Checklist topic[Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)

_

According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.

Procedure topic[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)

_

After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.

Procedure topic[Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)

- -  - -  - -  - - +>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. +The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). +**Checklist: Implementing a domain isolation policy design** +| Task | Reference | +| - | - | +| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Domain Isolation Policy Design](domain-isolation-policy-design.md)
[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | +| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| +| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| +| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| +| Create the GPOs and connection security rules for the isolated server zone.| [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)| +| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)| +| After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md index be94daaa5c..ba750e4d59 100644 --- a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -2,82 +2,32 @@ title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10) description: Checklist Implementing a Standalone Server Isolation Policy Design ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Checklist: Implementing a Standalone Server Isolation Policy Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. -**Note**   -Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. - -The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](http://technet.microsoft.com/library/hh831755.aspx) at http://technet.microsoft.com/library/hh831755.aspx. - -  - -![checklist](images/2b05dce3-938f-4168-9b8f-1f4398cbdb9b.gif) **Checklist: Implementing a standalone server isolation policy design** - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReference

_

Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.

Conceptual topic[Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

-

Conceptual topic[Server Isolation Policy Design](server-isolation-policy-design.md)

-

Conceptual topic[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)

-

Conceptual topic[Planning Server Isolation Zones](planning-server-isolation-zones.md)

_

Create the GPOs and connection security rules for isolated servers.

Checklist topic[Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)

_

Create the GPOs and connection security rules for the client computers that must connect to the isolated servers.

Checklist topic[Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)

_

Verify that the connection security rules are protecting network traffic on your test computers.

Procedure topic[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)

_

After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it.

Procedure topic[Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)

_

According to the testing and roll-out schedule in your design plan, add computer accounts for the client computers to the membership group so that you can deploy the settings.

Procedure topic[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)

- -  - -  - -  - - - +>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. +**Checklist: Implementing a standalone server isolation policy design** +| Task | Reference | +| - | - | +| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Server Isolation Policy Design](server-isolation-policy-design.md)
[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
[Planning Server Isolation Zones](planning-server-isolation-zones.md) | +| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| +| Create the GPOs and connection security rules for the client computers that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| +| Verify that the connection security rules are protecting network traffic on your test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| +| After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| +| According to the testing and roll-out schedule in your design plan, add computer accounts for the client computers to the membership group so that you can deploy the settings. | [Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md) | diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-computers.md b/windows/keep-secure/determining-the-trusted-state-of-your-computers.md deleted file mode 100644 index 4e2b3f8fd2..0000000000 --- a/windows/keep-secure/determining-the-trusted-state-of-your-computers.md +++ /dev/null @@ -1,184 +0,0 @@ ---- -title: Determining the Trusted State of Your Computers (Windows 10) -description: Determining the Trusted State of Your Computers -ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2 -author: brianlic-msft ---- - -# Determining the Trusted State of Your Computers - - -After obtaining information about the computers that are currently part of the IT infrastructure, you must determine at what point a computer is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. - -**Note**   -In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your computers just indicates the level of risk that you believe the computer brings to the network. Trusted computers bring little risk whereas untrusted computers can potentially bring great risk. - -  - -## Trust states - - -To understand this concept, consider the four basic states that apply to computers in a typical IT infrastructure. These states are (in order of risk, lowest risk first): - -- Trusted - -- Trustworthy - -- Known, untrusted - -- Unknown, untrusted - -The remainder of this section defines these states and how to determine which computers in your organization belong in each state. - -### Trusted state - -Classifying a computer as trusted means that the computer's security risks are managed, but it does not imply that it is perfectly secure or invulnerable. The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the computer. A trusted computer that is poorly managed will likely become a point of weakness for the network. - -When a computer is considered trusted, other trusted computers can reasonably assume that the computer will not initiate a malicious act. For example, trusted computers can expect that other trusted computers will not run a virus that attacks them, because all trusted computers are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses. - -Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a computer to obtain trusted status. - -A possible list of technology requirements might include the following: - -- **Operating system.** A trusted client computer should run Windows 8, Windows 7, or Windows Vista. A trusted server should run Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. - -- **Domain membership.** A trusted computer will belong to a managed Active Directory domain, which means that the IT department has security management rights and can configure member computers by using Group Policy. - -- **Management client.** All trusted computers must run a specific network management client to allow for centralized management and control of security policies, configurations, and software. Microsoft System Center Configuration Manager is one such management system with an appropriate client. For more information, see [System Center Configuration Manager](http://technet.microsoft.com/systemcenter/bb507744.aspx) at http://technet.microsoft.com/systemcenter/bb507744.aspx. - -- **Antivirus software.** All trusted computers will run antivirus software that is configured to check for and automatically update the latest virus signature files daily. Microsoft ForeFront Endpoint Protection is one such antivirus software program. For more information, see [ForeFront Endpoint Protection](http://technet.microsoft.com/forefront/ee822838.aspx) at http://technet.microsoft.com/forefront/ee822838.aspx. - -- **File system.** All trusted computers will be configured to use the NTFS file system. - -- **BIOS settings.** All trusted portable computers will be configured to use a BIOS-level password that is under the management of the IT support team. - -- **Password requirements.** Trusted clients must use strong passwords. - -It is important to understand that the trusted state is not constant; it is a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted computers to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they are required to help maintain the trusted status. - -A computer that continues to meet all these security requirements can be considered trusted. However it is possible that most computers that were identified in the discovery process discussed earlier do not meet these requirements. Therefore, you must identify which computers can be trusted and which ones cannot. To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications. - -### Trustworthy state - -It is useful to identify as soon as possible those computers in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current computer can physically achieve the trusted state with required software and configuration changes. - -For each computer that is assigned a trustworthy status, make an accompanying configuration note that states what is required to enable the computer to achieve trusted status. This information is especially important to both the project design team (to estimate the costs of adding the computer to the solution) and the support staff (to enable them to apply the required configuration). - -Generally, trustworthy computers fall into one of the following two groups: - -- **Configuration required.** The current hardware, operating system, and software enable the computer to achieve a trustworthy state. However, additional configuration changes are required. For example, if the organization requires a secure file system before a computer can be considered trusted, a computer that uses a FAT32-formatted hard disk does not meet this requirement. - -- **Upgrade required.** These computers require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these computers might require: - - - **Operating system upgrade required.** If the computer's current operating system cannot support the security needs of the organization, an upgrade would be required before the computer could achieve a trusted state. - - - **Software required.** A computer that is missing a required security application, such as an antivirus scanner or a management client, cannot be considered trusted until these applications are installed and active. - - - **Hardware upgrade required.** In some cases, a computer might require a specific hardware upgrade before it can achieve trusted status. This type of computer usually needs an operating system upgrade or additional software that forces the required hardware upgrade. For example, security software might require additional hard disk space on the computer. - - - **Computer replacement required.** This category is reserved for computers that cannot support the security requirements of the solution because their hardware cannot support the minimum acceptable configuration. For example, a computer that cannot run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based computer). - -Use these groups to assign costs for implementing the solution on the computers that require upgrades. - -### Known, untrusted state - -During the process of categorizing an organization's computers, you will identify some computers that cannot achieve trusted status for specific well-understood and well-defined reasons. These reasons might include the following types: - -- **Financial.** The funding is not available to upgrade the hardware or software for this computer. - -- **Political.** The computer must remain in an untrusted state because of a political or business situation that does not enable it to comply with the stated minimum security requirements of the organization. It is highly recommended that you contact the business owner or independent software vendor (ISV) for the computer to discuss the added value of server and domain isolation. - -- **Functional.** The computer must run a nonsecure operating system or must operate in a nonsecure manner to perform its role. For example, the computer might be required to run an older operating system because a specific line of business application will only work on that operating system. - -There can be multiple functional reasons for a computer to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state: - -- **Computers that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Computers that run these versions of the Windows operating system cannot be classified as trustworthy because these operating systems do not support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it does not support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of computer configurations (although limited central management of user configurations is supported). - -- **Stand-alone computers.** Computers running any version of Windows that are configured as stand-alone computers or as members of a workgroup usually cannot achieve a trustworthy state. Although these computers fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the computer is not a part of a trusted domain. - -- **Computers in an untrusted domain.** A computer that is a member of a domain that is not trusted by an organization's IT department cannot be classified as trusted. An untrusted domain is a domain that cannot provide the required security capabilities to its members. Although the operating systems of computers that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities cannot be fully guaranteed when computers are not in a trusted domain. - -### Unknown, untrusted state - -The unknown, untrusted state should be considered the default state for all computers. Because computers in this state have a configuration that is unknown, you can assign no trust to them. All planning for computers in this state must assume that the computer is an unacceptable risk to the organization. Designers of the solution should strive to minimize the impact that the computers in this state can have on their organizations. - -## Capturing upgrade costs for current computers - - -The final step in this part of the process is to record the approximate cost of upgrading the computers to a point that they can participate in the server and domain isolation design. You must make several key decisions during the design phase of the project that require answers to the following questions: - -- Does the computer meet the minimum hardware requirements necessary for isolation? - -- Does the computer meet the minimum software requirements necessary for isolation? - -- What configuration changes must be made to integrate this computer into the isolation solution? - -- What is the projected cost or impact of making the proposed changes to enable the computer to achieve a trusted state? - -By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular computer or group of computers into the scope of the project. It is important to remember that the state of a computer is transitive, and that by performing the listed remedial actions you can change the state of a computer from untrusted to trusted. After you decide whether to place a computer in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses. - -The following table is an example of a data sheet that you could use to help capture the current state of a computer and what would be required for the computer to achieve a trusted state. - - -------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Computer nameHardware reqs metSoftware reqs metConfiguration requiredDetailsProjected cost

CLIENT001

No

No

Upgrade hardware and software.

Current operating system is Windows XP. Old hardware is not compatible with Windows 8.

$??

SERVER001

Yes

No

Join trusted domain and upgrade from Windows Server 2003 to Windows Server 2012.

No antivirus software present.

$??

- -  - -In the previous table, the computer CLIENT001 is currently "known, untrusted" because its hardware must be upgraded. However, it could be considered trustworthy if the required upgrades are possible. However, if many computers require the same upgrades, the overall cost of the solution would be much higher. - -The computer SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs. - -With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. - -The costs identified in this section only capture the projected cost of the computer upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. - -For more information about how to configure firewalls to support IPsec, see "Configuring Firewalls" at . - -For more information about WMI, see "Windows Management Instrumentation" at . - -**Next: **[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) - -  - -  - - - - - diff --git a/windows/keep-secure/determining-the-trusted-state-of-your-devices.md b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md new file mode 100644 index 0000000000..8bbd75608d --- /dev/null +++ b/windows/keep-secure/determining-the-trusted-state-of-your-devices.md @@ -0,0 +1,139 @@ +--- +title: Determining the Trusted State of Your Devices (Windows 10) +description: Determining the Trusted State of Your Devices +ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Determining the Trusted State of Your Devices + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. + +>**Note:**  In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your devices just indicates the level of risk that you believe the device brings to the network. Trusted devices bring little risk whereas untrusted devices can potentially bring great risk. + +## Trust states + + +To understand this concept, consider the four basic states that apply to devices in a typical IT infrastructure. These states are (in order of risk, lowest risk first): + +- Trusted + +- Trustworthy + +- Known, untrusted + +- Unknown, untrusted + +The remainder of this section defines these states and how to determine which devices in your organization belong in each state. + +### Trusted state + +Classifying a device as trusted means that the device's security risks are managed, but it does not imply that it is perfectly secure or invulnerable. The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the device. A trusted device that is poorly managed will likely become a point of weakness for the network. + +When a device is considered trusted, other trusted devices can reasonably assume that the device will not initiate a malicious act. For example, trusted devices can expect that other trusted devices will not run a virus that attacks them, because all trusted devices are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses. + +Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a device to obtain trusted status. + +A possible list of technology requirements might include the following: + +- **Operating system.** A trusted client device should run at least Windows Vista. A trusted server should run at least Windows Server 2008. + +- **Domain membership.** A trusted device will belong to a managed Active Directory domain, which means that the IT department has security management rights and can configure member devices by using Group Policy. + +- **Management client.** All trusted devices must run a specific network management client to allow for centralized management and control of security policies, configurations, and software. Configuration Manager is one such management system with an appropriate client. + +- **Antivirus software.** All trusted devices will run antivirus software that is configured to check for and automatically update the latest virus signature files daily. + +- **File system.** All trusted devices will be configured to use the NTFS file system. + +- **BIOS settings.** All trusted portable devices will be configured to use a BIOS-level password that is under the management of the IT support team. + +- **Password requirements.** Trusted clients must use strong passwords. + +It is important to understand that the trusted state is not constant; it is a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted devices to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they are required to help maintain the trusted status. + +A device that continues to meet all these security requirements can be considered trusted. However it is possible that most devices that were identified in the discovery process discussed earlier do not meet these requirements. Therefore, you must identify which devices can be trusted and which ones cannot. To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications. + +### Trustworthy state + +It is useful to identify as soon as possible those devices in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current device can physically achieve the trusted state with required software and configuration changes. + +For each device that is assigned a trustworthy status, make an accompanying configuration note that states what is required to enable the device to achieve trusted status. This information is especially important to both the project design team (to estimate the costs of adding the device to the solution) and the support staff (to enable them to apply the required configuration). + +Generally, trustworthy devices fall into one of the following two groups: + +- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. However, additional configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk does not meet this requirement. + +- **Upgrade required.** These devices require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these devices might require: + + - **Operating system upgrade required.** If the device's current operating system cannot support the security needs of the organization, an upgrade would be required before the device could achieve a trusted state. + + - **Software required.** A device that is missing a required security application, such as an antivirus scanner or a management client, cannot be considered trusted until these applications are installed and active. + + - **Hardware upgrade required.** In some cases, a device might require a specific hardware upgrade before it can achieve trusted status. This type of device usually needs an operating system upgrade or additional software that forces the required hardware upgrade. For example, security software might require additional hard disk space on the device. + + - **Device replacement required.** This category is reserved for devices that cannot support the security requirements of the solution because their hardware cannot support the minimum acceptable configuration. For example, a device that cannot run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based device). + +Use these groups to assign costs for implementing the solution on the devices that require upgrades. + +### Known, untrusted state + +During the process of categorizing an organization's devices, you will identify some devices that cannot achieve trusted status for specific well-understood and well-defined reasons. These reasons might include the following types: + +- **Financial.** The funding is not available to upgrade the hardware or software for this device. + +- **Political.** The device must remain in an untrusted state because of a political or business situation that does not enable it to comply with the stated minimum security requirements of the organization. It is highly recommended that you contact the business owner or independent software vendor (ISV) for the device to discuss the added value of server and domain isolation. + +- **Functional.** The device must run a nonsecure operating system or must operate in a nonsecure manner to perform its role. For example, the device might be required to run an older operating system because a specific line of business application will only work on that operating system. + +There can be multiple functional reasons for a device to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state: + +- **Devices that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system cannot be classified as trustworthy because these operating systems do not support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it does not support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported). + +- **Stand-alone devices.** Devices running any version of Windows that are configured as stand-alone devices or as members of a workgroup usually cannot achieve a trustworthy state. Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device is not a part of a trusted domain. + +- **Devices in an untrusted domain.** A device that is a member of a domain that is not trusted by an organization's IT department cannot be classified as trusted. An untrusted domain is a domain that cannot provide the required security capabilities to its members. Although the operating systems of devices that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities cannot be fully guaranteed when devices are not in a trusted domain. + +### Unknown, untrusted state + +The unknown, untrusted state should be considered the default state for all devices. Because devices in this state have a configuration that is unknown, you can assign no trust to them. All planning for devices in this state must assume that the device is an unacceptable risk to the organization. Designers of the solution should strive to minimize the impact that the devices in this state can have on their organizations. + +## Capturing upgrade costs for current devices + + +The final step in this part of the process is to record the approximate cost of upgrading the devices to a point that they can participate in the server and domain isolation design. You must make several key decisions during the design phase of the project that require answers to the following questions: + +- Does the device meet the minimum hardware requirements necessary for isolation? + +- Does the device meet the minimum software requirements necessary for isolation? + +- What configuration changes must be made to integrate this device into the isolation solution? + +- What is the projected cost or impact of making the proposed changes to enable the device to achieve a trusted state? + +By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular device or group of devices into the scope of the project. It is important to remember that the state of a device is transitive, and that by performing the listed remedial actions you can change the state of a device from untrusted to trusted. After you decide whether to place a device in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses. + +The following table is an example of a data sheet that you could use to help capture the current state of a device and what would be required for the device to achieve a trusted state. + +| Device name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | +| - | - | - | - | - | - | +| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware is not compatible with newer versions of Windows.| $??| +| SERVER001 | Yes| No| Join trusted domain and upgrade from Windows Server 2003 to Windows Server 2012.| No antivirus software present.| $??| + +In the previous table, the device CLIENT001 is currently "known, untrusted" because its hardware must be upgraded. However, it could be considered trustworthy if the required upgrades are possible. However, if many devices require the same upgrades, the overall cost of the solution would be much higher. + +The device SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs. + +With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. + +The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. + +**Next: **[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) diff --git a/windows/keep-secure/documenting-the-zones.md b/windows/keep-secure/documenting-the-zones.md index d15b2fd6c4..88e67e80c4 100644 --- a/windows/keep-secure/documenting-the-zones.md +++ b/windows/keep-secure/documenting-the-zones.md @@ -2,84 +2,26 @@ title: Documenting the Zones (Windows 10) description: Documenting the Zones ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Documenting the Zones +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here: - --------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Host nameHardware reqs metSoftware reqs metConfiguration requiredDetailsProjected costGroup

CLIENT001

No

No

Upgrade hardware and software.

Current operating system is Windows XP. Old hardware not compatible with Windows 8.

$??

Isolated domain

SERVER002

Yes

No

Join trusted domain, upgrade from Windows Server 2008 to Windows Server 2012

No antivirus software present.

$??

Encryption

SENSITIVE001

Yes

Yes

Not required.

Running Windows Server 2012. Ready for inclusion.

$0

Isolated server (in zone by itself)

PRINTSVR1

Yes

Yes

Not required.

Running Windows Server 2008 R2. Ready for inclusion.

$0

Boundary

- -  +| Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group | +| - | - | - | - | - | - | +| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware not compatible with newer versions of Windows.| $??| Isolated domain| +| SERVER002 | Yes| No| Join trusted domain, upgrade from Windows Server 2008 to at least Windows Server 2012| No antivirus software present.| $??| Encryption| +| SENSITIVE001 | Yes| Yes| Not required.| Running Windows Server 2012. Ready for inclusion.| $0| Isolated server (in zone by itself)| +| PRINTSVR1 | Yes| Yes| Not required.| Running Windows Server 2008 R2. Ready for inclusion.| $0| Boundary| **Next: **[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) - -  - -  - - - - - diff --git a/windows/keep-secure/encryption-zone-gpos.md b/windows/keep-secure/encryption-zone-gpos.md index a02f4037c8..dcb49121a4 100644 --- a/windows/keep-secure/encryption-zone-gpos.md +++ b/windows/keep-secure/encryption-zone-gpos.md @@ -2,23 +2,21 @@ title: Encryption Zone GPOs (Windows 10) description: Encryption Zone GPOs ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Encryption Zone GPOs +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Handle encryption zones in a similar manner to the boundary zones. A computer is added to an encryption zone by adding the computer account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the computers that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. - -The GPO is only for server versions of Windows. Client computers are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. - -- [GPO\_DOMISO\_Encryption\_WS2008](gpo-domiso-encryption-ws2008.md) - -  - -  - - - +Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. +The GPO is only for server versions of Windows. Client devices are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. +- [GPO\_DOMISO\_Encryption](gpo-domiso-encryption.md) diff --git a/windows/keep-secure/encryption-zone.md b/windows/keep-secure/encryption-zone.md index 54a7dfeb35..f6fd2aacd4 100644 --- a/windows/keep-secure/encryption-zone.md +++ b/windows/keep-secure/encryption-zone.md @@ -2,24 +2,31 @@ title: Encryption Zone (Windows 10) description: Encryption Zone ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Encryption Zone +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between computers. +Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. -To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the computers and that requires that the sensitive inbound and outbound network traffic be encrypted. +To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic be encrypted. You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. -## GPO settings for encryption zone servers running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 +## GPO settings for encryption zone servers running at least Windows Server 2008 -The GPO for computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008 should include the following: +The GPO for devices that are running at least Windows Server 2008 should include the following: - IPsec default settings that specify the following options: @@ -31,16 +38,16 @@ The GPO for computers that are running Windows Server 2012, Windows Server 2008 If any NAT devices are present on your networks, use ESP encapsulation.. - 4. Authentication methods. Include at least computer-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method. - The following connection security rules: - - A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication using the default authentication specified earlier in this policy. **Important**   - Be sure to begin operations by using request in and request out behavior until you are sure that all the computers in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. + Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out.   @@ -48,20 +55,8 @@ The GPO for computers that are running Windows Server 2012, Windows Server 2008 - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. - **Note**   - For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). + >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). -   - -- If domain member computers must communicate with computers in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs. +- If domain member devices must communicate with devices in the encryption zone, ensure that you include in the isolated domain GPOs quick mode combinations that are compatible with the requirements of the encryption zone GPOs. **Next: **[Planning Server Isolation Zones](planning-server-isolation-zones.md) - -  - -  - - - - - diff --git a/windows/keep-secure/exemption-list.md b/windows/keep-secure/exemption-list.md index 0a1aea9187..3ebf7a465b 100644 --- a/windows/keep-secure/exemption-list.md +++ b/windows/keep-secure/exemption-list.md @@ -2,29 +2,36 @@ title: Exemption List (Windows 10) description: Exemption List ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Exemption List +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all computers on the internal network, yet secured from network attacks. However, if they must remain available to all computers on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. +When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. -In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted computers cannot use IPsec to access, which would be added to the exemption list. +In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices cannot use IPsec to access, which would be added to the exemption list. -Generally, the following conditions are reasons to consider adding a computer to the exemption list: +Generally, the following conditions are reasons to consider adding a device to the exemption list: -- If the computer must be accessed by trusted computers but it does not have a compatible IPsec implementation. +- If the device must be accessed by trusted devices but it does not have a compatible IPsec implementation. -- If the computer must provide services to both trusted and untrusted computers, but does not meet the criteria for membership in the boundary zone. +- If the device must provide services to both trusted and untrusted devices, but does not meet the criteria for membership in the boundary zone. -- If the computer must be accessed by trusted computers from different isolated domains that do not have an Active Directory trust relationship established with each other. +- If the device must be accessed by trusted devices from different isolated domains that do not have an Active Directory trust relationship established with each other. -- If the computer is a domain controller running version of Windows earlier than Windows Server 2008, or if any of its clients are running a version of Windows earlier than Windows Vista. +- If the device is a domain controller running version of Windows earlier than Windows Server 2008, or if any of its clients are running a version of Windows earlier than Windows Vista. -- If the computer must support trusted and untrusted computers, but cannot use IPsec to help secure communications to trusted computers. +- If the device must support trusted and untrusted devices, but cannot use IPsec to help secure communications to trusted devices. -For large organizations, the list of exemptions might grow very large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all computers in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every computer that receives the GPO, including the following: +For large organizations, the list of exemptions might grow very large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all devices in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every device that receives the GPO, including the following: - Reduces the overall effectiveness of isolation. @@ -43,12 +50,3 @@ To keep the number of exemptions as small as possible, you have several options: As with defining the boundary zone, create a formal process to approve hosts being added to the exemption list. For a model of processing requests for exemptions, see the decision flowchart in the [Boundary Zone](boundary-zone.md) section. **Next: **[Isolated Domain](isolated-domain.md) - -  - -  - - - - - diff --git a/windows/keep-secure/firewall-gpos.md b/windows/keep-secure/firewall-gpos.md index 95375afd70..b264a38993 100644 --- a/windows/keep-secure/firewall-gpos.md +++ b/windows/keep-secure/firewall-gpos.md @@ -2,23 +2,21 @@ title: Firewall GPOs (Windows 10) description: Firewall GPOs ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Firewall GPOs +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -All the computers on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. +All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. The GPO created for the example Woodgrove Bank scenario include the following: - [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md) - -  - -  - - - - - diff --git a/windows/keep-secure/gpo-domiso-boundary-ws2008.md b/windows/keep-secure/gpo-domiso-boundary.md similarity index 60% rename from windows/keep-secure/gpo-domiso-boundary-ws2008.md rename to windows/keep-secure/gpo-domiso-boundary.md index feafd79586..22db5273b8 100644 --- a/windows/keep-secure/gpo-domiso-boundary-ws2008.md +++ b/windows/keep-secure/gpo-domiso-boundary.md @@ -1,26 +1,32 @@ --- -title: GPO\_DOMISO\_Boundary\_WS2008 (Windows 10) -description: GPO\_DOMISO\_Boundary\_WS2008 +title: GPO\_DOMISO\_Boundary (Windows 10) +description: GPO\_DOMISO\_Boundary ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# GPO\_DOMISO\_Boundary\_WS2008 +# GPO\_DOMISO\_Boundary +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. -This GPO supports the ability for computers that are not part of the isolated domain to access specific servers that must be available to those untrusted computers. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. +This GPO supports the ability for devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. It is intended to only apply to server devices that are running at least Windows Server 2008. ## IPsec settings - The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain when authentication can be used. ## Connection security rules -Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authentication mode to **Request inbound and request outbound**. In this mode, the computer uses authentication when it can, such as during communication with a member of the isolated domain. It also supports the "fall back to clear" ability of request mode when an untrusted computer that is not part of the isolated domain connects. +Rename the **Isolated Domain Rule** to **Boundary Zone Rule**. Change the authentication mode to **Request inbound and request outbound**. In this mode, the device uses authentication when it can, such as during communication with a member of the isolated domain. It also supports the "fall back to clear" ability of request mode when an untrusted device that is not part of the isolated domain connects. ## Registry settings @@ -30,17 +36,8 @@ The boundary zone uses the same registry settings as the isolated domain to opti ## Firewall rules -Copy the firewall rules for the boundary zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other computers. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 80 for Web client requests. +Copy the firewall rules for the boundary zone from the GPO that contains the firewall rules for the isolated domain. Customize this copy, removing rules for services not needed on servers in this zone, and adding inbound rules to allow the network traffic for the services that are to be accessed by other devices. For example, Woodgrove Bank added a firewall rule to allow inbound network traffic to TCP port 80 for Web client requests. Make sure that the GPO that contains firewall rules for the isolated domain does not also apply to the boundary zone to prevent overlapping, and possibly conflicting rules. **Next: **[Encryption Zone GPOs](encryption-zone-gpos.md) - -  - -  - - - - - diff --git a/windows/keep-secure/gpo-domiso-encryption-ws2008.md b/windows/keep-secure/gpo-domiso-encryption.md similarity index 100% rename from windows/keep-secure/gpo-domiso-encryption-ws2008.md rename to windows/keep-secure/gpo-domiso-encryption.md diff --git a/windows/keep-secure/gpo-domiso-firewall.md b/windows/keep-secure/gpo-domiso-firewall.md index 5ffd27f985..226c9deac1 100644 --- a/windows/keep-secure/gpo-domiso-firewall.md +++ b/windows/keep-secure/gpo-domiso-firewall.md @@ -2,33 +2,35 @@ title: GPO\_DOMISO\_Firewall (Windows 10) description: GPO\_DOMISO\_Firewall ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # GPO\_DOMISO\_Firewall +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to computers that are running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2. +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. ## Firewall settings - This GPO provides the following settings: - Unless otherwise stated, the firewall rules and settings described here are applied to all profiles. - The firewall is enabled, with inbound, unsolicited connections blocked and outbound connections allowed. -- Under the domain profile, the settings **Display notifications to the user**, **Apply local firewall rules**, and **Apply local connection security rules** are all set to **No**. These settings are applied only to the domain profile because the computers can only receive an exception rule for a required program from a GPO if they are connected to the domain. Under the public and private profiles, those settings are all set to **Yes**. +- Under the domain profile, the settings **Display notifications to the user**, **Apply local firewall rules**, and **Apply local connection security rules** are all set to **No**. These settings are applied only to the domain profile because the devices can only receive an exception rule for a required program from a GPO if they are connected to the domain. Under the public and private profiles, those settings are all set to **Yes**. - **Note**   - Enforcing these settings requires that you define any firewall exceptions for programs, because the user cannot manually permit a new program. You must deploy the exception rules by adding them to this GPO. We recommend that you do not enable these settings until you have tested all your applications and have tested the resulting rules in a test lab and then on pilot computers. - -   + >**Note:**  Enforcing these settings requires that you define any firewall exceptions for programs, because the user cannot manually permit a new program. You must deploy the exception rules by adding them to this GPO. We recommend that you do not enable these settings until you have tested all your applications and have tested the resulting rules in a test lab and then on pilot devices. ## Firewall rules - This GPO provides the following rules: - Built-in firewall rule groups are configured to support typically required network operation. The following rule groups are set to **Allow the connection**: @@ -60,12 +62,3 @@ This GPO provides the following rules: - A firewall exception rule to allow required network traffic for the WGBank dashboard program. This inbound rule allows network traffic for the program Dashboard.exe in the %ProgramFiles%\\WGBank folder. The rule is also filtered to only allow traffic on port 1551. This rule is applied only to the domain profile. **Next: **[Isolated Domain GPOs](isolated-domain-gpos.md) - -  - -  - - - - - diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md index 0b881a5231..0f2faadb9e 100644 --- a/windows/keep-secure/gpo-domiso-isolateddomain-clients.md +++ b/windows/keep-secure/gpo-domiso-isolateddomain-clients.md @@ -2,150 +2,64 @@ title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10) description: GPO\_DOMISO\_IsolatedDomain\_Clients ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # GPO\_DOMISO\_IsolatedDomain\_Clients +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client computers that are running Windows 8, Windows 7, or Windows Vista. +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. -Because client computers can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile. +Because client devices can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile. ## General settings - This GPO provides the following settings: - No firewall settings are included in this GPO. Woodgrove Bank created separate GPOs for firewall settings (see the [Firewall GPOs](firewall-gpos.md) section) in order to share them with all clients in all isolation zones with minimum redundancy. - The ICMP protocol is exempted from authentication requirements to support easier network troubleshooting. -- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, such as Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2, they can remove the weaker key exchange algorithms, and use only the stronger ones. +- Diffie-Hellman Group 2 is specified as the key exchange algorithm. This is the strongest algorithm available that is supported by all the operating systems that are being used at Woodgrove Bank. After Woodgrove Bank has completed the upgrade to versions of Windows that support stronger algorithms, they can remove the weaker key exchange algorithms, and use only the stronger ones. - The registry settings shown in the following table. For more information, see the description of the registry settings in [Isolated Domain](isolated-domain.md). - - - - - - - - - - - - - - - - - - - - - -
SettingValue

Enable PMTU Discovery

1

IPsec Exemptions

3

- -   +| Setting | Value | +| - | - | +| Enable PMTU Discovery | 1 | +| IPsec Exemptions | 3 | - The main mode security method combinations in the order shown in the following table. - - - - - - - - - - - - - - - - - - - - - -
IntegrityEncryption

Secure Hash Algorithm (SHA-1)

Advanced Encryption Standard (AES-128)

SHA-1

3DES

- -   - +| Integrity | Encryption | +| - | - | +| Secure Hash Algorithm (SHA-1) | Advanced Encryption Standard (AES-128) | +| SHA-1 | 3DES | + - The following quick mode security data integrity algorithms combinations in the order shown in the following table. - - - - - - - - - - - - - - - - - - - - -
ProtocolIntegrityKey Lifetime (minutes/KB)

ESP

SHA-1

60/100,000

- -   +| Protocol | Integrity | Key Lifetime (minutes/KB) | +| - | - | - | +| ESP | SHA-1 | 60/100,000 | - The quick mode security data integrity and encryption algorithm combinations in the order shown in the following table. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ProtocolIntegrityEncryptionKey Lifetime (minutes/KB)

ESP

SHA-1

AES-128

60/100,000

ESP

SHA-1

3DES

60/100,000

+| Protocol | Integrity | Encryption | Key Lifetime (minutes/KB) | +| - | - | - | - | +| ESP | SHA-1 | AES-128 | 60/100,000| +| ESP | SHA-1 | 3DES | 60/100,000| -   - -**Note**   -Do not use the MD5 and DES algorithms in your GPOs. They are included only for compatibility with previous versions of Windows. - -  +>**Note:**  Do not use the MD5 and DES algorithms in your GPOs. They are included only for compatibility with previous versions of Windows. ## Connection Security Rules - This GPO provides the following rules: - A connection security rule named **Isolated Domain Rule** with the following settings: @@ -154,28 +68,16 @@ This GPO provides the following rules: - **Require inbound and request outbound** authentication requirements. - **Important**   - On this, and all other GPOs that require authentication, Woodgrove Bank first chose to only request authentication. After confirming that the computers were successfully communicating by using IPsec, they switched the GPOs to require authentication. + >**Important:**  On this, and all other GPOs that require authentication, Woodgrove Bank first chose to only request authentication. After confirming that the devices were successfully communicating by using IPsec, they switched the GPOs to require authentication. -   - - - For **First authentication methods**, select **Computer Kerberos v5** as the primary method. Add certificate-based authentication from **DC=com,DC=woodgrovebank,CN=CorporateCertServer** for computers that cannot run Windows or cannot join the domain, but must still participate in the isolated domain. + - For **First authentication methods**, select **Computer Kerberos v5** as the primary method. Add certificate-based authentication from **DC=com,DC=woodgrovebank,CN=CorporateCertServer** for devices that cannot run Windows or cannot join the domain, but must still participate in the isolated domain. - For **Second authentication**, select **User Kerberos v5**, and then select the **Second authentication is optional** check box. -- A connection security rule to exempt computers that are in the exemption list from the requirement to authenticate: +- A connection security rule to exempt devices that are in the exemption list from the requirement to authenticate: - - The IP addresses of all computers on the exemption list must be added individually under **Endpoint 2**. + - The IP addresses of all devices on the exemption list must be added individually under **Endpoint 2**. - Authentication mode is set to **Do not authenticate**. **Next: **[GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md) - -  - -  - - - - - diff --git a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md index 20491ecac5..fb984adf5f 100644 --- a/windows/keep-secure/gpo-domiso-isolateddomain-servers.md +++ b/windows/keep-secure/gpo-domiso-isolateddomain-servers.md @@ -2,30 +2,26 @@ title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10) description: GPO\_DOMISO\_IsolatedDomain\_Servers ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # GPO\_DOMISO\_IsolatedDomain\_Servers +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2. +This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. -Because so many of the settings and rules for this GPO are common to those in the GPO for Windows 8, Windows 7 and Windows Vista, you can save time by exporting the Windows Firewall with Advanced Security piece of the GPO for Windows 8, Windows 7 and Windows Vista, and importing it to the GPO for Windows Server 2012, Windows Server 2008 and Windows Server 2008 R2. After the import, change only the items specified here: +Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Firewall with Advanced Security piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here: -- This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the computer to the Public profile with a different set of rules (in the case of a server running Windows Server 2008). +- This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the device to the Public profile with a different set of rules (in the case of a server running Windows Server 2008). - **Important**   - Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the computer. If you attach a network adapter to a computer that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the computer. - -   + >**Important:**  Windows Vista and Windows Server 2008 support only one network location profile at a time. The profile for the least secure network type is applied to the device. If you attach a network adapter to a device that is not physically connected to a network, the public network location type is associated with the network adapter and applied to the device. **Next: **[Boundary Zone GPOs](boundary-zone-gpos.md) -  - -  - - - - - diff --git a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 17ef2d4aa4..b1adf33fd9 100644 --- a/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/keep-secure/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -35,10 +35,10 @@ The following table lists the three main tasks for articulating, refining, and s

Evaluate predefined Windows Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives.

Predefined deployment goals:

    -

  • [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md)

    • -

  • [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)

    • +

  • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)

    • +

  • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)

  • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)

    • -

  • [Restrict Access to Sensitive Resources to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)

    • +

  • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)

@@ -57,4 +57,4 @@ The following table lists the three main tasks for articulating, refining, and s -**Next:** [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md) +**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) diff --git a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md index acd8702deb..25f0fba560 100644 --- a/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/keep-secure/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -2,23 +2,30 @@ title: Implementing Your Windows Firewall with Advanced Security Design Plan (Windows 10) description: Implementing Your Windows Firewall with Advanced Security Design Plan ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Implementing Your Windows Firewall with Advanced Security Design Plan +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan: -- **Group Policy**. The Windows Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the computers on your network. [Group Policy Analysis and Troubleshooting Overview](http://technet.microsoft.com/library/jj134223.aspx) (http://technet.microsoft.com/library/jj134223.aspx) can help you review and change, if necessary, your Group Policy infrastructure. +- **Group Policy**. The Windows Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network. -- **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the computers on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external computers to connect to computers in that zone, then you must allow that traffic through the perimeter firewall to the computers in the boundary zone. +- **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the devices on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external devices to connect to devices in that zone, then you must allow that traffic through the perimeter firewall to the devices in the boundary zone. -- **Computers running operating systems other than Windows**. If your network includes computers that are not running the Windows operating system, then you must make sure that required communication with those computers is not blocked by the restrictions put in place by your design. You must do one of the following: +- **Devices running operating systems other than Windows**. If your network includes devices that are not running the Windows operating system, then you must make sure that required communication with those devices is not blocked by the restrictions put in place by your design. You must do one of the following: - - Include those computers in the isolated domain or zone by adding certificate-based authentication to your design. Many other operating systems can participate in an isolated domain or isolated server scenario, as long as certificate-based authentication is used. + - Include those devices in the isolated domain or zone by adding certificate-based authentication to your design. Many other operating systems can participate in an isolated domain or isolated server scenario, as long as certificate-based authentication is used. - - Include the computer in the authentication exemption list included in your design. You can choose this option if for any reason the computer cannot participate in the isolated domain design. + - Include the device in the authentication exemption list included in your design. You can choose this option if for any reason the device cannot participate in the isolated domain design. ## How to implement your Windows Firewall with Advanced Security design using this guide @@ -38,12 +45,3 @@ Use the following parent checklists in this section of the guide to become famil - [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md). - -  - -  - - - - - diff --git a/windows/keep-secure/isolated-domain-gpos.md b/windows/keep-secure/isolated-domain-gpos.md index 022c062ce6..b7f6c3b921 100644 --- a/windows/keep-secure/isolated-domain-gpos.md +++ b/windows/keep-secure/isolated-domain-gpos.md @@ -2,13 +2,20 @@ title: Isolated Domain GPOs (Windows 10) description: Isolated Domain GPOs ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Isolated Domain GPOs +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -All of the computers in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. +All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. Each GPO has a security group filter that prevents the GPO from applying to members of the group GP\_DOMISO\_No\_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. For more information, see the [Planning GPO Deployment](planning-gpo-deployment.md) section. @@ -17,12 +24,3 @@ The GPOs created for the Woodgrove Bank isolated domain include the following: - [GPO\_DOMISO\_IsolatedDomain\_Clients](gpo-domiso-isolateddomain-clients.md) - [GPO\_DOMISO\_IsolatedDomain\_Servers](gpo-domiso-isolateddomain-servers.md) - -  - -  - - - - - diff --git a/windows/keep-secure/isolated-domain.md b/windows/keep-secure/isolated-domain.md index 9e52a463a4..3d23484bf9 100644 --- a/windows/keep-secure/isolated-domain.md +++ b/windows/keep-secure/isolated-domain.md @@ -2,26 +2,33 @@ title: Isolated Domain (Windows 10) description: Isolated Domain ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Isolated Domain +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -The isolated domain is the primary zone for trusted computers. The computers in this zone use connection security and firewall rules to control the communications that can be sent between computers in the zone. +The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone. -The term *domain* in this context means a boundary of communications trust instead of an Active Directory domain. In this solution the two constructs are very similar because Active Directory domain authentication (Kerberos V5) is required for accepting inbound connections from trusted computers. However, many Active Directory domains (or forests) can be linked with trust relationships to provide a single, logical, isolated domain. In addition, computers that authenticate by using certificates can also be included in an isolated domain without joining the Active Directory domain. +The term *domain* in this context means a boundary of communications trust instead of an Active Directory domain. In this solution the two constructs are very similar because Active Directory domain authentication (Kerberos V5) is required for accepting inbound connections from trusted devices. However, many Active Directory domains (or forests) can be linked with trust relationships to provide a single, logical, isolated domain. In addition, devices that authenticate by using certificates can also be included in an isolated domain without joining the Active Directory domain. -For most implementations, an isolated domain will contain the largest number of computers. Other isolation zones can be created for the solution if their communication requirements differ from those of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones. +For most implementations, an isolated domain will contain the largest number of devices. Other isolation zones can be created for the solution if their communication requirements differ from those of the isolated domain. Examples of these differences are what result in the boundary and encryption zones described in this guide. Conceptually, the isolated domain is just the largest isolation zone, and a superset to the other zones. You must create a group in Active Directory to contain members of the isolated domain. You then apply one of several GPOs that contain connection security and firewall rules to the group so that authentication on all inbound network connections is enforced. Creation of the group and how to link the GPOs that apply the rules to its members are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. The GPOs for the isolated domain should contain the following connection security rules and settings. -## GPO settings for isolated domain members running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 +## GPO settings for isolated domain members running at least Windows Vista and Windows Server 2008 -GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 should include the following: +GPOs for devices running at least Windows Vista and Windows Server 2008 should include the following: - IPsec default settings that specify the following options: @@ -33,35 +40,20 @@ GPOs for computers running Windows 8, Windows 7, Windows Vista, Windows Server If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. - 4. Authentication methods. Include at least computer-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then also include user-based Kerberos V5 as an optional authentication method. Likewise, if any of your isolated domain members cannot use Kerberos V5 authentication, then include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then also include user-based Kerberos V5 as an optional authentication method. Likewise, if any of your isolated domain members cannot use Kerberos V5 authentication, then include certificate-based authentication as an optional authentication method. - The following connection security rules: - - A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, where possible, instead of discrete addresses, if applicable in your environment. + - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, where possible, instead of discrete addresses, if applicable in your environment. - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication by using Kerberos V5 authentication. - **Important**   - Be sure to begin operations by using request in and request out behavior until you are sure that all the computers in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the policy to require in, request out. - -   + >**Important:**  Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the policy to require in, request out.  - A registry policy that includes the following values: - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. - **Note**   - For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). - -   + >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). **Next: **[Boundary Zone](boundary-zone.md) - -  - -  - - - - - diff --git a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index 012969637d..3187e17371 100644 --- a/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -23,9 +23,9 @@ Use the following table to determine which Windows Firewall with Advanced Securi | Deployment Goals | Basic Firewall Policy Design | Domain Isolation Policy Design | Server Isolation Policy Design | Certificate-based Isolation Policy Design | | - |- | - | - | - | -| [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md)| Yes| Yes| Yes| Yes| -| [Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md) | -| Yes| Yes| Yes| -| [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-computers.md)| -| -| Yes| Yes| +| [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)| Yes| Yes| Yes| Yes| +| [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) | -| Yes| Yes| Yes| +| [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)| -| -| Yes| Yes| | [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)| -| Optional| Optional| Optional| To examine details for a specific design, click the design title at the top of the column in the preceding table. diff --git a/windows/keep-secure/planning-certificate-based-authentication.md b/windows/keep-secure/planning-certificate-based-authentication.md index 5882c9fec7..69e599b812 100644 --- a/windows/keep-secure/planning-certificate-based-authentication.md +++ b/windows/keep-secure/planning-certificate-based-authentication.md @@ -2,57 +2,53 @@ title: Planning Certificate-based Authentication (Windows 10) description: Planning Certificate-based Authentication ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Certificate-based Authentication +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Sometimes a computer cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the computer can still participate in the isolated domain by using certificate-based authentication. +Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. -The non-domain member server, and the clients that must be able to communicate with it, must be configured to use cryptographic certificates based on the X.509 standard. These certificates can be used as an alternate set of credentials. During IKE negotiation, each computer sends a copy of its certificate to the other computer. Each computer examines the received certificate, and then validates its authenticity. To be considered authentic, the received certificate must be validated by a certification authority certificate in the recipient's Trusted Root Certification Authorities store on the local computer. +The non-domain member server, and the clients that must be able to communicate with it, must be configured to use cryptographic certificates based on the X.509 standard. These certificates can be used as an alternate set of credentials. During IKE negotiation, each device sends a copy of its certificate to the other device. Each device examines the received certificate, and then validates its authenticity. To be considered authentic, the received certificate must be validated by a certification authority certificate in the recipient's Trusted Root Certification Authorities store on the local device. -Certificates can be acquired from commercial firms, or by an internal certificate server set up as part of the organization's public key infrastructure (PKI). Microsoft provides a complete PKI and certification authority solution with Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Active Directory Certificate Services (AD CS). For more information about creating and maintaining a PKI in your organization, see [Active Directory Certificate Services Overview](http://technet.microsoft.com/library/hh831740.aspx) at http://technet.microsoft.com/library/hh831740.aspx. +Certificates can be acquired from commercial firms, or by an internal certificate server set up as part of the organization's public key infrastructure (PKI). Microsoft provides a complete PKI and certification authority solution with Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Active Directory Certificate Services (AD CS). ## Deploying certificates - No matter how you acquire your certificates, you must deploy them to clients and servers that require them in order to communicate. ### Using Active Directory Certificate Services -If you use AD CS to create your own user and computer certificates in-house, then the servers designated as certification authorities (CAs) create the certificates based on administrator-designed templates. AD CS then uses Group Policy to deploy the certificates to domain member computers. Computer certificates are deployed when a domain member computer starts. User certificates are deployed when a user logs on. +If you use AD CS to create your own user and device certificates in-house, then the servers designated as certification authorities (CAs) create the certificates based on administrator-designed templates. AD CS then uses Group Policy to deploy the certificates to domain member devices. Device certificates are deployed when a domain member device starts. User certificates are deployed when a user logs on. -If you want non-domain member computers to be part of a server isolation zone that requires access by only authorized users, make sure to include certificate mapping to associate the certificates with specific user accounts. When certificate mapping is enabled, the certificate issued to each computer or user includes enough identification information to enable IPsec to match the certificate to both user and computer accounts. +If you want non-domain member devices to be part of a server isolation zone that requires access by only authorized users, make sure to include certificate mapping to associate the certificates with specific user accounts. When certificate mapping is enabled, the certificate issued to each device or user includes enough identification information to enable IPsec to match the certificate to both user and device accounts. -AD CS automatically ensures that certificates issued by the CAs are trusted by the client computers by putting the CA certificates in the correct store on each domain member computer. +AD CS automatically ensures that certificates issued by the CAs are trusted by the client devices by putting the CA certificates in the correct store on each domain member device. -### Using a commercially purchased certificate for computers running Windows +### Using a commercially purchased certificate for devices running Windows -You can import the certificates manually onto each computer if the number of computers is relatively small. For a deployment to more than a handful of computers, use Group Policy. +You can import the certificates manually onto each device if the number of devices is relatively small. For a deployment to more than a handful of devices, use Group Policy. -You must first download the vendor's root CA certificate, and then import it to a GPO that deploys it to the Local Computer\\Trusted Root Certification Authorities store on each computer that applies the GPO. +You must first download the vendor's root CA certificate, and then import it to a GPO that deploys it to the Local Computer\\Trusted Root Certification Authorities store on each device that applies the GPO. -You must also import the purchased certificate into a GPO that deploys it to the Local Computer\\Personal store on each computer that applies the GPO. +You must also import the purchased certificate into a GPO that deploys it to the Local Computer\\Personal store on each device that applies the GPO. -### Using a commercially purchased certificate for computers running a non-Windows operating system +### Using a commercially purchased certificate for devices running a non-Windows operating system If you are installing the certificates on an operating system other than Windows, see the documentation for that operating system. ## Configuring IPsec to use the certificates +When the clients and servers have the certificates available, you can configure the IPsec and connection security rules to include those certificates as a valid authentication method. The authentication method requires the subject name of the certificate, for example: **DC=com,DC=woodgrovebank,CN=CorporateCertServer**. Optionally, select **Enable certificate to account mapping** to support using these credentials for restricting access to users or devices that are members of authorized groups in a server isolation solution. -When the clients and servers have the certificates available, you can configure the IPsec and connection security rules to include those certificates as a valid authentication method. The authentication method requires the subject name of the certificate, for example: **DC=com,DC=woodgrovebank,CN=CorporateCertServer**. Optionally, select **Enable certificate to account mapping** to support using these credentials for restricting access to users or computers that are members of authorized groups in a server isolation solution. - -Starting in Windows Server 2012, the Administrator can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell. +Starting in Windows Server 2012,you can configure certificate selection criteria so the desired certificate is selected and/or validated. Enhanced Key Usage (EKU) criteria can be configured, as well as name restrictions and certificate thumbprints. This is configured using the **Advanced** button when choosing certificates for the authentication method in the user interface, or through Windows PowerShell. **Next: **[Documenting the Zones](documenting-the-zones.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-domain-isolation-zones.md b/windows/keep-secure/planning-domain-isolation-zones.md index 79003e56ed..208265eefb 100644 --- a/windows/keep-secure/planning-domain-isolation-zones.md +++ b/windows/keep-secure/planning-domain-isolation-zones.md @@ -2,15 +2,22 @@ title: Planning Domain Isolation Zones (Windows 10) description: Planning Domain Isolation Zones ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Domain Isolation Zones +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -After you have the required information about your network, Active Directory, and client and server computers, you can use that information to make decisions about the isolation zones you want to use in your environment. +After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. -The bulk of the work in planning server and domain isolation is determining which computers to assign to each isolation zone. Correctly choosing the zone for each computer is important to providing the correct level of security without compromising performance or the ability a computer to send or receive required network traffic. +The bulk of the work in planning server and domain isolation is determining which devices to assign to each isolation zone. Correctly choosing the zone for each device is important to providing the correct level of security without compromising performance or the ability for a device to send or receive required network traffic. The zones described in this guide include the following: @@ -21,12 +28,3 @@ The zones described in this guide include the following: - [Boundary Zone](boundary-zone.md) - [Encryption Zone](encryption-zone.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-gpo-deployment.md b/windows/keep-secure/planning-gpo-deployment.md index 9346df25bc..050a5550f7 100644 --- a/windows/keep-secure/planning-gpo-deployment.md +++ b/windows/keep-secure/planning-gpo-deployment.md @@ -2,133 +2,115 @@ title: Planning GPO Deployment (Windows 10) description: Planning GPO Deployment ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning GPO Deployment +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -You can control which GPOs are applied to computers in Active Directory in a combination of three ways: +You can control which GPOs are applied to devices in Active Directory in a combination of three ways: -- **Active Directory organizational unit hierarchy**. This involves linking the GPO to a specific OU in the Active Directory OU hierarchy. All computers in the OU and its subordinate containers receive and apply the GPO. +- **Active Directory organizational unit hierarchy**. This involves linking the GPO to a specific OU in the Active Directory OU hierarchy. All devices in the OU and its subordinate containers receive and apply the GPO. - Controlling GPO application through linking to OUs is typically used when you can organize the OU hierarchy according to your domain isolation zone requirements. GPOs can apply settings to computers based on their location within Active Directory. If a computer is moved from one OU to another, the policy linked to the second OU will eventually take effect when Group Policy detects the change during polling. + Controlling GPO application through linking to OUs is typically used when you can organize the OU hierarchy according to your domain isolation zone requirements. GPOs can apply settings to devices based on their location within Active Directory. If a device is moved from one OU to another, the policy linked to the second OU will eventually take effect when Group Policy detects the change during polling. -- **Security group filtering**. This involves linking the GPOs to the domain level (or other parent OU) in the OU hierarchy, and then selecting which computers receive the GPO by using permissions that only allow correct group members to apply the GPO. +- **Security group filtering**. This involves linking the GPOs to the domain level (or other parent OU) in the OU hierarchy, and then selecting which devices receive the GPO by using permissions that only allow correct group members to apply the GPO. - The security group filters are attached to the GPOs themselves. A group is added to the security group filter of the GPO in Active Directory, and then assigned Read and Apply Group Policy permissions. Other groups can be explicitly denied Read and Apply Group Policy permissions. Only those computers whose group membership are granted Read and Apply Group Policy permissions without any explicit deny permissions can apply the GPO. + The security group filters are attached to the GPOs themselves. A group is added to the security group filter of the GPO in Active Directory, and then assigned Read and Apply Group Policy permissions. Other groups can be explicitly denied Read and Apply Group Policy permissions. Only those devices whose group membership are granted Read and Apply Group Policy permissions without any explicit deny permissions can apply the GPO. -- **WMI filtering**. A WMI filter is a query that is run dynamically when the GPO is evaluated. If a computer is a member of the result set when the WMI filter query runs, the GPO is applied to the computer. +- **WMI filtering**. A WMI filter is a query that is run dynamically when the GPO is evaluated. If a device is a member of the result set when the WMI filter query runs, the GPO is applied to the device. - A WMI filter consists of one or more conditions that are evaluated against the local computer. You can check almost any characteristic of the computer, its operating system, and its installed programs. If all of the specified conditions are true for the computer, the GPO is applied; otherwise the GPO is ignored. + A WMI filter consists of one or more conditions that are evaluated against the local device. You can check almost any characteristic of the device, its operating system, and its installed programs. If all of the specified conditions are true for the device, the GPO is applied; otherwise the GPO is ignored. This guide uses a combination of security group filtering and WMI filtering to provide the most flexible options. If you follow this guidance, even though there might be five different GPOs linked to a specific group because of operating system version differences, only the correct GPO is applied. ## General considerations - -- Deploy your GPOs before you add any computer accounts to the groups that receive the GPOs. That way you can add your computers to the groups in a controlled manner. Be sure to add only a few test computers at first. Before adding many group members, examine the results on the test computers and verify that the configured firewall and connection security rules have the effect that you want. See the following sections for some suggestions on what to test before you continue. +- Deploy your GPOs before you add any device accounts to the groups that receive the GPOs. That way you can add your devices to the groups in a controlled manner. Be sure to add only a few test devices at first. Before adding many group members, examine the results on the test devices and verify that the configured firewall and connection security rules have the effect that you want. See the following sections for some suggestions on what to test before you continue. ## Test your deployed groups and GPOs +After you have deployed your GPOs and added some test devices to the groups, confirm the following before you continue with more group members: -After you have deployed your GPOs and added some test computers to the groups, confirm the following before you continue with more group members: +- Examine the GPOs that are both assigned to and filtered from the device. Run the **gpresult** tool at a command prompt. -- Examine the GPOs that are both assigned to and filtered from the computer. Run the **gpresult** tool at a command prompt. - -- Examine the rules deployed to the computer. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. +- Examine the rules deployed to the device. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes. - Verify that communications are authenticated. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**. -- Verify that communications are encrypted when the computers require it. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. +- Verify that communications are encrypted when the devices require it. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column. - Verify that your programs are unaffected. Run them and confirm that they still work as expected. -After you have confirmed that the GPOs have been correctly applied, and that the computers are now communicating by using IPsec network traffic in request mode, you can begin to add more computers to the group accounts, in manageable numbers at a time. Continue to monitor and confirm the correct application of the GPOs to the computers. +After you have confirmed that the GPOs have been correctly applied, and that the devices are now communicating by using IPsec network traffic in request mode, you can begin to add more devices to the group accounts, in manageable numbers at a time. Continue to monitor and confirm the correct application of the GPOs to the devices. ## Do not enable require mode until deployment is complete +If you deploy a GPO that requires authentication to a device before the other devices have a GPO deployed, communication between them might not be possible. Wait until you have all the zones and their GPOs deployed in request mode and confirm (as described in the previous section) that the devices are successfully communicating by using IPsec. -If you deploy a GPO that requires authentication to a computer before the other computers have a GPO deployed, communication between them might not be possible. Wait until you have all the zones and their GPOs deployed in request mode and confirm (as described in the previous section) that the computers are successfully communicating by using IPsec. +If there are problems with GPO deployment, or errors in configuration of one or more of the IPsec GPOs, devices can continue to operate, because request mode enables any device to fall back to clear communications. -If there are problems with GPO deployment, or errors in configuration of one or more of the IPsec GPOs, computers can continue to operate, because request mode enables any computer to fall back to clear communications. - -Only after you have added all of the computers to their zones, and you have confirmed that communications are working as expected, you can start changing the request mode rules to require mode rules where it is required in the zones. We recommend that you enable require mode in the zones one zone at a time, pausing to confirm that they are functioning properly before you continue. Turn the required mode setting on for the server isolation zones first, then the encryption zone, and then the isolated domain. +Only after you have added all of the devices to their zones, and you have confirmed that communications are working as expected, you can start changing the request mode rules to require mode rules where it is required in the zones. We recommend that you enable require mode in the zones one zone at a time, pausing to confirm that they are functioning properly before you continue. Turn the required mode setting on for the server isolation zones first, then the encryption zone, and then the isolated domain. Do not change the boundary zone GPO, because it must stay in request mode for both inbound and outbound connections. -If you create other zones that require either inbound or outbound require mode, make the setting change in a manner that applies the setting in stages from the smaller groups of computers to the larger groups. +If you create other zones that require either inbound or outbound require mode, make the setting change in a manner that applies the setting in stages from the smaller groups of devices to the larger groups. ## Example Woodgrove Bank deployment plans +Woodgrove Bank links all its GPOs to the domain level container in the Active Directory OU hierarchy. It then uses the following WMI filters and security group filters to control the application of the GPOs to the correct subset of devices. All of the GPOs have the User Configuration section disabled to improve performance. -Woodgrove Bank links all its GPOs to the domain level container in the Active Directory OU hierarchy. It then uses the following WMI filters and security group filters to control the application of the GPOs to the correct subset of computers. All of the GPOs have the User Configuration section disabled to improve performance. +### GPO\_DOMISO\_Firewall -### GPO\_DOMISO\_Firewall\_2008\_Win7-Vista - -- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: `select * from Win32_OperatingSystem where Version like "6.%" and ProductType <> "2"` - **Note**   - This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are computers running versions of Windows earlier than Windows Vista and Windows Server 2008. + >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices running versions of Windows earlier than Windows Vista and Windows Server 2008. + +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the CG\_DOMISO\_NO\_IPSEC. -   +### GPO\_DOMISO\_IsolatedDomain\_Clients -- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to computers that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the CG\_DOMISO\_NO\_IPSEC. - -### GPO\_DOMISO\_IsolatedDomain\_Clients\_Win7Vista - -- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"` -- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to computers that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. -### GPO\_DOMISO\_IsolatedDomain\_Servers\_WS2008 +### GPO\_DOMISO\_IsolatedDomain\_Servers -- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` - **Note**   - This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are computers that are running versions of Windows earlier than Windows Vista and Windows Server 2008. + >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008. -   +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. -- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to computers that are members of the group CG\_DOMISO\_IsolatedDomain. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. +### GPO\_DOMISO\_Boundary -### GPO\_DOMISO\_Boundary\_WS2008 - -- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` - **Note**   - This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are computers that are running versions of Windows earlier than Windows Vista and Windows Server 2008. + >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008. -   +- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to devices that are members of the group CG\_DOMISO\_Boundary. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. -- **Security filter**. This GPO grants Read and Apply Group Policy permissions only to computers that are members of the group CG\_DOMISO\_Boundary. The GPO also explicitly denies Read and Apply Group Policy permissions to members of the group CG\_DOMISO\_NO\_IPSEC. +### GPO\_DOMISO\_Encryption -### GPO\_DOMISO\_Encryption\_WS2008 - -- **WMI filter**. The WMI filter allows this GPO to apply only to computers that match the following WMI query: +- **WMI filter**. The WMI filter allows this GPO to apply only to devices that match the following WMI query: `select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "3"` - **Note**   - This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are computers that are running versions of Windows earlier than Windows Vista and Windows Server 2008. - -   - -- **Security filter**. This GPO grants Read and Apply permissions in Group Policy only to computers that are members of the group CG\_DOMISO\_Encryption. The GPO also explicitly denies Read and Apply permissions in Group Policy to members of the group CG\_DOMISO\_NO\_IPSEC. - -  - -  - - - - + >**Note:**  This excludes domain controllers (which report a ProductType value of 2). Do not include domain controllers in the isolated domain if there are devices that are running versions of Windows earlier than Windows Vista and Windows Server 2008. +- **Security filter**. This GPO grants Read and Apply permissions in Group Policy only to devices that are members of the group CG\_DOMISO\_Encryption. The GPO also explicitly denies Read and Apply permissions in Group Policy to members of the group CG\_DOMISO\_NO\_IPSEC. diff --git a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md index 83dd7f12ae..fff34a12c7 100644 --- a/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/keep-secure/planning-group-policy-deployment-for-your-isolation-zones.md @@ -2,15 +2,22 @@ title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10) description: Planning Group Policy Deployment for Your Isolation Zones ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Group Policy Deployment for Your Isolation Zones +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -After you have decided on the best logical design of your isolation environment for the network and computer security requirements, you can start the implementation plan. +After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. -You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the computer accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you will ensure that the policies will only apply to the correct computers within each group. +You have a list of isolation zones with the security requirements of each. For implementation, you must plan the groups that will hold the device accounts in each zone, the network access groups that will be used to determine who can access an isolated server, and the GPOs with the connection security and firewall rules to apply to corresponding groups. Finally you must determine how you will ensure that the policies will only apply to the correct devices within each group. - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) @@ -19,12 +26,3 @@ You have a list of isolation zones with the security requirements of each. For i - [Planning the GPOs](planning-the-gpos.md) - [Planning GPO Deployment](planning-gpo-deployment.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-isolation-groups-for-the-zones.md b/windows/keep-secure/planning-isolation-groups-for-the-zones.md index 209c9c78e2..b4f667a50b 100644 --- a/windows/keep-secure/planning-isolation-groups-for-the-zones.md +++ b/windows/keep-secure/planning-isolation-groups-for-the-zones.md @@ -2,78 +2,38 @@ title: Planning Isolation Groups for the Zones (Windows 10) description: Planning Isolation Groups for the Zones ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Isolation Groups for the Zones +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A computer is assigned to a zone by adding its computer account to the group which represents that zone. +Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. -**Caution**   -Do not add computers to your groups yet. If a computer is in a group when the GPO is activated then that GPO is applied to the computer. If the GPO is one that requires authentication, and the other computers have not yet received their GPOs, the computer that uses the new GPO might not be able to communicate with the others. - -  +>**Caution:**  Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others. Universal groups are the best option to use for GPO assignment because they apply to the whole forest and reduce the number of groups that must be managed. However, if universal groups are unavailable, you can use domain global groups instead. The following table lists typical groups that can be used to manage the domain isolation zones discussed in the Woodgrove Bank example in this guide: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Group nameDescription

CG_DOMISO_No_IPsec

A universal group of computer accounts that do not participate in the IPsec environment. Typically consists of infrastructure computer accounts that will also be included in exemption lists.

-

This group is used in security group filters to ensure that GPOs with IPsec rules are not applied to group members.

CG_DOMISO_IsolatedDomain

A universal group of computer accounts that contains the members of the isolated domain.

-

During the early days of testing, this group might contain only a very small number of computers. During production, it might contain the built-in Domain Computers group to ensure that every computer in the domain participates.

-

Members of this group receive the domain isolation GPO that requires authentication for inbound connections.

CG_DOMISO_Boundary

A universal group of computer accounts that contains the members of the boundary zone.

-

Members of this group receive a GPO that specifies that authentication is requested, but not required.

CG_DOMISO_Encryption

A universal group of computer accounts that contains the members of the encryption zone.

-

Members of this group receive a GPO that specifies that both authentication and encryption are required for all inbound connections.

CG_SRVISO_ServerRole

A universal group of computer accounts that contains the members of the server isolation group.

-

Members of this group receive the server isolation GPO that requires membership in a network access group in order to connect.

-

There will be one group for each set of servers that have different user and computer restriction requirements.

- -  +| Group name | Description | +| - | - | +| CG_DOMISO_No_IPsec | A universal group of device accounts that do not participate in the IPsec environment. Typically consists of infrastructure device accounts that will also be included in exemption lists.
This group is used in security group filters to ensure that GPOs with IPsec rules are not applied to group members.| +| CG_DOMISO_IsolatedDomain | A universal group of device accounts that contains the members of the isolated domain.
During the early days of testing, this group might contain only a very small number of devices. During production, it might contain the built-in **Domain Computers** group to ensure that every device in the domain participates.
Members of this group receive the domain isolation GPO that requires authentication for inbound connections.| +| CG_DOMISO_Boundary | A universal group of device accounts that contains the members of the boundary zone.

Members of this group receive a GPO that specifies that authentication is requested, but not required.| +| CG_DOMISO_Encryption | A universal group of device accounts that contains the members of the encryption zone.
Members of this group receive a GPO that specifies that both authentication and encryption are required for all inbound connections. +| CG_SRVISO_*ServerRole* | A universal group of device accounts that contains the members of the server isolation group.
Members of this group receive the server isolation GPO that requires membership in a network access group in order to connect.
There will be one group for each set of servers that have different user and device restriction requirements. | Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](planning-the-gpos.md). -If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the computer. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific. +If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific. **Next: **[Planning Network Access Groups](planning-network-access-groups.md) -  - -  - - - - - diff --git a/windows/keep-secure/planning-network-access-groups.md b/windows/keep-secure/planning-network-access-groups.md index e96e8d26f2..4d9b002e7c 100644 --- a/windows/keep-secure/planning-network-access-groups.md +++ b/windows/keep-secure/planning-network-access-groups.md @@ -2,67 +2,32 @@ title: Planning Network Access Groups (Windows 10) description: Planning Network Access Groups ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Network Access Groups +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -A network access group (NAG) is used to identify users and computers that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a computer, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. +A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. -Minimize the number of NAGs to limit the complexity of the solution. You need one NAG for each server isolation group to restrict the computers or users that are granted access. You can optionally split the NAG into two different groups: one for authorized computers and one for authorized users. +Minimize the number of NAGs to limit the complexity of the solution. You need one NAG for each server isolation group to restrict the devices or users that are granted access. You can optionally split the NAG into two different groups: one for authorized devices and one for authorized users. The NAGs that you create and populate become active by referencing them in the **Users and Computers** tab of the firewall rules in the GPO assigned to the isolated servers. The GPO must also contain connection security rules that require authentication to supply the credentials checked for NAG membership. -For the Woodgrove Bank scenario, access to the computers running SQL Server that support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative computers. They are also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service. +For the Woodgrove Bank scenario, access to the devices running SQL Server that support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative devices. They are also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service. - ----- - - - - - - - - - - - - - - - - - - - -
NAG NameNAG Member Users, Computers, or GroupsDescription

CG_NAG_ServerRole_Users

Svr1AdminA

-

Svr1AdminB

-

Group_AppUsers

-

AppSvcAccount

This group is for all users who are authorized to make inbound IPsec connections to the isolated servers in this zone.

CG_NAG_ServerRole_Computers

Desktop1

-

Desktop2

-

AdminDT1

-

AppAdminDT1

This group contains all computers that are authorized to make inbound IPsec connections to the isolated servers in this zone.

+| NAG Name | NAG Member Users, Computers, or Groups | Description | +| - | - | - | +| CG_NAG_*ServerRole*_Users| Svr1AdminA
Svr1AdminB
Group_AppUsers
AppSvcAccount| This group is for all users who are authorized to make inbound IPsec connections to the isolated servers in this zone.| +| CG_NAG_*ServerRole*_Computers| Desktop1
Desktop2
AdminDT1
AppAdminDT1| This group contains all devices that are authorized to make inbound IPsec connections to the isolated servers in this zone.| -  - -**Note**   -Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the computer or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5. - -  +>**Note:**  Membership in a NAG does not control the level of IPsec traffic protection. The IKE negotiation is only aware of whether the device or user passed or failed the Kerberos V5 authentication process. The connection security rules in the applied GPO control the security methods that are used for protecting traffic and are independent of the identity being authenticated by Kerberos V5. **Next: **[Planning the GPOs](planning-the-gpos.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-server-isolation-zones.md b/windows/keep-secure/planning-server-isolation-zones.md index dc95031002..12688b93c9 100644 --- a/windows/keep-secure/planning-server-isolation-zones.md +++ b/windows/keep-secure/planning-server-isolation-zones.md @@ -2,45 +2,46 @@ title: Planning Server Isolation Zones (Windows 10) description: Planning Server Isolation Zones ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Server Isolation Zones +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any computers that are outside the isolated domain, and encrypts all network connections to server. +Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. -The second option is to additionally restrict access to the server, not just to members of the isolated domain, but to only those users or computers who have business reasons to access the resources on the server. You can specify only approved users, or you can additionally specify that the approved users can only access the server from approved computers. +The second option is to additionally restrict access to the server, not just to members of the isolated domain, but to only those users or devices who have business reasons to access the resources on the server. You can specify only approved users, or you can additionally specify that the approved users can only access the server from approved devices. -To grant access, you add the approved user and computer accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This causes IKE to use Kerberos V5 to exchange credentials with the server. The additional firewall rule on the server causes Windows to check the provided computer and user accounts for group membership in the NAGs. If either the user or computer is not a member of a required NAG then the network connection is refused. +To grant access, you add the approved user and device accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This causes IKE to use Kerberos V5 to exchange credentials with the server. The additional firewall rule on the server causes Windows to check the provided device and user accounts for group membership in the NAGs. If either the user or device is not a member of a required NAG then the network connection is refused. ## Isolated domains and isolated servers +If you are using an isolated domain, the client devices already have the IPsec rules to enable them to authenticate traffic when the server requires it. If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized device or user. -If you are using an isolated domain, the client computers already have the IPsec rules to enable them to authenticate traffic when the server requires it. If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized computer or user. - -If you are not using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client computers that you want to access the server to use the appropriate IPsec rules. If the client computers are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG. +If you are not using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client devices that you want to access the server to use the appropriate IPsec rules. If the client devices are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG. ## Creating multiple isolated server zones - Each set of servers that must be accessed by different sets of users should be set up in its own isolated server zone. After one set of GPOs for one isolated server zone has been successfully created and verified, you can copy the GPOs to a new set. You must change the GPO names to reflect the new zone, the name and membership of the isolated server zone group to which the GPOs are applied, and the names and membership of the NAG groups that determine which clients can access the servers in the isolated server zone. ## Creating the GPOs - Creation of the groups and how to link them to the GPOs that apply the rules to members of the groups are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. An isolated server is often a member of the encryption zone. Therefore, copying that GPO set serves as a good starting point. You then modify the rules to additionally restrict access to only NAG members. -### GPO settings for isolated servers running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008 +### GPO settings for isolated servers running at least Windows Server 2008 -GPOs for computers running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008 should include the following: +GPOs for devices running at least Windows Server 2008 should include the following: -**Note**   -The connection security rules described here are identical to the ones for the encryption zone. If you do not want to encrypt access and also restrict access to NAG members, you can use connection security rules identical to the main isolated domain. You must still add the firewall rule described at the end of this list to change it into an isolated server zone. - -  +>**Note:**  The connection security rules described here are identical to the ones for the encryption zone. If you do not want to encrypt access and also restrict access to NAG members, you can use connection security rules identical to the main isolated domain. You must still add the firewall rule described at the end of this list to change it into an isolated server zone. - IPsec default settings that specify the following options: @@ -52,37 +53,22 @@ The connection security rules described here are identical to the ones for the e If any NAT devices are present on your networks, do not use AH because it cannot traverse NAT devices. If isolated servers must communicate with hosts in the encryption zone, include an algorithm that is compatible with the requirements of the encryption zone GPOs. - 4. Authentication methods. Include at least computer-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. Do not make the user-based authentication method mandatory, or else computers that cannot use AuthIP instead of IKE, including Windows XP and Windows Server 2003, cannot communicate. Likewise, if any of your domain isolation members cannot use Kerberos V5, include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. Do not make the user-based authentication method mandatory, or else devices that cannot use AuthIP instead of IKE, including Windows XP and Windows Server 2003, cannot communicate. Likewise, if any of your domain isolation members cannot use Kerberos V5, include certificate-based authentication as an optional authentication method. - The following connection security and firewall rules: - - A connection security rule that exempts all computers on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. + - A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment. - A connection security rule, from **Any IP address** to **Any IP address**, that requires inbound and requests outbound authentication by using Kerberos V5 authentication. - **Important**   - Be sure to begin operations by using request in and request out behavior until you are sure that all the computers in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. + >**Important:**  Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. -   - - - A firewall rule that specifies **Allow only secure connections**, **Require encryption**, and on the **Users and Computers** tab includes references to both computer and user network access groups. + - A firewall rule that specifies **Allow only secure connections**, **Require encryption**, and on the **Users and Computers** tab includes references to both device and user network access groups. - A registry policy that includes the following values: - Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**. - **Note**   - For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). - -   + >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md). **Next: **[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md index 4609526945..4fcbd977dc 100644 --- a/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/keep-secure/planning-settings-for-a-basic-firewall-policy.md @@ -2,22 +2,26 @@ title: Planning Settings for a Basic Firewall Policy (Windows 10) description: Planning Settings for a Basic Firewall Policy ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Settings for a Basic Firewall Policy +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -After you have identified your requirements, and have the information about the network layout and computers available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the computers. +After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. The following is a list of the firewall settings that you might consider for inclusion in a basic firewall design, together with recommendations to serve as a starting point for your analysis: -- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private** (on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2). Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on computers that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they are not on the organization's network, you cannot fix a connectivity problem by deploying rule changes in a GPO. For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization. +- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private**. Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on devices that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they are not on the organization's network, you cannot fix a connectivity problem by deploying rule changes in a GPO. For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization. - **Important**   - We recommend that on server computers that you set all rules for all profiles to prevent any unexpected profile switch from disrupting network connectivity. You might consider a similar practice for your desktop computers, and only support different profiles on portable computers. - -   + >**Important:**  We recommend that on server devices that you set all rules for all profiles to prevent any unexpected profile switch from disrupting network connectivity. You might consider a similar practice for your desktop devices, and only support different profiles on portable devices. - **Firewall state: On**. We recommend that you prevent the user from turning it off. @@ -35,24 +39,12 @@ The following is a list of the firewall settings that you might consider for inc - **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Firewall service account has write permissions. -- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another computer on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port. +- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port. - Inbound rules are common on servers, because they host services to which client computers connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. Examine the rules to ensure that they do not open up more ports than are required. + Inbound rules are common on servers, because they host services to which client devices connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. Examine the rules to ensure that they do not open up more ports than are required. - **Important**   - If you create inbound rules that permit RPC network traffic by using the **RPC Endpoint Mapper** and **Dynamic RPC** rule options, then all inbound RPC network traffic is permitted because the firewall cannot filter network traffic based on the UUID of the destination application. - -   + >**Important:**  If you create inbound rules that permit RPC network traffic by using the **RPC Endpoint Mapper** and **Dynamic RPC** rule options, then all inbound RPC network traffic is permitted because the firewall cannot filter network traffic based on the UUID of the destination application. - **Outbound rules**. Only create outbound rules to block network traffic that must be prevented in all cases. If your organization prohibits the use of certain network programs, you can support that policy by blocking the known network traffic used by the program. Be sure to test the restrictions before you deploy them to avoid interfering with traffic for needed and authorized programs. **Next: **[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-the-gpos.md b/windows/keep-secure/planning-the-gpos.md index e2809e0d05..b22f0497cd 100644 --- a/windows/keep-secure/planning-the-gpos.md +++ b/windows/keep-secure/planning-the-gpos.md @@ -2,45 +2,45 @@ title: Planning the GPOs (Windows 10) description: Planning the GPOs ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning the GPOs +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the computers to the zones. +When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. ## General considerations - A few things to consider as you plan the GPOs: -- Do not allow a computer to be a member of more than one isolation zone. A computer in more than one zone receives multiple and possibly contradictory GPOs. This can result in unexpected, and difficult to troubleshoot behavior. +- Do not allow a device to be a member of more than one isolation zone. A device in more than one zone receives multiple and possibly contradictory GPOs. This can result in unexpected, and difficult to troubleshoot behavior. The examples in this guide show GPOs that are designed to prevent the requirement to belong to multiple zones. -- Ensure that the IPsec algorithms you specify in your GPOs are compatible across all the versions of Windows. The same principle applies to the data integrity and encryption algorithms. We recommend that you include the more advanced algorithms when you have the option of selecting several in an ordered list. The computers will negotiate down from the top of their lists, selecting one that is configured on both computers. So a computer that is running Windows Vista that is connected to a server that is running Windows Server 2012 can communicate by using a much more secure algorithm. +- Ensure that the IPsec algorithms you specify in your GPOs are compatible across all the versions of Windows. The same principle applies to the data integrity and encryption algorithms. We recommend that you include the more advanced algorithms when you have the option of selecting several in an ordered list. The devices will negotiate down from the top of their lists, selecting one that is configured on both devices. - The primary difference in your domain isolation GPOs is whether the rules request or require authentication. - **Caution**   - It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the computers over time, applying a require policy to one computer breaks its ability to communicate with another computer that has not yet received its policy. Using request mode at the beginning enables computers to continue communicating by using plaintext connections if required. After you confirm that your computers are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone. + >**Caution:**  It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the devices over time, applying a require policy to one device breaks its ability to communicate with another device that has not yet received its policy. Using request mode at the beginning enables devices to continue communicating by using plaintext connections if required. After you confirm that your devices are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone. -   +- Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. -- Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the computer. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the computer handles network traffic will change accordingly. We recommend for stationary computers, such as desktops and servers, that you assign any rule for the computer to all profiles. Apply GPOs that change rules per network location to computers that must move between networks, such as your portable computers. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. For more information, see Network Location Types at . - - **Note**   - Computers running Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 R2 support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. - -   + >**Note:**  Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. After considering these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs. ## Woodgrove Bank example GPOs -The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which computers receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section. +The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which devices receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section. In this section you can find information about the following: @@ -53,12 +53,3 @@ In this section you can find information about the following: - [Encryption Zone GPOs](encryption-zone-gpos.md) - [Server Isolation GPOs](server-isolation-gpos.md) - -  - -  - - - - - diff --git a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md index e044483cf2..1801d2a86a 100644 --- a/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -2,20 +2,26 @@ title: Planning to Deploy Windows Firewall with Advanced Security (Windows 10) description: Planning to Deploy Windows Firewall with Advanced Security ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning to Deploy Windows Firewall with Advanced Security +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization. ## Reviewing your Windows Firewall with Advanced Security Design - If the design team that created the Windows Firewall with Advanced Security design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points: -- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which computers apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide: +- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide: - [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) @@ -23,13 +29,13 @@ If the design team that created the Windows Firewall with Advanced Security desi - [Planning GPO Deployment](planning-gpo-deployment.md) -- The communication to be allowed between members of each of the zones in the isolated domain and computers that are not part of the isolated domain or members of the isolated domain's exemption list. +- The communication to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list. - The recommendation that domain controllers are exempted from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers. -- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between computers might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated. +- The rationale for configuring all IPsec authentication rules to request, not require, authentication until the successful negotiation of IPsec has been confirmed. If the rules are set to require authentication before confirming that authentication is working correctly, then communications between devices might fail. If the rules are set to request authentication only, then an IPsec authentication failure results in fall-back-to-clear behavior, so communications can continue while the authentication failures are investigated. -- The requirement that all computers that must communicate with each other share a common set of: +- The requirement that all devices that must communicate with each other share a common set of: - Authentication methods @@ -37,15 +43,6 @@ If the design team that created the Windows Firewall with Advanced Security desi - Quick mode data integrity algorithms - If at least one set of each does not match between two computers, then the computers cannot successfully communicate. + If at least one set of each does not match between two devices, then the devices cannot successfully communicate. After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md). - -  - -  - - - - - diff --git a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md index 4c5d9ec780..c800eca94d 100644 --- a/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/keep-secure/planning-your-windows-firewall-with-advanced-security-design.md @@ -2,43 +2,47 @@ title: Planning Your Windows Firewall with Advanced Security Design (Windows 10) description: Planning Your Windows Firewall with Advanced Security Design ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Planning Your Windows Firewall with Advanced Security Design +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. ## Basic firewall design - -We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Computers from Unwanted Network Traffic](protect-computers-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization. +We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization. When you are ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) section. ## Algorithm and method support and selection - -To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, as well as their relative strengths. To review the algorithms and methods supported in versions of the Windows operating system, see IPsec Algorithms and Methods Supported in Windows (). +To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, as well as their relative strengths. ## IPsec performance considerations +Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms. -Although IPsec is critically important in securing network traffic going to and from your computers, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your computer from making use of all of the available bandwidth. For example, an IPsec-enabled computer using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms. - -IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This frees up a computer’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps. For more information, see Improving Network Performance by Using IPsec Task Offload (). +IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This frees up a device’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps. ## Domain isolation design Include this design in your plans: -- If you have an Active Directory domain of which most of the computers are members. +- If you have an Active Directory domain of which most of the devices are members. -- If you want to prevent the computers in your organization from accepting any unsolicited network traffic from computers that are not part of the domain. +- If you want to prevent the devices in your organization from accepting any unsolicited network traffic from devices that are not part of the domain. -If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you are sure that the computers are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you are troubleshooting. +If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you are sure that the devices are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you are troubleshooting. When you are ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. @@ -47,9 +51,9 @@ When you are ready to examine the options for creating an isolated domain, see t Include this design in your plans: -- If you have an isolated domain and you want to additionally restrict access to specific servers to only authorized users and computers. +- If you have an isolated domain and you want to additionally restrict access to specific servers to only authorized users and devices. -- You are not deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. You can restrict access to the isolated servers to only authorized users and computers. +- You are not deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. You can restrict access to the isolated servers to only authorized users and devices. If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the additional server isolation elements. @@ -60,37 +64,28 @@ When you are ready to examine the options for isolating servers, see the [Planni Include this design in your plans: -- If you want to implement some of the elements of domain or server isolation on computers that are not joined to an Active Directory domain, or do not want to use domain membership as an authentication mechanism. +- If you want to implement some of the elements of domain or server isolation on devices that are not joined to an Active Directory domain, or do not want to use domain membership as an authentication mechanism. -- You have an isolated domain and want to include a server that is not a member of the Active Directory domain because the computer is not running Windows, or for any other reason. +- You have an isolated domain and want to include a server that is not a member of the Active Directory domain because the device is not running Windows, or for any other reason. -- You must enable external computers that are not managed by your organization to access information on one of your servers, and want to do this in a secure way. +- You must enable external devices that are not managed by your organization to access information on one of your servers, and want to do this in a secure way. -If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the computers that require it. +If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the devices that require it. When you are ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) section. ## Documenting your design -After you finish selecting the designs that you will use, you must assign each of your computers to the appropriate isolation zone and document the assignment for use by the deployment team. +After you finish selecting the designs that you will use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team. - [Documenting the Zones](documenting-the-zones.md) ## Designing groups and GPOs -After you have selected a design and assigned your computers to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you will use to apply the settings and rules to your computers. +After you have selected a design and assigned your devices to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you will use to apply the settings and rules to your devices. When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. **Next: **[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) - -  - -  - - - - - diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md index 4a19f0dbf8..0a0d740794 100644 --- a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md @@ -15,7 +15,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 Technical Preview -The use of authentication in the previously described goal ([Restrict Access to Only Trusted Computers](restrict-access-to-only-trusted-computers.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. +The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. For devices that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it. diff --git a/windows/keep-secure/server-isolation-gpos.md b/windows/keep-secure/server-isolation-gpos.md index acfe57e0bb..149730d1a5 100644 --- a/windows/keep-secure/server-isolation-gpos.md +++ b/windows/keep-secure/server-isolation-gpos.md @@ -2,35 +2,30 @@ title: Server Isolation GPOs (Windows 10) description: Server Isolation GPOs ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Server Isolation GPOs +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -Each set of computers that have different users or computers accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on computers in the zone. The Woodgrove Bank example has an isolation zone for their computers that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. +Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. -All of the computer accounts for computers in the SQL Server server isolation zone are added to the group CG\_SRVISO\_WGBANK\_SQL. This group is granted Read and Apply Group Policy permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. Client computers are not expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone. +All of the device accounts for devices in the SQL Server server isolation zone are added to the group CG\_SRVISO\_WGBANK\_SQL. This group is granted Read and Apply Group Policy permissions in on the GPOs described in this section. The GPOs are only for server versions of Windows. Client devices are not expected to be members of the server isolation zone, although they can access the servers in the zone by being a member of a network access group (NAG) for the zone. -## GPO\_SRVISO\_WS2008 +## GPO\_SRVISO -This GPO is identical to the GPO\_DOMISO\_Encryption\_WS2008 GPO with the following changes: +This GPO is identical to the GPO\_DOMISO\_Encryption GPO with the following changes: - The firewall rule that enforces encryption is modified to include the NAGs on the **Users and Computers** tab of the rule. The NAGs granted permission include CG\_NAG\_SQL\_Users and CG\_NAG\_SQL\_Computers. - **Important**   - Earlier versions of Windows support only computer-based authentication. If you specify that user authentication is mandatory, only users on computers that are running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008 can connect. - -   + >**Important:**  Earlier versions of Windows support only device-based authentication. If you specify that user authentication is mandatory, only users on devices that are running at least Windows Vista or Windows Server 2008 can connect. **Next: **[Planning GPO Deployment](planning-gpo-deployment.md) - -  - -  - - - - - diff --git a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md index 915d050d9a..5dabaedf02 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security-deployment-guide.md @@ -2,19 +2,25 @@ title: Windows Firewall with Advanced Security Deployment Guide (Windows 10) description: Windows Firewall with Advanced Security Deployment Guide ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Windows Firewall with Advanced Security Deployment Guide +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -You can use the Windows Firewall with Advanced Security MMC snap-in in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 to help protect the computers and the data that they share across a network. +You can use the Windows Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. -You can use Windows Firewall to control access to the computer from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from computer to computer. +You can use Windows Firewall to control access to the device from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from device to device. ## About this guide - This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected. Begin by reviewing the information in [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md). @@ -33,44 +39,24 @@ After you select your design and gather the required information about the zones Use the checklists in [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. -**Caution**   -We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the computers in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. - -In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or computer accounts that are members of an excessive number of groups; this can result in network connectivity problems if network protocol limits are exceeded. For more information about the problems associated with excessive group membership, see the following articles in the Microsoft Knowledge Base: - -- Article 327825, “New resolution for problems with Kerberos authentication when users belong to many groups” () - -- Article 263693 “Group Policy may not be applied to users belonging to many groups” () - -- Article 328889 “Users who are members of more than 1,015 groups may fail logon authentication” () +>**Caution:**  We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. +In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or device accounts that are members of an excessive number of groups; this can result in network connectivity problems if network protocol limits are exceeded.   - ## What this guide does not provide - This guide does not provide: - Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Firewall with Advanced Security Design Guide. -- Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy. For more information, see Active Directory Domain Services () and Group Policy (). +- Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy. -- Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication. For this information, see Active Directory Certificate Services (). +- Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication. ## Overview of Windows Firewall with Advanced Security +Windows Firewall with Advanced Security in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Firewall with Advanced Security also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. -Windows Firewall with Advanced Security in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the computer by allowing you to create rules that determine which network traffic is permitted to enter the computer from the network and which network traffic the computer is allowed to send to the network. Windows Firewall with Advanced Security also supports Internet Protocol security (IPsec), which you can use to require authentication from any computer that is attempting to communicate with your computer. When authentication is required, computers that cannot be authenticated as a trusted computer cannot communicate with your computer. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. - -The Windows Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel program can protect a single computer in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. - -For more information about Windows Firewall with Advanced Security, see [Windows Firewall with Advanced Security Overview](http://technet.microsoft.com/library/hh831365.aspx) at http://technet.microsoft.com/library/hh831365.aspx. - -  - -  - - - - +The Windows Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. +For more information about Windows Firewall with Advanced Security, see [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). From ec65ca848bf7efadab2e50f96d2b50f4064313cc Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 2 Jun 2016 14:37:45 -0700 Subject: [PATCH 11/26] updating for Windows 10 --- windows/keep-secure/TOC.md | 37 ++++---- ...ters-to-the-membership-group-for-a-zone.md | 84 ----------------- ...ices-to-the-membership-group-for-a-zone.md | 83 ++++++++++++++++ ...ters-to-the-membership-group-for-a-zone.md | 79 ---------------- ...ices-to-the-membership-group-for-a-zone.md | 77 +++++++++++++++ ...ssign-security-group-filters-to-the-gpo.md | 44 +++------ ...ange-rules-from-request-to-require-mode.md | 42 +++------ ...md => configure-authentication-methods.md} | 45 ++++----- ...re-data-protection-quick-mode-settings.md} | 24 ++--- ...y-to-autoenroll-and-deploy-certificates.md | 20 ++-- ...figure-key-exchange-main-mode-settings.md} | 51 ++++------ ...figure-the-rules-to-require-encryption.md} | 32 +++---- .../configure-the-windows-firewall-log.md | 29 +++--- ...on-authentication-certificate-template.md} | 27 +++--- ...notifications-when-a-program-is-blocked.md | 32 ++----- ...hat-certificates-are-deployed-correctly.md | 46 ++++----- .../copy-a-gpo-to-create-a-new-gpo.md | 26 +++-- ...ate-a-group-account-in-active-directory.md | 25 ++--- .../create-a-group-policy-object.md | 27 ++---- ...-an-authentication-exemption-list-rule.md} | 44 ++++----- ...-server-2008-and-windows-server-2008-r2.md | 94 ------------------- .../create-an-authentication-request-rule.md | 84 +++++++++++++++++ ...8-r2.md => create-an-inbound-icmp-rule.md} | 35 +++---- ...s-server-2008-or-windows-server-2008-r2.md | 75 --------------- .../create-an-inbound-port-rule.md | 62 ++++++++++++ ...ate-an-inbound-program-or-service-rule.md} | 47 +++------- ...-r2.md => create-an-outbound-port-rule.md} | 38 +++----- ...te-an-outbound-program-or-service-rule.md} | 40 +++----- ...=> create-inbound-rules-to-support-rpc.md} | 55 ++++------- .../create-wmi-filters-for-the-gpo.md | 51 ++++------ ...s-server-2008-or-windows-server-2008-r2.md | 47 ---------- .../enable-predefined-inbound-rules.md | 36 +++++++ ...md => enable-predefined-outbound-rules.md} | 31 +++--- ...-server-2008-and-windows-server-2008-r2.md | 39 -------- .../exempt-icmp-from-authentication.md | 30 ++++++ ...l-active-directory-certificate-services.md | 77 --------------- .../keep-secure/link-the-gpo-to-the-domain.md | 26 +++-- ...-a-different-zone-or-version-of-windows.md | 51 ++++------ ...agement-console-to-ip-security-policies.md | 20 ++-- ...windows-firewall-with-advanced-security.md | 22 ++--- ...-management-console-to-windows-firewall.md | 22 ++--- ...windows-firewall-with-advanced-security.md | 35 +++---- .../procedures-used-in-this-guide.md | 94 +++++++++---------- ...erver-access-to-members-of-a-group-only.md | 36 +++---- ...rt-a-command-prompt-as-an-administrator.md | 34 ------- ...firewall-and-configure-default-behavior.md | 19 ++-- ...y-that-network-traffic-is-authenticated.md | 48 ++++------ 47 files changed, 843 insertions(+), 1279 deletions(-) delete mode 100644 windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md create mode 100644 windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md delete mode 100644 windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md create mode 100644 windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md rename windows/keep-secure/{configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md => configure-authentication-methods.md} (70%) rename windows/keep-secure/{configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md => configure-data-protection-quick-mode-settings.md} (88%) rename windows/keep-secure/{configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md => configure-key-exchange-main-mode-settings.md} (57%) rename windows/keep-secure/{configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md => configure-the-rules-to-require-encryption.md} (56%) rename windows/keep-secure/{configure-the-workstation-authentication-certificate-templatewfas-dep.md => configure-the-workstation-authentication-certificate-template.md} (74%) rename windows/keep-secure/{create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md => create-an-authentication-exemption-list-rule.md} (50%) delete mode 100644 windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md create mode 100644 windows/keep-secure/create-an-authentication-request-rule.md rename windows/keep-secure/{create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md => create-an-inbound-icmp-rule.md} (59%) delete mode 100644 windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md create mode 100644 windows/keep-secure/create-an-inbound-port-rule.md rename windows/keep-secure/{create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md => create-an-inbound-program-or-service-rule.md} (57%) rename windows/keep-secure/{create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md => create-an-outbound-port-rule.md} (58%) rename windows/keep-secure/{create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md => create-an-outbound-program-or-service-rule.md} (60%) rename windows/keep-secure/{create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md => create-inbound-rules-to-support-rpc.md} (51%) delete mode 100644 windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md create mode 100644 windows/keep-secure/enable-predefined-inbound-rules.md rename windows/keep-secure/{enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md => enable-predefined-outbound-rules.md} (60%) delete mode 100644 windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md create mode 100644 windows/keep-secure/exempt-icmp-from-authentication.md delete mode 100644 windows/keep-secure/install-active-directory-certificate-services.md delete mode 100644 windows/keep-secure/start-a-command-prompt-as-an-administrator.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index e035651dd8..ac7b4a1617 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -477,13 +477,12 @@ ######### [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md) ######### [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md) ######## [Boundary Zone GPOs](boundary-zone-gpos.md) -######### [GPO_DOMISO_Boundary_WS2008](gpo-domiso-boundary-ws2008.md) +######### [GPO_DOMISO_Boundary](gpo-domiso-boundary.md) ######## [Encryption Zone GPOs](encryption-zone-gpos.md) -######### [GPO_DOMISO_Encryption_WS2008](gpo-domiso-encryption-ws2008.md) +######### [GPO_DOMISO_Encryption](gpo-domiso-encryption.md) ######## [Server Isolation GPOs](server-isolation-gpos.md) ####### [Planning GPO Deployment](planning-gpo-deployment.md) ##### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) -##### [Additional Resources](additional-resources-wfasdesign.md) #### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) ##### [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md) ##### [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) @@ -506,11 +505,11 @@ ###### [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md) ###### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) ###### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) -###### [Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) -###### [Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +###### [Configure Authentication Methods](configure-authentication-methods.md) +###### [Configure Data Protection (Quick Mode) Settings](configure-data-protection--quick-mode--settings.md) ###### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) -###### [Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) -###### [Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +###### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange--main-mode--settings.md) +###### [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md) ###### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) ###### [Configure the Workstation Authentication Certificate Template[wfas_dep]](configure-the-workstation-authentication-certificate-templatewfas-dep.md) ###### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) @@ -518,18 +517,18 @@ ###### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) ###### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) ###### [Create a Group Policy Object](create-a-group-policy-object.md) -###### [Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) -###### [Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) -###### [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -###### [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -###### [Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -###### [Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -###### [Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -###### [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +###### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) +###### [Create an Authentication Request Rule](create-an-authentication-request-rule.md) +###### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) +###### [Create an Inbound Port Rule](create-an-inbound-port-rule.md) +###### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) +###### [Create an Outbound Port Rule](create-an-outbound-port-rule.md) +###### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md) +###### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) ###### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) -###### [Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -###### [Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -###### [Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +###### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md) +###### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md) +###### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md) ###### [Install Active Directory Certificate Services](install-active-directory-certificate-services.md) ###### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) ###### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) @@ -538,10 +537,8 @@ ###### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) ###### [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) ###### [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md) -###### [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md) ###### [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) ###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) -##### [Additional Resources[wfas_deploy]](additional-resourceswfas-deploy.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) ### [Device Guard deployment guide](device-guard-deployment-guide.md) diff --git a/windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md deleted file mode 100644 index cacc2910f5..0000000000 --- a/windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md +++ /dev/null @@ -1,84 +0,0 @@ ---- -title: Add Production Computers to the Membership Group for a Zone (Windows 10) -description: Add Production Computers to the Membership Group for a Zone -ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23 -author: brianlic-msft ---- - -# Add Production Computers to the Membership Group for a Zone - - -After you test the GPOs for your design on a small set of computers, you can deploy them to the production computers. - -**Caution**   -For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your computers are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode. - -  - -The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new computers that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude computers that must not receive the GPOs. Use computer groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Computers that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md). - -Without such a group (or groups), you must either add computers individually or use the groups containing computer accounts that are available to you. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO. - -In this topic: - -- [Add the group Domain Computers to the GPO membership group](#bkmk-toadddomaincomputerstothegpomembershipgroup) - -- [Refresh Group Policy on the computers in the membership group](#bkmk-torefreshgrouppolicyonacomputer) - -- [Check which GPOs apply to a computer](#bkmk-toseewhatgposareappliedtoacomputer) - -## - - -**To add domain computers to the GPO membership group** - -1. On a computer that has the Active Directory management tools installed, click the **Start** charm, then click the **Active Directory Users and Computers** tile. - -2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group. - -3. In the details pane, double-click the GPO membership group to which you want to add computers. - -4. Select the **Members** tab, and then click **Add**. - -5. Type **Domain Computers** in the text box, and then click **OK**. - -6. Click **OK** to close the group properties dialog box. - -After a computer is a member of the group, you can force a Group Policy refresh on the computer. - -## - - -**To refresh Group Policy on a computer** - -- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command: - - ``` syntax - gpupdate /target:computer /force - ``` - -After Group Policy is refreshed, you can see which GPOs are currently applied to the computer. - -## - - -**To see which GPOs are applied to a computer** - -- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command: - - ``` syntax - gpresult /r /scope:computer - ``` - -  - -  - - - - - diff --git a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md new file mode 100644 index 0000000000..fc07133c99 --- /dev/null +++ b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md @@ -0,0 +1,83 @@ +--- +title: Add Production Devices to the Membership Group for a Zone (Windows 10) +description: Add Production Devices to the Membership Group for a Zone +ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Add Production Devices to the Membership Group for a Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + + +After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. + +**Caution**   +For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode. + +  + +The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md). + +Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO. + +In this topic: + +- [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group) + +- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device) + +- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device) + +## To add domain devices to the GPO membership group + +1. Open Active Directory Users and Computers. + +2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group. + +3. In the details pane, double-click the GPO membership group to which you want to add computers. + +4. Select the **Members** tab, and then click **Add**. + +5. Type **Domain Computers** in the text box, and then click **OK**. + +6. Click **OK** to close the group properties dialog box. + +After a computer is a member of the group, you can force a Group Policy refresh on the computer. + +## To refresh Group Policy on a device + +From an elevated command prompt, type the following: + +``` syntax +gpupdate /target:computer /force +``` + +After Group Policy is refreshed, you can see which GPOs are currently applied to the computer. + +## To see which GPOs are applied to a device + +From an elevated command prompt, type the following: + +``` syntax +gpresult /r /scope:computer +``` + +  + +  + + + + + diff --git a/windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md deleted file mode 100644 index c14ecf58eb..0000000000 --- a/windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md +++ /dev/null @@ -1,79 +0,0 @@ ---- -title: Add Test Computers to the Membership Group for a Zone (Windows 10) -description: Add Test Computers to the Membership Group for a Zone -ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 -author: brianlic-msft ---- - -# Add Test Computers to the Membership Group for a Zone - - -Before you deploy your rules to large numbers of computers, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between computers. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of computers only to be sure that the correct GPOs are being processed by each computer. - -Add at least one computer of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a computer among the test group. After Group Policy has been refreshed on each test computer, check the output of the **gpresult** command to confirm that each computer is receiving only the GPOs it is supposed to receive. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO. - -In this topic: - -- [Add the test computers to the GPO membership groups](#bkmk-toadddomaincomputerstothegpomembershipgroup) - -- [Refresh Group Policy on the computers in each membership group](#bkmk-torefreshgrouppolicyonacomputer) - -- [Check which GPOs apply to a computer](#bkmk-toseewhatgposareappliedtoacomputer) - -## - - -**To add test computers to the GPO membership groups** - -1. On a computer that has the Active Directory management tools installed, click the **Start** charm, then click the **Active Directory Users and Computers** tile. - -2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account. - -3. In the details pane, double-click the GPO membership group to which you want to add computers. - -4. Select the **Members** tab, and then click **Add**. - -5. Type the name of the computer in the text box, and then click **OK**. - -6. Repeat steps 5 and 6 for each additional computer account or group that you want to add. - -7. Click **OK** to close the group properties dialog box. - -After a computer is a member of the group, you can force a Group Policy refresh on the computer. - -## - - -**To refresh Group Policy on a computer** - -- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command: - - ``` syntax - gpupdate /target:computer /force - ``` - -After Group Policy is refreshed, you can see which GPOs are currently applied to the computer. - -## - - -**To see which GPOs are applied to a computer** - -- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command: - - ``` syntax - gpresult /r /scope:computer - ``` - -  - -  - - - - - diff --git a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md new file mode 100644 index 0000000000..f5f2edf9d6 --- /dev/null +++ b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md @@ -0,0 +1,77 @@ +--- +title: Add Test Devices to the Membership Group for a Zone (Windows 10) +description: Add Test Devices to the Membership Group for a Zone +ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Add Test Devices to the Membership Group for a Zone + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device. + +Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it is supposed to receive. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO. + +In this topic: + +- [Add the test devices to the GPO membership groups](#to-add-domain-devices-to-the-gpo-membership-group) + +- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device) + +- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device) + +## To add test devices to the GPO membership groups + +1. Open Active Directory Users and Computers. + +2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account. + +3. In the details pane, double-click the GPO membership group to which you want to add devices. + +4. Select the **Members** tab, and then click **Add**. + +5. Type the name of the device in the text box, and then click **OK**. + +6. Repeat steps 5 and 6 for each additional device account or group that you want to add. + +7. Click **OK** to close the group properties dialog box. + +After a device is a member of the group, you can force a Group Policy refresh on the device. + +## To refresh Group Policy on a device + +From a elevated command prompt, run the following: + +``` syntax +gpupdate /target:device /force +``` + +After Group Policy is refreshed, you can see which GPOs are currently applied to the device. + +## To see which GPOs are applied to a device + +From an elevated command prompt, run the following: + +``` syntax +gpresult /r /scope:computer +``` + +  + +  + + + + + diff --git a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md index 642d680da8..f6dcdfddf4 100644 --- a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md +++ b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md @@ -2,16 +2,22 @@ title: Assign Security Group Filters to the GPO (Windows 10) description: Assign Security Group Filters to the GPO ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Assign Security Group Filters to the GPO +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. -**Important**   -This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones. +>**Important:**  This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.   @@ -21,40 +27,31 @@ To complete these procedures, you must be a member of the Domain Administrators In this topic: -- [Allow members of a group to apply a GPO](#bkmk-toallowamembersofagrouptoapplyagpo) +- [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo) -- [Prevent members of a group from applying a GPO](#bkmk-topreventmembersofgroupfromapplyingagpo) - -## +- [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo) +## To allow members of a group to apply a GPO Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO. -**To allow members of a group to apply a GPO** - -1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. +1. Open the Group Policy Management console. 2. In the navigation pane, find and then click the GPO that you want to modify. 3. In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**. - **Note**   - You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. - -   + >**Note:**  You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. 4. Click **Add**. 5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. -## - +## To prevent members of a group from applying a GPO Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain. -**To prevent members of group from applying a GPO** - -1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. +1. Open the Group Policy Management console. 2. In the navigation pane, find and then click the GPO that you want to modify. @@ -71,14 +68,3 @@ Use the following procedure to add a group to the security filter on the GPO tha 8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**. 9. The group appears in the list with **Custom** permissions. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/change-rules-from-request-to-require-mode.md b/windows/keep-secure/change-rules-from-request-to-require-mode.md index 36c2306bb2..156957d053 100644 --- a/windows/keep-secure/change-rules-from-request-to-require-mode.md +++ b/windows/keep-secure/change-rules-from-request-to-require-mode.md @@ -2,13 +2,20 @@ title: Change Rules from Request to Require Mode (Windows 10) description: Change Rules from Request to Require Mode ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Change Rules from Request to Require Mode +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that computers in the boundary zone can continue to accept connections from computers that are not part of the isolated domain. +After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain. **Administrative credentials** @@ -16,16 +23,11 @@ To complete these procedures, you must be a member of the Domain Administrators In this topic: -- [Convert a rule in a GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](#bkmk-section1) +- [Convert a rule from request to require mode](#to-convert-a-rule-from-request-to-require-mode) -- [Convert a rule for an earlier version of Windows](#bkmk-section2) +- [Apply the modified GPOs to the client devices](#to-apply-the-modified-gpos-to-the-client-devices) -- [Refresh policy on the client computers to receive the modified GPOs](#bkmk-section3) - -## - - -**To convert a rule from request to require mode for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** +## To convert a rule from request to require mode 1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). @@ -37,32 +39,18 @@ In this topic: 5. In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK**. -## +## To apply the modified GPOs to the client devices - -**To apply the modified GPOs to the client computers** - -1. The next time each computer refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md) and run the following command: +1. The next time each device refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, run the following command from an elevated command prompt: ``` syntax gpupdate /force ``` -2. To verify that the modified GPO is correctly applied to the client computers, you can run one of the following commands: - - On computers that are running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, run the following command: +2. To verify that the modified GPO is correctly applied to the client devices, you can run the following command: ``` syntax gpresult /r /scope computer ``` -3. Examine the command output for the list of GPOs that are applied to the computer, and make sure that the list contains the GPOs you expect to see on that computer. - -  - -  - - - - - +3. Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device. diff --git a/windows/keep-secure/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/configure-authentication-methods.md similarity index 70% rename from windows/keep-secure/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md rename to windows/keep-secure/configure-authentication-methods.md index 6569e0cab2..c637681093 100644 --- a/windows/keep-secure/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ b/windows/keep-secure/configure-authentication-methods.md @@ -1,19 +1,24 @@ --- -title: Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) -description: Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +title: Configure Authentication Methods (Windows 10) +description: Configure Authentication Methods ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security + author: brianlic-msft --- -# Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +# Configure Authentication Methods +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. -**Note**   -If you follow the steps in the procedure in this topic, you alter the system-wide default settings. Any connection security rule can use these settings by specifying **Default** on the **Authentication** tab. - -  +>**Note:**  If you follow the steps in the procedure in this topic, you alter the system-wide default settings. Any connection security rule can use these settings by specifying **Default** on the **Authentication** tab. **Administrative credentials** @@ -31,11 +36,11 @@ To complete these procedures, you must be a member of the Domain Administrators 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Firewall with Advanced Security or by Group Policy as the default. - 2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials. This authentication method works only with other computers that can use Authenticated IP (AuthIP), including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + 2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials. 3. **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. - 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. 5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. @@ -45,7 +50,7 @@ To complete these procedures, you must be a member of the Domain Administrators - **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. - - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used. @@ -55,9 +60,9 @@ To complete these procedures, you must be a member of the Domain Administrators The second authentication method can be one of the following: - - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. - - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups. @@ -65,20 +70,6 @@ To complete these procedures, you must be a member of the Domain Administrators If you select **Second authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. - **Important**   - Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. - -   + >**Important:**  Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. 5. Click **OK** on each dialog box to save your changes and return to the Group Policy Management Editor. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/configure-data-protection-quick-mode-settings.md similarity index 88% rename from windows/keep-secure/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md rename to windows/keep-secure/configure-data-protection-quick-mode-settings.md index 41a78a8639..1b0e5489ab 100644 --- a/windows/keep-secure/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ b/windows/keep-secure/configure-data-protection-quick-mode-settings.md @@ -1,12 +1,19 @@ --- -title: Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) -description: Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +title: Configure Data Protection (Quick Mode) Settings (Windows 10) +description: Configure Data Protection (Quick Mode) Settings ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +# Configure Data Protection (Quick Mode) Settings +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. @@ -53,14 +60,3 @@ To complete these procedures, you must be a member of the Domain Administrators 6. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operations between the two computers that negotiated this key will require a new key. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent rekeying. We recommend that you use the default value unless your risk analysis indicates the need for a different value. 8. Click **OK** three times to save your settings. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md index dca884a135..a3687db1b5 100644 --- a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -2,11 +2,18 @@ title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10) description: Configure Group Policy to Autoenroll and Deploy Certificates ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Configure Group Policy to Autoenroll and Deploy Certificates +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. @@ -16,7 +23,7 @@ To complete these procedures, you must be a member of both the Domain Admins gro **To configure Group Policy to autoenroll certificates** -1. On a computer that has the Group Policy Management feature installed, click **Start**, click **Administrative Tools**, and then click **Group Policy Management**. +1. Open the Group Policy Management console. 2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. @@ -29,14 +36,3 @@ To complete these procedures, you must be a member of both the Domain Admins gro 6. Select both **Renew expired certificates, update pending certificates, and remove revoked certificates** and **Update certificates that use certificate templates**. 7. Click **OK** to save your changes. Computers apply the GPO and download the certificate the next time Group Policy is refreshed. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/configure-key-exchange-main-mode-settings.md similarity index 57% rename from windows/keep-secure/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md rename to windows/keep-secure/configure-key-exchange-main-mode-settings.md index dfb5e88e6c..097d29b877 100644 --- a/windows/keep-secure/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ b/windows/keep-secure/configure-key-exchange-main-mode-settings.md @@ -1,12 +1,19 @@ --- -title: Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) -description: Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +title: Configure Key Exchange (Main Mode) Settings (Windows 10) +description: Configure Key Exchange (Main Mode) Settings ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +# Configure Key Exchange (Main Mode) Settings +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. @@ -24,56 +31,32 @@ To complete these procedures, you must be a member of the Domain Administrators 4. In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**. -5. Select the security methods to be used to help protect the main mode negotiations between the two computers. If the security methods displayed in the list are not what you want, then do the following: +5. Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list are not what you want, then do the following: **Important**   - In Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another computer running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both computers. + In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices. - Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. Make sure that all of your computers that run Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 have the same methods at the top of the list and the same key exchange algorithm selected. - -   + Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. Make sure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected. **Note**   When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This happens no matter which Diffie-Hellman key exchange protocol you select. -   - 1. Remove any of the security methods that you do not want by selecting the method and then clicking **Remove**. 2. Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**. - **Caution**   - We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only. - -   + >**Caution:**  We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only. 3. After the list contains only the combinations you want, use the up and down arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on. 6. From the list on the right, select the key exchange algorithm that you want to use. - **Caution**   - We recommend that you do not use Diffie-Hellman Group 1. It is included for backward compatibility only. + >**Caution:**  We recommend that you do not use Diffie-Hellman Group 1. It is included for backward compatibility only.  -   +7. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operation between the two devices requires a new key. -7. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operation between the two computers requires a new key. - - **Note**   - You need to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance. - -   + >**Note:**  You need to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance. 8. In **Key lifetime (in sessions)**, type the number of sessions. After the specified number of quick mode sessions have been created within the security association protected by this key, IPsec requires a new key. 9. Click **OK** three times to save your settings. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/configure-the-rules-to-require-encryption.md similarity index 56% rename from windows/keep-secure/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md rename to windows/keep-secure/configure-the-rules-to-require-encryption.md index 2ffedaee22..cdc97d2167 100644 --- a/windows/keep-secure/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ b/windows/keep-secure/configure-the-rules-to-require-encryption.md @@ -1,12 +1,15 @@ --- -title: Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) -description: Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +title: Configure the Rules to Require Encryption (Windows 10) +description: Configure the Rules to Require Encryption ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 - +# Configure the Rules to Require Encryption If you are creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that do not use encryption. @@ -34,28 +37,17 @@ To complete this procedure, you must be a member of the Domain Administrators gr 9. Click **Require encryption for all connection security rules that use these settings**. - This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client computers will use to connect to members of the encryption zone. The client computers receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client computers in that zone will not be able to connect to computers in this zone. + This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone will not be able to connect to devices in this zone. -10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md). +10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md). **Note**   - Not all of the algorithms available in Windows 8 or Windows Server 2012 can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. + Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell. - For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) + For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) -   - -11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating computers select the most secure combination that they can jointly support. +11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support. 12. Click **OK** three times to save your changes. - -  - -  - - - - - diff --git a/windows/keep-secure/configure-the-windows-firewall-log.md b/windows/keep-secure/configure-the-windows-firewall-log.md index cb025368ae..0784a64b85 100644 --- a/windows/keep-secure/configure-the-windows-firewall-log.md +++ b/windows/keep-secure/configure-the-windows-firewall-log.md @@ -2,11 +2,19 @@ title: Configure the Windows Firewall Log (Windows 10) description: Configure the Windows Firewall Log ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security + author: brianlic-msft --- # Configure the Windows Firewall Log +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. @@ -16,12 +24,9 @@ To complete these procedures, you must be a member of the Domain Administrators In this topic: -[To configure Windows Firewall logging for Windows Vista or Windows Server 2008](#bkmk-toenablewindowsfirewallandconfigurethedefaultbehavior) +- [To configure the Windows Firewall log](#to-configure-the-windows-firewall-log) -## - - -**To configure Windows Firewall logging for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** +## To configure the Windows Firewall log 1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). @@ -35,10 +40,7 @@ In this topic: 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. - **Important**   - The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file. - -   + >**Important:**  The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file. 4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. @@ -49,12 +51,3 @@ In this topic: - To create a log entry when Windows Firewall allows an inbound connection, change **Log successful connections** to **Yes**. 6. Click **OK** twice. - -  - -  - - - - - diff --git a/windows/keep-secure/configure-the-workstation-authentication-certificate-templatewfas-dep.md b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md similarity index 74% rename from windows/keep-secure/configure-the-workstation-authentication-certificate-templatewfas-dep.md rename to windows/keep-secure/configure-the-workstation-authentication-certificate-template.md index ebe06760bb..89b5eb68e9 100644 --- a/windows/keep-secure/configure-the-workstation-authentication-certificate-templatewfas-dep.md +++ b/windows/keep-secure/configure-the-workstation-authentication-certificate-template.md @@ -2,21 +2,28 @@ title: Configure the Workstation Authentication Certificate Template (Windows 10) description: Configure the Workstation Authentication Certificate Template ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Configure the Workstation Authentication Certificate Template +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for computer certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. +This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. **Administrative credentials** +## To configure the workstation authentication certificate template and autoenrollment To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group. -**To configure the workstation authentication certificate template and autoenrollment** -1. On the computer where AD CS is installed, click the **Start** charm, and then click **Certification Authority**. +1. On the device where AD CS is installed, open the Certification Authority console. 2. In the navigation pane, right-click **Certificate Templates**, and then click **Manage**. @@ -32,22 +39,10 @@ To complete these procedures, you must be a member of both the Domain Admins gro 8. Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**. - **Note**   - If you want do not want to deploy the certificate to every computer in the domain, then specify a different group or groups that contain the computer accounts that you want to receive the certificate. - -   + >**Note:**  If you want do not want to deploy the certificate to every device in the domain, then specify a different group or groups that contain the device accounts that you want to receive the certificate. 9. Close the Certificate Templates Console. 10. In the Certification Authority MMC snap-in, in the left pane, right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. 11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you just configured, and then click **OK**. - -  - -  - - - - - diff --git a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index b494eb1f78..b4990058e6 100644 --- a/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -2,33 +2,30 @@ title: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked (Windows 10) description: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Configure Windows Firewall to Suppress Notifications When a Program Is Blocked +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in. +To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console. -**Caution**   -If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail. +>**Caution:**  If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail. We recommend that you do not enable these settings until you have created and tested the required rules. -  - **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -In this topic: - -[To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](#bkmk-1) - -## - - -**To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2** +## To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules 1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). @@ -47,12 +44,3 @@ In this topic: 5. Although a connection security rule is not a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you are planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**. 6. Click **OK** twice. - -  - -  - - - - - diff --git a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md index efb2cee353..0423277e45 100644 --- a/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md @@ -2,15 +2,22 @@ title: Confirm That Certificates Are Deployed Correctly (Windows 10) description: Confirm That Certificates Are Deployed Correctly ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: securit author: brianlic-msft --- # Confirm That Certificates Are Deployed Correctly +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation computers. +After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices. -In these procedures, you refresh Group Policy on a client computer, and then confirm that the certificate is deployed correctly. +In these procedures, you refresh Group Policy on a client device, and then confirm that the certificate is deployed correctly. **Administrative credentials** @@ -18,39 +25,24 @@ To complete these procedures, you must be a member of the Domain Administrators In this topic: -- [Refresh Group Policy on a computer](#bkmk-torefreshgrouppolicyonacomputer) +- [Refresh Group Policy on a device](#to-refresh-group-policy-on-a-device) -- [Verify that a certificate is installed](#bkmk-toverifythatacertificateisinstalled) +- [Verify that a certificate is installed](#to-verify-that-a-certificate-is-installed) -## +## To refresh Group Policy on a device + From an elevated command prompt, run the following command: -**To refresh Group Policy on a computer** +``` syntax +gpupdate /target:computer /force +``` -- On a computer running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command: +After Group Policy is refreshed, you can see which GPOs are currently applied to the device. - ``` syntax - gpupdate /target:computer /force - ``` +## To verify that a certificate is installed -After Group Policy is refreshed, you can see which GPOs are currently applied to the computer. - -## - - -**To verify that a certificate is installed** - -1. Click the **Start** charm, type **certmgr.msc**, and then press ENTER. +1. Open the Cerificates console. 2. In the navigation pane, expand **Trusted Root Certification Authorities**, and then click **Certificates**. The CA that you created appears in the list. - -  - -  - - - - - diff --git a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md index 59ce12e2c1..694250fe3b 100644 --- a/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md @@ -2,13 +2,20 @@ title: Copy a GPO to Create a New GPO (Windows 10) description: Copy a GPO to Create a New GPO ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Copy a GPO to Create a New GPO +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -To create the GPO for the boundary zone computers, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and Computers MMC snap-in. +To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in. **Administrative credentials** @@ -16,7 +23,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr **To make a copy of a GPO** -1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click **Group Policy Management** tile. +1. Open the Group Policy Management console. 2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. @@ -32,7 +39,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr 8. Type the new name, and then press ENTER. -9. You must change the security filters to apply the policy to the correct group of computers. To do this, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**. +9. You must change the security filters to apply the policy to the correct group of devices. To do this, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**. 10. In the confirmation dialog box, click **OK**. @@ -40,15 +47,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr 12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. -13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client computers running Windows 8, and the new boundary zone GPO is for computers running Windows Server 2012, then select a WMI filter that allows only those computers to read and apply the GPO. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - +13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016 Technical Preview, then select a WMI filter that allows only those devices to read and apply the GPO. diff --git a/windows/keep-secure/create-a-group-account-in-active-directory.md b/windows/keep-secure/create-a-group-account-in-active-directory.md index d58c911d10..6aeb64d983 100644 --- a/windows/keep-secure/create-a-group-account-in-active-directory.md +++ b/windows/keep-secure/create-a-group-account-in-active-directory.md @@ -2,13 +2,20 @@ title: Create a Group Account in Active Directory (Windows 10) description: Create a Group Account in Active Directory ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Create a Group Account in Active Directory +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers MMC snap-in. +To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console. **Administrative credentials** @@ -16,7 +23,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr **To add a new membership group in Active Directory** -1. On a computer that has Active Directory management tools installed, click the **Start** charm, and then click the **Active Directory Users and Computers** tile. +1. Open the Active Directory Users and Computers console. 2. In the navigation pane, select the container in which you want to store your group. This is typically the **Users** container under the domain. @@ -24,10 +31,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr 4. In the **Group name** text box, type the name for your new group. - **Note**   - Be sure to use a name that clearly indicates its purpose. Check to see if your organization has a naming convention for groups. - -   + >**Note:**  Be sure to use a name that clearly indicates its purpose. Check to see if your organization has a naming convention for groups. 5. In the **Description** text box, enter a description of the purpose of this group. @@ -36,12 +40,3 @@ To complete this procedure, you must be a member of the Domain Administrators gr 7. In the **Group type** section, click **Security**. 8. Click **OK** to save your group. - -  - -  - - - - - diff --git a/windows/keep-secure/create-a-group-policy-object.md b/windows/keep-secure/create-a-group-policy-object.md index c6c8df196b..42a0e5ae62 100644 --- a/windows/keep-secure/create-a-group-policy-object.md +++ b/windows/keep-secure/create-a-group-policy-object.md @@ -2,11 +2,18 @@ title: Create a Group Policy Object (Windows 10) description: Create a Group Policy Object ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Create a Group Policy Object +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview To create a new GPO, use the Active Directory Users and Computers MMC snap-in. @@ -14,9 +21,9 @@ To create a new GPO, use the Active Directory Users and Computers MMC snap-in. To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs. -**To create a new GPO** +To create a new GPO -1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. +1. Open the Group Policy Management console. 2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. @@ -24,10 +31,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr 4. In the **Name** text box, type the name for your new GPO. - **Note**   - Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs. - -   + >**Note:**  Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs. 5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**. @@ -38,14 +42,3 @@ To complete this procedure, you must be a member of the Domain Administrators gr 2. In the details pane, click the **Details** tab. 3. Change the **GPO Status** to **User configuration settings disabled**. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/create-an-authentication-exemption-list-rule.md similarity index 50% rename from windows/keep-secure/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md rename to windows/keep-secure/create-an-authentication-exemption-list-rule.md index 2f1df0c3a9..b0a4ec1118 100644 --- a/windows/keep-secure/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ b/windows/keep-secure/create-an-authentication-exemption-list-rule.md @@ -1,17 +1,24 @@ --- -title: Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) -description: Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +title: Create an Authentication Exemption List Rule (Windows 10) +description: Create an Authentication Exemption List Rule ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 +# Create an Authentication Exemption List Rule +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -In almost any isolated server or isolated domain scenario, there are some computers or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those computers from the authentication requirements of your isolation policies. +In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. **Important**   -Adding computers to the exemption list for a zone reduces security because it permits computers in the zone to send network traffic that is unprotected by IPsec to the computers on the list. As discussed in the Windows Firewall with Advanced Security Design Guide, you must add only managed and trusted computers to the exemption list. +Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list.   @@ -37,16 +44,13 @@ To complete these procedures, you must be a member of the Domain Administrators - To add an entire subnet by address, click **This IP address or subnet**, and then type the IP address of the subnet, followed by a forward slash (/) and the number of bits in the corresponding subnet mask. For example, **10.50.0.0/16** represents the class B subnet that begins with address 10.50.0.1, and ends with address **10.50.255.254**. Click **OK** when you are finished. - - To add the local computer’s subnet, click **Predefined set of computers**, select **Local subnet** from the list, and then click **OK**. - - **Note**   - If you select the local subnet from the list rather than typing the subnet address in manually, the computer automatically adjusts the active local subnet to match the computer’s current IP address. - -   + - To add the local device’s subnet, click **Predefined set of computers**, select **Local subnet** from the list, and then click **OK**. + >**Note:**  If you select the local subnet from the list rather than typing the subnet address in manually, the device automatically adjusts the active local subnet to match the device’s current IP address. + - To add a discrete range of addresses that do not correspond to a subnet, click **This IP address range**, type the beginning and ending IP addresses in the **From** and **To** text boxes, and then click **OK**. - - To exempt all of the remote hosts that the local computer uses for a specified network service, click **Predefined set of computers**, select the network service from the list, and then click **OK**. + - To exempt all of the remote hosts that the local device uses for a specified network service, click **Predefined set of computers**, select the network service from the list, and then click **OK**. 7. Repeat steps 5 and 6 for each exemption that you need to create. @@ -54,20 +58,6 @@ To complete these procedures, you must be a member of the Domain Administrators 9. On the **Profile** page, check the profile for each network location type to which this set of exemptions applies, and then click **Next**. - **Caution**   - If all of the exemptions are on the organization’s network and that network is managed by an Active Directory domain, then consider restricting the rule to the Domain profile only. Selecting the wrong profile can reduce the protection for your computer because any computer with an IP address that matches an exemption rule will not be required to authenticate. - -   + >**Caution:**  If all of the exemptions are on the organization’s network and that network is managed by an Active Directory domain, then consider restricting the rule to the Domain profile only. Selecting the wrong profile can reduce the protection for your computer because any computer with an IP address that matches an exemption rule will not be required to authenticate. 10. On the **Name** page, type the name of the exemption rule, type a description, and then click **Finish**. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md deleted file mode 100644 index f2168bbc7d..0000000000 --- a/windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -title: Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) -description: Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 -ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359 -author: brianlic-msft ---- - -# Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 - - -After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the computers on the network to use those protocols and methods before they can communicate. - -**Administrative credentials** - -To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -**To create the authentication request rule** - -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**. - -3. On the **Rule Type** page, select **Isolation**, and then click **Next**. - -4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**. - - **Caution**   - Do not configure the rule to require inbound authentication until you have confirmed that all of your computers are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the computers to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network. - -   - -5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP), which is supported only on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. - - 1. **Default**. Selecting this option tells the computer to request authentication by using the method currently defined as the default on the computer. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) procedure. - - 2. **Computer and User (Kerberos V5)**. Selecting this option tells the computer to request authentication of both the computer and the currently logged-on user by using their domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. - - 3. **Computer (Kerberos V5)**. Selecting this option tells the computer to request authentication of the computer by using its domain credentials. This option works with other computers than can use IKE v1, including earlier versions of Windows. - - 4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. - - The **First authentication method** can be one of the following: - - - **Computer (Kerberos V5)**. Selecting this option tells the computer to request authentication of the computer by using its domain credentials. This option works with other computers than can use IKE v1, including earlier versions of Windows. - - - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. - - - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. - - - **Preshared key (not recommended)**. Selecting this method and entering a pre-shared key tells the computer to authenticate by exchanging the pre-shared keys. If the keys match, then the authentication succeeds. This method is not recommended, and is included for backward compatibility and testing purposes only. - - If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. - - The **Second authentication method** can be one of the following: - - - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1. - - - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using NTLMv2 is not supported by IKE v1. - - - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to request user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups. - - - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. - - If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails. - - **Important**   - Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. - -   - -6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**. - -7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies. - - - On portable computers, consider clearing the **Private** and **Public** boxes to enable the computer to communicate without authentication when it is away from the domain network. - - - On computers that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule. - - Click **Next**. - -8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**. - - The new rule appears in the list of connection security rules. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/create-an-authentication-request-rule.md b/windows/keep-secure/create-an-authentication-request-rule.md new file mode 100644 index 0000000000..1c947f68f9 --- /dev/null +++ b/windows/keep-secure/create-an-authentication-request-rule.md @@ -0,0 +1,84 @@ +--- +title: Create an Authentication Request Rule (Windows 10) +description: Create an Authentication Request Rule +ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Authentication Request Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To create the authentication request rule + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**. + +3. On the **Rule Type** page, select **Isolation**, and then click **Next**. + +4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**. + + >**Caution:**  Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network. + +5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP). + + 1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure. + + 2. **Computer and User (Kerberos V5)**. Selecting this option tells the device to request authentication of both the device and the currently logged-on user by using their domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + 3. **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows. + + 4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. + + The **First authentication method** can be one of the following: + + - **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows. + + - **Computer (NTLMv2)**. Selecting this option tells the device to use and require authentication of the device by using its domain credentials. This option works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. + + - **Preshared key (not recommended)**. Selecting this method and entering a pre-shared key tells the device to authenticate by exchanging the pre-shared keys. If the keys match, then the authentication succeeds. This method is not recommended, and is included for backward compatibility and testing purposes only. + + If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + + The **Second authentication method** can be one of the following: + + - **User (Kerberos V5)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + + - **User (NTLMv2)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other devices that can use AuthIP. User-based authentication using NTLMv2 is not supported by IKE v1. + + - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups. + + - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. + + If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails. + + >**Important:**  Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. + +6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**. + +7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies. + + - On portable devices, consider clearing the **Private** and **Public** boxes to enable the device to communicate without authentication when it is away from the domain network. + + - On devices that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule. + + Click **Next**. + +8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**. + + The new rule appears in the list of connection security rules. diff --git a/windows/keep-secure/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-inbound-icmp-rule.md similarity index 59% rename from windows/keep-secure/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md rename to windows/keep-secure/create-an-inbound-icmp-rule.md index edbbf0d6e5..f76bba3007 100644 --- a/windows/keep-secure/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/create-an-inbound-icmp-rule.md @@ -1,12 +1,19 @@ --- -title: Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10) -description: Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +title: Create an Inbound ICMP Rule (Windows 10) +description: Create an Inbound ICMP Rule ms.assetid: 267b940a-79d9-4322-b53b-81901e357344 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +# Create an Inbound ICMP Rule +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. @@ -16,11 +23,11 @@ To complete these procedures, you must be a member of the Domain Administrators This topic describes how to create a port rule that allows inbound ICMP network traffic. For other inbound port rule types, see: -- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create an Inbound Port Rule](create-an-inbound-port-rule.md) -- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) -**To create an inbound ICMP rule** +To create an inbound ICMP rule 1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). @@ -52,20 +59,4 @@ This topic describes how to create a port rule that allows inbound ICMP network 12. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - **Note**   - If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. - -   - 13. On the **Name** page, type a name and description for your rule, and then click **Finish**. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md deleted file mode 100644 index 49f4b7d7ba..0000000000 --- a/windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ /dev/null @@ -1,75 +0,0 @@ ---- -title: Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10) -description: Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 -ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f -author: brianlic-msft ---- - -# Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 - - -To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see: - -- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) - -- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) - -**To create an inbound port rule** - -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, click **Inbound Rules**. - -3. Click **Action**, and then click **New rule**. - -4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. - - **Note**   - Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. - -   - -5. On the **Program** page, click **All programs**, and then click **Next**. - - **Note**   - This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria. - -   - -6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number. - - If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall. - - To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. - - When you have configured the protocols and ports, click **Next**. - -7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. - -8. On the **Action** page, select **Allow the connection**, and then click **Next**. - -9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - - **Note**   - If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. - -   - -10. On the **Name** page, type a name and description for your rule, and then click **Finish**. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/create-an-inbound-port-rule.md b/windows/keep-secure/create-an-inbound-port-rule.md new file mode 100644 index 0000000000..e2a911293f --- /dev/null +++ b/windows/keep-secure/create-an-inbound-port-rule.md @@ -0,0 +1,62 @@ +--- +title: Create an Inbound Port Rule (Windows 10) +description: Create an Inbound Port Rule +ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Create an Inbound Port Rule + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see: + +- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) + +- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) + +**To create an inbound port rule** + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. + + >**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + +5. On the **Program** page, click **All programs**, and then click **Next**. + + >**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria. + +6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number. + + If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall. + + To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. + + When you have configured the protocols and ports, click **Next**. + +7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. + +8. On the **Action** page, select **Allow the connection**, and then click **Next**. + +9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. + + >**Note:**  If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + +10. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/keep-secure/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-inbound-program-or-service-rule.md similarity index 57% rename from windows/keep-secure/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md rename to windows/keep-secure/create-an-inbound-program-or-service-rule.md index 83fa805eef..51524c047d 100644 --- a/windows/keep-secure/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/create-an-inbound-program-or-service-rule.md @@ -1,25 +1,29 @@ --- -title: Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10) -description: Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +title: Create an Inbound Program or Service Rule (Windows 10) +description: Create an Inbound Program or Service Rule ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +# Create an Inbound Program or Service Rule +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. -**Note**   -This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure. - -  +>**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure. **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -**To create an inbound firewall rule for a program or service** +To create an inbound firewall rule for a program or service 1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). @@ -29,10 +33,7 @@ To complete these procedures, you must be a member of the Domain Administrators 4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. - **Note**   - Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. - -   + >**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. 5. On the **Program** page, click **This program path**. @@ -57,11 +58,9 @@ To complete these procedures, you must be a member of the Domain Administrators **sc** **sidtype** *<Type> <ServiceName>* - In the preceding command, the value of *<Type>* can be **UNRESTRICTED** or **RESTRICTED**. Although the command also permits the value of **NONE**, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as **UNRESTRICTED**. If you change the SID type to **RESTRICTED**, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to **UNRESTRICTED**. For more information, see [Vista Services](http://go.microsoft.com/fwlink/?linkid=141454) (http://go.microsoft.com/fwlink/?linkid=141454) and the “Service Security Improvements” section of [Inside the Windows Vista Kernel](http://go.microsoft.com/fwlink/?linkid=141455) (http://go.microsoft.com/fwlink/?linkid=141455). + In the preceding command, the value of *<Type>* can be **UNRESTRICTED** or **RESTRICTED**. Although the command also permits the value of **NONE**, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as **UNRESTRICTED**. If you change the SID type to **RESTRICTED**, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to **UNRESTRICTED**. -   - -8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). After you have configured the protocol and port options, click **Next**. +8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](create-an-inbound-port-rule.md). After you have configured the protocol and port options, click **Next**. 9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. @@ -69,20 +68,4 @@ To complete these procedures, you must be a member of the Domain Administrators 11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - **Note**   - If this GPO is targeted at server computers running Windows Server 2008 that never move, consider applying the rule to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. - -   - 12. On the **Name** page, type a name and description for your rule, and then click **Finish**. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-outbound-port-rule.md similarity index 58% rename from windows/keep-secure/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md rename to windows/keep-secure/create-an-outbound-port-rule.md index d91a6e972b..98c85d581c 100644 --- a/windows/keep-secure/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/create-an-outbound-port-rule.md @@ -1,20 +1,27 @@ --- -title: Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 (Windows 10) -description: Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 +title: Create an Outbound Port Rule (Windows 10) +description: Create an Outbound Port Rule ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 +# Create an Outbound Port Rule +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. +By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -**To create an outbound port rule** +To create an outbound port rule 1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). @@ -24,10 +31,7 @@ To complete these procedures, you must be a member of the Domain Administrators 4. On the **Rule Type** page of the New Outbound Rule wizard, click **Custom**, and then click **Next**. - **Note**   - Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. - -   + >**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. 5. On the **Program** page, click **All programs**, and then click **Next**. @@ -45,20 +49,4 @@ To complete these procedures, you must be a member of the Domain Administrators 9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - **Note**   - If this GPO is targeted at server computers running Windows Server 2008 that never move, consider applying the rules to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. - -   - 10. On the **Name** page, type a name and description for your rule, and then click **Finish**. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-an-outbound-program-or-service-rule.md similarity index 60% rename from windows/keep-secure/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md rename to windows/keep-secure/create-an-outbound-program-or-service-rule.md index 8552952fbd..342e863ffd 100644 --- a/windows/keep-secure/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/create-an-outbound-program-or-service-rule.md @@ -1,20 +1,27 @@ --- -title: Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 (Windows 10) -description: Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 +title: Create an Outbound Program or Service Rule (Windows 10) +description: Create an Outbound Program or Service Rule ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 +# Create an Outbound Program or Service Rule +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. +By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -**To create an outbound firewall rule for a program or service** +To create an outbound firewall rule for a program or service 1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). @@ -24,10 +31,7 @@ To complete these procedures, you must be a member of the Domain Administrators 4. On the **Rule Type** page of the New Outbound Rule Wizard, click **Custom**, and then click **Next**. - **Note**   - Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. - -   + >**Note:**  Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. 5. On the **Program** page, click **This program path**. @@ -41,7 +45,7 @@ To complete these procedures, you must be a member of the Domain Administrators - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then click **Apply to service with this service short name**, and type the short name for the service in the text box. Click **OK**, and then click **Next**. -8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). When you have configured the protocol and port options, click **Next**. +8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](create-an-outbound-port-rule.md). When you have configured the protocol and port options, click **Next**. 9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. @@ -49,20 +53,4 @@ To complete these procedures, you must be a member of the Domain Administrators 11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - **Note**   - If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. - -   - 12. On the **Name** page, type a name and description for your rule, and then click **Finish**. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/create-inbound-rules-to-support-rpc.md similarity index 51% rename from windows/keep-secure/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md rename to windows/keep-secure/create-inbound-rules-to-support-rpc.md index 1c41bd67ec..0ba04d529e 100644 --- a/windows/keep-secure/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/create-inbound-rules-to-support-rpc.md @@ -1,14 +1,21 @@ --- -title: Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10) -description: Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +title: Create Inbound Rules to Support RPC (Windows 10) +description: Create Inbound Rules to Support RPC ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +# Create Inbound Rules to Support RPC +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your computer by allowing network traffic only from computers that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. +To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. **Administrative credentials** @@ -16,20 +23,17 @@ To complete these procedures, you must be a member of the Domain Administrators This topic describes how to create rules that allow inbound RPC network traffic. For other inbound port rule types, see: -- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create an Inbound Port Rule](create-an-inbound-port-rule.md) -- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) In this topic: -- [To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service](#bkmk-proc1) +- [To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service](#to-create-a-rule-to-allow-inbound-network-traffic-to-the-rpc-endpoint-mapper-service) -- [To create a rule to allow inbound network traffic to RPC-enabled network services](#bkmk-proc2) +- [To create a rule to allow inbound network traffic to RPC-enabled network services](#to-create-a-rule-to-allow-inbound-network-traffic-to-rpc-enabled-network-services) -## - - -**To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service** +## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service 1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). @@ -55,19 +59,12 @@ In this topic: 12. On the **Action** page, select **Allow the connection**, and then click **Next**. -13. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - - **Note**   - If this GPO is targeted at server computers running Windows Server 2008 that never move, consider applying the rules to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. - -   +13. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.   14. On the **Name** page, type a name and description for your rule, and then click **Finish**. -## - -**To create a rule to allow inbound network traffic to RPC-enabled network services** +## To create a rule to allow inbound network traffic to RPC-enabled network services 1. On the same GPO you edited in the preceding procedure, click **Action**, and then click **New rule**. @@ -89,20 +86,4 @@ In this topic: 10. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - **Note**   - If this GPO is targeted at server computers running Windows Server 2008 that never move, consider applying the rules to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. - -   - 11. On the **Name** page, type a name and description for your rule, and then click **Finish**. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/create-wmi-filters-for-the-gpo.md b/windows/keep-secure/create-wmi-filters-for-the-gpo.md index adf0d2f7be..f4b066d3e1 100644 --- a/windows/keep-secure/create-wmi-filters-for-the-gpo.md +++ b/windows/keep-secure/create-wmi-filters-for-the-gpo.md @@ -2,17 +2,24 @@ title: Create WMI Filters for the GPO (Windows 10) description: Create WMI Filters for the GPO ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Create WMI Filters for the GPO +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -To make sure that each GPO associated with a group can only be applied to computers running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each computer. +To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. -- [To create a WMI filter that queries for a specified version of Windows](#bkmk-1) +- [To create a WMI filter that queries for a specified version of Windows](#to-create-a-wmi-filter-that-queries-for-a-specified-version-of-windows) -- [To link a WMI filter to a GPO](#bkmk-2) +- [To link a WMI filter to a GPO](#to-link-a-wmi-filter-to-a-gpo) **Administrative credentials** @@ -20,12 +27,9 @@ To complete these procedures, you must be a member of the Domain Administrators First, create the WMI filter and configure it to look for a specified version (or versions) of the Windows operating system. -## +## To create a WMI filter that queries for a specified version of Windows - -**To create a WMI filter that queries for a specified version of Windows** - -1. On a computer that has the Group Policy Management feature installed, click **Start**, click **Administrative Tools**, and then click **Group Policy Management**. +1. Open the Group Policy Management console. 2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **WMI Filters**. @@ -33,10 +37,7 @@ First, create the WMI filter and configure it to look for a specified version (o 4. In the **Name** text box, type the name of the WMI filter. - **Note**   - Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention. - -   + >**Note:**  Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention. 5. In the **Description** text box, type a description for the WMI filter. For example, if the filter excludes domain controllers, you might consider stating that in the description. @@ -50,27 +51,27 @@ First, create the WMI filter and configure it to look for a specified version (o select * from Win32_OperatingSystem where Version like "6.%" ``` - This query will return **true** for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. To set a filter for just Windows 8 and Windows Server 2012, use `"6.2%"`. To specify multiple versions, combine them with `or`, as shown in the following: + This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". To specify multiple versions, combine them with or, as shown in the following: ``` syntax ... where Version like "6.1%" or Version like "6.2%" ``` - To restrict the query to only clients or only servers, add a clause that includes the `ProductType` parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only `ProductType="1"`. For server operating systems that are not domain controllers, use `ProductType="3"`. For domain controllers only, use `ProductType="2"`. This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. + To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. - The following clause returns **true** for all computers that are not domain controllers: + The following clause returns **true** for all devices that are not domain controllers: ``` syntax ... where ProductType="1" or ProductType="3" ``` - The following complete query returns **true** for all computers running Windows 8, and returns **false** for any server operating system or any other client operating system. + The following complete query returns **true** for all devices running Windows 8, and returns **false** for any server operating system or any other client operating system. ``` syntax select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="1" ``` - The following query returns **true** for any computer running Windows Server 2012, except domain controllers: + The following query returns **true** for any device running Windows Server 2012, except domain controllers: ``` syntax select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="3" @@ -80,26 +81,14 @@ First, create the WMI filter and configure it to look for a specified version (o 10. Click **Save** to save your completed filter. -## - +## To link a WMI filter to a GPO After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs. -**To link a WMI filter to a GPO** - -1. On a computer that has the Group Policy Management feature installed, click **Start**, click **Administrative Tools**, and then click **Group Policy Management**. +1. Open theGroup Policy Management console. 2. In the navigation pane, find and then click the GPO that you want to modify. 3. Under **WMI Filtering**, select the correct WMI filter from the list. 4. Click **Yes** to accept the filter. - -  - -  - - - - - diff --git a/windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md deleted file mode 100644 index 7f8e8b4d05..0000000000 --- a/windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -title: Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10) -description: Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 -ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7 -author: brianlic-msft ---- - -# Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 - - -Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -**To deploy predefined firewall rules that allow inbound network traffic for common network functions** - -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. In the navigation pane, click **Inbound Rules**. - -3. Click **Action**, and then click **New rule**. - -4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. - -5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they are all selected. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**. - -6. On the **Action** page, select **Allow the connection**, and then click **Finish**. - - The selected rules are added to the GPO and applied to the computers to which the GPO is assigned the next time Group Policy is refreshed. - - **Note**   - If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. - -   - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/enable-predefined-inbound-rules.md b/windows/keep-secure/enable-predefined-inbound-rules.md new file mode 100644 index 0000000000..fe16701837 --- /dev/null +++ b/windows/keep-secure/enable-predefined-inbound-rules.md @@ -0,0 +1,36 @@ +--- +title: Enable Predefined Inbound Rules (Windows 10) +description: Enable Predefined Inbound Rules +ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Enable Predefined Inbound Rules + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. + +**Administrative credentials** + +To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To deploy predefined firewall rules that allow inbound network traffic for common network functions + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. In the navigation pane, click **Inbound Rules**. + +3. Click **Action**, and then click **New rule**. + +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. + +5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they are all selected. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**. + +6. On the **Action** page, select **Allow the connection**, and then click **Finish**. diff --git a/windows/keep-secure/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md b/windows/keep-secure/enable-predefined-outbound-rules.md similarity index 60% rename from windows/keep-secure/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md rename to windows/keep-secure/enable-predefined-outbound-rules.md index b37bf8b4c4..1691399b8a 100644 --- a/windows/keep-secure/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md +++ b/windows/keep-secure/enable-predefined-outbound-rules.md @@ -1,12 +1,19 @@ --- -title: Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10) -description: Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +title: Enable Predefined Outbound Rules (Windows 10) +description: Enable Predefined Outbound Rules ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- -# Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +# Enable Predefined Outbound Rules +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. @@ -14,7 +21,7 @@ By default, Windows Firewall with Advanced Security allows all outbound network To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -**To deploy predefined firewall rules that block outbound network traffic for common network functions** +To deploy predefined firewall rules that block outbound network traffic for common network functions 1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). @@ -29,19 +36,3 @@ To complete these procedures, you must be a member of the Domain Administrators 6. On the **Action** page, select **Block the connection**, and then click **Finish**. The selected rules are added to the GPO. - - **Note**   - If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. - -   - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md b/windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md deleted file mode 100644 index a431459419..0000000000 --- a/windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md +++ /dev/null @@ -1,39 +0,0 @@ ---- -title: Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10) -description: Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 -ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548 -author: brianlic-msft ---- - -# Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 - - -This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. - -**Important**   -Because of its usefulness in troubleshooting network connectivity problems, we recommend that you exempt all ICMP network traffic from authentication requirements unless your network risk analysis indicates a need to protect this traffic. - -  - -**Administrative credentials** - -To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. - -**To exempt ICMP network traffic from authentication** - -1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). - -2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. - -3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/exempt-icmp-from-authentication.md b/windows/keep-secure/exempt-icmp-from-authentication.md new file mode 100644 index 0000000000..a60e483753 --- /dev/null +++ b/windows/keep-secure/exempt-icmp-from-authentication.md @@ -0,0 +1,30 @@ +--- +title: Exempt ICMP from Authentication (Windows 10) +description: Exempt ICMP from Authentication +ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# Exempt ICMP from Authentication + +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview + +This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. + +**Administrative credentials** + +To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. + +To exempt ICMP network traffic from authentication + +1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). + +2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**. + +3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**. diff --git a/windows/keep-secure/install-active-directory-certificate-services.md b/windows/keep-secure/install-active-directory-certificate-services.md deleted file mode 100644 index 5fc8bd6b1c..0000000000 --- a/windows/keep-secure/install-active-directory-certificate-services.md +++ /dev/null @@ -1,77 +0,0 @@ ---- -title: Install Active Directory Certificate Services (Windows 10) -description: Install Active Directory Certificate Services -ms.assetid: 6f2ed8ac-b8a6-4819-9c21-be91dedfd619 -author: brianlic-msft ---- - -# Install Active Directory Certificate Services - - -To use certificates in a server isolation or domain isolation design, you must first set up the infrastructure to deploy the certificates. This is called a public key infrastructure (PKI). The services required for a PKI are available in Windows Server 2012 in the form of the Active Directory Certificate Services (AD CS) role. - -**Caution**   -Creation of a full PKI for an enterprise environment with all of the appropriate security considerations included in the design is beyond the scope of this guide. The following procedure shows you only the basics of installing an issuing certificate server; it is appropriate for a test lab environment only. For more information about deploying AD CS in a production environment, see [Active Directory Certificate Services Overview](http://technet.microsoft.com/library/hh831740.aspx). - -  - -To perform this procedure, the computer on which you are installing AD CS must be joined to an Active Directory domain. - -**Administrative credentials** - -To complete this procedure, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group. - -**To install AD CS** - -1. Log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group. - -2. Click **Server Manager** in the taskbar. The Server Manager console opens. Click **Add roles and features**. - -3. On the **Before you begin** page, click **Next**. - -4. On the **Select installation type** page, ensure **Role-based or feature-based installation** is selected and click **Next**. - -5. On the **Select destination server** page, ensure your server is selected and click **Next**. - -6. On the **Select Server Roles** page, select **Active Directory Certificate Services**, and then click **Add Features** and then click **Next**. - -7. On the **Select features** page, click **Next**. - -8. On the **Active Directory Certificate Services** page, click **Next**. - -9. On the **Select role services** page, ensure **Certification Authority** is selected and click **Next**. - -10. On the **Confirm installation selections** page, click **Install**. - - After installation completes, click close. - -11. On the Server Manager Dashboard, click the Notifications flag icon and then click **Configure Active Directory Certificate Services on the destination server**. - -12. On the **Credentials** page, ensure the default user account is a member of both the local Administrators group and the Enterprise Admins group and then click **Next**. - -13. On the **Role Services** page, click **Certification Authority**, and click **Next**. - -14. On the **Setup Type** page, ensure **Enterprise CA** is selected, and click **Next**. - -15. On the **CA Type** page, ensure **Root CA** is selected, and then click **Next**. - -16. On the **Private Key** page, ensure **Create a new private key** is selected, and then click **Next**. - -17. On the **Cryptography for CA** page, keep the default settings for CSP (**RSA\#Microsoft Software Key Storage Provider**) and hash algorithm (**sha1**), and determine the best key character length for your deployment. Large key character lengths provide optimal security, but they can affect server performance. It is recommended that you keep the default setting of 2048 or, if appropriate for your deployment, reduce key character length to 1024. Click **Next**. - -18. On the **CA Name** page, keep the suggested common name for the CA or change the name according to your requirements, and then click **Next**. - -19. On the **Validity Period** page, in **Specify the validity period**, type the number and select a time value (Years, Months, Weeks, or Days). The default setting of five years is recommended. Click **Next**. - -20. On the **CA Database** page, in **Certificate database location** and **Certificate database log location**, specify the folder location for these items. If you specify locations other than the default locations, make sure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files. - -21. Click **Next**, click **Configure**, and then click **Close**. - -  - -  - - - - - diff --git a/windows/keep-secure/link-the-gpo-to-the-domain.md b/windows/keep-secure/link-the-gpo-to-the-domain.md index d912164e47..ab224211e6 100644 --- a/windows/keep-secure/link-the-gpo-to-the-domain.md +++ b/windows/keep-secure/link-the-gpo-to-the-domain.md @@ -2,23 +2,30 @@ title: Link the GPO to the Domain (Windows 10) description: Link the GPO to the Domain ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Link the GPO to the Domain +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target computers. +After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices. -If the filters comprehensively control the application of the GPO to only the correct computers, then you can link the GPO to the domain container. Alternatively, you can link the GPO to a site container or organizational unit if you want to limit application of the GPO to that subset of computers. +If the filters comprehensively control the application of the GPO to only the correct devices, then you can link the GPO to the domain container. Alternatively, you can link the GPO to a site container or organizational unit if you want to limit application of the GPO to that subset of devices. **Administrative credentials** To complete this procedure, you must be a member of the Domain Admins group, or otherwise be delegated permissions to modify the GPOs. -**To link the GPO to the domain container in Active Directory** +To link the GPO to the domain container in Active Directory -1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. +1. Open the Group Policy Management console. 2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, and then expand *YourDomainName*. @@ -28,13 +35,4 @@ To complete this procedure, you must be a member of the Domain Admins group, or 5. The GPO appears in the **Linked Group Policy Objects** tab in the details pane and as a linked item under the domain container in the navigation pane. -6. You can adjust the order of the linked GPOs to ensure that the higher priority GPOs are processed last. Select a GPO and click the up or down arrows to move it. The GPOs are processed by the client computer from the highest link order number to the lowest. - -  - -  - - - - - +6. You can adjust the order of the linked GPOs to ensure that the higher priority GPOs are processed last. Select a GPO and click the up or down arrows to move it. The GPOs are processed by the client device from the highest link order number to the lowest. diff --git a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index f003cb6ee2..95ab7cda01 100644 --- a/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -2,13 +2,20 @@ title: Modify GPO Filters to Apply to a Different Zone or Version of Windows (Windows 10) description: Modify GPO Filters to Apply to a Different Zone or Version of Windows ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Modify GPO Filters to Apply to a Different Zone or Version of Windows +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#bkmk-topreventmembersofgroupfromapplyingagpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. +You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. **Administrative credentials** @@ -16,20 +23,15 @@ To complete these procedures, you must be a member of the Domain Administrators In this topic: -- [Change the security group filter for a GPO](#bkmk-toallowmembersofagrouptoapplyagpo) +- [Change the security group filter for a GPO](#to-change-the-security-group-filter-for-a-gpo) -- [Block members of a group from applying a GPO](#bkmk-topreventmembersofgroupfromapplyingagpo) +- [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) -- [Remove a block for members of a group from applying a GPO](#bkmk-toremoveablockformembersofgroupfromapplyingagpo) +- [Remove a block for members of a group from applying a GPO](#to-remove-a-block-for-members-of-group-from-applying-a-gpo) -## +## To change the security group filter for a GPO - -Use the following procedure to change a group to the security filter on the GPO that allows group members to apply the GPO. You must remove the reference to the original group, and add the group appropriate for this GPO. - -**To change the security group filter for a GPO** - -1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. +1. Open the Group Policy Management console. 2. In the navigation pane, find and then click the GPO that you want to modify. @@ -39,14 +41,9 @@ Use the following procedure to change a group to the security filter on the GPO 5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain. -## +## To block members of a group from applying a GPO - -Use the following procedure if you need to add a group to the security filter on the GPO that blocks group members from applying the GPO. This can be used on the GPOs for the main isolated domain to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. - -**To block members of group from applying a GPO** - -1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. +1. Open the Group Policy Management console. 2. In the navigation pane, find and then click the GPO that you want to modify. @@ -64,12 +61,9 @@ Use the following procedure if you need to add a group to the security filter on 9. The group appears in the list with custom permissions. -## +## To remove a block for members of group from applying a GPO - -**To remove a block for members of group from applying a GPO** - -1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. +1. Open the Group Policy Management console. 2. In the navigation pane, find and then click the GPO that you want to modify. @@ -78,14 +72,3 @@ Use the following procedure if you need to add a group to the security filter on 4. In the **Groups and users** list, select the group that should no longer be blocked, and then click **Remove**. 5. In the message box, click **OK**. - -If you arrived at this page by clicking a link in a checklist, use your browser’s **Back** button to return to the checklist. - -  - -  - - - - - diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md index 729e906fcc..f29f5afbb7 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md @@ -2,27 +2,25 @@ title: Open the Group Policy Management Console to IP Security Policies (Windows 10) description: Open the Group Policy Management Console to IP Security Policies ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Open the Group Policy Management Console to IP Security Policies +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). **To open a GPO to the IP Security Policies section** -1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. +1. Open the Group Policy Management console. 2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. -3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, and then click **IP Security Policies on Active Directory (***YourDomainName***)**. - -  - -  - - - - - +3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, and then click **IP Security Policies on Active Directory (***YourDomainName***)**. \ No newline at end of file diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index 5d720ae16f..e179647bac 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -2,27 +2,25 @@ title: Open the Group Policy Management Console to Windows Firewall with Advanced Security (Windows 10) description: Open the Group Policy Management Console to Windows Firewall with Advanced Security ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Open the Group Policy Management Console to Windows Firewall with Advanced Security +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. -**To open a GPO to Windows Firewall with Advanced Security** +To open a GPO to Windows Firewall with Advanced Security -1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile. +1. Open the Group Policy Management console. 2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. -3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and then expand **Windows Firewall with Advanced Security - LDAP://cn={***GUID***},cn=…**. - -  - -  - - - - - +3. In the navigation pane of the Group Policy Management Editor, navigate to **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - LDAP://cn={***GUID***},cn=…**. diff --git a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md index 02b493283f..2d848ec539 100644 --- a/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md @@ -2,27 +2,25 @@ title: Open the Group Policy Management Console to Windows Firewall (Windows 10) description: Open the Group Policy Management Console to Windows Firewall ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Open the Group Policy Management Console to Windows Firewall +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -**To open a GPO to Windows Firewall** +To open a GPO to Windows Firewall -1. Open **Active Directory Users and Computers**. +1. Open the Active Directory Users and Computers console. 2. In the navigation pane, expand *YourDomainName*, right-click the container that your GPO is linked to, and then click **Properties**. 3. Click the **Group Policy** tab, select your GPO, and then click **Edit**. -4. In the navigation pane of the Group Policy Object Editor, expand **Computer Configuration**, expand **Administrative Templates**, expand **Network**, expand **Network Connections**, and then expand **Windows Firewall**. - -  - -  - - - - - +4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Firewall**. diff --git a/windows/keep-secure/open-windows-firewall-with-advanced-security.md b/windows/keep-secure/open-windows-firewall-with-advanced-security.md index 5387c113a1..cda993d4ad 100644 --- a/windows/keep-secure/open-windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/open-windows-firewall-with-advanced-security.md @@ -2,13 +2,20 @@ title: Open Windows Firewall with Advanced Security (Windows 10) description: Open Windows Firewall with Advanced Security ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Open Windows Firewall with Advanced Security +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -This procedure shows you how to open the Windows Firewall with Advanced Security MMC snap-in. +This procedure shows you how to open the Windows Firewall with Advanced Security console. **Administrative credentials** @@ -16,22 +23,15 @@ To complete this procedure, you must be a member of the Administrators group. Fo ## Opening Windows Firewall with Advanced Security +- [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui) -- [Using the Windows interface](#bkmk-proc1) +- [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt) -- [Using a command line](#bkmk-proc2) +## To open Windows Firewall with Advanced Security using the UI -## +Click Start, type **Windows Firewall with Advanced Security**, and the press ENTER. - -**To open Windows Firewall with Advanced Security by using the Windows interface** - -- Click the **Start** charm, right-click the Start page, click **All Apps**, and then click the **Windows Firewall with Advanced Security** tile. - -## - - -**To open Windows Firewall with Advanced Security from a command prompt** +## To open Windows Firewall with Advanced Security from a command prompt 1. Open a command prompt window. @@ -44,12 +44,3 @@ To complete this procedure, you must be a member of the Administrators group. Fo **Additional considerations** Although standard users can start the Windows Firewall with Advanced Security MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators. - -  - -  - - - - - diff --git a/windows/keep-secure/procedures-used-in-this-guide.md b/windows/keep-secure/procedures-used-in-this-guide.md index 9793debf2a..5cf2b0eea3 100644 --- a/windows/keep-secure/procedures-used-in-this-guide.md +++ b/windows/keep-secure/procedures-used-in-this-guide.md @@ -2,97 +2,95 @@ title: Procedures Used in This Guide (Windows 10) description: Procedures Used in This Guide ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Procedures Used in This Guide +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. -[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md) +- [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) -[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md) +- [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) -[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) +- [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) -[Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) +- [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) -[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +- [Configure Authentication Methods](configure-authentication-methods.md) -[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +- [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings) -[Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) +- [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) -[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +- [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings) -[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +- [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption) -[Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) +- [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) -[Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md) +- [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md) -[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) +- [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) -[Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) +- [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) -[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) +- [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) -[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) +- [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) -[Create a Group Policy Object](create-a-group-policy-object.md) +- [Create a Group Policy Object](create-a-group-policy-object.md) -[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +- [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) -[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +- [Create an Authentication Request Rule](create-an-authentication-request-rule.md) -[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) -[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create an Inbound Port Rule](create-an-inbound-port-rule.md) -[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) -[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create an Outbound Port Rule](create-an-outbound-port-rule.md) -[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md) -[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) -[Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) +- [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) -[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md) -[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md) -[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) +- [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md) -[Install Active Directory Certificate Services](install-active-directory-certificate-services.md) +- [Install Active Directory Certificate Services](install-active-directory-certificate-services.md) -[Link the GPO to the Domain](link-the-gpo-to-the-domain.md) +- [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) -[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) +- [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) -[Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) +- [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) -[Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md) +- [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md) -[Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -[Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) - -[Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md) - -[Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md) - -[Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) - -[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) - -  - -  +- [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) +- [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md) +- [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md) +- [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md) +- [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) +- [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) diff --git a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md index 17df17ac12..85d7267abb 100644 --- a/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md @@ -2,30 +2,30 @@ title: Restrict Server Access to Members of a Group Only (Windows 10) description: Restrict Server Access to Members of a Group Only ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Restrict Server Access to Members of a Group Only +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -After you have configured the IPsec connection security rules that force client computers to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those computers or users who have been identified through the authentication process as members of the isolated server’s access group. - -The way in which you restrict access to the isolated server depends on which version of the Windows operating system the server is running. - -- If the server is running Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012, then you create a firewall rule that specifies the user and computer accounts that are allowed. The authentication method used in the connection must support the account type specified. Remember that only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 support user-based authentication. +After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group. In this topic: -- [Create a firewall rule to access isolated servers running Windows Server 2008 or later](#bkmk-section1) +- [Create a firewall rule to access isolated servers running Windows Server 2008 or later](#to-create-a-firewall-rule-that-grants-access-to-an-isolated-server) **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -## - - -**To create a firewall rule that grants access to an isolated server running Windows Server 2008 or later** +## To create a firewall rule that grants access to an isolated server 1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone. @@ -41,18 +41,4 @@ To complete these procedures, you must be a member of the Domain Administrators 7. On the **Action** page, click **Allow the connection if it is secure**. If required by your design, you can also click **Customize** and select **Require the connections to be encrypted**. Click **Next**. -8. On the **Users and Computers** page, select the check box for the type of accounts (computer or user) you want to allow, click **Add**, and then enter the group account that contains the computer and user accounts permitted to access the server. - - **Caution**   - Remember that if you specify a user group on the Users page, your authentication scheme must include a method that uses user-based credentials. User-based credentials are only supported on versions of Windows that support AuthIP, such as Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. Earlier versions of Windows and other operating systems that support IKE v1 only do not support user-based authentication; computers running those versions or other operating systems will not be able to connect to the isolated server through this firewall rule. - -   - -  - -  - - - - - +8. On the **Users and Computers** page, select the check box for the type of accounts (computer or user) you want to allow, click **Add**, and then enter the group account that contains the device and user accounts permitted to access the server. diff --git a/windows/keep-secure/start-a-command-prompt-as-an-administrator.md b/windows/keep-secure/start-a-command-prompt-as-an-administrator.md deleted file mode 100644 index 55bd05b936..0000000000 --- a/windows/keep-secure/start-a-command-prompt-as-an-administrator.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: Start a Command Prompt as an Administrator (Windows 10) -description: Start a Command Prompt as an Administrator -ms.assetid: 82615224-39df-458f-b165-48af77721527 -author: brianlic-msft ---- - -# Start a Command Prompt as an Administrator - - -This topic describes how to open a command prompt with full administrator permissions. If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions. You must explicitly specify that you require the use of your administrative permissions by using one of the procedures in this topic. - -**Administrative credentials** - -To complete these procedures, you must be a member of the Administrators group. - -**To start a command prompt as an administrator** - -- Right-click the **Start** charm, and then click **Command Prompt (Admin)**. - -**To start a command prompt as an administrator (alternative method)** - -1. Click the **Start** charm. - -2. Type **cmd**, right-click the **Command Prompt** tile, and then click **Run as administrator**. - -  - -  - - - - - diff --git a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md index f796faa837..758bffcd66 100644 --- a/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md @@ -2,22 +2,26 @@ title: Turn on Windows Firewall and Configure Default Behavior (Windows 10) description: Turn on Windows Firewall and Configure Default Behavior ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Turn on Windows Firewall and Configure Default Behavior +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node (for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2) in the Group Policy Management MMC snap-in. +To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node in the Group Policy Management console. **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -## - - -**To enable Windows Firewall and configure the default behavior on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2** +## To enable Windows Firewall and configure the default behavior 1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). @@ -25,10 +29,7 @@ To complete these procedures, you must be a member of the Domain Administrators 3. For each network location type (Domain, Private, Public), perform the following steps. - **Note**   - The steps shown here indicate the recommended values for a typical deployment. Use the settings that are appropriate for your firewall design. - -   + >**Note:**  The steps shown here indicate the recommended values for a typical deployment. Use the settings that are appropriate for your firewall design. 1. Click the tab that corresponds to the network location type. diff --git a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md index 40056df757..44e4ba7803 100644 --- a/windows/keep-secure/verify-that-network-traffic-is-authenticated.md +++ b/windows/keep-secure/verify-that-network-traffic-is-authenticated.md @@ -2,24 +2,30 @@ title: Verify That Network Traffic Is Authenticated (Windows 10) description: Verify That Network Traffic Is Authenticated ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # Verify That Network Traffic Is Authenticated +**Applies to** +- Windows 10 +- Windows Server 2016 Technical Preview -After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the computers on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the computers have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. +After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. In these procedures, you confirm that the rules you deployed are working correctly. Your next steps depend on which zone you are working on: -- **Main domain isolation zone.** Before you convert your main domain isolation IPsec rule from request mode to require mode, you must make sure that the network traffic is protected according to your design. By configuring your rules to request and not require authentication at the beginning of operations, computers on the network can continue to communicate even when the main mode authentication or quick mode integrity and encryption rules are not working correctly. For example, if your encryption zone contains rules that require a certain encryption algorithm, but that algorithm is not included in a security method combination on the clients, then those clients cannot successfully negotiate a quick mode security association, and the server refuses to accept network traffic from the client. By first using request mode only, you have the opportunity to deploy your rules and then examine the network traffic to see if they are working as expected without risking a loss of communications. +- **Main domain isolation zone.** Before you convert your main domain isolation IPsec rule from request mode to require mode, you must make sure that the network traffic is protected according to your design. By configuring your rules to request and not require authentication at the beginning of operations, devices on the network can continue to communicate even when the main mode authentication or quick mode integrity and encryption rules are not working correctly. For example, if your encryption zone contains rules that require a certain encryption algorithm, but that algorithm is not included in a security method combination on the clients, then those clients cannot successfully negotiate a quick mode security association, and the server refuses to accept network traffic from the client. By first using request mode only, you have the opportunity to deploy your rules and then examine the network traffic to see if they are working as expected without risking a loss of communications. - **Boundary zone.** Confirming correct operation of IPsec is the last step if you are working on the boundary zone GPO. You do not convert the GPO to require mode at any time. - **Encryption zone.** Similar to the main isolation zone, after you confirm that the network traffic to zone members is properly authenticated and encrypted, you must convert your zone rules from request mode to require mode. -**Note**   -In addition to the steps shown in this procedure, you can also use network traffic capture tools such as Microsoft Network Monitor, which can be downloaded from . Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your computer. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them. +>**Note:**  In addition to the steps shown in this procedure, you can also use network traffic capture tools such as Microsoft Network Monitor, which can be downloaded from . Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your device. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them.   @@ -27,18 +33,13 @@ In addition to the steps shown in this procedure, you can also use network traff To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. -## For computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 +## To verify that network connections are authenticated by using the Windows Firewall with Advanced Security console - -**To verify that network connections are authenticated by using the Windows Firewall with Advanced Security MMC snap-in** - -1. Click the **Start** charm, type **wf.msc**, and then press ENTER. - - Windows Firewall with Advanced Security opens. +1. Open the Windows Firewall with Advanced Security console. 2. In the navigation pane, expand **Monitoring**, and then click **Connection Security Rules**. - The details pane displays the rules currently in effect on the computer. + The details pane displays the rules currently in effect on the device. 3. **To display the Rule Source column** @@ -50,28 +51,15 @@ To complete these procedures, you must be a member of the Domain Administrators It can take a few moments for the list to be refreshed with the newly added column. -4. Examine the list for the rules from GPOs that you expect to be applied to this computer. - - **Note**   - If the rules do not appear in the list, then troubleshoot the GPO security group and the WMI filters that are applied to the GPO. Make sure that the local computer is a member of the appropriate groups and meets the requirements of the WMI filters. - -   +4. Examine the list for the rules from GPOs that you expect to be applied to this device. + >**Note:**  If the rules do not appear in the list, then troubleshoot the GPO security group and the WMI filters that are applied to the GPO. Make sure that the local device is a member of the appropriate groups and meets the requirements of the WMI filters. 5. In the navigation pane, expand **Security Associations**, and then click **Main Mode**. - The current list of main mode associations that have been negotiated with other computers appears in the details column. + The current list of main mode associations that have been negotiated with other devices appears in the details column. -6. Examine the list of main mode security associations for sessions between the local computer and the remote computer. Make sure that the **1st Authentication Method** and **2nd Authentication Method** columns contain expected values. If your rules specify only a first authentication method, then the **2nd Authentication Method** column displays **No authentication**. If you double-click the row, then the **Properties** dialog box appears with additional details about the security association. +6. Examine the list of main mode security associations for sessions between the local device and the remote device. Make sure that the **1st Authentication Method** and **2nd Authentication Method** columns contain expected values. If your rules specify only a first authentication method, then the **2nd Authentication Method** column displays **No authentication**. If you double-click the row, then the **Properties** dialog box appears with additional details about the security association. 7. In the navigation pane, click **Quick mode**. -8. Examine the list of quick mode security associations for sessions between the local computer and the remote computer. Make sure that the **AH Integrity**, **ESP integrity**, and **ESP Confidentiality** columns contain expected values. - -  - -  - - - - - +8. Examine the list of quick mode security associations for sessions between the local device and the remote device. Make sure that the **AH Integrity**, **ESP integrity**, and **ESP Confidentiality** columns contain expected values. From 50cb9eaf584d06acac36a09c1fbdd558c97fdb30 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 2 Jun 2016 15:05:16 -0700 Subject: [PATCH 12/26] fixing broken links --- windows/keep-secure/TOC.md | 4 ++-- windows/keep-secure/boundary-zone-gpos.md | 2 +- ...list-configuring-rules-for-the-boundary-zone.md | 2 +- ...st-configuring-rules-for-the-encryption-zone.md | 2 +- ...st-configuring-rules-for-the-isolated-domain.md | 4 ++-- ...clients-of-a-standalone-isolated-server-zone.md | 4 ++-- ...-a-certificate-based-isolation-policy-design.md | 4 ++-- ...mplementing-a-domain-isolation-policy-design.md | 2 +- ...-a-standalone-server-isolation-policy-design.md | 6 +++--- .../keep-secure/procedures-used-in-this-guide.md | 14 +++++--------- ...rotect-devices-from-unwanted-network-traffic.md | 2 +- ...n-when-accessing-sensitive-network-resources.md | 2 +- 12 files changed, 22 insertions(+), 26 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index ac7b4a1617..5f9b509e1c 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -501,8 +501,8 @@ ###### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md) ##### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) ##### [Procedures Used in This Guide](procedures-used-in-this-guide.md) -###### [Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md) -###### [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md) +###### [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) +###### [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) ###### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) ###### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) ###### [Configure Authentication Methods](configure-authentication-methods.md) diff --git a/windows/keep-secure/boundary-zone-gpos.md b/windows/keep-secure/boundary-zone-gpos.md index a9a8a4d8a0..66865b93a6 100644 --- a/windows/keep-secure/boundary-zone-gpos.md +++ b/windows/keep-secure/boundary-zone-gpos.md @@ -25,4 +25,4 @@ The boundary zone GPOs discussed in this guide are only for server versions of W In the Woodgrove Bank example, only the GPO settings for a Web service on at least Windows Server 2008 are discussed. -- [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary-ws2008.md) +- [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary.md) diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md index 899be3e221..898aff61c0 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md @@ -28,5 +28,5 @@ This checklist assumes that you have already created the GPO for the isolated do | Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) | | If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)| +| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| | Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md index f0d1aab7e7..8bf35ebe8e 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md @@ -29,5 +29,5 @@ This checklist assumes that you have already created the GPO for the isolated do | Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)| +| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| | Verify that the connection security rules are protecting network traffic.| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md index bec1da29f6..41375ddbad 100644 --- a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md @@ -26,11 +26,11 @@ The following checklists include tasks for configuring connection security rules | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| | Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| -| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| | Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| | Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| | Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| -| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)| +| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| | Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|   diff --git a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index c7701cd4f8..bd5a21cdb8 100644 --- a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -25,8 +25,8 @@ This checklist includes tasks for configuring connection security rules and IPse | To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| | Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| -| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange--main-mode--settings.md)| -| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection--quick-mode--settings.md)| +| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| +| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| | Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| | Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| diff --git a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md index 23e5c64172..1cab0a3744 100644 --- a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -24,7 +24,7 @@ This parent checklist includes cross-reference links to important concepts about | Task | Reference | | - | - | | Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | -| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| [Install Active Directory Certificate Services](install-active-directory-certificate-services.md) | -| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md)| +| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| | +| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| | Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| | On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| diff --git a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md index f89ac11201..a57af52e9a 100644 --- a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md @@ -30,5 +30,5 @@ The procedures in this section use the Group Policy MMC snap-ins to configure th | Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| | Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| | Create the GPOs and connection security rules for the isolated server zone.| [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)| -| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)| +| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| | After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| diff --git a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md index ba750e4d59..e4ed2e3d00 100644 --- a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -27,7 +27,7 @@ This parent checklist includes cross-reference links to important concepts about | - | - | | Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Server Isolation Policy Design](server-isolation-policy-design.md)
[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
[Planning Server Isolation Zones](planning-server-isolation-zones.md) | | Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| -| Create the GPOs and connection security rules for the client computers that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| -| Verify that the connection security rules are protecting network traffic on your test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| +| Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| +| Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| | After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| -| According to the testing and roll-out schedule in your design plan, add computer accounts for the client computers to the membership group so that you can deploy the settings. | [Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md) | +| According to the testing and roll-out schedule in your design plan, add device accounts for the client devices to the membership group so that you can deploy the settings. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) | diff --git a/windows/keep-secure/procedures-used-in-this-guide.md b/windows/keep-secure/procedures-used-in-this-guide.md index 5cf2b0eea3..d19699b94b 100644 --- a/windows/keep-secure/procedures-used-in-this-guide.md +++ b/windows/keep-secure/procedures-used-in-this-guide.md @@ -27,17 +27,17 @@ The procedures in this section appear in the checklists found earlier in this do - [Configure Authentication Methods](configure-authentication-methods.md) -- [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings) +- [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md) - [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) -- [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings) +- [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md) -- [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption) +- [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md) - [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) -- [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md) +- [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md) - [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) @@ -63,7 +63,7 @@ The procedures in this section appear in the checklists found earlier in this do - [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md) -- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) +- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) - [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) @@ -73,8 +73,6 @@ The procedures in this section appear in the checklists found earlier in this do - [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md) -- [Install Active Directory Certificate Services](install-active-directory-certificate-services.md) - - [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) - [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) @@ -89,8 +87,6 @@ The procedures in this section appear in the checklists found earlier in this do - [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md) -- [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md) - - [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md) - [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) diff --git a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md index 5191757d81..a24379dacf 100644 --- a/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md +++ b/windows/keep-secure/protect-devices-from-unwanted-network-traffic.md @@ -35,7 +35,7 @@ A host-based firewall helps secure a device by dropping all network traffic that The following component is recommended for this deployment goal: -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain. For more information about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain. Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations. diff --git a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md index 0a0d740794..890eaf1d99 100644 --- a/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/keep-secure/require-encryption-when-accessing-sensitive-network-resources.md @@ -35,6 +35,6 @@ This goal provides the following benefits: The following components are required for this deployment goal: -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. For more info about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. **Next: **[Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md) From 3ae47e92b4e4297e8aa7bf63ffdcc8d6b3832e30 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 2 Jun 2016 15:16:02 -0700 Subject: [PATCH 13/26] enabled back navigation on menu --- windows/deploy/TOC.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index cc0388e935..6abf80bb3f 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -1,3 +1,5 @@ +# [What's new in Windows 10](../whats-new/index.md) +# [Plan for Windows 10 deployment](../plan/index.md) # [Deploy Windows 10](index.md) ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) ## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) @@ -135,3 +137,5 @@ ###### [XML Elements Library](usmt-xml-elements-library.md) ##### [Offline Migration Reference](offline-migration-reference.md) ## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) +# [Keep Windows 10 secure](.../keep-secure/index.md) +# [Manage and update Windows 10](.../manage/index.md) \ No newline at end of file From c76939967b6786123718a6c6f3cc9fffcc1e0675 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 2 Jun 2016 15:22:30 -0700 Subject: [PATCH 14/26] fixing broken links --- windows/keep-secure/TOC.md | 7 +++---- .../restrict-access-to-only-specified-users-or-devices.md | 2 +- .../keep-secure/restrict-access-to-only-trusted-devices.md | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 5f9b509e1c..2ca5758f52 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -506,12 +506,12 @@ ###### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) ###### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) ###### [Configure Authentication Methods](configure-authentication-methods.md) -###### [Configure Data Protection (Quick Mode) Settings](configure-data-protection--quick-mode--settings.md) +###### [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md) ###### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) -###### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange--main-mode--settings.md) +###### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md) ###### [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md) ###### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) -###### [Configure the Workstation Authentication Certificate Template[wfas_dep]](configure-the-workstation-authentication-certificate-templatewfas-dep.md) +###### [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md) ###### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) ###### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) ###### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) @@ -529,7 +529,6 @@ ###### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md) ###### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md) ###### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md) -###### [Install Active Directory Certificate Services](install-active-directory-certificate-services.md) ###### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) ###### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) ###### [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) diff --git a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md index 0197fbcba0..049625343b 100644 --- a/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/keep-secure/restrict-access-to-only-specified-users-or-devices.md @@ -39,6 +39,6 @@ This goal, which corresponds to [Server Isolation Policy Design](server-isolatio The following components are required for this deployment goal: -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. For more info about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. **Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) diff --git a/windows/keep-secure/restrict-access-to-only-trusted-devices.md b/windows/keep-secure/restrict-access-to-only-trusted-devices.md index be3854af23..d2b47a2dbe 100644 --- a/windows/keep-secure/restrict-access-to-only-trusted-devices.md +++ b/windows/keep-secure/restrict-access-to-only-trusted-devices.md @@ -49,6 +49,6 @@ These goals also support optional zones that can be created to add customized pr The following components are required for this deployment goal: -- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. For more info about Active Directory, see [Additional Resources](additional-resources-wfasdesign.md). +- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain. **Next: **[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md) From 782f0f8f16e3392e351e156cd1ee3145017ce60c Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 2 Jun 2016 15:39:11 -0700 Subject: [PATCH 15/26] fixing merge conflicts --- windows/keep-secure/audit-account-lockout.md | 4 ---- windows/keep-secure/audit-application-generated.md | 4 ---- windows/keep-secure/audit-application-group-management.md | 4 ---- windows/keep-secure/audit-audit-policy-change.md | 4 ---- windows/keep-secure/audit-authentication-policy-change.md | 4 ---- windows/keep-secure/audit-authorization-policy-change.md | 4 ---- windows/keep-secure/audit-central-access-policy-staging.md | 4 ---- windows/keep-secure/audit-certification-services.md | 4 ---- windows/keep-secure/audit-computer-account-management.md | 4 ---- windows/keep-secure/audit-credential-validation.md | 4 ---- windows/keep-secure/audit-detailed-file-share.md | 4 ---- windows/keep-secure/audit-directory-service-access.md | 4 ---- windows/keep-secure/audit-directory-service-changes.md | 4 ---- windows/keep-secure/audit-directory-service-replication.md | 4 ---- windows/keep-secure/audit-distribution-group-management.md | 4 ---- windows/keep-secure/audit-dpapi-activity.md | 4 ---- windows/keep-secure/audit-file-share.md | 4 ---- windows/keep-secure/audit-file-system.md | 4 ---- windows/keep-secure/audit-filtering-platform-connection.md | 4 ---- windows/keep-secure/audit-filtering-platform-packet-drop.md | 4 ---- windows/keep-secure/audit-filtering-platform-policy-change.md | 4 ---- windows/keep-secure/audit-group-membership.md | 4 ---- windows/keep-secure/audit-handle-manipulation.md | 4 ---- windows/keep-secure/audit-ipsec-driver.md | 4 ---- windows/keep-secure/audit-ipsec-extended-mode.md | 4 ---- windows/keep-secure/audit-ipsec-main-mode.md | 4 ---- windows/keep-secure/audit-ipsec-quick-mode.md | 4 ---- windows/keep-secure/audit-kerberos-authentication-service.md | 4 ---- .../keep-secure/audit-kerberos-service-ticket-operations.md | 4 ---- windows/keep-secure/audit-kernel-object.md | 4 ---- windows/keep-secure/audit-logoff.md | 4 ---- windows/keep-secure/audit-logon.md | 4 ---- windows/keep-secure/audit-mpssvc-rule-level-policy-change.md | 4 ---- windows/keep-secure/audit-network-policy-server.md | 4 ---- windows/keep-secure/audit-non-sensitive-privilege-use.md | 4 ---- windows/keep-secure/audit-other-account-logon-events.md | 4 ---- windows/keep-secure/audit-other-account-management-events.md | 4 ---- windows/keep-secure/audit-other-logonlogoff-events.md | 4 ---- 38 files changed, 152 deletions(-) diff --git a/windows/keep-secure/audit-account-lockout.md b/windows/keep-secure/audit-account-lockout.md index 4085b5a63b..edda775a9d 100644 --- a/windows/keep-secure/audit-account-lockout.md +++ b/windows/keep-secure/audit-account-lockout.md @@ -2,12 +2,8 @@ title: Audit Account Lockout (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-application-generated.md b/windows/keep-secure/audit-application-generated.md index 5ba97a5c15..a031b2592f 100644 --- a/windows/keep-secure/audit-application-generated.md +++ b/windows/keep-secure/audit-application-generated.md @@ -2,12 +2,8 @@ title: Audit Application Generated (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-application-group-management.md b/windows/keep-secure/audit-application-group-management.md index 0deb3d5319..c4ee29610f 100644 --- a/windows/keep-secure/audit-application-group-management.md +++ b/windows/keep-secure/audit-application-group-management.md @@ -2,12 +2,8 @@ title: Audit Application Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed. ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-audit-policy-change.md b/windows/keep-secure/audit-audit-policy-change.md index c29f789d2c..dca7c1278d 100644 --- a/windows/keep-secure/audit-audit-policy-change.md +++ b/windows/keep-secure/audit-audit-policy-change.md @@ -2,12 +2,8 @@ title: Audit Audit Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy. ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-authentication-policy-change.md b/windows/keep-secure/audit-authentication-policy-change.md index 2c23a6ded7..60d6e969e5 100644 --- a/windows/keep-secure/audit-authentication-policy-change.md +++ b/windows/keep-secure/audit-authentication-policy-change.md @@ -2,12 +2,8 @@ title: Audit Authentication Policy Change (Windows 10) description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy. ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-authorization-policy-change.md b/windows/keep-secure/audit-authorization-policy-change.md index 6b5711357a..e12e71d60c 100644 --- a/windows/keep-secure/audit-authorization-policy-change.md +++ b/windows/keep-secure/audit-authorization-policy-change.md @@ -2,12 +2,8 @@ title: Audit Authorization Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-central-access-policy-staging.md b/windows/keep-secure/audit-central-access-policy-staging.md index 207c079556..dba31f0402 100644 --- a/windows/keep-secure/audit-central-access-policy-staging.md +++ b/windows/keep-secure/audit-central-access-policy-staging.md @@ -2,12 +2,8 @@ title: Audit Central Access Policy Staging (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy. ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-certification-services.md b/windows/keep-secure/audit-certification-services.md index 33ee066f97..8faf626674 100644 --- a/windows/keep-secure/audit-certification-services.md +++ b/windows/keep-secure/audit-certification-services.md @@ -2,12 +2,8 @@ title: Audit Certification Services (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (ADÂ CS) operations are performed. ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-computer-account-management.md b/windows/keep-secure/audit-computer-account-management.md index c9daef323f..5f7450d6f6 100644 --- a/windows/keep-secure/audit-computer-account-management.md +++ b/windows/keep-secure/audit-computer-account-management.md @@ -2,12 +2,8 @@ title: Audit Computer Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-credential-validation.md b/windows/keep-secure/audit-credential-validation.md index ea6a2314ca..6b101b70a6 100644 --- a/windows/keep-secure/audit-credential-validation.md +++ b/windows/keep-secure/audit-credential-validation.md @@ -2,12 +2,8 @@ title: Audit Credential Validation (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-detailed-file-share.md b/windows/keep-secure/audit-detailed-file-share.md index bbdf44acb2..e3bcefa79b 100644 --- a/windows/keep-secure/audit-detailed-file-share.md +++ b/windows/keep-secure/audit-detailed-file-share.md @@ -2,12 +2,8 @@ title: Audit Detailed File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder. ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-directory-service-access.md b/windows/keep-secure/audit-directory-service-access.md index e61d72c1ed..90f32dc571 100644 --- a/windows/keep-secure/audit-directory-service-access.md +++ b/windows/keep-secure/audit-directory-service-access.md @@ -2,12 +2,8 @@ title: Audit Directory Service Access (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (ADÂ DS) object is accessed. ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-directory-service-changes.md b/windows/keep-secure/audit-directory-service-changes.md index a0257170d5..681d62c3bd 100644 --- a/windows/keep-secure/audit-directory-service-changes.md +++ b/windows/keep-secure/audit-directory-service-changes.md @@ -2,12 +2,8 @@ title: Audit Directory Service Changes (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (ADÂ DS). ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-directory-service-replication.md b/windows/keep-secure/audit-directory-service-replication.md index d84bf022c9..9852d81d51 100644 --- a/windows/keep-secure/audit-directory-service-replication.md +++ b/windows/keep-secure/audit-directory-service-replication.md @@ -2,12 +2,8 @@ title: Audit Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-distribution-group-management.md b/windows/keep-secure/audit-distribution-group-management.md index 13404964d7..a8818d7fbe 100644 --- a/windows/keep-secure/audit-distribution-group-management.md +++ b/windows/keep-secure/audit-distribution-group-management.md @@ -2,12 +2,8 @@ title: Audit Distribution Group Management (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks. ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-dpapi-activity.md b/windows/keep-secure/audit-dpapi-activity.md index 4c66459ce0..c7c323e5a3 100644 --- a/windows/keep-secure/audit-dpapi-activity.md +++ b/windows/keep-secure/audit-dpapi-activity.md @@ -2,12 +2,8 @@ title: Audit DPAPI Activity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-file-share.md b/windows/keep-secure/audit-file-share.md index 6005f92a3e..2e3b971917 100644 --- a/windows/keep-secure/audit-file-share.md +++ b/windows/keep-secure/audit-file-share.md @@ -2,12 +2,8 @@ title: Audit File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed. ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-file-system.md b/windows/keep-secure/audit-file-system.md index 55cac2e347..c2067f4580 100644 --- a/windows/keep-secure/audit-file-system.md +++ b/windows/keep-secure/audit-file-system.md @@ -2,12 +2,8 @@ title: Audit File System (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects. ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-filtering-platform-connection.md b/windows/keep-secure/audit-filtering-platform-connection.md index d284284a07..e07ed53034 100644 --- a/windows/keep-secure/audit-filtering-platform-connection.md +++ b/windows/keep-secure/audit-filtering-platform-connection.md @@ -2,12 +2,8 @@ title: Audit Filtering Platform Connection (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-filtering-platform-packet-drop.md b/windows/keep-secure/audit-filtering-platform-packet-drop.md index 033b1048e4..2f1d92d144 100644 --- a/windows/keep-secure/audit-filtering-platform-packet-drop.md +++ b/windows/keep-secure/audit-filtering-platform-packet-drop.md @@ -2,12 +2,8 @@ title: Audit Filtering Platform Packet Drop (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. ms.assetid: 95457601-68d1-4385-af20-87916ddab906 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-filtering-platform-policy-change.md b/windows/keep-secure/audit-filtering-platform-policy-change.md index 8035115b4a..c6b29136a8 100644 --- a/windows/keep-secure/audit-filtering-platform-policy-change.md +++ b/windows/keep-secure/audit-filtering-platform-policy-change.md @@ -2,12 +2,8 @@ title: Audit Filtering Platform Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-group-membership.md b/windows/keep-secure/audit-group-membership.md index 9a770e3e95..2fbda5d3b5 100644 --- a/windows/keep-secure/audit-group-membership.md +++ b/windows/keep-secure/audit-group-membership.md @@ -2,12 +2,8 @@ title: Audit Group Membership (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC. ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-handle-manipulation.md b/windows/keep-secure/audit-handle-manipulation.md index 54bcdc2d64..5cff0de163 100644 --- a/windows/keep-secure/audit-handle-manipulation.md +++ b/windows/keep-secure/audit-handle-manipulation.md @@ -2,12 +2,8 @@ title: Audit Handle Manipulation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed. ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-ipsec-driver.md b/windows/keep-secure/audit-ipsec-driver.md index 8125b82896..8816a8e2ba 100644 --- a/windows/keep-secure/audit-ipsec-driver.md +++ b/windows/keep-secure/audit-ipsec-driver.md @@ -2,12 +2,8 @@ title: Audit IPsec Driver (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver. ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-ipsec-extended-mode.md b/windows/keep-secure/audit-ipsec-extended-mode.md index cf9bd5a83c..7220d5ead8 100644 --- a/windows/keep-secure/audit-ipsec-extended-mode.md +++ b/windows/keep-secure/audit-ipsec-extended-mode.md @@ -2,12 +2,8 @@ title: Audit IPsec Extended Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-ipsec-main-mode.md b/windows/keep-secure/audit-ipsec-main-mode.md index 1af0eed70b..4d9716ac60 100644 --- a/windows/keep-secure/audit-ipsec-main-mode.md +++ b/windows/keep-secure/audit-ipsec-main-mode.md @@ -2,12 +2,8 @@ title: Audit IPsec Main Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-ipsec-quick-mode.md b/windows/keep-secure/audit-ipsec-quick-mode.md index 71f1afee93..a6ce77cdf4 100644 --- a/windows/keep-secure/audit-ipsec-quick-mode.md +++ b/windows/keep-secure/audit-ipsec-quick-mode.md @@ -2,12 +2,8 @@ title: Audit IPsec Quick Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-kerberos-authentication-service.md b/windows/keep-secure/audit-kerberos-authentication-service.md index 7d2af0f81d..b0e5ccc886 100644 --- a/windows/keep-secure/audit-kerberos-authentication-service.md +++ b/windows/keep-secure/audit-kerberos-authentication-service.md @@ -2,12 +2,8 @@ title: Audit Kerberos Authentication Service (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-kerberos-service-ticket-operations.md b/windows/keep-secure/audit-kerberos-service-ticket-operations.md index 5fbdfa66fe..0a45922c00 100644 --- a/windows/keep-secure/audit-kerberos-service-ticket-operations.md +++ b/windows/keep-secure/audit-kerberos-service-ticket-operations.md @@ -2,12 +2,8 @@ title: Audit Kerberos Service Ticket Operations (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests. ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-kernel-object.md b/windows/keep-secure/audit-kernel-object.md index e8928abb49..80a0b5e30f 100644 --- a/windows/keep-secure/audit-kernel-object.md +++ b/windows/keep-secure/audit-kernel-object.md @@ -2,12 +2,8 @@ title: Audit Kernel Object (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-logoff.md b/windows/keep-secure/audit-logoff.md index 81be31807c..66730b6282 100644 --- a/windows/keep-secure/audit-logoff.md +++ b/windows/keep-secure/audit-logoff.md @@ -2,12 +2,8 @@ title: Audit Logoff (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated. ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-logon.md b/windows/keep-secure/audit-logon.md index f7ff28f320..194c1f3d0b 100644 --- a/windows/keep-secure/audit-logon.md +++ b/windows/keep-secure/audit-logon.md @@ -2,12 +2,8 @@ title: Audit Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer. ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md index 83a72a4045..e7eb1410f4 100644 --- a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md +++ b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md @@ -2,12 +2,8 @@ title: Audit MPSSVC Rule-Level Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-network-policy-server.md b/windows/keep-secure/audit-network-policy-server.md index 859c030a3a..c053aab03a 100644 --- a/windows/keep-secure/audit-network-policy-server.md +++ b/windows/keep-secure/audit-network-policy-server.md @@ -2,12 +2,8 @@ title: Audit Network Policy Server (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-non-sensitive-privilege-use.md b/windows/keep-secure/audit-non-sensitive-privilege-use.md index b787a4a0a1..a6052e4d5d 100644 --- a/windows/keep-secure/audit-non-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-non-sensitive-privilege-use.md @@ -2,12 +2,8 @@ title: Audit Non Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-other-account-logon-events.md b/windows/keep-secure/audit-other-account-logon-events.md index 68e947de07..ee92107d00 100644 --- a/windows/keep-secure/audit-other-account-logon-events.md +++ b/windows/keep-secure/audit-other-account-logon-events.md @@ -2,12 +2,8 @@ title: Audit Other Account Logon Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-other-account-management-events.md b/windows/keep-secure/audit-other-account-management-events.md index fd359417f7..bce48fe3a4 100644 --- a/windows/keep-secure/audit-other-account-management-events.md +++ b/windows/keep-secure/audit-other-account-management-events.md @@ -2,12 +2,8 @@ title: Audit Other Account Management Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events. ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-other-logonlogoff-events.md b/windows/keep-secure/audit-other-logonlogoff-events.md index b8119d7835..da62c1ddac 100644 --- a/windows/keep-secure/audit-other-logonlogoff-events.md +++ b/windows/keep-secure/audit-other-logonlogoff-events.md @@ -2,12 +2,8 @@ title: Audit Other Logon/Logoff Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events. ms.assetid: 76d987cd-1917-4907-a739-dd642609a458 -<<<<<<< HEAD -ms.prod: w10 -======= ms.pagetype: security ms.prod: W10 ->>>>>>> secaudit ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh From fa5ddfcf9d394c41415d2ed3e305b8068e8be0b8 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 2 Jun 2016 15:42:37 -0700 Subject: [PATCH 16/26] changing from ms.prod: W10 to ms.prod: w10 --- windows/index.md | 2 +- ...security-monitoring-recommendations-for-many-audit-events.md | 2 +- windows/keep-secure/audit-account-lockout.md | 2 +- windows/keep-secure/audit-application-generated.md | 2 +- windows/keep-secure/audit-application-group-management.md | 2 +- windows/keep-secure/audit-audit-policy-change.md | 2 +- windows/keep-secure/audit-authentication-policy-change.md | 2 +- windows/keep-secure/audit-authorization-policy-change.md | 2 +- windows/keep-secure/audit-central-access-policy-staging.md | 2 +- windows/keep-secure/audit-certification-services.md | 2 +- windows/keep-secure/audit-computer-account-management.md | 2 +- windows/keep-secure/audit-credential-validation.md | 2 +- windows/keep-secure/audit-detailed-file-share.md | 2 +- windows/keep-secure/audit-directory-service-access.md | 2 +- windows/keep-secure/audit-directory-service-changes.md | 2 +- windows/keep-secure/audit-directory-service-replication.md | 2 +- windows/keep-secure/audit-distribution-group-management.md | 2 +- windows/keep-secure/audit-dpapi-activity.md | 2 +- windows/keep-secure/audit-file-share.md | 2 +- windows/keep-secure/audit-file-system.md | 2 +- windows/keep-secure/audit-filtering-platform-connection.md | 2 +- windows/keep-secure/audit-filtering-platform-packet-drop.md | 2 +- windows/keep-secure/audit-filtering-platform-policy-change.md | 2 +- windows/keep-secure/audit-group-membership.md | 2 +- windows/keep-secure/audit-handle-manipulation.md | 2 +- windows/keep-secure/audit-ipsec-driver.md | 2 +- windows/keep-secure/audit-ipsec-extended-mode.md | 2 +- windows/keep-secure/audit-ipsec-main-mode.md | 2 +- windows/keep-secure/audit-ipsec-quick-mode.md | 2 +- windows/keep-secure/audit-kerberos-authentication-service.md | 2 +- windows/keep-secure/audit-kerberos-service-ticket-operations.md | 2 +- windows/keep-secure/audit-kernel-object.md | 2 +- windows/keep-secure/audit-logoff.md | 2 +- windows/keep-secure/audit-logon.md | 2 +- windows/keep-secure/audit-mpssvc-rule-level-policy-change.md | 2 +- windows/keep-secure/audit-network-policy-server.md | 2 +- windows/keep-secure/audit-non-sensitive-privilege-use.md | 2 +- windows/keep-secure/audit-other-account-logon-events.md | 2 +- windows/keep-secure/audit-other-account-management-events.md | 2 +- windows/keep-secure/audit-other-logonlogoff-events.md | 2 +- windows/keep-secure/audit-other-object-access-events.md | 2 +- windows/keep-secure/audit-other-policy-change-events.md | 2 +- windows/keep-secure/audit-other-privilege-use-events.md | 2 +- windows/keep-secure/audit-other-system-events.md | 2 +- windows/keep-secure/audit-pnp-activity.md | 2 +- windows/keep-secure/audit-process-creation.md | 2 +- windows/keep-secure/audit-process-termination.md | 2 +- windows/keep-secure/audit-registry.md | 2 +- windows/keep-secure/audit-removable-storage.md | 2 +- windows/keep-secure/audit-rpc-events.md | 2 +- windows/keep-secure/audit-sam.md | 2 +- windows/keep-secure/audit-security-group-management.md | 2 +- windows/keep-secure/audit-security-state-change.md | 2 +- windows/keep-secure/audit-security-system-extension.md | 2 +- windows/keep-secure/audit-sensitive-privilege-use.md | 2 +- windows/keep-secure/audit-special-logon.md | 2 +- windows/keep-secure/audit-system-integrity.md | 2 +- windows/keep-secure/audit-user-account-management.md | 2 +- windows/keep-secure/audit-user-device-claims.md | 2 +- windows/keep-secure/event-1100.md | 2 +- windows/keep-secure/event-1102.md | 2 +- windows/keep-secure/event-1104.md | 2 +- windows/keep-secure/event-1105.md | 2 +- windows/keep-secure/event-1108.md | 2 +- windows/keep-secure/event-4608.md | 2 +- windows/keep-secure/event-4610.md | 2 +- windows/keep-secure/event-4611.md | 2 +- windows/keep-secure/event-4612.md | 2 +- windows/keep-secure/event-4614.md | 2 +- windows/keep-secure/event-4615.md | 2 +- windows/keep-secure/event-4616.md | 2 +- windows/keep-secure/event-4618.md | 2 +- windows/keep-secure/event-4621.md | 2 +- windows/keep-secure/event-4622.md | 2 +- windows/keep-secure/event-4624.md | 2 +- windows/keep-secure/event-4625.md | 2 +- windows/keep-secure/event-4626.md | 2 +- windows/keep-secure/event-4627.md | 2 +- windows/keep-secure/event-4634.md | 2 +- windows/keep-secure/event-4647.md | 2 +- windows/keep-secure/event-4648.md | 2 +- windows/keep-secure/event-4649.md | 2 +- windows/keep-secure/event-4656.md | 2 +- windows/keep-secure/event-4657.md | 2 +- windows/keep-secure/event-4658.md | 2 +- windows/keep-secure/event-4660.md | 2 +- windows/keep-secure/event-4661.md | 2 +- windows/keep-secure/event-4662.md | 2 +- windows/keep-secure/event-4663.md | 2 +- windows/keep-secure/event-4664.md | 2 +- windows/keep-secure/event-4670.md | 2 +- windows/keep-secure/event-4671.md | 2 +- windows/keep-secure/event-4672.md | 2 +- windows/keep-secure/event-4673.md | 2 +- windows/keep-secure/event-4674.md | 2 +- windows/keep-secure/event-4675.md | 2 +- windows/keep-secure/event-4688.md | 2 +- windows/keep-secure/event-4689.md | 2 +- windows/keep-secure/event-4690.md | 2 +- windows/keep-secure/event-4691.md | 2 +- windows/keep-secure/event-4692.md | 2 +- windows/keep-secure/event-4693.md | 2 +- windows/keep-secure/event-4694.md | 2 +- windows/keep-secure/event-4695.md | 2 +- windows/keep-secure/event-4696.md | 2 +- windows/keep-secure/event-4697.md | 2 +- windows/keep-secure/event-4698.md | 2 +- windows/keep-secure/event-4699.md | 2 +- windows/keep-secure/event-4700.md | 2 +- windows/keep-secure/event-4701.md | 2 +- windows/keep-secure/event-4702.md | 2 +- windows/keep-secure/event-4703.md | 2 +- windows/keep-secure/event-4704.md | 2 +- windows/keep-secure/event-4705.md | 2 +- windows/keep-secure/event-4706.md | 2 +- windows/keep-secure/event-4707.md | 2 +- windows/keep-secure/event-4713.md | 2 +- windows/keep-secure/event-4714.md | 2 +- windows/keep-secure/event-4715.md | 2 +- windows/keep-secure/event-4716.md | 2 +- windows/keep-secure/event-4717.md | 2 +- windows/keep-secure/event-4718.md | 2 +- windows/keep-secure/event-4719.md | 2 +- windows/keep-secure/event-4720.md | 2 +- windows/keep-secure/event-4722.md | 2 +- windows/keep-secure/event-4723.md | 2 +- windows/keep-secure/event-4724.md | 2 +- windows/keep-secure/event-4725.md | 2 +- windows/keep-secure/event-4726.md | 2 +- windows/keep-secure/event-4731.md | 2 +- windows/keep-secure/event-4732.md | 2 +- windows/keep-secure/event-4733.md | 2 +- windows/keep-secure/event-4734.md | 2 +- windows/keep-secure/event-4735.md | 2 +- windows/keep-secure/event-4738.md | 2 +- windows/keep-secure/event-4739.md | 2 +- windows/keep-secure/event-4740.md | 2 +- windows/keep-secure/event-4741.md | 2 +- windows/keep-secure/event-4742.md | 2 +- windows/keep-secure/event-4743.md | 2 +- windows/keep-secure/event-4749.md | 2 +- windows/keep-secure/event-4750.md | 2 +- windows/keep-secure/event-4751.md | 2 +- windows/keep-secure/event-4752.md | 2 +- windows/keep-secure/event-4753.md | 2 +- windows/keep-secure/event-4764.md | 2 +- windows/keep-secure/event-4765.md | 2 +- windows/keep-secure/event-4766.md | 2 +- windows/keep-secure/event-4767.md | 2 +- windows/keep-secure/event-4768.md | 2 +- windows/keep-secure/event-4769.md | 2 +- windows/keep-secure/event-4770.md | 2 +- windows/keep-secure/event-4771.md | 2 +- windows/keep-secure/event-4772.md | 2 +- windows/keep-secure/event-4773.md | 2 +- windows/keep-secure/event-4774.md | 2 +- windows/keep-secure/event-4775.md | 2 +- windows/keep-secure/event-4776.md | 2 +- windows/keep-secure/event-4777.md | 2 +- windows/keep-secure/event-4778.md | 2 +- windows/keep-secure/event-4779.md | 2 +- windows/keep-secure/event-4780.md | 2 +- windows/keep-secure/event-4781.md | 2 +- windows/keep-secure/event-4782.md | 2 +- windows/keep-secure/event-4793.md | 2 +- windows/keep-secure/event-4794.md | 2 +- windows/keep-secure/event-4798.md | 2 +- windows/keep-secure/event-4799.md | 2 +- windows/keep-secure/event-4800.md | 2 +- windows/keep-secure/event-4801.md | 2 +- windows/keep-secure/event-4802.md | 2 +- windows/keep-secure/event-4803.md | 2 +- windows/keep-secure/event-4816.md | 2 +- windows/keep-secure/event-4817.md | 2 +- windows/keep-secure/event-4818.md | 2 +- windows/keep-secure/event-4819.md | 2 +- windows/keep-secure/event-4826.md | 2 +- windows/keep-secure/event-4864.md | 2 +- windows/keep-secure/event-4865.md | 2 +- windows/keep-secure/event-4866.md | 2 +- windows/keep-secure/event-4867.md | 2 +- windows/keep-secure/event-4902.md | 2 +- windows/keep-secure/event-4904.md | 2 +- windows/keep-secure/event-4905.md | 2 +- windows/keep-secure/event-4906.md | 2 +- windows/keep-secure/event-4907.md | 2 +- windows/keep-secure/event-4908.md | 2 +- windows/keep-secure/event-4909.md | 2 +- windows/keep-secure/event-4910.md | 2 +- windows/keep-secure/event-4911.md | 2 +- windows/keep-secure/event-4912.md | 2 +- windows/keep-secure/event-4913.md | 2 +- windows/keep-secure/event-4928.md | 2 +- windows/keep-secure/event-4929.md | 2 +- windows/keep-secure/event-4930.md | 2 +- windows/keep-secure/event-4931.md | 2 +- windows/keep-secure/event-4932.md | 2 +- windows/keep-secure/event-4933.md | 2 +- windows/keep-secure/event-4934.md | 2 +- windows/keep-secure/event-4935.md | 2 +- windows/keep-secure/event-4936.md | 2 +- windows/keep-secure/event-4937.md | 2 +- windows/keep-secure/event-4944.md | 2 +- windows/keep-secure/event-4945.md | 2 +- windows/keep-secure/event-4946.md | 2 +- windows/keep-secure/event-4947.md | 2 +- windows/keep-secure/event-4948.md | 2 +- windows/keep-secure/event-4949.md | 2 +- windows/keep-secure/event-4950.md | 2 +- windows/keep-secure/event-4951.md | 2 +- windows/keep-secure/event-4952.md | 2 +- windows/keep-secure/event-4953.md | 2 +- windows/keep-secure/event-4954.md | 2 +- windows/keep-secure/event-4956.md | 2 +- windows/keep-secure/event-4957.md | 2 +- windows/keep-secure/event-4958.md | 2 +- windows/keep-secure/event-4964.md | 2 +- windows/keep-secure/event-4985.md | 2 +- windows/keep-secure/event-5024.md | 2 +- windows/keep-secure/event-5025.md | 2 +- windows/keep-secure/event-5027.md | 2 +- windows/keep-secure/event-5028.md | 2 +- windows/keep-secure/event-5029.md | 2 +- windows/keep-secure/event-5030.md | 2 +- windows/keep-secure/event-5031.md | 2 +- windows/keep-secure/event-5032.md | 2 +- windows/keep-secure/event-5033.md | 2 +- windows/keep-secure/event-5034.md | 2 +- windows/keep-secure/event-5035.md | 2 +- windows/keep-secure/event-5037.md | 2 +- windows/keep-secure/event-5038.md | 2 +- windows/keep-secure/event-5039.md | 2 +- windows/keep-secure/event-5051.md | 2 +- windows/keep-secure/event-5056.md | 2 +- windows/keep-secure/event-5057.md | 2 +- windows/keep-secure/event-5058.md | 2 +- windows/keep-secure/event-5059.md | 2 +- windows/keep-secure/event-5060.md | 2 +- windows/keep-secure/event-5061.md | 2 +- windows/keep-secure/event-5062.md | 2 +- windows/keep-secure/event-5063.md | 2 +- windows/keep-secure/event-5064.md | 2 +- windows/keep-secure/event-5065.md | 2 +- windows/keep-secure/event-5066.md | 2 +- windows/keep-secure/event-5067.md | 2 +- windows/keep-secure/event-5068.md | 2 +- windows/keep-secure/event-5069.md | 2 +- windows/keep-secure/event-5070.md | 2 +- windows/keep-secure/event-5136.md | 2 +- windows/keep-secure/event-5137.md | 2 +- windows/keep-secure/event-5138.md | 2 +- windows/keep-secure/event-5139.md | 2 +- windows/keep-secure/event-5140.md | 2 +- windows/keep-secure/event-5141.md | 2 +- windows/keep-secure/event-5142.md | 2 +- windows/keep-secure/event-5143.md | 2 +- windows/keep-secure/event-5144.md | 2 +- windows/keep-secure/event-5145.md | 2 +- windows/keep-secure/event-5148.md | 2 +- windows/keep-secure/event-5149.md | 2 +- windows/keep-secure/event-5150.md | 2 +- windows/keep-secure/event-5151.md | 2 +- windows/keep-secure/event-5152.md | 2 +- windows/keep-secure/event-5153.md | 2 +- windows/keep-secure/event-5154.md | 2 +- windows/keep-secure/event-5155.md | 2 +- windows/keep-secure/event-5156.md | 2 +- windows/keep-secure/event-5157.md | 2 +- windows/keep-secure/event-5158.md | 2 +- windows/keep-secure/event-5159.md | 2 +- windows/keep-secure/event-5168.md | 2 +- windows/keep-secure/event-5376.md | 2 +- windows/keep-secure/event-5377.md | 2 +- windows/keep-secure/event-5378.md | 2 +- windows/keep-secure/event-5447.md | 2 +- windows/keep-secure/event-5632.md | 2 +- windows/keep-secure/event-5633.md | 2 +- windows/keep-secure/event-5712.md | 2 +- windows/keep-secure/event-5888.md | 2 +- windows/keep-secure/event-5889.md | 2 +- windows/keep-secure/event-5890.md | 2 +- windows/keep-secure/event-6144.md | 2 +- windows/keep-secure/event-6145.md | 2 +- windows/keep-secure/event-6281.md | 2 +- windows/keep-secure/event-6400.md | 2 +- windows/keep-secure/event-6401.md | 2 +- windows/keep-secure/event-6402.md | 2 +- windows/keep-secure/event-6403.md | 2 +- windows/keep-secure/event-6404.md | 2 +- windows/keep-secure/event-6405.md | 2 +- windows/keep-secure/event-6406.md | 2 +- windows/keep-secure/event-6407.md | 2 +- windows/keep-secure/event-6408.md | 2 +- windows/keep-secure/event-6409.md | 2 +- windows/keep-secure/event-6410.md | 2 +- windows/keep-secure/event-6416.md | 2 +- windows/keep-secure/event-6419.md | 2 +- windows/keep-secure/event-6420.md | 2 +- windows/keep-secure/event-6421.md | 2 +- windows/keep-secure/event-6422.md | 2 +- windows/keep-secure/event-6423.md | 2 +- windows/keep-secure/event-6424.md | 2 +- windows/keep-secure/other-events.md | 2 +- windows/manage/acquire-apps-windows-store-for-business.md | 2 +- windows/manage/add-unsigned-app-to-code-integrity-policy.md | 2 +- windows/manage/administrative-tools-in-windows-10.md | 2 +- .../app-inventory-managemement-windows-store-for-business.md | 2 +- .../manage/application-development-for-windows-as-a-service.md | 2 +- windows/manage/apps-in-windows-store-for-business.md | 2 +- windows/manage/assign-apps-to-employees.md | 2 +- .../manage/change-history-for-manage-and-update-windows-10.md | 2 +- windows/manage/changes-to-start-policies-in-windows-10.md | 2 +- windows/manage/configure-devices-without-mdm.md | 2 +- .../manage/configure-mdm-provider-windows-store-for-business.md | 2 +- windows/manage/customize-and-export-start-layout.md | 2 +- .../customize-windows-10-start-screens-by-using-group-policy.md | 2 +- ...indows-10-start-screens-by-using-mobile-device-management.md | 2 +- ...s-10-start-screens-by-using-provisioning-packages-and-icd.md | 2 +- windows/manage/device-guard-signing-portal.md | 2 +- windows/manage/distribute-apps-from-your-private-store.md | 2 +- ...tribute-apps-to-your-employees-windows-store-for-business.md | 2 +- windows/manage/distribute-apps-with-management-tool.md | 2 +- windows/manage/distribute-offline-apps.md | 2 +- windows/manage/find-and-acquire-apps-overview.md | 2 +- .../group-policies-for-enterprise-and-education-editions.md | 2 +- .../how-it-pros-can-use-configuration-service-providers.md | 2 +- windows/manage/index.md | 2 +- windows/manage/introduction-to-windows-10-servicing.md | 2 +- .../manage/join-windows-10-mobile-to-azure-active-directory.md | 2 +- windows/manage/lock-down-windows-10-to-specific-apps.md | 2 +- windows/manage/lock-down-windows-10.md | 2 +- windows/manage/lockdown-xml.md | 2 +- .../manage/manage-apps-windows-store-for-business-overview.md | 2 +- ...windows-operating-system-components-to-microsoft-services.md | 2 +- windows/manage/manage-corporate-devices.md | 2 +- windows/manage/manage-inventory-windows-store-for-business.md | 2 +- windows/manage/manage-orders-windows-store-for-business.md | 2 +- windows/manage/manage-private-store-settings.md | 2 +- windows/manage/manage-settings-windows-store-for-business.md | 2 +- .../manage-users-and-groups-windows-store-for-business.md | 2 +- windows/manage/manage-wifi-sense-in-enterprise.md | 2 +- windows/manage/new-policies-for-windows-10.md | 2 +- windows/manage/prerequisites-windows-store-for-business.md | 2 +- windows/manage/product-ids-in-windows-10-mobile.md | 2 +- windows/manage/reset-a-windows-10-mobile-device.md | 2 +- .../manage/roles-and-permissions-windows-store-for-business.md | 2 +- windows/manage/set-up-a-device-for-anyone-to-use.md | 2 +- .../set-up-a-kiosk-for-windows-10-for-desktop-editions.md | 2 +- .../manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md | 2 +- windows/manage/settings-reference-windows-store-for-business.md | 2 +- windows/manage/settings-that-can-be-locked-down.md | 2 +- .../sign-code-integrity-policy-with-device-guard-signing.md | 2 +- windows/manage/sign-up-windows-store-for-business-overview.md | 2 +- windows/manage/sign-up-windows-store-for-business.md | 2 +- windows/manage/stop-employees-from-using-the-windows-store.md | 2 +- windows/manage/troubleshoot-windows-store-for-business.md | 2 +- .../update-windows-store-for-business-account-settings.md | 2 +- windows/manage/windows-10-mobile-and-mdm.md | 2 +- windows/manage/windows-10-start-layout-options-and-policies.md | 2 +- windows/manage/windows-store-for-business.md | 2 +- windows/manage/working-with-line-of-business-apps.md | 2 +- windows/plan/deployment-considerations-for-windows-to-go.md | 2 +- 362 files changed, 362 insertions(+), 362 deletions(-) diff --git a/windows/index.md b/windows/index.md index 08ec4adaa7..ec5ecb7a39 100644 --- a/windows/index.md +++ b/windows/index.md @@ -2,7 +2,7 @@ title: Windows 10 and Windows 10 Mobile (Windows 10) description: This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile. ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60 -ms.prod: W10 +ms.prod: w10 author: brianlic-msft --- diff --git a/windows/keep-secure/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/keep-secure/appendix-a-security-monitoring-recommendations-for-many-audit-events.md index 626a7162a6..736833b790 100644 --- a/windows/keep-secure/appendix-a-security-monitoring-recommendations-for-many-audit-events.md +++ b/windows/keep-secure/appendix-a-security-monitoring-recommendations-for-many-audit-events.md @@ -2,7 +2,7 @@ title: Appendix A, Security monitoring recommendations for many audit events (Windows 10) description: Appendix A, Security monitoring recommendations for many audit events ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-account-lockout.md b/windows/keep-secure/audit-account-lockout.md index edda775a9d..5aa153c7ac 100644 --- a/windows/keep-secure/audit-account-lockout.md +++ b/windows/keep-secure/audit-account-lockout.md @@ -3,7 +3,7 @@ title: Audit Account Lockout (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-application-generated.md b/windows/keep-secure/audit-application-generated.md index a031b2592f..fa461c2535 100644 --- a/windows/keep-secure/audit-application-generated.md +++ b/windows/keep-secure/audit-application-generated.md @@ -3,7 +3,7 @@ title: Audit Application Generated (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-application-group-management.md b/windows/keep-secure/audit-application-group-management.md index c4ee29610f..7991c5a92d 100644 --- a/windows/keep-secure/audit-application-group-management.md +++ b/windows/keep-secure/audit-application-group-management.md @@ -3,7 +3,7 @@ title: Audit Application Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed. ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-audit-policy-change.md b/windows/keep-secure/audit-audit-policy-change.md index dca7c1278d..3baaef2ff0 100644 --- a/windows/keep-secure/audit-audit-policy-change.md +++ b/windows/keep-secure/audit-audit-policy-change.md @@ -3,7 +3,7 @@ title: Audit Audit Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy. ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-authentication-policy-change.md b/windows/keep-secure/audit-authentication-policy-change.md index 60d6e969e5..3096a5187c 100644 --- a/windows/keep-secure/audit-authentication-policy-change.md +++ b/windows/keep-secure/audit-authentication-policy-change.md @@ -3,7 +3,7 @@ title: Audit Authentication Policy Change (Windows 10) description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy. ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-authorization-policy-change.md b/windows/keep-secure/audit-authorization-policy-change.md index e12e71d60c..bb16d06124 100644 --- a/windows/keep-secure/audit-authorization-policy-change.md +++ b/windows/keep-secure/audit-authorization-policy-change.md @@ -3,7 +3,7 @@ title: Audit Authorization Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-central-access-policy-staging.md b/windows/keep-secure/audit-central-access-policy-staging.md index dba31f0402..d2c7077220 100644 --- a/windows/keep-secure/audit-central-access-policy-staging.md +++ b/windows/keep-secure/audit-central-access-policy-staging.md @@ -3,7 +3,7 @@ title: Audit Central Access Policy Staging (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy. ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-certification-services.md b/windows/keep-secure/audit-certification-services.md index 8faf626674..c41330e98c 100644 --- a/windows/keep-secure/audit-certification-services.md +++ b/windows/keep-secure/audit-certification-services.md @@ -3,7 +3,7 @@ title: Audit Certification Services (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (ADÂ CS) operations are performed. ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-computer-account-management.md b/windows/keep-secure/audit-computer-account-management.md index 5f7450d6f6..c127ebd500 100644 --- a/windows/keep-secure/audit-computer-account-management.md +++ b/windows/keep-secure/audit-computer-account-management.md @@ -3,7 +3,7 @@ title: Audit Computer Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-credential-validation.md b/windows/keep-secure/audit-credential-validation.md index 6b101b70a6..5e54e23875 100644 --- a/windows/keep-secure/audit-credential-validation.md +++ b/windows/keep-secure/audit-credential-validation.md @@ -3,7 +3,7 @@ title: Audit Credential Validation (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-detailed-file-share.md b/windows/keep-secure/audit-detailed-file-share.md index e3bcefa79b..436399addb 100644 --- a/windows/keep-secure/audit-detailed-file-share.md +++ b/windows/keep-secure/audit-detailed-file-share.md @@ -3,7 +3,7 @@ title: Audit Detailed File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder. ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-directory-service-access.md b/windows/keep-secure/audit-directory-service-access.md index 90f32dc571..039b10f684 100644 --- a/windows/keep-secure/audit-directory-service-access.md +++ b/windows/keep-secure/audit-directory-service-access.md @@ -3,7 +3,7 @@ title: Audit Directory Service Access (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (ADÂ DS) object is accessed. ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-directory-service-changes.md b/windows/keep-secure/audit-directory-service-changes.md index 681d62c3bd..67d519f452 100644 --- a/windows/keep-secure/audit-directory-service-changes.md +++ b/windows/keep-secure/audit-directory-service-changes.md @@ -3,7 +3,7 @@ title: Audit Directory Service Changes (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (ADÂ DS). ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-directory-service-replication.md b/windows/keep-secure/audit-directory-service-replication.md index 9852d81d51..de877d1d2d 100644 --- a/windows/keep-secure/audit-directory-service-replication.md +++ b/windows/keep-secure/audit-directory-service-replication.md @@ -3,7 +3,7 @@ title: Audit Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-distribution-group-management.md b/windows/keep-secure/audit-distribution-group-management.md index a8818d7fbe..b140fd81cc 100644 --- a/windows/keep-secure/audit-distribution-group-management.md +++ b/windows/keep-secure/audit-distribution-group-management.md @@ -3,7 +3,7 @@ title: Audit Distribution Group Management (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks. ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-dpapi-activity.md b/windows/keep-secure/audit-dpapi-activity.md index c7c323e5a3..a17a929770 100644 --- a/windows/keep-secure/audit-dpapi-activity.md +++ b/windows/keep-secure/audit-dpapi-activity.md @@ -3,7 +3,7 @@ title: Audit DPAPI Activity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-file-share.md b/windows/keep-secure/audit-file-share.md index 2e3b971917..05c490cf67 100644 --- a/windows/keep-secure/audit-file-share.md +++ b/windows/keep-secure/audit-file-share.md @@ -3,7 +3,7 @@ title: Audit File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed. ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-file-system.md b/windows/keep-secure/audit-file-system.md index c2067f4580..ea941fc892 100644 --- a/windows/keep-secure/audit-file-system.md +++ b/windows/keep-secure/audit-file-system.md @@ -3,7 +3,7 @@ title: Audit File System (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects. ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-filtering-platform-connection.md b/windows/keep-secure/audit-filtering-platform-connection.md index e07ed53034..96d8bbd8c3 100644 --- a/windows/keep-secure/audit-filtering-platform-connection.md +++ b/windows/keep-secure/audit-filtering-platform-connection.md @@ -3,7 +3,7 @@ title: Audit Filtering Platform Connection (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-filtering-platform-packet-drop.md b/windows/keep-secure/audit-filtering-platform-packet-drop.md index 2f1d92d144..093fd674de 100644 --- a/windows/keep-secure/audit-filtering-platform-packet-drop.md +++ b/windows/keep-secure/audit-filtering-platform-packet-drop.md @@ -3,7 +3,7 @@ title: Audit Filtering Platform Packet Drop (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. ms.assetid: 95457601-68d1-4385-af20-87916ddab906 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-filtering-platform-policy-change.md b/windows/keep-secure/audit-filtering-platform-policy-change.md index c6b29136a8..ec8d3374dd 100644 --- a/windows/keep-secure/audit-filtering-platform-policy-change.md +++ b/windows/keep-secure/audit-filtering-platform-policy-change.md @@ -3,7 +3,7 @@ title: Audit Filtering Platform Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-group-membership.md b/windows/keep-secure/audit-group-membership.md index 2fbda5d3b5..f3424483bb 100644 --- a/windows/keep-secure/audit-group-membership.md +++ b/windows/keep-secure/audit-group-membership.md @@ -3,7 +3,7 @@ title: Audit Group Membership (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC. ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-handle-manipulation.md b/windows/keep-secure/audit-handle-manipulation.md index 5cff0de163..c1a20800e5 100644 --- a/windows/keep-secure/audit-handle-manipulation.md +++ b/windows/keep-secure/audit-handle-manipulation.md @@ -3,7 +3,7 @@ title: Audit Handle Manipulation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed. ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-ipsec-driver.md b/windows/keep-secure/audit-ipsec-driver.md index 8816a8e2ba..628d86b063 100644 --- a/windows/keep-secure/audit-ipsec-driver.md +++ b/windows/keep-secure/audit-ipsec-driver.md @@ -3,7 +3,7 @@ title: Audit IPsec Driver (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver. ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-ipsec-extended-mode.md b/windows/keep-secure/audit-ipsec-extended-mode.md index 7220d5ead8..83cc51ddc1 100644 --- a/windows/keep-secure/audit-ipsec-extended-mode.md +++ b/windows/keep-secure/audit-ipsec-extended-mode.md @@ -3,7 +3,7 @@ title: Audit IPsec Extended Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-ipsec-main-mode.md b/windows/keep-secure/audit-ipsec-main-mode.md index 4d9716ac60..d06d0749d0 100644 --- a/windows/keep-secure/audit-ipsec-main-mode.md +++ b/windows/keep-secure/audit-ipsec-main-mode.md @@ -3,7 +3,7 @@ title: Audit IPsec Main Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-ipsec-quick-mode.md b/windows/keep-secure/audit-ipsec-quick-mode.md index a6ce77cdf4..6259aa5962 100644 --- a/windows/keep-secure/audit-ipsec-quick-mode.md +++ b/windows/keep-secure/audit-ipsec-quick-mode.md @@ -3,7 +3,7 @@ title: Audit IPsec Quick Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-kerberos-authentication-service.md b/windows/keep-secure/audit-kerberos-authentication-service.md index b0e5ccc886..0565b58eef 100644 --- a/windows/keep-secure/audit-kerberos-authentication-service.md +++ b/windows/keep-secure/audit-kerberos-authentication-service.md @@ -3,7 +3,7 @@ title: Audit Kerberos Authentication Service (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-kerberos-service-ticket-operations.md b/windows/keep-secure/audit-kerberos-service-ticket-operations.md index 0a45922c00..5b9d7f1874 100644 --- a/windows/keep-secure/audit-kerberos-service-ticket-operations.md +++ b/windows/keep-secure/audit-kerberos-service-ticket-operations.md @@ -3,7 +3,7 @@ title: Audit Kerberos Service Ticket Operations (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests. ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-kernel-object.md b/windows/keep-secure/audit-kernel-object.md index 80a0b5e30f..9815bc9a13 100644 --- a/windows/keep-secure/audit-kernel-object.md +++ b/windows/keep-secure/audit-kernel-object.md @@ -3,7 +3,7 @@ title: Audit Kernel Object (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-logoff.md b/windows/keep-secure/audit-logoff.md index 66730b6282..152a1a0770 100644 --- a/windows/keep-secure/audit-logoff.md +++ b/windows/keep-secure/audit-logoff.md @@ -3,7 +3,7 @@ title: Audit Logoff (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated. ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-logon.md b/windows/keep-secure/audit-logon.md index 194c1f3d0b..99a4cb6528 100644 --- a/windows/keep-secure/audit-logon.md +++ b/windows/keep-secure/audit-logon.md @@ -3,7 +3,7 @@ title: Audit Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer. ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md index e7eb1410f4..7ac4228370 100644 --- a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md +++ b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md @@ -3,7 +3,7 @@ title: Audit MPSSVC Rule-Level Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-network-policy-server.md b/windows/keep-secure/audit-network-policy-server.md index c053aab03a..f1cdad1e90 100644 --- a/windows/keep-secure/audit-network-policy-server.md +++ b/windows/keep-secure/audit-network-policy-server.md @@ -3,7 +3,7 @@ title: Audit Network Policy Server (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-non-sensitive-privilege-use.md b/windows/keep-secure/audit-non-sensitive-privilege-use.md index a6052e4d5d..ebc770c912 100644 --- a/windows/keep-secure/audit-non-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-non-sensitive-privilege-use.md @@ -3,7 +3,7 @@ title: Audit Non Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-other-account-logon-events.md b/windows/keep-secure/audit-other-account-logon-events.md index ee92107d00..194e56d11b 100644 --- a/windows/keep-secure/audit-other-account-logon-events.md +++ b/windows/keep-secure/audit-other-account-logon-events.md @@ -3,7 +3,7 @@ title: Audit Other Account Logon Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-other-account-management-events.md b/windows/keep-secure/audit-other-account-management-events.md index bce48fe3a4..20b82aa409 100644 --- a/windows/keep-secure/audit-other-account-management-events.md +++ b/windows/keep-secure/audit-other-account-management-events.md @@ -3,7 +3,7 @@ title: Audit Other Account Management Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events. ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-other-logonlogoff-events.md b/windows/keep-secure/audit-other-logonlogoff-events.md index da62c1ddac..cceda79c69 100644 --- a/windows/keep-secure/audit-other-logonlogoff-events.md +++ b/windows/keep-secure/audit-other-logonlogoff-events.md @@ -3,7 +3,7 @@ title: Audit Other Logon/Logoff Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events. ms.assetid: 76d987cd-1917-4907-a739-dd642609a458 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-other-object-access-events.md b/windows/keep-secure/audit-other-object-access-events.md index 66d034006d..4501674589 100644 --- a/windows/keep-secure/audit-other-object-access-events.md +++ b/windows/keep-secure/audit-other-object-access-events.md @@ -3,7 +3,7 @@ title: Audit Other Object Access Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-other-policy-change-events.md b/windows/keep-secure/audit-other-policy-change-events.md index 0af19e0be4..81cb8c52aa 100644 --- a/windows/keep-secure/audit-other-policy-change-events.md +++ b/windows/keep-secure/audit-other-policy-change-events.md @@ -3,7 +3,7 @@ title: Audit Other Policy Change Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-other-privilege-use-events.md b/windows/keep-secure/audit-other-privilege-use-events.md index b5ebe7d056..a411c1b6b4 100644 --- a/windows/keep-secure/audit-other-privilege-use-events.md +++ b/windows/keep-secure/audit-other-privilege-use-events.md @@ -3,7 +3,7 @@ title: Audit Other Privilege Use Events (Windows 10) description: This security policy setting is not used. ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-other-system-events.md b/windows/keep-secure/audit-other-system-events.md index bb1cfd06c3..91f62b06de 100644 --- a/windows/keep-secure/audit-other-system-events.md +++ b/windows/keep-secure/audit-other-system-events.md @@ -3,7 +3,7 @@ title: Audit Other System Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events. ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-pnp-activity.md b/windows/keep-secure/audit-pnp-activity.md index 8558ff0a08..bef34f8715 100644 --- a/windows/keep-secure/audit-pnp-activity.md +++ b/windows/keep-secure/audit-pnp-activity.md @@ -3,7 +3,7 @@ title: Audit PNP Activity (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device. ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-process-creation.md b/windows/keep-secure/audit-process-creation.md index 739cc9cf47..9616b172bf 100644 --- a/windows/keep-secure/audit-process-creation.md +++ b/windows/keep-secure/audit-process-creation.md @@ -3,7 +3,7 @@ title: Audit Process Creation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts). ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-process-termination.md b/windows/keep-secure/audit-process-termination.md index 9c526efce5..493f39cc30 100644 --- a/windows/keep-secure/audit-process-termination.md +++ b/windows/keep-secure/audit-process-termination.md @@ -3,7 +3,7 @@ title: Audit Process Termination (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process. ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-registry.md b/windows/keep-secure/audit-registry.md index f994e3be1b..ad25025bc9 100644 --- a/windows/keep-secure/audit-registry.md +++ b/windows/keep-secure/audit-registry.md @@ -3,7 +3,7 @@ title: Audit Registry (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects. ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-removable-storage.md b/windows/keep-secure/audit-removable-storage.md index 0cd8e17a01..de2555c64a 100644 --- a/windows/keep-secure/audit-removable-storage.md +++ b/windows/keep-secure/audit-removable-storage.md @@ -3,7 +3,7 @@ title: Audit Removable Storage (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive. ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-rpc-events.md b/windows/keep-secure/audit-rpc-events.md index 99e1f92cff..69b62bbff7 100644 --- a/windows/keep-secure/audit-rpc-events.md +++ b/windows/keep-secure/audit-rpc-events.md @@ -3,7 +3,7 @@ title: Audit RPC Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-sam.md b/windows/keep-secure/audit-sam.md index 7b097dc097..49b763f835 100644 --- a/windows/keep-secure/audit-sam.md +++ b/windows/keep-secure/audit-sam.md @@ -3,7 +3,7 @@ title: Audit SAM (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-security-group-management.md b/windows/keep-secure/audit-security-group-management.md index 4c6f72b3c3..17c4f1861e 100644 --- a/windows/keep-secure/audit-security-group-management.md +++ b/windows/keep-secure/audit-security-group-management.md @@ -3,7 +3,7 @@ title: Audit Security Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed. ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-security-state-change.md b/windows/keep-secure/audit-security-state-change.md index 2bf37ca4a0..54492ea27c 100644 --- a/windows/keep-secure/audit-security-state-change.md +++ b/windows/keep-secure/audit-security-state-change.md @@ -3,7 +3,7 @@ title: Audit Security State Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system. ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-security-system-extension.md b/windows/keep-secure/audit-security-system-extension.md index 7d83ba191c..b340e3efe0 100644 --- a/windows/keep-secure/audit-security-system-extension.md +++ b/windows/keep-secure/audit-security-system-extension.md @@ -3,7 +3,7 @@ title: Audit Security System Extension (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions. ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-sensitive-privilege-use.md b/windows/keep-secure/audit-sensitive-privilege-use.md index 051c87dd73..220187fc5b 100644 --- a/windows/keep-secure/audit-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-sensitive-privilege-use.md @@ -3,7 +3,7 @@ title: Audit Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-special-logon.md b/windows/keep-secure/audit-special-logon.md index e03317f158..2838689d0f 100644 --- a/windows/keep-secure/audit-special-logon.md +++ b/windows/keep-secure/audit-special-logon.md @@ -3,7 +3,7 @@ title: Audit Special Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-system-integrity.md b/windows/keep-secure/audit-system-integrity.md index fbb0f1b2f7..90bbb22cde 100644 --- a/windows/keep-secure/audit-system-integrity.md +++ b/windows/keep-secure/audit-system-integrity.md @@ -3,7 +3,7 @@ title: Audit System Integrity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem. ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-user-account-management.md b/windows/keep-secure/audit-user-account-management.md index eda9df358a..e641522e84 100644 --- a/windows/keep-secure/audit-user-account-management.md +++ b/windows/keep-secure/audit-user-account-management.md @@ -3,7 +3,7 @@ title: Audit User Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed. ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/audit-user-device-claims.md b/windows/keep-secure/audit-user-device-claims.md index 3624a64b1e..69c9dc94c2 100644 --- a/windows/keep-secure/audit-user-device-claims.md +++ b/windows/keep-secure/audit-user-device-claims.md @@ -3,7 +3,7 @@ title: Audit User/Device Claims (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims. ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486 ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-1100.md b/windows/keep-secure/event-1100.md index b6646f9867..3a1a897cf0 100644 --- a/windows/keep-secure/event-1100.md +++ b/windows/keep-secure/event-1100.md @@ -2,7 +2,7 @@ title: 1100(S) The event logging service has shut down. (Windows 10) description: Describes security event 1100(S) The event logging service has shut down. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-1102.md b/windows/keep-secure/event-1102.md index eb7b13ca41..ed03fdf472 100644 --- a/windows/keep-secure/event-1102.md +++ b/windows/keep-secure/event-1102.md @@ -2,7 +2,7 @@ title: 1102(S) The audit log was cleared. (Windows 10) description: Describes security event 1102(S) The audit log was cleared. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-1104.md b/windows/keep-secure/event-1104.md index 4448c4a509..89e9980503 100644 --- a/windows/keep-secure/event-1104.md +++ b/windows/keep-secure/event-1104.md @@ -2,7 +2,7 @@ title: 1104(S) The security log is now full. (Windows 10) description: Describes security event 1104(S) The security log is now full. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-1105.md b/windows/keep-secure/event-1105.md index 3b06cbd87a..75a97f1a66 100644 --- a/windows/keep-secure/event-1105.md +++ b/windows/keep-secure/event-1105.md @@ -2,7 +2,7 @@ title: 1105(S) Event log automatic backup. (Windows 10) description: Describes security event 1105(S) Event log automatic backup. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-1108.md b/windows/keep-secure/event-1108.md index b10c79fa3a..a20422a550 100644 --- a/windows/keep-secure/event-1108.md +++ b/windows/keep-secure/event-1108.md @@ -2,7 +2,7 @@ title: 1108(S) The event logging service encountered an error while processing an incoming event published from %1. (Windows 10) description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4608.md b/windows/keep-secure/event-4608.md index 8e846de721..92e9691726 100644 --- a/windows/keep-secure/event-4608.md +++ b/windows/keep-secure/event-4608.md @@ -2,7 +2,7 @@ title: 4608(S) Windows is starting up. (Windows 10) description: Describes security event 4608(S) Windows is starting up. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4610.md b/windows/keep-secure/event-4610.md index 91f93ccf61..66df4467cd 100644 --- a/windows/keep-secure/event-4610.md +++ b/windows/keep-secure/event-4610.md @@ -2,7 +2,7 @@ title: 4610(S) An authentication package has been loaded by the Local Security Authority. (Windows 10) description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4611.md b/windows/keep-secure/event-4611.md index ccb63e2c97..4cd9e414e5 100644 --- a/windows/keep-secure/event-4611.md +++ b/windows/keep-secure/event-4611.md @@ -2,7 +2,7 @@ title: 4611(S) A trusted logon process has been registered with the Local Security Authority. (Windows 10) description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4612.md b/windows/keep-secure/event-4612.md index ec67b2cc5c..ffdc67f828 100644 --- a/windows/keep-secure/event-4612.md +++ b/windows/keep-secure/event-4612.md @@ -2,7 +2,7 @@ title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. (Windows 10) description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4614.md b/windows/keep-secure/event-4614.md index 223da4ca4c..5afea7b670 100644 --- a/windows/keep-secure/event-4614.md +++ b/windows/keep-secure/event-4614.md @@ -2,7 +2,7 @@ title: 4614(S) A notification package has been loaded by the Security Account Manager. (Windows 10) description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4615.md b/windows/keep-secure/event-4615.md index 9b0a3151ad..7089ff1ad7 100644 --- a/windows/keep-secure/event-4615.md +++ b/windows/keep-secure/event-4615.md @@ -2,7 +2,7 @@ title: 4615(S) Invalid use of LPC port. (Windows 10) description: Describes security event 4615(S) Invalid use of LPC port. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4616.md b/windows/keep-secure/event-4616.md index b2ba578b7c..3be067d588 100644 --- a/windows/keep-secure/event-4616.md +++ b/windows/keep-secure/event-4616.md @@ -2,7 +2,7 @@ title: 4616(S) The system time was changed. (Windows 10) description: Describes security event 4616(S) The system time was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4618.md b/windows/keep-secure/event-4618.md index 755dbc817f..e9b106a0b3 100644 --- a/windows/keep-secure/event-4618.md +++ b/windows/keep-secure/event-4618.md @@ -2,7 +2,7 @@ title: 4618(S) A monitored security event pattern has occurred. (Windows 10) description: Describes security event 4618(S) A monitored security event pattern has occurred. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4621.md b/windows/keep-secure/event-4621.md index e8cef166bc..82eeb320a4 100644 --- a/windows/keep-secure/event-4621.md +++ b/windows/keep-secure/event-4621.md @@ -2,7 +2,7 @@ title: 4621(S) Administrator recovered system from CrashOnAuditFail. (Windows 10) description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4622.md b/windows/keep-secure/event-4622.md index 2e1e226db8..09fae3de05 100644 --- a/windows/keep-secure/event-4622.md +++ b/windows/keep-secure/event-4622.md @@ -2,7 +2,7 @@ title: 4622(S) A security package has been loaded by the Local Security Authority. (Windows 10) description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4624.md b/windows/keep-secure/event-4624.md index 292033d608..3cb4f0c190 100644 --- a/windows/keep-secure/event-4624.md +++ b/windows/keep-secure/event-4624.md @@ -2,7 +2,7 @@ title: 4624(S) An account was successfully logged on. (Windows 10) description: Describes security event 4624(S) An account was successfully logged on. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4625.md b/windows/keep-secure/event-4625.md index 882c481177..9a040ff053 100644 --- a/windows/keep-secure/event-4625.md +++ b/windows/keep-secure/event-4625.md @@ -2,7 +2,7 @@ title: 4625(F) An account failed to log on. (Windows 10) description: Describes security event 4625(F) An account failed to log on. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4626.md b/windows/keep-secure/event-4626.md index 7ed1c4a5e0..83fa8fe837 100644 --- a/windows/keep-secure/event-4626.md +++ b/windows/keep-secure/event-4626.md @@ -2,7 +2,7 @@ title: 4626(S) User/Device claims information. (Windows 10) description: Describes security event 4626(S) User/Device claims information. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4627.md b/windows/keep-secure/event-4627.md index 33f1daae58..811fd6f830 100644 --- a/windows/keep-secure/event-4627.md +++ b/windows/keep-secure/event-4627.md @@ -2,7 +2,7 @@ title: 4627(S) Group membership information. (Windows 10) description: Describes security event 4627(S) Group membership information. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4634.md b/windows/keep-secure/event-4634.md index 46ecf743dc..10b678d329 100644 --- a/windows/keep-secure/event-4634.md +++ b/windows/keep-secure/event-4634.md @@ -2,7 +2,7 @@ title: 4634(S) An account was logged off. (Windows 10) description: Describes security event 4634(S) An account was logged off. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4647.md b/windows/keep-secure/event-4647.md index 73b26c7c01..16537024f3 100644 --- a/windows/keep-secure/event-4647.md +++ b/windows/keep-secure/event-4647.md @@ -2,7 +2,7 @@ title: 4647(S) User initiated logoff. (Windows 10) description: Describes security event 4647(S) User initiated logoff. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4648.md b/windows/keep-secure/event-4648.md index 9cb907dcb0..0f371abb75 100644 --- a/windows/keep-secure/event-4648.md +++ b/windows/keep-secure/event-4648.md @@ -2,7 +2,7 @@ title: 4648(S) A logon was attempted using explicit credentials. (Windows 10) description: Describes security event 4648(S) A logon was attempted using explicit credentials. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4649.md b/windows/keep-secure/event-4649.md index d360401748..50ea622c1b 100644 --- a/windows/keep-secure/event-4649.md +++ b/windows/keep-secure/event-4649.md @@ -2,7 +2,7 @@ title: 4649(S) A replay attack was detected. (Windows 10) description: Describes security event 4649(S) A replay attack was detected. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4656.md b/windows/keep-secure/event-4656.md index fbe4f6276e..b7e3893812 100644 --- a/windows/keep-secure/event-4656.md +++ b/windows/keep-secure/event-4656.md @@ -2,7 +2,7 @@ title: 4656(S, F) A handle to an object was requested. (Windows 10) description: Describes security event 4656(S, F) A handle to an object was requested. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4657.md b/windows/keep-secure/event-4657.md index f4795e4e3e..5b669ccb0d 100644 --- a/windows/keep-secure/event-4657.md +++ b/windows/keep-secure/event-4657.md @@ -2,7 +2,7 @@ title: 4657(S) A registry value was modified. (Windows 10) description: Describes security event 4657(S) A registry value was modified. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4658.md b/windows/keep-secure/event-4658.md index 41f3978e7d..3de6b3da02 100644 --- a/windows/keep-secure/event-4658.md +++ b/windows/keep-secure/event-4658.md @@ -2,7 +2,7 @@ title: 4658(S) The handle to an object was closed. (Windows 10) description: Describes security event 4658(S) The handle to an object was closed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4660.md b/windows/keep-secure/event-4660.md index 8621c75ec2..901bc15ae8 100644 --- a/windows/keep-secure/event-4660.md +++ b/windows/keep-secure/event-4660.md @@ -2,7 +2,7 @@ title: 4660(S) An object was deleted. (Windows 10) description: Describes security event 4660(S) An object was deleted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4661.md b/windows/keep-secure/event-4661.md index d57a37f333..278c77f651 100644 --- a/windows/keep-secure/event-4661.md +++ b/windows/keep-secure/event-4661.md @@ -2,7 +2,7 @@ title: 4661(S, F) A handle to an object was requested. (Windows 10) description: Describes security event 4661(S, F) A handle to an object was requested. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4662.md b/windows/keep-secure/event-4662.md index 2137b547fe..83640072e0 100644 --- a/windows/keep-secure/event-4662.md +++ b/windows/keep-secure/event-4662.md @@ -2,7 +2,7 @@ title: 4662(S, F) An operation was performed on an object. (Windows 10) description: Describes security event 4662(S, F) An operation was performed on an object. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4663.md b/windows/keep-secure/event-4663.md index 18fa7b3352..46cdac8cb0 100644 --- a/windows/keep-secure/event-4663.md +++ b/windows/keep-secure/event-4663.md @@ -2,7 +2,7 @@ title: 4663(S) An attempt was made to access an object. (Windows 10) description: Describes security event 4663(S) An attempt was made to access an object. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4664.md b/windows/keep-secure/event-4664.md index 4a4c04f599..a62808d16d 100644 --- a/windows/keep-secure/event-4664.md +++ b/windows/keep-secure/event-4664.md @@ -2,7 +2,7 @@ title: 4664(S) An attempt was made to create a hard link. (Windows 10) description: Describes security event 4664(S) An attempt was made to create a hard link. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4670.md b/windows/keep-secure/event-4670.md index 5702cf1f4d..a7de5be046 100644 --- a/windows/keep-secure/event-4670.md +++ b/windows/keep-secure/event-4670.md @@ -2,7 +2,7 @@ title: 4670(S) Permissions on an object were changed. (Windows 10) description: Describes security event 4670(S) Permissions on an object were changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4671.md b/windows/keep-secure/event-4671.md index 9e39d86e0a..c1962e0f68 100644 --- a/windows/keep-secure/event-4671.md +++ b/windows/keep-secure/event-4671.md @@ -2,7 +2,7 @@ title: 4671(-) An application attempted to access a blocked ordinal through the TBS. (Windows 10) description: Describes security event 4671(-) An application attempted to access a blocked ordinal through the TBS. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4672.md b/windows/keep-secure/event-4672.md index 2d0ec716c2..bf0fff94de 100644 --- a/windows/keep-secure/event-4672.md +++ b/windows/keep-secure/event-4672.md @@ -2,7 +2,7 @@ title: 4672(S) Special privileges assigned to new logon. (Windows 10) description: Describes security event 4672(S) Special privileges assigned to new logon. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4673.md b/windows/keep-secure/event-4673.md index 2816879567..5282a6658e 100644 --- a/windows/keep-secure/event-4673.md +++ b/windows/keep-secure/event-4673.md @@ -2,7 +2,7 @@ title: 4673(S, F) A privileged service was called. (Windows 10) description: Describes security event 4673(S, F) A privileged service was called. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4674.md b/windows/keep-secure/event-4674.md index 3693ca894f..41518d4e2b 100644 --- a/windows/keep-secure/event-4674.md +++ b/windows/keep-secure/event-4674.md @@ -2,7 +2,7 @@ title: 4674(S, F) An operation was attempted on a privileged object. (Windows 10) description: Describes security event 4674(S, F) An operation was attempted on a privileged object. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4675.md b/windows/keep-secure/event-4675.md index de11244f51..dc8a19e120 100644 --- a/windows/keep-secure/event-4675.md +++ b/windows/keep-secure/event-4675.md @@ -2,7 +2,7 @@ title: 4675(S) SIDs were filtered. (Windows 10) description: Describes security event 4675(S) SIDs were filtered. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4688.md b/windows/keep-secure/event-4688.md index 9c62824cd3..fa4b2d568d 100644 --- a/windows/keep-secure/event-4688.md +++ b/windows/keep-secure/event-4688.md @@ -2,7 +2,7 @@ title: 4688(S) A new process has been created. (Windows 10) description: Describes security event 4688(S) A new process has been created. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4689.md b/windows/keep-secure/event-4689.md index 9acfebcd83..e5f97fe698 100644 --- a/windows/keep-secure/event-4689.md +++ b/windows/keep-secure/event-4689.md @@ -2,7 +2,7 @@ title: 4689(S) A process has exited. (Windows 10) description: Describes security event 4689(S) A process has exited. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4690.md b/windows/keep-secure/event-4690.md index c96c508880..d7ac11d773 100644 --- a/windows/keep-secure/event-4690.md +++ b/windows/keep-secure/event-4690.md @@ -2,7 +2,7 @@ title: 4690(S) An attempt was made to duplicate a handle to an object. (Windows 10) description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4691.md b/windows/keep-secure/event-4691.md index ed50802c98..ba22553755 100644 --- a/windows/keep-secure/event-4691.md +++ b/windows/keep-secure/event-4691.md @@ -2,7 +2,7 @@ title: 4691(S) Indirect access to an object was requested. (Windows 10) description: Describes security event 4691(S) Indirect access to an object was requested. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4692.md b/windows/keep-secure/event-4692.md index a298a2a73e..aba10585e3 100644 --- a/windows/keep-secure/event-4692.md +++ b/windows/keep-secure/event-4692.md @@ -2,7 +2,7 @@ title: 4692(S, F) Backup of data protection master key was attempted. (Windows 10) description: Describes security event 4692(S, F) Backup of data protection master key was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4693.md b/windows/keep-secure/event-4693.md index 21b507d0f4..3134110a5c 100644 --- a/windows/keep-secure/event-4693.md +++ b/windows/keep-secure/event-4693.md @@ -2,7 +2,7 @@ title: 4693(S, F) Recovery of data protection master key was attempted. (Windows 10) description: Describes security event 4693(S, F) Recovery of data protection master key was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4694.md b/windows/keep-secure/event-4694.md index 930eef2a3b..ebd12e3f78 100644 --- a/windows/keep-secure/event-4694.md +++ b/windows/keep-secure/event-4694.md @@ -2,7 +2,7 @@ title: 4694(S, F) Protection of auditable protected data was attempted. (Windows 10) description: Describes security event 4694(S, F) Protection of auditable protected data was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4695.md b/windows/keep-secure/event-4695.md index ce3643a78f..48d9dd1dc6 100644 --- a/windows/keep-secure/event-4695.md +++ b/windows/keep-secure/event-4695.md @@ -2,7 +2,7 @@ title: 4695(S, F) Unprotection of auditable protected data was attempted. (Windows 10) description: Describes security event 4695(S, F) Unprotection of auditable protected data was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4696.md b/windows/keep-secure/event-4696.md index 5ef396c31e..e4746f74c9 100644 --- a/windows/keep-secure/event-4696.md +++ b/windows/keep-secure/event-4696.md @@ -2,7 +2,7 @@ title: 4696(S) A primary token was assigned to process. (Windows 10) description: Describes security event 4696(S) A primary token was assigned to process. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4697.md b/windows/keep-secure/event-4697.md index b5bd6dc109..0213aa9f0a 100644 --- a/windows/keep-secure/event-4697.md +++ b/windows/keep-secure/event-4697.md @@ -2,7 +2,7 @@ title: 4697(S) A service was installed in the system. (Windows 10) description: Describes security event 4697(S) A service was installed in the system. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4698.md b/windows/keep-secure/event-4698.md index 4829ecd989..5d522281cb 100644 --- a/windows/keep-secure/event-4698.md +++ b/windows/keep-secure/event-4698.md @@ -2,7 +2,7 @@ title: 4698(S) A scheduled task was created. (Windows 10) description: Describes security event 4698(S) A scheduled task was created. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4699.md b/windows/keep-secure/event-4699.md index f5e298828f..a1c58890d6 100644 --- a/windows/keep-secure/event-4699.md +++ b/windows/keep-secure/event-4699.md @@ -2,7 +2,7 @@ title: 4699(S) A scheduled task was deleted. (Windows 10) description: Describes security event 4699(S) A scheduled task was deleted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4700.md b/windows/keep-secure/event-4700.md index f0af1f518a..fa5a54c164 100644 --- a/windows/keep-secure/event-4700.md +++ b/windows/keep-secure/event-4700.md @@ -2,7 +2,7 @@ title: 4700(S) A scheduled task was enabled. (Windows 10) description: Describes security event 4700(S) A scheduled task was enabled. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4701.md b/windows/keep-secure/event-4701.md index fcecfb76bd..5c1cafe14f 100644 --- a/windows/keep-secure/event-4701.md +++ b/windows/keep-secure/event-4701.md @@ -2,7 +2,7 @@ title: 4701(S) A scheduled task was disabled. (Windows 10) description: Describes security event 4701(S) A scheduled task was disabled. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4702.md b/windows/keep-secure/event-4702.md index 3c3e7535dc..3d0071fd39 100644 --- a/windows/keep-secure/event-4702.md +++ b/windows/keep-secure/event-4702.md @@ -2,7 +2,7 @@ title: 4702(S) A scheduled task was updated. (Windows 10) description: Describes security event 4702(S) A scheduled task was updated. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4703.md b/windows/keep-secure/event-4703.md index e6ab98abc4..4b6ac99faa 100644 --- a/windows/keep-secure/event-4703.md +++ b/windows/keep-secure/event-4703.md @@ -2,7 +2,7 @@ title: 4703(S) A user right was adjusted. (Windows 10) description: Describes security event 4703(S) A user right was adjusted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4704.md b/windows/keep-secure/event-4704.md index 06708cb228..ee98fd4712 100644 --- a/windows/keep-secure/event-4704.md +++ b/windows/keep-secure/event-4704.md @@ -2,7 +2,7 @@ title: 4704(S) A user right was assigned. (Windows 10) description: Describes security event 4704(S) A user right was assigned. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4705.md b/windows/keep-secure/event-4705.md index 475c72b108..7a5f1008fc 100644 --- a/windows/keep-secure/event-4705.md +++ b/windows/keep-secure/event-4705.md @@ -2,7 +2,7 @@ title: 4705(S) A user right was removed. (Windows 10) description: Describes security event 4705(S) A user right was removed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4706.md b/windows/keep-secure/event-4706.md index 92a9152b46..c6eba5f6a8 100644 --- a/windows/keep-secure/event-4706.md +++ b/windows/keep-secure/event-4706.md @@ -2,7 +2,7 @@ title: 4706(S) A new trust was created to a domain. (Windows 10) description: Describes security event 4706(S) A new trust was created to a domain. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4707.md b/windows/keep-secure/event-4707.md index 7698e07d9f..9a77188b80 100644 --- a/windows/keep-secure/event-4707.md +++ b/windows/keep-secure/event-4707.md @@ -2,7 +2,7 @@ title: 4707(S) A trust to a domain was removed. (Windows 10) description: Describes security event 4707(S) A trust to a domain was removed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4713.md b/windows/keep-secure/event-4713.md index 46884472bc..47ebf3fbb5 100644 --- a/windows/keep-secure/event-4713.md +++ b/windows/keep-secure/event-4713.md @@ -2,7 +2,7 @@ title: 4713(S) Kerberos policy was changed. (Windows 10) description: Describes security event 4713(S) Kerberos policy was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4714.md b/windows/keep-secure/event-4714.md index c113a6acf4..0531957676 100644 --- a/windows/keep-secure/event-4714.md +++ b/windows/keep-secure/event-4714.md @@ -2,7 +2,7 @@ title: 4714(S) Encrypted data recovery policy was changed. (Windows 10) description: Describes security event 4714(S) Encrypted data recovery policy was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4715.md b/windows/keep-secure/event-4715.md index 5bee7b5421..d0e5dd0ef3 100644 --- a/windows/keep-secure/event-4715.md +++ b/windows/keep-secure/event-4715.md @@ -2,7 +2,7 @@ title: 4715(S) The audit policy (SACL) on an object was changed. (Windows 10) description: Describes security event 4715(S) The audit policy (SACL) on an object was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4716.md b/windows/keep-secure/event-4716.md index bef6704947..373d14519b 100644 --- a/windows/keep-secure/event-4716.md +++ b/windows/keep-secure/event-4716.md @@ -2,7 +2,7 @@ title: 4716(S) Trusted domain information was modified. (Windows 10) description: Describes security event 4716(S) Trusted domain information was modified. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4717.md b/windows/keep-secure/event-4717.md index a6fc571002..dbe74fada2 100644 --- a/windows/keep-secure/event-4717.md +++ b/windows/keep-secure/event-4717.md @@ -2,7 +2,7 @@ title: 4717(S) System security access was granted to an account. (Windows 10) description: Describes security event 4717(S) System security access was granted to an account. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4718.md b/windows/keep-secure/event-4718.md index a3dce890af..44f5fc4624 100644 --- a/windows/keep-secure/event-4718.md +++ b/windows/keep-secure/event-4718.md @@ -2,7 +2,7 @@ title: 4718(S) System security access was removed from an account. (Windows 10) description: Describes security event 4718(S) System security access was removed from an account. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4719.md b/windows/keep-secure/event-4719.md index 58d6ee111c..7a274992c8 100644 --- a/windows/keep-secure/event-4719.md +++ b/windows/keep-secure/event-4719.md @@ -2,7 +2,7 @@ title: 4719(S) System audit policy was changed. (Windows 10) description: Describes security event 4719(S) System audit policy was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4720.md b/windows/keep-secure/event-4720.md index 7ef1a7b270..157b9b01a3 100644 --- a/windows/keep-secure/event-4720.md +++ b/windows/keep-secure/event-4720.md @@ -2,7 +2,7 @@ title: 4720(S) A user account was created. (Windows 10) description: Describes security event 4720(S) A user account was created. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4722.md b/windows/keep-secure/event-4722.md index aaf7fa9ca4..6c96fd0b4a 100644 --- a/windows/keep-secure/event-4722.md +++ b/windows/keep-secure/event-4722.md @@ -2,7 +2,7 @@ title: 4722(S) A user account was enabled. (Windows 10) description: Describes security event 4722(S) A user account was enabled. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4723.md b/windows/keep-secure/event-4723.md index f59314b77b..8c23919260 100644 --- a/windows/keep-secure/event-4723.md +++ b/windows/keep-secure/event-4723.md @@ -2,7 +2,7 @@ title: 4723(S, F) An attempt was made to change an account's password. (Windows 10) description: Describes security event 4723(S, F) An attempt was made to change an account's password. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4724.md b/windows/keep-secure/event-4724.md index b71a0364cc..977955100e 100644 --- a/windows/keep-secure/event-4724.md +++ b/windows/keep-secure/event-4724.md @@ -2,7 +2,7 @@ title: 4724(S, F) An attempt was made to reset an account's password. (Windows 10) description: Describes security event 4724(S, F) An attempt was made to reset an account's password. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4725.md b/windows/keep-secure/event-4725.md index e9e4393343..7dacfe0813 100644 --- a/windows/keep-secure/event-4725.md +++ b/windows/keep-secure/event-4725.md @@ -2,7 +2,7 @@ title: 4725(S) A user account was disabled. (Windows 10) description: Describes security event 4725(S) A user account was disabled. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4726.md b/windows/keep-secure/event-4726.md index 605e5be4b1..ab110e118d 100644 --- a/windows/keep-secure/event-4726.md +++ b/windows/keep-secure/event-4726.md @@ -2,7 +2,7 @@ title: 4726(S) A user account was deleted. (Windows 10) description: Describes security event 4726(S) A user account was deleted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4731.md b/windows/keep-secure/event-4731.md index 3edf72933e..0f6116aca5 100644 --- a/windows/keep-secure/event-4731.md +++ b/windows/keep-secure/event-4731.md @@ -2,7 +2,7 @@ title: 4731(S) A security-enabled local group was created. (Windows 10) description: Describes security event 4731(S) A security-enabled local group was created. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4732.md b/windows/keep-secure/event-4732.md index be676a7515..f688280574 100644 --- a/windows/keep-secure/event-4732.md +++ b/windows/keep-secure/event-4732.md @@ -2,7 +2,7 @@ title: 4732(S) A member was added to a security-enabled local group. (Windows 10) description: Describes security event 4732(S) A member was added to a security-enabled local group. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4733.md b/windows/keep-secure/event-4733.md index 5b4c8ee111..b2de4567ac 100644 --- a/windows/keep-secure/event-4733.md +++ b/windows/keep-secure/event-4733.md @@ -2,7 +2,7 @@ title: 4733(S) A member was removed from a security-enabled local group. (Windows 10) description: Describes security event 4733(S) A member was removed from a security-enabled local group. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4734.md b/windows/keep-secure/event-4734.md index 5ee0ad8db7..023be2969c 100644 --- a/windows/keep-secure/event-4734.md +++ b/windows/keep-secure/event-4734.md @@ -2,7 +2,7 @@ title: 4734(S) A security-enabled local group was deleted. (Windows 10) description: Describes security event 4734(S) A security-enabled local group was deleted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4735.md b/windows/keep-secure/event-4735.md index 56b28b5e54..b6dac600b9 100644 --- a/windows/keep-secure/event-4735.md +++ b/windows/keep-secure/event-4735.md @@ -2,7 +2,7 @@ title: 4735(S) A security-enabled local group was changed. (Windows 10) description: Describes security event 4735(S) A security-enabled local group was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4738.md b/windows/keep-secure/event-4738.md index 4eeb20f066..98f22cb17c 100644 --- a/windows/keep-secure/event-4738.md +++ b/windows/keep-secure/event-4738.md @@ -2,7 +2,7 @@ title: 4738(S) A user account was changed. (Windows 10) description: Describes security event 4738(S) A user account was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4739.md b/windows/keep-secure/event-4739.md index 03f4def1f9..b5873a99e3 100644 --- a/windows/keep-secure/event-4739.md +++ b/windows/keep-secure/event-4739.md @@ -2,7 +2,7 @@ title: 4739(S) Domain Policy was changed. (Windows 10) description: Describes security event 4739(S) Domain Policy was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4740.md b/windows/keep-secure/event-4740.md index 813f534ba7..7ab01449c8 100644 --- a/windows/keep-secure/event-4740.md +++ b/windows/keep-secure/event-4740.md @@ -2,7 +2,7 @@ title: 4740(S) A user account was locked out. (Windows 10) description: Describes security event 4740(S) A user account was locked out. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4741.md b/windows/keep-secure/event-4741.md index 46734b980b..52d8a70a84 100644 --- a/windows/keep-secure/event-4741.md +++ b/windows/keep-secure/event-4741.md @@ -2,7 +2,7 @@ title: 4741(S) A computer account was created. (Windows 10) description: Describes security event 4741(S) A computer account was created. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4742.md b/windows/keep-secure/event-4742.md index 43b86b8649..b09dba8333 100644 --- a/windows/keep-secure/event-4742.md +++ b/windows/keep-secure/event-4742.md @@ -2,7 +2,7 @@ title: 4742(S) A computer account was changed. (Windows 10) description: Describes security event 4742(S) A computer account was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4743.md b/windows/keep-secure/event-4743.md index 69365e69e6..42f7e90f14 100644 --- a/windows/keep-secure/event-4743.md +++ b/windows/keep-secure/event-4743.md @@ -2,7 +2,7 @@ title: 4743(S) A computer account was deleted. (Windows 10) description: Describes security event 4743(S) A computer account was deleted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4749.md b/windows/keep-secure/event-4749.md index ebf569aae3..321a4a3e52 100644 --- a/windows/keep-secure/event-4749.md +++ b/windows/keep-secure/event-4749.md @@ -2,7 +2,7 @@ title: 4749(S) A security-disabled global group was created. (Windows 10) description: Describes security event 4749(S) A security-disabled global group was created. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4750.md b/windows/keep-secure/event-4750.md index 5feebeb1f2..17f5d8eb84 100644 --- a/windows/keep-secure/event-4750.md +++ b/windows/keep-secure/event-4750.md @@ -2,7 +2,7 @@ title: 4750(S) A security-disabled global group was changed. (Windows 10) description: Describes security event 4750(S) A security-disabled global group was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4751.md b/windows/keep-secure/event-4751.md index 600f534e40..ea37165fce 100644 --- a/windows/keep-secure/event-4751.md +++ b/windows/keep-secure/event-4751.md @@ -2,7 +2,7 @@ title: 4751(S) A member was added to a security-disabled global group. (Windows 10) description: Describes security event 4751(S) A member was added to a security-disabled global group. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4752.md b/windows/keep-secure/event-4752.md index d4d9463173..28d38b44a5 100644 --- a/windows/keep-secure/event-4752.md +++ b/windows/keep-secure/event-4752.md @@ -2,7 +2,7 @@ title: 4752(S) A member was removed from a security-disabled global group. (Windows 10) description: Describes security event 4752(S) A member was removed from a security-disabled global group. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4753.md b/windows/keep-secure/event-4753.md index 4aeb373191..5cc018f286 100644 --- a/windows/keep-secure/event-4753.md +++ b/windows/keep-secure/event-4753.md @@ -2,7 +2,7 @@ title: 4753(S) A security-disabled global group was deleted. (Windows 10) description: Describes security event 4753(S) A security-disabled global group was deleted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4764.md b/windows/keep-secure/event-4764.md index 0fc3fa9b1c..e5bcc13c9a 100644 --- a/windows/keep-secure/event-4764.md +++ b/windows/keep-secure/event-4764.md @@ -2,7 +2,7 @@ title: 4764(S) A group's type was changed. (Windows 10) description: Describes security event 4764(S) A group’s type was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4765.md b/windows/keep-secure/event-4765.md index 261ed56dd4..f1bc1a4995 100644 --- a/windows/keep-secure/event-4765.md +++ b/windows/keep-secure/event-4765.md @@ -2,7 +2,7 @@ title: 4765(S) SID History was added to an account. (Windows 10) description: Describes security event 4765(S) SID History was added to an account. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4766.md b/windows/keep-secure/event-4766.md index 61ed78f50d..b3d0a00060 100644 --- a/windows/keep-secure/event-4766.md +++ b/windows/keep-secure/event-4766.md @@ -2,7 +2,7 @@ title: 4766(F) An attempt to add SID History to an account failed. (Windows 10) description: Describes security event 4766(F) An attempt to add SID History to an account failed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4767.md b/windows/keep-secure/event-4767.md index bad7f26588..a189b84db0 100644 --- a/windows/keep-secure/event-4767.md +++ b/windows/keep-secure/event-4767.md @@ -2,7 +2,7 @@ title: 4767(S) A user account was unlocked. (Windows 10) description: Describes security event 4767(S) A user account was unlocked. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4768.md b/windows/keep-secure/event-4768.md index f8b4558198..edcc1952bc 100644 --- a/windows/keep-secure/event-4768.md +++ b/windows/keep-secure/event-4768.md @@ -2,7 +2,7 @@ title: 4768(S, F) A Kerberos authentication ticket (TGT) was requested. (Windows 10) description: Describes security event 4768(S, F) A Kerberos authentication ticket (TGT) was requested. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4769.md b/windows/keep-secure/event-4769.md index 20c430fa33..ecb3b28900 100644 --- a/windows/keep-secure/event-4769.md +++ b/windows/keep-secure/event-4769.md @@ -2,7 +2,7 @@ title: 4769(S, F) A Kerberos service ticket was requested. (Windows 10) description: Describes security event 4769(S, F) A Kerberos service ticket was requested. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4770.md b/windows/keep-secure/event-4770.md index 5983d931d7..1c353eb67f 100644 --- a/windows/keep-secure/event-4770.md +++ b/windows/keep-secure/event-4770.md @@ -2,7 +2,7 @@ title: 4770(S) A Kerberos service ticket was renewed. (Windows 10) description: Describes security event 4770(S) A Kerberos service ticket was renewed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4771.md b/windows/keep-secure/event-4771.md index ec327a9f1f..ae81985175 100644 --- a/windows/keep-secure/event-4771.md +++ b/windows/keep-secure/event-4771.md @@ -2,7 +2,7 @@ title: 4771(F) Kerberos pre-authentication failed. (Windows 10) description: Describes security event 4771(F) Kerberos pre-authentication failed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4772.md b/windows/keep-secure/event-4772.md index 0bf72a2f75..cc22ebd0d0 100644 --- a/windows/keep-secure/event-4772.md +++ b/windows/keep-secure/event-4772.md @@ -2,7 +2,7 @@ title: 4772(F) A Kerberos authentication ticket request failed. (Windows 10) description: Describes security event 4772(F) A Kerberos authentication ticket request failed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4773.md b/windows/keep-secure/event-4773.md index 1f4a877348..d1edccab49 100644 --- a/windows/keep-secure/event-4773.md +++ b/windows/keep-secure/event-4773.md @@ -2,7 +2,7 @@ title: 4773(F) A Kerberos service ticket request failed. (Windows 10) description: Describes security event 4773(F) A Kerberos service ticket request failed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4774.md b/windows/keep-secure/event-4774.md index 2cb4f23bd1..2b626f9576 100644 --- a/windows/keep-secure/event-4774.md +++ b/windows/keep-secure/event-4774.md @@ -2,7 +2,7 @@ title: 4774(S) An account was mapped for logon. (Windows 10) description: Describes security event 4774(S) An account was mapped for logon. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4775.md b/windows/keep-secure/event-4775.md index 56d51f81fa..f02523531c 100644 --- a/windows/keep-secure/event-4775.md +++ b/windows/keep-secure/event-4775.md @@ -2,7 +2,7 @@ title: 4775(F) An account could not be mapped for logon. (Windows 10) description: Describes security event 4775(F) An account could not be mapped for logon. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4776.md b/windows/keep-secure/event-4776.md index 4b1bd35fc0..c244914722 100644 --- a/windows/keep-secure/event-4776.md +++ b/windows/keep-secure/event-4776.md @@ -2,7 +2,7 @@ title: 4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10) description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4777.md b/windows/keep-secure/event-4777.md index db755e968c..7a985dae86 100644 --- a/windows/keep-secure/event-4777.md +++ b/windows/keep-secure/event-4777.md @@ -2,7 +2,7 @@ title: 4777(F) The domain controller failed to validate the credentials for an account. (Windows 10) description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4778.md b/windows/keep-secure/event-4778.md index 2c47b9958b..ff3e197630 100644 --- a/windows/keep-secure/event-4778.md +++ b/windows/keep-secure/event-4778.md @@ -2,7 +2,7 @@ title: 4778(S) A session was reconnected to a Window Station. (Windows 10) description: Describes security event 4778(S) A session was reconnected to a Window Station. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4779.md b/windows/keep-secure/event-4779.md index f3b2dc262b..2dfd8ef4ab 100644 --- a/windows/keep-secure/event-4779.md +++ b/windows/keep-secure/event-4779.md @@ -2,7 +2,7 @@ title: 4779(S) A session was disconnected from a Window Station. (Windows 10) description: Describes security event 4779(S) A session was disconnected from a Window Station. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4780.md b/windows/keep-secure/event-4780.md index 3aef6e6a3a..f90b4a900a 100644 --- a/windows/keep-secure/event-4780.md +++ b/windows/keep-secure/event-4780.md @@ -2,7 +2,7 @@ title: 4780(S) The ACL was set on accounts which are members of administrators groups. (Windows 10) description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4781.md b/windows/keep-secure/event-4781.md index ae172e368c..34064992de 100644 --- a/windows/keep-secure/event-4781.md +++ b/windows/keep-secure/event-4781.md @@ -2,7 +2,7 @@ title: 4781(S) The name of an account was changed. (Windows 10) description: Describes security event 4781(S) The name of an account was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4782.md b/windows/keep-secure/event-4782.md index 100e19c4fe..6d0804b3b3 100644 --- a/windows/keep-secure/event-4782.md +++ b/windows/keep-secure/event-4782.md @@ -2,7 +2,7 @@ title: 4782(S) The password hash an account was accessed. (Windows 10) description: Describes security event 4782(S) The password hash an account was accessed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4793.md b/windows/keep-secure/event-4793.md index 8776180dca..079c4317df 100644 --- a/windows/keep-secure/event-4793.md +++ b/windows/keep-secure/event-4793.md @@ -2,7 +2,7 @@ title: 4793(S) The Password Policy Checking API was called. (Windows 10) description: Describes security event 4793(S) The Password Policy Checking API was called. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4794.md b/windows/keep-secure/event-4794.md index a703f77ede..c3ce16e165 100644 --- a/windows/keep-secure/event-4794.md +++ b/windows/keep-secure/event-4794.md @@ -2,7 +2,7 @@ title: 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. (Windows 10) description: Describes security event 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4798.md b/windows/keep-secure/event-4798.md index 8468f10240..3423f5319b 100644 --- a/windows/keep-secure/event-4798.md +++ b/windows/keep-secure/event-4798.md @@ -2,7 +2,7 @@ title: 4798(S) A user's local group membership was enumerated. (Windows 10) description: Describes security event 4798(S) A user's local group membership was enumerated. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4799.md b/windows/keep-secure/event-4799.md index 7673abf0a6..2084212f59 100644 --- a/windows/keep-secure/event-4799.md +++ b/windows/keep-secure/event-4799.md @@ -2,7 +2,7 @@ title: 4799(S) A security-enabled local group membership was enumerated. (Windows 10) description: Describes security event 4799(S) A security-enabled local group membership was enumerated. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4800.md b/windows/keep-secure/event-4800.md index bba6681e18..3eb3482649 100644 --- a/windows/keep-secure/event-4800.md +++ b/windows/keep-secure/event-4800.md @@ -2,7 +2,7 @@ title: 4800(S) The workstation was locked. (Windows 10) description: Describes security event 4800(S) The workstation was locked. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4801.md b/windows/keep-secure/event-4801.md index 28e2f207b6..b0b69a6e24 100644 --- a/windows/keep-secure/event-4801.md +++ b/windows/keep-secure/event-4801.md @@ -2,7 +2,7 @@ title: 4801(S) The workstation was unlocked. (Windows 10) description: Describes security event 4801(S) The workstation was unlocked. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4802.md b/windows/keep-secure/event-4802.md index c4b49527e7..691f558b08 100644 --- a/windows/keep-secure/event-4802.md +++ b/windows/keep-secure/event-4802.md @@ -2,7 +2,7 @@ title: 4802(S) The screen saver was invoked. (Windows 10) description: Describes security event 4802(S) The screen saver was invoked. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4803.md b/windows/keep-secure/event-4803.md index 118d94f09a..8cfb6407c8 100644 --- a/windows/keep-secure/event-4803.md +++ b/windows/keep-secure/event-4803.md @@ -2,7 +2,7 @@ title: 4803(S) The screen saver was dismissed. (Windows 10) description: Describes security event 4803(S) The screen saver was dismissed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4816.md b/windows/keep-secure/event-4816.md index 9d90f07c17..846e37ddf7 100644 --- a/windows/keep-secure/event-4816.md +++ b/windows/keep-secure/event-4816.md @@ -2,7 +2,7 @@ title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. (Windows 10) description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4817.md b/windows/keep-secure/event-4817.md index 614adbf442..c1bc5e42d5 100644 --- a/windows/keep-secure/event-4817.md +++ b/windows/keep-secure/event-4817.md @@ -2,7 +2,7 @@ title: 4817(S) Auditing settings on object were changed. (Windows 10) description: Describes security event 4817(S) Auditing settings on object were changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4818.md b/windows/keep-secure/event-4818.md index b8c3c13ecd..f219c35d82 100644 --- a/windows/keep-secure/event-4818.md +++ b/windows/keep-secure/event-4818.md @@ -2,7 +2,7 @@ title: 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. (Windows 10) description: Describes security event 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4819.md b/windows/keep-secure/event-4819.md index 14613c4b7a..b9311464ea 100644 --- a/windows/keep-secure/event-4819.md +++ b/windows/keep-secure/event-4819.md @@ -2,7 +2,7 @@ title: 4819(S) Central Access Policies on the machine have been changed. (Windows 10) description: Describes security event 4819(S) Central Access Policies on the machine have been changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4826.md b/windows/keep-secure/event-4826.md index 655602c5d7..fd9ab17f16 100644 --- a/windows/keep-secure/event-4826.md +++ b/windows/keep-secure/event-4826.md @@ -2,7 +2,7 @@ title: 4826(S) Boot Configuration Data loaded. (Windows 10) description: Describes security event 4826(S) Boot Configuration Data loaded. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4864.md b/windows/keep-secure/event-4864.md index 52abc31dfe..c889c54cdf 100644 --- a/windows/keep-secure/event-4864.md +++ b/windows/keep-secure/event-4864.md @@ -2,7 +2,7 @@ title: 4864(S) A namespace collision was detected. (Windows 10) description: Describes security event 4864(S) A namespace collision was detected. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4865.md b/windows/keep-secure/event-4865.md index 50cf514dd4..90f686c80b 100644 --- a/windows/keep-secure/event-4865.md +++ b/windows/keep-secure/event-4865.md @@ -2,7 +2,7 @@ title: 4865(S) A trusted forest information entry was added. (Windows 10) description: Describes security event 4865(S) A trusted forest information entry was added. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4866.md b/windows/keep-secure/event-4866.md index bc7752fc7b..1fc701f4d1 100644 --- a/windows/keep-secure/event-4866.md +++ b/windows/keep-secure/event-4866.md @@ -2,7 +2,7 @@ title: 4866(S) A trusted forest information entry was removed. (Windows 10) description: Describes security event 4866(S) A trusted forest information entry was removed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4867.md b/windows/keep-secure/event-4867.md index 73c7e92586..57fc10f7da 100644 --- a/windows/keep-secure/event-4867.md +++ b/windows/keep-secure/event-4867.md @@ -2,7 +2,7 @@ title: 4867(S) A trusted forest information entry was modified. (Windows 10) description: Describes security event 4867(S) A trusted forest information entry was modified. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4902.md b/windows/keep-secure/event-4902.md index b6cf1ebb77..f8979e200f 100644 --- a/windows/keep-secure/event-4902.md +++ b/windows/keep-secure/event-4902.md @@ -2,7 +2,7 @@ title: 4902(S) The Per-user audit policy table was created. (Windows 10) description: Describes security event 4902(S) The Per-user audit policy table was created. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4904.md b/windows/keep-secure/event-4904.md index 5f46d6c131..85d903d952 100644 --- a/windows/keep-secure/event-4904.md +++ b/windows/keep-secure/event-4904.md @@ -2,7 +2,7 @@ title: 4904(S) An attempt was made to register a security event source. (Windows 10) description: Describes security event 4904(S) An attempt was made to register a security event source. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4905.md b/windows/keep-secure/event-4905.md index 222fd0f263..1bc58fabcc 100644 --- a/windows/keep-secure/event-4905.md +++ b/windows/keep-secure/event-4905.md @@ -2,7 +2,7 @@ title: 4905(S) An attempt was made to unregister a security event source. (Windows 10) description: Describes security event 4905(S) An attempt was made to unregister a security event source. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4906.md b/windows/keep-secure/event-4906.md index 9232c75a41..b7e82beaac 100644 --- a/windows/keep-secure/event-4906.md +++ b/windows/keep-secure/event-4906.md @@ -2,7 +2,7 @@ title: 4906(S) The CrashOnAuditFail value has changed. (Windows 10) description: Describes security event 4906(S) The CrashOnAuditFail value has changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4907.md b/windows/keep-secure/event-4907.md index b3339c3ace..0867cad21e 100644 --- a/windows/keep-secure/event-4907.md +++ b/windows/keep-secure/event-4907.md @@ -2,7 +2,7 @@ title: 4907(S) Auditing settings on object were changed. (Windows 10) description: Describes security event 4907(S) Auditing settings on object were changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4908.md b/windows/keep-secure/event-4908.md index fbb9957571..c76f86b814 100644 --- a/windows/keep-secure/event-4908.md +++ b/windows/keep-secure/event-4908.md @@ -2,7 +2,7 @@ title: 4908(S) Special Groups Logon table modified. (Windows 10) description: Describes security event 4908(S) Special Groups Logon table modified. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4909.md b/windows/keep-secure/event-4909.md index 650d9bbf8c..f3f6b7d90e 100644 --- a/windows/keep-secure/event-4909.md +++ b/windows/keep-secure/event-4909.md @@ -2,7 +2,7 @@ title: 4909(-) The local policy settings for the TBS were changed. (Windows 10) description: Describes security event 4909(-) The local policy settings for the TBS were changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4910.md b/windows/keep-secure/event-4910.md index f167349c1b..bf7110033f 100644 --- a/windows/keep-secure/event-4910.md +++ b/windows/keep-secure/event-4910.md @@ -2,7 +2,7 @@ title: 4910(-) The group policy settings for the TBS were changed. (Windows 10) description: Describes security event 4910(-) The group policy settings for the TBS were changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4911.md b/windows/keep-secure/event-4911.md index 39d00ba5ee..20a174c857 100644 --- a/windows/keep-secure/event-4911.md +++ b/windows/keep-secure/event-4911.md @@ -2,7 +2,7 @@ title: 4911(S) Resource attributes of the object were changed. (Windows 10) description: Describes security event 4911(S) Resource attributes of the object were changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4912.md b/windows/keep-secure/event-4912.md index 6373e7532b..bc9856672a 100644 --- a/windows/keep-secure/event-4912.md +++ b/windows/keep-secure/event-4912.md @@ -2,7 +2,7 @@ title: 4912(S) Per User Audit Policy was changed. (Windows 10) description: Describes security event 4912(S) Per User Audit Policy was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4913.md b/windows/keep-secure/event-4913.md index b34355d236..96a27d5f9f 100644 --- a/windows/keep-secure/event-4913.md +++ b/windows/keep-secure/event-4913.md @@ -2,7 +2,7 @@ title: 4913(S) Central Access Policy on the object was changed. (Windows 10) description: Describes security event 4913(S) Central Access Policy on the object was changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4928.md b/windows/keep-secure/event-4928.md index b1e99309ef..04ad5cd8c9 100644 --- a/windows/keep-secure/event-4928.md +++ b/windows/keep-secure/event-4928.md @@ -2,7 +2,7 @@ title: 4928(S, F) An Active Directory replica source naming context was established. (Windows 10) description: Describes security event 4928(S, F) An Active Directory replica source naming context was established. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4929.md b/windows/keep-secure/event-4929.md index cb3b05a636..1ce345a023 100644 --- a/windows/keep-secure/event-4929.md +++ b/windows/keep-secure/event-4929.md @@ -2,7 +2,7 @@ title: 4929(S, F) An Active Directory replica source naming context was removed. (Windows 10) description: Describes security event 4929(S, F) An Active Directory replica source naming context was removed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4930.md b/windows/keep-secure/event-4930.md index bcf9d221ed..83c58cab73 100644 --- a/windows/keep-secure/event-4930.md +++ b/windows/keep-secure/event-4930.md @@ -2,7 +2,7 @@ title: 4930(S, F) An Active Directory replica source naming context was modified. (Windows 10) description: Describes security event 4930(S, F) An Active Directory replica source naming context was modified. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4931.md b/windows/keep-secure/event-4931.md index bf823bacef..90d993cd8f 100644 --- a/windows/keep-secure/event-4931.md +++ b/windows/keep-secure/event-4931.md @@ -2,7 +2,7 @@ title: 4931(S, F) An Active Directory replica destination naming context was modified. (Windows 10) description: Describes security event 4931(S, F) An Active Directory replica destination naming context was modified. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4932.md b/windows/keep-secure/event-4932.md index c7555dbed9..4a285d53f7 100644 --- a/windows/keep-secure/event-4932.md +++ b/windows/keep-secure/event-4932.md @@ -2,7 +2,7 @@ title: 4932(S) Synchronization of a replica of an Active Directory naming context has begun. (Windows 10) description: Describes security event 4932(S) Synchronization of a replica of an Active Directory naming context has begun. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4933.md b/windows/keep-secure/event-4933.md index 22c828fb87..ecfdab4b9f 100644 --- a/windows/keep-secure/event-4933.md +++ b/windows/keep-secure/event-4933.md @@ -2,7 +2,7 @@ title: 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. (Windows 10) description: Describes security event 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4934.md b/windows/keep-secure/event-4934.md index 4f0eae2cee..370261af0f 100644 --- a/windows/keep-secure/event-4934.md +++ b/windows/keep-secure/event-4934.md @@ -2,7 +2,7 @@ title: 4934(S) Attributes of an Active Directory object were replicated. (Windows 10) description: Describes security event 4934(S) Attributes of an Active Directory object were replicated. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4935.md b/windows/keep-secure/event-4935.md index ccf6d31bd6..95089ddc63 100644 --- a/windows/keep-secure/event-4935.md +++ b/windows/keep-secure/event-4935.md @@ -2,7 +2,7 @@ title: 4935(F) Replication failure begins. (Windows 10) description: Describes security event 4935(F) Replication failure begins. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4936.md b/windows/keep-secure/event-4936.md index 65cc7c79e9..0d3f01212d 100644 --- a/windows/keep-secure/event-4936.md +++ b/windows/keep-secure/event-4936.md @@ -2,7 +2,7 @@ title: 4936(S) Replication failure ends. (Windows 10) description: Describes security event 4936(S) Replication failure ends. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4937.md b/windows/keep-secure/event-4937.md index 09e0abe080..e828453e4c 100644 --- a/windows/keep-secure/event-4937.md +++ b/windows/keep-secure/event-4937.md @@ -2,7 +2,7 @@ title: 4937(S) A lingering object was removed from a replica. (Windows 10) description: Describes security event 4937(S) A lingering object was removed from a replica. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4944.md b/windows/keep-secure/event-4944.md index f322bb8458..13323d44aa 100644 --- a/windows/keep-secure/event-4944.md +++ b/windows/keep-secure/event-4944.md @@ -2,7 +2,7 @@ title: 4944(S) The following policy was active when the Windows Firewall started. (Windows 10) description: Describes security event 4944(S) The following policy was active when the Windows Firewall started. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4945.md b/windows/keep-secure/event-4945.md index 1b94b91fbc..fb0731ead7 100644 --- a/windows/keep-secure/event-4945.md +++ b/windows/keep-secure/event-4945.md @@ -2,7 +2,7 @@ title: 4945(S) A rule was listed when the Windows Firewall started. (Windows 10) description: Describes security event 4945(S) A rule was listed when the Windows Firewall started. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4946.md b/windows/keep-secure/event-4946.md index f73ca913a6..0fea17268d 100644 --- a/windows/keep-secure/event-4946.md +++ b/windows/keep-secure/event-4946.md @@ -2,7 +2,7 @@ title: 4946(S) A change has been made to Windows Firewall exception list. A rule was added. (Windows 10) description: Describes security event 4946(S) A change has been made to Windows Firewall exception list. A rule was added. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4947.md b/windows/keep-secure/event-4947.md index f3381e95ba..3103502558 100644 --- a/windows/keep-secure/event-4947.md +++ b/windows/keep-secure/event-4947.md @@ -2,7 +2,7 @@ title: 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. (Windows 10) description: Describes security event 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4948.md b/windows/keep-secure/event-4948.md index 034b9e1149..8193b2ec9f 100644 --- a/windows/keep-secure/event-4948.md +++ b/windows/keep-secure/event-4948.md @@ -2,7 +2,7 @@ title: 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. (Windows 10) description: Describes security event 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4949.md b/windows/keep-secure/event-4949.md index 2441529ec2..0b8194ac9e 100644 --- a/windows/keep-secure/event-4949.md +++ b/windows/keep-secure/event-4949.md @@ -2,7 +2,7 @@ title: 4949(S) Windows Firewall settings were restored to the default values. (Windows 10) description: Describes security event 4949(S) Windows Firewall settings were restored to the default values. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4950.md b/windows/keep-secure/event-4950.md index 69a46b6925..0c8dadbb62 100644 --- a/windows/keep-secure/event-4950.md +++ b/windows/keep-secure/event-4950.md @@ -2,7 +2,7 @@ title: 4950(S) A Windows Firewall setting has changed. (Windows 10) description: Describes security event 4950(S) A Windows Firewall setting has changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4951.md b/windows/keep-secure/event-4951.md index 1878549111..82cf1bbeb8 100644 --- a/windows/keep-secure/event-4951.md +++ b/windows/keep-secure/event-4951.md @@ -2,7 +2,7 @@ title: 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. (Windows 10) description: Describes security event 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4952.md b/windows/keep-secure/event-4952.md index 496d4e324e..06e7cc5bc5 100644 --- a/windows/keep-secure/event-4952.md +++ b/windows/keep-secure/event-4952.md @@ -2,7 +2,7 @@ title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. (Windows 10) description: Describes security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4953.md b/windows/keep-secure/event-4953.md index ba5cea430d..5f4046b134 100644 --- a/windows/keep-secure/event-4953.md +++ b/windows/keep-secure/event-4953.md @@ -2,7 +2,7 @@ title: 4953(F) Windows Firewall ignored a rule because it could not be parsed. (Windows 10) description: Describes security event 4953(F) Windows Firewall ignored a rule because it could not be parsed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4954.md b/windows/keep-secure/event-4954.md index fcf80a82d3..313eef1046 100644 --- a/windows/keep-secure/event-4954.md +++ b/windows/keep-secure/event-4954.md @@ -2,7 +2,7 @@ title: 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. (Windows 10) description: Describes security event 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4956.md b/windows/keep-secure/event-4956.md index 4d3c688ed7..598387895b 100644 --- a/windows/keep-secure/event-4956.md +++ b/windows/keep-secure/event-4956.md @@ -2,7 +2,7 @@ title: 4956(S) Windows Firewall has changed the active profile. (Windows 10) description: Describes security event 4956(S) Windows Firewall has changed the active profile. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4957.md b/windows/keep-secure/event-4957.md index dcd32e2689..1d651773dd 100644 --- a/windows/keep-secure/event-4957.md +++ b/windows/keep-secure/event-4957.md @@ -2,7 +2,7 @@ title: 4957(F) Windows Firewall did not apply the following rule. (Windows 10) description: Describes security event 4957(F) Windows Firewall did not apply the following rule. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4958.md b/windows/keep-secure/event-4958.md index 7ef6e67cbe..aec78e8144 100644 --- a/windows/keep-secure/event-4958.md +++ b/windows/keep-secure/event-4958.md @@ -2,7 +2,7 @@ title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10) description: Describes security event 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4964.md b/windows/keep-secure/event-4964.md index 8584a902c5..96d32ccc21 100644 --- a/windows/keep-secure/event-4964.md +++ b/windows/keep-secure/event-4964.md @@ -2,7 +2,7 @@ title: 4964(S) Special groups have been assigned to a new logon. (Windows 10) description: Describes security event 4964(S) Special groups have been assigned to a new logon. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-4985.md b/windows/keep-secure/event-4985.md index 2044f942d0..f9737372fc 100644 --- a/windows/keep-secure/event-4985.md +++ b/windows/keep-secure/event-4985.md @@ -2,7 +2,7 @@ title: 4985(S) The state of a transaction has changed. (Windows 10) description: Describes security event 4985(S) The state of a transaction has changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5024.md b/windows/keep-secure/event-5024.md index 372ee3b767..c06e33a285 100644 --- a/windows/keep-secure/event-5024.md +++ b/windows/keep-secure/event-5024.md @@ -2,7 +2,7 @@ title: 5024(S) The Windows Firewall Service has started successfully. (Windows 10) description: Describes security event 5024(S) The Windows Firewall Service has started successfully. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5025.md b/windows/keep-secure/event-5025.md index 1a83b5eefc..2e871f2ce0 100644 --- a/windows/keep-secure/event-5025.md +++ b/windows/keep-secure/event-5025.md @@ -2,7 +2,7 @@ title: 5025(S) The Windows Firewall Service has been stopped. (Windows 10) description: Describes security event 5025(S) The Windows Firewall Service has been stopped. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5027.md b/windows/keep-secure/event-5027.md index f13f6495e7..d8f0c10631 100644 --- a/windows/keep-secure/event-5027.md +++ b/windows/keep-secure/event-5027.md @@ -2,7 +2,7 @@ title: 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. (Windows 10) description: Describes security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5028.md b/windows/keep-secure/event-5028.md index 928ccdc1ce..c5dd276e84 100644 --- a/windows/keep-secure/event-5028.md +++ b/windows/keep-secure/event-5028.md @@ -2,7 +2,7 @@ title: 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. (Windows 10) description: Describes security event 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5029.md b/windows/keep-secure/event-5029.md index 152bc5dff1..8bd1677e18 100644 --- a/windows/keep-secure/event-5029.md +++ b/windows/keep-secure/event-5029.md @@ -2,7 +2,7 @@ title: 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. (Windows 10) description: Describes security event 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5030.md b/windows/keep-secure/event-5030.md index 3278d73871..2ae7dc1fd3 100644 --- a/windows/keep-secure/event-5030.md +++ b/windows/keep-secure/event-5030.md @@ -2,7 +2,7 @@ title: 5030(F) The Windows Firewall Service failed to start. (Windows 10) description: Describes security event 5030(F) The Windows Firewall Service failed to start. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5031.md b/windows/keep-secure/event-5031.md index 436e60fe7b..6a4e5a375b 100644 --- a/windows/keep-secure/event-5031.md +++ b/windows/keep-secure/event-5031.md @@ -2,7 +2,7 @@ title: 5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network. (Windows 10) description: Describes security event 5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5032.md b/windows/keep-secure/event-5032.md index 2ba6a05fa2..ae74c91364 100644 --- a/windows/keep-secure/event-5032.md +++ b/windows/keep-secure/event-5032.md @@ -2,7 +2,7 @@ title: 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. (Windows 10) description: Describes security event 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5033.md b/windows/keep-secure/event-5033.md index 5efe78bfdf..850dd18213 100644 --- a/windows/keep-secure/event-5033.md +++ b/windows/keep-secure/event-5033.md @@ -2,7 +2,7 @@ title: 5033(S) The Windows Firewall Driver has started successfully. (Windows 10) description: Describes security event 5033(S) The Windows Firewall Driver has started successfully. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5034.md b/windows/keep-secure/event-5034.md index 30dafbfd3c..ff3fb85462 100644 --- a/windows/keep-secure/event-5034.md +++ b/windows/keep-secure/event-5034.md @@ -2,7 +2,7 @@ title: 5034(S) The Windows Firewall Driver was stopped. (Windows 10) description: Describes security event 5034(S) The Windows Firewall Driver was stopped. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5035.md b/windows/keep-secure/event-5035.md index a5add18971..1bfd2005f7 100644 --- a/windows/keep-secure/event-5035.md +++ b/windows/keep-secure/event-5035.md @@ -2,7 +2,7 @@ title: 5035(F) The Windows Firewall Driver failed to start. (Windows 10) description: Describes security event 5035(F) The Windows Firewall Driver failed to start. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5037.md b/windows/keep-secure/event-5037.md index 56d93b8dc5..74d89cfcb2 100644 --- a/windows/keep-secure/event-5037.md +++ b/windows/keep-secure/event-5037.md @@ -2,7 +2,7 @@ title: 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. (Windows 10) description: Describes security event 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5038.md b/windows/keep-secure/event-5038.md index 800c1a5ffe..03e3a001cb 100644 --- a/windows/keep-secure/event-5038.md +++ b/windows/keep-secure/event-5038.md @@ -2,7 +2,7 @@ title: 5038(F) Code integrity determined that the image hash of a file is not valid. (Windows 10) description: Describes security event 5038(F) Code integrity determined that the image hash of a file is not valid. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5039.md b/windows/keep-secure/event-5039.md index 64a191a4b1..7efc527d45 100644 --- a/windows/keep-secure/event-5039.md +++ b/windows/keep-secure/event-5039.md @@ -2,7 +2,7 @@ title: 5039(-) A registry key was virtualized. (Windows 10) description: Describes security event 5039(-) A registry key was virtualized. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5051.md b/windows/keep-secure/event-5051.md index 80d018b51a..925586c371 100644 --- a/windows/keep-secure/event-5051.md +++ b/windows/keep-secure/event-5051.md @@ -2,7 +2,7 @@ title: 5051(-) A file was virtualized. (Windows 10) description: Describes security event 5051(-) A file was virtualized. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5056.md b/windows/keep-secure/event-5056.md index da2580539a..112eec47ed 100644 --- a/windows/keep-secure/event-5056.md +++ b/windows/keep-secure/event-5056.md @@ -2,7 +2,7 @@ title: 5056(S) A cryptographic self-test was performed. (Windows 10) description: Describes security event 5056(S) A cryptographic self-test was performed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5057.md b/windows/keep-secure/event-5057.md index d3f29539c1..1c1207d464 100644 --- a/windows/keep-secure/event-5057.md +++ b/windows/keep-secure/event-5057.md @@ -2,7 +2,7 @@ title: 5057(F) A cryptographic primitive operation failed. (Windows 10) description: Describes security event 5057(F) A cryptographic primitive operation failed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5058.md b/windows/keep-secure/event-5058.md index b7fb73f686..b8b0f16ef4 100644 --- a/windows/keep-secure/event-5058.md +++ b/windows/keep-secure/event-5058.md @@ -2,7 +2,7 @@ title: 5058(S, F) Key file operation. (Windows 10) description: Describes security event 5058(S, F) Key file operation. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5059.md b/windows/keep-secure/event-5059.md index 1e5424b033..3a1b397f62 100644 --- a/windows/keep-secure/event-5059.md +++ b/windows/keep-secure/event-5059.md @@ -2,7 +2,7 @@ title: 5059(S, F) Key migration operation. (Windows 10) description: Describes security event 5059(S, F) Key migration operation. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5060.md b/windows/keep-secure/event-5060.md index 5a3b66e7da..b568ea571b 100644 --- a/windows/keep-secure/event-5060.md +++ b/windows/keep-secure/event-5060.md @@ -2,7 +2,7 @@ title: 5060(F) Verification operation failed. (Windows 10) description: Describes security event 5060(F) Verification operation failed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5061.md b/windows/keep-secure/event-5061.md index ecba2fb27f..886a4d7aba 100644 --- a/windows/keep-secure/event-5061.md +++ b/windows/keep-secure/event-5061.md @@ -2,7 +2,7 @@ title: 5061(S, F) Cryptographic operation. (Windows 10) description: Describes security event 5061(S, F) Cryptographic operation. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5062.md b/windows/keep-secure/event-5062.md index 3b07e9e43c..4f1aa57c3f 100644 --- a/windows/keep-secure/event-5062.md +++ b/windows/keep-secure/event-5062.md @@ -2,7 +2,7 @@ title: 5062(S) A kernel-mode cryptographic self-test was performed. (Windows 10) description: Describes security event 5062(S) A kernel-mode cryptographic self-test was performed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5063.md b/windows/keep-secure/event-5063.md index 113f459251..9a0a83c802 100644 --- a/windows/keep-secure/event-5063.md +++ b/windows/keep-secure/event-5063.md @@ -2,7 +2,7 @@ title: 5063(S, F) A cryptographic provider operation was attempted. (Windows 10) description: Describes security event 5063(S, F) A cryptographic provider operation was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5064.md b/windows/keep-secure/event-5064.md index ce3e19d79e..e77dfa511d 100644 --- a/windows/keep-secure/event-5064.md +++ b/windows/keep-secure/event-5064.md @@ -2,7 +2,7 @@ title: 5064(S, F) A cryptographic context operation was attempted. (Windows 10) description: Describes security event 5064(S, F) A cryptographic context operation was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5065.md b/windows/keep-secure/event-5065.md index f3cdb958d2..23b817ac6c 100644 --- a/windows/keep-secure/event-5065.md +++ b/windows/keep-secure/event-5065.md @@ -2,7 +2,7 @@ title: 5065(S, F) A cryptographic context modification was attempted. (Windows 10) description: Describes security event 5065(S, F) A cryptographic context modification was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5066.md b/windows/keep-secure/event-5066.md index b3bc8f6afb..ae0b53e526 100644 --- a/windows/keep-secure/event-5066.md +++ b/windows/keep-secure/event-5066.md @@ -2,7 +2,7 @@ title: 5066(S, F) A cryptographic function operation was attempted. (Windows 10) description: Describes security event 5066(S, F) A cryptographic function operation was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5067.md b/windows/keep-secure/event-5067.md index a5a5618324..64c0a626eb 100644 --- a/windows/keep-secure/event-5067.md +++ b/windows/keep-secure/event-5067.md @@ -2,7 +2,7 @@ title: 5067(S, F) A cryptographic function modification was attempted. (Windows 10) description: Describes security event 5067(S, F) A cryptographic function modification was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5068.md b/windows/keep-secure/event-5068.md index 751ecc249b..2200cc9eed 100644 --- a/windows/keep-secure/event-5068.md +++ b/windows/keep-secure/event-5068.md @@ -2,7 +2,7 @@ title: 5068(S, F) A cryptographic function provider operation was attempted. (Windows 10) description: Describes security event 5068(S, F) A cryptographic function provider operation was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5069.md b/windows/keep-secure/event-5069.md index 40159c9c39..b58724b2d2 100644 --- a/windows/keep-secure/event-5069.md +++ b/windows/keep-secure/event-5069.md @@ -2,7 +2,7 @@ title: 5069(S, F) A cryptographic function property operation was attempted. (Windows 10) description: Describes security event 5069(S, F) A cryptographic function property operation was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5070.md b/windows/keep-secure/event-5070.md index 388d1f39c6..668edaba15 100644 --- a/windows/keep-secure/event-5070.md +++ b/windows/keep-secure/event-5070.md @@ -2,7 +2,7 @@ title: 5070(S, F) A cryptographic function property modification was attempted. (Windows 10) description: Describes security event 5070(S, F) A cryptographic function property modification was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5136.md b/windows/keep-secure/event-5136.md index 1bc1202256..3350dca361 100644 --- a/windows/keep-secure/event-5136.md +++ b/windows/keep-secure/event-5136.md @@ -2,7 +2,7 @@ title: 5136(S) A directory service object was modified. (Windows 10) description: Describes security event 5136(S) A directory service object was modified. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5137.md b/windows/keep-secure/event-5137.md index d164e1fa1a..892245d530 100644 --- a/windows/keep-secure/event-5137.md +++ b/windows/keep-secure/event-5137.md @@ -2,7 +2,7 @@ title: 5137(S) A directory service object was created. (Windows 10) description: Describes security event 5137(S) A directory service object was created. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5138.md b/windows/keep-secure/event-5138.md index 846ee2eef9..84e80ff027 100644 --- a/windows/keep-secure/event-5138.md +++ b/windows/keep-secure/event-5138.md @@ -2,7 +2,7 @@ title: 5138(S) A directory service object was undeleted. (Windows 10) description: Describes security event 5138(S) A directory service object was undeleted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5139.md b/windows/keep-secure/event-5139.md index 192a1c890f..7399a33b15 100644 --- a/windows/keep-secure/event-5139.md +++ b/windows/keep-secure/event-5139.md @@ -2,7 +2,7 @@ title: 5139(S) A directory service object was moved. (Windows 10) description: Describes security event 5139(S) A directory service object was moved. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5140.md b/windows/keep-secure/event-5140.md index bb6cf5f7aa..be40b7a2d5 100644 --- a/windows/keep-secure/event-5140.md +++ b/windows/keep-secure/event-5140.md @@ -2,7 +2,7 @@ title: 5140(S, F) A network share object was accessed. (Windows 10) description: Describes security event 5140(S, F) A network share object was accessed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5141.md b/windows/keep-secure/event-5141.md index 994302f871..238b70281d 100644 --- a/windows/keep-secure/event-5141.md +++ b/windows/keep-secure/event-5141.md @@ -2,7 +2,7 @@ title: 5141(S) A directory service object was deleted. (Windows 10) description: Describes security event 5141(S) A directory service object was deleted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5142.md b/windows/keep-secure/event-5142.md index 291378d2ee..418a6387f7 100644 --- a/windows/keep-secure/event-5142.md +++ b/windows/keep-secure/event-5142.md @@ -2,7 +2,7 @@ title: 5142(S) A network share object was added. (Windows 10) description: Describes security event 5142(S) A network share object was added. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5143.md b/windows/keep-secure/event-5143.md index 3a1fbd38b1..30c4977b0c 100644 --- a/windows/keep-secure/event-5143.md +++ b/windows/keep-secure/event-5143.md @@ -2,7 +2,7 @@ title: 5143(S) A network share object was modified. (Windows 10) description: Describes security event 5143(S) A network share object was modified. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5144.md b/windows/keep-secure/event-5144.md index 18df4dd0df..d74e6e0c0e 100644 --- a/windows/keep-secure/event-5144.md +++ b/windows/keep-secure/event-5144.md @@ -2,7 +2,7 @@ title: 5144(S) A network share object was deleted. (Windows 10) description: Describes security event 5144(S) A network share object was deleted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5145.md b/windows/keep-secure/event-5145.md index defe7dd401..1370cc6fe1 100644 --- a/windows/keep-secure/event-5145.md +++ b/windows/keep-secure/event-5145.md @@ -2,7 +2,7 @@ title: 5145(S, F) A network share object was checked to see whether client can be granted desired access. (Windows 10) description: Describes security event 5145(S, F) A network share object was checked to see whether client can be granted desired access. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5148.md b/windows/keep-secure/event-5148.md index 7f25c44c05..7751cd9686 100644 --- a/windows/keep-secure/event-5148.md +++ b/windows/keep-secure/event-5148.md @@ -2,7 +2,7 @@ title: 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. (Windows 10) description: Describes security event 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5149.md b/windows/keep-secure/event-5149.md index d50b0bb76b..24b3f6ab89 100644 --- a/windows/keep-secure/event-5149.md +++ b/windows/keep-secure/event-5149.md @@ -2,7 +2,7 @@ title: 5149(F) The DoS attack has subsided and normal processing is being resumed. (Windows 10) description: Describes security event 5149(F) The DoS attack has subsided and normal processing is being resumed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5150.md b/windows/keep-secure/event-5150.md index 4d63a3d41e..10ae5b7bcb 100644 --- a/windows/keep-secure/event-5150.md +++ b/windows/keep-secure/event-5150.md @@ -2,7 +2,7 @@ title: 5150(-) The Windows Filtering Platform blocked a packet. (Windows 10) description: Describes security event 5150(-) The Windows Filtering Platform blocked a packet. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5151.md b/windows/keep-secure/event-5151.md index b37ebfdcff..d1221cb8df 100644 --- a/windows/keep-secure/event-5151.md +++ b/windows/keep-secure/event-5151.md @@ -2,7 +2,7 @@ title: 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10) description: Describes security event 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5152.md b/windows/keep-secure/event-5152.md index d106c21fad..af74957188 100644 --- a/windows/keep-secure/event-5152.md +++ b/windows/keep-secure/event-5152.md @@ -2,7 +2,7 @@ title: 5152(F) The Windows Filtering Platform blocked a packet. (Windows 10) description: Describes security event 5152(F) The Windows Filtering Platform blocked a packet. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5153.md b/windows/keep-secure/event-5153.md index 9f5a9081bd..e02ea78a1e 100644 --- a/windows/keep-secure/event-5153.md +++ b/windows/keep-secure/event-5153.md @@ -2,7 +2,7 @@ title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10) description: Describes security event 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5154.md b/windows/keep-secure/event-5154.md index b5362105d2..12255300cf 100644 --- a/windows/keep-secure/event-5154.md +++ b/windows/keep-secure/event-5154.md @@ -2,7 +2,7 @@ title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. (Windows 10) description: Describes security event 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5155.md b/windows/keep-secure/event-5155.md index 1ab050cf24..369db60297 100644 --- a/windows/keep-secure/event-5155.md +++ b/windows/keep-secure/event-5155.md @@ -2,7 +2,7 @@ title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. (Windows 10) description: Describes security event 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5156.md b/windows/keep-secure/event-5156.md index d9f761b96c..faa073a9c3 100644 --- a/windows/keep-secure/event-5156.md +++ b/windows/keep-secure/event-5156.md @@ -2,7 +2,7 @@ title: 5156(S) The Windows Filtering Platform has permitted a connection. (Windows 10) description: Describes security event 5156(S) The Windows Filtering Platform has permitted a connection. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5157.md b/windows/keep-secure/event-5157.md index fe9fb634f0..b66541d467 100644 --- a/windows/keep-secure/event-5157.md +++ b/windows/keep-secure/event-5157.md @@ -2,7 +2,7 @@ title: 5157(F) The Windows Filtering Platform has blocked a connection. (Windows 10) description: Describes security event 5157(F) The Windows Filtering Platform has blocked a connection. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5158.md b/windows/keep-secure/event-5158.md index 3f28870be7..2e9b42e9b0 100644 --- a/windows/keep-secure/event-5158.md +++ b/windows/keep-secure/event-5158.md @@ -2,7 +2,7 @@ title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port. (Windows 10) description: Describes security event 5158(S) The Windows Filtering Platform has permitted a bind to a local port. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5159.md b/windows/keep-secure/event-5159.md index 0904b2d8d5..02939e687e 100644 --- a/windows/keep-secure/event-5159.md +++ b/windows/keep-secure/event-5159.md @@ -2,7 +2,7 @@ title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. (Windows 10) description: Describes security event 5159(F) The Windows Filtering Platform has blocked a bind to a local port. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5168.md b/windows/keep-secure/event-5168.md index f9f2941bb6..44c9fe20cc 100644 --- a/windows/keep-secure/event-5168.md +++ b/windows/keep-secure/event-5168.md @@ -2,7 +2,7 @@ title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10) description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5376.md b/windows/keep-secure/event-5376.md index abf37d856d..16034db84c 100644 --- a/windows/keep-secure/event-5376.md +++ b/windows/keep-secure/event-5376.md @@ -2,7 +2,7 @@ title: 5376(S) Credential Manager credentials were backed up. (Windows 10) description: Describes security event 5376(S) Credential Manager credentials were backed up. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5377.md b/windows/keep-secure/event-5377.md index 7984897329..c50b35c2f4 100644 --- a/windows/keep-secure/event-5377.md +++ b/windows/keep-secure/event-5377.md @@ -2,7 +2,7 @@ title: 5377(S) Credential Manager credentials were restored from a backup. (Windows 10) description: Describes security event 5377(S) Credential Manager credentials were restored from a backup. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5378.md b/windows/keep-secure/event-5378.md index 2de862ac9c..066229425a 100644 --- a/windows/keep-secure/event-5378.md +++ b/windows/keep-secure/event-5378.md @@ -2,7 +2,7 @@ title: 5378(F) The requested credentials delegation was disallowed by policy. (Windows 10) description: Describes security event 5378(F) The requested credentials delegation was disallowed by policy. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5447.md b/windows/keep-secure/event-5447.md index a17127df05..f262a70474 100644 --- a/windows/keep-secure/event-5447.md +++ b/windows/keep-secure/event-5447.md @@ -2,7 +2,7 @@ title: 5447(S) A Windows Filtering Platform filter has been changed. (Windows 10) description: Describes security event 5447(S) A Windows Filtering Platform filter has been changed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5632.md b/windows/keep-secure/event-5632.md index b247130082..0116808357 100644 --- a/windows/keep-secure/event-5632.md +++ b/windows/keep-secure/event-5632.md @@ -2,7 +2,7 @@ title: 5632(S, F) A request was made to authenticate to a wireless network. (Windows 10) description: Describes security event 5632(S, F) A request was made to authenticate to a wireless network. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5633.md b/windows/keep-secure/event-5633.md index f1e46ce4cf..bd4d485c9c 100644 --- a/windows/keep-secure/event-5633.md +++ b/windows/keep-secure/event-5633.md @@ -2,7 +2,7 @@ title: 5633(S, F) A request was made to authenticate to a wired network. (Windows 10) description: Describes security event 5633(S, F) A request was made to authenticate to a wired network. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5712.md b/windows/keep-secure/event-5712.md index 4a935e0272..0b590700ce 100644 --- a/windows/keep-secure/event-5712.md +++ b/windows/keep-secure/event-5712.md @@ -2,7 +2,7 @@ title: 5712(S) A Remote Procedure Call (RPC) was attempted. (Windows 10) description: Describes security event 5712(S) A Remote Procedure Call (RPC) was attempted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5888.md b/windows/keep-secure/event-5888.md index edf33acd92..4e35780a9c 100644 --- a/windows/keep-secure/event-5888.md +++ b/windows/keep-secure/event-5888.md @@ -2,7 +2,7 @@ title: 5888(S) An object in the COM+ Catalog was modified. (Windows 10) description: Describes security event 5888(S) An object in the COM+ Catalog was modified. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5889.md b/windows/keep-secure/event-5889.md index 88eacdbca6..7e24a156f3 100644 --- a/windows/keep-secure/event-5889.md +++ b/windows/keep-secure/event-5889.md @@ -2,7 +2,7 @@ title: 5889(S) An object was deleted from the COM+ Catalog. (Windows 10) description: Describes security event 5889(S) An object was deleted from the COM+ Catalog. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-5890.md b/windows/keep-secure/event-5890.md index 2e41087f62..896689a521 100644 --- a/windows/keep-secure/event-5890.md +++ b/windows/keep-secure/event-5890.md @@ -2,7 +2,7 @@ title: 5890(S) An object was added to the COM+ Catalog. (Windows 10) description: Describes security event 5890(S) An object was added to the COM+ Catalog. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6144.md b/windows/keep-secure/event-6144.md index 89777613cc..1bcff85f12 100644 --- a/windows/keep-secure/event-6144.md +++ b/windows/keep-secure/event-6144.md @@ -2,7 +2,7 @@ title: 6144(S) Security policy in the group policy objects has been applied successfully. (Windows 10) description: Describes security event 6144(S) Security policy in the group policy objects has been applied successfully. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6145.md b/windows/keep-secure/event-6145.md index 440684ab1d..5566da1217 100644 --- a/windows/keep-secure/event-6145.md +++ b/windows/keep-secure/event-6145.md @@ -2,7 +2,7 @@ title: 6145(F) One or more errors occurred while processing security policy in the group policy objects. (Windows 10) description: Describes security event 6145(F) One or more errors occurred while processing security policy in the group policy objects. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6281.md b/windows/keep-secure/event-6281.md index 3e5e8b369e..5f76bd8681 100644 --- a/windows/keep-secure/event-6281.md +++ b/windows/keep-secure/event-6281.md @@ -2,7 +2,7 @@ title: 6281(F) Code Integrity determined that the page hashes of an image file are not valid. (Windows 10) description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file are not valid. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6400.md b/windows/keep-secure/event-6400.md index 3dfd20b90a..814cd9ffca 100644 --- a/windows/keep-secure/event-6400.md +++ b/windows/keep-secure/event-6400.md @@ -2,7 +2,7 @@ title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. (Windows 10) description: Describes security event 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6401.md b/windows/keep-secure/event-6401.md index d9f9af15e8..f7d1d86945 100644 --- a/windows/keep-secure/event-6401.md +++ b/windows/keep-secure/event-6401.md @@ -2,7 +2,7 @@ title: 6401(-) BranchCache Received invalid data from a peer. Data discarded. (Windows 10) description: Describes security event 6401(-) BranchCache Received invalid data from a peer. Data discarded. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6402.md b/windows/keep-secure/event-6402.md index 1aacc012a3..95d011d2ac 100644 --- a/windows/keep-secure/event-6402.md +++ b/windows/keep-secure/event-6402.md @@ -2,7 +2,7 @@ title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. (Windows 10) description: Describes security event 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6403.md b/windows/keep-secure/event-6403.md index 60b2123425..bead5c33d0 100644 --- a/windows/keep-secure/event-6403.md +++ b/windows/keep-secure/event-6403.md @@ -2,7 +2,7 @@ title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. (Windows 10) description: Describes security event 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6404.md b/windows/keep-secure/event-6404.md index 2cdc4ef54c..b01dff56dd 100644 --- a/windows/keep-secure/event-6404.md +++ b/windows/keep-secure/event-6404.md @@ -2,7 +2,7 @@ title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. (Windows 10) description: Describes security event 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6405.md b/windows/keep-secure/event-6405.md index 696f837a08..e17b4ca9f4 100644 --- a/windows/keep-secure/event-6405.md +++ b/windows/keep-secure/event-6405.md @@ -2,7 +2,7 @@ title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred. (Windows 10) description: Describes security event 6405(-) BranchCache %2 instance(s) of event id %1 occurred. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6406.md b/windows/keep-secure/event-6406.md index ca1f2b9601..0d964b060b 100644 --- a/windows/keep-secure/event-6406.md +++ b/windows/keep-secure/event-6406.md @@ -2,7 +2,7 @@ title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. (Windows 10) description: Describes security event 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6407.md b/windows/keep-secure/event-6407.md index 30149be4fd..98a71f5c1c 100644 --- a/windows/keep-secure/event-6407.md +++ b/windows/keep-secure/event-6407.md @@ -2,7 +2,7 @@ title: 6407(-) 1%. (Windows 10) description: Describes security event 6407(-) 1%. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6408.md b/windows/keep-secure/event-6408.md index f968473bbd..29b4a1f469 100644 --- a/windows/keep-secure/event-6408.md +++ b/windows/keep-secure/event-6408.md @@ -2,7 +2,7 @@ title: 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. (Windows 10) description: Describes security event 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6409.md b/windows/keep-secure/event-6409.md index bc69be15aa..7716be0032 100644 --- a/windows/keep-secure/event-6409.md +++ b/windows/keep-secure/event-6409.md @@ -2,7 +2,7 @@ title: 6409(-) BranchCache A service connection point object could not be parsed. (Windows 10) description: Describes security event 6409(-) BranchCache A service connection point object could not be parsed. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6410.md b/windows/keep-secure/event-6410.md index 95a4a6daed..b0a4c89708 100644 --- a/windows/keep-secure/event-6410.md +++ b/windows/keep-secure/event-6410.md @@ -2,7 +2,7 @@ title: 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. (Windows 10) description: Describes security event 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6416.md b/windows/keep-secure/event-6416.md index 18237f7cc4..9f93d86eb0 100644 --- a/windows/keep-secure/event-6416.md +++ b/windows/keep-secure/event-6416.md @@ -2,7 +2,7 @@ title: 6416(S) A new external device was recognized by the System. (Windows 10) description: Describes security event 6416(S) A new external device was recognized by the System. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6419.md b/windows/keep-secure/event-6419.md index c34be4a0ec..b874b2ea54 100644 --- a/windows/keep-secure/event-6419.md +++ b/windows/keep-secure/event-6419.md @@ -2,7 +2,7 @@ title: 6419(S) A request was made to disable a device. (Windows 10) description: Describes security event 6419(S) A request was made to disable a device. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6420.md b/windows/keep-secure/event-6420.md index cc5ae0a245..ec339814ea 100644 --- a/windows/keep-secure/event-6420.md +++ b/windows/keep-secure/event-6420.md @@ -2,7 +2,7 @@ title: 6420(S) A device was disabled. (Windows 10) description: Describes security event 6420(S) A device was disabled. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6421.md b/windows/keep-secure/event-6421.md index ec9290968a..ea9ce9c6a5 100644 --- a/windows/keep-secure/event-6421.md +++ b/windows/keep-secure/event-6421.md @@ -2,7 +2,7 @@ title: 6421(S) A request was made to enable a device. (Windows 10) description: Describes security event 6421(S) A request was made to enable a device. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6422.md b/windows/keep-secure/event-6422.md index c001a3c903..fb59fad3bf 100644 --- a/windows/keep-secure/event-6422.md +++ b/windows/keep-secure/event-6422.md @@ -2,7 +2,7 @@ title: 6422(S) A device was enabled. (Windows 10) description: Describes security event 6422(S) A device was enabled. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6423.md b/windows/keep-secure/event-6423.md index 1145307d13..09e75dc4cd 100644 --- a/windows/keep-secure/event-6423.md +++ b/windows/keep-secure/event-6423.md @@ -2,7 +2,7 @@ title: 6423(S) The installation of this device is forbidden by system policy. (Windows 10) description: Describes security event 6423(S) The installation of this device is forbidden by system policy. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/event-6424.md b/windows/keep-secure/event-6424.md index 10c2a2eb9e..a91d282a95 100644 --- a/windows/keep-secure/event-6424.md +++ b/windows/keep-secure/event-6424.md @@ -2,7 +2,7 @@ title: 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. (Windows 10) description: Describes security event 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/keep-secure/other-events.md b/windows/keep-secure/other-events.md index 020addb187..6a5cf852d1 100644 --- a/windows/keep-secure/other-events.md +++ b/windows/keep-secure/other-events.md @@ -2,7 +2,7 @@ title: Other Events (Windows 10) description: Describes the Other Events auditing subcategory. ms.pagetype: security -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: Mir0sh diff --git a/windows/manage/acquire-apps-windows-store-for-business.md b/windows/manage/acquire-apps-windows-store-for-business.md index 8e22322f1c..47dc081e5c 100644 --- a/windows/manage/acquire-apps-windows-store-for-business.md +++ b/windows/manage/acquire-apps-windows-store-for-business.md @@ -1,7 +1,7 @@ --- title: Acquire apps in Windows Store for Business (Windows 10) description: As an admin, you can acquire apps from the Windows Store for Business for your employees. Some apps are free, and some have a price. For info on app types that are supported, see Apps in the Windows Store for Business. -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library --- diff --git a/windows/manage/add-unsigned-app-to-code-integrity-policy.md b/windows/manage/add-unsigned-app-to-code-integrity-policy.md index 538034d0f2..8ccdfd7c62 100644 --- a/windows/manage/add-unsigned-app-to-code-integrity-policy.md +++ b/windows/manage/add-unsigned-app-to-code-integrity-policy.md @@ -2,7 +2,7 @@ title: Add unsigned app to code integrity policy (Windows 10) description: When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. ms.assetid: 580E18B1-2FFD-4EE4-8CC5-6F375BE224EA -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/administrative-tools-in-windows-10.md b/windows/manage/administrative-tools-in-windows-10.md index 5019f298d8..cc42197767 100644 --- a/windows/manage/administrative-tools-in-windows-10.md +++ b/windows/manage/administrative-tools-in-windows-10.md @@ -2,7 +2,7 @@ title: Administrative Tools in Windows 10 (Windows 10) description: Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md index 245d15cac1..16923a2b15 100644 --- a/windows/manage/app-inventory-managemement-windows-store-for-business.md +++ b/windows/manage/app-inventory-managemement-windows-store-for-business.md @@ -2,7 +2,7 @@ title: App inventory management for Windows Store for Business (Windows 10) description: You can manage all apps that you've acquired on your Inventory page. ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/application-development-for-windows-as-a-service.md b/windows/manage/application-development-for-windows-as-a-service.md index cffbdd7092..5b8fc04a92 100644 --- a/windows/manage/application-development-for-windows-as-a-service.md +++ b/windows/manage/application-development-for-windows-as-a-service.md @@ -2,7 +2,7 @@ title: Application development for Windows as a service (Windows 10) description: In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. ms.assetid: 28E0D103-B0EE-4B14-8680-6F30BD373ACF -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/manage/apps-in-windows-store-for-business.md b/windows/manage/apps-in-windows-store-for-business.md index 30d0677d94..bd94b6ad6f 100644 --- a/windows/manage/apps-in-windows-store-for-business.md +++ b/windows/manage/apps-in-windows-store-for-business.md @@ -2,7 +2,7 @@ title: Apps in Windows Store for Business (Windows 10) description: Windows Store for Business has thousands of apps from many different categories. ms.assetid: CC5641DA-3CEA-4950-AD81-1AF1AE876926 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/assign-apps-to-employees.md b/windows/manage/assign-apps-to-employees.md index c6e8393f30..e3be271bfd 100644 --- a/windows/manage/assign-apps-to-employees.md +++ b/windows/manage/assign-apps-to-employees.md @@ -2,7 +2,7 @@ title: Assign apps to employees (Windows 10) description: Administrators can assign online-licensed apps to employees in their organization. ms.assetid: A0DF4EC2-BE33-41E1-8832-DBB0EBECA31A -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 3035b4bb6c..5bdd320fd8 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -2,7 +2,7 @@ title: Change history for Manage and update Windows 10 (Windows 10) description: This topic lists new and updated topics in the Manage and update Windows 10 documentation for Windows 10 and Windows 10 Mobile. ms.assetid: 29144AFA-1DA9-4532-B07D-1EBE34B7E1E0 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/manage/changes-to-start-policies-in-windows-10.md index 30a8c0a870..8697ff8945 100644 --- a/windows/manage/changes-to-start-policies-in-windows-10.md +++ b/windows/manage/changes-to-start-policies-in-windows-10.md @@ -3,7 +3,7 @@ title: Changes to Group Policy settings for Windows 10 Start (Windows 10) description: Windows 10 has a brand new Start experience. ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F keywords: ["group policy", "start menu", "start screen"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/manage/configure-devices-without-mdm.md index 82e3420ae6..11dd816f58 100644 --- a/windows/manage/configure-devices-without-mdm.md +++ b/windows/manage/configure-devices-without-mdm.md @@ -3,7 +3,7 @@ title: Configure devices without MDM (Windows 10) description: Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10. ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E keywords: ["runtime provisioning", "provisioning package"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/configure-mdm-provider-windows-store-for-business.md b/windows/manage/configure-mdm-provider-windows-store-for-business.md index 2b94aba619..d187a3674a 100644 --- a/windows/manage/configure-mdm-provider-windows-store-for-business.md +++ b/windows/manage/configure-mdm-provider-windows-store-for-business.md @@ -2,7 +2,7 @@ title: Configure an MDM provider (Windows 10) description: For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Windows Store for Business inventory to manage apps with offline licenses. ms.assetid: B3A45C8C-A96C-4254-9659-A9B364784673 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/manage/customize-and-export-start-layout.md index 4d1f382a15..bd7b75c0fd 100644 --- a/windows/manage/customize-and-export-start-layout.md +++ b/windows/manage/customize-and-export-start-layout.md @@ -3,7 +3,7 @@ title: Customize and export Start layout (Windows 10) description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. ms.assetid: CA8DF327-5DD4-452F-9FE5-F17C514B6236 keywords: ["start screen"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md index 614edb4d66..bf5aed9ec4 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md @@ -3,7 +3,7 @@ title: Customize Windows 10 Start with Group Policy (Windows 10) description: In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 keywords: ["Start layout", "start menu", "layout", "group policy"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md index d3c9160101..a0ad00415a 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -3,7 +3,7 @@ title: Customize Windows 10 Start with mobile device management (MDM) (Windows 1 description: In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 keywords: ["start screen", "start menu"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 3af066fdac..cc0c54d783 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -3,7 +3,7 @@ title: Customize Windows 10 Start with ICD and provisioning packages (Windows 10 description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC keywords: ["Start layout", "start menu"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/device-guard-signing-portal.md b/windows/manage/device-guard-signing-portal.md index 4604411897..c511f4b081 100644 --- a/windows/manage/device-guard-signing-portal.md +++ b/windows/manage/device-guard-signing-portal.md @@ -2,7 +2,7 @@ title: Device Guard signing (Windows 10) description: Device Guard signing is a Device Guard feature that is available in the Windows Store for Business. ms.assetid: 8D9CD2B9-5FC6-4C3D-AA96-F135AFEEBB78 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/distribute-apps-from-your-private-store.md b/windows/manage/distribute-apps-from-your-private-store.md index d751c6d2f2..07e519edc4 100644 --- a/windows/manage/distribute-apps-from-your-private-store.md +++ b/windows/manage/distribute-apps-from-your-private-store.md @@ -2,7 +2,7 @@ title: Distribute apps using your private store (Windows 10) description: The private store is a feature in Windows Store for Business that organizations receive during the sign up process. ms.assetid: C4644035-845C-4C84-87F0-D87EA8F5BA19 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md b/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md index 28f762ec11..1c58d0489a 100644 --- a/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md +++ b/windows/manage/distribute-apps-to-your-employees-windows-store-for-business.md @@ -2,7 +2,7 @@ title: Distribute apps to your employees from the Windows Store for Business (Windows 10) description: Distribute apps to your employees from Windows Store for Business. You can assign apps to employees, or let employees install them from your private store. ms.assetid: E591497C-6DFA-49C1-8329-4670F2164E9E -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/distribute-apps-with-management-tool.md b/windows/manage/distribute-apps-with-management-tool.md index 37824f30c5..65abfa89d6 100644 --- a/windows/manage/distribute-apps-with-management-tool.md +++ b/windows/manage/distribute-apps-with-management-tool.md @@ -2,7 +2,7 @@ title: Distribute apps with a management tool (Windows 10) description: You can configure a mobile device management (MDM) tool to synchronize your Store for Business inventory. Store for Business management tool services work with MDM tools to manage content. ms.assetid: 006F5FB1-E688-4769-BD9A-CFA6F5829016 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md index 8cb184da6b..82c3720714 100644 --- a/windows/manage/distribute-offline-apps.md +++ b/windows/manage/distribute-offline-apps.md @@ -2,7 +2,7 @@ title: Distribute offline apps (Windows 10) description: Offline licensing is a new licensing option for Windows 10. ms.assetid: 6B9F6876-AA66-4EE4-A448-1371511AC95E -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/find-and-acquire-apps-overview.md b/windows/manage/find-and-acquire-apps-overview.md index dbb7882835..28a4e36fef 100644 --- a/windows/manage/find-and-acquire-apps-overview.md +++ b/windows/manage/find-and-acquire-apps-overview.md @@ -2,7 +2,7 @@ title: Find and acquire apps (Windows 10) description: Use the Windows Store for Business to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization. ms.assetid: 274A5003-5F15-4635-BB8B-953953FD209A -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index 5d5f71e9f1..8a39c49e60 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md @@ -1,7 +1,7 @@ --- title: Group Policies that apply only to Windows 10 Enterprise and Education Editions (Windows 10) description: Use this topic to learn about Group Policy objects that apply only to Windows 10 Enterprise and Windows 10 Education. -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library --- diff --git a/windows/manage/how-it-pros-can-use-configuration-service-providers.md b/windows/manage/how-it-pros-can-use-configuration-service-providers.md index 463a578534..bab2563813 100644 --- a/windows/manage/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/manage/how-it-pros-can-use-configuration-service-providers.md @@ -2,7 +2,7 @@ title: Introduction to configuration service providers (CSPs) for IT pros (Windows 10) description: Configuration service providers (CSPs) expose device configuration settings in Windows 10. ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/index.md b/windows/manage/index.md index 412bfc3d9b..fa16723bc3 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -3,7 +3,7 @@ title: Manage and update Windows 10 (Windows 10) description: Learn about managing and updating Windows 10. ms.assetid: E5716355-02AB-4B75-A962-14B1A7F7BDA0 keywords: Windows 10, MDM, WSUS, Windows update -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md index 0c6c2ab9a6..4a7499aac7 100644 --- a/windows/manage/introduction-to-windows-10-servicing.md +++ b/windows/manage/introduction-to-windows-10-servicing.md @@ -3,7 +3,7 @@ title: Windows 10 servicing options for updates and upgrades (Windows 10) description: This article describes the new servicing options available in Windows 10. ms.assetid: D1DEB7C0-283F-4D7F-9A11-EE16CB242B42 keywords: update, LTSB, lifecycle, Windows update, upgrade -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md index cd798c3163..876c02620c 100644 --- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md +++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md @@ -2,7 +2,7 @@ title: Join Windows 10 Mobile to Azure Active Directory (Windows 10) description: Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). ms.assetid: 955DD9EC-3519-4752-827E-79CEB1EC8D6B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/lock-down-windows-10-to-specific-apps.md b/windows/manage/lock-down-windows-10-to-specific-apps.md index 095f7b1bbf..800fe35493 100644 --- a/windows/manage/lock-down-windows-10-to-specific-apps.md +++ b/windows/manage/lock-down-windows-10-to-specific-apps.md @@ -3,7 +3,7 @@ title: Lock down Windows 10 to specific apps (Windows 10) description: Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 keywords: ["lockdown", "app restrictions", "applocker"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md index 61004d8822..4c11f7b7ce 100644 --- a/windows/manage/lock-down-windows-10.md +++ b/windows/manage/lock-down-windows-10.md @@ -3,7 +3,7 @@ title: Lock down Windows 10 (Windows 10) description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device. ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D keywords: lockdown -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md index 616e800b95..3baacaad11 100644 --- a/windows/manage/lockdown-xml.md +++ b/windows/manage/lockdown-xml.md @@ -2,7 +2,7 @@ title: Configure Windows 10 Mobile using Lockdown XML (Windows 10) description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. ms.assetid: 22C8F654-2EC3-4E6D-8666-1EA9FCF90F5F -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/manage-apps-windows-store-for-business-overview.md b/windows/manage/manage-apps-windows-store-for-business-overview.md index f763f788bf..faaed20b58 100644 --- a/windows/manage/manage-apps-windows-store-for-business-overview.md +++ b/windows/manage/manage-apps-windows-store-for-business-overview.md @@ -2,7 +2,7 @@ title: Manage apps in Windows Store for Business (Windows 10) description: Manage settings and access to apps in Windows Store for Business. ms.assetid: 2F65D4C3-B02C-41CC-92F0-5D9937228202 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 616f93dc73..b1a2217df3 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -3,7 +3,7 @@ title: Manage connections from Windows operating system components to Microsoft description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 keywords: privacy, manage connections to Microsoft -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library --- diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md index bbfa571b02..87b3a7684b 100644 --- a/windows/manage/manage-corporate-devices.md +++ b/windows/manage/manage-corporate-devices.md @@ -3,7 +3,7 @@ title: Manage corporate devices (Windows 10) description: You can use the same management tools to manage all device types running Windows 10 desktops, laptops, tablets, and phones. ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D keywords: ["MDM", "device management"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md index 0a364336aa..8535d16d65 100644 --- a/windows/manage/manage-inventory-windows-store-for-business.md +++ b/windows/manage/manage-inventory-windows-store-for-business.md @@ -2,7 +2,7 @@ title: Manage inventory in Windows Store for Business (Windows 10) description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses. redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/app-inventory-management-windows-store-for-business -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library --- diff --git a/windows/manage/manage-orders-windows-store-for-business.md b/windows/manage/manage-orders-windows-store-for-business.md index d698699806..bfebed0a7e 100644 --- a/windows/manage/manage-orders-windows-store-for-business.md +++ b/windows/manage/manage-orders-windows-store-for-business.md @@ -1,7 +1,7 @@ --- title: Manage app orders in Windows Store for Business (Windows 10) description: You can view your order history with Windows Store for Business. -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library --- diff --git a/windows/manage/manage-private-store-settings.md b/windows/manage/manage-private-store-settings.md index 835535ff36..dd0d959555 100644 --- a/windows/manage/manage-private-store-settings.md +++ b/windows/manage/manage-private-store-settings.md @@ -2,7 +2,7 @@ title: Manage private store settings (Windows 10) description: The private store is a feature in the Windows Store for Business that organizations receive during the sign up process. ms.assetid: 2D501538-0C6E-4408-948A-2BF5B05F7A0C -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/manage-settings-windows-store-for-business.md b/windows/manage/manage-settings-windows-store-for-business.md index 488b0f26ab..5736a2df33 100644 --- a/windows/manage/manage-settings-windows-store-for-business.md +++ b/windows/manage/manage-settings-windows-store-for-business.md @@ -2,7 +2,7 @@ title: Manage settings for the Windows Store for Business (Windows 10) description: You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant. ms.assetid: E3283D77-4DB2-40A9-9479-DDBC33D5A895 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/manage-users-and-groups-windows-store-for-business.md b/windows/manage/manage-users-and-groups-windows-store-for-business.md index 8621faf1e6..a057ed9e67 100644 --- a/windows/manage/manage-users-and-groups-windows-store-for-business.md +++ b/windows/manage/manage-users-and-groups-windows-store-for-business.md @@ -2,7 +2,7 @@ title: Manage user accounts in Windows Store for Business (Windows 10) description: Windows Store for Business manages permissions with a set of roles. Currently, you can assign these roles to individuals in your organization, but not to groups. ms.assetid: 5E7FA071-CABD-4ACA-8AAE-F549EFCE922F -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/manage-wifi-sense-in-enterprise.md b/windows/manage/manage-wifi-sense-in-enterprise.md index 58d0eadae7..2728a8dd5d 100644 --- a/windows/manage/manage-wifi-sense-in-enterprise.md +++ b/windows/manage/manage-wifi-sense-in-enterprise.md @@ -3,7 +3,7 @@ title: Manage Wi-Fi Sense in your company (Windows 10) description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. ms.assetid: 1845e00d-c4ee-4a8f-a5e5-d00f2735a271 keywords: ["WiFi Sense", "automatically connect to wi-fi", "wi-fi hotspot connection"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: eross-msft diff --git a/windows/manage/new-policies-for-windows-10.md b/windows/manage/new-policies-for-windows-10.md index 7bc7dd8224..2da6a7e615 100644 --- a/windows/manage/new-policies-for-windows-10.md +++ b/windows/manage/new-policies-for-windows-10.md @@ -3,7 +3,7 @@ title: New policies for Windows 10 (Windows 10) description: Windows 10 includes the following new policies for management, in addition to policies that were available for Windows 8.1 and Windows Phone 8.1. ms.assetid: 1F24ABD8-A57A-45EA-BA54-2DA2238C573D keywords: ["MDM", "Group Policy"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/prerequisites-windows-store-for-business.md b/windows/manage/prerequisites-windows-store-for-business.md index b3d9b02599..706b1a93a1 100644 --- a/windows/manage/prerequisites-windows-store-for-business.md +++ b/windows/manage/prerequisites-windows-store-for-business.md @@ -2,7 +2,7 @@ title: Prerequisites for Windows Store for Business (Windows 10) description: There are a few prerequisites for using Windows Store for Business. ms.assetid: CEBC6870-FFDD-48AD-8650-8B0DC6B2651D -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/product-ids-in-windows-10-mobile.md b/windows/manage/product-ids-in-windows-10-mobile.md index 0dcbc397eb..0e9a15a716 100644 --- a/windows/manage/product-ids-in-windows-10-mobile.md +++ b/windows/manage/product-ids-in-windows-10-mobile.md @@ -3,7 +3,7 @@ title: Product IDs in Windows 10 Mobile (Windows 10) description: You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. ms.assetid: 31116BED-C16A-495A-BD44-93218A087A1C keywords: ["lockdown"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/reset-a-windows-10-mobile-device.md b/windows/manage/reset-a-windows-10-mobile-device.md index 40b79a96a5..15d8ead349 100644 --- a/windows/manage/reset-a-windows-10-mobile-device.md +++ b/windows/manage/reset-a-windows-10-mobile-device.md @@ -2,7 +2,7 @@ title: Reset a Windows 10 Mobile device (Windows 10) description: There are two methods for resetting a Windows 10 Mobile device factory reset and \ 0034;wipe and persist \ 0034; reset. ms.assetid: B42A71F4-DFEE-4D6E-A904-7942D1AAB73F -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/roles-and-permissions-windows-store-for-business.md b/windows/manage/roles-and-permissions-windows-store-for-business.md index fae343dfca..6906e95ed6 100644 --- a/windows/manage/roles-and-permissions-windows-store-for-business.md +++ b/windows/manage/roles-and-permissions-windows-store-for-business.md @@ -2,7 +2,7 @@ title: Roles and permissions in Windows Store for Business (Windows 10) description: The first person to sign in to Windows Store for Business must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. ms.assetid: CB6281E1-37B1-4B8B-991D-BC5ED361F1EE -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/manage/set-up-a-device-for-anyone-to-use.md index cc81d0801d..156c44901a 100644 --- a/windows/manage/set-up-a-device-for-anyone-to-use.md +++ b/windows/manage/set-up-a-device-for-anyone-to-use.md @@ -3,7 +3,7 @@ title: Set up a device for anyone to use (kiosk mode) (Windows 10) description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8 keywords: ["kiosk", "lockdown", "assigned access"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index 55945ea84b..2c481fd829 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -3,7 +3,7 @@ title: Set up a kiosk on Windows 10 Pro, Enterprise, or Education (Windows 10) description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC keywords: ["assigned access", "kiosk", "lockdown"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index bc918aae23..6b5f7c60df 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md @@ -3,7 +3,7 @@ title: Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise (Wind description: A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. ms.assetid: 35EC82D8-D9E8-45C3-84E9-B0C8C167BFF7 keywords: ["kiosk", "lockdown", "assigned access"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/settings-reference-windows-store-for-business.md b/windows/manage/settings-reference-windows-store-for-business.md index b3b1cf9083..7cf2f724c9 100644 --- a/windows/manage/settings-reference-windows-store-for-business.md +++ b/windows/manage/settings-reference-windows-store-for-business.md @@ -2,7 +2,7 @@ title: Settings reference Windows Store for Business (Windows 10) description: The Windows Store for Business has a group of settings that admins use to manage the store. ms.assetid: 34F7FA2B-B848-454B-AC00-ECA49D87B678 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/manage/settings-that-can-be-locked-down.md index 09b88d9160..325b33fcb7 100644 --- a/windows/manage/settings-that-can-be-locked-down.md +++ b/windows/manage/settings-that-can-be-locked-down.md @@ -3,7 +3,7 @@ title: Settings and quick actions that can be locked down in Windows 10 Mobile ( description: This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. ms.assetid: 69E2F202-D32B-4FAC-A83D-C3051DF02185 keywords: ["lockdown"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md b/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md index 45cf03f80d..4fc6b81da0 100644 --- a/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md +++ b/windows/manage/sign-code-integrity-policy-with-device-guard-signing.md @@ -2,7 +2,7 @@ title: Sign code integrity policy with Device Guard signing (Windows 10) description: Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. ms.assetid: 63B56B8B-2A40-44B5-B100-DC50C43D20A9 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/sign-up-windows-store-for-business-overview.md b/windows/manage/sign-up-windows-store-for-business-overview.md index 382b317a88..5aeff64c06 100644 --- a/windows/manage/sign-up-windows-store-for-business-overview.md +++ b/windows/manage/sign-up-windows-store-for-business-overview.md @@ -2,7 +2,7 @@ title: Sign up and get started (Windows 10) description: IT admins can sign up for the Windows Store for Business, and get started working with apps. ms.assetid: 87C6FA60-3AB9-4152-A85C-6A1588A20C7B -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/sign-up-windows-store-for-business.md b/windows/manage/sign-up-windows-store-for-business.md index bbbb7df639..cd31dc1d15 100644 --- a/windows/manage/sign-up-windows-store-for-business.md +++ b/windows/manage/sign-up-windows-store-for-business.md @@ -2,7 +2,7 @@ title: Sign up for Windows Store for Business (Windows 10) description: Before you sign up for Windows Store for Business, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization. ms.assetid: 296AAC02-5C79-4999-B221-4F5F8CEA1F12 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/manage/stop-employees-from-using-the-windows-store.md index a8e3f58f0b..7b3cb2aa7b 100644 --- a/windows/manage/stop-employees-from-using-the-windows-store.md +++ b/windows/manage/stop-employees-from-using-the-windows-store.md @@ -2,7 +2,7 @@ title: Configure access to Windows Store (Windows 10) description: IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/troubleshoot-windows-store-for-business.md b/windows/manage/troubleshoot-windows-store-for-business.md index 0c9404bb5a..f39d0bcdbf 100644 --- a/windows/manage/troubleshoot-windows-store-for-business.md +++ b/windows/manage/troubleshoot-windows-store-for-business.md @@ -2,7 +2,7 @@ title: Troubleshoot Windows Store for Business (Windows 10) description: Troubleshooting topics for Windows Store for Business. ms.assetid: 243755A3-9B20-4032-9A77-2207320A242A -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md index 0150a4f7e4..613556110e 100644 --- a/windows/manage/update-windows-store-for-business-account-settings.md +++ b/windows/manage/update-windows-store-for-business-account-settings.md @@ -1,7 +1,7 @@ --- title: Update Windows Store for Business account settings (Windows 10) description: The Account information page in Windows Store for Business shows information about your organization that you can update, including country or region, organization name, default domain, and language preference. -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/windows-10-mobile-and-mdm.md b/windows/manage/windows-10-mobile-and-mdm.md index a818238913..6e48f9f183 100644 --- a/windows/manage/windows-10-mobile-and-mdm.md +++ b/windows/manage/windows-10-mobile-and-mdm.md @@ -3,7 +3,7 @@ title: Windows 10 Mobile and mobile device management (Windows 10) description: This guide provides an overview of the mobile device and app management technologies in the Windows 10 Mobile operating system. ms.assetid: 6CAA1004-CB65-4FEC-9B84-61AAD2125E5E keywords: telemetry, BYOD, MDM -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile; devices diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md index 5a0c3eadfe..34e40d5095 100644 --- a/windows/manage/windows-10-start-layout-options-and-policies.md +++ b/windows/manage/windows-10-start-layout-options-and-policies.md @@ -3,7 +3,7 @@ title: Manage Windows 10 Start layout options (Windows 10) description: Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A keywords: ["start screen", "start menu"] -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: jdeckerMS diff --git a/windows/manage/windows-store-for-business.md b/windows/manage/windows-store-for-business.md index b718c7ace7..b30c16566a 100644 --- a/windows/manage/windows-store-for-business.md +++ b/windows/manage/windows-store-for-business.md @@ -2,7 +2,7 @@ title: Windows Store for Business (Windows 10) description: Welcome to the Windows Store for Business You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. ms.assetid: 527E611E-4D47-44F0-9422-DCC2D1ACBAB8 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md index 2700a1f83a..e3bfdb63b7 100644 --- a/windows/manage/working-with-line-of-business-apps.md +++ b/windows/manage/working-with-line-of-business-apps.md @@ -2,7 +2,7 @@ title: Working with line-of-business apps (Windows 10) description: Your company can make line-of-business (LOB) applications available through Windows Store for Business. These apps are custom to your company – they might be internal business apps, or apps specific to your business or industry. ms.assetid: 95EB7085-335A-447B-84BA-39C26AEB5AC7 -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: TrudyHa diff --git a/windows/plan/deployment-considerations-for-windows-to-go.md b/windows/plan/deployment-considerations-for-windows-to-go.md index da2f4412e7..5ef6884c18 100644 --- a/windows/plan/deployment-considerations-for-windows-to-go.md +++ b/windows/plan/deployment-considerations-for-windows-to-go.md @@ -3,7 +3,7 @@ title: Deployment considerations for Windows To Go (Windows 10) description: Deployment considerations for Windows To Go ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e keywords: deploy, mobile, device, USB, boot, image, workspace, driver -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.pagetype: mobility ms.sitesec: library From 526658c523cad7d9758766e788db3bc4acc1011c Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 2 Jun 2016 15:45:20 -0700 Subject: [PATCH 17/26] fix TOC --- windows/deploy/TOC.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 6abf80bb3f..f31672bb81 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md @@ -137,5 +137,5 @@ ###### [XML Elements Library](usmt-xml-elements-library.md) ##### [Offline Migration Reference](offline-migration-reference.md) ## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) -# [Keep Windows 10 secure](.../keep-secure/index.md) -# [Manage and update Windows 10](.../manage/index.md) \ No newline at end of file +# [Keep Windows 10 secure](../keep-secure/index.md) +# [Manage and update Windows 10](../manage/index.md) \ No newline at end of file From f431cb982656bf9712abd9e85de4bab5c81908a0 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 2 Jun 2016 15:46:46 -0700 Subject: [PATCH 18/26] adding to change history --- .../change-history-for-keep-windows-10-secure.md | 6 ++++++ .../keep-secure/windows-firewall-with-advanced-security.md | 6 +++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 53fc6a0ef7..98ab141f25 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -12,6 +12,12 @@ author: brianlic-msft # Change history for Keep Windows 10 secure This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## June 2016 + +|New or changed topic | Description | +|----------------------|-------------| +| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New | + ## May 2016 |New or changed topic | Description | diff --git a/windows/keep-secure/windows-firewall-with-advanced-security.md b/windows/keep-secure/windows-firewall-with-advanced-security.md index 3adc42213a..51c6967315 100644 --- a/windows/keep-secure/windows-firewall-with-advanced-security.md +++ b/windows/keep-secure/windows-firewall-with-advanced-security.md @@ -1,6 +1,6 @@ --- -title: Windows Firewall with Advanced Security Overview (Windows 10) -description: Windows Firewall with Advanced Security Overview +title: Windows Firewall with Advanced Security (Windows 10) +description: Windows Firewall with Advanced Security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -8,7 +8,7 @@ ms.pagetype: security author: brianlic-msft --- -# Windows Firewall with Advanced Security Overview +# Windows Firewall with Advanced Security **Applies to** - Windows 10 From 7d0722228fc029ba23ff78245bbeafeb04bc0327 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 2 Jun 2016 15:58:04 -0700 Subject: [PATCH 19/26] added security monitoring reference topics to change history --- windows/keep-secure/change-history-for-keep-windows-10-secure.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 98ab141f25..ccdef718f0 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -17,6 +17,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| | [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New | +| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics | ## May 2016 From 930370b5644f4b652172f2312e99b32ae5cf7903 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 2 Jun 2016 16:07:04 -0700 Subject: [PATCH 20/26] adding WFAS to links table in security technologies topic --- windows/keep-secure/security-technologies.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md index 39c9eedbb3..19a6af38ba 100644 --- a/windows/keep-secure/security-technologies.md +++ b/windows/keep-secure/security-technologies.md @@ -24,6 +24,7 @@ Learn more about the different security technologies that are available in Windo | [User Account Control](user-account-control-overview.md)| User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.| | [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)| Windows Defender Advanced Threat Protection (Windows Defender ATP) is an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.| | [Windows Defender in Windows 10](windows-defender-in-windows-10.md)| This topic provides an overview of Windows Defender, including a list of system requirements and new features.| +| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) | Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. |     From 893d4bde5caa58c336c4991aab49756b8de3e028 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 2 Jun 2016 16:44:26 -0700 Subject: [PATCH 21/26] moving change history again --- windows/deploy/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deploy/index.md b/windows/deploy/index.md index 4e09532aaf..c6b8e27ed1 100644 --- a/windows/deploy/index.md +++ b/windows/deploy/index.md @@ -15,6 +15,7 @@ Learn about deploying Windows 10 for IT professionals. |Topic |Description | |------|------------| +|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. | |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. | @@ -28,7 +29,7 @@ Learn about deploying Windows 10 for IT professionals. |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) |Sideload line-of-business apps in Windows 10. | |[Volume Activation [client]](volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. | |[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. | -|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | + ## Related topics - [Windows 10 and Windows 10 Mobile](../index.md) From 1329435b6ffacf5b118b479f3092f0a5aa865b9f Mon Sep 17 00:00:00 2001 From: saldana Date: Thu, 2 Jun 2016 17:17:56 -0700 Subject: [PATCH 22/26] Delete index.md --- education/index.md | 1 - 1 file changed, 1 deletion(-) delete mode 100644 education/index.md diff --git a/education/index.md b/education/index.md deleted file mode 100644 index 0bd9ced4cc..0000000000 --- a/education/index.md +++ /dev/null @@ -1 +0,0 @@ -#OP Testing file From e7aff2f5a5aa15ae0e6e6eb113d0ded70c215bea Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 2 Jun 2016 17:54:32 -0700 Subject: [PATCH 23/26] added office support statement --- windows/deploy/usmt-technical-reference.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deploy/usmt-technical-reference.md b/windows/deploy/usmt-technical-reference.md index 5bdf666976..17380ccbb3 100644 --- a/windows/deploy/usmt-technical-reference.md +++ b/windows/deploy/usmt-technical-reference.md @@ -13,6 +13,8 @@ The User State Migration Tool (USMT) 10.0 is included with the Windows Assessme Download the Windows ADK [from this website](http://go.microsoft.com/fwlink/p/?LinkID=526803). +**Note**: USMT version 10.1.10586 supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013. + USMT 10.0 includes three command-line tools: - ScanState.exe From c52e38303fa7d09e4ba8557ac97f912ddd7a421f Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 2 Jun 2016 18:07:59 -0700 Subject: [PATCH 24/26] updated changelog --- windows/deploy/change-history-for-deploy-windows-10.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index ef6b329f37..ce380b474a 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md @@ -15,6 +15,7 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc | New or changed topic | Description | |----------------------|-------------| | [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New | +| [User State Migration Tool Technical Reference](usmt-technical-reference.md) | Updated | ## May 2016 | New or changed topic | Description | From 9295197ecd3c42cf32fbfbbf65b00d000b9ba9bb Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Fri, 3 Jun 2016 04:14:38 -0700 Subject: [PATCH 25/26] changed link from 8.1 ADK to 10 --- windows/deploy/configure-a-pxe-server-to-load-windows-pe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md index a304a10c23..b1c649a58a 100644 --- a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md @@ -21,7 +21,7 @@ This walkthrough describes how to configure a PXE server to load Windows PE by ## Prerequisites -- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](https://www.microsoft.com/en-us/download/details.aspx?id=39982) (Windows ADK) installed. +- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](http://go.microsoft.com/fwlink/p/?LinkId=526740) (Windows ADK) installed. - A DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests is required. - A PXE server: A server running the TFTP service that can host Windows PE boot files that the client will download. - A file server: A server hosting a network file share. From b2eaf641df05cde3f9ca69bfe6c2dab57cefcc33 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Fri, 3 Jun 2016 04:49:03 -0700 Subject: [PATCH 26/26] fix slash literal --- windows/deploy/configure-a-pxe-server-to-load-windows-pe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md index b1c649a58a..0fbc6b75e9 100644 --- a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md @@ -59,7 +59,7 @@ All four of the roles specified above can be hosted on the same computer or each ``` Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount ``` -5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of \\PXE-1\TFTPRoot: +5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of \\\PXE-1\TFTPRoot: ``` net use y: \\PXE-1\TFTPRoot