fixing spacing issues

This commit is contained in:
Brian Lich 2016-05-19 14:52:11 -07:00
parent bfa34cacc3
commit eb9290389d
85 changed files with 2243 additions and 3427 deletions

View File

@ -2,20 +2,28 @@
title: AD DS schema extensions to support TPM backup (Windows 10)
description: This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization.
ms.assetid: beb7097c-e674-4eab-b8e2-6f67c85d1f3f
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AD DS schema extensions to support TPM backup
**Applies to**
- Windows 10
This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization.
## Why a schema extension is needed
The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. The following are the two schema extensions that you can use to bring your Windows Server 2008 R2 domain to parity with Windows Server 2012:
### <a href="" id="tpmschemaextension-ldf-"></a>TpmSchemaExtension.ldf
This schema extension brings parity with the Windows Server 2012 schema and is required if you want to store the TPM owner authorization value for a computer running Windows 8 in a Windows Server 2008 R2 AD DS domain. With this extension the TPM owner authorization information will be stored in a separate TPM object linked to the corresponding computer object.
``` syntax
#===============================================================================
#
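Review bot: The front matter in this hunk lists `ms.pagetype: security` twice, once before `ms.prod` and again after `ms.sitesec`; if both lines survive in the new file, drop one, since a duplicated YAML key is either silently overwritten or rejected by the build (the same doubled key appears in every file of this commit). Two smaller points on the same lines: the heading `### <a href="" id="tpmschemaextension-ldf-"></a>TpmSchemaExtension.ldf` carries an empty `href=""` and an id ending in a stray hyphen, so `<a id="tpmschemaextension-ldf"></a>` would be cleaner; and `the default schema to backup TPM owner authorization information` uses the noun where the verb `back up` is meant.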
@ -212,11 +220,13 @@ dn: CN=TPM Devices,DC=X
changetype: add
objectClass: msTPM-InformationObjectsContainer
```
You should be aware that only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. If you are planning to support such scenarios, you will need to update the schema further as shown in the schema extension example, TpmSchemaExtensionACLChanges.ldf.
### TpmSchemaExtensionACLChanges.ldf
This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS.
**Important**  
After implementing this schema update, any computer in the domain can update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth). When using this extension, perform a regular backup of the TPM objects and enable auditing to track the changes for these objects.
> **Important**  After implementing this schema update, any computer in the domain can update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth). When using this extension, perform a regular backup of the TPM objects and enable auditing to track the changes for these objects.
 
``` syntax
#===============================================================================
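Review bot: Both forms of the Important callout are present in this hunk, the `**Important**` line followed by its paragraph and the single-line `> **Important**  After implementing this schema update ...` blockquote; make sure the plain version is the one on the deleted side, otherwise the warning renders twice. That callout is the security-relevant part of the file: once TpmSchemaExtensionACLChanges.ldf is applied, any computer in the domain can write the OwnerAuth of any TPM object, which is why the text asks for regular backups of the TPM objects and for auditing of changes to them. It would help readers to name the audit subcategory to enable (for example Directory Service Changes) and to repeat that this ACL extension is only needed for the dual-boot and reimaging scenarios described just above it, so that domains without those scenarios keep the stricter default. Finally, the fence is tagged `syntax`, which no highlighter recognizes; the block is LDIF, so `ldif` or an untagged fence would be accurate.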

View File

@ -2,17 +2,22 @@
title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10)
description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Add rules for packaged apps to existing AppLocker rule-set
**Applies to**
- Windows 10
This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT).
You can create packaged app rules for the computers running Windows Server 2012 or Windows 8 and later in your domain by updating your existing AppLocker rule set. All you need is a computer running at least Windows 8. Download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Download Center.
RSAT comes with the Group Policy Management Console which allows you to edit the GPO or GPOs where your existing AppLocker policy are authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8.
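Review bot: Grammar in `where your existing AppLocker policy are authored`: either `policies are authored` or `policy is authored`. The hunk also ends with two whitespace-only lines; a trailing line containing a single space is exactly the spacing noise this commit sets out to remove, so trim them. On substance, the paragraph says packaged app rules `will be ignored on computers running Windows 7 and earlier`; it is worth stating plainly that a packaged-app rule therefore gives no enforcement on those clients, so an organization that still has them should not treat the updated rule set as covering them.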
 
 

View File

@ -2,90 +2,94 @@
title: Add workstations to domain (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting.
ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Add workstations to domain
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Add workstations to domain** security policy setting.
## Reference
This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to ten workstations to the domain.
Adding a machine account to the domain allows the device to participate in Active Directory-based networking.
Constant: SeMachineAccountPrivilege
### Possible values
- User-defined list of accounts
- Not Defined
### Best practices
- Configure this setting so that only authorized members of the IT team are allowed to add devices to the domain.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignment\\
### Default values
By default, this setting allows access for Authenticated Users on domain controllers, and it is not defined on stand-alone servers.
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not Defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not Defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Not Defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Domain Controller Effective Default Settings</p></td>
<td align="left"><p>Authenticated Users</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Not Defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Not Defined</p></td>
</tr>
</tbody>
</table>
 
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not Defined |
| Default Domain Controller Policy | Not Defined |
| Stand-Alone Server Default Settings | Not Defined |
| Domain Controller Effective Default Settings | Authenticated Users |
| Member Server Effective Default Settings | Not Defined |
| Client Computer Effective Default Settings | Not Defined |
## Policy management
Users can also join a computer to a domain if they have the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of devices to the domain regardless of whether they have the **Add workstations to domain** user right.
Furthermore, machine accounts that are created by means of the **Add workstations to domain** user right have Domain Administrators as the owner of the machine account. Machine accounts that are created by means of permissions on the computers container use the creator as the owner of the machine account. If a user has permissions on the container and also has the **Add workstation to domain** user right, the device is added based on the computer container permissions rather than the user right.
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This policy has the following security considerations:
### Vulnerability
The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization does not want its users to have administrative privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could log on with that account, and then add a personal domain account to the local Administrators group.
The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization does not want its users to have administrative
privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could log on with that account, and then add a personal domain account to the local Administrators group.
### Countermeasure
Configure this setting so that only authorized members of the IT team are allowed to add computers to the domain.
### Potential impact
For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those that have allowed some or all users to configure their own devices, this countermeasure forces the organization to establish a formal process for these procedures going forward. It does not affect existing computers unless they are removed from and then added to the domain.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
- [User Rights Assignment](user-rights-assignment.md)
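Review bot: `policys property page` is missing its apostrophe (`policy's`), apparently lost together with the curly quote during conversion; the same loss recurs in the other files of this commit. This hunk still shows both the HTML `<table>` block and the markdown table for the default values, both copies of the Vulnerability paragraph (one broken mid-sentence between `administrative` and `privileges`, one joined), and both `[User Rights Assignment]` lines under Related topics; confirm the old copy is the deleted side in each case, otherwise each of them renders twice. The table content itself is consistent with the Reference text (Authenticated Users is the effective default on domain controllers, which is the exposure the Vulnerability and Countermeasure sections address), so no content change is needed there.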
 
 

View File

@ -2,101 +2,91 @@
title: Adjust memory quotas for a process (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting.
ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Adjust memory quotas for a process
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Adjust memory quotas for a process** security policy setting.
## Reference
This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis.
This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers.
Constant: SeIncreaseQuotaPrivilege
### Possible values
- User-defined list of accounts
- Not Defined
### Best practices
1. Restrict the **Adjust memory quotas for a process** user right to only users who require the ability to adjust memory quotas to perform their jobs.
2. If this user right is necessary for a user account, it can be assigned to a local machine account instead of to a domain account.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignment\\
### Default values
By default, members of the Administrators, Local Service, and Network Service groups have this right.
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Administrators</p>
<p>Local Service</p>
<p>Network Service</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Administrators</p>
<p>Local Service</p>
<p>Network Service</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Local Service</p>
<p>Network Service</p></td>
</tr>
<tr class="even">
<td align="left"><p>Domain Controller Effective Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Local Service</p>
<p>Network Service</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Local Service</p>
<p>Network Service</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Local Service</p>
<p>Network Service</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Administrators<br>Local Service<br>Network Service |
| Default Domain Controller Policy | Administrators<br>Local Service<br>Network Service |
| Stand-Alone Server Default Settings | Administrators<br>Local Service<br>Network Service |
| Domain Controller Effective Default Settings | Administrators<br>Local Service<br>Network Service |
| Member Server Effective Default Settings | Administrators<br>Local Service<br>Network Service |
| Client Computer Effective Default Settings | Administrators<br>Local Service<br>Network Service |
 
## Policy management
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
A user with the **Adjust memory quotas for a process** privilege can reduce the amount of memory that is available to any process, which could cause business-critical network applications to become slow or to fail. This privilege could be used by a malicious user to start a denial-of-service (DoS) attack.
### Countermeasure
Restrict the **Adjust memory quotas for a process** user right to users who require it to perform their jobs, such as application administrators who maintain database management systems or domain administrators who manage the organization's directory and its supporting infrastructure.
### Potential impact
Organizations that have not restricted users to roles with limited privileges may find it difficult to impose this countermeasure. Also, if you have installed optional components such as ASP.NET or IIS, you may need to assign the **Adjust memory quotas for a process** user right to additional accounts that are required by those components. IIS requires that this privilege be explicitly assigned to the IWAM\_&lt;ComputerName&gt;, Network Service, and Service accounts. Otherwise, this countermeasure should have no impact on most computers. If this user right is necessary for a user account, it can be assigned to a local computer account instead of to a domain account.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
- [User Rights Assignment](user-rights-assignment.md)
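Review bot: Same `policys property page` apostrophe loss as in the other files. In the Potential impact paragraph, `IWAM\_&lt;ComputerName&gt;` mixes a markdown-escaped underscore with HTML entities; now that the table has moved to markdown, a backticked `IWAM_<ComputerName>` is easier to maintain and renders the same. The Best practices list and the last sentence of Potential impact both say the right can be assigned to a local account instead of a domain account; one statement is enough, and it would be more useful to say why (a privilege held by a local account is scoped to that one machine, which bounds the denial-of-service the Vulnerability section describes).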
 
 

View File

@ -2,98 +2,66 @@
title: Administer AppLocker (Windows 10)
description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Administer AppLocker
**Applies to**
- Windows 10
This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. Using AppLocker, you can:
- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
- Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten.
- Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets.
**Note**  
For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
> **Note**  For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
 
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Maintain AppLocker policies](maintain-applocker-policies.md)</p></td>
<td align="left"><p>This topic describes how to maintain rules within AppLocker policies.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Edit an AppLocker policy](edit-an-applocker-policy.md)</p></td>
<td align="left"><p>This topic for IT professionals describes the steps required to modify an AppLocker policy.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)</p></td>
<td align="left"><p>This topic discusses the steps required to test an AppLocker policy prior to deployment.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)</p></td>
<td align="left"><p>This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md)</p></td>
<td align="left"><p>This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)</p></td>
<td align="left"><p>This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Optimize AppLocker performance](optimize-applocker-performance.md)</p></td>
<td align="left"><p>This topic for IT professionals describes how to optimize AppLocker policy enforcement.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)</p></td>
<td align="left"><p>This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)</p></td>
<td align="left"><p>This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Working with AppLocker rules](working-with-applocker-rules.md)</p></td>
<td align="left"><p>This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Working with AppLocker policies](working-with-applocker-policies.md)</p></td>
<td align="left"><p>This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.</p></td>
</tr>
</tbody>
</table>
 
| Topic | Description |
| - | - |
| [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. |
| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. |
| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. |
| [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. |
| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. |
| [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) | This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. |
| [Optimize AppLocker performance](optimize-applocker-performance.md) | This topic for IT professionals describes how to optimize AppLocker policy enforcement. |
| [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. |
| [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. |
| [Working with AppLocker rules](working-with-applocker-rules.md) | This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. |
| [Working with AppLocker policies](working-with-applocker-policies.md) | This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. |
## <a href="" id="bkmk-using-snapins"></a>Using the MMC snap-ins to administer AppLocker
You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc).
### Administer Applocker using Group Policy
You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer.
1. Open the Group Policy Management Console (GPMC).
2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click **Edit**.
3. In the console tree, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for.
### Administer AppLocker on the local PC
1. Click **Start**, type **local security policy**, and then click **Local Security Policy**.
2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
3. In the console tree of the snap-in, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for.
## Using Windows PowerShell to administer AppLocker
For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](http://technet.microsoft.com/library/hh847210.aspx).
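Review bot: Both Note callout forms appear here (`**Note**` with a hard-break line and the `> **Note**` blockquote); keep only the blockquote. The heading `### Administer Applocker using Group Policy` spells the product `Applocker` while every other heading on the page uses `AppLocker`. In the last paragraph, `examples how to administer` should be `examples of how to administer`, and the TechNet link is plain `http://`; use `https://`. The HTML `<table>` and the markdown table for "In this section" are both shown; confirm the HTML one is the deleted side.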
 
 

View File

@ -2,28 +2,39 @@
title: Administer security policy settings (Windows 10)
description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
ms.assetid: 7617d885-9d28-437a-9371-171197407599
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Administer security policy settings
**Applies to**
- Windows 10
This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
Security policy settings should be used as part of your overall security implementation to help secure domain controllers, servers, client devices, and other resources in your organization.
Security settings policies are rules that you can configure on a device, or multiple devices, for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in (Gpedit.msc) allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, and organizational units, and they enable administrators to manage security settings for multiple computers from any device joined to the domain.
Security settings can control:
- User authentication to a network or device.
- The resources that users are permitted to access.
- Whether to record a users or groups actions in the event log.
- Membership in a group.
For info about each setting, including descriptions, default settings, and management and security considerations, see [Security policy settings reference](security-policy-settings-reference.md).
To manage security configurations for multiple computers, you can use one of the following options:
- Edit specific security settings in a GPO.
- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security.
## <a href="" id="what-s-changed-in-how-settings-are-administered-"></a>Whats changed in how settings are administered?
Over time, new ways to manage security policy settings have been introduced, which include new operating system features and the addition of new settings. The following table lists different means by which security policy settings can be administered.
<table>
<colgroup>
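Review bot: Missing apostrophes on two lines of this hunk: `a users or groups actions` should be `a user's or group's actions`, and the heading `Whats changed in how settings are administered?` should be `What's changed`; the anchor id `what-s-changed-in-how-settings-are-administered-` shows the apostrophe was present in the source. That anchor also has the empty `href=""` and trailing hyphen seen in the other files. The doubled `ms.pagetype: security` key in the front matter is the same issue flagged for the first file.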
@ -82,7 +93,9 @@ Over time, new ways to manage security policy settings have been introduced, whi
</table>
 
## <a href="" id="bkmk-secpol"></a>Using the Local Security Policy snap-in
The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features:
- Account Policies
- Local Policies
- Windows Firewall with Advanced Security
@ -92,26 +105,40 @@ The Local Security Policy snap-in (Secpol.msc) restricts the view of local polic
- Application Control Policies
- IP Security Policies on Local Computer
- Advanced Audit Policy Configuration
Policies set locally might be overwritten if the computer is joined to the domain.
The Local Security Policy snap-in is part of the Security Configuration Manager tool set. For info about other tools in this tool set, see [Working with the Security Configuration Manager](#bkmk-scmtool) in this topic.
## <a href="" id="bkmk-secedit"></a>Using the secedit command-line tool
The secedit command-line tool works with security templates and provides six primary functions:
- The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server.
- The **Analyze** parameter compares the servers security configuration with the selected template.
- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also.
- The **Export** parameter allows you to export the settings from a database into a security settings template.
- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue.
- The **Generate Rollback** parameter saves the servers current security settings into a security template so it can be used to restore most of the servers security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template.
## <a href="" id="bkmk-scm"></a>Using the Security Compliance Manager
The Security Compliance Manager is a downloadable tool that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and for Microsoft applications. It contains a complete database of recommended security settings, methods to customize your baselines, and the option to implement those settings in multiple formats—including XLS, GPOs, Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP). The Security Compliance Manager is used to export the baselines to your environment to automate the security baseline deployment and compliance verification process.
**To administer security policies by using the Security Compliance Manager**
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](http://blogs.technet.com/b/secguide/) blog.
2. Read the relevant security baseline documentation that is included in this tool.
3. Download and import the relevant security baselines. The installation process steps you through baseline selection.
4. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
## <a href="" id="bkmk-scw"></a>Using the Security Configuration Wizard
The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. SCW is a role-based tool: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles. For example, a server might be a file server, a print server, or a domain controller.
The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy.
SCW is a role-based tool: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles. For example, a server might be a file server, a print server, or a domain controller.
The following are considerations for using SCW:
- SCW disables unnecessary services and provides Windows Firewall with Advanced Security support.
- Security policies that are created with SCW are not the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those that can be set with SCW. However, it is possible to include a security template in an SCW security policy file.
- You can deploy security policies that you create with SCW by using Group Policy.
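Review bot: the secedit bullets in this hunk carry missing possessive apostrophes that should be fixed while the block is being touched: "compares the servers security configuration" under **Analyze**, and "saves the servers current security settings" / "most of the servers security settings" under **Generate Rollback**, should all read `server's`. The **Validate** bullet also reads awkwardly ("validate the syntax of each or any lines of text ... if the template fails to apply syntax, the template will not be the issue"); something like "validates the syntax of the lines you added to a template, so that a failed apply can be attributed to the settings rather than to a syntax error in the template" says it directly. The split of the SCW paragraph into "The Security Configuration Wizard (SCW) guides you ..." and "SCW is a role-based tool: ..." is fine as is.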
@ -119,19 +146,25 @@ The following are considerations for using SCW:
- SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles.
- All apps that use the IP protocol and ports must be running on the server when you run SCW.
- In some cases, you must be connected to the Internet to use the links in the SCW help.
**Note**  
The SCW is available only on Windows Server and only applicable to server installations.
> **Note**  The SCW is available only on Windows Server and only applicable to server installations.
 
The SCW can be accessed through Server Manager or by running scw.exe. The wizard steps you through server security configuration to:
- Create a security policy that can be applied to any server on your network.
- Edit an existing security policy.
- Apply an existing security policy.
- Roll back the last applied security policy.
The Security Policy Wizard configures services and network security based on the servers role, as well as configures auditing and registry settings.
For more information about SCW, including procedures, see [Security Configuration Wizard](http://technet.microsoft.com/library/cc754997.aspx).
## <a href="" id="bkmk-scmtool"></a>Working with the Security Configuration Manager
The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.
For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](http://technet.microsoft.com/library/cc758219(WS.10).aspx).
The following table lists the features of the Security Configuration Manager.
<table>
<colgroup>
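Review bot: the non-breaking-space spacer line left directly after the new `> **Note**  The SCW is available only on Windows Server ...` blockquote is a leftover from the old `**Note**` layout and should be removed or replaced by a truly blank line: a line containing only U+00A0 is not a blank line to a CommonMark parser, so it is absorbed as continuation text of the quote instead of terminating it. Two smaller points in the same region: "The Security Policy Wizard configures services and network security based on the servers role" names the tool differently from the rest of the section (Security Configuration Wizard / SCW) and is missing the apostrophe in `server's`; and `scw.exe` in "by running scw.exe" would be clearer in code font.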
@ -169,18 +202,32 @@ The following table lists the features of the Security Configuration Manager.
</table>
 
### <a href="" id="bkmk-seccfgana"></a>Security Configuration and Analysis
Security Configuration and Analysis is an MMC snap-in for analyzing and configuring local system security.
### <a href="" id="h2-359808543"></a>Security analysis
The state of the operating system and apps on a device is dynamic. For example, you may need to temporarily change security levels so that you can immediately resolve an administration or network issue. However, this change can often go unreversed. This means that a computer may no longer meet the requirements for enterprise security.
Regular analysis enables you to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. You can tune the security levels and, most importantly, detect any security flaws that may occur in the system over time.
Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals.
Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security
Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals.
### <a href="" id="h2-359810173"></a>Security configuration
Security Configuration and Analysis can also be used to directly configure local system security. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. This immediately configures the system security with the levels specified in the template.
### <a href="" id="bkmk-sectmpl"></a>Security templates
With the Security Templates snap-in for Microsoft Management Console, you can create a security policy for your device or for your network. It is a single point of entry where the full range of system security can be taken into account. The Security Templates snap-in does not introduce new security parameters, it simply organizes all existing security attributes into one place to ease security administration.
Importing a security template to a Group Policy Object eases domain administration by configuring security for a domain or organizational unit at once.
To apply a security template to your local device, you can use Security Configuration and Analysis or the secedit command-line tool.
Security templates can be used to define:
- Account Policies
- Password Policy
- Account Lockout Policy
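Review bot: the rewrapped paragraph breaks the product name across lines ("... proposed level of security. Security" / "Configuration and Analysis also offers ..."); it still renders as one paragraph, but wrapping at the sentence boundary after "security." keeps "Security Configuration and Analysis" greppable and makes future diffs readable. Also in this hunk: "alongside of current system settings" should be "alongside current system settings"; the Security templates paragraph has a comma splice ("does not introduce new security parameters, it simply organizes" should use a semicolon or "parameters; instead it organizes"); and the two sub-headings carry machine-generated anchors (`id="h2-359808543"`, `id="h2-359810173"`) while every other heading in the file uses a descriptive `bkmk-` id, so renaming them (for example `bkmk-secanalysis` and `bkmk-seccfg`) keeps cross-references stable.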
@ -194,67 +241,105 @@ Security templates can be used to define:
- System Services: Startup and permissions for system services
- Registry: Permissions for registry keys
- File System: Permissions for folders and files
Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template.
### <a href="" id="bkmk-secextensions"></a>Security settings extension to Group Policy
Organizational units, domains, and sites are linked to Group Policy Objects. The security settings tool allows you change the security configuration of the Group Policy Object, in turn, affecting multiple computers. With security settings, you can modify the security settings of many devices, depending on the Group Policy Object you modify, from just one device joined to a domain.
Security settings or security policies are rules that are configured on a device or multiple device for protecting resources on a device or network. Security settings can control:
- How users are authenticated to a network or device
- What resources users are authorized to use.
- Whether or not a user's or group's actions are recorded in the event log.
- Group membership.
You can change the security configuration on multiple computers in two ways:
- Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object.
- Change a few select settings with security settings.
### <a href="" id="bkmk-localsecpol"></a>Local Security Policy
A security policy is a combination of security settings that affect the security on a device. You can use your local security policy to edit account policies and local policies on your local device
With the local security policy, you can control:
- Who accesses your device.
- What resources users are authorized to use on your device.
- Whether or not a users or group's actions are recorded in the event log.
If your local device is joined to a domain, you are subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you are a member of. If you are getting a policy from more than one source, conflicts are resolved in the following order of precedence.
1. Organizational unit policy
2. Domain policy
3. Site policy
4. Local computer policy
If you modify the security settings on your local device by using the local security policy, then you are directly modifying the settings on your device. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts.
### Using the Security Configuration Manager
For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](http://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about:
- [Applying security settings](#bkmk-applysecsettings)
- [Importing and exporting security templates](#bkmk-impexpsectmpl)
- [Analyzing security and viewing results](#bkmk-anasecviewresults)
- [Resolving security discrepancies](#bkmk-resolvesecdiffs)
- [Automating security configuration tasks](#bkmk-autoseccfgtasks)
### <a href="" id="bkmk-applysecsettings"></a>Applying security settings
Once you have edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object:
- When a device is restarted, the settings on that device will be refreshed.
- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe.
**Precedence of a policy when more than one policy is applied to a computer**
For security settings that are defined by more than one policy, the following order of precedence is observed:
1. Organizational Unit Policy
2. Domain Policy
3. Site Policy
4. Local computer Policy
For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence.
**Note**  
Use gpresult.exe to find out what policies are applied to a device and in what order.
For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override
both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence.
> **Note**  Use gpresult.exe to find out what policies are applied to a device and in what order.
For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.
 
**Persistence in security settings**
Security settings may still persist even if a setting is no longer defined in the policy that originally applied it.
Persistence in security settings occurs when:
- The setting has not been previously defined for the device.
- The setting is for a registry object.
- The setting is for a file system object.
All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database, then the setting does not revert to anything and remains defined as is. This behavior is sometimes called "tattooing."
Registry and file settings will maintain the values applied through policy until that setting is set to other values.
**Filtering security settings based on group membership**
You can also decide what users or groups will or will not have a Group Policy Object applied to them regardless of what computer they have logged onto by denying them either the Apply Group Policy or Read permission on that Group Policy Object. Both of these permissions are needed to apply Group Policy.
### <a href="" id="bkmk-impexpsectmpl"></a>Importing and exporting security templates
Security Configuration and Analysis provides the ability to import and export security templates into or from a database.
If you have made any changes to the analysis database, you can save those settings by exporting them into a template. The export feature provides the ability to save the analysis database settings as a new template file. This template file can then be used to analyze or configure a system, or it can be imported to a Group Policy Object.
### <a href="" id="bkmk-anasecviewresults"></a>Analyzing security and viewing results
Security Configuration and Analysis performs security analysis by comparing the current state of system security against an *analysis database*. During creation, the analysis database uses at least one security template. If you choose to import more than one security template, the database will merge the various templates and create one composite template. It resolves conflicts in order of import; the last template that is imported takes precedence.
Security Configuration and Analysis displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas. To change the analysis database settings, right-click the entry, and then click **Properties**.
<table>
<colgroup>
<col width="50%" />
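Review bot: the rewrap of the precedence example splits a sentence mid-clause ("... the settings applied from the Organizational Unit's policy will override" / "both the domain and local settings"); as with the other rewrapped paragraphs in this commit, break after a full stop instead. The new `> **Note**  Use gpresult.exe ...` blockquote is immediately followed by the paragraph "For domain accounts, there can be only one account policy ...", and the hunk as shown has no blank line between them; without one, CommonMark treats that paragraph as a lazy continuation of the quote. Wording fixes in the context lines of this hunk: "configured on a device or multiple device" should be "multiple devices"; "Whether or not a users or group's actions" should be "a user's or group's actions"; "edit account policies and local policies on your local device" is missing its terminating period; and the bare heading "### Using the Security Configuration Manager" duplicates the section title "Working with the Security Configuration Manager" and lacks the `<a href="" id="bkmk-...">` anchor every other heading carries, while the sentence under it ("This section contains information in this topic about:") should read "This topic contains information about:". Finally, the precedence list appears twice (under "Local Security Policy" and under "Precedence of a policy when more than one policy is applied to a computer") with different capitalization ("Organizational unit policy" versus "Organizational Unit Policy"); pick one form.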
@ -292,18 +377,24 @@ Security Configuration and Analysis displays the analysis results by security ar
</table>
 
If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis.
To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template.
### <a href="" id="bkmk-resolvesecdiffs"></a>Resolving security discrepancies
You can resolve discrepancies between analysis database and system settings by:
- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**.
- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels.
- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
### <a href="" id="bkmk-autoseccfgtasks"></a>Automating security configuration tasks
By calling the secedit.exe tool at a command prompt from a batch file or automatic task scheduler, you can use it to automatically create and apply templates, and analyze system security. You can also run it dynamically from a command prompt.
Secedit.exe is useful when you have multiple devices on which security must be analyzed or configured, and you need to perform these tasks during off-hours.
## <a href="" id="bkmk-grouppolicy"></a>Working with Group Policy tools
Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop.
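Review bot: pronoun agreement in "Otherwise, when the Group Policy settings are applied, it will take precedence over local settings": the subject is plural, so "they will take precedence". The opening of "Automating security configuration tasks" ("By calling the secedit.exe tool at a command prompt from a batch file or automatic task scheduler, you can use it to ...") refers to the tool twice in one sentence; "You can call secedit.exe from a batch file or a scheduled task to create and apply templates and analyze system security automatically, or run it interactively from a command prompt" says the same thing directly.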
 
 

View File

@ -2,16 +2,20 @@
title: Advanced security auditing FAQ (Windows 10)
description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Advanced security auditing FAQ
**Applies to**
- Windows 10
This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
- [What is Windows security auditing and why might I want to use it?](#bkmk-1)
- [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#bkmk-2)
- [What is the interaction between basic audit policy settings and advanced audit policy settings?](#bkmk-3)
@ -30,100 +34,118 @@ This topic for the IT professional lists questions and answers about understandi
- [What are the best tools to model and manage audit policy?](#bkmk-17)
- [Where can I find information about all the possible events that I might receive?](#bkmk-11)
- [Where can I find more detailed information?](#bkmk-18)
## <a href="" id="bkmk-1"></a>What is Windows security auditing and why might I want to use it?
Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is more narrowly defined as the features and services that enable an administrator to log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.
## <a href="" id="bkmk-2"></a>What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
There are a number of additional differences between the security audit policy settings in these two locations.
There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking.
There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy
Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking.
In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logonrelated behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later.
## <a href="" id="bkmk-3"></a>What is the interaction between basic audit policy settings and advanced audit policy settings?
Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other domain GPOs or logon scripts. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied.
**Important**  
Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
> **Important**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
 
## <a href="" id="bkmk-4"></a>How are audit settings merged by Group Policy?
By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level.
For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing).
The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Auditing subcategory</th>
<th align="left">Setting configured in an OU GPO (higher priority)</th>
<th align="left">Setting configured in a domain GPO (lower priority)</th>
<th align="left">Resulting policy for the target computer</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Detailed File Share Auditing</p></td>
<td align="left"><p>Success</p></td>
<td align="left"><p>Failure</p></td>
<td align="left"><p>Success</p></td>
</tr>
<tr class="even">
<td align="left"><p>Process Creation Auditing</p></td>
<td align="left"><p>Disabled</p></td>
<td align="left"><p>Success</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Logon Auditing</p></td>
<td align="left"><p>Success</p></td>
<td align="left"><p>Failure</p></td>
<td align="left"><p>Failure</p></td>
</tr>
</tbody>
</table>
 
| Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer |
| - | - | - | -|
| Detailed File Share Auditing | Success | Failure | Success |
| Process Creation Auditing | Disabled | Success | Disabled |
| Logon Auditing | Success | Failure | Failure |
## <a href="" id="bkmk-14"></a>What is the difference between an object DACL and an object SACL?
All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
- A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
- A system access control list (SACL) that controls how access is audited
The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
## <a href="" id="bkmk-13"></a>Why are audit policies applied on a per-computer basis rather than per user?
In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer.
In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
## <a href="" id="bkmk-12"></a>What are the differences in auditing functionality between versions of Windows?
Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings.
## <a href="" id="bkmk-15"></a>Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server?
To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported.
## <a href="" id="bkmk-5"></a>What is the difference between success and failure events? Is something wrong if I get a failure audit?
A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully.
A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully.
The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user mistyped his or her password.
## <a href="" id="bkmk-6"></a>How can I set an audit policy that affects all objects on a computer?
System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
## <a href="" id="bkmk-7"></a>How do I figure out why someone was able to access a resource?
Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
## <a href="" id="bkmk-8"></a>How do I know when changes are made to access control settings, by whom, and what the changes were?
To track access control changes on computers running Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs:
- **Audit File System** subcategory: Enable for success, failure, or success and failure
- **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure
- A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor
In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory.
## <a href="" id="bkmk-19"></a>How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you subsequently change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings:
1. Set all Advanced Audit Policy subcategories to **Not configured**.
2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller.
3. Reconfigure and apply the basic audit policy settings.
Unless you complete all of these steps, the basic audit policy settings will not be restored.
## <a href="" id="bkmk-10"></a>How can I monitor if changes are made to audit policy settings?
Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place:
- Permissions and audit settings on the audit policy object are changed
- The system audit policy is changed
- Security event sources are registered or unregistered
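Review bot: the version history in the "What are the differences in auditing functionality between versions of Windows?" answer contradicts itself: advanced audit policy settings are said to be "introduced in Windows Vista and Windows Server 2008" and then, in the next sentence, "introduced in Windows 7 and Windows Server 2008 R2". The later paragraph in this same file ("The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2") indicates that the second sentence should say Group Policy support, not the settings themselves, arrived in Windows 7, e.g. "In Windows 7 and Windows Server 2008 R2, advanced audit policy settings can be configured and applied by using local and domain Group Policy settings." While in this region, the version list "Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2" in the access control changes answer is missing a comma between "Windows Server 2012" and "Windows 7".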
@ -131,20 +153,31 @@ Changes to security audit policies are critical security events. You can use the
- The value of **CrashOnAuditFail** is modified
- Audit settings on a file or registry key are changed
- A Special Groups list is changed
## <a href="" id="bkmk-16"></a>How can I minimize the number of events that are generated?
Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md).
## <a href="" id="bkmk-17"></a>What are the best tools to model and manage audit policies?
The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies.
On an individual computer, the Auditpol command-line tool can be used to complete a number of important audit policyrelated management tasks.
In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data.
## <a href="" id="bkmk-11"></a>Where can I find information about all the possible events that I might receive?
Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources:
- [Windows 8 and Windows Server 2012 Security Event Details](http://www.microsoft.com/download/details.aspx?id=35753)
- [Security Audit Events for Windows 7 and Windows Server 2008 R2](http://go.microsoft.com/fwlink/p/?linkid=157780)
- [Security Audit Events for Windows Server 2008 and Windows Vista](http://go.microsoft.com/fwlink/p/?linkid=121868)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
## <a href="" id="bkmk-18"></a>Where can I find more detailed information?
To learn more about security audit policies, see the following resources:
- [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
- [Security Monitoring and Attack Detection Planning Guide](http://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx)
- [Security Audit Events for Windows 7 and Windows Server 2008 R2](http://go.microsoft.com/fwlink/p/?linkid=157780)
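Review bot: "audit policyrelated management tasks" in the Auditpol paragraph has lost its hyphen; since this commit is normalizing whitespace and characters across the repo, check whether a non-ASCII hyphen was stripped rather than converted, and restore "audit policy-related management tasks". Also, "Security Audit Events for Windows 7 and Windows Server 2008 R2" is listed both under "Where can I find information about all the possible events" and under "Where can I find more detailed information?", and the "Security Monitoring and Attack Detection Planning Guide" link points at a wiki URL whose slug is "advanced-security-auditing-in-windows-7-and-windows-server-2008-r2"; confirm the link text matches the target.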

View File

@ -2,48 +2,26 @@
title: Advanced security audit policies (Windows 10)
description: Advanced security audit policy settings are found in Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently.
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Advanced security audit policies
**Applies to**
- Windows 10
Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently.
When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)</p></td>
<td align="left"><p>This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Advanced security auditing FAQ](advanced-security-auditing-faq.md)</p></td>
<td align="left"><p>This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)</p></td>
<td align="left"><p>This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)</p></td>
<td align="left"><p>This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.</p></td>
</tr>
</tbody>
</table>
 
 
 
| Topic | Description |
| - | - |
| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies |
| [Advanced security auditing FAQ](advanced-security-auditing-faq.md) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
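Review bot: the markdown table that replaces the HTML one is not consistently formed: only the first data row ("Planning and deploying advanced security audit policies") ends with a closing "|", while the FAQ, dynamic access control and audit policy settings rows have no trailing pipe, and that first row also drops the final period that the HTML cell had ("...includes advanced security audit policies."). Add the trailing "|" to the last three rows and restore the period so all four descriptions match.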

View File

@ -2,118 +2,106 @@
title: Allow log on locally (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting.
ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Allow log on locally
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Allow log on locally** security policy setting.
## Reference
This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller.
**Note**  
Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right.
> **Note:**  Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right.
 
Constant: SeInteractiveLogonRight
### Possible values
- User-defined list of accounts
- Not Defined
By default, the members of the following groups have this right on workstations and servers:
- Administrators
- Backup Operators
- Users
By default, the members of the following groups have this right on domain controllers:
- Account Operators
- Administrators
- Backup Operators
- Print Operators
- Server Operators
### Best practices
1. Restrict this user right to legitimate users who must log on to the console of the device.
2. If you selectively remove default groups, you can limit the abilities of users who are assigned to specific administrative roles in your organization.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not Defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Account Operators</p>
<p>Administrators</p>
<p>Backup Operators</p>
<p>Print Operators</p>
<p>Server Operators</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Backup Operators</p>
<p>Users</p></td>
</tr>
<tr class="even">
<td align="left"><p>Domain Controller Effective Default Settings</p></td>
<td align="left"><p>Account Operators</p>
<p>Administrators</p>
<p>Backup Operators</p>
<p>Print Operators</p>
<p>Server Operators</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Backup Operators</p>
<p>Users</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Backup Operators</p>
<p>Users</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not Defined |
| Default Domain Controller Policy | Account Operators<br>Administrators<br>Backup Operators<br>Print Operators<br>Server Operators |
| Stand-Alone Server Default Settings| Administrators<br>Backup Operators<br>Users |
| Domain Controller Effective Default Settings | Account Operators<br>Administrators<br>Backup Operators<br>Print Operators<br>Server Operators |
| Member Server Effective Default Settings | Administrators<br>Backup Operators<br>Users |
| Client Computer Effective Default Settings | Administrators<br>Backup Operators<br>Users |
 
## Policy management
Restarting the device is not required to implement this change.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Modifying this setting might affect compatibility with clients, services, and applications. Use caution when removing service accounts that are used by components and by programs on member devices and on domain controllers in the domain from the default domain controller's policy. Also use caution when removing users or security groups that log on to the console of member devices in the domain, or removing service accounts that are defined in the local Security Accounts Manager (SAM) database of member devices or of workgroup devices.
If you want to grant a user account the ability to log on locally to a domain controller, you must make that user a member of a group that already has the **Allowed logon locally** system right or grant the right to that user account.
The domain controllers in the domain share the Default Domain Controllers Group Policy Object (GPO). When you grant an account the **Allow logon locally** right, you are allowing that account to log on locally to all domain controllers in the domain.
If the Users group is listed in the **Allow log on locally** setting for a GPO, all domain users can log on locally. The Users built-in group contains Domain Users as a member.
### Group Policy
Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Any account with the **Allow log on locally** user right can log on to the console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
### Countermeasure
For domain controllers, assign the **Allow log on locally** user right only to the Administrators group. For other server roles, you may choose to add Backup Operators in addition to Administrators. For end-user computers, you should also assign this right to the Users group.
Alternatively, you can assign groups such as Account Operators, Server Operators, and Guests to the **Deny log on locally** user right.
### Potential impact
If you remove these default groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. If you have installed optional components such as ASP.NET or IIS, you may need to assign the **Allow log on locally** user right to additional accounts that are required by those components. IIS requires that this user right be assigned to the IUSR\_*&lt;ComputerName&gt;* account. You should confirm that delegated activities are not adversely affected by any changes that you make to the **Allow log on locally** user rights assignments.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
- [User Rights Assignment](user-rights-assignment.md)
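Review bot: the user right is named three different ways in the Policy management section, "**Allowed logon locally** system right", "**Allow logon locally** right" and "**Allow log on locally** setting", while the title, the Reference section and the default-values table all use "Allow log on locally"; align the two variants to the policy name so a reader searching the GPO editor finds the right setting. Also, "Default values are also listed on the policys property page" has lost its apostrophe ("policy's"), which looks like a side effect of the character cleanup in this commit; the same string appears in the Remote Desktop Services file below.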
 
 

View File

@ -2,97 +2,99 @@
title: Allow log on through Remote Desktop Services (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting.
ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Allow log on through Remote Desktop Services
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Allow log on through Remote Desktop Services** security policy setting.
## Reference
This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.
Constant: SeRemoteInteractiveLogonRight
### Possible values
- User-defined list of accounts
- Not Defined
### Best practices
- To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
By default, members of the Administrators group have this right on domain controllers, workstations, and servers. The Remote Desktops Users group also has this right on workstations and servers.
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not Defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Administrators</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Remote Desktop Users</p></td>
</tr>
<tr class="even">
<td align="left"><p>Domain Controller Effective Default Settings</p></td>
<td align="left"><p>Administrators</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Remote Desktop Users</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Remote Desktop Users</p></td>
</tr>
</tbody>
</table>
 
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not Defined |
| Default Domain Controller Policy | Administrators |
| Stand-Alone Server Default Settings | Administrators<br>Remote Desktop Users |
| Domain Controller Effective Default Settings | Administrators |
| Member Server Effective Default Settings | Administrators<br>Remote Desktop Users |
| Client Computer Effective Default Settings | Administrators<br>Remote Desktop Users |
## Policy management
This section describes different features and tools available to help you manage this policy.
### Group Policy
To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the **Allow log on through Remote Desktop Services** right. It is possible for a user to establish an Remote Desktop Services session to a particular server, but not be able to log on to the console of that same server.
To exclude users or groups, you can assign the **Deny log on through Remote Desktop Services** user right to those users or groups. However, be careful when you use this method because you could create conflicts for legitimate users or groups that have been allowed access through the **Allow log on through Remote Desktop Services** user right.
For more information, see [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md).
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Any account with the **Allow log on through Remote Desktop Services** user right can log on to the remote console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
### Countermeasure
For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups.
**Caution**  
For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default.
> **Caution:**  For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default.
 
Alternatively, you can assign the **Deny log on through Remote Desktop Services** user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the **Deny log on through Remote Desktop Services** user right.
### Potential impact
Removal of the **Allow log on through Remote Desktop Services** user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
- [User Rights Assignment](user-rights-assignment.md)
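Review bot: "The Remote Desktops Users group also has this right on workstations and servers" in the Default values section names the group incorrectly; the table below it and the Group Policy paragraph both use "Remote Desktop Users", so drop the extra "s". In the same file, "policys property page" needs its apostrophe ("policy's"), and "establish an Remote Desktop Services session" should read "a Remote Desktop Services session".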
 
 

View File

@ -2,25 +2,38 @@
title: AppLocker architecture and components (Windows 10)
description: This topic for IT professional describes AppLockers basic architecture and its major components.
ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker architecture and components
**Applies to**
- Windows 10
This topic for IT professional describes AppLockers basic architecture and its major components.
AppLocker relies on the Application Identity service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control **SeAccessCheckWithSecurityAttributes** or **AuthzAccessCheck** functions.
AppLocker provides three ways to intercept and validate if a file is allowed to execute according to an AppLocker policy.
**A new process is created**
When a new process is created, such as an executable file or a Universal Windows app is run, AppLocker invokes the Application Identity component to calculate the attributes of the main executable file used to create a new process. It then updates the new process's token with these attributes and checks the AppLocker policy to verify that the executable file is allowed to run.
**A DLL is loaded**
When a new DLL loads, a notification is sent to AppLocker to verify that the DLL is allowed to load. AppLocker calls the Application Identity component to calculate the file attributes. It duplicates the existing process token and replaces those Application Identity attributes in the duplicated token with attributes of the loaded DLL. AppLocker then evaluates the policy for this DLL, and the duplicated token is discarded. Depending on the result of this check, the system either continues to load the DLL or stops the process.
**A script is run**
Before a script file is run, the script host (for example. for .ps1 files the script host is PowerShell) invokes AppLocker to verify the script. AppLocker invokes the Application Identity component in user-mode with the file name or file handle to calculate the file properties. The script file then is evaluated against the AppLocker policy to verify that it is allowed to run. In each case, the actions taken by AppLocker are written to the event log.
## Related topics
[AppLocker technical reference](applocker-technical-reference.md)
- [AppLocker technical reference](applocker-technical-reference.md)
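Review bot: the apostrophe in "AppLocker's basic architecture" has been dropped in both the description field and the opening sentence ("AppLockers basic architecture"); if the cleanup is stripping a curly apostrophe, replace it with a plain one rather than removing it (the "policys" strings in the two user-rights files show the same pattern). Also, "the script host (for example. for .ps1 files the script host is PowerShell)" has a period where a comma belongs.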
 
 

View File

@ -2,18 +2,24 @@
title: AppLocker functions (Windows 10)
description: This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker functions
**Applies to**
- Windows 10
This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.
## Functions
The following list includes the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2 and links to current documentation on MSDN:
- [SaferGetPolicyInformation Function](http://go.microsoft.com/fwlink/p/?LinkId=159781)
- [SaferCreateLevel Function](http://go.microsoft.com/fwlink/p/?LinkId=159782)
- [SaferCloseLevel Function](http://go.microsoft.com/fwlink/p/?LinkId=159783)
@ -22,52 +28,23 @@ The following list includes the SRP functions beginning with Windows Server 200
- [SaferGetLevelInformation Function](http://go.microsoft.com/fwlink/p/?LinkId=159787)
- [SaferRecordEventLogEntry Function](http://go.microsoft.com/fwlink/p/?LinkId=159789)
- [SaferiIsExecutableFileType Function](http://go.microsoft.com/fwlink/p/?LinkId=159790)
## Security level ID
AppLocker and SRP use the security level IDs to stipulate the access requirements to files listed in policies. The following table shows those security levels supported in SRP and AppLocker.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Security level ID</th>
<th align="left">SRP</th>
<th align="left">AppLocker</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>SAFER_LEVELID_FULLYTRUSTED</p></td>
<td align="left"><p>Supported</p></td>
<td align="left"><p>Supported</p></td>
</tr>
<tr class="even">
<td align="left"><p>SAFER_LEVELID_NORMALUSER</p></td>
<td align="left"><p>Supported</p></td>
<td align="left"><p>Not supported</p></td>
</tr>
<tr class="odd">
<td align="left"><p>SAFER_LEVELID_CONSTRAINED</p></td>
<td align="left"><p>Supported</p></td>
<td align="left"><p>Not supported</p></td>
</tr>
<tr class="even">
<td align="left"><p>SAFER_LEVELID_UNTRUSTED</p></td>
<td align="left"><p>Supported</p></td>
<td align="left"><p>Not supported</p></td>
</tr>
<tr class="odd">
<td align="left"><p>SAFER_LEVELID_DISALLOWED</p></td>
<td align="left"><p>Supported</p></td>
<td align="left"><p>Supported</p></td>
</tr>
</tbody>
</table>
| Security level ID | SRP | AppLocker |
| - | - | - |
| SAFER_LEVELID_FULLYTRUSTED | Supported | Supported |
| SAFER_LEVELID_NORMALUSER | Supported | Not supported |
| SAFER_LEVELID_CONSTRAINED | Supported | Not supported |
| SAFER_LEVELID_UNTRUSTED | Supported | Not supported |
| SAFER_LEVELID_DISALLOWED | Supported | Supported |
 
In addition, URL zone ID is not supported in AppLocker.
## Related topics
[AppLocker technical reference](applocker-technical-reference.md)
- [AppLocker technical reference](applocker-technical-reference.md)
 
 
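Review bot: the `SAFER_LEVELID_*` identifiers in the new markdown table rows should be wrapped in backticks (for example `` `SAFER_LEVELID_FULLYTRUSTED` ``) so the underscores cannot be read as emphasis markers by the renderer and the names are visibly code, as they were inside the old `<p>` cells. The two non-breaking-space lines after the Related topics bullet are the same leftover padding seen in the other files and can be removed here too.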

View File

@ -2,42 +2,66 @@
title: AppLocker (Windows 10)
description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker
**Applies to**
- Windows 10
This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
AppLocker can help you:
- Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
- Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
- Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.
- Simplify creating and managing AppLocker rules by using Windows PowerShell.
AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. AppLocker addresses the following app security scenarios:
- **Application inventory**
AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.
- **Protection against unwanted software**
AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that are not included in the allowed rules are blocked from running.
- **Licensing conformance**
AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users.
- **Software standardization**
AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment.
- **Manageability improvement**
AppLocker includes a number of improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies.
## New and changed functionality
To find out what's new in AppLocker for Windows 10, see [What's new in AppLocker?](../whats-new/applocker.md)
## When to use AppLocker
In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access.
However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run.
Software publishers are beginning to create more apps that can be installed by non-administrative users. This could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. By creating an allowed list of approved files and apps, AppLocker helps prevent such per-user apps from running. Because AppLocker can control DLLs, it is also useful to control who can install and run ActiveX controls.
AppLocker is ideal for organizations that currently use Group Policy to manage their PCs.
The following are examples of scenarios in which AppLocker can be used:
- Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
@ -47,116 +71,67 @@ The following are examples of scenarios in which AppLocker can be used:
- A single user or small group of users needs to use a specific app that is denied for all others.
- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
- In addition to other measures, you need to control the access to sensitive data through app usage.
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
## System requirements
AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. Group Policy is required to distribute Group Policy Objects that contain AppLocker policies. For more info, see [Requirements to Use AppLocker](requirements-to-use-applocker.md).
AppLocker rules can be created on domain controllers.
## Installing AppLocker
AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).
**Note**  
The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
> **Note:**  The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
 
### Using AppLocker on Server Core
AppLocker on Server Core installations is not supported.
### Virtualization considerations
You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you do risk losing the policies that you created and maintain if the virtualized instance is removed or fails.
### Security considerations
Application control policies specify which apps are allowed to run on the local computer.
The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.
The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers.
A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.
For additional information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md).
When you use AppLocker to create application control policies, you should be aware of the following security considerations:
- Who has the rights to set AppLocker policies?
- How do you validate that the policies are enforced?
- What events should you audit?
For reference in your security planning, the following table identifies the baseline settings for a PC with AppLocker installed:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Setting</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Accounts created</p></td>
<td align="left"><p>None</p></td>
</tr>
<tr class="even">
<td align="left"><p>Authentication method</p></td>
<td align="left"><p>Not applicable</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Management interfaces</p></td>
<td align="left"><p>AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell</p></td>
</tr>
<tr class="even">
<td align="left"><p>Ports opened</p></td>
<td align="left"><p>None</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Minimum privileges required</p></td>
<td align="left"><p>Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Protocols used</p></td>
<td align="left"><p>Not applicable</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Scheduled Tasks</p></td>
<td align="left"><p>Appidpolicyconverter.exe is put in a scheduled task to be run on demand.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Security Policies</p></td>
<td align="left"><p>None required. AppLocker creates security policies.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>System Services required</p></td>
<td align="left"><p>Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Storage of credentials</p></td>
<td align="left"><p>None</p></td>
</tr>
</tbody>
</table>
| Setting | Default value |
| - | - |
| Accounts created | None |
| Authentication method | Not applicable |
| Management interfaces | AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell |
| Ports opened | None |
| Minimum privileges required | Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects. |
| Protocols used | Not applicable |
| Scheduled Tasks | Appidpolicyconverter.exe is put in a scheduled task to be run on demand. |
| Security Policies | None required. AppLocker creates security policies. |
| System Services required |Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation. |
| Storage of credentials | None |
 
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Administer AppLocker](administer-applocker.md)</p></td>
<td align="left"><p>This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[AppLocker design guide](applocker-policies-design-guide.md)</p></td>
<td align="left"><p>This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[AppLocker deployment guide](applocker-policies-deployment-guide.md)</p></td>
<td align="left"><p>This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[AppLocker technical reference](applocker-technical-reference.md)</p></td>
<td align="left"><p>This overview topic for IT professionals provides links to the topics in the technical reference.</p></td>
</tr>
</tbody>
</table>
 
 
 
| Topic | Description |
| - | - |
| [Administer AppLocker](administer-applocker.md) | This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. |
| [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. |
| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
| [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. |
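Review bot: the rewritten blockquote `> **Note:**  The GPMC is available in client computers running Windows only ...` carries the grammatical slip `On computer running Windows Server` over from the old two-line note; since the line is being rewritten anyway, make it `On computers running Windows Server`. Two style nits in the new baseline-settings table: the row `| System Services required |Application Identity service (appidsvc) ...` is missing the space after the pipe that every other row has, and `Appidpolicyconverter.exe`, `appidsvc` and `LocalServiceAndNoImpersonation` would read better in backticks as they are literal names.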

View File

@ -2,20 +2,29 @@
title: AppLocker deployment guide (Windows 10)
description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker deployment guide
**Applies to**
- Windows 10
This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change.
This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. For a comparison of SRP and AppLocker, see [Using Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) in this guide. To understand if AppLocker is the correct application control solution for you, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
## Prerequisites to deploying AppLocker policies
The following are prerequisites or recommendations to deploying policies:
- Understand the capabilities of AppLocker:
- [AppLocker](applocker-overview.md)
- Document your application control policy deployment plan by addressing these tasks:
@ -27,43 +36,18 @@ The following are prerequisites or recommendations to deploying policies:
- [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
- [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
- [Create your AppLocker planning document](create-your-applocker-planning-document.md)
## Contents of this guide
This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running any of the supported versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)</p></td>
<td align="left"><p>This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md)</p></td>
<td align="left"><p>This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md)</p></td>
<td align="left"><p>This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Create Your AppLocker policies](create-your-applocker-policies.md)</p></td>
<td align="left"><p>This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)</p></td>
<td align="left"><p>This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.</p></td>
</tr>
</tbody>
</table>
 
 
 
| Topic | Description |
| - | - |
| [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) | This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. |
| [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md) | This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. |
| [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) | This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. |
| [Create Your AppLocker policies](create-your-applocker-policies.md) | This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. |
| [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) | This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. |
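Review bot: the new rows `[Requirements for Deploying AppLocker Policies]` and `[Create Your AppLocker policies]` keep title case from the old cells while the sibling rows use sentence case; since the whole table is being rewritten, normalize the link text to sentence case to match. The three non-breaking-space lines left between the old `</table>` and the new table are padding from the HTML version and should not survive the conversion.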

View File

@ -2,63 +2,36 @@
title: AppLocker design guide (Windows 10)
description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker design guide
**Applies to**
- Windows 10
This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.
This guide provides important designing and planning information for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group.
This guide does not cover the deployment of application control policies by using Software Restriction Policies (SRP). However, SRP is discussed as a deployment option in conjunction with AppLocker policies. For info about these options, see [Determine your application control objectives](determine-your-application-control-objectives.md).
To understand if AppLocker is the correct application control solution for your organization, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md).
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)</p></td>
<td align="left"><p>This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Determine your application control objectives](determine-your-application-control-objectives.md)</p></td>
<td align="left"><p>This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)</p></td>
<td align="left"><p>This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Select the types of rules to create](select-types-of-rules-to-create.md)</p></td>
<td align="left"><p>This topic lists resources you can use when selecting your application control policy rules by using AppLocker.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)</p></td>
<td align="left"><p>This overview topic describes the process to follow when you are planning to deploy AppLocker rules.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Plan for AppLocker policy management](plan-for-applocker-policy-management.md)</p></td>
<td align="left"><p>This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Create your AppLocker planning document](create-your-applocker-planning-document.md)</p></td>
<td align="left"><p>This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document.</p></td>
</tr>
</tbody>
</table>
| Topic | Description |
| - | - |
| [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) | This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. |
| [Determine your application control objectives](determine-your-application-control-objectives.md) | This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. |
| [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. |
| [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using AppLocker. |
| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you are planning to deploy AppLocker rules. |
| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. |
| [Create your AppLocker planning document](create-your-applocker-planning-document.md) | This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. |
 
After careful design and detailed planning, the next step is to deploy AppLocker policies. [AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
 
 
 
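Review bot: the new row `| [Plan for AppLocker policy management](...) | This topic for describes the decisions ...` carries the broken phrase `This topic for describes` over from the old `<p>` cell; fix it to `This topic describes` (or `This topic for the IT professional describes`, the pattern the other rows use) while the row is being rewritten. The three non-breaking-space lines after the closing "After careful design..." paragraph are also leftover padding and can go.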

View File

@ -2,29 +2,47 @@
title: AppLocker policy use scenarios (Windows 10)
description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker policy use scenarios
**Applies to**
- Windows 10
This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
AppLocker can help you improve the management of application control and the maintenance of application control policies. Application control scenarios addressed by AppLocker can be categorized as follows:
1. **App inventory**
AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is collected in event logs for further analysis. Windows PowerShell cmdlets are also available to help you understand app usage and access.
2. **Protection against unwanted software**
AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app is not specifically identified by its publisher, installation path, or file hash, the attempt to run the application fails.
3. **Licensing conformance**
AppLocker can provide an inventory of software usage within your organization, so you can identify the software that corresponds to your software licensing agreements and restrict application usage based on licensing agreements.
4. **Software standardization**
AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment.
5. **Manageability improvement**
AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers.
AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use
the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers.
### Use scenarios
The following are examples of scenarios in which AppLocker can be used:
- Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage.
- The security policy for application usage has changed, and you need to evaluate where and when those deployed apps are being accessed.
- Your organization's security policy dictates the use of only licensed software, so you need to determine which apps are not licensed or prevent unauthorized users from running licensed software.
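Review bot: the manageability paragraph is now split mid-sentence (`... you can modify policies and use` / `the AppLocker cmdlets to test the policies ...`), which is inconsistent with the other four scenario descriptions that stay on one line; keep it on one line so a later switch to hard line breaks does not introduce a visible break. Separately, the description paragraphs under `1. **App inventory**` and the following numbered items are not indented, so most markdown renderers will end the list after each description and restart numbering on the next item; indent each description by three spaces so it stays attached to its item.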
@ -37,7 +55,8 @@ The following are examples of scenarios in which AppLocker can be used:
- A single user or small group of users needs to use a specific app that is denied for all others.
- Some computers in your organization are shared by people who have different software usage needs.
- In addition to other measures, you need to control the access to sensitive data through app usage.
## Related topics
[AppLocker technical reference](applocker-technical-reference.md)
- [AppLocker technical reference](applocker-technical-reference.md)
 
 
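Review bot: same pattern as the other files in this commit: the plain `[AppLocker technical reference](...)` line and the two non-breaking-space lines that follow the new bullet are leftover padding and should be removed together with the bullet conversion, otherwise the "spacing" fix leaves empty paragraphs at the end of the topic.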

View File

@ -2,64 +2,97 @@
title: AppLocker processes and interactions (Windows 10)
description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker processes and interactions
**Applies to**
- Windows 10
This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.
## How policies are implemented by AppLocker
AppLocker policies are collections of AppLocker rules that might contain any one of the enforcement settings configured. When applied, each rule is evaluated within the policy and the collection of rules is applied according to the enforcement setting and according to your Group Policy structure.
The AppLocker policy is enforced on a computer through the Application Identity service, which is the engine that evaluates the policies. If the service is not running, policies will not be enforced. The Application Identity service returns the information from the binary—even if product or binary names are empty—to the results pane of the Local Security Policy snap-in.
AppLocker policies are stored in a security descriptor format according to Application Identity service requirements. It uses file path, hash, or fully qualified binary name attributes to form allow or deny actions on a rule. Each rule is stored as an access control entry (ACE) in the security descriptor and contains the following information:
- Either an allow or a deny ACE ("XA" or "XD" in security descriptor definition language (SDDL) form).
- The user security identifier (SID) that this rule is applicable to. (The default is the authenticated user SID, or "AU" in SDDL.)
- The rule condition containing the **appid** attributes.
For example, an SDDL for a rule that allows all files in the %windir% directory to run uses the following format: XA;;FX;;;AU;(APPID://PATH == "%windir%\\\*").
An AppLocker policy for DLLs and executable files is read and cached by kernel mode code, which is part of appid.sys. Whenever a new policy is applied, appid.sys is notified by a policy converter task. For other file types, the AppLocker policy is read every time a **SaferIdentifyLevel** call is made.
### Understanding AppLocker rules
An AppLocker rule is a control placed on a file to govern whether or not it is allowed to run for a specific user or group. Rules apply to five different types, or collections, of files:
- An executable rule controls whether a user or group can run an executable file. Executable files most often have the .exe or .com file name extensions and apply to applications.
- A script rule controls whether a user or group can run scripts with a file name extension of .ps1, .bat, .cmd, .vbs, and .js.
- A Windows Installer rule controls whether a user or group can run files with a file name extension of .msi, mst and .msp (Windows Installer patch).
- A DLL rule controls whether a user or group can run files with a file name extension of .dll and .ocx.
- A packaged app and packaged app installer rule controls whether a user or group can run or install a packaged app. A Packaged app installer has the .appx extension.
There are three different types of conditions that can be applied to rules:
- A publisher condition on a rule controls whether a user or group can run files from a specific software publisher. The file must be signed.
- A path condition on a rule controls whether a user or group can run files from within a specific directory or its subdirectories.
- A file hash condition on a rule controls whether a user or group can run files with matching encrypted hashes.
<!-- -->
- [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
An AppLocker rule collection is a set of rules that apply to one of the following types: executable files, Windows Installer files, scripts, DLLs, and packaged apps.
- [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash.
- [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
- [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
- [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.
- [Executable rules in AppLocker](executable-rules-in-applocker.md)
- [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
- [Script rules in AppLocker](script-rules-in-applocker.md)
- [DLL rules in AppLocker](dll-rules-in-applocker.md)
- [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
- [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow only a subset of a user group to use an application, you can create a special rule for that subset.
- [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) and [Understanding AppLocker allow and deny actions on Rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
Each AppLocker rule collection functions as an allowed list of files.
### Understanding AppLocker policies
An AppLocker policy is a set of rule collections and their corresponding configured enforcement settings that have been applied to one or more computers.
- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced.
### Understanding AppLocker and Group Policy
Group Policy can be used to create, modify, and distribute AppLocker policies in separate objects or in combination with other policies.
- [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
When Group Policy is used to distribute AppLocker policies, rule collections that are not configured will be enforced. Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules. AppLocker processes the explicit deny rule configuration before the allow rule configuration, and for rule enforcement, the last write to the GPO is applied.
When Group Policy is used to distribute AppLocker policies, rule collections that are not configured will be enforced. Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules.
AppLocker processes the explicit deny rule configuration before the allow rule configuration, and for rule enforcement, the last write to the GPO is applied.
## Related topics
[AppLocker technical reference](applocker-technical-reference.md)
 
 
- [AppLocker technical reference](applocker-technical-reference.md)
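Review bot: the unchanged context at `Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections` contradicts `Rules apply to five different types, or collections, of files` earlier in the same file, where packaged apps are the fifth collection; since this commit is already editing the file, name the packaged app collection in both places (the rule-collections summary under the `<!-- -->` marker already lists it). Separately, the break inserted at `...applies the AppLocker rules in addition to existing rules.` / `AppLocker processes the explicit deny rule configuration...` is a bare newline, which Markdown folds back into a single paragraph; insert an empty line if two paragraphs were intended.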


@ -2,61 +2,32 @@
title: AppLocker settings (Windows 10)
description: This topic for the IT professional lists the settings used by AppLocker.
ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker settings
**Applies to**
- Windows 10
This topic for the IT professional lists the settings used by AppLocker.
The following table describes the settings and values used by AppLocker.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Setting</th>
<th align="left">Value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Registry path</p></td>
<td align="left"><p>Policies are stored in <strong>\HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2</strong></p></td>
</tr>
<tr class="even">
<td align="left"><p>Firewall ports</p></td>
<td align="left"><p>Not applicable</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Security policies</p></td>
<td align="left"><p>Custom created, no default</p></td>
</tr>
<tr class="even">
<td align="left"><p>Group Policy settings</p></td>
<td align="left"><p>Custom created, no default</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Network ports</p></td>
<td align="left"><p>Not applicable</p></td>
</tr>
<tr class="even">
<td align="left"><p>Service accounts</p></td>
<td align="left"><p>Not applicable</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Performance counters</p></td>
<td align="left"><p>Not applicable</p></td>
</tr>
</tbody>
</table>
| Setting | Value |
| - | - |
| Registry path | Policies are stored in **HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2** |
| Firewall ports | Not applicable |
| Security policies | Custom created, no default |
| Group Policy settings | Custom created, no default |
| Network ports | Not applicable |
| Service accounts | Not applicable |
| Performance counters | Not applicable |
 
## Related topics
[AppLocker technical reference](applocker-technical-reference.md)
 
 
- [AppLocker technical reference](applocker-technical-reference.md)
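Review bot: the new row `| Registry path | Policies are stored in **HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2** |` keeps the mixed-case hive name from the old HTML table; the canonical name is `HKEY_LOCAL_MACHINE`. Registry paths are case-insensitive, so the fix is cosmetic, but readers copy these strings into scripts and audit queries, so use the canonical spelling while the row is being rewritten. Dropping the stray leading backslash from the old `\HKEY_LOCAL_Machine...` value is correct.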


@ -2,72 +2,32 @@
title: AppLocker technical reference (Windows 10)
description: This overview topic for IT professionals provides links to the topics in the technical reference.
ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# AppLocker technical reference
**Applies to**
- Windows 10
This overview topic for IT professionals provides links to the topics in the technical reference.
AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[What Is AppLocker?](what-is-applocker.md)</p></td>
<td align="left"><p>This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Requirements to use AppLocker](requirements-to-use-applocker.md)</p></td>
<td align="left"><p>This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[AppLocker policy use scenarios](applocker-policy-use-scenarios.md)</p></td>
<td align="left"><p>This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[How AppLocker works](how-applocker-works-techref.md)</p></td>
<td align="left"><p>This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[AppLocker architecture and components](applocker-architecture-and-components.md)</p></td>
<td align="left"><p>This topic for IT professional describes AppLockers basic architecture and its major components.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[AppLocker processes and interactions](applocker-processes-and-interactions.md)</p></td>
<td align="left"><p>This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[AppLocker functions](applocker-functions.md)</p></td>
<td align="left"><p>This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Security considerations for AppLocker](security-considerations-for-applocker.md)</p></td>
<td align="left"><p>This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Tools to Use with AppLocker](tools-to-use-with-applocker.md)</p></td>
<td align="left"><p>This topic for the IT professional describes the tools available to create and administer AppLocker policies.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[AppLocker Settings](applocker-settings.md)</p></td>
<td align="left"><p>This topic for the IT professional lists the settings used by AppLocker.</p></td>
</tr>
</tbody>
</table>
 
 
 
| Topic | Description |
| - | - |
| [What Is AppLocker?](what-is-applocker.md) | This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. |
| [Requirements to use AppLocker](requirements-to-use-applocker.md) | This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. |
| [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) | This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. |
| [How AppLocker works](how-applocker-works-techref.md) | This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. |
| [AppLocker architecture and components](applocker-architecture-and-components.md) | This topic for IT professional describes AppLockers basic architecture and its major components. |
| [AppLocker processes and interactions](applocker-processes-and-interactions.md) | This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. |
| [AppLocker functions](applocker-functions.md) | This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. |
| [Security considerations for AppLocker](security-considerations-for-applocker.md) | This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. |
| [Tools to Use with AppLocker](tools-to-use-with-applocker.md) | This topic for the IT professional describes the tools available to create and administer AppLocker policies. |
| [AppLocker Settings](applocker-settings.md) | This topic for the IT professional lists the settings used by AppLocker. |
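Review bot: the row `| [AppLocker architecture and components](applocker-architecture-and-components.md) | This topic for IT professional describes AppLockers basic architecture and its major components. |` carries two wording slips over from the HTML table it replaces: `for IT professional` should read `for the IT professional` to match the other rows, and `AppLockers` needs its apostrophe (`AppLocker's`). Worth fixing while the table is being converted.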


@ -2,19 +2,24 @@
title: Apply a basic audit policy on a file or folder (Windows 10)
description: You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Apply a basic audit policy on a file or folder
**Applies to**
- Windows 10
You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
To complete this procedure, you must be logged on as a member of the built-in Administrators group or you must have been granted the **Manage auditing and security log** right.
**To apply or modify auditing policy settings for a local file or folder**
1. 2.Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab.
1. Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab.
2. Click **Advanced**.
3. In the **Advanced Security Settings** dialog box, click the **Auditing** tab, and then click **Continue**.
4. Do one of the following:
@ -25,9 +30,11 @@ To complete this procedure, you must be logged on as a member of the built-in Ad
- To audit successful events, click **Success.**
- To audit failure events, click **Fail.**
- To audit all events, click **All.**
**Important**  Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
> **Important:**  Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
 
## Additional considerations
- After object access auditing is enabled, view the security log in Event Viewer to review the results of your changes.
- You can set up file and folder auditing only on NTFS drives.
- Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
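Review bot: in the bullets `- To audit successful events, click **Success.**`, `**Fail.**` and `**All.**` the sentence period sits inside the bold UI label, so the rendered label reads `Success.` rather than `Success`; move the period outside the asterisks (`click **Success**.`). The new `> **Important:**` callout also keeps the double space after the label from the old `**Important**  ` line; a single ordinary space is enough there.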


@ -2,41 +2,35 @@
title: Audit Account Lockout (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Account Lockout
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the advanced security audit policy setting, **Audit Account Lockout**, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts.
Account lockout events are essential for understanding user activity and detecting potential attacks.
Event volume: Low
Default setting: Success
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4625</p></td>
<td align="left"><p>An account failed to log on.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4625 | An account failed to log on. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

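Review bot: `Default setting: Success` uses the label `Default setting:` while the other audit subcategory pages in this commit (Audit Application Generated, Audit Application Group Management, Audit Audit Policy Change) use `Default:`; pick one label across the set so the pages can be scanned consistently. The 4625 table conversion itself matches the HTML table it replaces.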

@ -2,54 +2,39 @@
title: Audit Application Generated (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs).
ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Application Generated
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Application Generated**, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs).
The following events can generate audit activity:
- Creation, deletion, or initialization of an application client context
- Application operations
Applications that are designed to use the Windows Auditing APIs can use this subcategory to log auditing events that are related to those APIs. The level, volume, relevance, and importance of these audit events depend on the application that generates them. The operating system logs the events as they are generated by the application.
Event volume: Depends on the installed app's use of the Windows Auditing APIs
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4665</p></td>
<td align="left"><p>An attempt was made to create an application client context.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4666</p></td>
<td align="left"><p>An application attempted an operation:</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4667</p></td>
<td align="left"><p>An application client context was deleted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4668</p></td>
<td align="left"><p>An application was initialized.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4665 | An attempt was made to create an application client context. |
| 4666 | An application attempted an operation: |
| 4667 | An application client context was deleted. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

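Review bot: the markdown table loses a row. The HTML table being removed lists four events, `4665`, `4666`, `4667` and `4668` (`An application was initialized.`), but the replacement `| Event ID | Event message |` table stops at 4667; add `| 4668 | An application was initialized. |` so the conversion does not silently drop an event ID that readers map their detections against.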

@ -2,77 +2,42 @@
title: Audit Application Group Management (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed.
ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Application Group Management
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit Application Group Management**, which determines whether the operating system generates audit events when application group management tasks are performed.
Application group management tasks include:
- An application group is created, changed, or deleted.
- A member is added to or removed from an application group.
Event volume: Low
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4783</p></td>
<td align="left"><p>A basic application group was created.</p>
<p></p></td>
</tr>
<tr class="even">
<td align="left"><p>4784</p></td>
<td align="left"><p>A basic application group was changed.</p>
<p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>4785</p></td>
<td align="left"><p>A member was added to a basic application group.</p>
<p></p></td>
</tr>
<tr class="even">
<td align="left"><p>4786</p></td>
<td align="left"><p>A member was removed from a basic application group.</p>
<p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>4787</p></td>
<td align="left"><p>A non-member was added to a basic application group.</p>
<p></p></td>
</tr>
<tr class="even">
<td align="left"><p>4788</p></td>
<td align="left"><p>A non-member was removed from a basic application group.</p>
<p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>4789</p></td>
<td align="left"><p>A basic application group was deleted.</p>
<p></p></td>
</tr>
<tr class="even">
<td align="left"><p>4790</p></td>
<td align="left"><p>An LDAP query group was created.</p>
<p></p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4783 | A basic application group was created. |
| 4784 | A basic application group was changed. |
| 4785 | A member was added to a basic application group. |
| 4786 | A member was removed from a basic application group. |
| 4787 | A non-member was added to a basic application group. |
| 4788 | A non-member was removed from a basic application group. |
| 4789 | A basic application group was deleted. |
| 4790 | An LDAP query group was created. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 


@ -2,95 +2,54 @@
title: Audit Audit Policy Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy.
ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Audit Policy Change
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Audit Policy Change**, which determines whether the operating system generates audit events when changes are made to audit policy.
Changes to audit policy that are audited include:
- Changing permissions and audit settings on the audit policy object (by using **auditpol /set /sd**).
- Changing the system audit policy.
- Registering and unregistering security event sources.
- Changing per-user audit settings.
- Changing the value of **CrashOnAuditFail**.
- Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key).
**Note**  
SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.
> **Note:** SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.
 
- Changing anything in the Special Groups list.
**Important**  
Changes to the audit policy are critical security events.
> **Important:**  Changes to the audit policy are critical security events.
 
Event volume: Low
Default: Success
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4715</p></td>
<td align="left"><p>The audit policy (SACL) on an object was changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4719</p></td>
<td align="left"><p>System audit policy was changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4817</p></td>
<td align="left"><p>Auditing settings on an object were changed.</p>
<div class="alert">
<strong>Note</strong>  
<p>This event is logged only on computers running the supported versions of the Windows operating system.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left"><p>4902</p></td>
<td align="left"><p>The Per-user audit policy table was created.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4904</p></td>
<td align="left"><p>An attempt was made to register a security event source.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4905</p></td>
<td align="left"><p>An attempt was made to unregister a security event source.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4906</p></td>
<td align="left"><p>The CrashOnAuditFail value has changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4907</p></td>
<td align="left"><p>Auditing settings on object were changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4908</p></td>
<td align="left"><p>Special Groups Logon table modified.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4912</p></td>
<td align="left"><p>Per User Audit Policy was changed.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4715 | The audit policy (SACL) on an object was changed. |
| 4719 | System audit policy was changed. |
| 4817 | Auditing settings on an object were changed. <br> **Note: ** This event is logged only on computers running the supported versions of the Windows operating system. |
| 4902 | The Per-user audit policy table was created. |
| 4904 | An attempt was made to register a security event source. |
| 4905 | An attempt was made to unregister a security event source. |
| 4906 | The CrashOnAuditFail value has changed. |
| 4907 | Auditing settings on object were changed. |
| 4908 | Special Groups Logon table modified. |
| 4912 | Per User Audit Policy was changed. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

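Review bot: the line after `> **Important:**  Changes to the audit policy are critical security events.` appears to contain a non-breaking space rather than nothing; Markdown only treats lines made of spaces or tabs as blank, so a U+00A0-only line is lazy continuation text and `Event volume: Low` gets pulled into the Important quote. Make that line genuinely empty (the same check applies to the line after the `> **Note:**` quote). In the row `| 4817 | Auditing settings on an object were changed. <br> **Note: ** This event is logged only...`, `**Note: **` has a space before the closing asterisks, so it does not render as bold and the literal asterisks show; use `**Note:**`. Finally, the `> **Note:**` quote sits unindented between the `Changing audit settings on an object` and `Changing anything in the Special Groups list` bullets, which ends the first list and starts a second one; indent the quote under its bullet to keep a single list.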

@ -2,192 +2,117 @@
title: Audit Audit the access of global system objects (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Audit Audit the access of global system objects security policy setting.
ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit: Audit the access of global system objects
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting.
## Reference
If you enable this policy setting, a default system access control list (SACL) is applied when the device creates system objects such as mutexes, events, semaphores, and MS-DOS® devices. If you also enable the [Audit object access](basic-audit-object-access.md) audit setting, access to these system objects is audited.
Global system objects, also known as "base system objects" or "base named objects," are temporary kernel objects that have had names assigned to them by the application or system component that created them. These objects are most commonly used to synchronize multiple applications or multiple parts of a complex application. Because they have names, these objects are global in scope and, therefore, visible to all processes on the device. These objects all have a security descriptor; but typically, they do not have a NULL SACL. If you enable this policy setting and it takes effect at startup time, the kernel assigns a SACL to these objects when they are created.
The threat is that a globally visible named object, if incorrectly secured, might be acted on by a malicious program that knows the name of the object. For instance, if a synchronization object such as a mutex has a poorly constructed discretionary access control list (DACL), a malicious program can access that mutex by name and cause the program that created it to malfunction. However, the risk of this occurring is very low.
Enabling this policy setting can generate a large number of security events, especially on busy domain controllers and application servers. This might cause servers to respond slowly and force the security log to record numerous events of little significance. Auditing for access to global system objects is an all-or-nothing affair; there is no way to filter which events get recorded and which do not. Even if an organization has the resources to analyze events generated when this policy setting is enabled, it is unlikely to have the source code or a description of what each named object is used for; therefore, it is unlikely that many organizations could benefit from enabling this policy setting.
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
- Use the advanced security audit policy option, [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access, to reduce the number of unrelated audit events that you generate.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Disabled |
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy.
### Group Policy
All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
### Auditing
To audit attempts to access global system objects, you can use one of two security audit policy settings:
- [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access
- [Audit object access](basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy
If possible, use the Advanced Security Audit Policy option to reduce the number of unrelated audit events that you generate.
If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4659</p></td>
<td align="left"><p>A handle to an object was requested with intent to delete.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4660</p></td>
<td align="left"><p>An object was deleted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4661</p></td>
<td align="left"><p>A handle to an object was requested.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4663</p></td>
<td align="left"><p>An attempt was made to access an object.</p></td>
</tr>
</tbody>
</table>
 
If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>560</p></td>
<td align="left"><p>Access was granted to an already existing object.</p></td>
</tr>
<tr class="even">
<td align="left"><p>562</p></td>
<td align="left"><p>A handle to an object was closed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>563</p></td>
<td align="left"><p>An attempt was made to open an object with the intent to delete it.</p>
<div class="alert">
<strong>Note</strong>  
<p>This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left"><p>564</p></td>
<td align="left"><p>A protected object was deleted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>565</p></td>
<td align="left"><p>Access was granted to an already existing object type.</p></td>
</tr>
<tr class="even">
<td align="left"><p>567</p></td>
<td align="left"><p>A permission associated with a handle was used.</p>
<div class="alert">
<strong>Note</strong>  
<p>A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left"><p>569</p></td>
<td align="left"><p>The resource manager in Authorization Manager attempted to create a client context.</p></td>
</tr>
<tr class="even">
<td align="left"><p>570</p></td>
<td align="left"><p>A client attempted to access an object.</p>
<div class="alert">
<strong>Note</strong>  
<p>An event will be generated for every attempted operation on the object.</p>
</div>
<div>
 
</div></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4659 | A handle to an object was requested with intent to delete. |
| 4660 | An object was deleted. |
| 4661 | A handle to an object was requested. |
| 4663 | An attempt was made to access an object. |
 
If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated:
| Event ID | Event message |
| - | - |
| 560 | Access was granted to an already existing object. |
| 562 | A handle to an object was closed. |
| 563 | An attempt was made to open an object with the intent to delete it.<br>**Note: **This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() |
| 564 | A protected object was deleted. |
| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used.<br>**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
| 569 | The resource manager in Authorization Manager attempted to create a client context. |
| 570 | A client attempted to access an object.<br>**Note: ** An event will be generated for every attempted operation on the object. |
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
A globally visible named object, if incorrectly secured, could be acted upon by malicious software by using the name of the object. For instance, if a synchronization object such as a mutex had a poorly chosen discretionary access control list (DACL), malicious software could access that mutex by name and cause the program that created it to malfunction. However, the risk of such an occurrence is very low.
### Countermeasure
Enable the **Audit: Audit the access of global system objects** setting.
### Potential impact
If you enable the **Audit: Audit the access of global system objects** setting, a large number of security events could be generated, especially on busy domain controllers and application servers. Such an occurrence could cause servers to respond slowly and force the Security log to record numerous events of little significance. This policy setting can only be enabled or disabled, and there is no way to choose which events are recorded from this setting. Even organizations that have the resources to analyze events that are generated by this policy setting are not likely to have the source code or a description of what each named object is used for. Therefore, it is unlikely that most organizations would benefit by enabling this policy setting.
To reduce the number of audit events generated, use the advanced audit policy.
## Related topics
[Security Options](security-options.md)
 
 
- [Security Options](security-options.md)
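Review bot: the lead-in above the second event table (`If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated:`) is a copy of the sentence above the 4659 to 4663 table, but the 560 to 570 events are the legacy object-access events produced by the basic `Audit object access` setting, the second of the two settings listed under Auditing, so this sentence should name that setting instead. Two smaller points in the same table: the note markers in the 563 and 570 rows are written `**Note: **` with a space before the closing asterisks, which Markdown will not render as bold (the 567 row's `**Note:**` is the correct form), and `Createfile()` should be `CreateFile()` with a terminating period on that row.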

View File

@ -2,85 +2,86 @@
title: Audit Audit the use of Backup and Restore privilege (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Audit Audit the use of Backup and Restore privilege security policy setting.
ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit: Audit the use of Backup and Restore privilege
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting.
## Reference
The **Audit: Audit the use of Backup and Restore privilege** policy setting determines whether to audit the use of all user rights, including Backup and Restore, when the **Audit privilege use** policy setting is configured. Enabling both policy settings generates an audit event for every file that is backed up or restored.
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
- Set **Audit: Audit the use of Backup and Restore privilege** to Disabled. Enabling this policy setting can generate a large number of security events, which might cause servers to respond slowly and force the security event log to record numerous events of little significance.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Disabled |
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
### Auditing
Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users use backup or restore user rights, those events will not be audited.
Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner.
Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md), which can help you manage the number of events generated.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
When the backup and restore function is used, it creates a copy of the file system that is identical to the target of the backup. Making regular backup and restore volumes is an important part of your incident response plan. However, a malicious user could use a legitimate backup copy to gain access to information or to impersonate a legitimate network resource to compromise your enterprise.
### Countermeasure
Enable the **Audit: Audit the use of Backup and Restore privilege** setting. Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key. If you enable this option when the [Audit privilege use](basic-audit-privilege-use.md) setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner.
For more information about configuring this key, see Microsoft Knowledge Base article [100879](http://go.microsoft.com/fwlink/p/?LinkId=100879).
### Potential impact
If you enable this policy setting, a large number of security events could be generated, which could cause servers to respond slowly and force the security event log to record numerous events of little significance. If you increase the security event log size to reduce the chances of a system shutdown, an excessively large log file may affect system performance.
## Related topics
[Security Options](security-options.md)
- [Security Options](security-options.md)
 
 
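Review bot: the Countermeasure paragraph points the reader at the `AutoBackupLogFiles` registry key but only via a Knowledge Base link, and the KB number in the link text (100879) is identical to the fwlink `LinkId`, which is a redirect identifier rather than an article number; verify the article number and consider stating the full registry path inline so the guidance survives a dead link. Also the Related topics bullet is followed by two whitespace-only lines that this spacing clean-up should remove.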

View File

@ -2,21 +2,26 @@
title: Audit Authentication Policy Change (Windows 10)
description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy.
ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Authentication Policy Change
**Applies to**
- Windows 10
This topic for the IT professional describes this Advanced Security Audit policy setting, **Audit Authentication Policy Change**, which determines whether the operating system generates audit events when changes are made to authentication policy.
Changes made to authentication policy include:
- Creation, modification, and removal of forest and domain trusts.
- Changes to Kerberos policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**.
**Note**  
The audit event is logged when the policy is applied, not when settings are modified by the administrator.
> **Note:**  The audit event is logged when the policy is applied, not when settings are modified by the administrator.
 
- When any of the following user rights is granted to a user or group:
- **Access this computer from the network**
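Review bot: the new `> **Note:**` blockquote sits between the `Changes to Kerberos policy` bullet and the `When any of the following user rights is granted` bullet; an unindented blockquote followed by a blank line terminates the list, so the remaining items will render as a second list. Indent the blockquote under the Kerberos bullet, or move the note after the whole list, and collapse the double space after `**Note:**`.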
@ -25,61 +30,27 @@ Changes made to authentication policy include:
- **Logon as a batch job**
- **Logon as a service**
- Namespace collision, such as when an added trust collides with an existing namespace name.
This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups.
Event volume: Low
Default: Success
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4713</p></td>
<td align="left"><p>Kerberos policy was changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4716</p></td>
<td align="left"><p>Trusted domain information was modified.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4717</p></td>
<td align="left"><p>System security access was granted to an account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4718</p></td>
<td align="left"><p>System security access was removed from an account.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4739</p></td>
<td align="left"><p>Domain Policy was changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4864</p></td>
<td align="left"><p>A namespace collision was detected.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4865</p></td>
<td align="left"><p>A trusted forest information entry was added.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4866</p></td>
<td align="left"><p>A trusted forest information entry was removed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4867</p></td>
<td align="left"><p>A trusted forest information entry was modified.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4713 | Kerberos policy was changed. |
| 4716 | Trusted domain information was modified. |
| 4717 | System security access was granted to an account. |
| 4718 | System security access was removed from an account. |
| 4739 | Domain Policy was changed. |
| 4864 | A namespace collision was detected. |
| 4865 | A trusted forest information entry was added. |
| 4866 | A trusted forest information entry was removed. |
| 4867 | A trusted forest information entry was modified. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 
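Review bot: the nested user-right names `Logon as a batch job` and `Logon as a service` in the context lines should read `Log on as a batch job` and `Log on as a service`, which is how these rights are labelled in Local Security Policy (the sibling `Access this computer from the network` is correct). The Related topics bullet is again followed by two whitespace-only lines that should go.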

View File

@ -2,63 +2,39 @@
title: Audit Authorization Policy Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy.
ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Authorization Policy Change
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Authorization Policy Change**, which determines whether the operating system generates audit events when specific changes are made to the authorization policy.
Authorization policy changes that can be audited include:
- Assigning or removing user rights (privileges) such as **SeCreateTokenPrivilege**, except for the system access rights that are audited by using the [Audit Authentication Policy Change](audit-authentication-policy-change.md) subcategory.
- Changing the Encrypting File System (EFS) policy.
<<<<<<< HEAD
Event volume: Low
=======
Event volume: Very high
>>>>>>> master
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4704</p></td>
<td align="left"><p>A user right was assigned.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4705</p></td>
<td align="left"><p>A user right was removed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4706</p></td>
<td align="left"><p>A new trust was created to a domain.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4707</p></td>
<td align="left"><p>A trust to a domain was removed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4714</p></td>
<td align="left"><p>Encrypted data recovery policy was changed.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4704 | A user right was assigned. |
| 4705 | A user right was removed. |
| 4706 | A new trust was created to a domain. |
| 4707 | A trust to a domain was removed. |
| 4714 | Encrypted data recovery policy was changed. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 
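Review bot: unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> master`) are committed in this file and will render verbatim on the published page; the two sides also disagree on the value (`Event volume: Low` versus `Event volume: Very high`). Resolve to a single `Event volume:` line before merging, and confirm the correct value rather than keeping whichever side happened to win the rebase.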

View File

@ -2,38 +2,30 @@
title: Audit Central Access Policy Staging (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy.
ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Central Access Policy Staging
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Central Access Policy Staging**, which determines permissions on a Central Access Policy.
Event volume: Medium
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4818</p></td>
<td align="left"><p>Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4818 | Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 
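Review bot: the description and the intro sentence say this setting `determines permissions on a Central Access Policy`, which does not match the one event it produces (4818: a proposed Central Access Policy does not grant the same access as the current one); the subcategory audits access checks where a staged policy would decide differently from the current policy. Reword the description to say that, and give the 4818 message a terminating period as the other event tables have.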

View File

@ -2,17 +2,22 @@
title: Audit Certification Services (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Certification Services
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Certification Services**, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include:
- AD CS starts, shuts down, is backed up, or is restored.
- Certificate revocation list (CRL)-related tasks are performed.
- Certificates are requested, issued, or revoked.
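Review bot: the front matter in this hunk shows `ms.pagetype: security` both directly after `ms.assetid` and again after `ms.sitesec`, and the same pattern appears in every file in this commit; with the rendered diff's add/remove markers lost it is not obvious which line is the removed position, so confirm the committed file carries exactly one `ms.pagetype` key, since duplicate YAML keys are silently last-wins in some parsers and a hard error in others.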
@ -24,149 +29,49 @@ Examples of AD CS operations include:
- Security permissions for AD CS role services are modified.
- Keys are archived, imported, or retrieved.
- The OCSP Responder Service is started or stopped.
Monitoring these operational events is important to ensure that AD CS role services are functioning properly.
Event volume: Low to medium on servers that host AD CS role services
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4868</p></td>
<td align="left"><p>The certificate manager denied a pending certificate request.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4869</p></td>
<td align="left"><p>Certificate Services received a resubmitted certificate request.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4870</p></td>
<td align="left"><p>Certificate Services revoked a certificate.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4871</p></td>
<td align="left"><p>Certificate Services received a request to publish the certificate revocation list (CRL).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4872</p></td>
<td align="left"><p>Certificate Services published the certificate revocation list (CRL).</p></td>
</tr>
<tr class="even">
<td align="left"><p>4873</p></td>
<td align="left"><p>A certificate request extension changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4874</p></td>
<td align="left"><p>One or more certificate request attributes changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4875</p></td>
<td align="left"><p>Certificate Services received a request to shut down.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4876</p></td>
<td align="left"><p>Certificate Services backup started.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4877</p></td>
<td align="left"><p>Certificate Services backup completed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4878</p></td>
<td align="left"><p>Certificate Services restore started.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4879</p></td>
<td align="left"><p>Certificate Services restore completed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4880</p></td>
<td align="left"><p>Certificate Services started.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4881</p></td>
<td align="left"><p>Certificate Services stopped.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4882</p></td>
<td align="left"><p>The security permissions for Certificate Services changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4883</p></td>
<td align="left"><p>Certificate Services retrieved an archived key.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4884</p></td>
<td align="left"><p>Certificate Services imported a certificate into its database.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4885</p></td>
<td align="left"><p>The audit filter for Certificate Services changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4886</p></td>
<td align="left"><p>Certificate Services received a certificate request.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4887</p></td>
<td align="left"><p>Certificate Services approved a certificate request and issued a certificate.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4888</p></td>
<td align="left"><p>Certificate Services denied a certificate request.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4889</p></td>
<td align="left"><p>Certificate Services set the status of a certificate request to pending.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4890</p></td>
<td align="left"><p>The certificate manager settings for Certificate Services changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4891</p></td>
<td align="left"><p>A configuration entry changed in Certificate Services.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4892</p></td>
<td align="left"><p>A property of Certificate Services changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4893</p></td>
<td align="left"><p>Certificate Services archived a key.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4894</p></td>
<td align="left"><p>Certificate Services imported and archived a key.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4895</p></td>
<td align="left"><p>Certificate Services published the CA certificate to Active Directory Domain Services.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4896</p></td>
<td align="left"><p>One or more rows have been deleted from the certificate database.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4897</p></td>
<td align="left"><p>Role separation enabled:</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4898</p></td>
<td align="left"><p>Certificate Services loaded a template.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4868 | The certificate manager denied a pending certificate request. |
| 4869 | Certificate Services received a resubmitted certificate request. |
| 4870 | Certificate Services revoked a certificate. |
| 4871 | Certificate Services received a request to publish the certificate revocation list (CRL). |
| 4872 | Certificate Services published the certificate revocation list (CRL). |
| 4873 | A certificate request extension changed. |
| 4874 | One or more certificate request attributes changed. |
| 4875 | Certificate Services received a request to shut down. |
| 4876 | Certificate Services backup started. |
| 4877 | Certificate Services backup completed. |
| 4878 | Certificate Services restore started. |
| 4879 | Certificate Services restore completed. |
| 4880 | Certificate Services started. |
| 4881 | Certificate Services stopped. |
| 4882 | The security permissions for Certificate Services changed. |
| 4883 | Certificate Services retrieved an archived key. |
| 4884 | Certificate Services imported a certificate into its database. |
| 4885 | The audit filter for Certificate Services changed. |
| 4886 | Certificate Services received a certificate request. |
| 4887 | Certificate Services approved a certificate request and issued a certificate. |
| 4888 | Certificate Services denied a certificate request. |
| 4889 | Certificate Services set the status of a certificate request to pending. |
| 4890 | The certificate manager settings for Certificate Services changed. |
| 4891 | A configuration entry changed in Certificate Services. |
| 4892 | A property of Certificate Services changed. |
| 4893 | Certificate Services archived a key. |
| 4894 | Certificate Services imported and archived a key. |
| 4895 | Certificate Services published the CA certificate to Active Directory Domain Services. |
| 4896 | One or more rows have been deleted from the certificate database. |
| 4897 | Role separation enabled: |
| 4898 | Certificate Services loaded a template. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 
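Review bot: the paragraph `Monitoring these operational events is important to ensure that AD CS role services are functioning properly` frames the subcategory purely as health monitoring, but several rows in the table are configuration changes on the CA itself (4882 security permissions changed, 4885 audit filter changed, 4890 certificate manager settings changed, 4891 configuration entry changed) that a defender would want alerted on, so a sentence saying these are also security-relevant would help readers decide to enable it. Also the 4897 message ends with a colon (`Role separation enabled:`); if that is the literal event text it can stay, but it reads as truncated, so confirm it against the event source.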

View File

@ -2,47 +2,34 @@
title: Audit Computer Account Management (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Computer Account Management
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit Computer Account Management**, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
This policy setting is useful for tracking account-related changes to computers that are members of a domain.
Event volume: Low
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4741</p></td>
<td align="left"><p>A computer account was created.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4742</p></td>
<td align="left"><p>A computer account was changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4743</p></td>
<td align="left"><p>A computer account was deleted.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4741 | A computer account was created. |
| 4742 | A computer account was changed. |
| 4743 | A computer account was deleted. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
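Review bot: The delimiter row `| - | - |` of the new pipe table is the minimal valid form but drops the explicit `align="left"` that both columns carried in the HTML table; if the left alignment is meant to be preserved explicitly, use `| :- | :- |` instead. Moving `ms.pagetype: security` from after `ms.assetid` to after `ms.sitesec` is a pure reorder of the front matter with no functional effect; all three rows (4741, 4742, 4743) survive the conversion with their messages intact.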
 
 

View File

@ -2,59 +2,42 @@
title: Audit Credential Validation (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Credential Validation
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the advanced security audit policy setting, **Audit Credential Validation**, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
These events occur on the computer that is authoritative for the credentials as follows:
- For domain accounts, the domain controller is authoritative.
- For local accounts, the local computer is authoritative.
Event volume: High on domain controllers
Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events.
Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they
may occur in conjunction with or on separate computers from Logon and Logoff events.
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4774</p></td>
<td align="left"><p>An account was mapped for logon.</p>
<p></p></td>
</tr>
<tr class="even">
<td align="left"><p>4775</p></td>
<td align="left"><p>An account could not be mapped for logon.</p>
<p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>4776</p></td>
<td align="left"><p>The domain controller attempted to validate the credentials for an account.</p>
<p></p></td>
</tr>
<tr class="even">
<td align="left"><p>4777</p></td>
<td align="left"><p>The domain controller failed to validate the credentials for an account.</p>
<p></p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4774 | An account was mapped for logon. |
| 4775 | An account could not be mapped for logon. |
| 4776 | The domain controller attempted to validate the credentials for an account. |
| 4777 | The domain controller failed to validate the credentials for an account. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
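Review bot: In this file the long explanatory paragraph ("Because domain accounts are used much more frequently ...") sits between the "Event volume: High on domain controllers" line and the "Default: Not configured" line, whereas every other file in this commit keeps Event volume and Default adjacent; consider moving the paragraph above the Event volume line so the two summary lines stay together. Rejoining the sentence that was split after "and they" is correct, and the four empty `<p></p>` elements in the old HTML table carried no content, so nothing is lost in the pipe-table version.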
 
 

View File

@ -8,61 +8,33 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: brianlic-msft
---
# Audit Detailed Directory Service Replication
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit Detailed Directory Service Replication**, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers.
This audit subcategory can be useful to diagnose replication issues.
Event volume: These events can create a very high volume of event data.
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4928</p></td>
<td align="left"><p>An Active Directory replica source naming context was established.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4929</p></td>
<td align="left"><p>An Active Directory replica source naming context was removed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4930</p></td>
<td align="left"><p>An Active Directory replica source naming context was modified.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4931</p></td>
<td align="left"><p>An Active Directory replica destination naming context was modified.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4934</p></td>
<td align="left"><p>Attributes of an Active Directory object were replicated.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4935</p></td>
<td align="left"><p>Replication failure begins.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4936</p></td>
<td align="left"><p>Replication failure ends.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4937</p></td>
<td align="left"><p>A lingering object was removed from a replica.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4928 | An Active Directory replica source naming context was established. |
| 4929 | An Active Directory replica source naming context was removed. |
| 4930 | An Active Directory replica source naming context was modified. |
| 4931 | An Active Directory replica destination naming context was modified. |
| 4934 | Attributes of an Active Directory object were replicated. |
| 4935 | Replication failure begins. |
| 4936 | Replication failure ends. |
| 4937 | A lingering object was removed from a replica. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
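Review bot: This hunk starts at `ms.mktglfcycl: deploy` (line 8 of the file), so unlike the other files in this commit `ms.pagetype` is not reordered here; check that this file's front matter already has the key in the position the rest of the commit settles on, otherwise it will be the one file with a different key order. The "Event volume: These events can create a very high volume of event data." wording is also a full sentence where the other files use a short qualifier such as "High"; a consistent "Event volume: Very high" would read better, though that is outside the lines changed here.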
 
 

View File

@ -2,42 +2,33 @@
title: Audit Detailed File Share (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder.
ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Detailed File Share
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Detailed File Share**, which allows you to audit attempts to access files and folders on a shared folder.
The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client computer and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
**Note**  
There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.
> **Note:**  There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.
 
Event volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>5145</p></td>
<td align="left"><p>A network share object was checked to see whether the client can be granted desired access.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 5145 | A network share object was checked to see whether the client can be granted desired access. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
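Review bot: The converted callout `> **Note:**  There are no system access control lists ...` keeps a run of two spaces after `**Note:**`, inherited from the old `**Note**  ` hard-break form; one of them is very likely a non-breaking space, which renders as visible stray spacing inside the blockquote. Collapse it to a single ordinary space. The same two-space run appears in the Important and Note callouts converted in the other files of this commit, so fix them together.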
 
 

View File

@ -2,42 +2,33 @@
title: Audit Directory Service Access (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Directory Service Access
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Access**, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
These events are similar to the Directory Service Access events in previous versions of the Windows Server operating systems.
**Important**  
Audit events are generated only on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings.
> **Important:**  Audit events are generated only on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings.
 
Event volume: High on servers running AD DS role services; none on client computers
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4662</p></td>
<td align="left"><p>An operation was performed on an object.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4662 | An operation was performed on an object. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

View File

@ -2,65 +2,48 @@
title: Audit Directory Service Changes (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Directory Service Changes
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Changes**, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
The types of changes that are reported are:
- Create
- Delete
- Modify
- Move
- Undelete
Directory Service Changes auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed.
**Important**  
Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
> **Important:**  Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
 
This subcategory only logs events on domain controllers. Changes to Active Directory objects are important events to track in order to understand the state of the network policy.
Event volume: High on domain controllers; none on client computers
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>5136</p></td>
<td align="left"><p>A directory service object was modified.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5137</p></td>
<td align="left"><p>A directory service object was created.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5138</p></td>
<td align="left"><p>A directory service object was undeleted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5139</p></td>
<td align="left"><p>A directory service object was moved.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5141</p></td>
<td align="left"><p>A directory service object was deleted.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 5136 | A directory service object was modified. |
| 5137 | A directory service object was created. |
| 5138 | A directory service object was undeleted. |
| 5139 | A directory service object was moved. |
| 5141 | A directory service object was deleted. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

View File

@ -2,42 +2,31 @@
title: Audit Directory Service Replication (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Directory Service Replication
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Replication**, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
Event volume: Medium on domain controllers; none on client computers
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4932</p></td>
<td align="left"><p>Synchronization of a replica of an Active Directory naming context has begun.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4933</p></td>
<td align="left"><p>Synchronization of a replica of an Active Directory naming context has ended.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event Message |
| - | - |
| 4932 | Synchronization of a replica of an Active Directory naming context has begun. |
| 4933 | Synchronization of a replica of an Active Directory naming context has ended. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
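Review bot: The new table header in this file reads `| Event ID | Event Message |` with a capital M, while every other converted table in this commit (and the `<th>` it replaces here) uses "Event message"; change it to "Event message" so the headings stay consistent across the audit topics.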
 
 

View File

@ -2,97 +2,51 @@
title: Audit Distribution Group Management (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks.
ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Distribution Group Management
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Distribution Group Management**, which determines whether the operating system generates audit events for specific distribution-group management tasks.
Tasks for distribution-group management that can be audited include:
- A distribution group is created, changed, or deleted.
- A member is added to or removed from a distribution group.
This subcategory to which this policy belongs is logged only on domain controllers.
**Note**  
Distribution groups cannot be used to manage access control permissions.
> **Note:**  Distribution groups cannot be used to manage access control permissions.
 
Event volume: Low
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4744</p></td>
<td align="left"><p>A security-disabled local group was created.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4745</p></td>
<td align="left"><p>A security-disabled local group was changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4746</p></td>
<td align="left"><p>A member was added to a security-disabled local group.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4747</p></td>
<td align="left"><p>A member was removed from a security-disabled local group.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4748</p></td>
<td align="left"><p>A security-disabled local group was deleted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4749</p></td>
<td align="left"><p>A security-disabled global group was created.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4750</p></td>
<td align="left"><p>A security-disabled global group was changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4751</p></td>
<td align="left"><p>A member was added to a security-disabled global group.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4752</p></td>
<td align="left"><p>A member was removed from a security-disabled global group.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4753</p></td>
<td align="left"><p>A security-disabled global group was deleted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4759</p></td>
<td align="left"><p>A security-disabled universal group was created.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4760</p></td>
<td align="left"><p>A security-disabled universal group was changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4761</p></td>
<td align="left"><p>A member was added to a security-disabled universal group.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4762</p></td>
<td align="left"><p>A member was removed from a security-disabled universal group.</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
| Event ID | Event message |
| - | - |
| 4744 | A security-disabled local group was created. |
| 4745 | A security-disabled local group was changed. |
| 4746 | A member was added to a security-disabled local group. |
| 4747 | A member was removed from a security-disabled local group. |
| 4748 | A security-disabled local group was deleted. |
| 4749 | A security-disabled global group was created. |
| 4750 | A security-disabled global group was changed. |
| 4751 | A member was added to a security-disabled global group. |
| 4752 | A member was removed from a security-disabled global group. |
| 4753 | A security-disabled global group was deleted. |
| 4759 | A security-disabled universal group was created. |
| 4760 | A security-disabled universal group was changed. |
| 4761 | A member was added to a security-disabled universal group. |
| 4762 | A member was removed from a security-disabled universal group. |
 ## Related topics
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
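Review bot: The re-added `## Related topics` heading at the end of this file has a leading non-breaking space (the line reads ` ## Related topics`) and it directly follows the last table row; a non-breaking space is not treated as heading indentation in Markdown, so the line will render as ordinary text, and a pipe-table parser may even absorb it as a final row of the table. Remove the leading character and keep a blank line between the table and the heading, as the other files in this commit do. Separately, the sentence "This subcategory to which this policy belongs is logged only on domain controllers." reads as two phrasings merged; "The subcategory to which this policy belongs is logged only on domain controllers." is presumably what is intended.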
 
 

View File

@ -2,53 +2,37 @@
title: Audit DPAPI Activity (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).
ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit DPAPI Activity
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit DPAPI Activity**, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).
DPAPI is used to protect secret information such as stored passwords and key information. For more information about DPAPI, see [Windows Data Protection](http://go.microsoft.com/fwlink/p/?linkid=121720) (http://go.microsoft.com/fwlink/p/?linkid=121720).
Event volume: Low
Default: Not configured
If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic, in addition to Windows Server 2008 and Windows Vista.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4692</p></td>
<td align="left"><p>Backup of data protection master key was attempted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4693</p></td>
<td align="left"><p>Recovery of data protection master key was attempted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4694</p></td>
<td align="left"><p>Protection of auditable protected data was attempted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4695</p></td>
<td align="left"><p>Unprotection of auditable protected data was attempted.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4692 | Backup of data protection master key was attempted. |
| 4693 | Recovery of data protection master key was attempted. |
| 4694 | Protection of auditable protected data was attempted. |
| 4695 | Unprotection of auditable protected data was attempted. |
 
## Related resource
[Advanced Security Audit Policy Settings](advanced-security-audit-policy-settings.md)
- [Advanced Security Audit Policy Settings](advanced-security-audit-policy-settings.md)
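Review bot: The closing section of this file is headed `## Related resource` with title-cased link text "Advanced Security Audit Policy Settings", while every other file in this commit uses `## Related topics` with the sentence-case "Advanced security audit policy settings"; align this one with the others since the commit is already touching that line. Minor: the first paragraph expands DPAPI as "data protection application interface", which does not match the acronym; "data protection application programming interface" (or simply "the Data Protection API") would be accurate.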
 
 

View File

@ -2,66 +2,39 @@
title: Audit File Share (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed.
ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit File Share
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File Share**, which determines whether the operating system generates audit events when a file share is accessed.
Audit events are not generated when shares are created, deleted, or when share permissions change.
**Note**  
There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited.
> **Note:**  There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited.
 
Combined with File System auditing, File Share auditing enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access.
Event volume: High on a file server or domain controller (due to SYSVOL access by client computers for policy processing)
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>5140</p></td>
<td align="left"><p>A network share object was accessed.</p>
<div class="alert">
<strong>Note</strong>  
<p>This event is logged on computers running Windows 10, Windows Server 2016 Technical Preview, Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left"><p>5142</p></td>
<td align="left"><p>A network share object was added.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5143</p></td>
<td align="left"><p>A network share object was modified.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5144</p></td>
<td align="left"><p>A network share object was deleted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5168</p></td>
<td align="left"><p>SPN check for SMB/SMB2 failed.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - |- |
| 5140 | A network share object was accessed.<br>**Note:** This event is logged on computers running Windows 10, Windows Server 2016 Technical Preview, Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. |
| 5142 | A network share object was added. |
| 5143 | A network share object was modified. |
| 5144 | A network share object was deleted. |
| 5168 | SPN check for SMB/SMB2 failed. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
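Review bot: The delimiter row in this file is written `| - |- |` with the space missing before the second hyphen, unlike the `| - | - |` form used in the other converted tables; it still parses, but normalise it for consistency. Folding the old `<div class="alert">` note for event 5140 into the cell as `<br>**Note:** ...` is fine for GFM-style rendering, since inline HTML and bold are allowed inside table cells, and the list of operating systems in that note is carried over unchanged.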
 
 

View File

@ -2,51 +2,39 @@
title: Audit File System (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects.
ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.pagetype: security
ms.sitesec: library
author: brianlic-msft
---
# Audit File System
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File System**, which determines whether the operating system generates audit events when users attempt to access file system objects.
Audit events are generated only for objects that have configured system access control lists (SACLs), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL.
These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring.
Event volume: Varies, depending on how file system SACLs are configured
No audit events are generated for the default file system SACLs.
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4664</p></td>
<td align="left"><p>An attempt was made to create a hard link.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4985</p></td>
<td align="left"><p>The state of a transaction has changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5051</p></td>
<td align="left"><p>A file was virtualized.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4664 | An attempt was made to create a hard link. |
| 4985 | The state of a transaction has changed. |
| 5051 | A file was virtualized. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
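Review bot: In this file `ms.pagetype: security` is reinserted between `ms.mktglfcycl` and `ms.sitesec`, whereas every other file in this commit places it after `ms.sitesec`; since the whole point of the front-matter edits is consistency, move it below `ms.sitesec` here as well.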
 
 

View File

@ -2,80 +2,48 @@
title: Audit Filtering Platform Connection (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform.
ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Filtering Platform Connection
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Connection**, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
This security policy enables you to audit the following types of actions:
- The Windows Firewall service blocks an application from accepting incoming connections on the network.
- The Windows Filtering Platform allows or blocks a connection.
- The Windows Filtering Platform permits or blocks a bind to a local port.
- The Windows Filtering Platform permits or blocks an application or service from listening for incoming connections on a port.
Event volume: High
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>5031</p></td>
<td align="left"><p>The Windows Firewall Service blocked an application from accepting incoming connections on the network.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5140</p></td>
<td align="left"><p>A network share object was accessed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5150</p></td>
<td align="left"><p>The Windows Filtering Platform blocked a packet.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5151</p></td>
<td align="left"><p>A more restrictive Windows Filtering Platform filter has blocked a packet.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5154</p></td>
<td align="left"><p>The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5155</p></td>
<td align="left"><p>The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5156</p></td>
<td align="left"><p>The Windows Filtering Platform has allowed a connection.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5157</p></td>
<td align="left"><p>The Windows Filtering Platform has blocked a connection.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5158</p></td>
<td align="left"><p>The Windows Filtering Platform has permitted a bind to a local port.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5159</p></td>
<td align="left"><p>The Windows Filtering Platform has blocked a bind to a local port.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. |
| 5140 | A network share object was accessed. |
| 5150 | The Windows Filtering Platform blocked a packet. |
| 5151 | A more restrictive Windows Filtering Platform filter has blocked a packet. |
| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. |
| 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. |
| 5156 | The Windows Filtering Platform has allowed a connection. |
| 5157 | The Windows Filtering Platform has blocked a connection. |
| 5158 | The Windows Filtering Platform has permitted a bind to a local port. |
| 5159 | The Windows Filtering Platform has blocked a bind to a local port. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 
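Review bot: the 5140 row ("A network share object was accessed") in the new markdown table at the bottom of this hunk is carried over unchanged from the HTML table, but it is the only entry whose message is not a Windows Firewall or Windows Filtering Platform message, so it looks out of place in the Audit Filtering Platform Connection list; confirm it belongs here before the table conversion locks it in. In the same table, 5150 and 5151 ("blocked a packet" / "A more restrictive Windows Filtering Platform filter has blocked a packet") repeat, word for word, the 5152 and 5153 messages that the Packet Drop topic in this commit lists under different IDs, so the IDs for this subcategory deserve a second look as well.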
@ -2,44 +2,35 @@
title: Audit Filtering Platform Packet Drop (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform.
ms.assetid: 95457601-68d1-4385-af20-87916ddab906
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Filtering Platform Packet Drop
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Packet Drop**, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to computers on your network.
Event volume: High
Default setting: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>5152</p></td>
<td align="left"><p>The Windows Filtering Platform blocked a packet.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5153</p></td>
<td align="left"><p>A more restrictive Windows Filtering Platform filter has blocked a packet.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 5152 | The Windows Filtering Platform blocked a packet. |
| 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 
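Review bot: style point at "Default setting: Not configured", the unchanged context line just above the new table: the sibling topics in this commit use "Default: Not configured", so normalize the label while this file is being touched. The two markdown rows (5152, 5153) match the HTML rows they replace.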
@ -2,24 +2,33 @@
title: Audit Filtering Platform Policy Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions.
ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Filtering Platform Policy Change
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Policy Change**, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
This security policy setting determines whether the operating system generates audit events for:
- IPsec services status.
- Changes to IPsec settings.
- Status and changes to the Windows Filtering Platform engine and providers.
- IPsec Policy Agent service activities.
Event volume: Low
Default: Not configured
<table>
<colgroup>
<col width="50%" />
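Review bot: inconsistency: this file keeps its HTML table (the unchanged `<table>` and `<colgroup>` context at the end of the hunk) while every other topic in this commit converts its event table to a markdown pipe table. Either convert it here too or say in the commit message why it was deferred; the event rows themselves are not shown in this hunk, so the omission may simply be an oversight.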
@ -210,6 +219,7 @@ Default: Not configured
</table>
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 
@ -2,90 +2,94 @@
title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting.
ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
**Applies to**
- Windows 10
Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting.
## Reference
You can manage your audit policy in a more precise way by using audit policy subcategories.
There are over 40 auditing subcategories that provide precise details about activities on a device. For info about these subcategories, see the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
### Possible values
- Enabled
- Disabled
### Best practices
- Leave the setting enabled. This provides the ability to audit events at the category level without revising a policy.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Enabled</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Enabled |
| DC Effective Default Settings | Enabled |
| Member Server Effective Default Settings | Enabled |
| Client Computer Effective Default Settings | Enabled |
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
### Group Policy
All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
### Auditing
To manage an audit policy by using subcategories without requiring a change to Group Policy, the SCENoApplyLegacyAuditPolicy registry value , prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.
If the category level audit policy that is set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set.
### Command-line tools
You can use auditpol.exe to display and manage audit policies from a command prompt.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events, and the key information that needed to be audited was difficult to find.
### Countermeasure
Enable audit policy subcategories as needed to track specific events.
### Potential impacts
If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the **SCENoApplyLegacyAuditPolicy** key.
**Important**  
Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance.
If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the
**SCENoApplyLegacyAuditPolicy** key.
> **Important:**  Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance.
 
## Related topics
[Security Options](security-options.md)
- [Security Options](security-options.md)
 
 
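Review bot: the rewritten Potential impacts paragraph breaks mid-sentence: "you must first disable the" ends one line and "**SCENoApplyLegacyAuditPolicy** key." starts the next. Markdown joins them into one paragraph, but the hard break reads as a stray edit; put the sentence on one line. Two drive-bys in unchanged context of the same file are worth fixing in the same pass: "the SCENoApplyLegacyAuditPolicy registry value , prevents" has a space before the comma and reads better as "the SCENoApplyLegacyAuditPolicy registry value prevents", and "policys property page" is missing its apostrophe.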
@ -2,43 +2,37 @@
title: Audit Group Membership (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC.
ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Group Membership
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit Group Membership**, which enables you to audit group memberships when they are enumerated on the client PC.
This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created.
For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
**Note**  You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**.
> **Note:**  You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**.
 
Multiple events are generated if the group membership information cannot fit in a single security audit event
Event volume: High
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4627</p></td>
<td align="left"><p>Group membership information.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4627 | Group membership information. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 
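Review bot: "Multiple events are generated if the group membership information cannot fit in a single security audit event", the unchanged context line just above "Event volume", is missing its terminating period; since the adjacent Note is being reformatted into a blockquote anyway, fix the punctuation here too. The blockquote conversion and the single 4627 table row match the removed HTML.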
@ -2,50 +2,37 @@
title: Audit Handle Manipulation (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Handle Manipulation
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Handle Manipulation**, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
Only objects with configured system access control lists (SACLs) generate these events, and only if the attempted handle operation matches the SACL.
**Important**  
Handle Manipulation events are generated only for object types where the corresponding File System or Registry Object Access subcategory is enabled. For more information, see [Audit File System](audit-file-system.md) or [Audit Registry](audit-registry.md).
> **Important:**  Handle Manipulation events are generated only for object types where the corresponding File System or Registry Object Access subcategory is enabled. For more information, see [Audit File System](audit-file-system.md) or [Audit Registry](audit-registry.md).
 
Event volume: High, depending on how SACLs are configured
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4656</p></td>
<td align="left"><p>A handle to an object was requested.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4658</p></td>
<td align="left"><p>The handle to an object was closed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4690</p></td>
<td align="left"><p>An attempt was made to duplicate a handle to an object.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4656 | A handle to an object was requested. |
| 4658 | The handle to an object was closed. |
| 4690 | An attempt was made to duplicate a handle to an object. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 
@ -2,87 +2,53 @@
title: Audit IPsec Driver (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver.
ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit IPsec Driver
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit IPsec Driver**, which determines whether the operating system generates audit events for the activities of the IPsec driver.
The IPsec driver, using the IP Filter List from the active IPsec policy, watches for outbound IP packets that must be secured and inbound IP packets that must be verified and decrypted. This security policy setting reports on the following activities of the IPsec driver:
- Startup and shutdown of IPsec services.
- Packets dropped due to integrity-check failure.
- Packets dropped due to replay-check failure.
- Packets dropped due to being in plaintext.
- Packets received with an incorrect Security Parameter Index (SPI). (This can indicate malfunctioning hardware or interoperability problems.)
- Failure to process IPsec filters.
A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems.
Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter.
Event volume: Medium
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4960</p></td>
<td align="left"><p>IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4961</p></td>
<td align="left"><p>IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4962</p></td>
<td align="left"><p>IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4963</p></td>
<td align="left"><p>IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4965</p></td>
<td align="left"><p>IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5478</p></td>
<td align="left"><p>IPsec Services has started successfully.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5479</p></td>
<td align="left"><p>IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5480</p></td>
<td align="left"><p>IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5483</p></td>
<td align="left"><p>IPsec Services failed to initialize RPC server. IPsec Services could not be started.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5484</p></td>
<td align="left"><p>IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5485</p></td>
<td align="left"><p>IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4960 | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. |
| 4961 | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. |
| 4962 | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. |
| 4963 | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. |
| 4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. |
| 5478 | IPsec Services has started successfully. |
| 5479 | IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
| 5480 | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
| 5483 | IPsec Services failed to initialize RPC server. IPsec Services could not be started. |
| 5484 | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
| 5485 | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 
@ -2,106 +2,41 @@
title: Audit IPsec Extended Mode (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit IPsec Extended Mode
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Extended Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers.
AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports main-mode and quick-mode negotiation. AuthIP also supports Extended Mode, a part of IPsec peer negotiation during which a second round of authentication can be performed. Extended Mode, which is optional, can be used for multiple authentications. For example, with extended mode you can perform separate computer-based and user-based authentications.
AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports main-mode and quick-mode negotiation.
AuthIP also supports Extended Mode, a part of IPsec peer negotiation during which a second round of authentication can be performed. Extended Mode, which is optional, can be used for multiple authentications. For example, with extended mode you can perform separate computer-based and user-based authentications.
Event volume: High
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4978</p></td>
<td align="left"><p>During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4979</p></td>
<td align="left"><p>IPsec Main Mode and Extended Mode security associations were established.</p>
<div class="alert">
<strong>Note</strong>  
<p>This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left"><p>4980</p></td>
<td align="left"><p>IPsec Main Mode and Extended Mode security associations were established.</p>
<div class="alert">
<strong>Note</strong>  
<p>This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint. Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information:</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left"><p>4981</p></td>
<td align="left"><p>IPsec Main Mode and Extended Mode security associations were established.</p>
<div class="alert">
<strong>Note</strong>  
<p>This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left"><p>4982</p></td>
<td align="left"><p>IPsec Main Mode and Extended Mode security associations were established.</p>
<div class="alert">
<strong>Note</strong>  
<p>This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left"><p>4983</p></td>
<td align="left"><p>An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.</p>
<div class="alert">
<strong>Note</strong>  
<p>This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left"><p>4984</p></td>
<td align="left"><p>An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.</p>
<div class="alert">
<strong>Note</strong>  
<p>This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information.</p>
</div>
<div>
 
</div></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4978 | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4979 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:** This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information. |
| 4980 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:** This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint. Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information: |
| 4981 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information. |
| 4982 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information. |
| 4983 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.<br>**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information. |
| 4984 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.<br>**Note:** This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

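Review bot: The converted 4980 row keeps two punctuation slips from the HTML it replaces: the category list reads "Main Mode Remote Endpoint. Main Mode Cryptographic Information" (a period where a comma belongs) and ends with a colon instead of a period. Since the row is being rewritten anyway, correct it to `... Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information.` The 4979 row also says "event data" where every other row says "event audit data"; use one phrasing across the table.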
@ -2,87 +2,42 @@
title: Audit IPsec Main Mode (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit IPsec Main Mode
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Main Mode**, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers.
AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation.
Main Mode Internet Key Exchange (IKE) negotiation establishes a secure channel, known as the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA), between two computers. To establish the secure channel, Main Mode negotiation determines a set of cryptographic protection suites, exchanges keying material to establish the shared secret key, and authenticates computer identities.
Event volume: High
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4646</p></td>
<td align="left"><p>Security ID: %1</p></td>
</tr>
<tr class="even">
<td align="left"><p>4650</p></td>
<td align="left"><p>An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4651</p></td>
<td align="left"><p>An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4652</p></td>
<td align="left"><p>An IPsec Main Mode negotiation failed.</p>
<div class="alert">
<strong>Note</strong>  
<p>This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left"><p>4653</p></td>
<td align="left"><p>An IPsec Main Mode negotiation failed.</p>
<div class="alert">
<strong>Note</strong>  
<p>This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left"><p>4655</p></td>
<td align="left"><p>An IPsec Main Mode security association ended.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4976</p></td>
<td align="left"><p>During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5049</p></td>
<td align="left"><p>An IPsec Security Association was deleted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5453</p></td>
<td align="left"><p>An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4646 | Security ID: %1 |
| 4650 | An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. |
| 4651 | An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. |
| 4652 | An IPsec Main Mode negotiation failed.<br>**Note:** This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information. |
| 4653 | An IPsec Main Mode negotiation failed.<br>**Note:** This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. |
| 4655 | An IPsec Main Mode security association ended. |
| 4976 | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 5049 | An IPsec Security Association was deleted. |
| 5453 | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

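Review bot: The 4646 row in the new table still reads "Security ID: %1", which is an unexpanded message template (the `%1` insertion string) rather than an event description, and it was copied over unchanged from the HTML table above it. Replace it with the event's summary text, or drop the row if 4646 does not belong in this subcategory; either way, confirm against the event definition before publishing, since a reader scanning this table for Main Mode failures gets no information from that row.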
@ -2,49 +2,36 @@
title: Audit IPsec Quick Mode (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit IPsec Quick Mode
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Quick Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers.
AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation.
Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of security associations (SAs) that are negotiated on behalf of the IPsec service, the SAs that are created during Quick Mode are called the IPsec SAs. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects specified IP traffic is also selected. A protection suite is a defined set of data integrity or data encryption settings. Quick Mode is not considered a complete exchange because it is dependent on a Main Mode exchange.
Event volume: High
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4977</p></td>
<td align="left"><p>During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5451</p></td>
<td align="left"><p>An IPsec Quick Mode security association was established.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5452</p></td>
<td align="left"><p>An IPsec Quick Mode security association ended.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
|- |- |
| 4977 | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.|
| 5451 | An IPsec Quick Mode security association was established.|
| 5452 | An IPsec Quick Mode security association ended.|
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

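Review bot: The new table's header separator `|- |- |` and its rows, which omit the space before the closing pipe (`| 5451 | An IPsec Quick Mode security association was established.|`), differ from the `| - | - |` and `| ... |` layout used for the other converted tables in this commit. Markdown renders both, but normalizing here avoids churn the next time someone reflows these files.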
@ -2,48 +2,35 @@
title: Audit Kerberos Authentication Service (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Kerberos Authentication Service
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Authentication Service**, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts.
Event volume: High on Kerberos Key Distribution Center servers
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4768</p></td>
<td align="left"><p>A Kerberos authentication ticket (TGT) was requested.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4771</p></td>
<td align="left"><p>Kerberos preauthentication failed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4772</p></td>
<td align="left"><p>A Kerberos authentication ticket request failed.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4768 | A Kerberos authentication ticket (TGT) was requested. |
| 4771 | Kerberos preauthentication failed. |
| 4772 | A Kerberos authentication ticket request failed. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

@ -2,46 +2,37 @@
title: Audit Kerberos Service Ticket Operations (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests.
ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Kerberos Service Ticket Operations
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Service Ticket Operations**, which determines whether the operating system generates security audit events for Kerberos service ticket requests.
Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity.
Event volume:
- High on a domain controller that is in a Key Distribution Center (KDC)
- Low on domain members
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4769</p></td>
<td align="left"><p>A Kerberos service ticket was requested.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4770</p></td>
<td align="left"><p>A Kerberos service ticket was renewed.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4769 | A Kerberos service ticket was requested. |
| 4770 | A Kerberos service ticket was renewed. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

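Review bot: "High on a domain controller that is in a Key Distribution Center (KDC)" in the event volume list is muddled: the domain controller runs the KDC, it is not "in" one. Suggest "High on a domain controller, which runs the Key Distribution Center (KDC)". The line is unchanged context here, but this commit is already reflowing the file.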
@ -2,56 +2,40 @@
title: Audit Kernel Object (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Kernel Object
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kernel Object**, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers.
Typically, kernel objects are given SACLs only if the **AuditBaseObjects** or **AuditBaseDirectories** auditing options are enabled.
**Note**  
The **Audit: Audit the access of global system objects** policy setting controls the default SACL of kernel objects.
> **Note:**  The **Audit: Audit the access of global system objects** policy setting controls the default SACL of kernel objects.
 
Event volume: High if you have enabled one of the Global Object Access Auditing settings
Default setting: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4659</p></td>
<td align="left"><p>A handle to an object was requested with intent to delete.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4660</p></td>
<td align="left"><p>An object was deleted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4661</p></td>
<td align="left"><p>A handle to an object was requested.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4663</p></td>
<td align="left"><p>An attempt was made to access an object.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4659 | A handle to an object was requested with intent to delete. |
| 4660 | An object was deleted. |
| 4661 | A handle to an object was requested. |
| 4663 | An attempt was made to access an object. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

@ -2,48 +2,38 @@
title: Audit Logoff (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated.
ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Logoff
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logoff**, which determines whether the operating system generates audit events when logon sessions are terminated.
These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to.
**Note**  
There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.
> **Note: **  There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.
 
Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated.
Event volume: Low
Default: Success
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4634</p></td>
<td align="left"><p>An account was logged off.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4647</p></td>
<td align="left"><p>User initiated logoff.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4634 | An account was logged off. |
| 4647 | User initiated logoff. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

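Review bot: `> **Note: **  There is no failure event` has a space inside the closing bold delimiter, so Markdown leaves the asterisks unrendered. Write it as `> **Note:**  There is no failure event in this subcategory ...`, the form used in the Audit Kernel Object topic in this same commit.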
@ -2,57 +2,44 @@
title: Audit Logon (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer.
ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Logon
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logon**, which determines whether the operating system generates audit events when a user attempts to log on to a computer.
These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed.
The following events are recorded:
- Logon success and failure.
- Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the Runas command.
- Security identifiers (SIDs) are filtered.
Logon events are essential to tracking user activity and detecting potential attacks.
Event volume: Low on a client computer; medium on a domain controller or network server
Default: Success for client computers; success and failure for servers
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4624</p></td>
<td align="left"><p>An account was successfully logged on.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4625</p></td>
<td align="left"><p>An account failed to log on.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4648</p></td>
<td align="left"><p>A logon was attempted using explicit credentials.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4675</p></td>
<td align="left"><p>SIDs were filtered.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4624 | An account was successfully logged on. |
| 4625 | An account failed to log on. |
| 4648 | A logon was attempted using explicit credentials. |
| 4675 | SIDs were filtered. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

@ -2,98 +2,54 @@
title: Audit MPSSVC Rule-Level Policy Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit MPSSVC Rule-Level Policy Change
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit MPSSVC Rule-Level Policy Change**, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computers threat protection against malware. The tracked activities include:
- Active policies when the Windows Firewall service starts.
- Changes to Windows Firewall rules.
- Changes to the Windows Firewall exception list.
- Changes to Windows Firewall settings.
- Rules ignored or not applied by the Windows Firewall service.
- Changes to Windows Firewall Group Policy settings.
Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks.
Event volume: Low
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4944</p></td>
<td align="left"><p>The following policy was active when the Windows Firewall started.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4945</p></td>
<td align="left"><p>A rule was listed when the Windows Firewall started.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4946</p></td>
<td align="left"><p>A change has been made to Windows Firewall exception list. A rule was added.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4947</p></td>
<td align="left"><p>A change has been made to Windows Firewall exception list. A rule was modified.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4948</p></td>
<td align="left"><p>A change has been made to Windows Firewall exception list. A rule was deleted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4949</p></td>
<td align="left"><p>Windows Firewall settings were restored to the default values.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4950</p></td>
<td align="left"><p>A Windows Firewall setting has changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4951</p></td>
<td align="left"><p>A rule has been ignored because its major version number was not recognized by Windows Firewall.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4952</p></td>
<td align="left"><p>Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4953</p></td>
<td align="left"><p>A rule has been ignored by Windows Firewall because it could not parse the rule.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4954</p></td>
<td align="left"><p>Windows Firewall Group Policy settings have changed. The new settings have been applied.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4956</p></td>
<td align="left"><p>Windows Firewall has changed the active profile.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4957</p></td>
<td align="left"><p>Windows Firewall did not apply the following rule:</p></td>
</tr>
<tr class="even">
<td align="left"><p>4958</p></td>
<td align="left"><p>Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4944 | The following policy was active when the Windows Firewall started. |
| 4945 | A rule was listed when the Windows Firewall started. |
| 4946 | A change has been made to Windows Firewall exception list. A rule was added. |
| 4947 | A change has been made to Windows Firewall exception list. A rule was modified. |
| 4948 | A change has been made to Windows Firewall exception list. A rule was deleted. |
| 4949 | Windows Firewall settings were restored to the default values. |
| 4950 | A Windows Firewall setting has changed. |
| 4951 | A rule has been ignored because its major version number was not recognized by Windows Firewall. |
| 4952 | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. |
| 4953 | A rule has been ignored by Windows Firewall because it could not parse the rule. |
| 4954 | Windows Firewall Group Policy settings have changed. The new settings have been applied. |
| 4956 | Windows Firewall has changed the active profile. |
| 4957 | Windows Firewall did not apply the following rule: |
| 4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

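Review bot: "an integral part of the computers threat protection against malware" needs the possessive "computer's". It is unchanged context, but worth fixing while the file is open rather than leaving it for a separate typo pass.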
@ -2,71 +2,40 @@
title: Audit Network Policy Server (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock).
ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Network Policy Server
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Network Policy Server**, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock).
NAP events can be used to help understand the overall health of the network.
Event volume: Medium to high on servers that are running Network Policy Server (NPS); moderate on other servers or on client computers
Default: Success and failure
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>6272</p></td>
<td align="left"><p>Network Policy Server granted access to a user.</p></td>
</tr>
<tr class="even">
<td align="left"><p>6273</p></td>
<td align="left"><p>Network Policy Server denied access to a user.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>6274</p></td>
<td align="left"><p>Network Policy Server discarded the request for a user.</p></td>
</tr>
<tr class="even">
<td align="left"><p>6275</p></td>
<td align="left"><p>Network Policy Server discarded the accounting request for a user.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>6276</p></td>
<td align="left"><p>Network Policy Server quarantined a user.</p></td>
</tr>
<tr class="even">
<td align="left"><p>6277</p></td>
<td align="left"><p>Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>6278</p></td>
<td align="left"><p>Network Policy Server granted full access to a user because the host met the defined health policy.</p></td>
</tr>
<tr class="even">
<td align="left"><p>6279</p></td>
<td align="left"><p>Network Policy Server locked the user account due to repeated failed authentication attempts.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>6280</p></td>
<td align="left"><p>Network Policy Server unlocked the user account.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 6272 | Network Policy Server granted access to a user. |
| 6273 | Network Policy Server denied access to a user. |
| 6274 | Network Policy Server discarded the request for a user. |
| 6275 | Network Policy Server discarded the accounting request for a user. |
| 6276 | Network Policy Server quarantined a user. |
| 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. |
| 6278 | Network Policy Server granted full access to a user because the host met the defined health policy. |
| 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts. |
| 6280 | Network Policy Server unlocked the user account. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
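Review bot: the two non-breaking-space lines that still follow the "Related topics" list at the end of this hunk are exactly the stray spacing this commit sets out to remove; drop them so the file ends after `- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)`. The same trailing pair appears at the end of every topic touched here, so it is worth a single sweep rather than per-file fixes.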
 
 

View File

@ -2,17 +2,22 @@
title: Audit Non-Sensitive Privilege Use (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Non-Sensitive Privilege Use
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Non-Sensitive Privilege Use**, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
The following privileges are non-sensitive:
- **Access Credential Manager as a trusted caller**
- **Access this computer from the network**
- **Add workstations to domain**
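Review bot: the front-matter part of this hunk moves `ms.pagetype: security` from below `ms.sitesec` to above `ms.prod`, which is a metadata reorder rather than a spacing fix; either mention it in the commit message or split it into its own change, and confirm the key ends up exactly once per file, since the hunk shows the line in both positions and a leftover duplicate key would be easy to miss in a view without `+`/`-` markers.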
@ -43,37 +48,21 @@ The following privileges are non-sensitive:
- **Remove computer from docking station**
- **Shut down the system**
- **Synchronize directory service data**
If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful attempts, and failure audits record unsuccessful attempts.
Event volume: Very high
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4672</p></td>
<td align="left"><p>Special privileges assigned to new logon.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4673</p></td>
<td align="left"><p>A privileged service was called.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4674</p></td>
<td align="left"><p>An operation was attempted on a privileged object.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4672 | Special privileges assigned to new logon. |
| 4673 | A privileged service was called. |
| 4674 | An operation was attempted on a privileged object. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
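Review bot: the delimiter row `| - | - |` in the new markdown table (and in every other table converted in this commit) is accepted by GitHub-flavored markdown, but some renderers require at least three hyphens per column; using `| --- | --- |` costs nothing and avoids the table degrading to plain text on a stricter pipeline. The conversion also drops the explicit 50%/50% column widths of the old `<colgroup>`, which is fine for a two-column ID/message table and worth stating as intentional.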
 
 

View File

@ -2,86 +2,53 @@
title: Audit Other Account Logon Events (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Other Account Logon Events
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit Other Account Logon Events**, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
Examples can include the following:
- Remote Desktop session disconnections
- New Remote Desktop sessions
- Locking and unlocking a workstation
- Invoking a screen saver
- Dismissing a screen saver
- Detection of a Kerberos replay attack, in which a Kerberos request with identical information was received twice
**Note**  
This condition could be caused by a network misconfiguration.
> **Note:**  This condition could be caused by a network misconfiguration.
 
- Access to a wireless network granted to a user or computer account
- Access to a wired 802.1x network granted to a user or computer account
Event volume: Varies, depending on system use
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4649</p></td>
<td align="left"><p>A replay attack was detected.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4778</p></td>
<td align="left"><p>A session was reconnected to a Window Station.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4779</p></td>
<td align="left"><p>A session was disconnected from a Window Station.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4800</p></td>
<td align="left"><p>The workstation was locked.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4801</p></td>
<td align="left"><p>The workstation was unlocked.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4802</p></td>
<td align="left"><p>The screen saver was invoked.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4803</p></td>
<td align="left"><p>The screen saver was dismissed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5378</p></td>
<td align="left"><p>The requested credentials delegation was disallowed by policy.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5632</p></td>
<td align="left"><p>A request was made to authenticate to a wireless network.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5633</p></td>
<td align="left"><p>A request was made to authenticate to a wired network.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4649 | A replay attack was detected. |
| 4778 | A session was reconnected to a Window Station. |
| 4779 | A session was disconnected from a Window Station. |
| 4800 | The workstation was locked. |
| 4801 | The workstation was unlocked. |
| 4802 | The screen saver was invoked. |
| 4803 | The screen saver was dismissed. |
| 5378 | The requested credentials delegation was disallowed by policy. |
| 5632 | A request was made to authenticate to a wireless network. |
| 5633 | A request was made to authenticate to a wired network. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
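Review bot: the new blockquote `> **Note:**  This condition could be caused by a network misconfiguration.` sits between two items of the "Examples can include the following" list (after the Kerberos replay bullet, before the wireless-network bullet) with no indentation, so it terminates the list and the last two examples render as a separate list; indent it under the preceding item (`  > **Note:** ...`) or move it after the list. Also tighten the double space after `**Note:**` to a single space, which applies to the other converted notes in this commit as well.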
 
 

View File

@ -2,49 +2,38 @@
title: Audit Other Account Management Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events.
ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Other Account Management Events
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Account Management Events**, which determines whether the operating system generates user account management audit events.
Events can be generated for user account management auditing when:
- The password hash of an account is accessed. This typically happens when the Active Directory Migration Tool (ADMT) is moving password data.
- The Password Policy Checking application programming interface (API) is called. Calls to this function could be part of an attack from a malicious application that is testing whether password complexity policy settings are being applied.
- Changes are made to domain policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** or **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**.
**Note**  
These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator.
> **Note:**  These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator.
 
Event volume: Low
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event Message Summary</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4782</p></td>
<td align="left"><p>The password hash for an account was accessed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4793</p></td>
<td align="left"><p>The Password Policy Checking API was called.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4782 | The password hash for an account was accessed. |
| 4793 | The Password Policy Checking API was called. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
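Review bot: the table header changes from "Event Message Summary" in the old HTML table to "Event message" in the markdown version; that matches the sibling topics and is presumably intentional, but a pure formatting commit should not silently change visible text, so call it out in the commit message. Same double space after `**Note:**` as in the previous file.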
 
 

View File

@ -2,82 +2,50 @@
title: Audit Other Logon/Logoff Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events.
ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Other Logon/Logoff Events
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Logon/Logoff Events**, which determines whether Windows generates audit events for other logon or logoff events.
These other logon or logoff events include:
- A Remote Desktop session connects or disconnects.
- A workstation is locked or unlocked.
- A screen saver is invoked or dismissed.
- A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.
- A user is granted access to a wireless network. It can either be a user account or the computer account.
- A user is granted access to a wired 802.1x network. It can either be a user account or the computer account.
Logon events are essential to understanding user activity and detecting potential attacks.
Event volume: Low
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4649</p></td>
<td align="left"><p>A replay attack was detected.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4778</p></td>
<td align="left"><p>A session was reconnected to a Window Station.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4779</p></td>
<td align="left"><p>A session was disconnected from a Window Station.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4800</p></td>
<td align="left"><p>The workstation was locked.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4801</p></td>
<td align="left"><p>The workstation was unlocked.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4802</p></td>
<td align="left"><p>The screen saver was invoked.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4803</p></td>
<td align="left"><p>The screen saver was dismissed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5378</p></td>
<td align="left"><p>The requested credentials delegation was disallowed by policy.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5632</p></td>
<td align="left"><p>A request was made to authenticate to a wireless network.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5633</p></td>
<td align="left"><p>A request was made to authenticate to a wired network.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4649 | A replay attack was detected. |
| 4778 | A session was reconnected to a Window Station. |
| 4779 | A session was disconnected from a Window Station. |
| 4800 | The workstation was locked. |
| 4801 | The workstation was unlocked. |
| 4802 | The screen saver was invoked. |
| 4803 | The screen saver was dismissed. |
| 5378 | The requested credentials delegation was disallowed by policy. |
| 5632 | A request was made to authenticate to a wireless network. |
| 5633 | A request was made to authenticate to a wired network. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
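Review bot: the converted table here lists exactly the same ten events (4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633) as the Audit Other Account Logon Events topic earlier in this commit, even though the two topics describe different subcategories; the conversion preserves the old HTML content faithfully, but it is worth confirming with the content owner that both topics are meant to carry an identical event list before the duplication is locked in as markdown.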
 
 

View File

@ -2,92 +2,55 @@
title: Audit Other Object Access Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects.
ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Other Object Access Events
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Object Access Events**, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects.
For scheduler jobs, the following actions are audited:
- Job created.
- Job deleted.
- Job enabled.
- Job disabled.
- Job updated.
For COM+ objects, the following actions are audited:
- Catalog object added.
- Catalog object updated.
- Catalog object deleted.
Event volume: Low
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4671</p></td>
<td align="left"><p>An application attempted to access a blocked ordinal through the TBS.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4691</p></td>
<td align="left"><p>Indirect access to an object was requested.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4698</p></td>
<td align="left"><p>A scheduled task was created.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4699</p></td>
<td align="left"><p>A scheduled task was deleted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4700</p></td>
<td align="left"><p>A scheduled task was enabled.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4701</p></td>
<td align="left"><p>A scheduled task was disabled.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4702</p></td>
<td align="left"><p>A scheduled task was updated.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5148</p></td>
<td align="left"><p>The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5149</p></td>
<td align="left"><p>The DoS attack has subsided and normal processing is being resumed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5888</p></td>
<td align="left"><p>An object in the COM+ Catalog was modified.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5889</p></td>
<td align="left"><p>An object was deleted from the COM+ Catalog.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5890</p></td>
<td align="left"><p>An object was added to the COM+ Catalog.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4671 | An application attempted to access a blocked ordinal through the TBS. |
| 4691 | Indirect access to an object was requested. |
| 4698 | A scheduled task was created. |
| 4699 | A scheduled task was deleted. |
| 4700 | A scheduled task was enabled. |
| 4701 | A scheduled task was disabled. |
| 4702 | A scheduled task was updated. |
| 5148 | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. |
| 5149 | The DoS attack has subsided and normal processing is being resumed. |
| 5888 | An object in the COM+ Catalog was modified. |
| 5889 | An object was deleted from the COM+ Catalog. |
| 5890 | An object was added to the COM+ Catalog. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
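Review bot: the introduction for this topic only describes Task Scheduler and COM+ catalog actions, yet the converted table also carries 4671 (blocked TBS ordinal), 4691 (indirect object access) and 5148/5149 (Windows Filtering Platform DoS mode); the table content is unchanged from the HTML original, so this is not a regression, but a one-line addition to the intro noting that the subcategory also covers TBS, indirect access and WFP events would keep the text and the table consistent.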
 
 

View File

@ -2,95 +2,50 @@
title: Audit Other Policy Change Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category.
ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Other Policy Change Events
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Policy Change Events**, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category.
These other activities in the Policy Change category that can be audited include:
- Trusted Platform Module (TPM) configuration changes.
- Kernel-mode cryptographic self tests.
- Cryptographic provider operations.
- Cryptographic context operations or modifications.
Event volume: Low
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4670</p></td>
<td align="left"><p>Permissions on an object were changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4909</p></td>
<td align="left"><p>The local policy settings for the TBS were changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4910</p></td>
<td align="left"><p>The group policy settings for the TBS were changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5063</p></td>
<td align="left"><p>A cryptographic provider operation was attempted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5064</p></td>
<td align="left"><p>A cryptographic context operation was attempted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5065</p></td>
<td align="left"><p>A cryptographic context modification was attempted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5066</p></td>
<td align="left"><p>A cryptographic function operation was attempted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5067</p></td>
<td align="left"><p>A cryptographic function modification was attempted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5068</p></td>
<td align="left"><p>A cryptographic function provider operation was attempted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5069</p></td>
<td align="left"><p>A cryptographic function property operation was attempted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5070</p></td>
<td align="left"><p>A cryptographic function property modification was attempted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5447</p></td>
<td align="left"><p>A Windows Filtering Platform filter has been changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>6144</p></td>
<td align="left"><p>Security policy in the group policy objects has been applied successfully.</p></td>
</tr>
<tr class="even">
<td align="left"><p>6145</p></td>
<td align="left"><p>One or more errors occurred while processing security policy in the group policy objects.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4670 | Permissions on an object were changed. |
| 4909 | The local policy settings for the TBS were changed. |
| 4910 | The group policy settings for the TBS were changed. |
| 5063 | A cryptographic provider operation was attempted. |
| 5064 | A cryptographic context operation was attempted. |
| 5065 | A cryptographic context modification was attempted. |
| 5066 | A cryptographic function operation was attempted. |
| 5067 | A cryptographic function modification was attempted. |
| 5068 | A cryptographic function provider operation was attempted. |
| 5069 | A cryptographic function property operation was attempted. |
| 5070 | A cryptographic function property modification was attempted. |
| 5447 | A Windows Filtering Platform filter has been changed. |
| 6144 | Security policy in the group policy objects has been applied successfully. |
| 6145 | One or more errors occurred while processing security policy in the group policy objects. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

View File

@ -2,17 +2,21 @@
title: Audit Other Privilege Use Events (Windows 10)
description: This security policy setting is not used.
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Other Privilege Use Events
**Applies to**
- Windows 10
This security policy setting is not used.
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

View File

@ -2,129 +2,59 @@
title: Audit Other System Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events.
ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Other System Events
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other System Events**, which determines whether the operating system audits various system events.
The system events in this category include:
- Startup and shutdown of the Windows Firewall service and driver.
- Security policy processing by the Windows Firewall service.
- Cryptography key file and migration operations.
**Important**  
Failure to start the Windows Firewall service may result in a computer that is not fully protected against network threats.
> **Important:**  Failure to start the Windows Firewall service may result in a computer that is not fully protected against network threats.
 
Event volume: Low
Default: Success and failure
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>5024</p></td>
<td align="left"><p>The Windows Firewall Service has started successfully.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5025</p></td>
<td align="left"><p>The Windows Firewall Service has been stopped.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5027</p></td>
<td align="left"><p>The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5028</p></td>
<td align="left"><p>The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5029</p></td>
<td align="left"><p>The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5030</p></td>
<td align="left"><p>The Windows Firewall Service failed to start.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5032</p></td>
<td align="left"><p>Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5033</p></td>
<td align="left"><p>The Windows Firewall Driver has started successfully.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5034</p></td>
<td align="left"><p>The Windows Firewall Driver has been stopped.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5035</p></td>
<td align="left"><p>The Windows Firewall Driver failed to start.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5037</p></td>
<td align="left"><p>The Windows Firewall Driver detected critical runtime error. Terminating.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5058</p></td>
<td align="left"><p>Key file operation.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5059</p></td>
<td align="left"><p>Key migration operation.</p></td>
</tr>
<tr class="even">
<td align="left"><p>6400</p></td>
<td align="left"><p>BranchCache: Received an incorrectly formatted response while discovering availability of content.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>6401</p></td>
<td align="left"><p>BranchCache: Received invalid data from a peer. Data discarded.</p></td>
</tr>
<tr class="even">
<td align="left"><p>6402</p></td>
<td align="left"><p>BranchCache: The message to the hosted cache offering it data is incorrectly formatted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>6403</p></td>
<td align="left"><p>BranchCache: The hosted cache sent an incorrectly formatted response to the client.</p></td>
</tr>
<tr class="even">
<td align="left"><p>6404</p></td>
<td align="left"><p>BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>6405</p></td>
<td align="left"><p>BranchCache: %2 instance(s) of event id %1 occurred.</p></td>
</tr>
<tr class="even">
<td align="left"><p>6406</p></td>
<td align="left"><p>%1 registered to Windows Firewall to control filtering for the following: %2</p></td>
</tr>
<tr class="odd">
<td align="left"><p>6407</p></td>
<td align="left"><p>1%</p></td>
</tr>
<tr class="even">
<td align="left"><p>6408</p></td>
<td align="left"><p>Registered product %1 failed and Windows Firewall is now controlling the filtering for %2</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 5024 | The Windows Firewall Service has started successfully. |
| 5025 | The Windows Firewall Service has been stopped. |
| 5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. |
| 5028 | The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. |
| 5029 | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. |
| 5030 | The Windows Firewall Service failed to start. |
| 5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.|
| 5033 | The Windows Firewall Driver has started successfully. |
| 5034 | The Windows Firewall Driver has been stopped. |
| 5035 | The Windows Firewall Driver failed to start. |
| 5037 | The Windows Firewall Driver detected critical runtime error. Terminating.|
| 5058 | Key file operation. |
| 5059 | Key migration operation.|
| 6400 | BranchCache: Received an incorrectly formatted response while discovering availability of content.|
| 6401 | BranchCache: Received invalid data from a peer. Data discarded. |
| 6402 | BranchCache: The message to the hosted cache offering it data is incorrectly formatted.|
| 6403 | BranchCache: The hosted cache sent an incorrectly formatted response to the client. |
| 6404 | BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.|
| 6405 | BranchCache: %2 instance(s) of event id %1 occurred. |
| 6406 | %1 registered to Windows Firewall to control filtering for the following: %2|
| 6407 | 1% |
| 6408 | Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
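Review bot: the message for event 6407 is carried over as `| 6407 | 1% |`, which reads like a transposed format placeholder; every other templated entry in this table uses `%1`/`%2` (for example 6405 and 6408), so verify the text against the event source and correct it if it should be `%1`. Separately, several rows in the new table close the last cell with `.|` and no space (5032, 5037, 5059, 6400, 6402, 6404, 6406) while the rest use ` |`; normalizing them to one style is in scope for a spacing fix.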
 
 

View File

@ -2,40 +2,32 @@
title: Audit PNP Activity (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device.
ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit PNP Activity
**Applies to**
- Windows 10
\[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.\]
This topic for the IT professional describes the advanced security audit policy setting, **Audit PNP Activity**, which determines when plug and play detects an external device.
A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a PC a PnP event is triggered.
Event volume: Varies, depending on how the computer is used
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>6416</p></td>
<td align="left"><p>A new external device was recognized by the system.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 6416 | A new external device was recognized by the system. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
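Review bot: the description and intro say the setting "determines when plug and play detects an external device", which describes the device event rather than the audit setting; the other topics in this commit use "determines whether the operating system generates audit events when ...", so the wording here should follow that pattern ("... generates audit events when Plug and Play detects an external device"), and "Plug and Play"/"PnP" should be capitalized consistently with the following paragraph.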
 
 

View File

@ -2,29 +2,36 @@
title: Audit Policy (Windows 10)
description: Provides information about basic audit policies that are available in Windows and links to information about each setting.
ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Policy
**Applies to**
- Windows 10
Provides information about basic audit policies that are available in Windows and links to information about each setting.
The security audit policy settings under **Security Settings\\Local Policies\\Audit Policy** provide broad security audit capabilities for client devices and servers that cannot use advanced security audit policy settings.
The basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** are:
[Audit account logon events](basic-audit-account-logon-events.md)
[Audit account management](basic-audit-account-management.md)
[Audit directory service access](basic-audit-directory-service-access.md)
[Audit logon events](basic-audit-logon-events.md)
[Audit object access](basic-audit-object-access.md)
[Audit policy change](basic-audit-policy-change.md)
[Audit privilege use](basic-audit-privilege-use.md)
[Audit process tracking](basic-audit-process-tracking.md)
[Audit system events](basic-audit-system-events.md)
- [Audit account logon events](basic-audit-account-logon-events.md)
- [Audit account management](basic-audit-account-management.md)
- [Audit directory service access](basic-audit-directory-service-access.md)
- [Audit logon events](basic-audit-logon-events.md)
- [Audit object access](basic-audit-object-access.md)
- [Audit policy change](basic-audit-policy-change.md)
- [Audit privilege use](basic-audit-privilege-use.md)
- [Audit process tracking](basic-audit-process-tracking.md)
- [Audit system events](basic-audit-system-events.md)
## Related topics
[Configure security policy settings](how-to-configure-security-policy-settings.md)
[Security auditing](security-auditing-overview.md)
- [Configure security policy settings](how-to-configure-security-policy-settings.md)
- [Security auditing](security-auditing-overview.md)
 
 

View File

@ -2,44 +2,34 @@
title: Audit Process Creation (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts).
ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Process Creation
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Creation**, which determines whether the operating system generates audit events when a process is created (starts).
These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process.
Event volume: Low to medium, depending on system usage
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4688</p></td>
<td align="left"><p>A new process has been created.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4696</p></td>
<td align="left"><p>A primary token was assigned to a process.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4688 | A new process has been created.|
| 4696 | A primary token was assigned to a process.|
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

View File

@ -2,42 +2,37 @@
title: Audit Process Termination (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process.
ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Process Termination
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Termination**, which determines whether the operating system generates audit events when an attempt is made to end a process.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when a process ends.
This policy setting can help you track user activity and understand how the computer is used.
Event volume: Varies, depending on how the computer is used
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4689</p></td>
<td align="left"><p>A process has exited.</p></td>
</tr>
</tbody>
</table>
 
| Event ID | Event message |
| - | - |
| 4689 | A process has exited. |
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

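Review bot: the spacer line was moved above the table in this hunk, so `| 4689 | A process has exited. |` is now followed directly by `## Related topics` with no separator, while the sibling Audit Process Creation page keeps the spacer between its table and the heading. Put the blank line after the last table row as in the other topics (and make it a real empty line rather than a non-breaking space) so the spacing is consistent across the set.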
View File

@ -2,45 +2,37 @@
title: Audit Registry (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects.
ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Registry
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Registry**, which determines whether the operating system generates audit events when users attempt to access registry objects.
Audit events are generated only for objects that have configured system access control lists (SACLs) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching
SACL.
Event volume: Low to medium, depending on how registry SACLs are configured
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4657</p></td>
<td align="left"><p>A registry value was modified.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5039</p></td>
<td align="left"><p>A registry key was virtualized.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4657 | A registry value was modified. |
| 5039 | A registry key was virtualized. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

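Review bot: the rewritten second paragraph is hard-wrapped mid-sentence, ending one line with `...attempts to access a registry object that has a matching` and continuing with `SACL.` on the next, while the removed version of the same sentence sat on one line and no other prose on the page wraps this way. Join the two lines so the paragraph reads and diffs like its neighbours.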
View File

@ -2,18 +2,24 @@
title: Audit Removable Storage (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive.
ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Removable Storage
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines when there is a read or a write to a removable drive.
Event volume: Low
Default: Not configured
<table>
<colgroup>
<col width="50%" />
@ -117,6 +123,7 @@ Default: Not configured
</table>
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

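Review bot: this file's event table is left as raw HTML (the `<table>` / `<colgroup>` / `<col width="50%" />` block in the first hunk's context and the closing `</table>` just before `## Related topics` here) while every other audit topic in this commit converts its table to a Markdown `| Event ID | Event message |` table. Convert it in the same pass so the page does not end up as the one topic with a mixed table style.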
View File

@ -2,39 +2,32 @@
title: Audit RPC Events (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit RPC Events
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit RPC Events**, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
RPC is a technology for creating distributed client/server programs. RPC is an interprocess communication technique that enables client and server software to communicate. For more information, see [What Is RPC?](http://technet.microsoft.com/library/cc787851.aspx).
Event volume: High on RPC servers
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>5712</p></td>
<td align="left"><p>A Remote Procedure Call (RPC) was attempted.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 5712 | A Remote Procedure Call (RPC) was attempted. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

View File

@ -2,66 +2,52 @@
title: Audit SAM (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.
ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit SAM
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit SAM**, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.
The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.
SAM objects include the following:
- SAM\_ALIAS: A local group
- SAM\_GROUP: A group that is not a local group
- SAM\_USER: A user account
- SAM\_DOMAIN: A domain
- SAM\_SERVER: A computer account
If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.
**Note**  
Only the SACL for SAM\_SERVER can be modified.
> **Note:**  Only the SACL for SAM\_SERVER can be modified.
 
Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.
Event volume: High on domain controllers
**Note**  
For information about reducing the number of events generated in this subcategory, see [KB841001](http://go.microsoft.com/fwlink/p/?LinkId=121698).
> **Note:**  For information about reducing the number of events generated in this subcategory, see [KB841001](http://go.microsoft.com/fwlink/p/?LinkId=121698).
 
Default setting: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4659</p></td>
<td align="left"><p>A handle to an object was requested with intent to delete.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4660</p></td>
<td align="left"><p>An object was deleted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4661</p></td>
<td align="left"><p>A handle to an object was requested.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4663</p></td>
<td align="left"><p>An attempt was made to access an object.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4659 | A handle to an object was requested with intent to delete.|
| 4660 | An object was deleted. |
| 4661 | A handle to an object was requested.|
| 4663 | An attempt was made to access an object.|
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

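Review bot: each converted callout, `> **Note:**  Only the SACL for SAM\_SERVER can be modified.` and `> **Note:**  For information about reducing the number of events generated in this subcategory, see [KB841001]...`, is followed by a line containing only a non-breaking space and then by a normal paragraph. In CommonMark a line is blank only if it is empty or holds spaces and tabs, and text that follows a blockquote without a blank line is a lazy continuation of it, so unless a real empty line sits there the `Changes to user and group objects...` paragraph and the `Default setting: Not configured` line will render inside the note boxes. Replace the `&nbsp;` spacers with empty lines; the `> **Important:**` conversions in Audit Security State Change and Audit Security System Extension use the same spacer and need the same fix. Separately, `Default setting: Not configured` is the only topic in this commit that does not use the `Default: Not configured` form; normalizing it would match the rest of the set.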
View File

@ -2,103 +2,52 @@
title: Audit Security Group Management (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed.
ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Security Group Management
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit Security Group Management**, which determines whether the operating system generates audit events when specific security group management tasks are performed.
Tasks for security group management include:
- A security group is created, changed, or deleted.
- A member is added to or removed from a security group.
- A group's type is changed.
Security groups can be used for access control permissions and also as distribution lists.
Event volume: Low
Default: Success
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4727</p></td>
<td align="left"><p>A security-enabled global group was created.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4728</p></td>
<td align="left"><p>A member was added to a security-enabled global group.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4729</p></td>
<td align="left"><p>A member was removed from a security-enabled global group.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4730</p></td>
<td align="left"><p>A security-enabled global group was deleted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4731</p></td>
<td align="left"><p>A security-enabled local group was created.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4732</p></td>
<td align="left"><p>A member was added to a security-enabled local group.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4733</p></td>
<td align="left"><p>A member was removed from a security-enabled local group.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4734</p></td>
<td align="left"><p>A security-enabled local group was deleted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4735</p></td>
<td align="left"><p>A security-enabled local group was changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4737</p></td>
<td align="left"><p>A security-enabled global group was changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4754</p></td>
<td align="left"><p>A security-enabled universal group was created.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4755</p></td>
<td align="left"><p>A security-enabled universal group was changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4756</p></td>
<td align="left"><p>A member was added to a security-enabled universal group.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4757</p></td>
<td align="left"><p>A member was removed from a security-enabled universal group.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4758</p></td>
<td align="left"><p>A security-enabled universal group was deleted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4764</p></td>
<td align="left"><p>A group's type was changed.</p></td>
</tr>
</tbody>
</table>
 
| Event ID | Event message |
| - | - |
| 4727 | A security-enabled global group was created. |
| 4728 | A member was added to a security-enabled global group. |
| 4729 | A member was removed from a security-enabled global group. |
| 4730 | A security-enabled global group was deleted. |
| 4731 | A security-enabled local group was created. |
| 4732 | A member was added to a security-enabled local group.|
| 4733 | A member was removed from a security-enabled local group.|
| 4734 | A security-enabled local group was deleted. |
| 4735 | A security-enabled local group was changed. |
| 4737 | A security-enabled global group was changed. |
| 4754 | A security-enabled universal group was created.|
| 4755 | A security-enabled universal group was changed. |
| 4756 | A member was added to a security-enabled universal group.|
| 4757 | A member was removed from a security-enabled universal group.|
| 4758 | A security-enabled universal group was deleted. |
| 4764 | A group's type was changed. |
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

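Review bot: as in Audit Process Termination, the spacer here ends up above the new table, and the last row `| 4764 | A group's type was changed. |` runs straight into `## Related topics`. Move the blank line below the table (as a real empty line, not a non-breaking space) so the layout matches the sibling topics, which keep a blank line between the table and the heading.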
View File

@ -2,65 +2,44 @@
title: Audit Security State Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Security State Change
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security State Change**, which determines whether Windows generates audit events for changes in the security state of a system.
Changes in the security state of the operating system include:
- System startup and shutdown.
- Change of system time.
- System recovery from **CrashOnAuditFail**. This event is logged after a system reboots following **CrashOnAuditFail**.
**Important**  
Some auditable activity may not be recorded when a system restarts due to **CrashOnAuditFail**.
> **Important:**  Some auditable activity may not be recorded when a system restarts due to **CrashOnAuditFail**.
 
System startup and shutdown events are important for understanding system usage.
Event volume: Low
Default: Success
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event Message Summary</th>
<th align="left">Minimum Requirement</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4608</p></td>
<td align="left"><p>Windows is starting up.</p></td>
<td align="left"><p>Windows Vista, Windows Server 2008</p></td>
</tr>
<tr class="even">
<td align="left"><p>4609</p></td>
<td align="left"><p>Windows is shutting down.</p></td>
<td align="left"><p>Windows Vista, Windows Server 2008</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4616</p></td>
<td align="left"><p>The system time was changed.</p></td>
<td align="left"><p>Windows Vista, Windows Server 2008</p></td>
</tr>
<tr class="even">
<td align="left"><p>4621</p></td>
<td align="left"><p>Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.</p></td>
<td align="left"><p>Windows Vista, Windows Server 2008</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message summary | Minimum requirement |
| - | - | - |
| 4608 | Windows is starting up. | Windows Vista, Windows Server 2008 |
| 4609 | Windows is shutting down. | Windows Vista, Windows Server 2008 |
| 4616 | The system time was changed.| Windows Vista, Windows Server 2008 |
| 4621 | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.| Windows Vista, Windows Server 2008 |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

View File

@ -2,62 +2,43 @@
title: Audit Security System Extension (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions.
ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Security System Extension
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security System Extension**, which determines whether the operating system generates audit events related to security system extensions.
Changes to security system extensions in the operating system include the following activities:
- A security extension code is loaded (such as an authentication, notification, or security package). A security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM.
- A service is installed. An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account.
**Important**  
Attempts to install or load security system extensions or services are critical system events that could indicate a security breach.
> **Important:**  Attempts to install or load security system extensions or services are critical system events that could indicate a security breach.
 
Event volume: Low
These events are expected to appear more on a domain controller than on client computers or member servers.
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4610</p></td>
<td align="left"><p>An authentication package has been loaded by the Local Security Authority.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4611</p></td>
<td align="left"><p>A trusted logon process has been registered with the Local Security Authority.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4614</p></td>
<td align="left"><p>A notification package has been loaded by the Security Account Manager.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4622</p></td>
<td align="left"><p>A security package has been loaded by the Local Security Authority.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4697</p></td>
<td align="left"><p>A service was installed in the system.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4610 | An authentication package has been loaded by the Local Security Authority. |
| 4611 | A trusted logon process has been registered with the Local Security Authority.|
| 4614 | A notification package has been loaded by the Security Account Manager. |
| 4622 | A security package has been loaded by the Local Security Authority. |
| 4697 | A service was installed in the system. |
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

View File

@ -2,63 +2,51 @@
title: Audit Sensitive Privilege Use (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used.
ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Sensitive Privilege Use
**Applies to**
- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Sensitive Privilege Use**, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used.
Actions that can be audited include:
- A privileged service is called.
- One of the following privileges is called:
**Act as part of the operating system**
**Back up files and directories**
**Create a token object**
**Debug programs**
**Enable computer and user accounts to be trusted for delegation**
**Generate security audits**
**Impersonate a client after authentication**
**Load and unload device drivers**
**Manage auditing and security log**
**Modify firmware environment values**
**Replace a process-level token**
**Restore files and directories**
**Take ownership of files or other objects**
- **Act as part of the operating system**
- **Back up files and directories**
- **Create a token object**
- **Debug programs**
- **Enable computer and user accounts to be trusted for delegation**
- **Generate security audits**
- **Impersonate a client after authentication**
- **Load and unload device drivers**
- **Manage auditing and security log**
- **Modify firmware environment values**
- **Replace a process-level token**
- **Restore files and directories**
- **Take ownership of files or other objects**
If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts.
Event volume: High
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4672</p></td>
<td align="left"><p>Special privileges assigned to new logon.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4673</p></td>
<td align="left"><p>A privileged service was called.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4674</p></td>
<td align="left"><p>An operation was attempted on a privileged object.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4672 | Special privileges assigned to new logon.|
| 4673 | A privileged service was called. |
| 4674 | An operation was attempted on a privileged object.|
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

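Review bot: the thirteen privilege bullets, from `- **Act as part of the operating system**` through `- **Take ownership of files or other objects**`, belong under the parent item `- One of the following privileges is called:`, but in the hunk they appear at the same level as `- A privileged service is called.`, so (unless the rendered view dropped their indentation) they render as a flat list of fifteen sibling bullets and the parent item loses its children. Indent the privilege bullets under the parent marker so they nest beneath `One of the following privileges is called:`, which is how the original bold lines read.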
View File

@ -2,18 +2,24 @@
title: Audit Shut down system immediately if unable to log security audits (Windows 10)
description: Describes the best practices, location, values, management practices, and security considerations for the Audit Shut down system immediately if unable to log security audits security policy setting.
ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit: Shut down system immediately if unable to log security audits
**Applies to**
- Windows 10
Describes the best practices, location, values, management practices, and security considerations for the **Audit: Shut down system immediately if unable to log security audits** security policy setting.
## Reference
The **Audit: Shut down system immediately if unable to log security audits** policy setting determines whether the system shuts down if it is unable to log security events. This policy setting is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log those events. Microsoft has chosen to meet this requirement by halting the system and displaying a Stop message in the case of a failure of the auditing system. Enabling this policy setting stops the system if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the value of **Retention method for security log** is **Do not overwrite events (clear log manually)** or **Overwrite events by days**.
With **Audit: Shut down system immediately if unable to log security audits** set to **Enabled**, if the security log is full and an existing entry cannot be overwritten, the following Stop message appears:
<table>
<colgroup>
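Review bot: the trailing context of this hunk (`<table>` / `<colgroup>`) shows that the table introduced by `the following Stop message appears:` is still HTML, while the default-values table later in the same file is converted to Markdown. Convert this one as well so the page uses a single table style, as the other files in the commit do.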
@ -28,72 +34,67 @@ With **Audit: Shut down system immediately if unable to log security audits** se
</table>
 
To recover, you must log on, archive the log (optional), clear the log, and reset this option as desired.
If the computer is unable to record events to the security log, critical evidence or important troubleshooting information might not be available for review after a security incident.
### Possible values
- Enabled
- Disabled
- Not defined
### Best practices
- Depending on your security audit requirements, you can enable the **Audit: Shut down system immediately if unable to log security audits** setting to ensure that security auditing information is captured for review. However, enabling this setting will increase the number of events logged.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Not defined</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>DC Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Disabled</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined
| Default Domain Controler Policy | Not defined
| Stand-Alone Server Default Settings | Disabled
| DC Effective Default Settings | Disabled
| Member Server Effective Default Settings | Disabled
| Client Computer Effective Default Settings | Disabled
 
## Policy management
This section describes features and tools that are available to help you manage this policy.
The administrative burden of enabling this policy setting can be very high, especially if you also set the **Retention method for security log** to **Do not overwrite events (clear log manually)**. This setting turns a repudiation threat (a backup operator could deny that they backed up or restored data) into a denial-of-service threat, because a server can be forced to shut down if it is overwhelmed with logon events and other security events that are written to the security log. Additionally, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system will guarantee that the file system's integrity will be maintained during a sudden system shutdown, it cannot guarantee that every data file for every application will still be in a usable form when the system is restarted.
### Restart requirement
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
### Group Policy
Modifying this setting may affect compatibility with clients, services, and applications.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
If the computer is unable to record events to the security event log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of security event log events to purposely force a shutdown.
### Countermeasure
Enable the **Audit: Shut down system immediately if unable to log security audits** setting to ensure that security auditing information is captured for review.
### Potential impact
If you enable this policy setting, the administrative burden can be significant, especially if you also configure the **Retention method for the Security log** to **Do not overwrite events** (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the security event log. Also, because the shutdown is abrupt, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system maintains its integrity when this type of computer shutdown occurs, there is no guarantee that every data file for every application will still be in a usable form when the device restarts.
## Related topics
[Security Options](security-options.md)
- [Security Options](security-options.md)
 
 

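Review bot: the converted default-values table introduces a typo, `| Default Domain Controler Policy | Not defined`, where the removed HTML row read "Default Domain Controller Policy"; restore the spelling. The data rows of that table also drop the closing pipe that the header rows (`| Server type or GPO | Default value |`) have, so add a trailing `|` to each row for consistency with the other tables converted in this commit. In the context line "Default values are also listed on the policys property page", "policys" should read "policy's".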

@ -2,43 +2,38 @@
title: Audit Special Logon (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances.
ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit Special Logon
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Special Logon**, which determines whether the operating system generates audit events under special sign on (or log on) circumstances.
This security policy setting determines whether the operating system generates audit events when:
- A special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
- A member of a special group logs on. Special Groups is a Windows feature that enables the administrator to find out when a member of a certain group has logged on. The administrator can set a list of group security identifiers (SIDs) in the registry. If any of these SIDs is added to a token during logon and this auditing subcategory is enabled, a security event is logged. For more information about this feature, see [article 947223](http://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/p/?linkid=120183).
Users holding special privileges can potentially make changes to the system. We recommend that you track their activity.
Event volume: Low
Default: Success
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4964</p></td>
<td align="left"><p>Special groups have been assigned to a new logon.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4964 | Special groups have been assigned to a new logon.|
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 


@ -2,88 +2,51 @@
title: Audit System Integrity (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem.
ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit System Integrity
**Applies to**
- Windows 10
- Windows 10 Mobile
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit System Integrity**, which determines whether the operating system audits events that violate the integrity of the security subsystem.
Activities that violate the integrity of the security subsystem include the following:
- Audited events are lost due to a failure of the auditing system.
- A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space.
- A remote procedure call (RPC) integrity violation is detected.
- A code integrity violation with an invalid hash value of an executable file is detected.
- Cryptographic tasks are performed.
**Important**  
Violations of security subsystem integrity are critical and could indicate a potential security attack.
> **Important:**  Violations of security subsystem integrity are critical and could indicate a potential security attack.
 
Event volume: Low
Default: Success and failure
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4612</p></td>
<td align="left"><p>Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4615</p></td>
<td align="left"><p>Invalid use of LPC port.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4618</p></td>
<td align="left"><p>A monitored security event pattern has occurred.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4816</p></td>
<td align="left"><p>RPC detected an integrity violation while decrypting an incoming message.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5038</p></td>
<td align="left"><p>Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5056</p></td>
<td align="left"><p>A cryptographic self-test was performed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5057</p></td>
<td align="left"><p>A cryptographic primitive operation failed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5060</p></td>
<td align="left"><p>Verification operation failed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5061</p></td>
<td align="left"><p>Cryptographic operation.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5062</p></td>
<td align="left"><p>A kernel-mode cryptographic self-test was performed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>6281</p></td>
<td align="left"><p>Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. |
| 4615 | Invalid use of LPC port. |
| 4618 | A monitored security event pattern has occurred.|
| 4816 | RPC detected an integrity violation while decrypting an incoming message.|
| 5038 | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.|
| 5056 | A cryptographic self-test was performed. |
| 5057 | A cryptographic primitive operation failed.|
| 5060 | Verification operation failed. |
| 5061 | Cryptographic operation. |
| 5062 | A kernel-mode cryptographic self-test was performed.|
| 6281 | Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.|
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 


@ -2,106 +2,56 @@
title: Audit User Account Management (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed.
ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit User Account Management
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit User Account Management**, which determines whether the operating system generates audit events when specific user account management tasks are performed.
Tasks that are audited for user account management include:
- A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked.
- A user account password is set or changed.
- Security identifier (SID) history is added to a user account.
- The Directory Services Restore Mode password is set.
- Permissions are changed on accounts that are members of administrator groups.
- Credential Manager credentials are backed up or restored.
This policy setting is essential for tracking events that involve provisioning and managing user accounts.
Event volume: Low
Default: Success
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4720</p></td>
<td align="left"><p>A user account was created.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4722</p></td>
<td align="left"><p>A user account was enabled.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4723</p></td>
<td align="left"><p>An attempt was made to change an account's password.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4724</p></td>
<td align="left"><p>An attempt was made to reset an account's password.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4725</p></td>
<td align="left"><p>A user account was disabled.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4726</p></td>
<td align="left"><p>A user account was deleted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4738</p></td>
<td align="left"><p>A user account was changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4740</p></td>
<td align="left"><p>A user account was locked out.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4765</p></td>
<td align="left"><p>SID History was added to an account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4766</p></td>
<td align="left"><p>An attempt to add SID History to an account failed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4767</p></td>
<td align="left"><p>A user account was unlocked.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4780</p></td>
<td align="left"><p>The ACL was set on accounts which are members of administrators groups.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4781</p></td>
<td align="left"><p>The name of an account was changed:</p></td>
</tr>
<tr class="even">
<td align="left"><p>4794</p></td>
<td align="left"><p>An attempt was made to set the Directory Services Restore Mode.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5376</p></td>
<td align="left"><p>Credential Manager credentials were backed up.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5377</p></td>
<td align="left"><p>Credential Manager credentials were restored from a backup.</p></td>
</tr>
</tbody>
</table>
| Event ID | Event message |
| - | - |
| 4720 | A user account was created. |
| 4722 | A user account was enabled. |
| 4723 | An attempt was made to change an account's password.|
| 4724 | An attempt was made to reset an account's password. |
| 4725 | A user account was disabled. |
| 4726 | A user account was deleted. |
| 4738 | A user account was changed. |
| 4740 | A user account was locked out.|
| 4765 | SID History was added to an account.|
| 4766 | An attempt to add SID History to an account failed.|
| 4767 | A user account was unlocked. |
| 4780 | The ACL was set on accounts which are members of administrators groups.|
| 4781 | The name of an account was changed: |
| 4794 | An attempt was made to set the Directory Services Restore Mode.|
| 5376 | Credential Manager credentials were backed up. |
| 5377 | Credential Manager credentials were restored from a backup.|
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

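Review bot: two event messages carried from the old HTML table into the new markdown table look incomplete and should be fixed as part of this conversion: `| 4781 | The name of an account was changed: |` ends in a dangling colon, and `| 4794 | An attempt was made to set the Directory Services Restore Mode.|` does not match the audited task listed above it, "The Directory Services Restore Mode password is set", so the message text appears truncated; check both against the actual event text before merging.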

@ -2,18 +2,24 @@
title: Audit User/Device Claims (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims.
ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit User/Device Claims
**Applies to**
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, **Audit User/Device Claims**, which enables you to audit security events that are generated by user and device claims.
Event volume:
Default: Not configured
<table>
<colgroup>
<col width="50%" />
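Review bot: this hunk reorders the front matter but leaves the event table in this file as HTML (`<table>`, `<colgroup>` and `<col width="50%" />` remain as context), while every sibling audit topic in this commit converts its table to markdown; convert this one too so the topics stay consistent. Also, the context line `Event volume:` has no value, unlike "Event volume: Low" in the other topics; either fill it in or remove the line.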
@ -52,6 +58,7 @@ Default: Not configured
</table>
 
## Related topics
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 


@ -2,108 +2,109 @@
title: Back up files and directories (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting.
ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Back up files and directories
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Back up files and directories** security policy setting.
## Reference
This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API) through a backup tool such as NTBACKUP.EXE. Otherwise, standard file and directory permissions apply.
This user right is similar to granting the following permissions to the user or group you have selected on all files and folders on the system:
- Traverse Folder/Execute File
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Read Permissions
Default on workstations and servers:
- Administrators
- Backup Operators
Default on domain controllers:
- Administrators
- Backup Operators
- Server Operators
Constant: SeBackupPrivilege
### Possible values
- User-defined list of accounts
- Not Defined
### Best practices
1. Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. Because there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users.
2. If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
### Default values
By default, this right is granted to Administrators and Backup Operators on workstations and servers. On domain controllers, Administrators, Backup Operators, and Server Operators have this right.
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Server type or GPO</th>
<th align="left">Default value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Default Domain Policy</p></td>
<td align="left"><p>Not Defined</p></td>
</tr>
<tr class="even">
<td align="left"><p>Default Domain Controller Policy</p></td>
<td align="left"><p>Administrators</p>
<p>Backup Operators</p>
<p>Server Operators</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Stand-Alone Server Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Backup Operators</p></td>
</tr>
<tr class="even">
<td align="left"><p>Domain Controller Effective Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Backup Operators</p>
<p>Server Operators</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Member Server Effective Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Backup Operators</p></td>
</tr>
<tr class="even">
<td align="left"><p>Client Computer Effective Default Settings</p></td>
<td align="left"><p>Administrators</p>
<p>Backup Operators</p></td>
</tr>
</tbody>
</table>
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not Defined |
| Default Domain Controller Policy | Administrators<br>Backup Operators<br>Server Operators|
| Stand-Alone Server Default Settings | Administrators<br>Backup Operators|
| Domain Controller Effective Default Settings | Administrators<br>Backup Operators<br>Server Operators|
| Member Server Effective Default Settings | Administrators<br>Backup Operators|
| Client Computer Effective Default Settings | Administrators<br>Backup Operators|
 
## Policy management
A restart of the device is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings
2. Site policy settings
3. Domain policy settings
4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
### Vulnerability
Users who can back up data from a device could take the backup media to a non-domain computer on which they have administrative privileges, and then restore the data. They could take ownership of the files and view any unencrypted data that is contained within the backup set.
### Countermeasure
Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right.
### Potential impact
Changes in the membership of the groups that have the **Back up files and directories** user right could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that authorized backup administrators can still perform backup operations.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
- [User Rights Assignment](user-rights-assignment.md)
 
 

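Review bot: spacing before the closing pipe is inconsistent across the new markdown table rows (`| Default Domain Policy | Not Defined |` versus `| Stand-Alone Server Default Settings | Administrators<br>Backup Operators|`); normalise it so the table matches the others converted in this commit. Using `<br>` inside cells to keep the multi-value defaults on one row is fine. As in the other security-option topics, the context line "Default values are also listed on the policys property page" should read "policy's".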

@ -2,45 +2,60 @@
title: Chromebook migration guide (Windows 10)
description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment.
ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA
ms.pagetype: edu; devices
keywords: ["migrate", "automate", "device"]
keywords: migrate, automate, device
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu; devices
author: craigash
---
# Chromebook migration guide
**Applies to**
- Windows 10
In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools.
## <a href="" id="plan-migration"></a>Plan Chromebook migration
Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process.
In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration.
## <a href="" id="plan-app-migrate-replace"></a>Plan for app migration or replacement
App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts.
**Identify the apps currently in use on Chromebook devices**
Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio).
**Note**  
The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section.
<<<<<<< HEAD
 
=======
>>>>>>> master
In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools.
## <a href="" id="plan-migration"></a>Plan Chromebook migration
Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process.
In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration.
## <a href="" id="plan-app-migrate-replace"></a>Plan for app migration or replacement
App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts.
**Identify the apps currently in use on Chromebook devices**
Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio).
> **Note**  The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section.
You can divide the apps into the following categories:
- **Apps installed and managed by the institution.** These apps are typically managed in the Apps section in the Google Admin Console. You can record the list of these apps in your app portfolio.
- **Apps installed by faculty or students.** Faculty or students might have installed these apps as a part of a classroom curriculum. Obtain the list of these apps from faculty or students. Ensure you only record apps that are legitimately used as a part of classroom curriculum (and not for personal entertainment or use).
Record the following information about each app in your app portfolio:
- App name
- App type (such as offline app, online app, web app, and so on)
- App publisher or developer
- App version currently in use
- App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low)
Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps.
### <a href="" id="select-googleapps"></a>
**Select Google Apps replacements**
Table 1 lists the Windows device app replacements for the common Google Apps on Chromebook devices. If your users rely on any of these Google Apps, use the corresponding app on the Windows device. Use the information in Table 1 to select the Google App replacement on a Windows device.
Table 1. Google App replacements
| If you use this Google app on a Chromebook | Use this app on a Windows device |
|--------------------------------------------|--------------------------------------|
| Google Docs | Word 2016 or Word Online |
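Review bot: this hunk commits unresolved merge-conflict markers: `<<<<<<< HEAD`, `=======` and `>>>>>>> master` sit between two copies of the introduction, and everything from "In this guide you will learn how to migrate a Google Chromebook-based learning environment..." through the Note paragraph is duplicated, the first copy with the old `**Note**` block style and the second with the new `> **Note**` blockquote. Resolve the conflict by keeping only the second copy and deleting the three marker lines before this merges; otherwise the published page renders the markers and the doubled text.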
@ -52,25 +67,45 @@ Table 1. Google App replacements
| Google Drive | Microsoft OneDrive for Business |
 
It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide.
**Find the same or similar apps in the Windows Store**
In many instances, software vendors will create a version of their app for multiple platforms. You can search the Windows Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section.
In other instances, the offline app does not have a version written for the Windows Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Windows Store for a graphing calculator app that provides similar features and functionality. Use that Windows Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS.
Record the Windows app that replaces the Chromebook app in your app portfolio.
### <a href="" id="perform-testing-webapps"></a>
**Perform app compatibility testing for web apps**
The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms.
Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio.
## <a href="" id="plan-migrate-user-device-settings"></a>Plan for migration of user and device settings
Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console.
However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom.
In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution.
At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide.
At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the
case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide.
**Identify Google Admin Console settings to migrate**
You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices.
![figure 1](images/chromebook-fig1-googleadmin.png)
Figure 1. Google Admin Console
Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows.
Table 2. Settings in the Device Management node in the Google Admin Console
<table>
<colgroup>
<col width="50%" />
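Review bot: "configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure" (under "Plan for migration of user and device settings") has a grammar slip; suggest "to help secure user data access and the devices themselves". Also, the subsection heading in this hunk is an empty `### <a href="" id="perform-testing-webapps"></a>` line with the title on the next line as bold text (`**Perform app compatibility testing for web apps**`); folding the title into the heading line (`### <a href="" id="perform-testing-webapps"></a>Perform app compatibility testing for web apps`) keeps the anchor and gives the TOC a real heading, as the H2 lines in this file already do (`## <a href="" id="plan-migrate-user-device-settings"></a>Plan for migration of user and device settings`). The same pattern recurs for every H3 in this file.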
@ -119,7 +154,9 @@ Table 2. Settings in the Device Management node in the Google Admin Console
</table>
 
Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows.
Table 3. Settings in the Security node in the Google Admin Console
<table>
<colgroup>
<col width="50%" />
@ -157,12 +194,17 @@ Table 3. Settings in the Security node in the Google Admin Console
</table>
 
**Identify locally-configured settings to migrate**
In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2).
![figure 2](images/fig2-locallyconfig.png)
Figure 2. Locally-configured settings on Chromebook
Table 4. Locally-configured settings
| Section | Settings |
|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Section | Settings |
| - | - |
| Internet connections | These settings configure the Internet connection for the devices, such as Wi-Fi and VPN connections. Record the network connection currently in use and configure the Windows device to use the same network connection settings. |
| Appearances | These settings affect the appearance of the desktop. Record the wallpaper image file that is used. Migrate the image file to the Windows device and configure as the users wallpaper to maintain similar user experience. |
| Search | These settings configure which search engine is used to search for content. Record this setting so that you can use as the search engine on the Windows device. |
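Review bot: two typos in the Table 4 rows in this hunk: "configure as the users wallpaper" needs "user's", and "Record this setting so that you can use as the search engine" is missing "it" ("so that you can use it as the search engine"). The new delimiter row `| - | - |` is valid GFM, but the conventional `| --- | --- |` form is the one documented in the GFM spec examples and does not rely on a processor accepting a single hyphen per cell; consider using it here and in the other pipe tables.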
@ -184,91 +226,149 @@ Table 4. Locally-configured settings
 
Determine how many users have similar settings and then consider managing those settings centrally. For example, a large number of users may have many of the same Chrome web browser settings. You can centrally manage these settings in Windows after migration.
Also, as a part of this planning process, consider settings that may not be currently managed centrally, but should be managed centrally. Record the settings that are currently being locally managed, but you want to manage centrally after the migration.
**Prioritize settings to migrate**
After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low.
Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate.
## <a href="" id="plan-email-migrate"></a>Plan for email migration
Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration.
Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252).
**Identify the list of user mailboxes to migrate**
In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff.
Also, when you perform a migration it is a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate.
Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](http://go.microsoft.com/fwlink/p/?LinkId=690253). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process.
**Identify companion devices that access Google Apps Gmail**
In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes.
After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox.
In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690254).
**Identify the optimal timing for the migration**
Typically, the best time to perform the migration is between academic years or during semester breaks. Select the time of least activity for your institution. And during that time, the optimal time to perform the migration might be during an evening or over a weekend.
Ensure that you communicate the time the migration will occur to your users well in advance. Also, ensure that users know how to access their Office 365 email after the migration is complete. Finally, ensure that your users know how to perform the common tasks they performed in Google Apps Gmail in Office 365 and/or Outlook 2016.
## <a href="" id="plan-cloud-storage-migration"></a>Plan for cloud storage migration
Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process.
In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan.
**Identify cloud storage services currently in use**
Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following:
- Name of the cloud storage service
- Cloud storage service vendor
- Associated licensing costs or fees
- Approximate storage currently in use per user
Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section.
**Optimize cloud storage services migration plan**
Now that you know the current cloud storage services configuration, you need to optimize your cloud storage services migration plan for Microsoft OneDrive for Business. Optimization helps ensure that your use only the cloud storage services resources that are necessary for your requirements.
Consider the following to help optimize your cloud storage services migration plan:
- **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate.
- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage.
- **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs.
Record your optimization changes in your cloud storage services migration plan.
## <a href="" id="plan-cloud-services"></a>Plan for cloud services migration
Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections.
In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services.
### <a href="" id="identify-cloud-services-inuse"></a>
**Identify cloud services currently in use**
You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service:
- Cloud service name
- Cloud service provider
- Number of users that use the cloud service
**Select cloud services to migrate**
One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features.
Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services:
- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive.
- **Online apps offer better document compatibility.** Microsoft Office online apps (such as Word Online and Excel Online) provide the highest level of compatibility with Microsoft Office documents. The Office online apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office online app from any device with Internet connectivity.
- **Reduce licensing costs.** If you pay for Office 365 licenses, then Office 365 apps and cloud storage are included in those licenses. Although you could keep existing cloud services, you probably would pay more to keep those services.
- **Improve storage capacity and cross-platform features.** Microsoft cloud services provide competitive storage capacity and provide more Windows-centric features than other cloud services providers. While the Microsoft cloud services user experience is highly optimized for Windows devices, Microsoft cloud services are also highly optimized for companion devices (such as iOS or Android devices).
Review the list of existing cloud services that you created in the [Identify cloud services currently in use](#identify-cloud-services-inuse) section and identify the cloud services that you want to migrate to Microsoft cloud services. If you determine at the end of this task that there are no cloud services to be migrated, then skip to the [Plan for Windows device deployment](#plan-windevice-deploy) section. Also, skip the [Perform cloud services migration](#perform-cloud-services-migration) section later in this guide.
**Prioritize cloud services**
After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low.
Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority.
Focus on the migration of higher priority cloud services first and put less effort into the migration of lower priority cloud services. There may be some cloud services that are unnecessary and you can remove them from your list of cloud services to migrate entirely. Record the cloud service migration priority in the list of cloud services you plan to migrate.
### <a href="" id="select-cs-migrationstrat"></a>
**Select cloud services migration strategy**
When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time.
Consider the following when you create your cloud services migration strategy:
- **Introduce small changes.** The move from Chrome OS to Windows will be simple for most users as most will have exposure to Windows from home, friends, or family. However, users may not be as familiar with the apps or cloud services. Consider the move to Windows first, and then make other changes as time progresses.
- **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks.
- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use.
- **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms.
- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years.
- **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal.
## <a href="" id="plan-windevice-deploy"></a>Plan for Windows device deployment
You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks.
In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation.
### <a href="" id="select-windows-device-deploy"></a>
**Select a Windows device deployment strategy**
What decisions need to be made about Windows device deployment? You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That is essentially correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies.
For each classroom that has Chromebook devices, select a combination of the following device deployment strategies:
- **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices.
- **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum.
- **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum.
- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices.
- **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices.
If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration.
Record the combination of Windows device deployment strategies that you selected.
### <a href="" id="plan-adservices"></a>
**Plan for AD DS and Azure AD services**
The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services.
In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD.
Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Azure AD, or a combination of both (hybrid). If the requirements you select from the table require on-premises AD DS and Azure AD, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Azure AD.
Table 5. Select on-premises AD DS, Azure AD, or hybrid
<table>
<colgroup>
<col width="25%" />
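Review bot: "The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD" (under "Plan for AD DS and Azure AD services") overstates the hybrid model: Azure AD Connect synchronizes identities one way, from on-premises AD DS to Azure AD, and writeback of selected data (for example password writeback) is an optional feature that depends on licensing; suggest "objects are synchronized from your on-premises AD DS to Azure AD; optional writeback features let selected changes made in Azure AD flow back on-premises". Smaller fixes in the same hunk: "In regards to creating the list" should be "Regarding the list"; "helps ensure that your use only the cloud storage services resources" should be "that you use only"; "such Google Apps, Google Apps Gmail, and Google Drive" is missing "as"; "overlap the user of existing and new cloud services" should be "overlap the use of". The cross-reference text "[Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate)" (used twice) does not match the heading it points to, "Plan for email migration"; use the heading text so readers can find the section.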
@ -325,11 +425,15 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid
</table>
 
### <a href="" id="plan-userdevapp-manage"></a>
**Plan device, user, and app management**
You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle.
Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device.
Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, System Center Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan.
Table 6. Device, user, and app management products and technologies
<table style="width:100%;">
<colgroup>
<col width="14%" />
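Review bot: "when the first teachers, facility, or students start using their new Windows device" should read "faculty", consistent with "faculty and staff" elsewhere in the guide. The heading for this section is again the empty `### <a href="" id="plan-userdevapp-manage"></a>` line with the title on the next line as bold text (`**Plan device, user, and app management**`); folding the title into the heading line gives it a real H3.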
@ -437,34 +541,61 @@ Table 6. Device, user, and app management products and technologies
</table>
 
You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution.
Record the device, user, and app management products and technologies that you selected.
### <a href="" id="plan-network-infra-remediation"></a>
**Plan network infrastructure remediation**
In addition to AD DS, Azure AD, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices.
Examine each of the following network infrastructure technologies and services and determine if any remediation is necessary:
- **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements.
However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other.
- **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices.
If you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices.
- **Wi-Fi.** Chromebook devices are designed to connect to Wi-Fi networks. Windows devices are the same. Your existing Wi-Fi network for the Chromebook devices should be adequate for the same number of Windows devices.
If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices.
- **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices.
However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices.
For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources:
- [Chromebook vs. Windows Notebook Network Traffic Analysis](http://go.microsoft.com/fwlink/p/?LinkId=690255)
- [Hidden Cost of Chromebook Deployments](http://go.microsoft.com/fwlink/p/?LinkId=690256)
- [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](http://go.microsoft.com/fwlink/p/?LinkId=690257)
- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices.
If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices.
At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network-infra-remediation) section of this guide.
## Perform Chromebook migration
Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created.
In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide.
You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important.
## <a href="" id="network-infra-remediation"></a>Perform network infrastructure remediation
The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform.
It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each.
Table 7. Network infrastructure products and technologies and deployment resources
<table>
<colgroup>
<col width="50%" />
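Review bot: the continuation paragraphs under the DNS, DHCP, Wi-Fi, Internet bandwidth, and Power bullets ("However, if you intend to communicate between Windows devices…", "If you plan to run Chromebook and Windows devices side-by-side…", and the nested resource list under "For more information that compares Internet bandwidth consumption…") are not indented under their bullets, so each one terminates the list item it belongs to and the three links render as a new top-level list; indent them to the bullet's text column. "For Windows devices that only access the Internet, they have the same requirements" is a dangling construction; suggest "Windows devices that only access the Internet have the same requirements". The "up to 700 times more" bandwidth figure rests on the three linked resources, so consider attributing it ("in the tests linked below") rather than stating it as a general property of the devices.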
@ -495,10 +626,14 @@ Table 7. Network infrastructure products and technologies and deployment resourc
</table>
 
If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section.
## Perform AD DS and Azure AD services deployment or remediation
It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations.
In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both.
Table 8. AD DS, Azure AD and deployment resources
<table>
<colgroup>
<col width="50%" />
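Review bot: "Table 8 list AD DS, Azure AD, and the deployment resources for both" has a subject-verb error and should read "Table 8 lists AD DS, Azure AD, and the deployment resources for both"; while touching it, the caption "Table 8. AD DS, Azure AD and deployment resources" drops the serial comma that the sentence right above it and the other table captions in this file use, so "Table 8. AD DS, Azure AD, and deployment resources" would keep the captions consistent.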
@ -531,9 +666,13 @@ Table 8. AD DS, Azure AD and deployment resources
 
If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
## Prepare device, user, and app management systems
In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings.
Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems.
Table 9. Management systems and deployment resources
<table>
<colgroup>
<col width="50%" />
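Review bot: the opening paragraph of "Prepare device, user, and app management systems" states the same prerequisite twice ("You need to prepare your management systems prior to Windows 10 device deployment" and, two sentences later, "You need to prepare these systems prior to the migration of user and device settings"); fold them into one sentence, for example "You need to prepare these management systems before you deploy Windows 10 devices and before you migrate the user and device settings selected in the Plan for migration of user and device settings section", so the reader gets one ordering requirement instead of two overlapping ones.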
@ -587,10 +726,15 @@ Table 9. Management systems and deployment resources
</table>
 
If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
## <a href="" id="perform-app-migration-or-replacement-"></a>Perform app migration or replacement
In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer.
In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide.
Table 10. Management systems and app deployment resources
<table>
<colgroup>
<col width="50%" />
@ -629,60 +773,81 @@ Table 10. Management systems and app deployment resources
</table>
 
If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
## <a href="" id="migrate-user-device-settings"></a>Perform migration of user and device settings
In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device.
Perform the user and device setting migration by using the following steps:
1. From the list of institution-wide settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure as many as possible in your management system (such as Group Policy, Configuration Manager, or Intune).
2. From the list of device-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure device-specific setting for higher priority settings.
3. From the list of user-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure user-specific setting for higher priority settings.
4. Verify that all higher-priority user and device settings have been configured in your management system.
If you do no want to migrate any user or device settings from the Chromebook devices to the Windows devices, you can skip this section.
## Perform email migration
In the [Plan for email migration](#plan-email-migrate) section, you identified the user mailboxes to migrate, identified the companion devices that access Google Apps Gmail, and identified the optimal timing for migration. You can perform this migration before or after you deploy the Windows devices.
Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information on how to automate the migration from Google Apps Gmail to Office 365, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252).
Alternatively, if you want to migrate to Office 365 from:
- **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server:
- [Cutover Exchange Migration and Single Sign-On](http://go.microsoft.com/fwlink/p/?LinkId=690266)
- [Step-By-Step: Migration of Exchange 2003 Server to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690267)
- [Step-By-Step: Migrating from Exchange 2007 to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690268)
- **Another on-premises or cloud-based email service.** Follow the guidance from that vendor.
## Perform cloud storage migration
In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices.
Manually migrate the cloud storage migration by using the following steps:
1. Install both Google Drive app and OneDrive for Business or OneDrive app on a device.
2. Sign in as the user in the Google Drive app.
3. Sign in as the user in the OneDrive for Business or OneDrive app.
4. Copy the data from the Google Drive storage to the OneDrive for Business or OneDrive storage.
5. Optionally uninstall the Google Drive app.
There are also a number of software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. For more information about these automated migration tools, contact the vendors.
## Perform cloud services migration
<<<<<<< HEAD
In the [Plan for cloud services migration](#plan-cloud-services)section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices.
=======
In the [Plan for cloud services migration](#plan-cloud-services) section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices.
>>>>>>> master
Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected.
There are also a number of software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors.
## Perform Windows device deployment
In the [Select a Windows device deployment strategy](#select-windows-device-deploy) section, you selected how you wanted to deploy Windows 10 devices. The other migration task that you designed in the [Plan for Windows device deployment](#plan-windevice-deploy) section have already been performed. Now it's time to deploy the actual devices.
For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until youve deployed all Windows devices.
In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. For information on how to deploy Windows 10 images to the devices, see the following resources:
In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. For information on how to deploy
Windows 10 images to the devices, see the following resources:
- [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911)
- [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=733918)
- [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](http://go.microsoft.com/fwlink/p/?LinkId=690324)
- [Step-By-Step: Installing Windows 8.1 From A USB Key](http://go.microsoft.com/fwlink/p/?LinkId=690265)
- [Operating System Deployment in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733916)
In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment:
- Enroll the device with your management system.
- Ensure that Windows Defender is enabled and configured to receive updates.
- Ensure that Windows Update is enabled and configured to receive updates.
- Deploy any apps that you want the user to immediately be able to access when they start the device (such as Word 2016 or Excel 2016).
After you complete these steps, your management system should take over the day-to-day maintenance tasks for the Windows 10 devices. Verify that the user and device settings migrated correctly as you deploy each batch of Windows 10 devices. Continue this process until you deploy all Windows 10 devices.
## Related topics
[Try it out: Windows 10 deployment (for education)](http://go.microsoft.com/fwlink/p/?LinkId=623254)
[Try it out: Windows 10 in the classroom](http://go.microsoft.com/fwlink/p/?LinkId=623255)
- [Try it out: Windows 10 deployment (for education)](http://go.microsoft.com/fwlink/p/?LinkId=623254)
- [Try it out: Windows 10 in the classroom](http://go.microsoft.com/fwlink/p/?LinkId=623255)
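Review bot: unresolved merge-conflict markers are being committed in the "Perform cloud services migration" section: the lines "<<<<<<< HEAD", "=======" and ">>>>>>> master" bracket two copies of the first paragraph that differ only by the missing space in "(#plan-cloud-services)section" in the HEAD copy, so keep the master copy (which has the space), delete the markers and the duplicate paragraph, and re-check that no other file in this 85-file commit carries the same markers, since they would otherwise render verbatim on the published page. Smaller fixes in the same hunk: "If you do no want to migrate any user or device settings" should be "do not"; "The other migration task that you designed ... have already been performed" needs "tasks"; "configure device-specific setting" and "configure user-specific setting" in steps 2 and 3 should be plural "settings"; "youve deployed all Windows devices" is missing its apostrophe; and "Manually migrate the cloud storage migration by using the following steps" reads better as "Manually perform the cloud storage migration by using the following steps". The rejoining of the paragraph that was split after "For information on how to deploy" and the conversion of the two "Related topics" links into list items look correct.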