deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

updating for Windows 10

Browse Source
This commit is contained in:
Brian Lich 2016-06-02 14:37:45 -07:00
parent 8863c8459e
commit ec65ca848b
47 changed files with 843 additions and 1279 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
windows/keep-secure/TOC.md
View File

@ -477,13 +477,12 @@
######### [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md)
######### [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md)
######## [Boundary Zone GPOs](boundary-zone-gpos.md)
######### [GPO_DOMISO_Boundary_WS2008](gpo-domiso-boundary-ws2008.md)
######### [GPO_DOMISO_Boundary](gpo-domiso-boundary.md)
######## [Encryption Zone GPOs](encryption-zone-gpos.md)
######### [GPO_DOMISO_Encryption_WS2008](gpo-domiso-encryption-ws2008.md)
######### [GPO_DOMISO_Encryption](gpo-domiso-encryption.md)
######## [Server Isolation GPOs](server-isolation-gpos.md)
####### [Planning GPO Deployment](planning-gpo-deployment.md)
##### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
##### [Additional Resources](additional-resources-wfasdesign.md)
#### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md)
##### [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md)
##### [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md)
@ -506,11 +505,11 @@
###### [Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)
###### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
###### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
###### [Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
###### [Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
###### [Configure Authentication Methods](configure-authentication-methods.md)
###### [Configure Data Protection (Quick Mode) Settings](configure-data-protection--quick-mode--settings.md)
###### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
###### [Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
###### [Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
###### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange--main-mode--settings.md)
###### [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
###### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
###### [Configure the Workstation Authentication Certificate Template[wfas_dep]](configure-the-workstation-authentication-certificate-templatewfas-dep.md)
###### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
@ -518,18 +517,18 @@
###### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
###### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
###### [Create a Group Policy Object](create-a-group-policy-object.md)
###### [Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
###### [Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
###### [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
###### [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
###### [Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
###### [Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
###### [Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
###### [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
###### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
###### [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
###### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
###### [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
###### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
###### [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
###### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
###### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
###### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
###### [Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
###### [Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
###### [Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
###### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
###### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
###### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
###### [Install Active Directory Certificate Services](install-active-directory-certificate-services.md)
###### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
###### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
@ -538,10 +537,8 @@
###### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
###### [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
###### [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
###### [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md)
###### [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
##### [Additional Resources[wfas_deploy]](additional-resourceswfas-deploy.md)
## [Enterprise security guides](windows-10-enterprise-security-guides.md)
### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
### [Device Guard deployment guide](device-guard-deployment-guide.md)

84
windows/keep-secure/add-production-computers-to-the-membership-group-for-a-zone.md
View File

@ -1,84 +0,0 @@
---
title: Add Production Computers to the Membership Group for a Zone (Windows 10)
description: Add Production Computers to the Membership Group for a Zone
ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
author: brianlic-msft
---
# Add Production Computers to the Membership Group for a Zone
After you test the GPOs for your design on a small set of computers, you can deploy them to the production computers.
**Caution**  
For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your computers are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode.
 
The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new computers that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude computers that must not receive the GPOs. Use computer groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Computers that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
Without such a group (or groups), you must either add computers individually or use the groups containing computer accounts that are available to you.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
In this topic:
- [Add the group Domain Computers to the GPO membership group](#bkmk-toadddomaincomputerstothegpomembershipgroup)
- [Refresh Group Policy on the computers in the membership group](#bkmk-torefreshgrouppolicyonacomputer)
- [Check which GPOs apply to a computer](#bkmk-toseewhatgposareappliedtoacomputer)
## <a href="" id="bkmk-toadddomaincomputerstothegpomembershipgroup"></a>
**To add domain computers to the GPO membership group**
1. On a computer that has the Active Directory management tools installed, click the **Start** charm, then click the **Active Directory Users and Computers** tile.
2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group.
3. In the details pane, double-click the GPO membership group to which you want to add computers.
4. Select the **Members** tab, and then click **Add**.
5. Type **Domain Computers** in the text box, and then click **OK**.
6. Click **OK** to close the group properties dialog box.
After a computer is a member of the group, you can force a Group Policy refresh on the computer.
## <a href="" id="bkmk-torefreshgrouppolicyonacomputer"></a>
**To refresh Group Policy on a computer**
- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command:
``` syntax
gpupdate /target:computer /force
```
After Group Policy is refreshed, you can see which GPOs are currently applied to the computer.
## <a href="" id="bkmk-toseewhatgposareappliedtoacomputer"></a>
**To see which GPOs are applied to a computer**
- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command:
``` syntax
gpresult /r /scope:computer
```
 
 

83
windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md Normal file
View File

@ -0,0 +1,83 @@
---
title: Add Production Devices to the Membership Group for a Zone (Windows 10)
description: Add Production Devices to the Membership Group for a Zone
ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Add Production Devices to the Membership Group for a Zone
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
**Caution**  
For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode.
 
The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
In this topic:
- [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group)
- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
## To add domain devices to the GPO membership group
1. Open Active Directory Users and Computers.
2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group.
3. In the details pane, double-click the GPO membership group to which you want to add computers.
4. Select the **Members** tab, and then click **Add**.
5. Type **Domain Computers** in the text box, and then click **OK**.
6. Click **OK** to close the group properties dialog box.
After a computer is a member of the group, you can force a Group Policy refresh on the computer.
## To refresh Group Policy on a device
From an elevated command prompt, type the following:
``` syntax
gpupdate /target:computer /force
```
After Group Policy is refreshed, you can see which GPOs are currently applied to the computer.
## To see which GPOs are applied to a device
From an elevated command prompt, type the following:
``` syntax
gpresult /r /scope:computer
```
 
 

79
windows/keep-secure/add-test-computers-to-the-membership-group-for-a-zone.md
View File

@ -1,79 +0,0 @@
---
title: Add Test Computers to the Membership Group for a Zone (Windows 10)
description: Add Test Computers to the Membership Group for a Zone
ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
author: brianlic-msft
---
# Add Test Computers to the Membership Group for a Zone
Before you deploy your rules to large numbers of computers, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between computers. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of computers only to be sure that the correct GPOs are being processed by each computer.
Add at least one computer of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a computer among the test group. After Group Policy has been refreshed on each test computer, check the output of the **gpresult** command to confirm that each computer is receiving only the GPOs it is supposed to receive.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
In this topic:
- [Add the test computers to the GPO membership groups](#bkmk-toadddomaincomputerstothegpomembershipgroup)
- [Refresh Group Policy on the computers in each membership group](#bkmk-torefreshgrouppolicyonacomputer)
- [Check which GPOs apply to a computer](#bkmk-toseewhatgposareappliedtoacomputer)
## <a href="" id="bkmk-toadddomaincomputerstothegpomembershipgroup"></a>
**To add test computers to the GPO membership groups**
1. On a computer that has the Active Directory management tools installed, click the **Start** charm, then click the **Active Directory Users and Computers** tile.
2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account.
3. In the details pane, double-click the GPO membership group to which you want to add computers.
4. Select the **Members** tab, and then click **Add**.
5. Type the name of the computer in the text box, and then click **OK**.
6. Repeat steps 5 and 6 for each additional computer account or group that you want to add.
7. Click **OK** to close the group properties dialog box.
After a computer is a member of the group, you can force a Group Policy refresh on the computer.
## <a href="" id="bkmk-torefreshgrouppolicyonacomputer"></a>
**To refresh Group Policy on a computer**
- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command:
``` syntax
gpupdate /target:computer /force
```
After Group Policy is refreshed, you can see which GPOs are currently applied to the computer.
## <a href="" id="bkmk-toseewhatgposareappliedtoacomputer"></a>
**To see which GPOs are applied to a computer**
- For a computer that is running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command:
``` syntax
gpresult /r /scope:computer
```
 
 

77
windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md Normal file
View File

@ -0,0 +1,77 @@
---
title: Add Test Devices to the Membership Group for a Zone (Windows 10)
description: Add Test Devices to the Membership Group for a Zone
ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Add Test Devices to the Membership Group for a Zone
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device.
Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it is supposed to receive.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
In this topic:
- [Add the test devices to the GPO membership groups](#to-add-domain-devices-to-the-gpo-membership-group)
- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
## To add test devices to the GPO membership groups
1. Open Active Directory Users and Computers.
2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account.
3. In the details pane, double-click the GPO membership group to which you want to add devices.
4. Select the **Members** tab, and then click **Add**.
5. Type the name of the device in the text box, and then click **OK**.
6. Repeat steps 5 and 6 for each additional device account or group that you want to add.
7. Click **OK** to close the group properties dialog box.
After a device is a member of the group, you can force a Group Policy refresh on the device.
## To refresh Group Policy on a device
From a elevated command prompt, run the following:
``` syntax
gpupdate /target:device /force
```
After Group Policy is refreshed, you can see which GPOs are currently applied to the device.
## To see which GPOs are applied to a device
From an elevated command prompt, run the following:
``` syntax
gpresult /r /scope:computer
```
 
 

44
windows/keep-secure/assign-security-group-filters-to-the-gpo.md
View File

@ -2,16 +2,22 @@
title: Assign Security Group Filters to the GPO (Windows 10)
description: Assign Security Group Filters to the GPO
ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Assign Security Group Filters to the GPO
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
**Important**  
This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.
>**Important:**  This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.
 
@ -21,40 +27,31 @@ To complete these procedures, you must be a member of the Domain Administrators
In this topic:
- [Allow members of a group to apply a GPO](#bkmk-toallowamembersofagrouptoapplyagpo)
- [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo)
- [Prevent members of a group from applying a GPO](#bkmk-topreventmembersofgroupfromapplyingagpo)
## <a href="" id="bkmk-toallowamembersofagrouptoapplyagpo"></a>
- [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo)
## To allow members of a group to apply a GPO
Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO.
**To allow members of a group to apply a GPO**
1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile.
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
3. In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**.
**Note**  
You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify.
 
>**Note:**  You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify.
4. Click **Add**.
5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
## <a href="" id="bkmk-topreventmembersofgroupfromapplyingagpo"></a>
## To prevent members of a group from applying a GPO
Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain.
**To prevent members of group from applying a GPO**
1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile.
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
@ -71,14 +68,3 @@ Use the following procedure to add a group to the security filter on the GPO tha
8. Click **OK**, and then in the **Windows Security** dialog box, click **Yes**.
9. The group appears in the list with **Custom** permissions.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

42
windows/keep-secure/change-rules-from-request-to-require-mode.md
View File

@ -2,13 +2,20 @@
title: Change Rules from Request to Require Mode (Windows 10)
description: Change Rules from Request to Require Mode
ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Change Rules from Request to Require Mode
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that computers in the boundary zone can continue to accept connections from computers that are not part of the isolated domain.
After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain.
**Administrative credentials**
@ -16,16 +23,11 @@ To complete these procedures, you must be a member of the Domain Administrators
In this topic:
- [Convert a rule in a GPO for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](#bkmk-section1)
- [Convert a rule from request to require mode](#to-convert-a-rule-from-request-to-require-mode)
- [Convert a rule for an earlier version of Windows](#bkmk-section2)
- [Apply the modified GPOs to the client devices](#to-apply-the-modified-gpos-to-the-client-devices)
- [Refresh policy on the client computers to receive the modified GPOs](#bkmk-section3)
## <a href="" id="bkmk-section1"></a>
**To convert a rule from request to require mode for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
## To convert a rule from request to require mode
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
@ -37,32 +39,18 @@ In this topic:
5. In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK**.
## <a href="" id="bkmk-section3"></a>
## To apply the modified GPOs to the client devices
**To apply the modified GPOs to the client computers**
1. The next time each computer refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md) and run the following command:
1. The next time each device refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, run the following command from an elevated command prompt:
``` syntax
gpupdate /force
```
2. To verify that the modified GPO is correctly applied to the client computers, you can run one of the following commands:
On computers that are running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, run the following command:
2. To verify that the modified GPO is correctly applied to the client devices, you can run the following command:
``` syntax
gpresult /r /scope computer
```
3. Examine the command output for the list of GPOs that are applied to the computer, and make sure that the list contains the GPOs you expect to see on that computer.
 
 
3. Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device.

45
windows/keep-secure/configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md → windows/keep-secure/configure-authentication-methods.md
View File

@ -1,19 +1,24 @@
---
title: Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10)
description: Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
title: Configure Authentication Methods (Windows 10)
description: Configure Authentication Methods
ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
# Configure Authentication Methods
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone.
**Note**  
If you follow the steps in the procedure in this topic, you alter the system-wide default settings. Any connection security rule can use these settings by specifying **Default** on the **Authentication** tab.
 
>**Note:**  If you follow the steps in the procedure in this topic, you alter the system-wide default settings. Any connection security rule can use these settings by specifying **Default** on the **Authentication** tab.
**Administrative credentials**
@ -31,11 +36,11 @@ To complete these procedures, you must be a member of the Domain Administrators
1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Firewall with Advanced Security or by Group Policy as the default.
2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials. This authentication method works only with other computers that can use Authenticated IP (AuthIP), including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1.
2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials.
3. **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows.
4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1.
4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials.
5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule.
@ -45,7 +50,7 @@ To complete these procedures, you must be a member of the Domain Administrators
- **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows.
- **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used.
@ -55,9 +60,9 @@ To complete these procedures, you must be a member of the Domain Administrators
The second authentication method can be one of the following:
- **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups.
@ -65,20 +70,6 @@ To complete these procedures, you must be a member of the Domain Administrators
If you select **Second authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
**Important**  
Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
 
>**Important:**  Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
5. Click **OK** on each dialog box to save your changes and return to the Group Policy Management Editor.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

24
windows/keep-secure/configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md → windows/keep-secure/configure-data-protection-quick-mode-settings.md
View File

@ -1,12 +1,19 @@
---
title: Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10)
description: Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
title: Configure Data Protection (Quick Mode) Settings (Windows 10)
description: Configure Data Protection (Quick Mode) Settings
ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
# Configure Data Protection (Quick Mode) Settings
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone.
@ -53,14 +60,3 @@ To complete these procedures, you must be a member of the Domain Administrators
6. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operations between the two computers that negotiated this key will require a new key. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent rekeying. We recommend that you use the default value unless your risk analysis indicates the need for a different value.
8. Click **OK** three times to save your settings.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

20
windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md
View File

@ -2,11 +2,18 @@
title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10)
description: Configure Group Policy to Autoenroll and Deploy Certificates
ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Configure Group Policy to Autoenroll and Deploy Certificates
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate.
@ -16,7 +23,7 @@ To complete these procedures, you must be a member of both the Domain Admins gro
**To configure Group Policy to autoenroll certificates**
1. On a computer that has the Group Policy Management feature installed, click **Start**, click **Administrative Tools**, and then click **Group Policy Management**.
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
@ -29,14 +36,3 @@ To complete these procedures, you must be a member of both the Domain Admins gro
6. Select both **Renew expired certificates, update pending certificates, and remove revoked certificates** and **Update certificates that use certificate templates**.
7. Click **OK** to save your changes. Computers apply the GPO and download the certificate the next time Group Policy is refreshed.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

51
windows/keep-secure/configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md → windows/keep-secure/configure-key-exchange-main-mode-settings.md
View File

@ -1,12 +1,19 @@
---
title: Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10)
description: Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
title: Configure Key Exchange (Main Mode) Settings (Windows 10)
description: Configure Key Exchange (Main Mode) Settings
ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
# Configure Key Exchange (Main Mode) Settings
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic.
@ -24,56 +31,32 @@ To complete these procedures, you must be a member of the Domain Administrators
4. In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**.
5. Select the security methods to be used to help protect the main mode negotiations between the two computers. If the security methods displayed in the list are not what you want, then do the following:
5. Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list are not what you want, then do the following:
**Important**  
In Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another computer running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both computers.
In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices.
Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. Make sure that all of your computers that run Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 have the same methods at the top of the list and the same key exchange algorithm selected.
 
Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. Make sure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected.
**Note**  
When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This happens no matter which Diffie-Hellman key exchange protocol you select.
 
1. Remove any of the security methods that you do not want by selecting the method and then clicking **Remove**.
2. Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**.
**Caution**  
We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only.
 
>**Caution:**  We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only.
3. After the list contains only the combinations you want, use the up and down arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on.
6. From the list on the right, select the key exchange algorithm that you want to use.
**Caution**  
We recommend that you do not use Diffie-Hellman Group 1. It is included for backward compatibility only.
>**Caution:**  We recommend that you do not use Diffie-Hellman Group 1. It is included for backward compatibility only. 
 
7. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operation between the two devices requires a new key.
7. In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operation between the two computers requires a new key.
**Note**  
You need to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance.
 
>**Note:**  You need to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance.
8. In **Key lifetime (in sessions)**, type the number of sessions. After the specified number of quick mode sessions have been created within the security association protected by this key, IPsec requires a new key.
9. Click **OK** three times to save your settings.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

32
windows/keep-secure/configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md → windows/keep-secure/configure-the-rules-to-require-encryption.md
View File

@ -1,12 +1,15 @@
---
title: Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10)
description: Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
title: Configure the Rules to Require Encryption (Windows 10)
description: Configure the Rules to Require Encryption
ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
# Configure the Rules to Require Encryption
If you are creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that do not use encryption.
@ -34,28 +37,17 @@ To complete this procedure, you must be a member of the Domain Administrators gr
9. Click **Require encryption for all connection security rules that use these settings**.
This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client computers will use to connect to members of the encryption zone. The client computers receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client computers in that zone will not be able to connect to computers in this zone.
This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone will not be able to connect to devices in this zone.
10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md).
10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md).
**Note**  
Not all of the algorithms available in Windows 8 or Windows Server 2012 can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell.
Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell.
Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell.
For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
 
11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating computers select the most secure combination that they can jointly support.
11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support.
12. Click **OK** three times to save your changes.
 
 

29
windows/keep-secure/configure-the-windows-firewall-log.md
View File

@ -2,11 +2,19 @@
title: Configure the Windows Firewall Log (Windows 10)
description: Configure the Windows Firewall Log
ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Configure the Windows Firewall Log
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in.
@ -16,12 +24,9 @@ To complete these procedures, you must be a member of the Domain Administrators
In this topic:
[To configure Windows Firewall logging for Windows Vista or Windows Server 2008](#bkmk-toenablewindowsfirewallandconfigurethedefaultbehavior)
- [To configure the Windows Firewall log](#to-configure-the-windows-firewall-log)
## <a href="" id="bkmk-1"></a>
**To configure Windows Firewall logging for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
## To configure the Windows Firewall log
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
@ -35,10 +40,7 @@ In this topic:
3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location.
**Important**  
The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file.
 
>**Important:**  The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file.
4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
@ -49,12 +51,3 @@ In this topic:
- To create a log entry when Windows Firewall allows an inbound connection, change **Log successful connections** to **Yes**.
6. Click **OK** twice.
 
 

27
windows/keep-secure/configure-the-workstation-authentication-certificate-templatewfas-dep.md → windows/keep-secure/configure-the-workstation-authentication-certificate-template.md
View File

@ -2,21 +2,28 @@
title: Configure the Workstation Authentication Certificate Template (Windows 10)
description: Configure the Workstation Authentication Certificate Template
ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Configure the Workstation Authentication Certificate Template
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for computer certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.
This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.
**Administrative credentials**
## To configure the workstation authentication certificate template and autoenrollment
To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group.
**To configure the workstation authentication certificate template and autoenrollment**
1. On the computer where AD CS is installed, click the **Start** charm, and then click **Certification Authority**.
1. On the device where AD CS is installed, open the Certification Authority console.
2. In the navigation pane, right-click **Certificate Templates**, and then click **Manage**.
@ -32,22 +39,10 @@ To complete these procedures, you must be a member of both the Domain Admins gro
8. Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**.
**Note**  
If you want do not want to deploy the certificate to every computer in the domain, then specify a different group or groups that contain the computer accounts that you want to receive the certificate.
 
>**Note:**  If you want do not want to deploy the certificate to every device in the domain, then specify a different group or groups that contain the device accounts that you want to receive the certificate.
9. Close the Certificate Templates Console.
10. In the Certification Authority MMC snap-in, in the left pane, right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you just configured, and then click **OK**.
 
 

32
windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
View File

@ -2,33 +2,30 @@
title: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked (Windows 10)
description: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked
ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Configure Windows Firewall to Suppress Notifications When a Program Is Blocked
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in.
To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console.
**Caution**  
If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail.
>**Caution:**  If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail.
We recommend that you do not enable these settings until you have created and tested the required rules.
 
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
In this topic:
[To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](#bkmk-1)
## <a href="" id="bkmk-1"></a>
**To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2**
## To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
@ -47,12 +44,3 @@ In this topic:
5. Although a connection security rule is not a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you are planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**.
6. Click **OK** twice.
 
 

40
windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md
View File

@ -2,15 +2,22 @@
title: Confirm That Certificates Are Deployed Correctly (Windows 10)
description: Confirm That Certificates Are Deployed Correctly
ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: securit
author: brianlic-msft
---
# Confirm That Certificates Are Deployed Correctly
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation computers.
After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices.
In these procedures, you refresh Group Policy on a client computer, and then confirm that the certificate is deployed correctly.
In these procedures, you refresh Group Policy on a client device, and then confirm that the certificate is deployed correctly.
**Administrative credentials**
@ -18,39 +25,24 @@ To complete these procedures, you must be a member of the Domain Administrators
In this topic:
- [Refresh Group Policy on a computer](#bkmk-torefreshgrouppolicyonacomputer)
- [Refresh Group Policy on a device](#to-refresh-group-policy-on-a-device)
- [Verify that a certificate is installed](#bkmk-toverifythatacertificateisinstalled)
- [Verify that a certificate is installed](#to-verify-that-a-certificate-is-installed)
## <a href="" id="bkmk-torefreshgrouppolicyonacomputer"></a>
## To refresh Group Policy on a device
**To refresh Group Policy on a computer**
- On a computer running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2, [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md), and then type the following command:
From an elevated command prompt, run the following command:
``` syntax
gpupdate /target:computer /force
```
After Group Policy is refreshed, you can see which GPOs are currently applied to the computer.
After Group Policy is refreshed, you can see which GPOs are currently applied to the device.
## <a href="" id="bkmk-toverifythatacertificateisinstalled"></a>
## To verify that a certificate is installed
**To verify that a certificate is installed**
1. Click the **Start** charm, type **certmgr.msc**, and then press ENTER.
1. Open the Cerificates console.
2. In the navigation pane, expand **Trusted Root Certification Authorities**, and then click **Certificates**.
The CA that you created appears in the list.
 
 

26
windows/keep-secure/copy-a-gpo-to-create-a-new-gpo.md
View File

@ -2,13 +2,20 @@
title: Copy a GPO to Create a New GPO (Windows 10)
description: Copy a GPO to Create a New GPO
ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Copy a GPO to Create a New GPO
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
To create the GPO for the boundary zone computers, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and Computers MMC snap-in.
To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in.
**Administrative credentials**
@ -16,7 +23,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
**To make a copy of a GPO**
1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click **Group Policy Management** tile.
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**.
@ -32,7 +39,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
8. Type the new name, and then press ENTER.
9. You must change the security filters to apply the policy to the correct group of computers. To do this, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**.
9. You must change the security filters to apply the policy to the correct group of devices. To do this, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**.
10. In the confirmation dialog box, click **OK**.
@ -40,15 +47,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr
12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**.
13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client computers running Windows 8, and the new boundary zone GPO is for computers running Windows Server 2012, then select a WMI filter that allows only those computers to read and apply the GPO.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 
13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016 Technical Preview, then select a WMI filter that allows only those devices to read and apply the GPO.

25
windows/keep-secure/create-a-group-account-in-active-directory.md
View File

@ -2,13 +2,20 @@
title: Create a Group Account in Active Directory (Windows 10)
description: Create a Group Account in Active Directory
ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Create a Group Account in Active Directory
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers MMC snap-in.
To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console.
**Administrative credentials**
@ -16,7 +23,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
**To add a new membership group in Active Directory**
1. On a computer that has Active Directory management tools installed, click the **Start** charm, and then click the **Active Directory Users and Computers** tile.
1. Open the Active Directory Users and Computers console.
2. In the navigation pane, select the container in which you want to store your group. This is typically the **Users** container under the domain.
@ -24,10 +31,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
4. In the **Group name** text box, type the name for your new group.
**Note**  
Be sure to use a name that clearly indicates its purpose. Check to see if your organization has a naming convention for groups.
 
>**Note:**  Be sure to use a name that clearly indicates its purpose. Check to see if your organization has a naming convention for groups.
5. In the **Description** text box, enter a description of the purpose of this group.
@ -36,12 +40,3 @@ To complete this procedure, you must be a member of the Domain Administrators gr
7. In the **Group type** section, click **Security**.
8. Click **OK** to save your group.
 
 

27
windows/keep-secure/create-a-group-policy-object.md
View File

@ -2,11 +2,18 @@
title: Create a Group Policy Object (Windows 10)
description: Create a Group Policy Object
ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Create a Group Policy Object
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
To create a new GPO, use the Active Directory Users and Computers MMC snap-in.
@ -14,9 +21,9 @@ To create a new GPO, use the Active Directory Users and Computers MMC snap-in.
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to create new GPOs.
**To create a new GPO**
To create a new GPO
1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile.
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**.
@ -24,10 +31,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
4. In the **Name** text box, type the name for your new GPO.
**Note**  
Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs.
 
>**Note:**  Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs.
5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**.
@ -38,14 +42,3 @@ To complete this procedure, you must be a member of the Domain Administrators gr
2. In the details pane, click the **Details** tab.
3. Change the **GPO Status** to **User configuration settings disabled**.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

42
windows/keep-secure/create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md → windows/keep-secure/create-an-authentication-exemption-list-rule.md
View File

@ -1,17 +1,24 @@
---
title: Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10)
description: Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
title: Create an Authentication Exemption List Rule (Windows 10)
description: Create an Authentication Exemption List Rule
ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
# Create an Authentication Exemption List Rule
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
In almost any isolated server or isolated domain scenario, there are some computers or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those computers from the authentication requirements of your isolation policies.
In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies.
**Important**  
Adding computers to the exemption list for a zone reduces security because it permits computers in the zone to send network traffic that is unprotected by IPsec to the computers on the list. As discussed in the Windows Firewall with Advanced Security Design Guide, you must add only managed and trusted computers to the exemption list.
Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list.
 
@ -37,16 +44,13 @@ To complete these procedures, you must be a member of the Domain Administrators
- To add an entire subnet by address, click **This IP address or subnet**, and then type the IP address of the subnet, followed by a forward slash (/) and the number of bits in the corresponding subnet mask. For example, **10.50.0.0/16** represents the class B subnet that begins with address 10.50.0.1, and ends with address **10.50.255.254**. Click **OK** when you are finished.
- To add the local computers subnet, click **Predefined set of computers**, select **Local subnet** from the list, and then click **OK**.
- To add the local devices subnet, click **Predefined set of computers**, select **Local subnet** from the list, and then click **OK**.
**Note**  
If you select the local subnet from the list rather than typing the subnet address in manually, the computer automatically adjusts the active local subnet to match the computers current IP address.
 
>**Note:**  If you select the local subnet from the list rather than typing the subnet address in manually, the device automatically adjusts the active local subnet to match the devices current IP address.
- To add a discrete range of addresses that do not correspond to a subnet, click **This IP address range**, type the beginning and ending IP addresses in the **From** and **To** text boxes, and then click **OK**.
- To exempt all of the remote hosts that the local computer uses for a specified network service, click **Predefined set of computers**, select the network service from the list, and then click **OK**.
- To exempt all of the remote hosts that the local device uses for a specified network service, click **Predefined set of computers**, select the network service from the list, and then click **OK**.
7. Repeat steps 5 and 6 for each exemption that you need to create.
@ -54,20 +58,6 @@ To complete these procedures, you must be a member of the Domain Administrators
9. On the **Profile** page, check the profile for each network location type to which this set of exemptions applies, and then click **Next**.
**Caution**  
If all of the exemptions are on the organizations network and that network is managed by an Active Directory domain, then consider restricting the rule to the Domain profile only. Selecting the wrong profile can reduce the protection for your computer because any computer with an IP address that matches an exemption rule will not be required to authenticate.
 
>**Caution:**  If all of the exemptions are on the organizations network and that network is managed by an Active Directory domain, then consider restricting the rule to the Domain profile only. Selecting the wrong profile can reduce the protection for your computer because any computer with an IP address that matches an exemption rule will not be required to authenticate.
10. On the **Name** page, type the name of the exemption rule, type a description, and then click **Finish**.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

94
windows/keep-secure/create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md
View File

@ -1,94 +0,0 @@
---
title: Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10)
description: Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359
author: brianlic-msft
---
# Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the computers on the network to use those protocols and methods before they can communicate.
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To create the authentication request rule**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**.
3. On the **Rule Type** page, select **Isolation**, and then click **Next**.
4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**.
**Caution**  
Do not configure the rule to require inbound authentication until you have confirmed that all of your computers are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the computers to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network.
 
5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP), which is supported only on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2.
1. **Default**. Selecting this option tells the computer to request authentication by using the method currently defined as the default on the computer. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md) procedure.
2. **Computer and User (Kerberos V5)**. Selecting this option tells the computer to request authentication of both the computer and the currently logged-on user by using their domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1.
3. **Computer (Kerberos V5)**. Selecting this option tells the computer to request authentication of the computer by using its domain credentials. This option works with other computers than can use IKE v1, including earlier versions of Windows.
4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
The **First authentication method** can be one of the following:
- **Computer (Kerberos V5)**. Selecting this option tells the computer to request authentication of the computer by using its domain credentials. This option works with other computers than can use IKE v1, including earlier versions of Windows.
- **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule.
- **Preshared key (not recommended)**. Selecting this method and entering a pre-shared key tells the computer to authenticate by exchanging the pre-shared keys. If the keys match, then the authentication succeeds. This method is not recommended, and is included for backward compatibility and testing purposes only.
If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
The **Second authentication method** can be one of the following:
- **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP, including Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. User-based authentication using NTLMv2 is not supported by IKE v1.
- **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to request user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups.
- **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule.
If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails.
**Important**  
Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
 
6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**.
7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies.
- On portable computers, consider clearing the **Private** and **Public** boxes to enable the computer to communicate without authentication when it is away from the domain network.
- On computers that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule.
Click **Next**.
8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**.
The new rule appears in the list of connection security rules.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

84
windows/keep-secure/create-an-authentication-request-rule.md Normal file
View File

@ -0,0 +1,84 @@
---
title: Create an Authentication Request Rule (Windows 10)
description: Create an Authentication Request Rule
ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Create an Authentication Request Rule
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate.
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To create the authentication request rule
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**.
3. On the **Rule Type** page, select **Isolation**, and then click **Next**.
4. On the **Requirements** page, select **Request authentication for inbound and outbound connections**.
>**Caution:**  Do not configure the rule to require inbound authentication until you have confirmed that all of your devices are receiving the correct GPOs, and are successfully negotiating IPsec and authenticating with each other. Allowing the devices to communicate even when authentication fails prevents any errors in the GPOs or their distribution from breaking communications on your network.
5. On the **Authentication Method** page, select the authentication option you want to use on your network. To select multiple methods that are tried in order until one succeeds, click **Advanced**, click **Customize**, and then click **Add** to add methods to the list. Second authentication methods require Authenticated IP (AuthIP).
1. **Default**. Selecting this option tells the device to request authentication by using the method currently defined as the default on the device. This default might have been configured when the operating system was installed or it might have been configured by Group Policy. Selecting this option is appropriate when you have configured system-wide settings by using the [Configure Authentication Methods](configure-authentication-methods.md) procedure.
2. **Computer and User (Kerberos V5)**. Selecting this option tells the device to request authentication of both the device and the currently logged-on user by using their domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
3. **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows.
4. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
The **First authentication method** can be one of the following:
- **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows.
- **Computer (NTLMv2)**. Selecting this option tells the device to use and require authentication of the device by using its domain credentials. This option works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule.
- **Preshared key (not recommended)**. Selecting this method and entering a pre-shared key tells the device to authenticate by exchanging the pre-shared keys. If the keys match, then the authentication succeeds. This method is not recommended, and is included for backward compatibility and testing purposes only.
If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
The **Second authentication method** can be one of the following:
- **User (Kerberos V5)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
- **User (NTLMv2)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other devices that can use AuthIP. User-based authentication using NTLMv2 is not supported by IKE v1.
- **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups.
- **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule.
If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails.
>**Important:**  Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
6. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**.
7. On the **Profile** page, select the check boxes for the network location type profiles to which this rule applies.
- On portable devices, consider clearing the **Private** and **Public** boxes to enable the device to communicate without authentication when it is away from the domain network.
- On devices that do not move from network to network, consider selecting all of the profiles. Doing so prevents an unexpected switch in the network location type from disabling the rule.
Click **Next**.
8. On the **Name** page, type a name for the connection security rule and a description, and then click **Finish**.
The new rule appears in the list of connection security rules.

35
windows/keep-secure/create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md → windows/keep-secure/create-an-inbound-icmp-rule.md
View File

@ -1,12 +1,19 @@
---
title: Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10)
description: Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
title: Create an Inbound ICMP Rule (Windows 10)
description: Create an Inbound ICMP Rule
ms.assetid: 267b940a-79d9-4322-b53b-81901e357344
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
# Create an Inbound ICMP Rule
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network.
@ -16,11 +23,11 @@ To complete these procedures, you must be a member of the Domain Administrators
This topic describes how to create a port rule that allows inbound ICMP network traffic. For other inbound port rule types, see:
- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
**To create an inbound ICMP rule**
To create an inbound ICMP rule
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
@ -52,20 +59,4 @@ This topic describes how to create a port rule that allows inbound ICMP network
12. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
**Note**  
If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network cards cable. A disconnected network card is automatically assigned to the Public network location type.
 
13. On the **Name** page, type a name and description for your rule, and then click **Finish**.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

75
windows/keep-secure/create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md
View File

@ -1,75 +0,0 @@
---
title: Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10)
description: Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f
author: brianlic-msft
---
# Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see:
- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
**To create an inbound port rule**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
**Note**  
Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
 
5. On the **Program** page, click **All programs**, and then click **Next**.
**Note**  
This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
 
6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number.
If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall.
To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.
When you have configured the protocols and ports, click **Next**.
7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
8. On the **Action** page, select **Allow the connection**, and then click **Next**.
9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
**Note**  
If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network cards cable. A disconnected network card is automatically assigned to the Public network location type.
 
10. On the **Name** page, type a name and description for your rule, and then click **Finish**.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

62
windows/keep-secure/create-an-inbound-port-rule.md Normal file
View File

@ -0,0 +1,62 @@
---
title: Create an Inbound Port Rule (Windows 10)
description: Create an Inbound Port Rule
ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Create an Inbound Port Rule
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
This topic describes how to create a standard port rule for a specified protocol or TCP or UDP port number. For other inbound port rule types, see:
- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
**To create an inbound port rule**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
>**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **All programs**, and then click **Next**.
>**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number.
If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall.
To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.
When you have configured the protocols and ports, click **Next**.
7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
8. On the **Action** page, select **Allow the connection**, and then click **Next**.
9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
>**Note:**  If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network cards cable. A disconnected network card is automatically assigned to the Public network location type.
10. On the **Name** page, type a name and description for your rule, and then click **Finish**.

47
windows/keep-secure/create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md → windows/keep-secure/create-an-inbound-program-or-service-rule.md
View File

@ -1,25 +1,29 @@
---
title: Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10)
description: Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
title: Create an Inbound Program or Service Rule (Windows 10)
description: Create an Inbound Program or Service Rule
ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
# Create an Inbound Program or Service Rule
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.
**Note**  
This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md) procedure in addition to the steps in this procedure.
 
>**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To create an inbound firewall rule for a program or service**
To create an inbound firewall rule for a program or service
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
@ -29,10 +33,7 @@ To complete these procedures, you must be a member of the Domain Administrators
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
**Note**  
Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
 
>**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **This program path**.
@ -57,11 +58,9 @@ To complete these procedures, you must be a member of the Domain Administrators
**sc** **sidtype** *&lt;Type&gt; &lt;ServiceName&gt;*
In the preceding command, the value of *&lt;Type&gt;* can be **UNRESTRICTED** or **RESTRICTED**. Although the command also permits the value of **NONE**, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as **UNRESTRICTED**. If you change the SID type to **RESTRICTED**, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to **UNRESTRICTED**. For more information, see [Vista Services](http://go.microsoft.com/fwlink/?linkid=141454) (http://go.microsoft.com/fwlink/?linkid=141454) and the “Service Security Improvements” section of [Inside the Windows Vista Kernel](http://go.microsoft.com/fwlink/?linkid=141455) (http://go.microsoft.com/fwlink/?linkid=141455).
In the preceding command, the value of *&lt;Type&gt;* can be **UNRESTRICTED** or **RESTRICTED**. Although the command also permits the value of **NONE**, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as **UNRESTRICTED**. If you change the SID type to **RESTRICTED**, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to **UNRESTRICTED**.
 
8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). After you have configured the protocol and port options, click **Next**.
8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](create-an-inbound-port-rule.md). After you have configured the protocol and port options, click **Next**.
9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
@ -69,20 +68,4 @@ To complete these procedures, you must be a member of the Domain Administrators
11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
**Note**  
If this GPO is targeted at server computers running Windows Server 2008 that never move, consider applying the rule to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network cards cable. A disconnected network card is automatically assigned to the Public network location type.
 
12. On the **Name** page, type a name and description for your rule, and then click **Finish**.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

38
windows/keep-secure/create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md → windows/keep-secure/create-an-outbound-port-rule.md
View File

@ -1,20 +1,27 @@
---
title: Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 (Windows 10)
description: Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2
title: Create an Outbound Port Rule (Windows 10)
description: Create an Outbound Port Rule
ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2
# Create an Outbound Port Rule
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers.
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To create an outbound port rule**
To create an outbound port rule
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
@ -24,10 +31,7 @@ To complete these procedures, you must be a member of the Domain Administrators
4. On the **Rule Type** page of the New Outbound Rule wizard, click **Custom**, and then click **Next**.
**Note**  
Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
 
>**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **All programs**, and then click **Next**.
@ -45,20 +49,4 @@ To complete these procedures, you must be a member of the Domain Administrators
9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
**Note**  
If this GPO is targeted at server computers running Windows Server 2008 that never move, consider applying the rules to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network cards cable. A disconnected network card is automatically assigned to the Public network location type.
 
10. On the **Name** page, type a name and description for your rule, and then click **Finish**.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

40
windows/keep-secure/create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md → windows/keep-secure/create-an-outbound-program-or-service-rule.md
View File

@ -1,20 +1,27 @@
---
title: Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2 (Windows 10)
description: Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2
title: Create an Outbound Program or Service Rule (Windows 10)
description: Create an Outbound Program or Service Rule
ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2
# Create an Outbound Program or Service Rule
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port.
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To create an outbound firewall rule for a program or service**
To create an outbound firewall rule for a program or service
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
@ -24,10 +31,7 @@ To complete these procedures, you must be a member of the Domain Administrators
4. On the **Rule Type** page of the New Outbound Rule Wizard, click **Custom**, and then click **Next**.
**Note**  
Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
 
>**Note:**  Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **This program path**.
@ -41,7 +45,7 @@ To complete these procedures, you must be a member of the Domain Administrators
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then click **Apply to service with this service short name**, and type the short name for the service in the text box. Click **OK**, and then click **Next**.
8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md). When you have configured the protocol and port options, click **Next**.
8. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](create-an-outbound-port-rule.md). When you have configured the protocol and port options, click **Next**.
9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
@ -49,20 +53,4 @@ To complete these procedures, you must be a member of the Domain Administrators
11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
**Note**  
If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network cards cable. A disconnected network card is automatically assigned to the Public network location type.
 
12. On the **Name** page, type a name and description for your rule, and then click **Finish**.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

55
windows/keep-secure/create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md → windows/keep-secure/create-inbound-rules-to-support-rpc.md
View File

@ -1,14 +1,21 @@
---
title: Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10)
description: Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
title: Create Inbound Rules to Support RPC (Windows 10)
description: Create Inbound Rules to Support RPC
ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
# Create Inbound Rules to Support RPC
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your computer by allowing network traffic only from computers that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
**Administrative credentials**
@ -16,20 +23,17 @@ To complete these procedures, you must be a member of the Domain Administrators
This topic describes how to create rules that allow inbound RPC network traffic. For other inbound port rule types, see:
- [Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
- [Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
In this topic:
- [To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service](#bkmk-proc1)
- [To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service](#to-create-a-rule-to-allow-inbound-network-traffic-to-the-rpc-endpoint-mapper-service)
- [To create a rule to allow inbound network traffic to RPC-enabled network services](#bkmk-proc2)
- [To create a rule to allow inbound network traffic to RPC-enabled network services](#to-create-a-rule-to-allow-inbound-network-traffic-to-rpc-enabled-network-services)
## <a href="" id="bkmk-proc1"></a>
**To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service**
## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
@ -55,19 +59,12 @@ In this topic:
12. On the **Action** page, select **Allow the connection**, and then click **Next**.
13. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
**Note**  
If this GPO is targeted at server computers running Windows Server 2008 that never move, consider applying the rules to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network cards cable. A disconnected network card is automatically assigned to the Public network location type.
 
13. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.  
14. On the **Name** page, type a name and description for your rule, and then click **Finish**.
## <a href="" id="bkmk-proc2"></a>
**To create a rule to allow inbound network traffic to RPC-enabled network services**
## To create a rule to allow inbound network traffic to RPC-enabled network services
1. On the same GPO you edited in the preceding procedure, click **Action**, and then click **New rule**.
@ -89,20 +86,4 @@ In this topic:
10. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
**Note**  
If this GPO is targeted at server computers running Windows Server 2008 that never move, consider applying the rules to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network cards cable. A disconnected network card is automatically assigned to the Public network location type.
 
11. On the **Name** page, type a name and description for your rule, and then click **Finish**.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

51
windows/keep-secure/create-wmi-filters-for-the-gpo.md
View File

@ -2,17 +2,24 @@
title: Create WMI Filters for the GPO (Windows 10)
description: Create WMI Filters for the GPO
ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Create WMI Filters for the GPO
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
To make sure that each GPO associated with a group can only be applied to computers running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each computer.
To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device.
- [To create a WMI filter that queries for a specified version of Windows](#bkmk-1)
- [To create a WMI filter that queries for a specified version of Windows](#to-create-a-wmi-filter-that-queries-for-a-specified-version-of-windows)
- [To link a WMI filter to a GPO](#bkmk-2)
- [To link a WMI filter to a GPO](#to-link-a-wmi-filter-to-a-gpo)
**Administrative credentials**
@ -20,12 +27,9 @@ To complete these procedures, you must be a member of the Domain Administrators
First, create the WMI filter and configure it to look for a specified version (or versions) of the Windows operating system.
## <a href="" id="bkmk-1"></a>
## To create a WMI filter that queries for a specified version of Windows
**To create a WMI filter that queries for a specified version of Windows**
1. On a computer that has the Group Policy Management feature installed, click **Start**, click **Administrative Tools**, and then click **Group Policy Management**.
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **WMI Filters**.
@ -33,10 +37,7 @@ First, create the WMI filter and configure it to look for a specified version (o
4. In the **Name** text box, type the name of the WMI filter.
**Note**  
Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention.
 
>**Note:**  Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention.
5. In the **Description** text box, type a description for the WMI filter. For example, if the filter excludes domain controllers, you might consider stating that in the description.
@ -50,27 +51,27 @@ First, create the WMI filter and configure it to look for a specified version (o
select * from Win32_OperatingSystem where Version like "6.%"
```
This query will return **true** for computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. To set a filter for just Windows 8 and Windows Server 2012, use `"6.2%"`. To specify multiple versions, combine them with `or`, as shown in the following:
This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". To specify multiple versions, combine them with or, as shown in the following:
``` syntax
... where Version like "6.1%" or Version like "6.2%"
```
To restrict the query to only clients or only servers, add a clause that includes the `ProductType` parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only `ProductType="1"`. For server operating systems that are not domain controllers, use `ProductType="3"`. For domain controllers only, use `ProductType="2"`. This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network.
To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network.
The following clause returns **true** for all computers that are not domain controllers:
The following clause returns **true** for all devices that are not domain controllers:
``` syntax
... where ProductType="1" or ProductType="3"
```
The following complete query returns **true** for all computers running Windows 8, and returns **false** for any server operating system or any other client operating system.
The following complete query returns **true** for all devices running Windows 8, and returns **false** for any server operating system or any other client operating system.
``` syntax
select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="1"
```
The following query returns **true** for any computer running Windows Server 2012, except domain controllers:
The following query returns **true** for any device running Windows Server 2012, except domain controllers:
``` syntax
select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="3"
@ -80,26 +81,14 @@ First, create the WMI filter and configure it to look for a specified version (o
10. Click **Save** to save your completed filter.
## <a href="" id="bkmk-2"></a>
## To link a WMI filter to a GPO
After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs.
**To link a WMI filter to a GPO**
1. On a computer that has the Group Policy Management feature installed, click **Start**, click **Administrative Tools**, and then click **Group Policy Management**.
1. Open theGroup Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
3. Under **WMI Filtering**, select the correct WMI filter from the list.
4. Click **Yes** to accept the filter.
 
 

47
windows/keep-secure/enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md
View File

@ -1,47 +0,0 @@
---
title: Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10)
description: Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7
author: brianlic-msft
---
# Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To deploy predefined firewall rules that allow inbound network traffic for common network functions**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**.
5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they are all selected. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**.
6. On the **Action** page, select **Allow the connection**, and then click **Finish**.
The selected rules are added to the GPO and applied to the computers to which the GPO is assigned the next time Group Policy is refreshed.
**Note**  
If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network cards cable. A disconnected network card is automatically assigned to the Public network location type.
 
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

36
windows/keep-secure/enable-predefined-inbound-rules.md Normal file
View File

@ -0,0 +1,36 @@
---
title: Enable Predefined Inbound Rules (Windows 10)
description: Enable Predefined Inbound Rules
ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Enable Predefined Inbound Rules
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To deploy predefined firewall rules that allow inbound network traffic for common network functions
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**.
5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they are all selected. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**.
6. On the **Action** page, select **Allow the connection**, and then click **Finish**.

31
windows/keep-secure/enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md → windows/keep-secure/enable-predefined-outbound-rules.md
View File

@ -1,12 +1,19 @@
---
title: Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 (Windows 10)
description: Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
title: Enable Predefined Outbound Rules (Windows 10)
description: Enable Predefined Outbound Rules
ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
# Enable Predefined Outbound Rules
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
@ -14,7 +21,7 @@ By default, Windows Firewall with Advanced Security allows all outbound network
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To deploy predefined firewall rules that block outbound network traffic for common network functions**
To deploy predefined firewall rules that block outbound network traffic for common network functions
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
@ -29,19 +36,3 @@ To complete these procedures, you must be a member of the Domain Administrators
6. On the **Action** page, select **Block the connection**, and then click **Finish**.
The selected rules are added to the GPO.
**Note**  
If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network cards cable. A disconnected network card is automatically assigned to the Public network location type.
 
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

39
windows/keep-secure/exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md
View File

@ -1,39 +0,0 @@
---
title: Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 (Windows 10)
description: Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548
author: brianlic-msft
---
# Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol.
**Important**  
Because of its usefulness in troubleshooting network connectivity problems, we recommend that you exempt all ICMP network traffic from authentication requirements unless your network risk analysis indicates a need to protect this traffic.
 
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To exempt ICMP network traffic from authentication**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

30
windows/keep-secure/exempt-icmp-from-authentication.md Normal file
View File

@ -0,0 +1,30 @@
---
title: Exempt ICMP from Authentication (Windows 10)
description: Exempt ICMP from Authentication
ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Exempt ICMP from Authentication
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol.
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To exempt ICMP network traffic from authentication
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**.

77
windows/keep-secure/install-active-directory-certificate-services.md
View File

@ -1,77 +0,0 @@
---
title: Install Active Directory Certificate Services (Windows 10)
description: Install Active Directory Certificate Services
ms.assetid: 6f2ed8ac-b8a6-4819-9c21-be91dedfd619
author: brianlic-msft
---
# Install Active Directory Certificate Services
To use certificates in a server isolation or domain isolation design, you must first set up the infrastructure to deploy the certificates. This is called a public key infrastructure (PKI). The services required for a PKI are available in Windows Server 2012 in the form of the Active Directory Certificate Services (AD CS) role.
**Caution**  
Creation of a full PKI for an enterprise environment with all of the appropriate security considerations included in the design is beyond the scope of this guide. The following procedure shows you only the basics of installing an issuing certificate server; it is appropriate for a test lab environment only. For more information about deploying AD CS in a production environment, see [Active Directory Certificate Services Overview](http://technet.microsoft.com/library/hh831740.aspx).
 
To perform this procedure, the computer on which you are installing AD CS must be joined to an Active Directory domain.
**Administrative credentials**
To complete this procedure, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group.
**To install AD CS**
1. Log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group.
2. Click **Server Manager** in the taskbar. The Server Manager console opens. Click **Add roles and features**.
3. On the **Before you begin** page, click **Next**.
4. On the **Select installation type** page, ensure **Role-based or feature-based installation** is selected and click **Next**.
5. On the **Select destination server** page, ensure your server is selected and click **Next**.
6. On the **Select Server Roles** page, select **Active Directory Certificate Services**, and then click **Add Features** and then click **Next**.
7. On the **Select features** page, click **Next**.
8. On the **Active Directory Certificate Services** page, click **Next**.
9. On the **Select role services** page, ensure **Certification Authority** is selected and click **Next**.
10. On the **Confirm installation selections** page, click **Install**.
After installation completes, click close.
11. On the Server Manager Dashboard, click the Notifications flag icon and then click **Configure Active Directory Certificate Services on the destination server**.
12. On the **Credentials** page, ensure the default user account is a member of both the local Administrators group and the Enterprise Admins group and then click **Next**.
13. On the **Role Services** page, click **Certification Authority**, and click **Next**.
14. On the **Setup Type** page, ensure **Enterprise CA** is selected, and click **Next**.
15. On the **CA Type** page, ensure **Root CA** is selected, and then click **Next**.
16. On the **Private Key** page, ensure **Create a new private key** is selected, and then click **Next**.
17. On the **Cryptography for CA** page, keep the default settings for CSP (**RSA\#Microsoft Software Key Storage Provider**) and hash algorithm (**sha1**), and determine the best key character length for your deployment. Large key character lengths provide optimal security, but they can affect server performance. It is recommended that you keep the default setting of 2048 or, if appropriate for your deployment, reduce key character length to 1024. Click **Next**.
18. On the **CA Name** page, keep the suggested common name for the CA or change the name according to your requirements, and then click **Next**.
19. On the **Validity Period** page, in **Specify the validity period**, type the number and select a time value (Years, Months, Weeks, or Days). The default setting of five years is recommended. Click **Next**.
20. On the **CA Database** page, in **Certificate database location** and **Certificate database log location**, specify the folder location for these items. If you specify locations other than the default locations, make sure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files.
21. Click **Next**, click **Configure**, and then click **Close**.
 
 

26
windows/keep-secure/link-the-gpo-to-the-domain.md
View File

@ -2,23 +2,30 @@
title: Link the GPO to the Domain (Windows 10)
description: Link the GPO to the Domain
ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Link the GPO to the Domain
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target computers.
After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices.
If the filters comprehensively control the application of the GPO to only the correct computers, then you can link the GPO to the domain container. Alternatively, you can link the GPO to a site container or organizational unit if you want to limit application of the GPO to that subset of computers.
If the filters comprehensively control the application of the GPO to only the correct devices, then you can link the GPO to the domain container. Alternatively, you can link the GPO to a site container or organizational unit if you want to limit application of the GPO to that subset of devices.
**Administrative credentials**
To complete this procedure, you must be a member of the Domain Admins group, or otherwise be delegated permissions to modify the GPOs.
**To link the GPO to the domain container in Active Directory**
To link the GPO to the domain container in Active Directory
1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile.
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, and then expand *YourDomainName*.
@ -28,13 +35,4 @@ To complete this procedure, you must be a member of the Domain Admins group, or
5. The GPO appears in the **Linked Group Policy Objects** tab in the details pane and as a linked item under the domain container in the navigation pane.
6. You can adjust the order of the linked GPOs to ensure that the higher priority GPOs are processed last. Select a GPO and click the up or down arrows to move it. The GPOs are processed by the client computer from the highest link order number to the lowest.
 
 
6. You can adjust the order of the linked GPOs to ensure that the higher priority GPOs are processed last. Select a GPO and click the up or down arrows to move it. The GPOs are processed by the client device from the highest link order number to the lowest.

51
windows/keep-secure/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
View File

@ -2,13 +2,20 @@
title: Modify GPO Filters to Apply to a Different Zone or Version of Windows (Windows 10)
description: Modify GPO Filters to Apply to a Different Zone or Version of Windows
ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Modify GPO Filters to Apply to a Different Zone or Version of Windows
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#bkmk-topreventmembersofgroupfromapplyingagpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain.
You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain.
**Administrative credentials**
@ -16,20 +23,15 @@ To complete these procedures, you must be a member of the Domain Administrators
In this topic:
- [Change the security group filter for a GPO](#bkmk-toallowmembersofagrouptoapplyagpo)
- [Change the security group filter for a GPO](#to-change-the-security-group-filter-for-a-gpo)
- [Block members of a group from applying a GPO](#bkmk-topreventmembersofgroupfromapplyingagpo)
- [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo)
- [Remove a block for members of a group from applying a GPO](#bkmk-toremoveablockformembersofgroupfromapplyingagpo)
- [Remove a block for members of a group from applying a GPO](#to-remove-a-block-for-members-of-group-from-applying-a-gpo)
## <a href="" id="bkmk-toallowmembersofagrouptoapplyagpo"></a>
## To change the security group filter for a GPO
Use the following procedure to change a group to the security filter on the GPO that allows group members to apply the GPO. You must remove the reference to the original group, and add the group appropriate for this GPO.
**To change the security group filter for a GPO**
1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile.
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
@ -39,14 +41,9 @@ Use the following procedure to change a group to the security filter on the GPO
5. In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
## <a href="" id="bkmk-topreventmembersofgroupfromapplyingagpo"></a>
## To block members of a group from applying a GPO
Use the following procedure if you need to add a group to the security filter on the GPO that blocks group members from applying the GPO. This can be used on the GPOs for the main isolated domain to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain.
**To block members of group from applying a GPO**
1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile.
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
@ -64,12 +61,9 @@ Use the following procedure if you need to add a group to the security filter on
9. The group appears in the list with custom permissions.
## <a href="" id="bkmk-toremoveablockformembersofgroupfromapplyingagpo"></a>
## To remove a block for members of group from applying a GPO
**To remove a block for members of group from applying a GPO**
1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile.
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
@ -78,14 +72,3 @@ Use the following procedure if you need to add a group to the security filter on
4. In the **Groups and users** list, select the group that should no longer be blocked, and then click **Remove**.
5. In the message box, click **OK**.
If you arrived at this page by clicking a link in a checklist, use your browsers **Back** button to return to the checklist.
 
 

18
windows/keep-secure/open-the-group-policy-management-console-to-ip-security-policies.md
View File

@ -2,27 +2,25 @@
title: Open the Group Policy Management Console to IP Security Policies (Windows 10)
description: Open the Group Policy Management Console to IP Security Policies
ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Open the Group Policy Management Console to IP Security Policies
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC).
**To open a GPO to the IP Security Policies section**
1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile.
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, and then click **IP Security Policies on Active Directory (***YourDomainName***)**.
 
 

22
windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
View File

@ -2,27 +2,25 @@
title: Open the Group Policy Management Console to Windows Firewall with Advanced Security (Windows 10)
description: Open the Group Policy Management Console to Windows Firewall with Advanced Security
ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Open the Group Policy Management Console to Windows Firewall with Advanced Security
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security.
**To open a GPO to Windows Firewall with Advanced Security**
To open a GPO to Windows Firewall with Advanced Security
1. On a computer that has the Group Policy Management feature installed, click the **Start** charm, and then click the **Group Policy Management** tile.
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and then expand **Windows Firewall with Advanced Security - LDAP://cn={***GUID***},cn=…**.
 
 
3. In the navigation pane of the Group Policy Management Editor, navigate to **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - LDAP://cn={***GUID***},cn=…**.

22
windows/keep-secure/open-the-group-policy-management-console-to-windows-firewall.md
View File

@ -2,27 +2,25 @@
title: Open the Group Policy Management Console to Windows Firewall (Windows 10)
description: Open the Group Policy Management Console to Windows Firewall
ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Open the Group Policy Management Console to Windows Firewall
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
**To open a GPO to Windows Firewall**
To open a GPO to Windows Firewall
1. Open **Active Directory Users and Computers**.
1. Open the Active Directory Users and Computers console.
2. In the navigation pane, expand *YourDomainName*, right-click the container that your GPO is linked to, and then click **Properties**.
3. Click the **Group Policy** tab, select your GPO, and then click **Edit**.
4. In the navigation pane of the Group Policy Object Editor, expand **Computer Configuration**, expand **Administrative Templates**, expand **Network**, expand **Network Connections**, and then expand **Windows Firewall**.
 
 
4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Firewall**.

35
windows/keep-secure/open-windows-firewall-with-advanced-security.md
View File

@ -2,13 +2,20 @@
title: Open Windows Firewall with Advanced Security (Windows 10)
description: Open Windows Firewall with Advanced Security
ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Open Windows Firewall with Advanced Security
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
This procedure shows you how to open the Windows Firewall with Advanced Security MMC snap-in.
This procedure shows you how to open the Windows Firewall with Advanced Security console.
**Administrative credentials**
@ -16,22 +23,15 @@ To complete this procedure, you must be a member of the Administrators group. Fo
## Opening Windows Firewall with Advanced Security
- [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui)
- [Using the Windows interface](#bkmk-proc1)
- [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt)
- [Using a command line](#bkmk-proc2)
## To open Windows Firewall with Advanced Security using the UI
## <a href="" id="bkmk-proc1"></a>
Click Start, type **Windows Firewall with Advanced Security**, and the press ENTER.
**To open Windows Firewall with Advanced Security by using the Windows interface**
- Click the **Start** charm, right-click the Start page, click **All Apps**, and then click the **Windows Firewall with Advanced Security** tile.
## <a href="" id="bkmk-proc2"></a>
**To open Windows Firewall with Advanced Security from a command prompt**
## To open Windows Firewall with Advanced Security from a command prompt
1. Open a command prompt window.
@ -44,12 +44,3 @@ To complete this procedure, you must be a member of the Administrators group. Fo
**Additional considerations**
Although standard users can start the Windows Firewall with Advanced Security MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators.
 
 

94
windows/keep-secure/procedures-used-in-this-guide.md
View File

@ -2,97 +2,95 @@
title: Procedures Used in This Guide (Windows 10)
description: Procedures Used in This Guide
ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Procedures Used in This Guide
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order.
[Add Production Computers to the Membership Group for a Zone](add-production-computers-to-the-membership-group-for-a-zone.md)
- [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
[Add Test Computers to the Membership Group for a Zone](add-test-computers-to-the-membership-group-for-a-zone.md)
- [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
- [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
[Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
- [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
[Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-authentication-methods-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
- [Configure Authentication Methods](configure-authentication-methods.md)
[Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-data-protection--quick-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
- [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings)
[Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
- [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
[Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-key-exchange--main-mode--settings-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
- [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings)
[Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](configure-the-rules-to-require-encryption-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
- [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption)
[Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
- [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
[Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md)
- [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-templatewfas-dep.md)
[Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
- [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
[Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
- [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
- [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
[Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
- [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
[Create a Group Policy Object](create-a-group-policy-object.md)
- [Create a Group Policy Object](create-a-group-policy-object.md)
[Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-exemption-list-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
- [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
[Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](create-an-authentication-request-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
- [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
[Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-icmp-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
[Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
[Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-an-inbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
[Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-port-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
[Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2](create-an-outbound-program-or-service-rule-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
[Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc-on-windows-8-windows-7--windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
[Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
- [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
[Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-inbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
[Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2](enable-predefined-outbound-rules-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-or-windows-server-2008-r2.md)
- [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
[Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2](exempt-icmp-from-authentication-on-windows-8-windows-7-windows-vista-windows-server-2012-windows-server-2008-and-windows-server-2008-r2.md)
- [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
[Install Active Directory Certificate Services](install-active-directory-certificate-services.md)
- [Install Active Directory Certificate Services](install-active-directory-certificate-services.md)
[Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
- [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
- [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
[Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
- [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
[Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md)
- [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md)
[Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
[Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
[Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
[Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md)
[Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
[Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
 
 
- [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
- [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
- [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
- [Start a Command Prompt as an Administrator](start-a-command-prompt-as-an-administrator.md)
- [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
- [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)

36
windows/keep-secure/restrict-server-access-to-members-of-a-group-only.md
View File

@ -2,30 +2,30 @@
title: Restrict Server Access to Members of a Group Only (Windows 10)
description: Restrict Server Access to Members of a Group Only
ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Restrict Server Access to Members of a Group Only
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
After you have configured the IPsec connection security rules that force client computers to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those computers or users who have been identified through the authentication process as members of the isolated servers access group.
The way in which you restrict access to the isolated server depends on which version of the Windows operating system the server is running.
- If the server is running Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012, then you create a firewall rule that specifies the user and computer accounts that are allowed. The authentication method used in the connection must support the account type specified. Remember that only Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 support user-based authentication.
After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated servers access group.
In this topic:
- [Create a firewall rule to access isolated servers running Windows Server 2008 or later](#bkmk-section1)
- [Create a firewall rule to access isolated servers running Windows Server 2008 or later](#to-create-a-firewall-rule-that-grants-access-to-an-isolated-server)
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
## <a href="" id="bkmk-section1"></a>
**To create a firewall rule that grants access to an isolated server running Windows Server 2008 or later**
## To create a firewall rule that grants access to an isolated server
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone.
@ -41,18 +41,4 @@ To complete these procedures, you must be a member of the Domain Administrators
7. On the **Action** page, click **Allow the connection if it is secure**. If required by your design, you can also click **Customize** and select **Require the connections to be encrypted**. Click **Next**.
8. On the **Users and Computers** page, select the check box for the type of accounts (computer or user) you want to allow, click **Add**, and then enter the group account that contains the computer and user accounts permitted to access the server.
**Caution**  
Remember that if you specify a user group on the Users page, your authentication scheme must include a method that uses user-based credentials. User-based credentials are only supported on versions of Windows that support AuthIP, such as Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2. Earlier versions of Windows and other operating systems that support IKE v1 only do not support user-based authentication; computers running those versions or other operating systems will not be able to connect to the isolated server through this firewall rule.
 
 
 
8. On the **Users and Computers** page, select the check box for the type of accounts (computer or user) you want to allow, click **Add**, and then enter the group account that contains the device and user accounts permitted to access the server.

34
windows/keep-secure/start-a-command-prompt-as-an-administrator.md
View File

@ -1,34 +0,0 @@
---
title: Start a Command Prompt as an Administrator (Windows 10)
description: Start a Command Prompt as an Administrator
ms.assetid: 82615224-39df-458f-b165-48af77721527
author: brianlic-msft
---
# Start a Command Prompt as an Administrator
This topic describes how to open a command prompt with full administrator permissions. If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions. You must explicitly specify that you require the use of your administrative permissions by using one of the procedures in this topic.
**Administrative credentials**
To complete these procedures, you must be a member of the Administrators group.
**To start a command prompt as an administrator**
- Right-click the **Start** charm, and then click **Command Prompt (Admin)**.
**To start a command prompt as an administrator (alternative method)**
1. Click the **Start** charm.
2. Type **cmd**, right-click the **Command Prompt** tile, and then click **Run as administrator**.
 
 

19
windows/keep-secure/turn-on-windows-firewall-and-configure-default-behavior.md
View File

@ -2,22 +2,26 @@
title: Turn on Windows Firewall and Configure Default Behavior (Windows 10)
description: Turn on Windows Firewall and Configure Default Behavior
ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Turn on Windows Firewall and Configure Default Behavior
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node (for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2) in the Group Policy Management MMC snap-in.
To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node in the Group Policy Management console.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
## <a href="" id="bkmk-1"></a>
**To enable Windows Firewall and configure the default behavior on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
## To enable Windows Firewall and configure the default behavior
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
@ -25,10 +29,7 @@ To complete these procedures, you must be a member of the Domain Administrators
3. For each network location type (Domain, Private, Public), perform the following steps.
**Note**  
The steps shown here indicate the recommended values for a typical deployment. Use the settings that are appropriate for your firewall design.
 
>**Note:**  The steps shown here indicate the recommended values for a typical deployment. Use the settings that are appropriate for your firewall design.
1. Click the tab that corresponds to the network location type.

48
windows/keep-secure/verify-that-network-traffic-is-authenticated.md
View File

@ -2,24 +2,30 @@
title: Verify That Network Traffic Is Authenticated (Windows 10)
description: Verify That Network Traffic Is Authenticated
ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Verify That Network Traffic Is Authenticated
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the computers on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the computers have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot.
After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot.
In these procedures, you confirm that the rules you deployed are working correctly. Your next steps depend on which zone you are working on:
- **Main domain isolation zone.** Before you convert your main domain isolation IPsec rule from request mode to require mode, you must make sure that the network traffic is protected according to your design. By configuring your rules to request and not require authentication at the beginning of operations, computers on the network can continue to communicate even when the main mode authentication or quick mode integrity and encryption rules are not working correctly. For example, if your encryption zone contains rules that require a certain encryption algorithm, but that algorithm is not included in a security method combination on the clients, then those clients cannot successfully negotiate a quick mode security association, and the server refuses to accept network traffic from the client. By first using request mode only, you have the opportunity to deploy your rules and then examine the network traffic to see if they are working as expected without risking a loss of communications.
- **Main domain isolation zone.** Before you convert your main domain isolation IPsec rule from request mode to require mode, you must make sure that the network traffic is protected according to your design. By configuring your rules to request and not require authentication at the beginning of operations, devices on the network can continue to communicate even when the main mode authentication or quick mode integrity and encryption rules are not working correctly. For example, if your encryption zone contains rules that require a certain encryption algorithm, but that algorithm is not included in a security method combination on the clients, then those clients cannot successfully negotiate a quick mode security association, and the server refuses to accept network traffic from the client. By first using request mode only, you have the opportunity to deploy your rules and then examine the network traffic to see if they are working as expected without risking a loss of communications.
- **Boundary zone.** Confirming correct operation of IPsec is the last step if you are working on the boundary zone GPO. You do not convert the GPO to require mode at any time.
- **Encryption zone.** Similar to the main isolation zone, after you confirm that the network traffic to zone members is properly authenticated and encrypted, you must convert your zone rules from request mode to require mode.
**Note**  
In addition to the steps shown in this procedure, you can also use network traffic capture tools such as Microsoft Network Monitor, which can be downloaded from <http://go.microsoft.com/fwlink/?linkid=94770>. Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your computer. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them.
>**Note:**  In addition to the steps shown in this procedure, you can also use network traffic capture tools such as Microsoft Network Monitor, which can be downloaded from <http://go.microsoft.com/fwlink/?linkid=94770>. Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your device. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them.
 
@ -27,18 +33,13 @@ In addition to the steps shown in this procedure, you can also use network traff
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
## <a href="" id="bkmk-proceduresforcomputersthatarerunningwindowsvistaorwindowsserver2008"></a>For computers running Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
## To verify that network connections are authenticated by using the Windows Firewall with Advanced Security console
**To verify that network connections are authenticated by using the Windows Firewall with Advanced Security MMC snap-in**
1. Click the **Start** charm, type **wf.msc**, and then press ENTER.
Windows Firewall with Advanced Security opens.
1. Open the Windows Firewall with Advanced Security console.
2. In the navigation pane, expand **Monitoring**, and then click **Connection Security Rules**.
The details pane displays the rules currently in effect on the computer.
The details pane displays the rules currently in effect on the device.
3. **To display the Rule Source column**
@ -50,28 +51,15 @@ To complete these procedures, you must be a member of the Domain Administrators
It can take a few moments for the list to be refreshed with the newly added column.
4. Examine the list for the rules from GPOs that you expect to be applied to this computer.
**Note**  
If the rules do not appear in the list, then troubleshoot the GPO security group and the WMI filters that are applied to the GPO. Make sure that the local computer is a member of the appropriate groups and meets the requirements of the WMI filters.
 
4. Examine the list for the rules from GPOs that you expect to be applied to this device.
>**Note:**  If the rules do not appear in the list, then troubleshoot the GPO security group and the WMI filters that are applied to the GPO. Make sure that the local device is a member of the appropriate groups and meets the requirements of the WMI filters.
5. In the navigation pane, expand **Security Associations**, and then click **Main Mode**.
The current list of main mode associations that have been negotiated with other computers appears in the details column.
The current list of main mode associations that have been negotiated with other devices appears in the details column.
6. Examine the list of main mode security associations for sessions between the local computer and the remote computer. Make sure that the **1st Authentication Method** and **2nd Authentication Method** columns contain expected values. If your rules specify only a first authentication method, then the **2nd Authentication Method** column displays **No authentication**. If you double-click the row, then the **Properties** dialog box appears with additional details about the security association.
6. Examine the list of main mode security associations for sessions between the local device and the remote device. Make sure that the **1st Authentication Method** and **2nd Authentication Method** columns contain expected values. If your rules specify only a first authentication method, then the **2nd Authentication Method** column displays **No authentication**. If you double-click the row, then the **Properties** dialog box appears with additional details about the security association.
7. In the navigation pane, click **Quick mode**.
8. Examine the list of quick mode security associations for sessions between the local computer and the remote computer. Make sure that the **AH Integrity**, **ESP integrity**, and **ESP Confidentiality** columns contain expected values.
 
 
8. Examine the list of quick mode security associations for sessions between the local device and the remote device. Make sure that the **AH Integrity**, **ESP integrity**, and **ESP Confidentiality** columns contain expected values.