diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 075a516838..71e1376860 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -12,7 +12,8 @@
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
- "RestApi": "Content"
+ "RestApi": "Content",
+ "ZonePivotGroups": "Toc"
},
"build_entry_point": "docs",
"template_folder": "_themes"
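Review bot: nothing in this change explains why `ZonePivotGroups` is being added to `type_mapping`, or why it maps to `"Toc"` when the existing entries map to `"Content"`. This is repository-wide build configuration bundled with what is otherwise text cleanup; state the reason in the PR description or split it into its own change so it can be traced (and reverted) independently.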
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index 010894a61d..c93ec2fbed 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -50,7 +50,8 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC)
|------------------|---------------|----------------|----------|----------------|
| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Windows 10 Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Windows 10/11 UWP Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Windows 11 Win32 Store apps | Windows 11 | :heavy_check_mark: | | |
| Windows 10 Store for Business apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
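Review bot: the new `Windows 11 Win32 Store apps` row leaves the Peer to Peer and MCC cells empty, which a reader cannot distinguish from cells that were simply not filled in. Mark unsupported columns explicitly (whatever the rest of the Delivery Optimization docs use for "not supported"), or add a sentence under the table stating that Win32 Store apps on Windows 11 are downloaded over HTTP only. While this table is being edited, the header row is missing its closing `|`, and the link text `feature updates quality updates` needs a comma between the two update types.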
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index e65bab8900..187268cec0 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -47,15 +47,15 @@ Drivers are automatically enabled because they're beneficial to device systems.
### Set when devices receive feature and quality updates
-#### I want to receive pre-release versions of the next feature update
+#### I want to receive prerelease versions of the next feature update
1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
-1. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**.
+1. For any of test devices you want to install prerelease builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**.
-1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation.
+1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using prerelease builds for validation.
-1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
+1. Additionally, you can defer prerelease feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
#### I want to manage which released feature update my devices receive
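Review bot: the edited line still reads "For any of test devices you want to install prerelease builds", which is ungrammatical; since the line is being touched anyway, suggest "For any test devices on which you want to install prerelease builds, use ...". The same step list capitalises "preview Builds" in the BranchReadinessLevel item, which should be lowercase to match "preview builds" in the step before it.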
@@ -113,7 +113,7 @@ We recommended that you allow to update automatically--this is the default behav
For more granular control, you can set the maximum period of active hours the user can set with [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange). You could also set specific start and end times for active ours with [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) and [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart).
-It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours.
+It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours.
To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use Option 3, and then set the following policies as appropriate for your plan:
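Review bot: the unchanged context line directly above the edit contains the typo "specific start and end times for active ours", which should read "active hours". The paragraph is already inside this hunk, so it is worth fixing in the same change rather than leaving it for a later pass.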
@@ -181,7 +181,7 @@ We recommend that you use the default notifications as they aim to provide the b
> [!NOTE]
> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
-Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto-restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.
+Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.
#### I want to manage the update settings a user can access
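Review bot: the parenthetical "(15-60 minutes is the default)" in the edited line reads as if a range were the default value. The earlier parenthetical in the same sentence separates the range from the default ("from 2-24 hours; 4 hours is the default"), so this one should be restructured the same way and state the single default value. Separately, dropping the hyphen turns the compound adjective "auto-restart warning" into "auto restart warning", which reads less clearly; confirm the style guide actually calls for that before applying it across the docs.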
diff --git a/windows/security/application-security/application-control/user-account-control/how-it-works.md b/windows/security/application-security/application-control/user-account-control/how-it-works.md
index fa5d96ef91..27338890ca 100644
--- a/windows/security/application-security/application-control/user-account-control/how-it-works.md
+++ b/windows/security/application-security/application-control/user-account-control/how-it-works.md
@@ -16,7 +16,7 @@ With UAC, each application that requires the *administrator access token* must p
Windows protects processes by marking their integrity levels. Integrity levels are measurements of trust:
- A *high integrity application* is one that performs tasks that modify system data, such as a disk partitioning application
-- A *low integrity application* is one that performs tasks that could potentially compromise the operating system, like as a Web brows
+- A *low integrity application* is one that performs tasks that could potentially compromise the operating system, like as a Web browser
Applications with lower integrity levels can't modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provides valid administrator credentials.
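Review bot: completing "Web brows" to "Web browser" fixes the truncation but leaves "like as a Web browser", which is still ungrammatical; suggest "such as a web browser". The parallel bullet above uses "such as a disk partitioning application", so the two examples should be phrased the same way.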
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index 3648c69063..eaa7ed73d3 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -1,5 +1,5 @@
---
-title: Advanced security audit policy settings
+title: Advanced security audit policy settings
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
ms.author: vinpa
@@ -10,7 +10,7 @@ ms.pagetype: security
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -26,7 +26,7 @@ The security audit policy settings under **Security Settings\\Advanced Audit Pol
- A group administrator has modified settings or data on servers that contain finance information.
- An employee within a defined group has accessed an important file.
- The correct system access control list (SACL) - as a verifiable safeguard against undetected access - is applied to either of the following:
- - every file and folder
+ - every file and folder
- registry key on a computer
- file share.
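Review bot: the SACL bullet in this hunk says "is applied to either of the following" but then lists three items ("every file and folder", "registry key on a computer", "file share."); "either" should be "any". The three sub-items are also not parallel: the first starts with "every" and the other two do not, and only the last one ends with a period. Suggest "every file and folder", "every registry key on a computer", "every file share", with no trailing period.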
@@ -34,7 +34,7 @@ You can access these audit policy settings through the Local Security Policy sna
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for the following types of behaviors:
- That are of little or no concern to you
-- That create an excessive number of log entries.
+- That create an excessive number of log entries.
In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
@@ -63,7 +63,7 @@ The security audit policy settings in this category can be used to monitor chang
Detailed Tracking security policy settings and audit events can be used for the following purposes:
- To monitor the activities of individual applications and users on that computer
-- To understand how a computer is being used.
+- To understand how a computer is being used.
This category includes the following subcategories:
@@ -161,12 +161,12 @@ Global Object Access Auditing policy settings allow administrators to define com
Auditors can prove that every resource in the system is protected by an audit policy. They can do this task by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
Resource SACLs are also useful for diagnostic scenarios. For example, administrators quickly identify which object in a system is denying a user access by:
-- Setting the Global Object Access Auditing policy to log all the activities for a specific user
+- Setting the Global Object Access Auditing policy to log all the activities for a specific user
- Enabling the policy to track "Access denied" events for the file system or registry can help
> [!NOTE]
> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
-
+
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
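Review bot: the list this hunk re-indents is syntactically broken. The lead-in "administrators quickly identify which object in a system is denying a user access by:" is followed by two bullets, and the second one ends with a dangling "can help" that does not complete the sentence. Either drop "can help" so both bullets finish the "by:" sentence, or rewrite both bullets as full sentences. Also check that the re-indented first bullet and the untouched second bullet end up at the same indentation, since only one of them was changed.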
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
index b6bf8dec61..1aed416fd1 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md
@@ -1,8 +1,8 @@
---
-title: Advanced security audit policies
-description: Advanced security audit policy settings may appear to overlap with basic policies, but they are recorded and applied differently. Learn more about them here.
+title: Advanced security audit policies
+description: Advanced security audit policy settings might appear to overlap with basic policies, but they're recorded and applied differently. Learn more about them here.
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,21 +12,21 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/6/2021
ms.technology: itpro-security
---
# Advanced security audit policies
-Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently.
-When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
+Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently.
+When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you're editing the effective audit policy, so changes made to basic audit policy settings appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
## In this section
-| Topic | Description |
+| Article | Description |
| - | - |
-| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies |
-| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
+| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This article for IT professionals explains the options that security policy planners must consider, and the tasks that they must complete, to deploy an effective security audit policy in a network that includes advanced security audit policies |
+| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
-| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
+| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings in Windows and the audit events that they generate.
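Review bot: the rows of the updated table are inconsistent with each other: the first row ends with a closing `|` and no period, the other three end with a period and no closing `|`, and the FAQ row still says "This article for the IT professional" while the row above it was changed to "for IT professionals". Close every row with `|` and pick one phrasing. In the same file, `ms.date: 09/6/2021` uses a single-digit day while the other files in this change use `09/06/2021`.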
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index c613a28ed2..d8dcb28e30 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -1,8 +1,8 @@
---
-title: Apply a basic audit policy on a file or folder
+title: Apply a basic audit policy on a file or folder
description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log.
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
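Review bot: changing `ms.topic` from `conceptual` to `reference` does not fit this article, whose body (visible in the hunks that follow) is a numbered step-by-step procedure for applying an audit policy to a file or folder; `how-to` describes it better than `reference`. The other files reclassified as `reference` in this change are descriptions of individual policy settings, so this file is the outlier.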
@@ -40,18 +40,18 @@ To complete this procedure, you must be signed in as a member of the built-in Ad
- To audit failure events, select **Fail.**
- To audit all events, select **All.**
-
+
6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These objects include:
-
+
- **This folder only**
- **This folder, subfolders and files**
- **This folder and subfolders**
- **This folder and files**
- **Subfolders and files only**
- - **Subfolders only**
+ - **Subfolders only**
- **Files only**
-
+
7. By default, the selected **Basic Permissions** to audit are the following:
- **Read and execute**
- **List folder contents**
@@ -60,8 +60,8 @@ To complete this procedure, you must be signed in as a member of the built-in Ad
- **Full control**
- **Modify**
- **Write**
-
-> [!IMPORTANT]
+
+> [!IMPORTANT]
> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
## More considerations
diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
index fd97b2de5e..1b9208a8d5 100644
--- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
+++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
@@ -1,5 +1,5 @@
---
-title: Audit Token Right Adjusted
+title: Audit Token Right Adjusted
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token.
manager: aaroncz
author: vinaypamnani-msft
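Review bot: the `description` in this front matter still begins "This topic for the IT professional", while elsewhere in the same change "topic" is being replaced by "article" (the "In this section" table in advanced-security-auditing.md); update it here as well so the terminology change is consistent. The description is also long for a meta description and could be trimmed while it is being edited.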
@@ -8,13 +8,13 @@ ms.pagetype: security
ms.prod: windows-client
ms.technology: itpro-security
ms.date: 12/31/2017
-ms.topic: article
+ms.topic: reference
---
# Audit Token Right Adjusted
-Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
+Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
For more information, see [Security Monitoring: A Possible New Way to Detect Privilege Escalation](/archive/blogs/nathangau/security-monitoring-a-possible-new-way-to-detect-privilege-escalation).
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
index 7773933079..017fb5ec82 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
@@ -1,8 +1,8 @@
---
-title: Audit account logon events
+title: Audit account logon events
description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -45,9 +45,9 @@ You can configure this security setting by opening the appropriate policy under
| 681 | Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family. |
| 682 | A user has reconnected to a disconnected terminal server session. |
| 683 | A user disconnected a terminal server session without logging off. |
-
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
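Review bot: this hunk rewrites the blank lines at the end of the file but keeps them, so the file still ends with several empty lines after the "Related topics" bullet; reduce them to a single trailing newline. The same pattern appears at the end of basic-audit-directory-service-access.md and basic-audit-logon-events.md in this change. Also, the context row for event 681 keeps "This event is not generated" while the rest of this change contracts "are not" to "aren't" and "they are" to "they're"; apply the same style here for consistency.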
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md
index 9a6340c3a8..e3e8fa199c 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md
@@ -1,8 +1,8 @@
---
-title: Audit account management
+title: Audit account management
description: Determines whether to audit each event of account management on a device.
ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ Examples of account management events include:
- A user account is renamed, disabled, or enabled.
- A password is set or changed.
-If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To
+If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To
set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Default:**
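Review bot: the edited line ends mid-sentence with "To" and the sentence continues on the next line ("set this value to **No auditing**, ..."); join the two so the sentence sits on one line. In that continuation, "Define these policy settings" is not formatted as a UI label, whereas the parallel sentence in basic-audit-directory-service-access.md in this same change bolds it (**Define these policy settings**); make the two match.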
diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
index 6da1a9c54e..82647ef71b 100644
--- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
@@ -1,8 +1,8 @@
---
-title: Basic audit directory service access
+title: Basic audit directory service access
description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -26,7 +26,7 @@ By default, this value is set to no auditing in the Default Domain Controller Gr
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to **No auditing,** in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
> **Note:** You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.
-
+
**Default:**
- Success on domain controllers.
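Review bot: the note in this hunk uses the old inline form `> **Note:** ...`, while the other files in this change use the alert syntax (`> [!NOTE]` followed by the note text on its own line, as in waas-wufb-csp-mdm.md and advanced-security-audit-policy-settings.md); convert it so notes render consistently. In the paragraph above it, "**No auditing,**" places the comma inside the bold; it belongs outside.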
@@ -41,9 +41,9 @@ There is only one directory service access event, which is identical to the Obje
| Directory service access events | Description |
|---------------------------------|----------------------------------------|
| 566 | A generic object operation took place. |
-
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
index 523fee4769..4b5e68258f 100644
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@@ -1,8 +1,8 @@
---
-title: Audit logon events
+title: Audit logon events
description: Determines whether to audit each instance of a user logging on to or logging off from a device.
ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -41,11 +41,11 @@ You can configure this security setting by opening the appropriate policy under
| - | - |
| 4624 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
| 4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
-| 4634 | The logoff process was completed for a user. |
+| 4634 | The logoff process was completed for a user. |
| 4647 | A user initiated the logoff process. |
| 4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
| 4779 | A user disconnected a terminal server session without logging off. |
-
+
When event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also listed in the event log. The following table describes each logon type.
@@ -60,9 +60,9 @@ When event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also li
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.|
-
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
index c9e7094492..66a2833e20 100644
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md
@@ -1,8 +1,8 @@
---
-title: Audit object access
+title: Audit object access
description: The policy setting, Audit object access, determines whether to audit the event generated when a user accesses an object that has its own SACL specified.
ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
index bd7e9a9b7e..4db162688d 100644
--- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
@@ -1,8 +1,8 @@
---
-title: Audit policy change
+title: Audit policy change
description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -37,30 +37,30 @@ You can configure this security setting under Computer Configuration\\Windows Se
| Policy change events | Description |
| - | - |
-| 608 | A user right was assigned.|
+| 608 | A user right was assigned.|
| 609 | A user right was removed. |
-| 610 | A trust relationship with another domain was created.|
-| 611 | A trust relationship with another domain was removed.|
-| 612 | An audit policy was changed.|
-| 613 | An Internet Protocol security (IPSec) policy agent started.|
+| 610 | A trust relationship with another domain was created.|
+| 611 | A trust relationship with another domain was removed.|
+| 612 | An audit policy was changed.|
+| 613 | An Internet Protocol security (IPSec) policy agent started.|
| 614 | An IPSec policy agent was disabled. |
| 615 | An IPSec policy agent changed. |
-| 616 | An IPSec policy agent encountered a potentially serious failure.|
+| 616 | An IPSec policy agent encountered a potentially serious failure.|
| 617 | A Kerberos policy changed. |
-| 618 | Encrypted Data Recovery policy changed.|
-| 620 | A trust relationship with another domain was modified.|
+| 618 | Encrypted Data Recovery policy changed.|
+| 620 | A trust relationship with another domain was modified.|
| 621 | System access was granted to an account. |
-| 622 | System access was removed from an account.|
-| 623 | Per user auditing policy was set for a user.|
+| 622 | System access was removed from an account.|
+| 623 | Per user auditing policy was set for a user.|
| 625 | Per user audit policy was refreshed. |
| 768 | A collision was detected between a namespace element in one forest and a namespace element in another forest.
**Note** When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'.|
| 769 | Trusted forest information was added.
**Note:** This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".|
| 770 | Trusted forest information was deleted.
**Note:** This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".|
| 771 | Trusted forest information was modified.
**Note:** This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".|
-| 805 | The event log service read the security log configuration for a session.
-
+| 805 | The event log service read the security log configuration for a session.
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
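Review bot: the notes under events 770 and 771 in this table reuse the 769 wording "one or more entries are added" although those rows describe trusted forest information being deleted and modified; since the hunk already rewrites these rows for trailing whitespace, adjust the two notes to "one or more entries are deleted" and "one or more entries are modified" respectively. The rewritten 805 row (`+| 805 | The event log service read the security log configuration for a session.`) also still lacks the closing `|` that every other row in the table has.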
diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
index 1382bf0fcb..11a05ab720 100644
--- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
+++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
@@ -1,8 +1,8 @@
---
-title: Audit privilege use
+title: Audit privilege use
description: Determines whether to audit each instance of a user exercising a user right.
ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -46,10 +46,10 @@ You can configure this security setting under Computer Configuration\\Windows Se
| - | - |
| 576 | Specified privileges were added to a user's access token.
**Note:** This event is generated when the user logs on.|
| 577 | A user attempted to perform a privileged system service operation. |
-| 578 | Privileges were used on an already open handle to a protected object. |
-
+| 578 | Privileges were used on an already open handle to a protected object. |
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
index b7eb7ea1fd..796e7f323f 100644
--- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
+++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
@@ -1,8 +1,8 @@
---
-title: Audit process tracking
+title: Audit process tracking
description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -34,20 +34,20 @@ You can configure this security setting under Computer Configuration\\Windows Se
| Process tracking events | Description |
| - | - |
-| 592 | A new process was created.|
+| 592 | A new process was created.|
| 593 | A process exited. |
-| 594 | A handle to an object was duplicated.|
-| 595 | Indirect access to an object was obtained.|
+| 594 | A handle to an object was duplicated.|
+| 595 | Indirect access to an object was obtained.|
| 596 | A data protection master key was backed up.
**Note:** The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller.|
-| 597 | A data protection master key was recovered from a recovery server.|
+| 597 | A data protection master key was recovered from a recovery server.|
| 598 | Auditable data was protected. |
-| 599 | Auditable data was unprotected.|
-| 600 | A process was assigned a primary token.|
+| 599 | Auditable data was unprotected.|
+| 600 | A process was assigned a primary token.|
| 601 | A user attempted to install a service. |
| 602 | A scheduler job was created. |
-
+
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md
index 0af90ae965..c3a231e65c 100644
--- a/windows/security/threat-protection/auditing/basic-audit-system-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md
@@ -1,8 +1,8 @@
---
-title: Audit system events
+title: Audit system events
description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -37,14 +37,14 @@ You can configure this security setting by opening the appropriate policy under
| Logon events | Description |
| - | - |
-| 512 | Windows is starting up. |
+| 512 | Windows is starting up. |
| 513 | Windows is shutting down. |
-| 514 | An authentication package was loaded by the Local Security Authority.|
-| 515 | A trusted logon process has registered with the Local Security Authority.|
-| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.|
+| 514 | An authentication package was loaded by the Local Security Authority.|
+| 515 | A trusted logon process has registered with the Local Security Authority.|
+| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.|
| 517 | The audit log was cleared. |
-| 518 | A notification package was loaded by the Security Accounts Manager.|
-| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.|
+| 518 | A notification package was loaded by the Security Accounts Manager.|
+| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.|
| 520 | The system time was changed.
**Note:** This audit normally appears twice.|
## Related topics
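Review bot: the table header in this hunk reads "Logon events" although the article is Audit system events and the rows (512 to 520) cover startup, shutdown, LSA and SAM package loads, audit log clearing and time changes; "System events" would match the sibling tables ("Policy change events", "Process tracking events"). Also, `## Related topics` follows the last table row with no blank line between them, which Markdown renderers may fold into the table; the other files in this change keep a blank line there.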
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
index 95d4e51fe0..93ea3850e5 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
@@ -1,8 +1,8 @@
---
-title: Basic security audit policies
+title: Basic security audit policies
description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization.
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -34,15 +34,15 @@ The event categories that you can choose to audit are:
- Audit process tracking
- Audit system events
-If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category (for auditing objects on a domain controller), or the audit object access category (for auditing objects on a member server or workstation). Once you have enabled the object access category, you can specify the types of access you want to audit for each group or user.
+If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category, for auditing objects on a domain controller, or the audit object access category, for auditing objects on a member server or workstation. After you enable the object access category, you can specify the types of access you want to audit for each group or user.
## In this section
-| Topic | Description |
+| Article | Description |
| - | - |
| [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md) | By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. |
-| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. |
-| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.|
+| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful or failed access attempts in the security log. |
+| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.|
| [Basic security audit policy settings](basic-security-audit-policy-settings.md) | Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.|
-
-
+
+
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
index 9c9d050b55..70b4c9c798 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Basic security audit policy settings
+title: Basic security audit policy settings
description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/06/2021
ms.technology: itpro-security
---
@@ -26,18 +26,18 @@ Basic security audit policy settings are found under Computer Configuration\\Win
| Topic | Description |
| - | - |
-| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.|
-| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.|
-| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.|
+| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.|
+| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.|
+| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.|
| [Audit logon events](basic-audit-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from a device. |
-| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.|
+| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.|
| [Audit policy change](basic-audit-policy-change.md) | Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. |
| [Audit privilege use](basic-audit-privilege-use.md) | Determines whether to audit each instance of a user exercising a user right. |
-| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.|
+| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.|
| [Audit system events](basic-audit-system-events.md) | Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. |
-
+
## Related topics
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
-
-
+
+
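Review bot: this hunk keeps `| Topic | Description |` while basic-security-audit-policies.md in the same change renames that header to `| Article | Description |`; apply the same rename here so the two "In this section" tables use the same wording.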
diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
index 9a49d95bbe..90f66f7720 100644
--- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
+++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
@@ -1,8 +1,8 @@
---
-title: Create a basic audit policy for an event category
+title: Create a basic audit policy for an event category
description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization.
ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/07/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
index a248fd4f79..9e83c5b9cc 100644
--- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
@@ -1,8 +1,8 @@
---
-title: File System (Global Object Access Auditing)
+title: File System (Global Object Access Auditing)
description: The policy setting, File System (Global Object Access Auditing), enables you to configure a global system access control list (SACL) for an entire computer.
ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
index c9acfc2f7a..ba9bfd059d 100644
--- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
+++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
@@ -1,5 +1,5 @@
---
-title: How to get a list of XML data name elements in
+title: How to get a list of XML data name elements in
description: This reference article for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in .
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -8,11 +8,11 @@ ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 09/09/2021
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: itpro-security
-ms.topic: how-to
+ms.topic: reference
---
# How to get a list of XML data name elements in EventData
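Review bot: `ms.topic: how-to` becomes `ms.topic: reference` here although the H1 and the description present the page as a how-to ("explains how to use PowerShell to get a list of XML data name elements"); confirm the retag is intended rather than a blanket replacement. The rewritten title line also ends with "in" while the H1 reads "... in EventData", and the description ends with "that can appear in ."; check that the frontmatter title and description are not truncated.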
diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
index 471ed8c690..2f42573827 100644
--- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
@@ -1,8 +1,8 @@
---
-title: Monitor central access policy and rule definitions
+title: Monitor central access policy and rule definitions
description: Learn how to use advanced security auditing options to monitor changes to central access policy and central access rule definitions.
ms.assetid: 553f98a6-7606-4518-a3c5-347a33105130
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
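Review bot: `ms.topic: reference` is applied to monitor-central-access-policy-and-rule-definitions.md, which is a step-by-step procedure ("Follow the procedures in this article to configure settings...", "1. Sign in to your domain controller by using domain administrator credentials."); `how-to` describes it better than `reference`, and the same question applies to the other monitor-*.md files retagged in this change.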
@@ -28,7 +28,7 @@ Follow the procedures in this article to configure settings to monitor changes t
> [!NOTE]
> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
+
**Configure settings to monitor central access policy and rule definition changes**
1. Sign in to your domain controller by using domain administrator credentials.
diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md
index 541639f07d..60d4da3a45 100644
--- a/windows/security/threat-protection/auditing/monitor-claim-types.md
+++ b/windows/security/threat-protection/auditing/monitor-claim-types.md
@@ -1,8 +1,8 @@
---
-title: Monitor claim types
+title: Monitor claim types
description: Learn how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.
ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ Use the following procedures to configure settings to monitor changes to claim t
Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
>**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
+
**To configure settings to monitor changes to claim types**
1. Sign in to your domain controller by using domain administrator credential.
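Review bot: step 1 in this hunk reads "domain administrator credential" (singular); the same step in the other monitor-*.md files in this change reads "domain administrator credentials". Since the hunk already touches the blank line just above it, align the wording here.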
diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
index d9e2b2025d..69a7d74967 100644
--- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
@@ -1,8 +1,8 @@
---
-title: Monitor resource attribute definitions
+title: Monitor resource attribute definitions
description: Learn how to monitor changes to resource attribute definitions when you're using advanced security auditing options to monitor dynamic access control objects.
ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ For information about monitoring changes to the resource attributes that apply t
Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
>**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
+
**To configure settings to monitor changes to resource attributes**
1. Sign in to your domain controller by using domain administrator credentials.
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
index 806cdbef89..19e11f0da4 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
@@ -1,8 +1,8 @@
---
-title: Monitor central access policies for files or folders
+title: Monitor central access policies for files or folders
description: Monitor changes to central access policies associated with files and folders, when using advanced security auditing options for dynamic access control objects.
ms.assetid: 2ea8fc23-b3ac-432f-87b0-6a16506e8eed
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Use the following procedures to configure settings to monitor central access pol
> [!NOTE]
> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
+
**To configure settings to monitor central access policies associated with files or folders**
1. Sign in to your domain controller by using domain administrator credentials.
@@ -66,7 +66,7 @@ After you configure settings to monitor changes to the central access policies t
4. Select the **Central Policy** tab, select **Change**, select a different central access policy (if one is available) or select **No Central Access Policy**, and then select **OK** twice.
> [!NOTE]
> You must select a setting that is different than your original setting to generate the audit event.
-
+
5. In Server Manager, select **Tools**, and then select **Event Viewer**.
6. Expand **Windows Logs**, and then select **Security**.
7. Look for event 4913, which is generated when the central access policy that's associated with a file or folder changes. This event includes the security identifiers (SIDs) of the old and new central access policies.
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
index c3c6bd7919..84de3a7b3a 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
@@ -1,8 +1,8 @@
---
-title: Monitor central access policies on a file server
+title: Monitor central access policies on a file server
description: Learn how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options.
ms.assetid: 126b051e-c20d-41f1-b42f-6cff24dcf20c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -31,7 +31,7 @@ Use the following procedures to configure and verify security auditing settings
3. In the console tree, select the flexible access Group Policy Object, and then select **Edit**.
4. Select **Computer Configuration** > **Security Settings** > **Advanced Audit Policy Configuration** > **Policy Change** > **Other Policy Change Events**.
- > [!NOTE]
+ > [!NOTE]
> This policy setting monitors policy changes that might not be captured otherwise, such as CAP changes or trusted platform module configuration changes.
5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then select **OK**.
diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
index 4008b0c158..21f8121312 100644
--- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
@@ -1,8 +1,8 @@
---
-title: Monitor the resource attributes on files and folders
+title: Monitor the resource attributes on files and folders
description: Learn how to use advanced security auditing options to monitor attempts to change settings on the resource attributes of files.
ms.assetid: 4944097b-320f-44c7-88ed-bf55946a358b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -31,7 +31,7 @@ If your organization has a carefully thought out authorization configuration for
Use the following procedures to configure settings to monitor changes to resource attributes on files and folders. These procedures assume that have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see [Dynamic Access Control: Scenario Overview](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview) .
>**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
+
**To monitor changes to resource attributes on files**
1. Sign in to your domain controller by using domain administrator credentials.
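Review bot: the unchanged context line in this hunk reads "These procedures assume that have configured and deployed central access policies", which is missing "you" ("assume that you have configured"). Since the hunk already touches this paragraph, fix the grammar here rather than in a follow-up; the same line also has a stray space before the final period after the "Dynamic Access Control: Scenario Overview" link.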
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
index 5142eff8ca..26a826e404 100644
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
@@ -1,8 +1,8 @@
---
-title: Monitor the use of removable storage devices
+title: Monitor the use of removable storage devices
description: Learn how advanced security auditing options can be used to monitor attempts to use removable storage devices to access network resources.
ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
index d97b9e646f..7fc2ba75cf 100644
--- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
+++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
@@ -1,8 +1,8 @@
---
-title: Monitor user and device claims during sign-in
+title: Monitor user and device claims during sign-in
description: Learn how to monitor user and device claims that are associated with a user’s security token. This advice assumes you have deployed Dynamic Access Control.
ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Device claims are associated with the system that is used to access resources th
Use the following procedures to monitor changes to user claims and device claims in the user’s sign-in token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
>**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-
+
**To monitor user and device claims in user logon token**
1. Sign in to your domain controller by using domain administrator credentials.
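Review bot: terminology is inconsistent within this hunk: the paragraph says "user claims and device claims in the user's sign-in token" while the procedure heading two lines below says "To monitor user and device claims in user logon token". Pick one term (the heading also needs "the": "in the user's logon token") so readers searching the page for either phrase find both the explanation and the steps.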
diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
index 02b8e42af0..35b3eb2d9c 100644
--- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
@@ -1,8 +1,8 @@
---
-title: Plan and deploy advanced security audit policies
+title: Plan and deploy advanced security audit policies
description: Learn to deploy an effective security audit policy in a network that includes advanced security audit policies.
ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -120,7 +120,7 @@ The following table provides an example of a resource analysis for an organizati
| Payroll data| Corp-Finance-1| Accounting: Read/write on Corp-Finance-1
Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy|
| Patient medical records| MedRec-2| Doctors and Nurses: Read/write on Med/Rec-2
Lab Assistants: Write only on MedRec-2
Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards|
| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/write on Web-Ext-1
Public: Read only on Web-Ext-1| Low| Public education and corporate image|
-
+
### Users
Many organizations find it useful to classify the types of users they have and then base permissions on this classification. This classification can help you identify which user activities should be the subject of security auditing and the amount of audit data that they'll generate.
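Review bot: the hunk only strips trailing whitespace below this table, but the table itself has two problems worth fixing in the same change. The "Patient medical records" row names the server both "Med/Rec-2" and "MedRec-2" ("Doctors and Nurses: Read/write on Med/Rec-2" versus "Lab Assistants: Write only on MedRec-2"); the slash is a typo. And the access-control cells for Payroll data, Patient medical records and Consumer health information continue onto the following lines ("Departmental Payroll Managers: Write only on Corp-Finance-1", "Lab Assistants: Write only on MedRec-2", "Public: Read only on Web-Ext-1"); a Markdown table cell can't span source lines, so if the source really wraps them the rows render broken and the continuations need to be joined into the cell with `<br>`.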
@@ -140,7 +140,7 @@ The following table illustrates an analysis of users on a network. Our example c
| Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. |
| Members of the Finance OU| Financial records| Users in Finance have read/write access to critical financial records but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. |
| External partners | Project Z| Employees of partner organizations have read/write access to certain project data and servers relating to Project Z but not to other servers or data on the network.|
-
+
### Computers
Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on:
@@ -151,14 +151,14 @@ Security and auditing requirements and audit event volume can vary considerably
> [!NOTE]
> For more information about auditing:
> - In Exchange Server, see [Exchange 2010 Security Guide](/previous-versions/office/exchange-server-2010/bb691338(v=exchg.141)).
- > - In SQL Server 2008, see [Auditing (Database Engine)](/previous-versions/sql/sql-server-2008-r2/cc280526(v=sql.105)).
+ > - In SQL Server 2008, see [Auditing (Database Engine)](/previous-versions/sql/sql-server-2008-r2/cc280526(v=sql.105)).
> - In SQL Server 2012, see [SQL Server Audit (Database Engine)](/sql/relational-databases/security/auditing/sql-server-audit-database-engine).
-
+
- The operating system versions
> [!NOTE]
> The operating system version determines which auditing options are available and the volume of audit event data.
-
+
- The business value of the data
For example, a web server that's accessed by external users requires different audit settings than a root certification authority (CA) that's never exposed to the public internet or even to regular users on the organization's network.
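Review bot: the auditing pointers in this NOTE reference Exchange Server 2010, SQL Server 2008 and SQL Server 2012, all of which are out of extended support, and the SQL Server 2008 entry (the only line this hunk touches, for whitespace) links to a previous-versions page. If the line is being edited anyway, point readers at current Exchange and SQL Server auditing documentation, or label the list as historical examples so it doesn't read as a recommendation.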
@@ -171,7 +171,7 @@ The following table illustrates an analysis of computers in an organization.
| File servers | Windows Server 2012| Separate resource OUs by department and (in some cases) by location|
| Portable computers | Windows Vista and Windows 7| Separate portable computer OUs by department and (in some cases) by location|
| Web servers | Windows Server 2008 R2 | WebSrv OU|
-
+
### Regulatory requirements
Many industries and locales have specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, strict guidelines control who can access records and how the records are used. Many countries/regions have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that you can use to comply with these regulations and verify compliance.
@@ -199,7 +199,7 @@ By using Group Policy, you can apply your security audit policy to defined group
> Whether you apply advanced audit policies by using Group Policy or logon scripts, don't use both the basic audit policy settings under **Local Policies\Audit Policy** and the advanced settings under **Security Settings\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting.
If you use **Advanced Audit Policy Configuration** settings or logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This configuration will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
-
+
The following examples show how you can apply audit policies to an organization's OU structure:
@@ -210,8 +210,8 @@ The following examples show how you can apply audit policies to an organization'
## Map your security auditing goals to a security audit policy configuration
After you identify your security auditing goals, you can map them to a security audit policy configuration. This audit policy configuration must address your security auditing goals. But it also must reflect your organization's constraints, such as the numbers of:
-- Computers that need to be monitored
-- Activities that you want to audit
+- Computers that need to be monitored
+- Activities that you want to audit
- Audit events that your audit configuration will generate
- Administrators available to analyze and act upon audit data
@@ -230,7 +230,7 @@ You can view and configure security audit policy settings in the supported versi
- *Security Settings\\Local Policies\\Audit Policy*
- *Security Settings\\Local Policies\\Security Options*
- *Security Settings\\Advanced Audit Policy Configuration*
-
+
For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
### Choose audit settings to use
@@ -255,16 +255,16 @@ Compromise to an organization's data resources can cause tremendous financial lo
> [!NOTE]
> To audit user attempts to access all file system objects on a computer, use the *Global Object Access Auditing* settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md).
-
+
- **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events and only if the attempted handle operation matches the SACL.
Event volume can be high, depending on how the SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy setting, the **Audit Handle Manipulation** policy setting can provide useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a *read-only* resource but a user tries to save changes to the file, the audit event will log the event *and* the permissions that were used (or attempted to be used) to save the file changes.
-
+
- **Global Object Access Auditing**: Many organizations use security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system. These settings can't be overridden or circumvented.
> [!IMPORTANT]
> The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category.
-
+
### User activity
The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network. The settings in this section focus on the users who may try to access those resources, including employees, partners, and customers.
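Review bot: "These settings can't be overridden or circumvented" in the Global Object Access Auditing bullet overstates the guarantee. What a global SACL guarantees is that an object's own SACL (or the lack of one) can't exclude it from auditing; the audit policy itself is still just policy, and anyone who can edit it (through Group Policy or `auditpol.exe`) can remove the global SACL or disable the `Audit File System` and `Audit Registry` subcategories that the IMPORTANT note below says it depends on. Suggest rewording to "can't be overridden by an object's own SACL" and adding that changes to the audit policy itself must be audited as well, which is what the Policy Change category covered earlier in this patch is for.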
@@ -279,7 +279,7 @@ In most cases, these attempts are legitimate, and the network needs to make data
> [!NOTE]
> There's no failure event for logoff activity, because failed logoffs (such as when a system abruptly shuts down) don't generate an audit record. Logoff events aren't 100-percent reliable. For example, a computer can be turned off without a proper logoff and shut down, so a logoff event isn't generated.
-
+
- **Logon/Logoff\\[Audit Special Logon](audit-special-logon.md)**: A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It's recommended to track these types of logons.
- **Object Access\\[Audit Certification Services](audit-certification-services.md)**: This policy setting enables you to monitor activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users do these tasks and only authorized or desirable tasks are done.
- **Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md)**: These policy settings are described in the previous section.
@@ -288,7 +288,7 @@ In most cases, these attempts are legitimate, and the network needs to make data
> [!IMPORTANT]
> On critical systems where all attempts to change registry settings should be tracked, you can combine the **Audit Registry** and **Global Object Access Auditing** policy settings to track all attempts to modify registry settings on a computer.
-
+
- **Object Access\\[Audit SAM](audit-sam.md)**: The Security Accounts Manager (SAM) is a database on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events.
- **Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)**: These policy settings and audit events enable you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made.
@@ -301,7 +301,7 @@ The following network activity policy settings enable you to monitor security-re
>[!NOTE]
>**Account Logon** policy settings apply only to specific domain account activities, regardless of which computer is accessed. **Logon/Logoff** policy settings apply to the computer that hosts the resources that are accessed.
-
+
- **Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md)**: This policy setting can be used to track various network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections.
- **DS Access**: Policy settings in this category enable you to monitor AD DS role services. These services provide account data, validate logons, maintain network access permissions, and provide other functionality that's critical to secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. One of the key tasks that AD DS performs is replication of data between domain controllers.
- **Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)**, **Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md)**, and **Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)**: Networks often support many external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the internet. It enables network-level peer authentication, data origin authentication, data integrity checks, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly.
diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
index ac19f5355d..b82b7aa8de 100644
--- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
@@ -1,8 +1,8 @@
---
-title: Registry (Global Object Access Auditing)
+title: Registry (Global Object Access Auditing)
description: The Advanced Security Audit policy setting, Registry (Global Object Access Auditing), enables you to configure a global system access control list (SACL).
ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md
index da20ec1bb0..a4e0800569 100644
--- a/windows/security/threat-protection/auditing/security-auditing-overview.md
+++ b/windows/security/threat-protection/auditing/security-auditing-overview.md
@@ -1,8 +1,8 @@
---
-title: Security auditing
+title: Security auditing
description: Learn about security auditing features in Windows, and how your organization can benefit from using them to make your network more secure and easily managed.
ms.assetid: 2d9b8142-49bd-4a33-b246-3f0c2a5f32d4
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
index 0d0c6e1fb7..076763b3d8 100644
--- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
+++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
@@ -1,8 +1,8 @@
---
-title: Using advanced security auditing options to monitor dynamic access control objects
+title: Using advanced security auditing options to monitor dynamic access control objects
description: Domain admins can set up advanced security audit options in Windows 10 to target specific users, or monitor potentially significant activity on multiple devices
ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -40,9 +40,9 @@ Domain administrators can create and deploy expression-based security audit poli
| [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)| This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you're using advanced security auditing options to monitor dynamic access control objects. |
| [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)| This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects. |
| [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.|
-
+
>**Important:** This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment.
-
+
## Related topics
- [Security auditing](security-auditing-overview.md)
\ No newline at end of file
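Review bot: "This procedure can be configured on computers running any of the supported Windows operating systems" in the Important callout has no clear referent: it follows a table listing several procedures and is contrasted with "The other monitoring procedures", so name the one it means. Separately, the file still ends without a trailing newline ("\ No newline at end of file"); since this hunk is already normalising whitespace at the end of the file, add the final newline here.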
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
index 25265ee877..88b1438852 100644
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md
@@ -1,8 +1,8 @@
---
-title: View the security event log
+title: View the security event log
description: The security log records each event as defined by the audit policies you set on each object.
ms.assetid: 20DD2ACD-241A-45C5-A92F-4BE0D9F198B9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
index ef99d2c066..2ede0f5748 100644
--- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
+++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
@@ -1,8 +1,8 @@
---
-title: Which editions of Windows support advanced audit policy configuration
+title: Which editions of Windows support advanced audit policy configuration
description: This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies.
ms.assetid: 87c71cc5-522d-4771-ac78-34a2a0825f31
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/09/2021
ms.technology: itpro-security
---
@@ -20,7 +20,7 @@ ms.technology: itpro-security
# Which editions of Windows support advanced audit policy configuration
-Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista.
-There's no difference in security auditing support between 32-bit and 64-bit versions.
-Windows editions that can't join a domain, such as Windows 10 Home edition, don't have access to these features.
+Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista.
+There's no difference in security auditing support between 32-bit and 64-bit versions.
+Windows editions that can't join a domain, such as Windows 10 Home edition, don't have access to these features.
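Review bot: the three rewritten lines change only trailing whitespace, but the last sentence they carry is misleading as written: "Windows editions that can't join a domain, such as Windows 10 Home edition, don't have access to these features." What Home lacks is domain join and the Group Policy editor (the Advanced Audit Policy Configuration UI); the subcategories themselves exist in every edition and can be set locally with `auditpol.exe`. Reword to say the Group Policy tooling is unavailable rather than that the feature is. Also, if the stripped trailing characters were two spaces, these three sentences now render as one paragraph instead of three hard-broken lines, which is fine but is a rendering change, not a pure whitespace cleanup.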
diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
index dc6bf37ae5..81f50b4fda 100644
--- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
+++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
@@ -1,8 +1,8 @@
---
-title: Access Credential Manager as a trusted caller
+title: Access Credential Manager as a trusted caller
description: Describes best practices, security considerations, and more for the security policy setting, Access Credential Manager as a trusted caller.
ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,7 +56,7 @@ The following table shows the default value for the server type or Group Policy
| Domain controller effective default settings | Not defined |
| Member server effective default settings | Not defined |
| Client computer effective default settings | Not defined |
-
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -93,4 +93,4 @@ None. Not defined is the default configuration.
## Related topics
[User Rights Assignment](user-rights-assignment.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
index b5ace4fc62..f8a0e483fd 100644
--- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
@@ -1,8 +1,8 @@
---
-title: Access this computer from the network - security policy setting
+title: Access this computer from the network - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting.
ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/11/2021
ms.technology: itpro-security
---
@@ -69,7 +69,7 @@ The following table lists the actual and effective default policy values for the
| Domain controller effective default settings | Everyone, Administrators, Authenticated Users, Enterprise Domain Controllers, Pre-Windows 2000 Compatible Access |
| Member server effective default settings | Everyone, Administrators, Users, Backup Operators |
| Client computer effective default settings |Everyone, Administrators, Users, Backup Operators |
-
+
## Policy management
When you modify this user right, the following actions might cause users and services to experience network access issues:
@@ -103,11 +103,11 @@ Users who can connect from their device to the network can access resources on t
### Countermeasure
-Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who sign in to the domain can access resources that are shared
+Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who sign in to the domain can access resources that are shared
from servers in the domain if members of the **Domain Users** group are included in the local **Users** group.
> **Note** If you are using IPsec to help secure network communications in your organization, ensure that a group that includes machine accounts is given this right. This right is required for successful computer authentication. Assigning this right to **Authenticated Users** or **Domain Computers** meets this requirement.
-
+
### Potential impact
If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can sign in to the domain or use network resources. If you remove this user right on member servers, users can't connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to other accounts that are required by those components. It's important to verify that authorized users are assigned this user right for the devices that they need to access the network.
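Review bot: removing the trailing whitespace after "resources that are shared" is the right call, but if those were two spaces Markdown rendered a hard line break in the middle of the sentence before "from servers in the domain", so this hunk changes rendering, not just source hygiene; worth stating in the commit message, and worth checking the other trailing-whitespace removals in this patch for hard breaks that were intentional. While this section is being touched, the `> **Note** If you are using IPsec...` callout uses the old bold-label style where the rest of the patch uses `> [!NOTE]`; convert it for consistency.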
@@ -116,5 +116,5 @@ If running Windows Server or Azure Stack HCI Failover Clustering, don't remove A
## Related topics
[User Rights Assignment](user-rights-assignment.md)
-
-
+
+
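Review bot: the two lines after "[User Rights Assignment](user-rights-assignment.md)" were whitespace-only lines and remain as empty lines after the change, leaving two trailing blank lines at end of file. Drop them so the file ends with a single newline after the link; the same end-of-file pattern appears in access-credential-manager-as-a-trusted-caller.md and account-lockout-duration.md in this patch.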
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
index 89634c3e27..ab6ba1901c 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
@@ -1,8 +1,8 @@
---
-title: Account lockout duration
+title: Account lockout duration
description: Describes the best practices, location, values, and security considerations for the Account lockout duration security policy setting.
ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/16/2021
ms.technology: itpro-security
---
@@ -40,7 +40,7 @@ This policy setting is dependent on the **Account lockout threshold** policy set
If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If the **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually.
-It's advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0.
+It's advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0.
### Location
@@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values. Defaul
| Domain controller effective default settings | Not defined |
| Member server effective default settings | Not defined |
| Client computer effective default settings | Not applicable |
-
+
## Security considerations
More than a few unsuccessful password submissions during an attempt to sign in to a computer might represent an attacker's attempts to determine an account password by trial and error. The Windows and Windows Server operating systems can track sign-in attempts, and you can configure the operating system to disable the account for a preset period of time after a specified number of failed attempts. Account lockout policy settings control the threshold for this response and what action to take after the threshold is reached.
@@ -78,5 +78,5 @@ Configuring the **Account lockout duration** policy setting to 0 so that account
## Related topics
[Account Lockout Policy](account-lockout-policy.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
index fe39bbcede..1872b25b41 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
@@ -1,8 +1,8 @@
---
-title: Account Lockout Policy
+title: Account Lockout Policy
description: Describes the Account Lockout Policy settings and links to information about each policy setting.
ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 10/11/2018
ms.technology: itpro-security
---
@@ -41,9 +41,9 @@ The following topics provide a discussion of each policy setting's implementatio
| [Account lockout threshold](account-lockout-threshold.md) | Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. |
| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. |
| [Reset account lockout counter after](reset-account-lockout-counter-after.md) | Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. |
-
+
## Related topics
[Configure security policy settings](how-to-configure-security-policy-settings.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
index a735631952..2bae54f4e2 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
@@ -1,8 +1,8 @@
---
-title: Account lockout threshold
+title: Account lockout threshold
description: Describes the best practices, location, values, and security considerations for the Account lockout threshold security policy setting.
ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 11/02/2018
ms.technology: itpro-security
---
@@ -52,7 +52,7 @@ The threshold that you select is a balance between operational efficiency and se
As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this article.
-
+
### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**
@@ -69,7 +69,7 @@ The following table lists the actual and effective default policy values. Defaul
| Domain controller effective default settings | 0 invalid sign-in attempts |
| Member server effective default settings |0 invalid sign-in attempts |
| Effective GPO default settings on client computers |0 invalid sign-in attempts |
-
+
### Policy management
This section describes features and tools that are available to help you manage this policy setting.
@@ -88,7 +88,7 @@ Implementation of this policy setting depends on your operational environment. C
- Not all apps that are used in your environment effectively manage how many times a user can attempt to sign in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold.
-For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
+For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
## Security considerations
@@ -105,7 +105,7 @@ However, a DoS attack could be performed on a domain that has an account lockout
> [!NOTE]
> Offline password attacks are not countered by this policy setting.
-
+
### Countermeasure
Because vulnerabilities can exist when this value is configured and when it's not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are:
@@ -114,11 +114,11 @@ Because vulnerabilities can exist when this value is configured and when it's no
- The password policy setting requires all users to have complex passwords of eight or more characters.
- A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occurs in the environment.
-
+
- Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account.
[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack.
-
+
Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems.
### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md
index a3fdbe5a3f..4504d333df 100644
--- a/windows/security/threat-protection/security-policy-settings/account-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/account-policies.md
@@ -1,8 +1,8 @@
---
-title: Account Policies
+title: Account Policies
description: An overview of account policies in Windows and provides links to policy descriptions.
ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ An overview of account policies in Windows and provides links to policy descript
All account policies settings applied by using Group Policy are applied at the domain level. Default values are present in the built-in default domain controller policy for Password Policy settings, Account Lockout Policy settings, and Kerberos Policy settings. The domain account policy becomes the default local account policy of any device that is a member of the domain. If these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers.
> [!NOTE]
> Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
-
+
The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users sign in to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where both an OU account policy and a domain policy don't apply.
## In this section
@@ -38,7 +38,7 @@ The only exception is when another account policy is defined for an organization
| [Password Policy](password-policy.md) | An overview of password policies for Windows and links to information for each policy setting. |
| [Account Lockout Policy](account-lockout-policy.md) | Describes the Account Lockout Policy settings and links to information about each policy setting. |
| [Kerberos Policy](kerberos-policy.md) | Describes the Kerberos Policy settings and provides links to policy setting descriptions. |
-
+
## Related topics
[Configure security policy settings](how-to-configure-security-policy-settings.md)
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
index 23e43f6d45..179f5ba556 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
@@ -1,8 +1,8 @@
---
-title: Accounts Administrator account status
+title: Accounts Administrator account status
description: Describes the best practices, location, values, and security considerations for the Accounts Administrator account status security policy setting.
ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/01/2017
ms.technology: itpro-security
---
@@ -87,7 +87,7 @@ When you start a device in safe mode, the disabled administrator account is enab
### How to access a disabled Administrator account
You can use the following methods to access a disabled Administrator account:
-- For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer.
+- For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer.
- For domain-joined computers: remotely run the command **net user administrator /active: yes** by using psexec to enable the default local administrator account.
## Security considerations
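Review bot: the context line `net user administrator /active: yes` in this hunk has a space inside the switch; `net user` expects `/active:yes` as a single token, so as written the command is likely to be rejected with a syntax error or to misparse `yes` as a positional argument. Since the adjacent bullet is already being touched, correct the switch in the same commit.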
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
index ab6175a99f..1ac6245b9b 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
@@ -1,8 +1,8 @@
---
-title: Accounts Block Microsoft accounts
+title: Accounts Block Microsoft accounts
description: Describes the best practices, location, values, management, and security considerations for the Accounts Block Microsoft accounts security policy setting.
ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/10/2017
ms.technology: itpro-security
---
@@ -67,7 +67,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -95,4 +95,4 @@ Establishing greater control over accounts in your organization can give you mor
## Related topics
[Security Options](security-options.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
index ca1a50819a..6c768ad6d6 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
@@ -1,8 +1,8 @@
---
-title: Accounts Guest account status - security policy setting
+title: Accounts Guest account status - security policy setting
description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting.
ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,7 +56,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
-
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
@@ -76,5 +76,5 @@ All network users must be authenticated before they can access shared resources.
## Related topics
[Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
index 05b4e8f3ea..947a4c0f6f 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
@@ -1,8 +1,8 @@
---
-title: Accounts Limit local account use of blank passwords
+title: Accounts Limit local account use of blank passwords
description: Learn best practices, security considerations, and more for the policy setting, Accounts Limit local account use of blank passwords to console logon only.
ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -62,7 +62,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Enabled |
| Member Server Effective Default Settings | Enabled |
| Client Computer Effective Default Settings | Enabled |
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
index 0e9b3c3257..44905ab096 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
@@ -1,8 +1,8 @@
---
-title: Accounts Rename administrator account
+title: Accounts Rename administrator account
description: This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.
ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Administrator |
| Member Server Effective Default Settings | Administrator |
| Client Computer Effective Default Settings | Administrator |
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -93,5 +93,5 @@ You must provide users who are authorized to use this account with the new accou
## Related topics
[Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
index da35071790..d034cdf835 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
@@ -1,8 +1,8 @@
---
-title: Accounts Rename guest account - security policy setting
+title: Accounts Rename guest account - security policy setting
description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting.
ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic
| DC Effective Default Settings | Guest |
| Member Server Effective Default Settings | Guest |
| Client Computer Effective Default Settings | *User-defined text* |
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-The guest account exists in all Windows server and client operating system versions beginning with Windows Server 2003 and Windows XP Professional. Because the account name is well known, it provides a vector for a malicious user to get access to network resources and attempt to elevate privileges
+The guest account exists in all Windows server and client operating system versions beginning with Windows Server 2003 and Windows XP Professional. Because the account name is well known, it provides a vector for a malicious user to get access to network resources and attempt to elevate privileges
or install software that could be used for a later attack on your system.
### Countermeasure
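Review bot: the `+` line in this hunk ends mid-sentence at `attempt to elevate privileges`, and the sentence continues on the next context line with `or install software`. If the trailing whitespace being stripped here was a two-space Markdown line break, its removal turns a forced break into a soft wrap, which is the right result mid-sentence; join the two lines into one source line while here so the fragment does not linger.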
@@ -92,5 +92,5 @@ There should be little impact because the Guest account is disabled by default i
## Related topics
[Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
index d8915c4e18..1bdbf787f1 100644
--- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
+++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
@@ -1,8 +1,8 @@
---
-title: Act as part of the operating system
+title: Act as part of the operating system
description: Describes the best practices, location, values, policy management, and security considerations for the Act as part of the operating system security policy setting.
ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -21,7 +21,7 @@ ms.technology: itpro-security
**Applies to**
- Windows 11
-- Windows 10
+- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Act as part of the operating system** security policy setting.
@@ -51,11 +51,11 @@ The following table lists the actual and effective default policy values for the
| - | - |
| Default domain policy | Not defined |
| Default domain controller policy| Not defined |
-| Stand-alone server default settings | Not defined |
+| Stand-alone server default settings | Not defined |
| Domain controller effective default settings | Not defined |
| Member server effective default settings | Not defined |
| Client computer effective default settings | Not defined |
-
+
## Policy management
A restart of the device isn't required for this policy setting to be effective.
@@ -90,4 +90,4 @@ There should be little or no impact because the **Act as part of the operating s
## Related topics
[User Rights Assignment](user-rights-assignment.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
index 139d15f4ec..fb594e8748 100644
--- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
@@ -1,13 +1,13 @@
---
title: Add workstations to domain
description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -81,7 +81,7 @@ This policy has the following security considerations:
### Vulnerability
-The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization doesn't want its users to have administrative
+The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization doesn't want its users to have administrative
privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could sign in with that account, and then add a personal domain account to the local Administrators group.
### Countermeasure
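Review bot: the `+` line in this hunk stops at `have administrative` and the sentence picks up on the following context line with `privileges on their devices`. Join the two lines in the same commit so the whitespace cleanup does not leave a mid-sentence break in the source.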
diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
index 5ec3171725..5c9b499b8b 100644
--- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
+++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
@@ -1,8 +1,8 @@
---
-title: Adjust memory quotas for a process
+title: Adjust memory quotas for a process
description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting.
ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,7 +53,7 @@ By default, members of the Administrators, Local Service, and Network Service gr
The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
-| Server type or GPO | Default value |
+| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Administrators
Local Service
Network Service |
| Default Domain Controller Policy | Administrators
Local Service
Network Service |
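Review bot: below the reworked header line, the `Default Domain Policy` and `Default Domain Controller Policy` rows span three source lines each (`Administrators`, `Local Service`, `Network Service |`), which a Markdown table will not render as one cell. If the source joins those values with `<br>` and this view has dropped the tag, no change is needed; otherwise collapse each row to a single line with `<br>` between the values. The same rows appear in the next hunk of this file.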
@@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values. Defaul
| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service |
| Member Server Effective Default Settings | Administrators
Local Service
Network Service |
| Client Computer Effective Default Settings | Administrators
Local Service
Network Service |
-
+
## Policy management
A restart of the device is not required for this policy setting to be effective.
@@ -97,5 +97,5 @@ Organizations that have not restricted users to roles with limited privileges ma
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
index bca371957d..3a11417c5b 100644
--- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Administer security policy settings
+title: Administer security policy settings
description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
ms.assetid: 7617d885-9d28-437a-9371-171197407599
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
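Review bot: `ms.topic: reference` fits the per-setting pages in this patch, but this article's own description line earlier in the file (`discusses different methods to administer security policy settings`) is procedural, so `conceptual` or `how-to` looks like the better fit here; confirm the intended topic type before flipping it together with the reference pages. The same question applies to account-lockout-policy.md and account-policies.md, which are overview pages.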
@@ -250,7 +250,7 @@ For example, a workstation that is joined to a domain will have its local securi
both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence.
> [!NOTE]
-> Use gpresult.exe to find out what policies are applied to a device and in what order.
+> Use gpresult.exe to find out what policies are applied to a device and in what order.
For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.
**Persistence in security settings**
@@ -300,10 +300,10 @@ To avoid continued flagging of settings that you've investigated and determined
You can resolve discrepancies between analysis database and system settings by:
- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**.
-- Configuring the system to the analysis database values, if you determine the system isn't in compliance with valid security levels.
-- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
-Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
-You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies.
+- Configuring the system to the analysis database values, if you determine the system isn't in compliance with valid security levels.
+- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.
+Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.
+You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies.
In general, don't use **Configure Computer Now** when you're analyzing security for domain-based clients, since you'll have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
### Automating security configuration tasks
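Review bot: the four removed and re-added list/paragraph lines in this hunk render identically, so this is whitespace-only normalization; since the paragraph is being touched anyway, the number agreement in its last sentence should be fixed in the same pass: "when the Group Policy settings are applied, it will take precedence over local settings" should read "they take precedence over local settings".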
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
index 5c246fea41..ec8dd1980d 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
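Review bot: this is the first of many identical `ms.topic: conceptual` to `ms.topic: reference` flips in this patch, and the change is applied consistently, but the pages it covers carry "Best practices", "Security considerations" and "Countermeasure" guidance in addition to their default-value tables (see the `description:` lines in the later hunks), so confirm that `reference` is the intended topic type for guidance-heavy pages and not only for pure value tables.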
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
index aa212b8064..b76363e1b5 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
@@ -1,8 +1,8 @@
---
-title: Allow log on through Remote Desktop Services
+title: Allow log on through Remote Desktop Services
description: Best practices, location, values, policy management, and security considerations for the security policy setting. Allow a sign-in through Remote Desktop Services.
ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,11 +55,11 @@ The following table lists the actual and effective default policy values. Defaul
| Default Domain Policy | Not Defined |
| Default Domain Controller Policy | Not Defined |
| Domain Controller Local Security Policy | Administrators |
-| Stand-Alone Server Default Settings | Administrators
Remote Desktop Users |
-| Domain Controller Effective Default Settings | Administrators |
+| Stand-Alone Server Default Settings | Administrators
Remote Desktop Users |
+| Domain Controller Effective Default Settings | Administrators |
| Member Server Effective Default Settings | Administrators
Remote Desktop Users |
| Client Computer Effective Default Settings | Administrators
Remote Desktop Users |
-
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -96,7 +96,7 @@ Any account with the **Allow log on through Remote Desktop Services** user right
For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and don't run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups.
> **Caution:** For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default.
-
+
Alternatively, you can assign the **Deny log on through Remote Desktop Services** user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the **Deny log on through Remote Desktop Services** user right.
### Potential impact
@@ -106,5 +106,5 @@ Removal of the **Allow log on through Remote Desktop Services** user right from
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
index 5957adf4ab..25ef7bc3d6 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
@@ -1,8 +1,8 @@
---
-title: Audit the access of global system objects
+title: Audit the access of global system objects
description: Describes the best practices, location, values, and security considerations for the audit of the access to global system objects security policy setting.
ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default values for this polic
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Disabled |
-| DC Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled |
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Disabled |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -86,22 +86,22 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf
| Event ID | Event message |
| - | - |
-| 4659 | A handle to an object was requested with intent to delete. |
-| 4660 | An object was deleted. |
-| 4661 | A handle to an object was requested. |
-| 4663 | An attempt was made to access an object. |
-
+| 4659 | A handle to an object was requested with intent to delete. |
+| 4660 | An object was deleted. |
+| 4661 | A handle to an object was requested. |
+| 4663 | An attempt was made to access an object. |
+
If the [Audit Object Access](../auditing/basic-audit-object-access.md) setting is configured, the following events are generated:
| Event ID | Event message |
| - | - |
-| 560 | Access was granted to an already existing object. |
-| 562 | A handle to an object was closed. |
+| 560 | Access was granted to an already existing object. |
+| 562 | A handle to an object was closed. |
| 563 | An attempt was made to open an object with the intent to delete it.
**Note:** This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() |
| 564 | A protected object was deleted. |
-| 565 | Access was granted to an already existing object type. |
+| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used.
**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
-| 569 | The resource manager in Authorization Manager attempted to create a client context. |
+| 569 | The resource manager in Authorization Manager attempted to create a client context. |
| 570 | A client attempted to access an object.
**Note:** An event will be generated for every attempted operation on the object. |
## Security considerations
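Review bot: the unchanged context row for event 563 still reads "specified in Createfile()"; the Win32 API is `CreateFile`, so while the neighbouring 560/562/565/569 rows are being re-emitted for whitespace, fix the casing in the same hunk rather than leaving the only misspelled identifier in the table untouched.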
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
index 7d38765755..011e035679 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
@@ -2,7 +2,7 @@
title: "Audit: Audit the use of Backup and Restore privilege (Windows 10)"
description: "Describes the best practices, location, values, and security considerations for the 'Audit: Audit the use of Backup and Restore privilege' security policy setting."
ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/01/2019
ms.technology: itpro-security
---
@@ -51,11 +51,11 @@ The following table lists the actual and effective default values for this polic
| - | - |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Disabled |
-| DC Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled |
-
+| Stand-Alone Server Default Settings | Disabled |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -92,4 +92,4 @@ If you enable this policy setting, a large number of security events could be ge
## Related topics
- [Security Options](security-options.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
index 5caf39e495..663cfb1d30 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
@@ -1,8 +1,8 @@
---
-title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
+title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
description: Learn more about the security policy setting, Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,12 +51,12 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Enabled |
| DC Effective Default Settings | Enabled |
-| Member Server Effective Default Settings | Enabled |
-| Client Computer Effective Default Settings | Enabled |
-
+| Member Server Effective Default Settings | Enabled |
+| Client Computer Effective Default Settings | Enabled |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -93,12 +93,12 @@ Enable audit policy subcategories as needed to track specific events.
### Potential impacts
-If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the
+If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the
**SCENoApplyLegacyAuditPolicy** key.
> **Important:** Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance.
-
+
## Related topics
- [Security Options](security-options.md)
-
-
+
+
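Review bot: the heading at the top of this hunk is `### Potential impacts`, whereas the same section in allow-log-on-through-remote-desktop-services.md, also touched in this patch, is `### Potential impact`; since both files are being edited, align the heading across the series.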
diff --git a/windows/security/threat-protection/security-policy-settings/audit-policy.md b/windows/security/threat-protection/security-policy-settings/audit-policy.md
index a542276f2e..bf27ff18aa 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-policy.md
@@ -1,8 +1,8 @@
---
-title: Audit Policy
+title: Audit Policy
description: Provides information about basic audit policies that are available in Windows and links to information about each setting.
ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
index 61bd4aecfc..da06353caf 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
@@ -1,8 +1,8 @@
---
-title: Audit Shut down system immediately if unable to log security audits
+title: Audit Shut down system immediately if unable to log security audits
description: Best practices, security considerations, and more for the security policy setting, Audit Shut down system immediately if unable to log security audits.
ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined
-| Default Domain Controller Policy | Not defined
-| Stand-Alone Server Default Settings | Disabled
-| DC Effective Default Settings | Disabled
-| Member Server Effective Default Settings | Disabled
-| Client Computer Effective Default Settings | Disabled
-
+| Default Domain Policy | Not defined
+| Default Domain Controller Policy | Not defined
+| Stand-Alone Server Default Settings | Disabled
+| DC Effective Default Settings | Disabled
+| Member Server Effective Default Settings | Disabled
+| Client Computer Effective Default Settings | Disabled
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -96,5 +96,5 @@ If you enable this policy setting, the administrative burden can be significant,
## Related topics
- [Security Options](security-options.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
index 40d4bdfda2..3bd99b5590 100644
--- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
@@ -1,8 +1,8 @@
---
-title: Back up files and directories - security policy setting
+title: Back up files and directories - security policy setting
description: Describes the recommended practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting.
ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -78,7 +78,7 @@ The following table lists the actual and effective default policy values for the
| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators|
| Member Server Effective Default Settings | Administrators
Backup Operators|
| Client Computer Effective Default Settings | Administrators
Backup Operators|
-
+
## Policy management
A restart of the device isn't required for this policy setting to be effective.
@@ -115,5 +115,5 @@ Changes in the membership of the groups that have the user right to back up file
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
-
+
+
diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
index 6f06c8e9a2..f4a8745518 100644
--- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
+++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
@@ -1,8 +1,8 @@
---
-title: Bypass traverse checking
+title: Bypass traverse checking
description: Describes the best practices, location, values, policy management, and security considerations for the Bypass traverse checking security policy setting.
ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not Defined |
-| Default Domain Controller Policy | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access|
-| Stand-Alone Server Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
-| Domain Controller Effective Default Settings | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access|
-| Member Server Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
-| Client Computer Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
-
+| Default Domain Policy| Not Defined |
+| Default Domain Controller Policy | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access|
+| Stand-Alone Server Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
+| Domain Controller Effective Default Settings | Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access|
+| Member Server Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
+| Client Computer Effective Default Settings | Administrators
Backup Operators
Users
Everyone
Local Service
Network Service|
+
## Policy management
Permissions to files and folders are controlled through the appropriate configuration of file system access control lists (ACLs). The ability to traverse the folder doesn't provide any Read or Write permissions to the user.
@@ -98,4 +98,4 @@ The Windows operating systems and many applications were designed with the expec
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
index e09a09a6bb..d985a6eaf9 100644
--- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
+++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
@@ -1,8 +1,8 @@
---
-title: Change the system time - security policy setting
+title: Change the system time - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting.
ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not Defined |
+| Default Domain Policy| Not Defined |
| Default Domain Controller Policy | Administrators
Server Operators
Local Service|
| Stand-Alone Server Default Settings | Administrators
Local Service|
-| DC Effective Default Settings | Administrators
Server Operators
Local Service|
+| DC Effective Default Settings | Administrators
Server Operators
Local Service|
| Member Server Effective Default Settings | Administrators
Local Service|
-| Client Computer Effective Default Settings | Administrators
Local Service|
-
+| Client Computer Effective Default Settings | Administrators
Local Service|
+
## Policy management
This section describes features, tools and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
index dffd58d25b..3ac7b50a9c 100644
--- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
+++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
@@ -1,8 +1,8 @@
---
-title: Change the time zone - security policy setting
+title: Change the time zone - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting.
ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not Defined|
-| Default Domain Controller Policy | Administrators
Users|
-| Stand-Alone Server Default Settings | Administrators
Users|
-| Domain Controller Effective Default Settings | Administrators
Users|
-| Member Server Effective Default Settings | Administrators
Users|
-| Client Computer Effective Default Settings | Administrators
Users|
-
+| Default Domain Policy| Not Defined|
+| Default Domain Controller Policy | Administrators
Users|
+| Stand-Alone Server Default Settings | Administrators
Users|
+| Domain Controller Effective Default Settings | Administrators
Users|
+| Member Server Effective Default Settings | Administrators
Users|
+| Client Computer Effective Default Settings | Administrators
Users|
+
## Policy management
A restart of the device is not required for this policy setting to be effective.
diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
index 0a179de698..a28a19a33f 100644
--- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
@@ -1,8 +1,8 @@
---
-title: Create a pagefile - security policy setting
+title: Create a pagefile - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting.
ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Administrators |
-| Default Domain Controller Policy | Administrators |
-| Stand-Alone Server Default Settings | Administrators |
-| Domain Controller Effective Default Settings | Administrators |
-| Member Server Effective Default Settings | Administrators |
-| Client Computer Effective Default Settings | Administrators |
-
+| Default Domain Policy | Administrators |
+| Default Domain Controller Policy | Administrators |
+| Stand-Alone Server Default Settings | Administrators |
+| Domain Controller Effective Default Settings | Administrators |
+| Member Server Effective Default Settings | Administrators |
+| Client Computer Effective Default Settings | Administrators |
+
## Policy management
A restart of the device isn't required for this policy setting to be effective.
diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
index 90c8d547a4..6c50cc0ce0 100644
--- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
+++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
@@ -1,8 +1,8 @@
---
-title: Create a token object
+title: Create a token object
description: Describes the best practices, location, values, policy management, and security considerations for the Create a token object security policy setting.
ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not Defined |
-| Default Domain Controller Policy | Not Defined |
-| Stand-Alone Server Default Settings | Not Defined |
-| Domain Controller Effective Default Settings | Local System |
-| Member Server Effective Default Settings | Local System |
-| Client Computer Effective Default Settings | Local System |
-
+| Default Domain Policy | Not Defined |
+| Default Domain Controller Policy | Not Defined |
+| Stand-Alone Server Default Settings | Not Defined |
+| Domain Controller Effective Default Settings | Local System |
+| Member Server Effective Default Settings | Local System |
+| Client Computer Effective Default Settings | Local System |
+
## Policy management
A restart of the device isn't required for this policy setting to be effective.
@@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
>**Caution:** A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts.
-
+
Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users sign in to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change isn't reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any account on a computer if they're currently logged on. They could escalate their privileges or create a DoS condition.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
index 748588c0e1..18fb5d25ad 100644
--- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
@@ -1,8 +1,8 @@
---
-title: Create global objects
+title: Create global objects
description: Describes the best practices, location, values, policy management, and security considerations for the Create global objects security policy setting.
ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not Defined |
-| Default Domain Controller Policy | Administrators
Local Service
Network Service
Service|
-| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service|
-| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service|
-| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service|
-| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|
-
+| Default Domain Policy | Not Defined |
+| Default Domain Controller Policy | Administrators
Local Service
Network Service
Service|
+| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service|
+| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service|
+| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service|
+| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|
+
## Policy management
A restart of the device isn't required for this policy setting to take effect.
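Review bot: the rewritten rows in this table hunk are still split across several physical lines (`+| Default Domain Controller Policy | Administrators` followed by `Local Service`, `Network Service`, `Service|` on their own lines), which markdown will not render as a single table row. Since the hunk already rewrites every one of these rows, join each multi-value cell onto one line with an explicit in-cell line break (for example `Administrators<br>Local Service<br>Network Service<br>Service`) so the default-values table renders.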
@@ -86,7 +86,7 @@ This section describes how an attacker might exploit a feature or its configurat
The **Create global objects** user right is required for a user account to create global objects in Remote Desktop sessions. Users can still create session-specfic objects without being assigned this user right. Assigning this right can be a security risk.
-By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right.
+By default, members of the **Administrators** group, the System account, and services that are started by the Service Control Manager are assigned the **Create global objects** user right. Users who are added to the **Remote Desktop Users** group also have this user right.
### Countermeasure
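Review bot: the context line directly above the changed line still carries the typo "session-specfic objects"; the hunk only strips trailing whitespace from the next paragraph. Fix the spelling to "session-specific" in the same pass, since this file is already being touched.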
diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
index 29994f1b96..e5d58fc80d 100644
--- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
@@ -1,8 +1,8 @@
---
-title: Create permanent shared objects
+title: Create permanent shared objects
description: Describes the best practices, location, values, policy management, and security considerations for the Create permanent shared objects security policy setting.
ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not Defined|
-| Default Domain Controller Policy | Not Defined |
-| Stand-Alone Server Default Settings | Not Defined|
-| Domain Controller Effective Default Settings | **LocalSystem**|
-| Member Server Effective Default Settings | **LocalSystem**|
-| Client Computer Effective Default Settings | **LocalSystem**|
-
+| Default Domain Policy | Not Defined|
+| Default Domain Controller Policy | Not Defined |
+| Stand-Alone Server Default Settings | Not Defined|
+| Domain Controller Effective Default Settings | **LocalSystem**|
+| Member Server Effective Default Settings | **LocalSystem**|
+| Client Computer Effective Default Settings | **LocalSystem**|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
index e728e58567..970e2ddfd7 100644
--- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
+++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
@@ -1,8 +1,8 @@
---
-title: Create symbolic links
+title: Create symbolic links
description: Describes the best practices, location, values, policy management, and security considerations for the Create symbolic links security policy setting.
ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not Defined|
-| Default Domain Controller Policy | Not Defined|
-| Stand-Alone Server Default Settings | Not Defined|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy | Not Defined|
+| Default Domain Controller Policy | Not Defined|
+| Stand-Alone Server Default Settings | Not Defined|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index 03d85f19cb..6426a749bf 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -1,8 +1,8 @@
---
-title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
+title: DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
description: Learn about best practices and more for the syntax policy setting, DCOM Machine Access Restrictions in Security Descriptor Definition Language (SDDL).
ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,12 +55,12 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value
| - | - |
| Default Domain Policy | Blank |
-| Default Domain Controller Policy | Blank |
-| Stand-Alone Server Default Settings | Blank |
-| DC Effective Default Settings | Not defined |
-| Member Server Effective Default Settings | Not defined |
-| Client Computer Effective Default Settings | Not defined |
-
+| Default Domain Controller Policy | Blank |
+| Stand-Alone Server Default Settings | Blank |
+| DC Effective Default Settings | Not defined |
+| Member Server Effective Default Settings | Not defined |
+| Client Computer Effective Default Settings | Not defined |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -72,7 +72,7 @@ None. Changes to this policy become effective without a computer restart when th
The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This precedence means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users aren't changed. Use care in configuring the list of users and groups.
-If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This setting will restore control of the DCOM application to the administrator and users. To define this setting, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click
+If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This setting will restore control of the DCOM application to the administrator and users. To define this setting, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click
**Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This information defines the setting and sets the appropriate SDDL value.
## Security considerations
@@ -96,5 +96,5 @@ Windows implements default COM ACLs when they're installed. Modifying these ACLs
## Related topics
- [Security Options](security-options.md)
-
-
+
+
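Review bot: this hunk replaces two whitespace-only blank lines at the end of the file with two empty lines, so the file still ends with trailing blank lines after `- [Security Options](security-options.md)`. Trim to a single terminating newline instead of rewriting the blank lines.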
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index d4c07f3415..5accd3bbbc 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -1,8 +1,8 @@
---
-title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
+title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
description: Best practices and more for the security policy setting, DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax.
ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for
This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define more computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an extra access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server.
These device-wide ACLs provide a way to override weak security settings that are specified by an application through CoInitializeSecurity or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific COM-based server. These ACLs provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers.
-The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local
+The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local
Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you're running.
### Possible values
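Review bot: the bold policy name on the changed line reads "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax", while the page title and the policy name used elsewhere in this file is "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" (no "the"). Since the line is being rewritten anyway, drop "the" so the setting name matches the title and the UI string.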
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Blank |
-| Default Domain Controller Policy | Blank|
-| Stand-Alone Server Default Settings |Blank |
-| DC Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined |
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Blank |
+| Default Domain Controller Policy | Blank|
+| Stand-Alone Server Default Settings |Blank |
+| DC Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined |
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md
index d5058a6e3f..c65db98a6f 100644
--- a/windows/security/threat-protection/security-policy-settings/debug-programs.md
+++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md
@@ -1,8 +1,8 @@
---
-title: Debug programs
+title: Debug programs
description: Describes the best practices, location, values, policy management, and security considerations for the Debug programs security policy setting.
ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Administrators |
-| Stand-Alone Server Default Settings | Administrators |
-| Domain Controller Effective Default Settings | Administrators |
-| Member Server Effective Default Settings | Administrators |
-| Client Computer Effective Default Settings | Administrators |
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Administrators |
+| Stand-Alone Server Default Settings | Administrators |
+| Domain Controller Effective Default Settings | Administrators |
+| Member Server Effective Default Settings | Administrators |
+| Client Computer Effective Default Settings | Administrators |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware.
+The **Debug programs** user right can be exploited to capture sensitive device information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert malware.
By default, the **Debug programs** user right is assigned only to administrators, which helps mitigate risk from this vulnerability.
### Countermeasure
@@ -93,7 +93,7 @@ Remove the accounts of all users and groups that do not require the **Debug prog
### Potential impact
-If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU)
+If you revoke this user right, no one can debug programs. However, typical circumstances rarely require this capability on production devices. If an issue arises that requires an application to be debugged on a production server, you can move the server to a different organizational unit (OU)
temporarily and assign the **Debug programs** user right to a separate Group Policy for that OU.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
index b069fd1da1..09c0633dea 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
@@ -1,8 +1,8 @@
---
-title: Deny access to this computer from the network
+title: Deny access to this computer from the network
description: Best practices, location, values, policy management, and security considerations for the Deny access to this computer from the network security policy setting.
ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 05/19/2021
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
index 42bdc8d2a2..c4bc52c008 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
@@ -1,8 +1,8 @@
---
-title: Deny log on as a batch job
+title: Deny log on as a batch job
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a batch job security policy setting.
ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Not defined |
-| Domain Controller Effective Default Settings | Not defined |
-| Member Server Effective Default Settings | Not defined |
-| Client Computer Effective Default Settings | Not defined |
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined |
+| Domain Controller Effective Default Settings | Not defined |
+| Member Server Effective Default Settings | Not defined |
+| Client Computer Effective Default Settings | Not defined |
+
## Policy management
This section describes features and tools available to help you manage this policy.
@@ -73,7 +73,7 @@ This policy setting might conflict with and negate the **Log on as a batch job**
On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting.
-For example, to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account isn't present in the **Deny log on as a batch job** setting.
+For example, to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account isn't present in the **Deny log on as a batch job** setting.
User Rights Assignment and also correctly configured in the **Log on as a batch job** setting.
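Review bot: the changed line ends with a full stop after "**Deny log on as a batch job** setting." but the following context line continues the same sentence ("User Rights Assignment and also correctly configured in the **Log on as a batch job** setting."), leaving a fragment. Rewrite as one sentence, for example "Verify the targeted account isn't present in the **Deny log on as a batch job** User Rights Assignment setting and is also correctly configured in the **Log on as a batch job** setting."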
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
index 8e61df03d2..7bdd2075ca 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
@@ -1,8 +1,8 @@
---
-title: Deny log on as a service
+title: Deny log on as a service
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on as a service security policy setting.
ms.assetid: f1114964-df86-4278-9b11-e35c66949794
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined |
-| Domain Controller Effective Default Settings | Not defined |
-| Member Server Effective Default Settings | Not defined |
-| Client Computer Effective Default Settings | Not defined |
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined |
+| Domain Controller Effective Default Settings | Not defined |
+| Member Server Effective Default Settings | Not defined |
+| Client Computer Effective Default Settings | Not defined |
+
## Policy management
This section describes features and tools available to help you manage this policy.
@@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Accounts that can sign in to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is reduced by the fact that only users with administrative rights can install and configure
+Accounts that can sign in to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is reduced by the fact that only users with administrative rights can install and configure
services, and an attacker who already has that level of access could configure the service to run by using the System account.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
index 8cc1881127..263496c85d 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
@@ -1,8 +1,8 @@
---
-title: Deny log on locally
+title: Deny log on locally
description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on locally security policy setting.
ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
index 6a3f748155..24e896eb79 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
@@ -1,8 +1,8 @@
---
-title: Deny log on through Remote Desktop Services
+title: Deny log on through Remote Desktop Services
description: Best practices, location, values, policy management, and security considerations for the security policy setting, Deny log on through Remote Desktop Services.
ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,12 +51,12 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
index c0ec06ad12..abbf2b5679 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
@@ -1,8 +1,8 @@
---
-title: Devices Allow undock without having to log on
+title: Devices Allow undock without having to log on
description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to sign in security policy setting.
ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for
This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must sign in to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission.
>**Note:** Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality.
-
+
Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that don't have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices
### Possible values
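Review bot: the only change in this hunk is a whitespace-only blank line, while the paragraph directly below it ("...a malicious user gaining physical access to these devices") is missing its terminating period. Add the period in the same pass rather than leaving the paragraph unfinished.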
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Enabled|
-| Client Computer Effective Default Settings| Enabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Enabled|
+| Client Computer Effective Default Settings| Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
index c27928a04e..c2b35adf67 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
@@ -1,8 +1,8 @@
---
-title: Devices Allowed to format and eject removable media
+title: Devices Allowed to format and eject removable media
description: Describes the best practices, location, values, and security considerations for the Devices Allowed to format and eject removable media security policy setting.
ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Administrators|
-| DC Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Administrators|
+| DC Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -73,7 +73,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button
+Users could move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices eject media when a mechanical button
is pressed diminishes the advantage of this policy setting.
### Countermeasure
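Review bot: The rewritten line is still hard-wrapped mid-sentence ("...when a mechanical button" / "is pressed diminishes..."), which leaves an orphaned fragment as its own source line while every other paragraph in these files is a single line. Since the line is already being replaced, join it with the following "is pressed diminishes the advantage of this policy setting." line into one paragraph line.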
diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
index 40487ac65b..9a909d447c 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
@@ -1,8 +1,8 @@
---
-title: Devices Prevent users from installing printer drivers
+title: Devices Prevent users from installing printer drivers
description: Describes the best practices, location, values, and security considerations for the Devices Prevent users from installing printer drivers security policy setting.
ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/05/2022
ms.technology: itpro-security
---
@@ -44,7 +44,7 @@ Although it might be appropriate in some organizations to allow users to install
- It's advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting doesn't affect a user's ability to add a local printer.
> [!NOTE]
-> After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server.
+> After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server.
### Location
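Review bot: Only trailing whitespace changes in the note line, which is fine. In the unchanged context line above it, "Administrative, Power User, or Server Operator groups" does not match the built-in group names; they are Administrators, Power Users, and Server Operators, and using the exact names avoids confusion when an admin searches for them in Computer Management.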
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Enabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Enabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
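Review bot: The header row of this table ("Server type or GPO | Default value |") is missing its leading pipe, unlike every other defaults table in this PR, and it sits directly above the rows being rewritten. Add the leading `|` so the header is formatted consistently with the `| - | - |` separator and the body rows.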
@@ -77,7 +77,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less
+It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become less
stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver.
### Countermeasure
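Review bot: Same mid-sentence wrap as in the removable-media file: the replaced line ends in "become less" and the sentence continues on the unchanged "stable. A malicious user..." line. Merge the two into one line while the line is being rewritten so the paragraph is not split across source lines.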
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
index 2f3acd5122..30a9097f46 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
@@ -1,8 +1,8 @@
---
-title: Restrict CD-ROM access to locally logged-on user
+title: Restrict CD-ROM access to locally logged-on user
description: Describes the best practices, location, values, and security considerations for the Devices Restrict CD-ROM access to locally logged-on user only security policy setting.
ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Disabled |
-| DC Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled |
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Disabled |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -75,7 +75,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives aren't automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run
+A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives aren't automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run
applications from removable media on the server.
### Countermeasure
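Review bot: The rewritten line still breaks the sentence at "view data or run" with "applications from removable media on the server." left on the next line; merge the two lines so the Vulnerability paragraph is a single line like the surrounding paragraphs.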
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
index 511ccc907f..0a4d6c2250 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
@@ -1,8 +1,8 @@
---
-title: Devices Restrict floppy access to locally logged-on user only
+title: Devices Restrict floppy access to locally logged-on user only
description: Describes the best practices, location, values, and security considerations for the Devices Restrict floppy access to locally logged-on user only security policy setting.
ms.assetid: 92997910-da95-4c03-ae6f-832915423898
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
index 28361156ef..8d5b95d46a 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
@@ -1,13 +1,13 @@
---
title: Domain controller Allow server operators to schedule tasks
description: Describes the best practices, location, values, and security considerations for the Domain controller Allow server operators to schedule tasks security policy setting.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -24,7 +24,7 @@ Describes the best practices, location, values, and security considerations for
This policy setting determines whether server operators can use the **at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that account is the Local System account.
>**Note:** This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool.
-
+
Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is, the Local System account. This synchronization with the local account means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group.
The impact of enabling this policy setting should be small for most organizations. Users, including those users in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job.
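Review bot: The whitespace fix is fine, but the unchanged paragraph below it reads "This synchronization with the local account means that server operators can perform tasks...", and nothing is synchronized here; the point is simply that jobs run under the Local System account's privileges. Rewording it along the lines of "Because the jobs run as Local System, server operators can perform tasks that Local System can do but they normally cannot, such as adding their account to the local Administrators group" states the risk plainly. The `>**Note:**` line above it could also be converted to the `> [!NOTE]` alert syntax used elsewhere in this PR.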
@@ -49,13 +49,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
index 24614ad5c4..af6812e273 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
@@ -7,7 +7,7 @@ ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/26/2023
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
index 39803ce695..0745e54ec3 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
@@ -1,13 +1,13 @@
---
title: Domain controller LDAP server signing requirements
description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server signing requirements security policy setting.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ This setting doesn't have any impact on LDAP simple bind through SSL (LDAP TCP/6
If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389).
>**Caution:** If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.
-
+
### Possible values
- None. Data signatures aren't required to bind with the server. If the client computer requests data signing, the server supports it.
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | None|
-| Member Server Effective Default Settings | None|
-| Client Computer Effective Default Settings | None|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | None|
+| Member Server Effective Default Settings | None|
+| Client Computer Effective Default Settings | None|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
index 63d863c555..dcc3e3be66 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
@@ -1,13 +1,13 @@
---
title: Refuse machine account password changes policy
description: Describes the best practices, location, values, and security considerations for the Domain controller Refuse machine account password changes security policy setting.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.technology: itpro-security
ms.date: 12/31/2017
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
|---|---|
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Not defined |
-| DC Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Not applicable |
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Not applicable |
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
index d918369b03..820c7facca 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
@@ -1,8 +1,8 @@
---
-title: Domain member Digitally encrypt or sign secure channel data (always)
+title: Domain member Digitally encrypt or sign secure channel data (always)
description: Best practices, location, values, and security considerations for the policy setting, Domain member Digitally encrypt or sign secure channel data (always).
ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -49,7 +49,7 @@ When a device joins a domain, a machine account is created. After being connecte
- Enabled
- The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This enablement ensures that the domain member attempts to negotiate at least signing of the secure
+ The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This enablement ensures that the domain member attempts to negotiate at least signing of the secure
channel traffic.
- Disabled
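Review bot: The replaced line is a continuation of the "- Enabled" list item but is wrapped mid-sentence at "at least signing of the secure", and the unchanged "channel traffic." fragment on the next line is not indented, so Markdown renders it outside the list item as a stray paragraph. Join the two lines (keeping the leading spaces that make it part of the bullet) while this line is being rewritten.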
@@ -67,7 +67,7 @@ When a device joins a domain, a machine account is created. After being connecte
- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**.
>**Note:** You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications.
-
+
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
@@ -78,13 +78,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Enabled |
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Enabled |
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -103,7 +103,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and
+When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and
sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
### Countermeasure
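Review bot: The rewritten line wraps mid-sentence at "authenticated—and" with the rest of the sentence on the unchanged next line; merge them into one paragraph line. In that continuation, "sensitive information such as passwords are encrypted" has a subject-verb mismatch ("information ... is encrypted"), worth fixing in the same pass.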
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
index c277be4b30..0086d01e2c 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
@@ -1,8 +1,8 @@
---
-title: Domain member Digitally encrypt secure channel data (when possible)
+title: Domain member Digitally encrypt secure channel data (when possible)
description: Best practices, security considerations, and more for the security policy setting, Domain member Digitally encrypt secure channel data (when possible).
ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
## Reference
-This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Sign-in information that is transmitted over
+This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Sign-in information that is transmitted over
the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic:
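Review bot: The replaced line wraps mid-sentence at "Sign-in information that is transmitted over" with "the secure channel is always encrypted..." on the following unchanged line; join them so the Reference paragraph is one line, consistent with the rest of the file.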
@@ -54,7 +54,7 @@ When a device joins a domain, a machine account is created. After the device is
The domain member won't attempt to negotiate secure channel encryption.
>**Note:** If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten.
-
+
- Not defined
### Best practices
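Review bot: Whitespace-only change here, fine. In the note directly above it, "this setting will be overwritten" is misleading because enabling the (always) policy does not modify this setting's stored value; it takes precedence over it. "will be overridden" describes the behavior accurately.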
@@ -74,12 +74,12 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Enabled|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Controller Policy | Enabled|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
index 302edcac50..cadfa2282e 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
@@ -1,8 +1,8 @@
---
-title: Domain member Digitally sign secure channel data (when possible)
+title: Domain member Digitally sign secure channel data (when possible)
description: Best practices, location, values, and security considerations for the security policy setting, Domain member Digitally sign secure channel data (when possible).
ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
## Reference
-This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Sign-in information that is transmitted over the
+This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Sign-in information that is transmitted over the
secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated.
The following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic:
@@ -60,7 +60,7 @@ When a device joins a domain, a machine account is created. After the device is
- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**.
- Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**.
>**Note:** You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications.
-
+
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
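Review bot: the Note in the context lines reads "Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](…)", which duplicates the "Domain member:" prefix in front of the link text. Drop the stray prefix so it reads "You can enable the other two policy settings, [Domain member: Digitally encrypt secure channel data (when possible)](…) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices …". Since this hunk only trims a blank line in the same block, fold the fix in now.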
@@ -71,13 +71,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Enabled |
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Enabled |
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
index 72e15d7783..324f36b008 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
@@ -1,8 +1,8 @@
---
-title: Domain member Disable machine account password changes
+title: Domain member Disable machine account password changes
description: Describes the best practices, location, values, and security considerations for the Domain member Disable machine account password changes security policy setting.
ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/27/2019
ms.technology: itpro-security
---
@@ -44,8 +44,8 @@ Verify that the **Domain member: Disable machine account password changes** opti
3. You may want to consider using this policy setting in specific environments, such as the following ones:
- Non-persistent Virtual Desktop Infrastructure implementations. In such implementations, each session starts from a read-only base image.
- - Embedded devices that don't have write access to the OS volume.
-
+ - Embedded devices that don't have write access to the OS volume.
+
In either case, a password change that was made during normal operations would be lost as soon as the session ends. We strongly recommend that you plan password changes for maintenance windows. Add the password changes to the updates and modifications that Windows performs during maintenance windows. To trigger a password update on a specific OS volume, run the following command:
```
@@ -62,15 +62,15 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
-| Server type or GPO | Default value |
+| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Disabled |
-| Default Domain Controller Policy | Disabled|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy | Disabled |
+| Default Domain Controller Policy | Disabled|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices
+By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices
that can't automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account.
### Countermeasure
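Review bot: the Vulnerability paragraph on the + line reads inverted. The setting is named Disable machine account password changes, so it is enabling it, not disabling it, that leaves a device on the same password; the sentence should say "If you enable this policy setting, domain members retain the same machine account password." The same paragraph also limits the behaviour to "devices running Windows Server", but the default 30-day change applies to every domain member (the defaults table earlier in this file lists Client Computer Effective Default Settings alongside the server rows), and "every certain number of days, typically 30" is clearer as "every 30 days by default". Since the hunk only trims trailing whitespace on this line, this is the moment to fix the wording rather than touch the line again later.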
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
index aacfa76378..278f2854fa 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
@@ -1,8 +1,8 @@
---
-title: Domain member Maximum machine account password age
+title: Domain member Maximum machine account password age
description: Describes the best practices, location, values, and security considerations for the Domain member Maximum machine account password age security policy setting.
ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 05/29/2020
ms.technology: itpro-security
---
@@ -31,8 +31,8 @@ The **Domain member: Maximum machine account password age** policy setting deter
In Active Directory–based domains, each device has an account and password. By default, the domain members submit a password change every 30 days. You can extend or reduce this interval. Additionally, you can use the **Domain member: Disable machine account password changes** policy to disable the password change requirement completely. However, before you consider this option, review the implications as described in [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md).
-> [!IMPORTANT]
-> Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts.
+> [!IMPORTANT]
+> Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts.
For more information, see [Machine Account Password Process](https://techcommunity.microsoft.com/t5/Ask-the-Directory-Services-Team/Machine-Account-Password-Process/ba-p/396026).
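Review bot: the IMPORTANT note on the + lines names only a brute-force password-guessing attack as the consequence of a longer interval, which understates the risk. The broader point, and the one the linked Disable machine account password changes page makes in its own Vulnerability section ("an attacker who could determine the password for the machine's domain account"), is that a machine account password that has already been disclosed, for example from a captured copy of a non-persistent VDI base image, stays usable for the whole extended interval. Suggest: "Significantly increasing the password change interval (or disabling password changes) extends the time during which a machine account password that has been guessed or disclosed remains usable by an attacker."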
@@ -43,7 +43,7 @@ For more information, see [Machine Account Password Process](https://techcommuni
### Best practices
-We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The extra replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
+We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The extra replication churn would affect domain controllers in large organizations that have many computers or slow links between sites.
### Location
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | 30 days|
-| DC Effective Default Settings | 30 days|
-| Member Server Effective Default Settings|30 days|
-| Client Computer Effective Default Settings | 30 days|
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | 30 days|
+| DC Effective Default Settings | 30 days|
+| Member Server Effective Default Settings|30 days|
+| Client Computer Effective Default Settings | 30 days|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
index d5c4b65fcc..5f03addc62 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
@@ -1,8 +1,8 @@
---
-title: Domain member Require strong (Windows 2000 or later) session key
+title: Domain member Require strong (Windows 2000 or later) session key
description: Best practices, location, values, and security considerations for the security policy setting, Domain member Require strong (Windows 2000 or later) session key.
ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,7 +55,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
-| Server type or GPO
+| Server type or GPO
| Default value |
|--------------------------------------------|
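Review bot: the defaults table header in this hunk is broken in the surrounding context lines: "| Server type or GPO" and "| Default value |" sit on separate physical lines and the delimiter row "|--------------------------------------------|" has a single column, so the two-column table will not render as a table. Since the header line is already being rewritten to trim whitespace, join it to "| Server type or GPO | Default value |" and use the "| - | - |" delimiter row that every other defaults table in this patch uses.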
diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
index 8f52bd244e..2580f51ed8 100644
--- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
+++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
@@ -1,8 +1,8 @@
---
-title: Trust computer and user accounts for delegation
+title: Trust computer and user accounts for delegation
description: Learn about best practices, security considerations and more for the security policy setting, Enable computer and user accounts to be trusted for delegation.
ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools and guidance to help you manage this policy.
@@ -94,7 +94,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened
+Misuse of the **Enable computer and user accounts to be trusted for delegation** user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened
after a security incident.
### Countermeasure
@@ -102,7 +102,7 @@ after a security incident.
The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there's a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default.
>**Note:** There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers.
-
+
### Potential impact
None. Not defined is the default configuration.
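Review bot: "None. Not defined is the default configuration." under Potential impact contradicts the Countermeasure sentence two lines above it, which says the right is assigned to the Administrators group on domain controllers by default (the defaults table earlier in this file likewise lists Administrators as the Domain Controller Effective Default). Suggest "None. Not defined is the default in the domain GPOs; the effective default on domain controllers is Administrators." Separately, the Note here still uses the bare ">**Note:**" form while other pages in this patch use the "> [!IMPORTANT]" and "> [!Warning]" alert syntax; worth converting while the block is being touched.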
diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
index 69915eba98..b2b87b7314 100644
--- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
+++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
@@ -1,8 +1,8 @@
---
-title: Enforce password history
+title: Enforce password history
description: Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting.
ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default domain policy | 24 passwords remembered|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | 0 passwords remembered|
-| Domain controller effective default settings | 24 passwords remembered|
-| Member server effective default settings | 24 passwords remembered|
-| Effective GPO default settings on client computers | 24 passwords remembered|
-
+| Default domain policy | 24 passwords remembered|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | 0 passwords remembered|
+| Domain controller effective default settings | 24 passwords remembered|
+| Member server effective default settings | 24 passwords remembered|
+| Effective GPO default settings on client computers | 24 passwords remembered|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -79,7 +79,7 @@ The longer a user uses the same password, the greater the chance that an attacke
If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you don't also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password.
>**Note:** After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised.
-
+
### Countermeasure
Configure the **Enforce password history** policy setting to 24 (the maximum setting) to help minimize the number of vulnerabilities that are caused by password reuse.
diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
index a119f6c131..faf39c7570 100644
--- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
+++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
@@ -1,8 +1,8 @@
---
-title: Enforce user logon restrictions
+title: Enforce user logon restrictions
description: Describes the best practices, location, values, policy management, and security considerations for the Enforce user logon restrictions security policy setting.
ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server Type or GPO | Default Value |
| - | - |
-| Default Domain Policy | Enabled|
+| Default Domain Policy | Enabled|
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings| Not applicable |
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
index bb10d2ce82..fbf329985c 100644
--- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
+++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
@@ -1,8 +1,8 @@
---
-title: Force shutdown from a remote system
+title: Force shutdown from a remote system
description: Describes the best practices, location, values, policy management, and security considerations for the Force shutdown from a remote system security policy setting.
ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators
Server Operators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators
Server Operators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators
Server Operators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators
Server Operators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
index 5b8810a11e..9b9ab36731 100644
--- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
@@ -1,8 +1,8 @@
---
-title: Generate security audits
+title: Generate security audits
description: Describes the best practices, location, values, policy management, and security considerations for the Generate security audits security policy setting.
ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Local Service
Network Service|
-| Stand-Alone Server Default Settings | Local Service
Network Service|
-| Domain Controller Effective Default Settings | Local Service
Network Service|
-| Member Server Effective Default Settings | Local Service
Network Service|
-| Client Computer Effective Default Settings | Local Service
Network Service|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Local Service
Network Service|
+| Stand-Alone Server Default Settings | Local Service
Network Service|
+| Domain Controller Effective Default Settings | Local Service
Network Service|
+| Member Server Effective Default Settings | Local Service
Network Service|
+| Client Computer Effective Default Settings | Local Service
Network Service|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
index 6dcfe5687d..37573dfb33 100644
--- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
@@ -8,7 +8,7 @@ manager: aaroncz
ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/07/2023
appliesto:
- ✅ Windows 11
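Review bot: `ms.topic: reference` does not fit this page. The filename (how-to-configure-security-policy-settings.md) marks it as procedural guidance rather than a per-setting reference, so `how-to` is the better value; the other files in this patch are genuine per-setting reference pages, where `reference` is the right choice.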
diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
index 698d38e82a..918c634443 100644
--- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
@@ -1,8 +1,8 @@
---
-title: Impersonate a client after authentication
+title: Impersonate a client after authentication
description: Describes the best practices, location, values, policy management, and security considerations for the Impersonate a client after authentication security policy setting.
ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -65,12 +65,12 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not defined |
-| Default Domain Controller Policy| Administrators
Local Service
Network Service
Service|
-| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service|
-| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service|
-| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service|
-| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|
-
+| Default Domain Controller Policy| Administrators
Local Service
Network Service
Service|
+| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service
Service|
+| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service
Service|
+| Member Server Effective Default Settings | Administrators
Local Service
Network Service
Service|
+| Client Computer Effective Default Settings | Administrators
Local Service
Network Service
Service|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
index 0d6a6d694f..b383d4e733 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
@@ -1,8 +1,8 @@
---
-title: Increase a process working set
+title: Increase a process working set
description: Describes the best practices, location, values, policy management, and security considerations for the Increase a process working set security policy setting.
ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,11 +54,11 @@ The following table lists the actual and effective default policy values. Defaul
| - | - |
| Default Domain Policy| Not Defined|
| Default Domain Controller Policy | Users|
-| Stand-Alone Server Default Settings| Users|
-| Domain Controller Effective Default Settings| Users|
-| Member Server Effective Default Settings | Users|
-| Client Computer Effective Default Settings | Users|
-
+| Stand-Alone Server Default Settings| Users|
+| Domain Controller Effective Default Settings| Users|
+| Member Server Effective Default Settings | Users|
+| Client Computer Effective Default Settings | Users|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
index 1bcfcdb42e..e0afba5ecc 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
@@ -1,8 +1,8 @@
---
-title: Increase scheduling priority
+title: Increase scheduling priority
description: Describes the best practices, location, values, policy management, and security considerations for the Increase scheduling priority security policy setting.
ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 2/6/2020
ms.technology: itpro-security
---
@@ -46,7 +46,7 @@ Constant: SeIncreaseBasePriorityPrivilege
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
-
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -82,9 +82,9 @@ Verify that only Administrators and Window Manager\Window Manager Group have the
None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager\Window Manager Group is the default configuration.
-> [!Warning]
-> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
->
+> [!Warning]
+> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
+>
> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
index a1ee602ed9..6b6a223a3c 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Display user information when the session is locked
+title: Interactive logon Display user information when the session is locked
description: Best practices, security considerations, and more for the security policy setting, Interactive logon Display user information when the session is locked.
ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -66,7 +66,7 @@ This setting has these possible values:
For a domain sign in only, the domain\username is displayed.
The **Privacy** setting is automatically on and grayed out.
-
+
- **Blank**
Default setting.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
index 1917c4b70b..6d7880e8fe 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.reviewer:
ms.author: vinpa
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
index e4c4d49b0a..a13d25cd15 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Do not require CTRL+ALT+DEL
+title: Interactive logon Do not require CTRL+ALT+DEL
description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not require CTRL+ALT+DEL security policy setting.
ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
index eadc6514fe..85cca7c7f1 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
index bc3ee80c44..a9c3a468db 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Machine account lockout threshold
+title: Interactive logon Machine account lockout threshold
description: Best practices, location, values, management, and security considerations for the security policy setting, Interactive logon Machine account lockout threshold.
ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings| Disabled|
-| DC Effective Default Settings | Disabled|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings| Disabled|
+| DC Effective Default Settings | Disabled|
| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled|
-
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index 40c0bcb254..499c8ea921 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Machine inactivity limit
+title: Interactive logon Machine inactivity limit
description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine inactivity limit security policy setting.
ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/18/2018
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
index 7f6a3535a6..9ea2643a8c 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
@@ -1,8 +1,8 @@
---
-title: Interactive Logon Message text
+title: Interactive Logon Message text
description: Learn about best practices, security considerations and more for the security policy setting, Interactive logon Message text for users attempting to log on.
ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
index fc861f5e80..f97c4515e8 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Message title for users attempting to log on
+title: Interactive logon Message title for users attempting to log on
description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on.
ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
index 079531c038..60159d1dd5 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Number of previous logons to cache (in case domain controller is not available)
+title: Interactive logon Number of previous logons to cache (in case domain controller is not available)
description: Best practices and more for the security policy setting, Interactive logon Number of previous logons to cache (in case domain controller is not available).
ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/27/2018
ms.technology: itpro-security
---
@@ -39,7 +39,7 @@ The system can't log you on now because the domain *DOMAIN NAME* isn't available
The value of this policy setting indicates the number of users whose sign-in information the server caches locally. If the value is 10, the server caches sign-in information for 10 users. When an 11th user signs in to the device, the server overwrites the oldest cached sign-in session.
-Users who access the server console will have their sign-in credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by
+Users who access the server console will have their sign-in credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by
encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations.
> [!NOTE]
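Review bot: the only change on the `+` line is the removed trailing space, but the line still ends mid-sentence at `Windows mitigates this type of attack by` with the continuation on the next context line; since the line is being modified, join it with `encrypting the information and keeping the cached credentials ...` so the paragraph is one source line like the rest of the file. Hard-wrapped sentences are easy to break when a later edit touches only one half.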
@@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re
### Best practices
-The [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) don't recommend configuring this setting.
+The [Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) don't recommend configuring this setting.
### Location
@@ -64,13 +64,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | 10 logons|
-| DC Effective Default Settings | No effect|
-| Member Server Effective Default Settings | 10 logons|
-| Client Computer Effective Default Settings| 10 logons|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | 10 logons|
+| DC Effective Default Settings | No effect|
+| Member Server Effective Default Settings | 10 logons|
+| Client Computer Effective Default Settings| 10 logons|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -105,7 +105,7 @@ Configure the **Interactive logon: Number of previous logons to cache (in case d
### Potential impact
-Users can't sign in to any devices if there's no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's sign-in information is still in the cache, even if a
+Users can't sign in to any devices if there's no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's sign-in information is still in the cache, even if a
member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to sign in to their computers when they aren't connected to the organization's network.
## Related topics
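Review bot: same mid-sentence hard wrap as in the description section earlier in this file: the `+` line ends at `even if a` and the sentence continues on the unchanged line `member of the IT department ...`; join the two while the line is being changed.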
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
index b63d35d0b2..1c2bd90367 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
@@ -1,8 +1,8 @@
---
-title: Interactive log-on prompt user to change password before expiration
+title: Interactive log-on prompt user to change password before expiration
description: Best practices and security considerations for an interactive log-on prompt for users to change passwords before expiration.
ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the default values for this policy. Default values are
| Server type or Group Policy Object | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Five days|
-| DC Effective Default Settings | Five days |
+| DC Effective Default Settings | Five days |
| Member Server Effective Default Settings| Five days |
-| Client Computer Effective Default Settings | Five days|
-
+| Client Computer Effective Default Settings | Five days|
+
## Policy management
This section describes features and tools that you can use to manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
index c418e7adeb..12c079fced 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Require Domain Controller authentication to unlock workstation
+title: Interactive logon Require Domain Controller authentication to unlock workstation
description: Best practices security considerations, and more for the policy setting, Interactive logon Require Domain Controller authentication to unlock workstation.
ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
index 8d49c17278..7175af2912 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
@@ -4,11 +4,11 @@ description: "Describes the best practices, location, values, policy management,
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
-ms.reviewer:
+ms.reviewer:
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/13/2023
---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
index 55213f035f..4ae503eb5d 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
@@ -1,8 +1,8 @@
---
-title: Interactive logon Smart card removal behavior
+title: Interactive logon Smart card removal behavior
description: Best practices, location, values, policy management, and security considerations for the security policy setting, Interactive logon Smart card removal behavior.
ms.assetid: 61487820-9d49-4979-b15d-c7e735999460
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -67,13 +67,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | No Action|
-| DC Effective Default Settings | No Action|
-| Member Server Effective Default Settings | No Action|
-| Client Computer Effective Default Settings | No Action|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | No Action|
+| DC Effective Default Settings | No Action|
+| Member Server Effective Default Settings | No Action|
+| Client Computer Effective Default Settings | No Action|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
index b63e17c8c2..c8b07ad5e2 100644
--- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
@@ -1,8 +1,8 @@
---
-title: Kerberos Policy
+title: Kerberos Policy
description: Describes the Kerberos Policy settings and provides links to policy setting descriptions.
ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ The Kerberos version 5 authentication protocol provides the default mechanism f
These policy settings are located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**.
-The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting),
+The following topics provide a discussion of implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible settings vulnerabilities of each setting),
countermeasures you can take, and the potential impact for each setting.
## In this section
@@ -40,7 +40,7 @@ countermeasures you can take, and the potential impact for each setting.
| [Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket** policy setting. |
| [Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket renewal** security policy setting. |
| [Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum tolerance for computer clock synchronization** security |
-
+
## Related topics
- [Configure security policy settings](how-to-configure-security-policy-settings.md)
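Review bot: the description cell for `Maximum tolerance for computer clock synchronization` ends at `security |`, whereas the neighbouring rows end with `security policy setting.`; the cell looks truncated and should be completed while this table is being touched. The `-`/`+` pair below the table is trailing whitespace only.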
diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
index 1e9c0d4b8b..7a97507fb3 100644
--- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
+++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
@@ -1,8 +1,8 @@
---
-title: Load and unload device drivers
+title: Load and unload device drivers
description: Describes the best practices, location, values, policy management, and security considerations for the Load and unload device drivers security policy setting.
ms.assetid: 66262532-c610-470c-9792-35ff4389430f
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators
Print Operators|
-| Stand-Alone Server Default Settings | Administrators|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators
Print Operators|
+| Stand-Alone Server Default Settings | Administrators|
| Domain Controller Effective Default Settings | Administrators
Print Operators |
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -91,7 +91,7 @@ This section describes how an attacker might exploit a feature or its configurat
Device drivers run as highly privileged code. A user who has the **Load and unload device drivers** user right could unintentionally install malware that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures.
>**Note:** You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing.
-
+
### Countermeasure
Don't assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, don't assign this user right to any user or group other than Domain Admins.
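Review bot: the note directly above the touched blank line uses the legacy `>**Note:**` form, while the other files in this same patch use the `> [!NOTE]` alert syntax; converting it here keeps the Security considerations section consistent with the rest of the set. The `-`/`+` pair itself is whitespace only.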
diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
index c591706f9c..6be9e7a10f 100644
--- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
+++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
@@ -1,8 +1,8 @@
---
-title: Lock pages in memory
+title: Lock pages in memory
description: Describes the best practices, location, values, policy management, and security considerations for the Lock pages in memory security policy setting.
ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -35,7 +35,7 @@ Enabling this policy setting for a specific account (a user account or a process
> [!NOTE]
> By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system.
-
+
Constant: SeLockMemoryPrivilege
### Possible values
@@ -57,13 +57,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
index cecd34e77c..cd62546d27 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
@@ -1,8 +1,8 @@
---
-title: Log on as a batch job
+title: Log on as a batch job
description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a batch job security policy setting.
ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators
Backup Operators
Performance Log Users|
-| Stand-Alone Server Default Settings | Administrators
Backup Operators
Performance Log Users|
-| Domain Controller Effective Default Settings | Administrators
Backup Operators
Performance Log Users|
-| Member Server Effective Default Settings | Administrators
Backup Operators
Performance Log Users|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators
Backup Operators
Performance Log Users|
+| Stand-Alone Server Default Settings | Administrators
Backup Operators
Performance Log Users|
+| Domain Controller Effective Default Settings | Administrators
Backup Operators
Performance Log Users|
+| Member Server Effective Default Settings | Administrators
Backup Operators
Performance Log Users|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
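Review bot: the multi-value cells in this table are split across physical lines, e.g. `+| Default Domain Controller Policy | Administrators` followed by `Backup Operators` and `Performance Log Users|` on their own lines. A Markdown table row must be a single line, so unless those cells carry explicit line-break markup (such as `<br/>`) that is not visible here, the rows for the domain controller, stand-alone server, DC effective and member server defaults will not render as table rows. Since the hunk already rewrites these lines, confirm each cell is one physical line with an explicit separator between the three groups.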
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
index d1f486957c..f96d6aad98 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
@@ -1,8 +1,8 @@
---
-title: Log on as a service
+title: Log on as a service
description: Describes the best practices, location, values, policy management, and security considerations for the Log on as a service security policy setting.
ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. The po
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Network Service|
-| Member Server Effective Default Settings| Network Service|
-| Client Computer Effective Default Settings | Network Service|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Network Service|
+| Member Server Effective Default Settings| Network Service|
+| Client Computer Effective Default Settings | Network Service|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced because only users who have administrative privileges can install and configure services. An
+The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced because only users who have administrative privileges can install and configure services. An
attacker who has already reached that level of access could configure the service to run with the Local System account.
### Countermeasure
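Review bot: the `+` line ends mid-sentence with `An` and the sentence continues on the unchanged context line `attacker who has already reached that level of access ...`; the same hard wrap appears in the next hunk (`you might need to` / `assign the user right`). Markdown joins these into one paragraph, but the split makes grep and future diffs noisy. Since the hunk is already touching these lines for whitespace, join each sentence onto a single line.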
@@ -93,7 +93,7 @@ By definition, the Network Service account has the **Log on as a service** user
### Potential impact
-On most computers, the **Log on as a service** user right is restricted to the Local System, Local Service, and Network Service built-in accounts by default, and there's no negative impact. But if you have optional components such as ASP.NET or IIS, you might need to
+On most computers, the **Log on as a service** user right is restricted to the Local System, Local Service, and Network Service built-in accounts by default, and there's no negative impact. But if you have optional components such as ASP.NET or IIS, you might need to
assign the user right to the additional accounts that those components require. IIS requires this user right to be explicitly granted to the ASPNET user account.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
index a2be818c7d..180e73d52d 100644
--- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
+++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
@@ -1,8 +1,8 @@
---
-title: Manage auditing and security log
+title: Manage auditing and security log
description: Describes the best practices, location, values, policy management, and security considerations for the Manage auditing and security log security policy setting.
ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings| Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings| Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -100,7 +100,7 @@ Ensure that only the local Administrators group has the **Manage auditing and se
Restricting the **Manage auditing and security log** user right to the local Administrators group is the default configuration.
>**Warning:** If groups other than the local Administrators group have been assigned this user right, removing this user right might cause performance issues with other applications. Before removing this right from a group, investigate whether applications are dependent on this right.
-
+
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
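Review bot: the context line `>**Warning:** If groups other than the local Administrators group ...` uses a bold-label blockquote, while the lock-pages-in-memory page earlier in this patch uses the docs alert syntax `> [!NOTE]`. The `>**Note:** Setting **Maximum password age** to -1 ...` line in the maximum-password-age hunk has the same inconsistency. Since both hunks touch the blank line directly after these callouts, convert them to `> [!WARNING]` and `> [!NOTE]` so the alerts render consistently across the security-policy-settings pages.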
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
index bdc180ccf0..a750dcb65c 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
@@ -1,8 +1,8 @@
---
-title: Maximum lifetime for service ticket
+title: Maximum lifetime for service ticket
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for service ticket security policy setting.
ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server Type or GPO | Default Value |
| - | - |
-| Default Domain Policy| 600 minutes|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not applicable|
-| DC Effective Default Settings | 600 minutes|
-| Member Server Effective Default Settings | Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| Default Domain Policy| 600 minutes|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not applicable|
+| DC Effective Default Settings | 600 minutes|
+| Member Server Effective Default Settings | Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
index 43935998f5..6dc4d1607b 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
@@ -1,8 +1,8 @@
---
-title: Maximum lifetime for user ticket renewal
+title: Maximum lifetime for user ticket renewal
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket renewal security policy setting.
ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -49,13 +49,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| 7 days|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Not applicable|
-| Domain Controller Effective Default Settings | 7 days|
-| Member Server Effective Default Settings | Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| Default Domain Policy| 7 days|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Not applicable|
+| Domain Controller Effective Default Settings | 7 days|
+| Member Server Effective Default Settings | Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
### Policy management
This section describes features, tools, and guidance to help you manage this policy.
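Review bot: the hunk's trailing context line is `### Policy management` (H3), whereas every other page in this patch uses `## Policy management` (H2) for the same section; this leaves the renewal page's policy-management section nested under the default-values section. Promote it to `## Policy management` in this change, since the hunk already ends right above it.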
@@ -91,7 +91,7 @@ Configure the **Maximum lifetime for user ticket renewal** setting to 7 days.
### Potential impact
-Seven (7) days is the default configuration. Changing the default configuration is a tradeoff between user convenience and security. A shorter time period requires users to authenticate with a DC more often, but remote users who authenticate with a DC infrequently can be locked out of services until they reauthenticate.
+Seven (7) days is the default configuration. Changing the default configuration is a tradeoff between user convenience and security. A shorter time period requires users to authenticate with a DC more often, but remote users who authenticate with a DC infrequently can be locked out of services until they reauthenticate.
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
index 1d6f14a767..238e860228 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
@@ -1,8 +1,8 @@
---
-title: Maximum lifetime for user ticket
+title: Maximum lifetime for user ticket
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum lifetime for user ticket policy setting.
ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -49,13 +49,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server Type or GPO | Default Value |
| - | - |
-| Default Domain Policy| 10 hours|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Not applicable|
-| Domain Controller Effective Default Settings | 10 hours|
-| Member Server Effective Default Settings | Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| Default Domain Policy| 10 hours|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Not applicable|
+| Domain Controller Effective Default Settings | 10 hours|
+| Member Server Effective Default Settings | Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
index 1e3180694c..a416e4543c 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
@@ -1,8 +1,8 @@
---
-title: Maximum password age
+title: Maximum password age
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting.
ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Describes the best practices, location, values, policy management, and security
The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a certain number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days.
>**Note:** Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**.
-
+
### Possible values
- User-specified number of days between 0 and 999
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| 42 days|
-| Default domain controller policy| Not defined|
-| Stand-alone server default settings | 42 days|
-| Domain controller effective default settings | 42 days|
-| Member server effective default settings | 42 days|
-| Effective GPO default settings on client computers| 42 days|
-
+| Default domain policy| 42 days|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | 42 days|
+| Domain controller effective default settings | 42 days|
+| Member server effective default settings | 42 days|
+| Effective GPO default settings on client computers| 42 days|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -74,7 +74,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.
+The longer a password exists, the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the **Maximum password age** policy setting to 0 so that users are never required to change their passwords allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.
### Considerations
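Review bot: the `+` line reasserts without qualification that "the longer a password exists, the higher the likelihood that it will be compromised" and that a 0 setting is the risk. Microsoft's own Windows security baselines dropped the periodic-expiration requirement (from the 1903 baseline onward), and NIST SP 800-63B advises against forced periodic changes, so this wording is at odds with current guidance. Since the page is being touched, consider qualifying the sentence so that forced rotation is presented as one option whose value depends on whether compromise detection and MFA are in place, rather than as a straightforward risk reduction.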
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
index 5b2ae28406..fd26c1fd58 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
@@ -1,8 +1,8 @@
---
-title: Maximum tolerance for computer clock synchronization
+title: Maximum tolerance for computer clock synchronization
description: Best practices, location, values, policy management, and security considerations for the policy setting, Maximum tolerance for computer clock synchronization.
ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -28,7 +28,7 @@ Describes the best practices, location, values, policy management, and security
This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication.
-To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date.
+To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date.
Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any timestamp that's used in a session between the two devices is considered to be authentic.
The possible values for this Group Policy setting are:
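Review bot: the context line `If the difference ... is less than the maximum time difference ..., any timestamp that's used in a session between the two devices is considered to be authentic.` overstates what the skew check does. A timestamp within the tolerance is accepted as fresh; authenticity comes from the authenticator being encrypted under the session key, and replays within the window are caught by the replay cache, not by the clock check. Suggest "is accepted as current" instead of "is considered to be authentic", and keeping the "replay attacks" sentence on the `+` line as the explanation of why freshness matters.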
@@ -50,13 +50,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| 5 minutes|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not applicable|
-| Domain Controller Effective Default Settings| 5 minutes|
-| Member Server Effective Default Settings | Not applicable|
-| Client Computer Effective Default Settings | Not applicable|
-
+| Default Domain Policy| 5 minutes|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not applicable|
+| Domain Controller Effective Default Settings| 5 minutes|
+| Member Server Effective Default Settings | Not applicable|
+| Client Computer Effective Default Settings | Not applicable|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
index e4f7c05351..687a39281d 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
@@ -1,7 +1,7 @@
---
title: Microsoft network client Digitally sign communications (always)
description: Best practices and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 01/13/2023
ms.technology: itpro-security
-ms.topic: conceptual
+ms.topic: reference
---
# Microsoft network client: Digitally sign communications (always)
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
index 343e8a2eb7..a3d215db1a 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network client Send unencrypted password
+title: Microsoft network client Send unencrypted password
description: Learn about best practices and more for the security policy setting, Microsoft network client Send unencrypted password to third-party SMB servers.
ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings| Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings| Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
index 72d11c51b4..e79a912300 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network server Amount of idle time required before suspending session
+title: Microsoft network server Amount of idle time required before suspending session
description: Best practices, security considerations, and more for the policy setting, Microsoft network server Amount of idle time required before suspending session.
ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
index f8096dec04..8fcc7102c7 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network server Attempt S4U2Self
+title: Microsoft network server Attempt S4U2Self
description: Learn about the security policy setting, Microsoft network server Attempt S4U2Self to obtain claim information.
ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Describes the best practices, location, values, management, and security conside
## Reference
-This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers
+This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers
and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012.
When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determines if claim information is present. If claims aren't present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain and obtain a claims-enabled access token for the client principal. A claims-enabled token might be needed to access files or folders that have claim-based access control policy applied.
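Review bot: the context line `causes the Windows file server to examine the access token ... and determines if claim information is present` has a number agreement slip; the infinitive chain should read `to examine the access token ... and determine whether claim information is present`. The `+` line directly above it is already being rewritten for whitespace, so this is a cheap fix to fold into the same hunk.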
@@ -64,13 +64,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings| Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings| Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-None. Enabling this policy setting allows you to take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012
+None. Enabling this policy setting allows you to take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012
and Windows 8.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
index 4685a285de..030123cf61 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
@@ -3,12 +3,12 @@ title: Microsoft network server Digitally sign communications (always)
description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Digitally sign communications (always).
author: vinaypamnani-msft
ms.author: vinpa
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/13/2023
---
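Review bot: `ms.reviewer:` is retained as an empty key after its trailing whitespace is stripped; an empty metadata value conveys nothing, so either populate it or drop the key from the front matter. The `ms.topic: conceptual` to `ms.topic: reference` change matches the other policy-setting pages in this patch and needs no further comment.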
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
index c560912610..b7f738611b 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network server Disconnect clients when sign-in hours expire
+title: Microsoft network server Disconnect clients when sign-in hours expire
description: Best practices, location, values, and security considerations for the policy setting, Microsoft network server Disconnect clients when sign-in hours expire.
ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
| DC Effective Default Settings| Enabled |
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
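Review bot: the untouched context row `| DC Effective Default Settings| Enabled |` keeps a space before its closing pipe while every rewritten row around it has none; since this hunk is a whitespace normalization of the same table, include that row so all six value cells are formatted alike.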
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
index b0119771b5..c10cf64969 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
@@ -1,8 +1,8 @@
---
-title: Microsoft network server Server SPN target name validation level
+title: Microsoft network server Server SPN target name validation level
description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Server SPN target name validation level.
ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,7 +54,7 @@ The default setting is Off.
This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities.
>**Note:** All Windows operating systems support a client-side SMB component and a server-side SMB component.
-
+
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
@@ -65,13 +65,13 @@ The following table lists the actual and effective default values for this polic
| Server type or Group Policy object (GPO) | Default value |
| - | - |
-| Default domain policy | Off |
-| Default domain controller policy| Off|
-| Stand-alone server default settings | Off|
-| Domain controller effective default settings| Validation level check not implemented|
-| Member server effective default settings | Validation level check not implemented|
-| Effective GPO default settings on client computers | Validation level check not implemented|
-
+| Default domain policy | Off |
+| Default domain controller policy| Off|
+| Stand-alone server default settings | Off|
+| Domain controller effective default settings| Validation level check not implemented|
+| Member server effective default settings | Validation level check not implemented|
+| Effective GPO default settings on client computers | Validation level check not implemented|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index e42c7f62fc..67cf3aac2e 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -1,8 +1,8 @@
---
-title: Minimum password age
+title: Minimum password age
description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting.
ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 11/13/2018
ms.technology: itpro-security
-ms.topic: conceptual
+ms.topic: reference
---
# Minimum password age
@@ -35,15 +35,15 @@ The **Minimum password age** policy setting determines the period of time (in da
### Best practices
-[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend setting **Minimum password age** to one day.
+[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend setting **Minimum password age** to one day.
-Setting the number of days to 0 allows immediate password changes. This setting isn't recommended.
-Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
-For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
-If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
+Setting the number of days to 0 allows immediate password changes. This setting isn't recommended.
+Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
+For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
+If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
The minimum password age of 1 day prevents that.
-If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
+If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
Otherwise, the user won't be able to change the password until the number of days specified by **Minimum password age**.
### Location
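Review bot: the rewritten example sentence is ambiguous about how many changes are needed: "the password can be changed 24 times in a row until finally changed back to "Ra1ny day!"" can be read as the 24th change being the return to the original, whereas the history requirement of 24 means 24 new passwords are set first and the return to "Ra1ny day!" is a further change; state that explicitly (for example, "changed to 24 different passwords in a row and then changed back"). Separately, the context line "until the number of days specified by **Minimum password age**" is missing its verb and should end "has elapsed."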
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| 1 day|
-| Default domain controller policy| Not defined|
-| Stand-alone server default settings | 0 days|
-| Domain controller effective default settings | 1 day|
-| Member server effective default settings | 1 day|
-| Effective GPO default settings on client computers| 1 day|
-
+| Default domain policy| 1 day|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | 0 days|
+| Domain controller effective default settings | 1 day|
+| Member server effective default settings | 1 day|
+| Effective GPO default settings on client computers| 1 day|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index 4ef50144bc..d264ff4033 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -1,8 +1,8 @@
---
-title: Minimum password length
+title: Minimum password length
description: Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting.
ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 03/30/2022
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
index 0fe460d50d..e3f1d6decd 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
@@ -1,8 +1,8 @@
---
-title: Modify an object label
+title: Modify an object label
description: Describes the best practices, location, values, policy management, and security considerations for the Modify an object label security policy setting.
ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.
-The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although
+The integrity label is used by the Windows Integrity Controls (WIC) feature, which was introduced in Windows Server 2008 and Windows Vista. WIC keeps lower integrity processes from modifying higher integrity processes by assigning one of six possible labels to objects on the system. Although
similar to NTFS file and folder permissions, which are discretionary controls on objects, the WIC integrity levels are mandatory controls that are put in place and enforced by the operating system. The following list describes the integrity levels from lowest to highest:
- **Untrusted** Default assignment for processes that are logged on anonymously.
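Review bot: the replaced line ending in "Although" leaves a sentence hard-wrapped across two source lines ("Although" / "similar to NTFS file and folder permissions ..."); merge them while the line is in the hunk. The same mid-sentence wrap occurs in this file's Vulnerability paragraph ("... the protection that is offered by" / "Windows Integrity Controls ...") and should be fixed in the same pass.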
@@ -62,13 +62,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -94,7 +94,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by
+Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by
Windows Integrity Controls and makes your system vulnerable to attacks by malicious software.
If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts don't have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be relabeled. However, the relabeling must occur by using a process that is at the same or a higher level of integrity than the object that you're attempting to relabel.
diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
index faff714347..5a2d90eb2c 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
@@ -1,8 +1,8 @@
---
-title: Modify firmware environment values
+title: Modify firmware environment values
description: Describes the best practices, location, values, policy management, and security considerations for the Modify firmware environment values security policy setting.
ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -61,13 +61,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO |Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Adminstrators|
-| Stand-Alone Server Default Settings | Adminstrators|
-| Domain Controller Effective Default Settings | Adminstrators|
-| Member Server Effective Default Settings | Adminstrators|
-| Client Computer Effective Default Settings | Adminstrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Adminstrators|
+| Stand-Alone Server Default Settings | Adminstrators|
+| Domain Controller Effective Default Settings | Adminstrators|
+| Member Server Effective Default Settings | Adminstrators|
+| Client Computer Effective Default Settings | Adminstrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
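Review bot: the rewritten table rows carry the misspelling "Adminstrators" in five cells (Default Domain Controller Policy through Client Computer Effective Default Settings); since these lines are being replaced anyway, correct them to "Administrators" rather than reproducing the typo in the new lines.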
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
index 164da34ecf..16e357e6c1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
@@ -1,8 +1,8 @@
---
-title: Network access Allow anonymous SID/Name translation
+title: Network access Allow anonymous SID/Name translation
description: Best practices, location, values, policy management and security considerations for the policy setting, Network access Allow anonymous SID/Name translation.
ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
### Operating system version differences
The default value of this setting has changed between operating systems as follows:
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
index caccbb931a..9f3219cb41 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md
@@ -1,8 +1,8 @@
---
-title: Network access Do not allow anonymous enumeration
+title: Network access Do not allow anonymous enumeration
description: Learn about best practices and more for the security policy setting, Network access Do not allow anonymous enumeration of SAM accounts and shares.
ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
index 83888d29df..e737e440d1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md
@@ -1,8 +1,8 @@
---
-title: Network access Do not allow anonymous enumeration of SAM accounts
+title: Network access Do not allow anonymous enumeration of SAM accounts
description: Describes the best practices, location, values, and security considerations for the Network access Do not allow anonymous enumeration of SAM accounts security policy setting.
ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
index 770a44407d..07e8b5d1cb 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
@@ -1,8 +1,8 @@
---
-title: Network access Do not allow storage of passwords and credentials for network authentication
+title: Network access Do not allow storage of passwords and credentials for network authentication
description: Learn about best practices and more for the security policy setting, Network access Do not allow storage of passwords and credentials for network authentication
ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 07/01/2021
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy| Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings| Disabled|
-| Member server effective default settings | Disabled|
-| Effective GPO default settings on client computers |Disabled|
-
+| Default domain policy| Not defined|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings| Disabled|
+| Member server effective default settings | Disabled|
+| Effective GPO default settings on client computers |Disabled|
+
### Policy management
This section describes features and tools that are available to help you manage this policy.
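Review bot: the context heading `### Policy management` is at H3 here, while every other policy-setting page in this patch uses `## Policy management` at H2 with the identical introductory sentence; change it to `##` so the section structure is consistent across the set.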
@@ -83,7 +83,7 @@ This section describes how an attacker might exploit a feature or its configurat
Passwords that are cached can be accessed by the user when logged on to the device. Although this information may sound obvious, a problem can arise if the user unknowingly runs malicious software that reads the passwords and forwards them to another, unauthorized user.
>**Note:** The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies.
-
+
Regardless of what encryption algorithm is used to encrypt the password verifier, a password verifier can be overwritten so that an attacker can authenticate as the user to whom the verifier belongs. Therefore, the administrator's password may be overwritten. This procedure requires physical access to the device. Utilities exist that can help overwrite the cached verifier. With the help of one of these utilities, an attacker can authenticate by using the overwritten value.
Overwriting the administrator's password doesn't help the attacker access data that is encrypted by using that password. Also, overwriting the password doesn't help the attacker access any Encrypting File System (EFS) data that belongs to other users on that device. Overwriting the password doesn't help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) won't decrypt.
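Review bot: the two context paragraphs read as contradictory: the first says a cached password verifier "can be overwritten so that an attacker can authenticate as the user", the second says overwriting the password "doesn't help an attacker replace the verifier". Since only a blank line changes in this hunk, consider tightening the second paragraph to say what it means: an overwritten verifier permits logon but does not reproduce the original keying material, so EFS- and DPAPI-protected data remains undecryptable.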
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
index 618f7ffbc0..65f3d3d7c6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
@@ -1,8 +1,8 @@
---
-title: Let Everyone permissions apply to anonymous users
+title: Let Everyone permissions apply to anonymous users
description: Learn about best practices, security considerations and more for the security policy setting, Network access Let Everyone permissions apply to anonymous users.
ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
index 7a1acb165d..311f70c3ef 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
@@ -1,8 +1,8 @@
---
-title: Network access Named Pipes that can be accessed anonymously
+title: Network access Named Pipes that can be accessed anonymously
description: Describes best practices, security considerations and more for the security policy setting, Network access Named Pipes that can be accessed anonymously.
ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Netlogon, samr, lsarpc|
-| Stand-Alone Server Default Settings | Null|
-| DC Effective Default Settings | Netlogon, samr, lsarpc|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Netlogon, samr, lsarpc|
+| Stand-Alone Server Default Settings | Null|
+| DC Effective Default Settings | Netlogon, samr, lsarpc|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -79,15 +79,15 @@ You can restrict access over named pipes such as COMNAP and LOCATOR to help prev
| Named pipe | Purpose |
| - | - |
-| COMNAP | SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.|
-| COMNODE| SNA Server named pipe.|
-| SQL\QUERY | Default named pipe for SQL Server.|
-| SPOOLSS | Named pipe for the Print Spooler service.|
-| EPMAPPER | End Point Mapper named pipe.|
-| LOCATOR | Remote Procedure Call Locator service named pipe.|
-| TrlWks | Distributed Link Tracking Client named pipe.|
-| TrkSvr | Distributed Link Tracking Server named pipe.|
-
+| COMNAP | SNABase named pipe. Systems network Architecture (SNA) is a collection of network protocols that were originally developed for IBM mainframe computers.|
+| COMNODE| SNA Server named pipe.|
+| SQL\QUERY | Default named pipe for SQL Server.|
+| SPOOLSS | Named pipe for the Print Spooler service.|
+| EPMAPPER | End Point Mapper named pipe.|
+| LOCATOR | Remote Procedure Call Locator service named pipe.|
+| TrlWks | Distributed Link Tracking Client named pipe.|
+| TrkSvr | Distributed Link Tracking Server named pipe.|
+
### Countermeasure
Configure the **Network access: Named Pipes that can be accessed anonymously** setting to a null value (enable the setting but don't specify named pipes in the text box).
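Review bot: While these rows are being rewritten, `TrlWks` in the Distributed Link Tracking Client row looks like a typo for `TrkWks` (the sibling server pipe in the next row is `TrkSvr`, and the client service is TrkWks), and `Systems network Architecture` in the COMNAP row should be `Systems Network Architecture`; both fixes belong in this hunk since the lines are already touched.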
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
index 9c968a3f5c..12988a2e90 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
@@ -1,8 +1,8 @@
---
-title: Network access Remotely accessible registry paths and subpaths
+title: Network access Remotely accessible registry paths and subpaths
description: Describes best practices, location, values, and security considerations for the policy setting, Network access Remotely accessible registry paths and subpaths.
ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
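Review bot: The trimmed `ms.reviewer:` line is left as a key with no value, which YAML reads as null; that is harmless, but if the field is unused across these pages it would be cleaner to drop the key than to keep rewriting its trailing whitespace in every file.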
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for
This policy setting determines which registry paths and subpaths are accessible when an application or process references the WinReg key to determine access permissions.
-The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive,
+The registry is a database for device configuration information, much of which is sensitive. A malicious user can use it to facilitate unauthorized activities. The chance of this happening is reduced by the fact that the default ACLs that are assigned throughout the registry are fairly restrictive,
and they help protect it from access by unauthorized users.
To allow remote access, you must also enable the Remote Registry service.
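Review bot: The rewritten `+` line still ends mid-sentence at `fairly restrictive,` with `and they help protect it from access by unauthorized users.` on the next line; since the line is being touched anyway, join the two so the sentence is one source line and future diffs stay readable. `A malicious user can use it` would also read more clearly as `can use this information`.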
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | See the following registry key combination|
-| DC Effective Default Settings | See the following registry key combination|
-| Member Server Effective Default Settings | See the following registry key combination|
-| Client Computer Effective Default Settings | See the following registry key combination|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | See the following registry key combination|
+| DC Effective Default Settings | See the following registry key combination|
+| Member Server Effective Default Settings | See the following registry key combination|
+| Client Computer Effective Default Settings | See the following registry key combination|
+
The combination of all the following registry keys apply to the previous settings:
1. System\\CurrentControlSet\\Control\\Print\\Printers
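Review bot: The context line `The combination of all the following registry keys apply to the previous settings:` has a subject-verb mismatch (`combination ... applies`); it is not part of this change, but it sits directly under the table being rewritten and is worth folding in here.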
@@ -99,7 +99,7 @@ Configure the **Network access: Remotely accessible registry paths and sub-paths
Remote management tools such as MBSA and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail.
>**Note:** If you want to allow remote access, you must also enable the Remote Registry service.
-
+
## Related topics
- [Security Options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
index dd86f8a026..3a1924da9a 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
@@ -1,8 +1,8 @@
---
-title: Network access Remotely accessible registry paths
+title: Network access Remotely accessible registry paths
description: Best practices, location, values, policy management and security considerations for the policy setting, Network access Remotely accessible registry paths.
ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | See the following registry key combination|
-| DC Effective Default Settings | See the following registry key combination|
-| Member Server Effective Default Settings | See the following registry key combination|
-| Client Computer Effective Default Settings | See the following registry key combination|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | See the following registry key combination|
+| DC Effective Default Settings | See the following registry key combination|
+| Member Server Effective Default Settings | See the following registry key combination|
+| Client Computer Effective Default Settings | See the following registry key combination|
+
The combination of all the following registry keys apply to the previous settings:
1. System\\CurrentControlSet\\Control\\ProductOptions
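Review bot: Same subject-verb mismatch as the sibling sub-paths page: `The combination of all the following registry keys apply` should be `applies`; fix it here as well so the two pages stay consistent.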
@@ -90,7 +90,7 @@ Configure the **Network access: Remotely accessible registry paths** setting to
Remote management tools such as the Microsoft Baseline Security Analyzer (MBSA) and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail.
>**Note:** If you want to allow remote access, you must also enable the Remote Registry service.
-
+
## Related topics
- [Security Options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
index 30cbc5b78f..e45ad66787 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
@@ -1,8 +1,8 @@
---
-title: Network access Restrict anonymous access to Named Pipes and Shares
+title: Network access Restrict anonymous access to Named Pipes and Shares
description: Best practices, security considerations, and more for the security policy setting, Network access Restrict anonymous access to Named Pipes and Shares.
ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -32,7 +32,7 @@ Describes the best practices, location, values, policy management and security c
## Reference
-This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key
+This policy setting enables or disables the restriction of anonymous access to only those shared folders and pipes that are named in the **Network access: Named pipes that can be accessed anonymously** and [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md) settings. The setting controls null session access to shared folders on your computers by adding RestrictNullSessAccess with the value 1 in the registry key
**HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters**. This registry value toggles null session shared folders on or off to control whether the Server service restricts unauthenticated clients' access to named resources.
Null sessions are a weakness that can be exploited through the various shared folders on the devices in your environment.
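Review bot: The rewritten line still breaks the sentence before `**HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters**` on the next line; join them in this hunk so the registry path and the sentence that introduces it are on one source line, and write `the value 1` as `the value \`1\`` to match how the path itself is marked up.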
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Enabled|
-| Client Computer Effective Default Settings| Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Enabled|
+| Client Computer Effective Default Settings| Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 6b65885d98..587ae7e3a5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -7,12 +7,12 @@ ms.localizationpriority: medium
ms.date: 09/17/2018
author: vinaypamnani-msft
ms.author: vinpa
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
---
# Network access: Restrict clients allowed to make remote calls to SAM
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
index dc0a2dda77..57882060a6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
@@ -1,8 +1,8 @@
---
-title: Network access Shares that can be accessed anonymously
+title: Network access Shares that can be accessed anonymously
description: Learn about best practices, security considerations, and more for the security policy setting, Network access Shares that can be accessed anonymously.
ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -48,13 +48,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
index c11be07eab..9665aaaaf7 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
@@ -1,8 +1,8 @@
---
-title: Network access Sharing and security model for local accounts
+title: Network access Sharing and security model for local accounts
description: Best practices, security considerations, and more for the security policy setting, Network access Sharing and security model for local accounts.
ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -31,7 +31,7 @@ This policy setting determines how network logons that use local accounts are au
>**Note:** This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services.
When the device is not joined to a domain, this policy setting also tailors the **Sharing** and **Security** tabs in Windows Explorer to correspond to the sharing and security model that is being used.
-
+
When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This privilege means that they'll probably be unable to write to shared folders. Although this restriction does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources.
### Possible values
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Classic (local users authenticate as themselves)|
-| DC Effective Default Settings | Classic (local users authenticate as themselves)|
-| Member Server Effective Default Settings | Classic (local users authenticate as themselves)|
-| Client Computer Effective Default Settings | Classic (local users authenticate as themselves)|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Classic (local users authenticate as themselves)|
+| DC Effective Default Settings | Classic (local users authenticate as themselves)|
+| Member Server Effective Default Settings | Classic (local users authenticate as themselves)|
+| Client Computer Effective Default Settings | Classic (local users authenticate as themselves)|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
index a946a20ae9..04167671df 100644
--- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
@@ -1,8 +1,8 @@
---
-title: Network List Manager policies
+title: Network List Manager policies
description: Network List Manager policies are security settings that configure different aspects of how networks are listed and displayed on one device or on many devices.
ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -36,7 +36,7 @@ The following policy settings are provided for Network List Manager Policies. Th
### Unidentified Networks
-This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the
+This policy setting allows you to configure the **Network Location**, including the location type and the user permissions, for networks that Windows cannot identify due to a network issue or a lack of identifiable characters in the network information received by the operating system from the
network. A network location identifies the type of network that a computer is connected to and automatically sets the appropriate firewall settings for that location. You can configure the following items for this policy setting:
- **Location type**. For this item, the following options are available:
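Review bot: The rewritten line ends mid-sentence at `from the` with `network.` starting the next line; join the two while the line is touched, and consider `a lack of identifiable characters` → `a lack of identifiable characteristics`, which is what the sentence is describing.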
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
index bdd1418a71..509602f606 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
@@ -2,7 +2,7 @@
title: "Network security: Allow Local System to use computer identity for NTLM (Windows 10)"
description: Location, values, policy management, and security considerations for the policy setting, Network security Allow Local System to use computer identity for NTLM.
ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 10/04/2021
ms.technology: itpro-security
---
@@ -34,11 +34,11 @@ When a service connects with the device identity, signing and encryption are sup
### Possible values
| Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 |
-| - | - | - |
+| - | - | - |
| Enabled | Services running as Local System that use Negotiate will use the computer identity. This value might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This behavior is the default behavior. |
| Disabled| Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. This behavior is the default behavior.| Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously.|
-|Neither|Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that uses Negotiate will use the computer identity. This behavior might cause some authentication requests between Windows operating systems to fail and log an error.|
-
+|Neither|Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that uses Negotiate will use the computer identity. This behavior might cause some authentication requests between Windows operating systems to fail and log an error.|
+
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
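Review bot: In the rewritten `Neither` row (and the unchanged `Disabled` row above it), `Services running as Local System that uses Negotiate` should read `that use Negotiate` (plural subject); fix it in this hunk since the row is already being rewritten. The separator-row change is whitespace-only and fine.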
@@ -48,13 +48,13 @@ The following table lists the actual and effective default values for this polic
| Server type or Group Policy object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not applicable|
-| Member server effective default settings | Not applicable|
-| Effective GPO default settings on client computers | Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not applicable|
+| Member server effective default settings | Not applicable|
+| Effective GPO default settings on client computers | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
index fd87daba06..02d157f8db 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md
@@ -1,8 +1,8 @@
---
-title: Network security Allow LocalSystem NULL session fallback
+title: Network security Allow LocalSystem NULL session fallback
description: Describes the best practices, location, values, and security considerations for the Network security Allow LocalSystem NULL session fallback security policy setting.
ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
## Reference
-This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local
+This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local
System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session doesn't establish a unique session key for each authentication; and thus, it can't provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility.
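Review bot: The rewritten `+` line still ends mid-sentence at `services running as Local` with `System will fall back ...` on the next line, splitting the name `Local System`; join them here so the term and the sentence survive as one source line.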
### Possible values
@@ -38,7 +38,7 @@ System will fall back to using NULL session authentication when they transmit da
- **Disabled**
- When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a
+ When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a
NULL session will still have full use of session security.
- Not defined. When this policy isn't defined, the default takes effect. This policy is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it's Disabled otherwise.
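Review bot: `at the risk of degrading application incompatibility` in the rewritten `+` line is self-contradictory; it should be `application compatibility`. The same line also still ends mid-sentence at `instead of a` with `NULL session will still have full use of session security.` on the next line, so join them while here.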
@@ -57,13 +57,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not applicable|
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not applicable|
| Member server effective default settings | Not applicable |
-| Effective GPO default settings on client computers | Not applicable|
-
+| Effective GPO default settings on client computers | Not applicable|
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index abc5d527cd..202d37d4e5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -1,8 +1,8 @@
---
-title: Network security Allow PKU2U authentication requests to this computer to use online identities
+title: Network security Allow PKU2U authentication requests to this computer to use online identities
description: Best practices for the Network Security Allow PKU2U authentication requests to this computer to use online identities security setting.
ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/03/2022
ms.technology: itpro-security
---
@@ -33,7 +33,7 @@ When devices are configured to accept authentication requests by using online ID
> [!NOTE]
> Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager.
-
+
This policy isn't configured by default on domain-joined devices. This disablement would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later.
### Possible values
@@ -61,21 +61,21 @@ The following table lists the effective default values for this policy. Default
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Disabled|
-| Member server effective default settings | Disabled|
-| Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled|
-| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Disabled|
+| Member server effective default settings | Disabled|
+| Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled|
+| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled|
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure.
### Vulnerability
-Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or a Microsoft Entra account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Microsoft Entra joined devices, where they're signed in with an online identity and are issued certificates by Microsoft Entra ID. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Microsoft Entra ID is used as it relies on the user's online identity and Microsoft Entra ID to authenticate.
+Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or a Microsoft Entra account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Microsoft Entra joined devices, where they're signed in with an online identity and are issued certificates by Microsoft Entra ID. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Microsoft Entra ID is used as it relies on the user's online identity and Microsoft Entra ID to authenticate.
### Countermeasure
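Review bot: the `-`/`+` pair for the Vulnerability paragraph is identical as displayed, so this hunk (and the default-value table rows above it) is a trailing-whitespace cleanup only; while the paragraph is being touched, its closing claim "it doesn't pose any threats in a hybrid environment" is an absolute that sits awkwardly next to the preceding "might circumvent established security policies", and it would read more accurately as "it doesn't introduce additional risk in a hybrid environment where Microsoft Entra ID is used, because authentication relies on the user's online identity and Microsoft Entra ID".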
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index 465adda6a7..5e1c37d2b4 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -1,16 +1,16 @@
---
title: Network security Configure encryption types allowed for Kerberos
description: Best practices, location, values and security considerations for the policy setting, Network security Configure encryption types allowed for Kerberos Win7 only.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
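Review bot: the `description` on the context line still says the setting is "Win7 only", which the body of this same file contradicts (the DES row in the next hunk covers Windows 10, Windows 11, Windows Server 2008 R2 and later); since this hunk already edits the frontmatter (`ms.topic: conceptual` to `ms.topic: reference`), update the description in the same change, and consider whether `ms.date: 04/19/2017` should move as well.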
@@ -32,7 +32,7 @@ For more information, see [KDC event ID 16 or 27 is logged if DES for Kerberos i
The following table lists and explains the allowed encryption types.
-
+
| Encryption type | Description and version support |
| - | - |
| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows 11, Windows Server 2008 R2, and later operating systems don't support DES by default. |
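Review bot: the `DES_CBC_CRC` row of the encryption-type table is split across two source lines ("...using the Cyclic Redundancy Check function" and then "Supported in Windows 2000 Server, ..."), so the second line will not render inside the cell but as a stray paragraph after the table; this hunk only normalises the blank line above the table, so join the two lines into a single row, using `<br>` if a visible break inside the cell is wanted.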
@@ -91,7 +91,7 @@ Don't configure this policy. This disablement will force the computers running W
### Potential impact
If you don't select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol.
-
+
If you do select any encryption type, you'll lower the effectiveness of encryption for Kerberos authentication but you'll improve interoperability with computers running older versions of Windows.
Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption.
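Review bot: the sentence "If you do select any encryption type, you'll lower the effectiveness of encryption for Kerberos authentication" contradicts the sentence before it, which warns that selecting none causes authentication failures; what lowers effectiveness is selecting the weaker types (for example DES, which the next paragraph says is being deprecated), so the sentence should name those rather than "any encryption type". The hunk itself only strips whitespace from the blank line between the two sentences.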
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
index 7402fd0df1..c708a656d1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
@@ -1,8 +1,8 @@
---
-title: Network security Do not store LAN Manager hash value on next password change
+title: Network security Do not store LAN Manager hash value on next password change
description: Best practices, security considerations, and more for the security policy setting, Network security Do not store LAN Manager hash value on next password change.
ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings|Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings|Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
index 99826613ed..665eee915f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
@@ -1,8 +1,8 @@
---
-title: Network security Force logoff when logon hours expire
+title: Network security Force logoff when logon hours expire
description: Best practices, location, values, policy management, and security considerations for the policy setting, Network security Force logoff when logon hours expire.
ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Disabled|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Disabled|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
index c6847770d4..57246a6f27 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
@@ -1,8 +1,8 @@
---
-title: Network security LAN Manager authentication level
+title: Network security LAN Manager authentication level
description: Best practices, location, values, policy management and security considerations for the policy setting, Network security LAN Manager authentication level.
ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,18 +50,18 @@ LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it's
- Send NTLMv2 responses only. Refuse LM & NTLM
- Not Defined
-The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the
+The **Network security: LAN Manager authentication level** setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the
authentication level that servers accept. The following table identifies the policy settings, describes the setting, and identifies the security level used in the corresponding registry setting if you choose to use the registry to control this setting instead of the policy setting.
| Setting | Description | Registry security level |
| - | - | - |
-| Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 0|
-| Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1|
-| Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2|
-| Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3|
-| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.| 4|
-| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.| 5|
-
+| Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 0|
+| Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1|
+| Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2|
+| Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3|
+| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.| 4|
+| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.| 5|
+
### Best practices
- Best practices are dependent on your specific security and authentication requirements.
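Review bot: the `-`/`+` line ending in "...the session security level that the computers negotiate, and the" is wrapped mid-sentence, so if the stripped trailing whitespace was a two-space Markdown hard line break, this hunk changes rendering (correctly) by joining it with the following "authentication level that servers accept" line; please confirm in the built page that the paragraph now renders as one sentence, and that none of the similarly wrapped lines elsewhere in this patch relied on such a break intentionally. The table rows in this hunk change only in whitespace.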
@@ -80,13 +80,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Send NTLMv2 response only|
-| DC Effective Default Settings | Send NTLMv2 response only|
-| Member Server Effective Default Settings | Send NTLMv2 response only|
-| Client Computer Effective Default Settings | Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Send NTLMv2 response only|
+| DC Effective Default Settings | Send NTLMv2 response only|
+| Member Server Effective Default Settings | Send NTLMv2 response only|
+| Client Computer Effective Default Settings | Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
index 3232a699e0..2199e96b47 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
@@ -1,8 +1,8 @@
---
-title: Network security LDAP client signing requirements
+title: Network security LDAP client signing requirements
description: Best practices, location, values, policy management and security considerations for the policy setting, Network security LDAP client signing requirements.
ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Negotiate signing|
-| DC Effective Default Settings | Negotiate signing|
-| Member Server Effective Default Settings | Negotiate signing|
-| Client Computer Effective Default Settings | Negotiate signing|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Negotiate signing|
+| DC Effective Default Settings | Negotiate signing|
+| Member Server Effective Default Settings | Negotiate signing|
+| Client Computer Effective Default Settings | Negotiate signing|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
index cd6838a4f8..5bda79521f 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
@@ -1,8 +1,8 @@
---
-title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients
+title: Network security Minimum session security for NTLM SSP based (including secure RPC) clients
description: Best practices and more for the security policy setting, Network security Minimum session security for NTLM SSP based (including secure RPC) clients.
ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 07/27/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Require 128-bit encryption|
-| DC Effective Default Settings | Require 128-bit encryption|
-| Member Server Effective Default Settings | Require 128-bit encryption|
-| Client Computer Effective Default Settings | Require 128-bit encryption|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Require 128-bit encryption|
+| DC Effective Default Settings | Require 128-bit encryption|
+| Member Server Effective Default Settings | Require 128-bit encryption|
+| Client Computer Effective Default Settings | Require 128-bit encryption|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
index 701259d037..ebae59999d 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
@@ -1,8 +1,8 @@
---
-title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers
+title: Network security Minimum session security for NTLM SSP based (including secure RPC) servers
description: Best practices and security considerations for the policy setting, Network security Minimum session security for NTLM SSP based (including secure RPC) servers.
ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -51,13 +51,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Require 128-bit encryption|
-| DC Effective Default Settings | Require 128-bit encryption|
-| Member Server Effective Default Settings | Require 128-bit encryption|
-| Client Computer Effective Default Settings | Require 128-bit encryption|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Require 128-bit encryption|
+| DC Effective Default Settings | Require 128-bit encryption|
+| Member Server Effective Default Settings | Require 128-bit encryption|
+| Client Computer Effective Default Settings | Require 128-bit encryption|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
index 754a7cbc0e..b0e28dc0b1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication
+title: Network security Restrict NTLM Add remote server exceptions for NTLM authentication
description: Best practices, security considerations, and more for the policy setting, Network security Restrict NTLM Add remote server exceptions for NTLM authentication.
ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,13 +59,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings| Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings| Not defined|
+
## Policy management
This section describes the features and tools that are available to help you manage this policy.
@@ -90,14 +90,14 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-When it has been determined that the NTLM authentication protocol shouldn't be used from a client device to any remote servers because you're required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security:
+When it has been determined that the NTLM authentication protocol shouldn't be used from a client device to any remote servers because you're required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security:
Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked.
If you define an exception list of servers to which client devices are allowed to use NTLM authentication, then NTLM authentication traffic will continue to flow between those client applications and servers. The servers then are vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM.
### Countermeasure
-When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote
+When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote
servers in your environment. When assessed, you'll have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication.
### Potential impact
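Review bot: the Countermeasure sentence on the changed line and its continuation, "you can determine by reviewing which client applications are making NTLM authentication requests to the remote servers", is missing what is being reviewed; since the sentence is already about audit-only mode, suggest "you can determine, by reviewing the audit events, which client applications are making NTLM authentication requests to the remote servers in your environment". The following "When assessed, you'll have to determine" would also read better as "Once assessed, decide on a case-by-case basis whether NTLM authentication still meets your security requirements".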
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
index c0ebdc1ba5..b6aa571487 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Add server exceptions in this domain
+title: Network security Restrict NTLM Add server exceptions in this domain
description: Best practices, security considerations, and more for the security policy setting, Network security Restrict NTLM Add server exceptions in this domain.
ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,12 +59,12 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
| Default domain policy| Not defined |
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -89,10 +89,10 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-When it has been determined that the NTLM authentication protocol shouldn't be used within a domain because you're required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security:
+When it has been determined that the NTLM authentication protocol shouldn't be used within a domain because you're required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security:
[Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request.
-If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security
+If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security
weaknesses in NTLM.
### Countermeasure
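Review bot: the changed Vulnerability line ends with "If so, and you set Network Security:" and the next line opens the link "[Network Security: Restrict NTLM: NTLM authentication in this domain](...)", so the rendered text repeats "Network Security:" twice; drop the trailing "Network Security:" from the changed line so it reads "If so, and you set [Network Security: Restrict NTLM: NTLM authentication in this domain](...) to any of the deny options". In the second changed line, "which make them vulnerable" should be "which makes them vulnerable".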
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
index d5104ea5b7..c81152a791 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Audit incoming NTLM traffic
+title: Network security Restrict NTLM Audit incoming NTLM traffic
description: Best practices, security considerations and more for the security policy setting, Network Security Restrict NTLM Audit incoming NTLM traffic.
ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -33,7 +33,7 @@ When this audit policy is enabled within Group Policy, it's enforced on any serv
When you enable this policy on a server, only authentication traffic to that server will be logged.
-When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it doesn't actually block any traffic. Therefore, you can use it effectively to understand the
+When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it doesn't actually block any traffic. Therefore, you can use it effectively to understand the
authentication traffic in your environment, and when you're ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**.
### Possible values
@@ -66,13 +66,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
index dbc99216c2..f79dd47f62 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
@@ -1,13 +1,13 @@
---
title: Network security Restrict NTLM Audit NTLM authentication in this domain
description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Audit NTLM authentication in this domain.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
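Review bot: The `ms.reviewer:` key at the top of this hunk is kept with an empty value on both sides of the change (only its trailing whitespace is removed). An empty metadata key adds nothing to the published page and invites lint warnings; either populate it or drop the key entirely alongside the `ms.topic: reference` edit, and apply the same treatment to the other files in this patch that carry a bare `ms.reviewer:`.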
@@ -46,7 +46,7 @@ When you enable this audit policy, it functions in the same way as the **Network
The domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain servers**.
- **Enable all**
-
+
The domain controller on which this policy is set will log all events for incoming NTLM traffic.
### Best practices
@@ -61,13 +61,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -90,7 +90,7 @@ There are no security audit event policies that can be configured to view output
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
-NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the
+NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the
Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards.
### Vulnerability
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
index 3a547350da..5f964c33cc 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Incoming NTLM traffic
+title: Network security Restrict NTLM Incoming NTLM traffic
description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Incoming NTLM traffic.
ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -60,13 +60,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
+| Default domain policy| Not defined|
| Default domain controller policy | Not defined |
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
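Review bot: The untouched context row `| Default domain controller policy | Not defined |` in this table uses a space before the closing pipe while every other row in the hunk is written as `Not defined|`. Since the hunk already rewrites the surrounding rows, normalize that row too so the table has one consistent cell style; the same inconsistency appears in the `Not configured |` rows of the NTLM authentication in this domain table further down.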
@@ -101,7 +101,7 @@ When it has been determined that the NTLM authentication protocol shouldn't be u
### Potential impact
-If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that
+If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set **Network security: Restrict NTLM: Audit Incoming NTLM traffic** to the same option so that
you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md).
## Related topics
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
index 61092a99fc..8b9e4f8973 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
@@ -1,13 +1,13 @@
---
title: Network security Restrict NTLM in this domain
description: Learn about best practices, security considerations and more for the security policy setting, Network Security Restrict NTLM NTLM authentication in this domain.
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.technology: itpro-security
ms.date: 12/31/2017
---
@@ -63,13 +63,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not configured|
-| Default domain controller policy | Not configured|
+| Default domain policy| Not configured|
+| Default domain controller policy | Not configured|
| Stand-alone server default settings | Not configured|
-| Domain controller effective default settings | Not configured|
-| Member server effective default settings | Not configured |
-| Client computer effective default settings | Not configured|
-
+| Domain controller effective default settings | Not configured|
+| Member server effective default settings | Not configured |
+| Client computer effective default settings | Not configured|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
@@ -100,7 +100,7 @@ Malicious attacks on NTLM authentication traffic resulting in a compromised serv
### Countermeasure
-When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage
+When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage
within the domain.
### Potential impact
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index 5aedc2eb5b..4869db61ec 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -1,8 +1,8 @@
---
-title: Network security Restrict NTLM Outgoing traffic
+title: Network security Restrict NTLM Outgoing traffic
description: Learn about best practices, security considerations and more for the policy setting, Network Security Restrict NTLM Outgoing NTLM traffic to remote servers.
ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/15/2022
ms.technology: itpro-security
---
@@ -34,7 +34,7 @@ Describes the best practices, location, values, management aspects, and security
The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system.
>**Warning:** Modifying this policy setting may affect compatibility with client computers, services, and applications.
-
+
### Possible values
- **Allow all**
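Review bot: The warning in this hunk's context line is written as a plain blockquote, `>**Warning:** Modifying this policy setting may affect compatibility ...`, which renders as an ordinary quote rather than a highlighted alert. Since the blank line after it is already being touched, this is a good moment to switch to the `> [!WARNING]` alert syntax that the docs platform renders as a callout, which better matches a statement that the setting can break clients, services and applications.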
@@ -65,13 +65,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not defined|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not defined|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not defined|
+
## Policy management
This section describes different features and tools available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index 34f17b6527..a00661af55 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -8,7 +8,7 @@ manager: aaroncz
ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 06/07/2023
---
diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md
index 70396092e7..1d6e578b5c 100644
--- a/windows/security/threat-protection/security-policy-settings/password-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/password-policy.md
@@ -1,8 +1,8 @@
---
-title: Password Policy
+title: Password Policy
description: An overview of password policies for Windows and links to information for each policy setting.
ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
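Review bot: `ms.topic: reference` is applied to password-policy.md in this hunk, but the body of that file (the topic table in the next hunk) is a hub page linking to the individual password policy settings rather than a reference entry for one setting. Check whether the page taxonomy's overview type fits this file better before giving it the same value as the per-setting pages, so that topic-type filtering and freshness rules treat it correctly.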
@@ -50,14 +50,14 @@ The following topics provide a discussion of password policy implementation and
| Topic | Description |
| - | - |
-| [Enforce password history](enforce-password-history.md)| Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.|
-| [Maximum password age](maximum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.|
-| [Minimum password age](minimum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.|
-| [Minimum password length](minimum-password-length.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.|
+| [Enforce password history](enforce-password-history.md)| Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.|
+| [Maximum password age](maximum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.|
+| [Minimum password age](minimum-password-age.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.|
+| [Minimum password length](minimum-password-length.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.|
| [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) | Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.|
-| [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) | Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.|
-
+| [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) | Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.|
+
## Related topics
- [Configure security policy settings](how-to-configure-security-policy-settings.md)
-
+
diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
index e74ff5c974..15ffdec99c 100644
--- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
+++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
@@ -1,8 +1,8 @@
---
-title: Perform volume maintenance tasks
+title: Perform volume maintenance tasks
description: Describes the best practices, location, values, policy management, and security considerations for the Perform volume maintenance tasks security policy setting.
ms.assetid: b6990813-3898-43e2-8221-c9c06d893244
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| DC Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| DC Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
index f77e48438c..2bdc87455f 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
@@ -1,8 +1,8 @@
---
-title: Profile single process
+title: Profile single process
description: Describes the best practices, location, values, policy management, and security considerations for the Profile single process security policy setting.
ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings| Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings| Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
index 9c7b9de8c4..6be8f9269b 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
@@ -1,8 +1,8 @@
---
-title: Profile system performance
+title: Profile system performance
description: Best practices, location, values, policy management, and security considerations for the security policy setting, Profile system performance.
ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
index 34e5e2b851..590b49f09b 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
@@ -1,8 +1,8 @@
---
-title: Recovery console Allow automatic administrative logon
+title: Recovery console Allow automatic administrative logon
description: Best practices, location, values, policy management, and security considerations for the policy setting, Recovery console Allow automatic administrative logon.
ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy| Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy| Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
index fdb56ca78e..08ca6beb3f 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
@@ -1,8 +1,8 @@
---
-title: Recovery console Allow floppy copy and access to all drives and folders
+title: Recovery console Allow floppy copy and access to all drives and folders
description: Best practices, security considerations, and more for the policy setting, Recovery console Allow floppy copy and access to all drives and folders.
ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
index c0f395231c..253213f2c1 100644
--- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
+++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
@@ -1,8 +1,8 @@
---
-title: Remove computer from docking station - security policy setting
+title: Remove computer from docking station - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting.
ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -54,13 +54,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
index 5079dab92d..d180d2acea 100644
--- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
+++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
@@ -1,8 +1,8 @@
---
-title: Replace a process level token
+title: Replace a process level token
description: Describes the best practices, location, values, policy management, and security considerations for the Replace a process level token security policy setting.
ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
+| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Network Service
Local Service |
-| Stand-Alone Server Default Settings | Network Service
Local Service|
-| Domain Controller Effective Default Settings | Network Service
Local Service|
-| Member Server Effective Default Settings | Network Service
Local Service|
-| Client Computer Effective Default Settings | Network Service
Local Service|
-
+| Stand-Alone Server Default Settings | Network Service
Local Service|
+| Domain Controller Effective Default Settings | Network Service
Local Service|
+| Member Server Effective Default Settings | Network Service
Local Service|
+| Client Computer Effective Default Settings | Network Service
Local Service|
+
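Review bot: The default value cells in this table span two physical lines (`| Default Domain Controller Policy | Network Service` followed by `Local Service |`), which is not valid Markdown table syntax; the row ends at the first line break, so the table will not render as intended. The hunk only strips trailing whitespace and carries the broken rows across unchanged; fold each cell onto one line, for example `| Default Domain Controller Policy | Network Service<br>Local Service |`, while the rows are being rewritten anyway.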
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
index ec962f77e0..44c6716d50 100644
--- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
+++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
@@ -1,8 +1,8 @@
---
-title: Reset account lockout counter after
+title: Reset account lockout counter after
description: Describes the best practices, location, values, and security considerations for the Reset account lockout counter after security policy setting.
ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 11/02/2018
ms.technology: itpro-security
---
@@ -38,7 +38,7 @@ The disadvantage of a high setting is that users lock themselves out for an inco
### Best practices
-Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements.
+Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements.
[Windows security baselines](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
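Review bot: the context line right after the changed one recommends setting the policy "to 15" without a unit; this setting is expressed in minutes, so write "to 15 minutes" while this paragraph is being edited. Otherwise the hunk only strips trailing whitespace from the preceding sentence and is fine.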
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Not defined|
-| Default domain controller policy | Not defined|
-| Stand-alone server default settings | Not applicable|
-| Domain controller effective default settings | Not defined|
-| Member server effective default settings | Not defined|
-| Client computer effective default settings | Not applicable|
-
+| Default domain policy| Not defined|
+| Default domain controller policy | Not defined|
+| Stand-alone server default settings | Not applicable|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Client computer effective default settings | Not applicable|
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
index ca2b72c717..f970ac8154 100644
--- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
@@ -1,8 +1,8 @@
---
-title: Restore files and directories - security policy setting
+title: Restore files and directories - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting.
ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -58,13 +58,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-|Default Domain Policy | |
-| Default Domain Controller Policy| Administrators
Backup Operators
Server Operators|
-| Stand-Alone Server Default Settings | Administrators
Backup Operators|
-| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators|
-| Member Server Effective Default Settings | Administrators
Backup Operators|
-| Client Computer Effective Default Settings | Administrators
Backup Operators|
-
+|Default Domain Policy | |
+| Default Domain Controller Policy| Administrators
Backup Operators
Server Operators|
+| Stand-Alone Server Default Settings | Administrators
Backup Operators|
+| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators|
+| Member Server Effective Default Settings | Administrators
Backup Operators|
+| Client Computer Effective Default Settings | Administrators
Backup Operators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -93,7 +93,7 @@ This section describes how an attacker might exploit a feature or its configurat
An attacker with the **Restore files and directories** user right could restore sensitive data to a computer and overwrite data that is more recent, which could lead to loss of important data, data corruption, or a denial-of-service condition. Attackers could overwrite executable files that are used by legitimate administrators or system services with versions that include malicious software to grant themselves elevated privileges, compromise data, or install programs that provide continued access to the device
>**Note:** Even if the following countermeasure is configured, an attacker could restore data to a computer in a domain that is controlled by the attacker. Therefore, it is critical that organizations carefully protect the media that are used to back up data.
-
+
### Countermeasure
Ensure that only the local Administrators group is assigned the **Restore files and directories** user right unless your organization has clearly defined roles for backup and for restore personnel.
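Review bot: the first context line of this hunk ends "...install programs that provide continued access to the device" with no terminal period, which should be fixed alongside the whitespace change below it. The `>**Note:**` blockquote on the following line would also render as a proper callout with the `> [!NOTE]` alert syntax supported in this docs set, rather than a bold label inside a plain quote.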
diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
index 7efca79530..78ea3fcb09 100644
--- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Advanced security audit policy settings in brief
+title: Advanced security audit policy settings in brief
description: Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md
index 39d6b0489e..de522cb6d3 100644
--- a/windows/security/threat-protection/security-policy-settings/security-options.md
+++ b/windows/security/threat-protection/security-policy-settings/security-options.md
@@ -1,7 +1,7 @@
---
title: Security options
description: Introduction to the Security Options settings of the local security policies plus links to more information.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.prod: windows-client
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 01/13/2023
ms.technology: itpro-security
-ms.topic: conceptual
+ms.topic: reference
---
# Security Options
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
index 259ebfec01..9db7d59a20 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
@@ -1,8 +1,8 @@
---
-title: Security policy settings reference
+title: Security policy settings reference
description: This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.
ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -33,10 +33,10 @@ Each policy setting described contains referential content such as a detailed ex
| Topic | Description |
| - | - |
-| [Account Policies](account-policies.md) | An overview of account policies in Windows and provides links to policy descriptions.|
-| [Audit Policy](audit-policy.md) | Provides information about basic audit policies that are available in Windows and links to information about each setting.|
-| [Security Options](security-options.md) | Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.|
-| [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) | Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.|
+| [Account Policies](account-policies.md) | An overview of account policies in Windows and provides links to policy descriptions.|
+| [Audit Policy](audit-policy.md) | Provides information about basic audit policies that are available in Windows and links to information about each setting.|
+| [Security Options](security-options.md) | Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.|
+| [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) | Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.|
| [User Rights Assignment](user-rights-assignment.md) | Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. |
-
-
+
+
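Review bot: the two blank lines at the end of this hunk are kept as two blank lines at end of file; the whitespace cleanup should reduce them to a single trailing newline rather than preserve both. Separately, the first rewritten row reads "An overview of account policies in Windows and provides links to policy descriptions.", which is a fragment and mixes constructions; make it parallel with the other rows, for example "Provides an overview of account policies in Windows and links to policy descriptions."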
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index 397c3a1138..062aa06d3d 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -1,8 +1,8 @@
---
-title: Security policy settings
+title: Security policy settings
description: This reference topic describes the common scenarios, architecture, and processes for security settings.
ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
index f6a3fe8228..def26ab7ef 100644
--- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
+++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
@@ -1,8 +1,8 @@
---
-title: Shut down the system - security policy setting
+title: Shut down the system - security policy setting
description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting.
ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -58,13 +58,13 @@ The following table lists the actual and effective default policy values for the
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Administrators
Backup Operators
Server Operators
Print Operators|
-| Stand-Alone Server Default Settings | Administrators
Backup Operators|
-| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators
Print Operators|
-| Member Server Effective Default Settings | Administrators
Backup Operators|
-| Client Computer Effective Default Settings | Administrators
Backup Operators
Users|
-
+| Default Domain Policy | Not defined|
+| Default Domain Controller Policy | Administrators
Backup Operators
Server Operators
Print Operators|
+| Stand-Alone Server Default Settings | Administrators
Backup Operators|
+| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators
Print Operators|
+| Member Server Effective Default Settings | Administrators
Backup Operators|
+| Client Computer Effective Default Settings | Administrators
Backup Operators
Users|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
index a21dde7fda..672e91297b 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
@@ -1,8 +1,8 @@
---
-title: Shutdown Allow system to be shut down without having to log on
+title: Shutdown Allow system to be shut down without having to log on
description: Best practices, security considerations, and more for the security policy setting Shutdown Allow system to be shut down without having to log on.
ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security
This policy setting determines whether you can shut down a device without having to sign in to Windows. When you enable it, the **Shut Down** option is available on the sign-in screen in Windows. If you disable this setting, the **Shut Down** option is removed from the screen. To use the option, the user must sign in on the device successfully and have the **Shut down the system** user right.
-Users who access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service
+Users who access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service
condition from a local console by restarting or shutting down the server.
### Possible values
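Review bot: the rewritten line still hard-wraps the sentence mid-phrase ("...a temporary denial-of-service" / "condition from a local console..."); since the line is being replaced anyway, join it with the following context line so the paragraph sits on one source line like the rest of the page, which also makes future diffs cleaner.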
@@ -59,13 +59,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
index 7c6df9fb82..b40140dc0f 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
@@ -1,8 +1,8 @@
---
-title: Shutdown Clear virtual memory pagefile
+title: Shutdown Clear virtual memory pagefile
description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting.
ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,12 +12,12 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 08/01/2017
ms.technology: itpro-security
---
-# Shutdown: Clear virtual memory pagefile
+# Shutdown: Clear virtual memory pagefile
**Applies to**
- Windows 11
@@ -54,13 +54,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
@@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat
Important information that is kept in real memory may be written periodically to the paging file to help Windows handle multitasking functions. An attacker who has physical access to a server that has been shut down could view the contents of the paging file. The attacker could move the system volume into a different device and then analyze the contents of the paging file. Although this process is time consuming, it could expose data that is cached from random access memory (RAM) to the paging file.
>**Caution:** An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source.
-
+
### Countermeasure
Enable the **Shutdown: Clear virtual memory page file** setting. This configuration causes the operating system to clear the paging file when the device is shut down. The amount of time that is required to complete this process depends on the size of the page file. Because the process overwrites the storage area that is used by the page file several times, it could be several minutes before the device completely shuts down.
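Review bot: the countermeasure line in the trailing context refers to the setting as "**Shutdown: Clear virtual memory page file**" while the page title and H1 fixed earlier in this file spell it "pagefile"; pick one spelling for the setting name (the policy UI string is the one to match) and apply it consistently while this file is open.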
diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
index adb43f0fea..6b4584688f 100644
--- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
+++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
@@ -1,8 +1,8 @@
---
-title: Store passwords using reversible encryption
+title: Store passwords using reversible encryption
description: Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting.
ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for
The **Store password using reversible encryption** policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then sign in to network resources by using the compromised account. For this reason, never enable **Store password using reversible encryption** for all users in the domain unless application requirements outweigh the need to protect password information.
-If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet
+If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet
Information Services (IIS) also requires that you enable this policy setting.
### Possible values
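Review bot: the replaced line keeps a hard wrap inside the sentence ("Digest Authentication in Internet" / "Information Services (IIS)"); join it with the following context line while rewriting it. Also, this paragraph and the one above it bold the setting as "**Store password using reversible encryption**" (singular), whereas the title in the front-matter hunk of this same file reads "Store passwords using reversible encryption"; the setting name should be spelled the same way throughout.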
@@ -42,7 +42,7 @@ Information Services (IIS) also requires that you enable this policy setting.
Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. This setting presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers.
>**Note:** Do not enable this policy setting unless business requirements outweigh the need to protect password information.
-
+
### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\**
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
-| Default domain policy| Disabled|
-| Default domain controller policy| Disabled|
-| Stand-alone server default settings | Disabled|
-| Domain controller effective default settings | Disabled|
-| Member server effective default settings | Disabled|
-| Effective GPO default settings on client computers | Disabled|
-
+| Default domain policy| Disabled|
+| Default domain controller policy| Disabled|
+| Stand-alone server default settings | Disabled|
+| Domain controller effective default settings | Disabled|
+| Member server effective default settings | Disabled|
+| Effective GPO default settings on client computers | Disabled|
+
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
index 3949729b08..6744567fe3 100644
--- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
+++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
@@ -1,8 +1,8 @@
---
-title: Synchronize directory service data
+title: Synchronize directory service data
description: Describes the best practices, location, values, policy management, and security considerations for the Synchronize directory service data security policy setting.
ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| Domain Controller Effective Default Settings | Enabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| Domain Controller Effective Default Settings | Enabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
index ce8f451033..597b9027a0 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
@@ -1,8 +1,8 @@
---
-title: System cryptography Force strong key protection for user keys stored on the computer
+title: System cryptography Force strong key protection for user keys stored on the computer
description: Best practices, security considerations, and more for the policy setting, System cryptography Force strong key protection for user keys stored on the computer.
ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -52,13 +52,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Not defined|
-| Member Server Effective Default Settings | Not defined|
-| Client Computer Effective Default Settings| Not defined|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Not defined|
+| DC Effective Default Settings | Not defined|
+| Member Server Effective Default Settings | Not defined|
+| Client Computer Effective Default Settings| Not defined|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index 2d223e79b3..d660ac1952 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -1,8 +1,8 @@
---
-title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing
+title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing
description: Best practices, security considerations, and more for the policy setting System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing
ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 11/16/2018
ms.technology: itpro-security
---
@@ -27,12 +27,12 @@ This security policy reference topic for the IT professional describes the best
## Reference
-The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the
+The Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software. Windows implements these certified algorithms to meet the requirements and standards for cryptographic modules for use by departments and agencies of the
United States federal government.
**TLS/SSL**
-This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the
+This policy setting determines whether the TLS/SSL security provider supports only the FIPS-compliant strong cipher suite known as TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA, which means that the provider only supports the TLS protocol as a client computer and as a server, if applicable. It uses only the
Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption, only the Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing requirements.
**Encrypting File System (EFS)**
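Review bot: both rewritten lines in this hunk are only whitespace-trimmed and still break their sentences mid-clause ("...departments and agencies of the" / "United States federal government." and "It uses only the" / "Triple Data Encryption Standard..."); since these lines are being replaced, fold each continuation line back onto the line it belongs to.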
@@ -71,13 +71,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
### Operating system version differences
When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and the Windows Server 2003 implementation of EFS uses the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX.
@@ -86,11 +86,11 @@ When this setting is enabled, BitLocker generates recovery password or recovery
| Operating systems | Applicability |
| - | - |
-| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password can't be used on other systems listed in this table.|
-| Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
-| Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
-| Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
-
+| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password can't be used on other systems listed in this table.|
+| Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
+| Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
+| Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
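Review bot: the BitLocker applicability table in this hunk is whitespace-only, but its rows are inconsistent with each other: the first row speaks of the "recovery password" not being usable on other systems while the remaining three rows speak of the "recovery key" being usable elsewhere. In BitLocker terms the 48-digit recovery password and the recovery key file are different protectors, so either every row should use the same term or each row should say which protector it means; as written a reader cannot tell whether the restriction in row one applies to both.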
@@ -117,7 +117,7 @@ Enable the **System cryptography: Use FIPS compliant algorithms for encryption,
### Potential impact
-Client devices that have this policy setting enabled can't communicate through digitally encrypted or signed protocols with servers that don't support these algorithms. Network clients that don't support these algorithms can't use servers that require them for network communications. For example, many Apache-based Web servers aren't configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool
+Client devices that have this policy setting enabled can't communicate through digitally encrypted or signed protocols with servers that don't support these algorithms. Network clients that don't support these algorithms can't use servers that require them for network communications. For example, many Apache-based Web servers aren't configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool
uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices aren't configured to use the same encryption algorithms.
## Related topics
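Review bot: this hunk only strips trailing whitespace, but the "Potential impact" paragraph it touches carries two stale claims that should be fixed in the same pass: "many Apache-based Web servers aren't configured to support TLS" is not true of any common deployment today, and the instruction to configure Internet Explorer® to use TLS no longer applies to supported clients. Suggest replacing that example with the actual operational effect: a client with this policy enabled cannot negotiate with a server that offers only non-FIPS-approved cipher suites, so server cipher configurations should be inventoried before the policy is enabled. The RDP sentence ("RDP connections fail if both devices aren't configured to use the same encryption algorithms") is accurate and can stay.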
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
index ae93fe4482..3694fe2434 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
@@ -1,8 +1,8 @@
---
-title: System objects Require case insensitivity for non-Windows subsystems
+title: System objects Require case insensitivity for non-Windows subsystems
description: Best practices, security considerations and more for the security policy setting, System objects Require case insensitivity for non-Windows subsystems.
ms.assetid: 340d6769-8f33-4067-8470-1458978d1522
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -57,13 +57,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
index 74bf9dee10..8358279b2d 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
@@ -1,8 +1,8 @@
---
-title: System objects Strengthen default permissions of internal system objects (for example, Symbolic Links)
+title: System objects Strengthen default permissions of internal system objects (for example, Symbolic Links)
description: Best practices and more for the security policy setting, System objects Strengthen default permissions of internal system objects (for example, Symbolic Links).
ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -49,13 +49,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Enabled |
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
index af54bf48ab..ef7ca4315a 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
@@ -1,8 +1,8 @@
---
-title: System settings Optional subsystems
+title: System settings Optional subsystems
description: Describes the best practices, location, values, policy management, and security considerations for the System settings Optional subsystems security policy setting.
ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -50,13 +50,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | POSIX|
-| DC Effective Default Settings | POSIX|
-| Member Server Effective Default Settings| POSIX|
-| Client Computer Effective Default Settings | POSIX|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | POSIX|
+| DC Effective Default Settings | POSIX|
+| Member Server Effective Default Settings| POSIX|
+| Client Computer Effective Default Settings | POSIX|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
index 81fce5ee99..fee999b57a 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
@@ -1,8 +1,8 @@
---
-title: System settings Use certificate rules on Windows executables for Software Restriction Policies
+title: System settings Use certificate rules on Windows executables for Software Restriction Policies
description: Best practices and more for the security policy setting, System settings Use certificate rules on Windows executables for Software Restriction Policies.
ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -37,7 +37,7 @@ This policy setting determines whether digital certificates are processed when s
### Best practices
-- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance.
+- Set this policy to **Enabled**. Enabling certificate rules results in software restriction policies checking a certificate revocation list (CRL) to make sure that the software's certificate and signature are valid. When you start signed programs, this setting can decrease system performance.
You can disable CRLs by editing the software restriction policies in the desired GPO. In the **Trusted Publishers Properties** dialog box, clear the **Publisher** and **Timestamp** check boxes.
### Location
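Review bot: the "Best practices" bullet rewritten in this hunk recommends **Enabled** and then, in the unchanged context line that follows, explains how to disable CRL checking by clearing the **Publisher** and **Timestamp** check boxes, without saying what that costs. Clearing those boxes removes revocation checking, so a binary signed with a certificate that has since been revoked still satisfies the certificate rule; suggest adding that caveat to the sentence (for example, "Doing so removes revocation checking: software signed with a revoked certificate will still be allowed.") so the performance tip does not read as an unqualified recommendation.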
@@ -50,13 +50,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Disabled |
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
index 179d04747b..39152767a9 100644
--- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
@@ -1,8 +1,8 @@
---
-title: Take ownership of files or other objects
+title: Take ownership of files or other objects
description: Describes the best practices, location, values, policy management, and security considerations for the Take ownership of files or other objects security policy setting.
ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Administrators|
-| Stand-Alone Server Default Settings | Administrators|
-| Domain Controller Effective Default Settings | Administrators|
-| Member Server Effective Default Settings | Administrators|
-| Client Computer Effective Default Settings | Administrators|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Administrators|
+| Stand-Alone Server Default Settings | Administrators|
+| Domain Controller Effective Default Settings | Administrators|
+| Member Server Effective Default Settings | Administrators|
+| Client Computer Effective Default Settings | Administrators|
+
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@@ -100,7 +100,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a
+Any users with the **Take ownership of files or other objects user right** can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make to that object. Such changes could result in exposure of data, corruption of data, or a
denial-of-service condition.
### Countermeasure
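Review bot: style point in the "Vulnerability" paragraph of this hunk: the bold span `**Take ownership of files or other objects user right**` wraps the descriptive words "user right" inside the policy name. The setting is named "Take ownership of files or other objects", so the markup should read `**Take ownership of files or other objects** user right`, matching how the other pages in this patch keep descriptive words outside the bold name. Since the line is already being rewritten for whitespace, fix it here.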
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
index d4b0a95f6a..58989112e3 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Admin Approval Mode for the Built-in Administrator account
+title: User Account Control Admin Approval Mode for the Built-in Administrator account
description: Best practices, security considerations, and more for the policy setting, User Account Control Admin Approval Mode for the Built-in Administrator account.
ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/08/2017
ms.technology: itpro-security
---
@@ -31,7 +31,7 @@ When the Admin Approval Mode is enabled, the local administrator account functio
> [!NOTE]
> If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled.
-
+
### Possible values
- Enabled
@@ -49,7 +49,7 @@ When the Admin Approval Mode is enabled, the local administrator account functio
To enable Admin Approval Mode, you must also configure the local security policy setting: [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) to **Prompt for consent on the secure desktop** and then click OK.
> [!NOTE]
-> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt.
+> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt.
### Location
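Review bot: the note line in this hunk is rewritten for trailing whitespace only and keeps the mid-sentence capital in "Alternatively, You may perform" and the reversed "log in and out" (a user logs off and then logs on again for the new token). Suggest `you must first log off and log on again. Alternatively, you can run **gpupdate /force** from an elevated command prompt.` The same sentence appears in the behavior-of-the-elevation-prompt page later in this patch and should get the same fix.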
@@ -62,12 +62,12 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
index 4d0f0eac5b..eb9a42ffeb 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop
+title: User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop
description: Best practices and more for the policy setting, User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop.
ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for
This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
>**Note:** This setting does not change the behavior of the UAC elevation prompt for administrators.
-
+
**Background**
User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI doesn't interfere with or change the behavior of messages between applications at the same privilege (or integrity) level.
@@ -39,7 +39,7 @@ Microsoft UI Automation is the current model to support accessibility requiremen
However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation can't drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess.
-If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy
+If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy
checks before starting an application with UIAccess privilege.
1. The application must have a digital signature that can be verified by using a digital certificate that is associated with the Trusted Root Certification Authorities store on the local computer.
@@ -78,13 +78,13 @@ The following table lists the actual and effective default values for this polic
Server type or GPO| Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
index b5175062ac..8acd28314d 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode
+title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode
description: Best practices and more for the security policy setting, User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode.
ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 09/08/2017
ms.technology: itpro-security
---
@@ -36,7 +36,7 @@ This policy setting determines the behavior of the elevation prompt for accounts
Assumes that the administrator will permit an operation that requires elevation, and more consent or credentials aren't required.
**Note** Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We don't recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure.
-
+
- **Prompt for credentials on the secure desktop**
When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
@@ -60,7 +60,7 @@ This policy setting determines the behavior of the elevation prompt for accounts
\*If you've enabled the built-in Administrator account and have configured Admin Approval Mode, you must also configure the option **Prompt for consent on the secure desktop**. You can also configure this option from User Account Control, by typing **UAC** in the search box. From the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**.
> [!NOTE]
-> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt.
+> After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt.
### Best practices
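Review bot: same issue as the Admin Approval Mode page earlier in this patch: the note rewritten here keeps "Alternatively, You may perform" with a mid-sentence capital and "log in and out" in the wrong order. Suggest `you must first log off and log on again. Alternatively, you can run **gpupdate /force** from an elevated command prompt.` so both pages carry identical wording.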
@@ -77,13 +77,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined|
+| Default Domain Policy | Not defined|
| Default Domain Controller Policy | Not defined |
-| Stand-Alone Server Default Settings | Prompt for consent for non-Windows binaries|
-| DC Effective Default Settings | Prompt for consent for non-Windows binaries|
-| Member Server Effective Default Settings | Prompt for consent for non-Windows binaries|
-| Client Computer Effective Default Settings | Prompt for consent for non-Windows binaries|
-
+| Stand-Alone Server Default Settings | Prompt for consent for non-Windows binaries|
+| DC Effective Default Settings | Prompt for consent for non-Windows binaries|
+| Member Server Effective Default Settings | Prompt for consent for non-Windows binaries|
+| Client Computer Effective Default Settings | Prompt for consent for non-Windows binaries|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
index 1d3ea2ed65..6a471c51bb 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
@@ -5,7 +5,7 @@ ms.author: vinpa
ms.prod: windows-client
author: vinaypamnani-msft
manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
ms.date: 01/18/2023
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
index b18e302adf..ea22f7f177 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Detect application installations and prompt for elevation
+title: User Account Control Detect application installations and prompt for elevation
description: Learn about best practices and more for the security policy setting, User Account Control Detect application installations and prompt for elevation.
ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -55,13 +55,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
index e7e8643f8e..92d124a4f7 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Only elevate executables that are signed and validated
+title: User Account Control Only elevate executables that are signed and validated
description: Best practices, security considerations, and more for the security policy setting, User Account Control Only elevate executables that are signed and validated.
ms.assetid: 64950a95-6985-4db6-9905-1db18557352d
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -58,13 +58,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Disabled|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Disabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Disabled|
+| DC Effective Default Settings | Disabled|
+| Member Server Effective Default Settings | Disabled|
+| Client Computer Effective Default Settings | Disabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
index 564d86f514..4aad366985 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
@@ -1,8 +1,8 @@
---
-title: Only elevate UIAccess app installed in secure location
+title: Only elevate UIAccess app installed in secure location
description: Learn about best practices and more for the policy setting, User Account Control Only elevate UIAccess applications that are installed in secure locations.
ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -34,7 +34,7 @@ This policy setting enforces the requirement that apps that request running with
- \\Program Files (x86)\\ including subdirectories for 64-bit versions of Windows
>**Note:** Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level, regardless of the state of this security setting.
-
+
**Background**
User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI doesn't interfere with or change the behavior of messages between applications at the same privilege (or integrity) level.
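Review bot: the callout on the unchanged line `>**Note:** Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level...` still uses the legacy bold-prefix form rather than the `> [!NOTE]` alert syntax this same patch relies on in deprecated-features.md; since the hunk already touches the blank line directly below it, convert the callout to `> [!NOTE]` in the same change so the signature-check caveat renders as an alert instead of an inline quote.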
@@ -75,13 +75,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
index 8502ded0f0..97d8752204 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
index 90d853997d..9059607fe2 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Switch to the secure desktop when prompting for elevation
+title: User Account Control Switch to the secure desktop when prompting for elevation
description: Best practices, security considerations, and more for the policy setting, User Account Control Switch to the secure desktop when prompting for elevation.
ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -45,7 +45,7 @@ The secure desktop’s primary difference from the user desktop is that only tru
### Best practices
-- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system
+- Enable the **User Account Control: Switch to the secure desktop when prompting for elevation setting**. The secure desktop helps protect against input and output spoofing by presenting the credentials dialog box in a protected section of memory that is accessible only by trusted system
processes.
### Location
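Review bot: in the edited bullet the closing `**` sits after the word "setting", so the rendered policy name reads "User Account Control: Switch to the secure desktop when prompting for elevation setting" with "setting" shown as part of the name; move the `**` to before " setting" so only the policy name is bold. The same bullet is also hard-wrapped between "trusted system" and "processes.", and since the hunk only strips trailing whitespace here, it is the right place to join the two lines so the list item is a single line like the other bullets in this file.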
@@ -58,13 +58,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
index e7bf8758a8..adb9f83c7e 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
@@ -1,8 +1,8 @@
---
-title: User Account Control Virtualize file and registry write failures to per-user locations
+title: User Account Control Virtualize file and registry write failures to per-user locations
description: Best practices, security considerations and more for the policy setting, User Account Control Virtualize file and registry write failures to per-user locations.
ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.topic: conceptual
+ms.topic: reference
ms.date: 04/19/2017
ms.technology: itpro-security
---
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
| Server type or GPO | Default value|
| - | - |
-| Default Domain Policy| Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Enabled|
-| DC Effective Default Settings | Enabled|
-| Member Server Effective Default Settings| Enabled|
-| Client Computer Effective Default Settings | Enabled|
-
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 17f39e5b1f..3ca31c4fe8 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -1,8 +1,8 @@
---
-title: User Rights Assignment
+title: User Rights Assignment
description: Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.
ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5
-ms.reviewer:
+ms.reviewer:
ms.author: vinpa
ms.prod: windows-client
ms.mktglfcycl: deploy
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
-ms.collection:
+ms.collection:
- highpri
- tier3
-ms.topic: conceptual
+ms.topic: reference
ms.date: 12/16/2021
ms.technology: itpro-security
---
@@ -29,7 +29,7 @@ ms.technology: itpro-security
Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.
User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the **User Rights Assignment** item.
-Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under
+Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under
**Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**, or on the local device by using the Local Group Policy Editor (gpedit.msc).
For information about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md).
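Review bot: the edited sentence is still broken after "under", leaving `**Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment**` on its own source line; as the only change here is trailing whitespace, join the two lines so the GPMC path is part of the sentence rather than a separate paragraph fragment. The unchanged context line "the User Rights Assignment security policy settings user rights that are available in Windows" also reads as two nouns run together and would be clearer as "the User Rights Assignment security policy settings that are available in Windows".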
@@ -38,53 +38,53 @@ The following table links to each security policy setting and provides the const
| Group Policy Setting | Constant Name |
| - | - |
-| [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md) | SeTrustedCredManAccessPrivilege|
-| [Access this computer from the network](access-this-computer-from-the-network.md) | SeNetworkLogonRight|
-| [Act as part of the operating system](act-as-part-of-the-operating-system.md) | SeTcbPrivilege|
-| [Add workstations to domain](add-workstations-to-domain.md) | SeMachineAccountPrivilege|
-| [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md) | SeIncreaseQuotaPrivilege|
-| [Allow log on locally](allow-log-on-locally.md) | SeInteractiveLogonRight|
+| [Access Credential Manager as a trusted caller](access-credential-manager-as-a-trusted-caller.md) | SeTrustedCredManAccessPrivilege|
+| [Access this computer from the network](access-this-computer-from-the-network.md) | SeNetworkLogonRight|
+| [Act as part of the operating system](act-as-part-of-the-operating-system.md) | SeTcbPrivilege|
+| [Add workstations to domain](add-workstations-to-domain.md) | SeMachineAccountPrivilege|
+| [Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md) | SeIncreaseQuotaPrivilege|
+| [Allow log on locally](allow-log-on-locally.md) | SeInteractiveLogonRight|
| [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md)| SeRemoteInteractiveLogonRight|
-| [Back up files and directories](back-up-files-and-directories.md) | SeBackupPrivilege|
-| [Bypass traverse checking](bypass-traverse-checking.md) | SeChangeNotifyPrivilege|
-| [Change the system time](change-the-system-time.md) | SeSystemtimePrivilege|
-| [Change the time zone](change-the-time-zone.md) | SeTimeZonePrivilege|
-| [Create a pagefile](create-a-pagefile.md) | SeCreatePagefilePrivilege|
-| [Create a token object](create-a-token-object.md) | SeCreateTokenPrivilege|
-| [Create global objects](create-global-objects.md) | SeCreateGlobalPrivilege|
-| [Create permanent shared objects](create-permanent-shared-objects.md) | SeCreatePermanentPrivilege|
-| [Create symbolic links](create-symbolic-links.md) | SeCreateSymbolicLinkPrivilege|
-| [Debug programs](debug-programs.md) | SeDebugPrivilege|
+| [Back up files and directories](back-up-files-and-directories.md) | SeBackupPrivilege|
+| [Bypass traverse checking](bypass-traverse-checking.md) | SeChangeNotifyPrivilege|
+| [Change the system time](change-the-system-time.md) | SeSystemtimePrivilege|
+| [Change the time zone](change-the-time-zone.md) | SeTimeZonePrivilege|
+| [Create a pagefile](create-a-pagefile.md) | SeCreatePagefilePrivilege|
+| [Create a token object](create-a-token-object.md) | SeCreateTokenPrivilege|
+| [Create global objects](create-global-objects.md) | SeCreateGlobalPrivilege|
+| [Create permanent shared objects](create-permanent-shared-objects.md) | SeCreatePermanentPrivilege|
+| [Create symbolic links](create-symbolic-links.md) | SeCreateSymbolicLinkPrivilege|
+| [Debug programs](debug-programs.md) | SeDebugPrivilege|
| [Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md)| SeDenyNetworkLogonRight |
-| [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) | SeDenyBatchLogonRight|
+| [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) | SeDenyBatchLogonRight|
| [Deny log on as a service](deny-log-on-as-a-service.md) | SeDenyServiceLogonRight |
-| [Deny log on locally](deny-log-on-locally.md) | SeDenyInteractiveLogonRight|
-| [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)| SeDenyRemoteInteractiveLogonRight|
-| [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)| SeEnableDelegationPrivilege|
-| [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md) | SeRemoteShutdownPrivilege|
-| [Generate security audits](generate-security-audits.md) | SeAuditPrivilege|
-| [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)| SeImpersonatePrivilege|
-| [Increase a process working set](increase-a-process-working-set.md) | SeIncreaseWorkingSetPrivilege|
-| [Increase scheduling priority](increase-scheduling-priority.md) | SeIncreaseBasePriorityPrivilege|
-| [Load and unload device drivers](load-and-unload-device-drivers.md) | SeLoadDriverPrivilege|
-| [Lock pages in memory](lock-pages-in-memory.md) | SeLockMemoryPrivilege|
-| [Log on as a batch job](log-on-as-a-batch-job.md) | SeBatchLogonRight|
-| [Log on as a service](log-on-as-a-service.md) | SeServiceLogonRight|
-| [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege|
-| [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege|
-| [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege|
+| [Deny log on locally](deny-log-on-locally.md) | SeDenyInteractiveLogonRight|
+| [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md)| SeDenyRemoteInteractiveLogonRight|
+| [Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)| SeEnableDelegationPrivilege|
+| [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md) | SeRemoteShutdownPrivilege|
+| [Generate security audits](generate-security-audits.md) | SeAuditPrivilege|
+| [Impersonate a client after authentication](impersonate-a-client-after-authentication.md)| SeImpersonatePrivilege|
+| [Increase a process working set](increase-a-process-working-set.md) | SeIncreaseWorkingSetPrivilege|
+| [Increase scheduling priority](increase-scheduling-priority.md) | SeIncreaseBasePriorityPrivilege|
+| [Load and unload device drivers](load-and-unload-device-drivers.md) | SeLoadDriverPrivilege|
+| [Lock pages in memory](lock-pages-in-memory.md) | SeLockMemoryPrivilege|
+| [Log on as a batch job](log-on-as-a-batch-job.md) | SeBatchLogonRight|
+| [Log on as a service](log-on-as-a-service.md) | SeServiceLogonRight|
+| [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege|
+| [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege|
+| [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege|
| [Obtain an impersonation token for another user in the same session](impersonate-a-client-after-authentication.md) | SeDelegateSessionUserImpersonatePrivilege|
-| [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege|
-| [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege|
-| [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege|
-| [Remove computer from docking station](remove-computer-from-docking-station.md) | SeUndockPrivilege|
-| [Replace a process level token](replace-a-process-level-token.md) | SeAssignPrimaryTokenPrivilege|
+| [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege|
+| [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege|
+| [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege|
+| [Remove computer from docking station](remove-computer-from-docking-station.md) | SeUndockPrivilege|
+| [Replace a process level token](replace-a-process-level-token.md) | SeAssignPrimaryTokenPrivilege|
| [Restore files and directories](restore-files-and-directories.md) | SeRestorePrivilege |
-| [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege|
-| [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege|
-| [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege|
+| [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege|
+| [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege|
+| [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege|
+
-
## Related topics
- [Security policy settings reference](security-policy-settings-reference.md)
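Review bot: two rows of the retouched table resolve to the same page: "Impersonate a client after authentication" (SeImpersonatePrivilege) and "Obtain an impersonation token for another user in the same session" (SeDelegateSessionUserImpersonatePrivilege) both link to impersonate-a-client-after-authentication.md, so readers of the second row land on the page for a different privilege. If there is no dedicated topic for SeDelegateSessionUserImpersonatePrivilege, link to the section of that page that covers it or note the shared page in the row. The remainder of the hunk is trailing-whitespace removal only, including the swapped blank line before "## Related topics".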
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 1f4ad7580a..9493e41132 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 11/15/2023
+ms.date: 11/27/2023
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
@@ -34,8 +34,9 @@ The features in this article are no longer being actively developed, and might b
> [!NOTE]
> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332).
-|Feature | Details and mitigation | Deprecation announced |
-| ----------- | --------------------- | ---- |
+| Feature | Details and mitigation | Deprecation announced |
+|---|---|---|
+| Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install) is being deprecated and is no longer being updated. This deprecation also includes the [Windows.Security.Isolation APIs](/uwp/api/windows.security.isolation) that are used for Microsoft Defender Application Guard for Office. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
| Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft Clipchamp. | November 2023 |
| Tips | The Tips app is deprecated and will be removed in a future release of Windows. Content in the app will continue to be updated with information about new Windows features until the app is removed. | November 2023 |
| Computer Browser | The Computer Browser driver and service are deprecated. The browser (browser protocol and service) is a dated and insecure device location protocol. This protocol, service, and driver were first disabled by default in Windows 10 with the removal of the SMB1 service. For more information on Computer Browser, see [MS-BRWS Common Internet File System](/openspecs/windows_protocols/ms-brws/3cfbad92-09b3-4abc-808f-c6f6347d5677). | November 2023 |
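Review bot: in the new Microsoft Defender Application Guard for Office row, the link text "Protected View" points at `recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments`, which is the Safe Attachments global-settings anchor rather than a Protected View topic; either the text or the target should change so the mitigation guidance sends readers to the feature it names. The header-separator change from `| ----------- | --------------------- | ---- |` to `|---|---|---|` is cosmetic and matches the ms.date bump to 11/27/2023 in the earlier hunk of this file.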