mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-22 05:43:41 +00:00
Merge remote-tracking branch 'origin/master' into asc
This commit is contained in:
Joey Caparas
@ -51,7 +51,7 @@ For information about Windows Defender Remote Credential Guard hardware and soft
|
||||
|
||||
## Application requirements
|
||||
|
||||
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
|
||||
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
|
||||
|
||||
>[!WARNING]
|
||||
> Enabling Windows Defender Credential Guard on domain controllers is not supported. <br>
|
||||
|
||||
@ -202,9 +202,9 @@ Active Directory Domain Services uses AdminSDHolder to secure privileged users a
|
||||
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
|
||||
|
||||
1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.</br>
|
||||
```dsacls "CN=AdminSDHolder,CN=System,**DC=domain,DC=com**" /g "**[domainName\keyAdminGroup]**":RPWP,msDS-KeyCredentialLink```</br>
|
||||
```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```</br>
|
||||
where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:</br>
|
||||
```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net /g "mstepdemo\Key Admins":RPWP,msDS-KeyCredentialLink```
|
||||
```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink```
|
||||
2. To trigger security descriptor propagation, open **ldp.exe**.
|
||||
3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**.
|
||||
4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user.
|
||||
@ -266,4 +266,4 @@ Users appreciate convenience of biometrics and administrators value the security
|
||||
- [Windows Hello and password changes](hello-and-password-changes.md)
|
||||
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
|
||||
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
|
||||
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
|
||||
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
|
||||
|
||||
@ -517,8 +517,8 @@ Sign-in the NDES server with access equivalent to _local administrator_.
|
||||
#### Configure Parameters for HTTP.SYS
|
||||
1. Open an elevated command prompt.
|
||||
2. Run the following commands <br>
|
||||
```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534``` <br>
|
||||
```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```<br>
|
||||
```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534``` <br>
|
||||
```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```<br>
|
||||
3. Restart the NDES server.
|
||||
|
||||
## Download, Install and Configure the Intune Certificate Connector
|
||||
|
||||
@ -29,7 +29,7 @@ When using a key, the on-premises environment needs an adequate distribution of
|
||||
When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.
|
||||
|
||||
To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md).
|
||||
To deploy single sign-on for Azure AD joined devices using, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
|
||||
To deploy single sign-on for Azure AD joined devices using certificates, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -25,7 +25,7 @@ Before you move away from passwords, you need something to replace them. With W
|
||||
Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
|
||||
|
||||
### 2. Reduce user-visible password surface area
|
||||
With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
|
||||
With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
|
||||
|
||||
### 3. Transition into a password-less deployment
|
||||
Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where:
|
||||
|
||||
@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: Justinha
|
||||
ms.date: 11/06/2018
|
||||
ms.date: 01/12/2019
|
||||
---
|
||||
|
||||
# Overview of BitLocker Device Encryption in Windows 10
|
||||
@ -27,7 +27,6 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi
|
||||
| Windows 7 | Windows 10 |
|
||||
|---|---|
|
||||
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |
|
||||
| Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.<br><br>Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. |
|
||||
| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
|
||||
| There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
|
||||
| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
|
||||
@ -58,7 +57,9 @@ With earlier versions of Windows, administrators had to enable BitLocker after W
|
||||
|
||||
## BitLocker Device Encryption
|
||||
|
||||
Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby. Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
|
||||
Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition.
|
||||
|
||||
Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
|
||||
|
||||
Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
|
||||
|
||||
|
||||
@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: aadake
|
||||
ms.date: 12/08/2018
|
||||
ms.date: 12/20/2018
|
||||
---
|
||||
|
||||
# Kernel DMA Protection for Thunderbolt™ 3
|
||||
@ -38,17 +38,17 @@ A simple example would be a PC owner leaves the PC for a quick coffee break, and
|
||||
|
||||
## How Windows protects against DMA drive-by attacks
|
||||
|
||||
Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external devices from starting and performing DMA unless the drivers for these devices support memory isolation (such as DMA-remapping).
|
||||
Devices with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions.
|
||||
Devices with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen.
|
||||
Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping).
|
||||
Peripherals with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions.
|
||||
By default, peripherals with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen.
|
||||
|
||||
## User experience
|
||||
|
||||
|
||||
|
||||
A device that is incompatible with DMA-remapping will be blocked from starting if the device was plugged in before an authorized user logs in, or while the screen is locked.
|
||||
Once the system is unlocked, the device driver will be started by the OS, and the device will continue to function normally until the system is rebooted, or the device is unplugged.
|
||||
The devices will continue to function normally if the user locks the screen or logs out of the system.
|
||||
A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked.
|
||||
Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged.
|
||||
The peripheral will continue to function normally if the user locks the screen or logs out of the system.
|
||||
|
||||
## System compatibility
|
||||
|
||||
@ -88,7 +88,7 @@ For systems that do not support Kernel DMA Protection, please refer to the [BitL
|
||||
## Frequently asked questions
|
||||
|
||||
### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3?
|
||||
In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
|
||||
In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
|
||||
|
||||
### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
|
||||
No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.
|
||||
@ -108,10 +108,13 @@ In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Co
|
||||
### Do drivers for non-PCI devices need to be compatible with DMA-remapping?
|
||||
No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping.
|
||||
|
||||
### How can an enterprise enable the “External device enumeration” policy?
|
||||
The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated. The policy can be enabled via Group Policy or Mobile Device Management (MDM):
|
||||
### How can an enterprise enable the External device enumeration policy?
|
||||
The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default).
|
||||
|
||||
The policy can be enabled by using:
|
||||
|
||||
- Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
|
||||
- MDM: [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
|
||||
- Mobile Device Management (MDM): [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -17,6 +17,7 @@ ms.date: 11/29/2018
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows Server 2019
|
||||
|
||||
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
|
||||
|
||||
@ -38,7 +39,7 @@ Different versions of the TPM are defined in specifications by the Trusted Compu
|
||||
|
||||
### Automatic initialization of the TPM with Windows 10
|
||||
|
||||
Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
|
||||
Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](https://docs.microsoft.com/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809.
|
||||
|
||||
In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects.
|
||||
|
||||
@ -69,18 +70,18 @@ Some things that you can check on the device are:
|
||||
- Is SecureBoot supported and enabled?
|
||||
|
||||
> [!NOTE]
|
||||
> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
|
||||
> Windows 10, Windows Server 2016 and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
|
||||
|
||||
## Supported versions for device health attestation
|
||||
|
||||
| TPM version | Windows 10 | Windows Server 2016 |
|
||||
|-------------|-------------|---------------------|
|
||||
| TPM 1.2 | >= ver 1607 | >= ver 1607 |
|
||||
| TPM 2.0 | X | X |
|
||||
| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 |
|
||||
|-------------|-------------|---------------------|---------------------|
|
||||
| TPM 1.2 | >= ver 1607 | >= ver 1607 | Yes |
|
||||
| TPM 2.0 | Yes | Yes | Yes |
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
|
||||
- [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx)
|
||||
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
|
||||
- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule)
|
||||
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
|
||||
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: justinha
|
||||
ms.author: justinha
|
||||
ms.date: 05/30/2018
|
||||
ms.date: 12/18/2018
|
||||
ms.localizationpriority: medium
|
||||
---
|
||||
|
||||
@ -104,7 +104,7 @@ This table provides info about the most common problems you might encounter whil
|
||||
<li>SavedGames</li>
|
||||
</ul>
|
||||
</td>
|
||||
<td>WIP isn’t turned on for employees in your organization.</td>
|
||||
<td>WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using System Center Configuration Manager. </td>
|
||||
<td>Don’t set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
@ -22,8 +22,8 @@ Microsoft Intune helps you create and deploy your enterprise data protection (WI
|
||||
## In this section
|
||||
|Topic |Description |
|
||||
|------|------------|
|
||||
|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|
||||
|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MDM, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.|
|
||||
|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|
||||
|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MAM (Mobile Application Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.|
|
||||
|[Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](create-wip-policy-using-intune.md) |Details about how to use the classic console for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|
||||
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
|
||||
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
|
||||
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 12/20/2018
|
||||
---
|
||||
|
||||
# 4672(S): Special privileges assigned to new logon.
|
||||
@ -18,7 +18,7 @@ ms.date: 04/19/2017
|
||||
|
||||
|
||||
<img src="images/event-4672.png" alt="Event 4672 illustration" width="449" height="503" hspace="10" align="left" />
|
||||
|
||||
</br>
|
||||
***Subcategory:*** [Audit Special Logon](audit-special-logon.md)
|
||||
|
||||
***Event Description:***
|
||||
@ -125,7 +125,7 @@ You typically will see many of these events in the event log, because every logo
|
||||
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
|
||||
| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE |
|
||||
| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
|
||||
| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
|
||||
| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
|
||||
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
|
||||
| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
|
||||
| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
|
||||
|
||||
@ -7,7 +7,6 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
---
|
||||
|
||||
# 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
|
||||
@ -15,6 +14,8 @@ ms.date: 04/19/2017
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
|
||||
|
||||
<img src="images/event-5031.png" alt="Event 5031 illustration" width="449" height="317" hspace="10" align="left" />
|
||||
|
||||
@ -8,56 +8,57 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
ms.author: justinha
|
||||
author: justinha
|
||||
ms.date: 11/15/2018
|
||||
ms.date: 12/20/2018
|
||||
---
|
||||
|
||||
# How to control USB devices and other removable media using Intune
|
||||
# How to control USB devices and other removable media using Windows Defender ATP
|
||||
|
||||
**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
Windows Defender ATP provides multiple monitoring and control features for USB peripherals to help prevent threats in unauthorized peripherals from compromising your devices:
|
||||
|
||||
You can configure Intune settings to reduce threats from removable storage such as USB devices, including:
|
||||
1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
|
||||
- [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware.
|
||||
- The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB.
|
||||
- [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in.
|
||||
|
||||
2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events)
|
||||
- Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
|
||||
|
||||
- [Block unwanted removeable storage](#block-unwanted-removable-storage)
|
||||
- [Protect allowed removable storage](#protect-allowed-removable-storage)
|
||||
3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral:
|
||||
- Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination.
|
||||
- Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
|
||||
|
||||
Protecting allowed removeable storage requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
|
||||
We recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
|
||||
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
|
||||
You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted.
|
||||
>[!NOTE]
|
||||
>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks.
|
||||
|
||||
> [!NOTE]
|
||||
> These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For data loss prevention on Windows 10 devices, you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device.
|
||||
For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog).
|
||||
|
||||
## Block unwanted removeable storage
|
||||
## Prevent threats from removable storage
|
||||
|
||||
Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals.
|
||||
|
||||
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
|
||||
2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
|
||||
### Enable Windows Defender Antivirus Scanning
|
||||
|
||||
|
||||
Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans.
|
||||
|
||||
3. Use the following settings:
|
||||
- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
|
||||
- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting.
|
||||
|
||||
- Name: Windows 10 Device Configuration
|
||||
- Description: Block removeable storage and USB connections
|
||||
- Platform: Windows 10 and later
|
||||
- Profile type: Device restrictions
|
||||
>[!NOTE]
|
||||
>We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**.
|
||||
|
||||
|
||||
<!-- Need to build out point in the precedeing note.
|
||||
-->
|
||||
|
||||
4. Click **Configure** > **General**.
|
||||
### Block untrusted and unsigned processes on USB peripherals
|
||||
|
||||
5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**.
|
||||
|
||||
|
||||
|
||||
6. Click **OK** to close **General** settings and **Device restrictions**.
|
||||
|
||||
7. Click **Create** to save the profile.
|
||||
|
||||
Alternatively, you can create a custom profile in Intune and configure [DeviceInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) policies.
|
||||
|
||||
## Protect allowed removable storage
|
||||
End-users might plug in removable devices that are infected with malware.
|
||||
To prevent infections, a company can block USB files that are unsigned or untrusted.
|
||||
Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral.
|
||||
This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively.
|
||||
With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards.
|
||||
Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files.
|
||||
|
||||
These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
|
||||
|
||||
@ -73,7 +74,7 @@ These settings require [enabling real-time protection](https://docs.microsoft.co
|
||||
- Platform: Windows 10 or later
|
||||
- Profile type: Endpoint protection
|
||||
|
||||
|
||||
|
||||
|
||||
4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**.
|
||||
|
||||
@ -83,4 +84,104 @@ These settings require [enabling real-time protection](https://docs.microsoft.co
|
||||
|
||||
6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**.
|
||||
|
||||
7. Click **Create** to save the profile.
|
||||
7. Click **Create** to save the profile.
|
||||
|
||||
### Protect against Direct Memory Access (DMA) attacks
|
||||
|
||||
DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks:
|
||||
|
||||
1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users.
|
||||
|
||||
Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
|
||||
|
||||
Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default).
|
||||
|
||||
2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can:
|
||||
|
||||
- [Block DMA until a user signs in](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess)
|
||||
- [Block all connections via the Thunderbolt ports (including USB devices)](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
|
||||
|
||||
|
||||
## Detect plug and play connected events
|
||||
|
||||
You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations.
|
||||
For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
|
||||
Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules).
|
||||
|
||||
## Respond to threats
|
||||
|
||||
Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
|
||||
|
||||
>[!Note]
|
||||
>Always test and refine these settings with a pilot group of users and devices first before applying them in production.
|
||||
|
||||
The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals.
|
||||
For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog).
|
||||
|
||||
| Control | Description |
|
||||
|----------|-------------|
|
||||
| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage |
|
||||
| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware |
|
||||
| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware |
|
||||
|
||||
>[!Note]
|
||||
>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
|
||||
|
||||
### Block installation and usage of removable storage
|
||||
|
||||
1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
|
||||
2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
|
||||
|
||||
|
||||
|
||||
3. Use the following settings:
|
||||
|
||||
- Name: Type a name for the profile
|
||||
- Description: Type a description
|
||||
- Platform: Windows 10 and later
|
||||
- Profile type: Device restrictions
|
||||
|
||||
|
||||
|
||||
4. Click **Configure** > **General**.
|
||||
|
||||
5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. **Removable storage** includes USB drives, where **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only.
|
||||
|
||||
|
||||
|
||||
6. Click **OK** to close **General** settings and **Device restrictions**.
|
||||
|
||||
7. Click **Create** to save the profile.
|
||||
|
||||
### Only allow installation and usage of specifically approved peripherals
|
||||
|
||||
Windows Defender ATP allows installation and usage of only specifically approved peripherals by creating a custom profile in Intune and configuring [DeviceInstallation policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation).
|
||||
For example, this custom profile allows installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0".
|
||||
|
||||
|
||||
|
||||
Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
|
||||
|
||||
For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses).
|
||||
Allowing installation of specific devices requires also enabling [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings).
|
||||
|
||||
### Prevent installation of specifically prohibited peripherals
|
||||
|
||||
Windows Defender ATP also blocks installation and usage of prohibited peripherals with a custom profile in Intune.
|
||||
For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0", and applies to USB devices with matching hardware IDs that are already installed.
|
||||
|
||||
|
||||
|
||||
For a SyncML example that prevents installation of specific device IDs, see [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids). To prevent specific device classes, see [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses).
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
|
||||
- [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning)
|
||||
- [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation)
|
||||
- [Perform a custom scan of a removable device](https://aka.ms/scanusb)
|
||||
- [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
|
||||
- [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure)
|
||||
|
||||
|
||||
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 44 KiB After Width: | Height: | Size: 44 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 14 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 14 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 14 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 38 KiB |
@ -13,9 +13,9 @@ ms.date: 08/01/2018
|
||||
# Microsoft Safety Scanner
|
||||
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
|
||||
|
||||
- [Download 32-bit](https://go.microsoft.com/fwlink/?LinkId=212733)
|
||||
- [Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733)
|
||||
|
||||
- [Download 64-bit](https://go.microsoft.com/fwlink/?LinkId=212732)
|
||||
- [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732)
|
||||
|
||||
Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
|
||||
|
||||
|
||||
@ -0,0 +1,8 @@
|
||||
---
|
||||
author: jasongerend
|
||||
ms.author: jgerend
|
||||
ms.date: 1/4/2019
|
||||
ms.topic: include
|
||||
ms.prod: w10
|
||||
---
|
||||
Using SMB packet signing can degrade performance on file service transactions, depending on the version of SMB and available CPU cycles.
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: brianlic-msft
|
||||
ms.date: 06/19/2018
|
||||
ms.date: 01/04/2019
|
||||
---
|
||||
|
||||
# SMBv1 Microsoft network client: Digitally sign communications (always)
|
||||
@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta
|
||||
|
||||
If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled.
|
||||
|
||||
Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions.
|
||||
[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)]
|
||||
|
||||
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
|
||||
- [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)
|
||||
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: brianlic-msft
|
||||
ms.date: 06/19/2018
|
||||
ms.date: 01/04/2019
|
||||
---
|
||||
# SMBv1 Microsoft network client: Digitally sign communications (if server agrees)
|
||||
|
||||
@ -29,7 +29,7 @@ If server-side SMB signing is required, a client computer will not be able to es
|
||||
|
||||
If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled.
|
||||
|
||||
Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions.
|
||||
[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)]
|
||||
|
||||
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
|
||||
|
||||
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: brianlic-msft
|
||||
ms.date: 06/19/201
|
||||
ms.date: 01/04/2019
|
||||
---
|
||||
|
||||
# SMB v1 Microsoft network server: Digitally sign communications (always)
|
||||
@ -33,7 +33,7 @@ If server-side SMB signing is required, a client device will not be able to esta
|
||||
|
||||
If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled.
|
||||
|
||||
Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions.
|
||||
[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)]
|
||||
|
||||
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
|
||||
|
||||
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: brianlic-msft
|
||||
ms.date: 06/19/2018
|
||||
ms.date: 01/04/2019
|
||||
---
|
||||
|
||||
# SMBv1 Microsoft network server: Digitally sign communications (if client agrees)
|
||||
@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta
|
||||
|
||||
If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled.
|
||||
|
||||
Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions.
|
||||
[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)]
|
||||
|
||||
There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications:
|
||||
|
||||
|
||||
@ -8,7 +8,7 @@ ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: jsuther1974
|
||||
ms.date: 11/28/2018
|
||||
ms.date: 01/08/2019
|
||||
---
|
||||
|
||||
# Windows Defender Application Control
|
||||
@ -38,7 +38,7 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs
|
||||
## WDAC System Requirements
|
||||
|
||||
WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016.
|
||||
They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune.
|
||||
They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune.
|
||||
Group Policy or Intune can be used to distribute WDAC policies.
|
||||
|
||||
## New and changed functionality
|
||||
|
||||
@ -25,7 +25,7 @@ You can see how an employee would use standalone mode with Application Guard.
|
||||
|
||||
**To test Application Guard in Standalone mode**
|
||||
|
||||
1. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
|
||||
1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard) steps in this guide.
|
||||
|
||||
2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
|
||||
|
||||
@ -46,7 +46,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
|
||||
### Install, set up, and turn on Application Guard
|
||||
Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
|
||||
|
||||
1. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
|
||||
1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard) steps in this guide.
|
||||
|
||||
2. Restart the device and then start Microsoft Edge.
|
||||
|
||||
|
||||
@ -98,6 +98,7 @@
|
||||
|
||||
|
||||
## [Get started](get-started.md)
|
||||
### [What's new in Windows Defender ATP](whats-new-in-windows-defender-atp.md)
|
||||
### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
|
||||
### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
|
||||
### [Preview features](preview-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/16/2017
|
||||
ms.date: 12/20/2018
|
||||
---
|
||||
|
||||
# Configure HP ArcSight to pull Windows Defender ATP alerts
|
||||
@ -51,10 +51,10 @@ This section guides you in getting the necessary information to set and use the
|
||||
|
||||
You can generate these tokens from the **SIEM integration** setup section of the portal.
|
||||
|
||||
## Install and configure HP ArcSight SmartConnector
|
||||
## Install and configure HP ArcSight FlexConnector
|
||||
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
|
||||
|
||||
1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightSmartConnectors\current\bin`.</br></br>You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
|
||||
1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.</br></br>You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
|
||||
|
||||
2. Follow the installation wizard through the following tasks:
|
||||
- Introduction
|
||||
@ -66,7 +66,7 @@ The following steps assume that you have completed all the required steps in [Be
|
||||
|
||||
You can keep the default values for each of these tasks or modify the selection to suit your requirements.
|
||||
|
||||
3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the SmartConnector installation location, for example:
|
||||
3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the FlexConnector installation location, for example:
|
||||
|
||||
- WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\
|
||||
|
||||
|
||||
@ -0,0 +1,75 @@
|
||||
---
|
||||
title: What's new in Windows Defender ATP
|
||||
description: Lists the new features and functionality in Windows Defender ATP
|
||||
keywords: what's new in windows defender atp
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: dansimp
|
||||
author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 01/07/2019
|
||||
---
|
||||
|
||||
# What's new in Windows Defender ATP
|
||||
**Applies to:**
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
Here are the new features in the latest release of Windows Defender ATP.
|
||||
|
||||
## Windows Defender ATP 1809
|
||||
- [Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
|
||||
Controlled folder access is now supported on Windows Server 2019.
|
||||
|
||||
- [Attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
|
||||
All Attack surface reduction rules are now supported on Windows Server 2019.
|
||||
For Windows 10, version 1809 there are two new attack surface reduction rules:
|
||||
- Block Adobe Reader from creating child processes
|
||||
- Block Office communication application from creating child processes.
|
||||
|
||||
- [Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
|
||||
- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
|
||||
- Windows Defender Antivirus can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security.
|
||||
- [Configure CPU priority settings](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus) for Windows Defender Antivirus scans.
|
||||
|
||||
|
||||
|
||||
- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)<br>
|
||||
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
|
||||
|
||||
- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)<br>
|
||||
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
|
||||
- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)<br>
|
||||
Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
|
||||
- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)<br>
|
||||
Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
|
||||
- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)<br>
|
||||
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
|
||||
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) <br>
|
||||
Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
|
||||
- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)<br>
|
||||
Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor.
|
||||
- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)<br>
|
||||
Windows Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs.
|
||||
|
||||
## Windows Defender ATP 1803
|
||||
- [Attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
|
||||
New attack surface reduction rules:
|
||||
- Use advanced protection against ransomware
|
||||
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
|
||||
- Block process creations originating from PSExec and WMI commands
|
||||
- Block untrusted and unsigned processes that run from USB
|
||||
- Block executable content from email client and webmail
|
||||
- [Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
|
||||
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
|
||||
- [Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
|
||||
Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus).
|
||||
- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) <BR>
|
||||
Query data using Advanced hunting in Windows Defender ATP
|
||||
- [Automated investigation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br> Use Automated investigations to investigate and remediate threats
|
||||
- [Conditional access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) <br>
|
||||
Enable conditional access to better protect users, devices, and data
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 11/27/2018
|
||||
ms.date: 12/19/2018
|
||||
---
|
||||
|
||||
# Customize attack surface reduction rules
|
||||
@ -47,7 +47,7 @@ Rule description | GUID
|
||||
-|:-:|-
|
||||
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
|
||||
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
|
||||
Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
|
||||
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
|
||||
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
|
||||
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
|
||||
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
|
||||
|
||||
Reference in New Issue
Block a user