deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 13:23:36 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into acrolinx-windows-security

Browse Source
This commit is contained in:
Shannon Leavitt
2020-11-04 16:11:42 -07:00
committed by GitHub
parent 7b13f83239 822a762022
commit f92373240b
43 changed files with 254 additions and 255 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/threat-protection/auditing/audit-user-device-claims.md
View File

@ -1,6 +1,6 @@
--- ---
title: Audit User/Device Claims (Windows 10) title: Audit User/Device Claims (Windows 10)
description: Audit User/Device Claims is an audit policy setting which enables you to audit security events that are generated by user and device claims. description: Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims.
ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486 ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
@ -25,7 +25,7 @@ Audit User/Device Claims allows you to audit user and device claims information
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
***Important***: [Audit Logon](audit-logon.md) subcategory must also be enabled in order to get events from this subcategory. ***Important***: Enable the [Audit Logon](audit-logon.md) subcategory in order to get events from this subcategory.
**Event volume**: **Event volume**:

4
windows/security/threat-protection/auditing/event-1105.md
View File

@ -13,7 +13,7 @@ manager: dansimp
ms.author: dansimp ms.author: dansimp
--- ---
# 1105(S): Event log automatic backup. # 1105(S): Event log automatic backup
**Applies to** **Applies to**
- Windows 10 - Windows 10
@ -71,7 +71,7 @@ This event generates, for example, if the maximum size of Security Event Log fil
***Field Descriptions:*** ***Field Descriptions:***
**Log** \[Type = UnicodeString\]: the name of the log which was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs. **Log** \[Type = UnicodeString\]: the name of the log that was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs.
**File**: \[Type = FILETIME\]: full path and filename of archived log file. **File**: \[Type = FILETIME\]: full path and filename of archived log file.

4
windows/security/threat-protection/auditing/event-4618.md
View File

@ -32,7 +32,7 @@ Account must have **SeAuditPrivilege** (Generate security audits) to be able to
- Only **OrgEventID**, **ComputerName**, and **EventCount** are required—others are optional. Fields not specified appear with “**-**“ in the event description field. - Only **OrgEventID**, **ComputerName**, and **EventCount** are required—others are optional. Fields not specified appear with “**-**“ in the event description field.
- If a field doesnt match the expected data type, the event is not generated. (i.e., if **EventCount** = “XYZ” then no event is generated.) - If a field doesnt match the expected data type, the event is not generated. That is, if **EventCount** = “XYZ”, then no event is generated.
- **UserSid**, **UserName**, and **UserDomain** are not related to each other (think **SubjectUser** fields, where they are) - **UserSid**, **UserName**, and **UserDomain** are not related to each other (think **SubjectUser** fields, where they are)
@ -98,5 +98,5 @@ Account must have **SeAuditPrivilege** (Generate security audits) to be able to
For 4618(S): A monitored security event pattern has occurred. For 4618(S): A monitored security event pattern has occurred.
- This event can be invoked only manually/intentionally, it is up to you how interpret this event depends on information you put inside of it. - This event can be invoked only manually/intentionally, it is up to you how to interpret this event depends on information you put inside of it.

40
windows/security/threat-protection/auditing/event-4625.md
View File

@ -99,7 +99,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure. - **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following: - **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO - Domain NETBIOS name example: CONTOSO
@ -111,7 +111,7 @@ This event generates on domain controllers, member servers, and workstations.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field. - **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
<span id="_Ref433822321" class="anchor"></span>**Table 11: Windows Logon Types** <span id="_Ref433822321" class="anchor"></span>**Table 11: Windows Logon Types**
@ -138,7 +138,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt. - **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt.
- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Formats vary, and include the following: - **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO - Domain NETBIOS name example: CONTOSO
@ -154,9 +154,9 @@ This event generates on domain controllers, member servers, and workstations.
**Failure Information:** **Failure Information:**
- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event it typically has “**Account locked out**” value. - **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has “**Account locked out**” value.
- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes. - **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
<span id="_Ref433822658" class="anchor"></span>**Table 12: Windows logon status codes.** <span id="_Ref433822658" class="anchor"></span>**Table 12: Windows logon status codes.**
@ -165,7 +165,7 @@ This event generates on domain controllers, member servers, and workstations.
| 0XC000005E | There are currently no logon servers available to service the logon request. | | 0XC000005E | There are currently no logon servers available to service the logon request. |
| 0xC0000064 | User logon with misspelled or bad user account | | 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password | | 0xC000006A | User logon with misspelled or bad password |
| 0XC000006D | This is either due to a bad username or authentication information | | 0XC000006D | The cause is either a bad username or authentication information |
| 0XC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). | | 0XC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). |
| 0xC000006F | User logon outside authorized hours | | 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation | | 0xC0000070 | User logon from unauthorized workstation |
@ -173,23 +173,23 @@ This event generates on domain controllers, member servers, and workstations.
| 0xC0000072 | User logon to account disabled by administrator | | 0xC0000072 | User logon to account disabled by administrator |
| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. | | 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
| 0XC0000133 | Clocks between DC and other computer too far out of sync | | 0XC0000133 | Clocks between DC and other computer too far out of sync |
| 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine | | 0XC000015B | The user has not been granted the requested logon type (also called the *logon right*) at this machine |
| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. | | 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
| 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. | | 0XC0000192 | An attempt was made to logon, but the **Netlogon** service was not started. |
| 0xC0000193 | User logon with expired account | | 0xC0000193 | User logon with expired account |
| 0XC0000224 | User is required to change password at next logon | | 0XC0000224 | User is required to change password at next logon |
| 0XC0000225 | Evidently a bug in Windows and not a risk | | 0XC0000225 | Evidently a bug in Windows and not a risk |
| 0xC0000234 | User logon with account locked | | 0xC0000234 | User logon with account locked |
| 0XC00002EE | Failure Reason: An Error occurred during Logon | | 0XC00002EE | Failure Reason: An Error occurred during Logon |
| 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. | | 0XC0000413 | Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
| 0x0 | Status OK. | | 0x0 | Status OK. |
> [!NOTE] > [!NOTE]
> To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK. > To see the meaning of other status or substatus codes, you might also check for status code in the Window header file ntstatus.h in Windows SDK.
More information: <https://dev.windows.com/en-us/downloads> More information: <https://dev.windows.com/en-us/downloads>
- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common sub-status codes listed in the “Table 12. Windows logon status codes.”. - **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the “Table 12. Windows logon status codes.”.
**Process Information:** **Process Information:**
@ -213,7 +213,7 @@ More information: <https://dev.windows.com/en-us/downloads>
- ::1 or 127.0.0.1 means localhost. - ::1 or 127.0.0.1 means localhost.
- **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine. - **Source Port** \[Type = UnicodeString\]: source port that was used for logon attempt from remote machine.
- 0 for interactive logons. - 0 for interactive logons.
@ -221,7 +221,7 @@ More information: <https://dev.windows.com/en-us/downloads>
- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information. - **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are: - **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
- **NTLM** NTLM-family Authentication - **NTLM** NTLM-family Authentication
@ -231,7 +231,7 @@ More information: <https://dev.windows.com/en-us/downloads>
- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see <https://msdn.microsoft.com/library/cc246072.aspx> - **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see <https://msdn.microsoft.com/library/cc246072.aspx>
- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager sub-package ([NTLM-family](https://msdn.microsoft.com/library/cc236627.aspx) protocol name) that was used during the logon attempt. Possible values are: - **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager subpackage ([NTLM-family](https://msdn.microsoft.com/library/cc236627.aspx) protocol name) that was used during the logon attempt. Possible values are:
- “NTLM V1” - “NTLM V1”
@ -241,7 +241,7 @@ More information: <https://dev.windows.com/en-us/downloads>
Only populated if “**Authentication Package” = “NTLM”**. Only populated if “**Authentication Package” = “NTLM”**.
- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/library/cc236650.aspx) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if **Authentication Package = Kerberos**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package. - **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/library/cc236650.aspx) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package.
## Security Monitoring Recommendations ## Security Monitoring Recommendations
@ -264,9 +264,9 @@ For 4625(F): An account failed to log on.
- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **“Subject\\Security ID”** that corresponds to the account. - If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **“Subject\\Security ID”** that corresponds to the account.
- We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. This is especially relevant for critical servers, administrative workstations, and other high value assets. - We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.
- We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. This is especially relevant for critical servers, administrative workstations, and other high value assets. - We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. Monitoring is especially relevant for critical servers, administrative workstations, and other high value assets.
- If your organization restricts logons in the following ways, you can use this event to monitor accordingly: - If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
@ -286,15 +286,15 @@ For 4625(F): An account failed to log on.
| Field | Value to monitor for | | Field | Value to monitor for |
|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E “There are currently no logon servers available to service the logon request.” <br>This is typically not a security issue but it can be an infrastructure or availability issue. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E “There are currently no logon servers available to service the logon request.” <br>This issue is typically not a security issue, but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 “User logon with misspelled or bad user account”. <br>Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 “User logon with misspelled or bad user account”. <br>Especially if you get several of these events in a row, it can be a sign of a user enumeration attack. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006A “User logon with misspelled or bad password” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006A “User logon with misspelled or bad password” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000006D “This is either due to a bad username or authentication information” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000006D “This is either due to a bad username or authentication information” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006F “User logon outside authorized hours”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006F “User logon outside authorized hours”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000070 “User logon from unauthorized workstation”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000070 “User logon from unauthorized workstation”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000072 “User logon to account disabled by administrator”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000072 “User logon to account disabled by administrator”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B “The user has not been granted the requested logon type (aka logon right) at this machine”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B “The user has not been granted the requested logon type (aka logon right) at this machine”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 “An attempt was made to logon, but the Netlogon service was not started”. <br>This is typically not a security issue but it can be an infrastructure or availability issue. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 “An attempt was made to logon, but the Netlogon service was not started”. <br>This issue is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 “User logon with expired account”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 “User logon with expired account”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |

12
windows/security/threat-protection/auditing/event-4692.md
View File

@ -30,7 +30,7 @@ This event generates every time that a backup is attempted for the [DPAPI](https
When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password. When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password.
Periodically, a domain-joined machine will try to send an RPC request to a domain controller to back up the users master key so that the user can recover secrets in case his or her password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key. Periodically, a domain-joined machine tries to send an RPC request to a domain controller to back up the users master key so that the user can recover secrets in case their password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
This event also generates every time a new DPAPI Master Key is generated, for example. This event also generates every time a new DPAPI Master Key is generated, for example.
@ -91,7 +91,7 @@ Failure event generates when a Master Key backup operation fails for some reason
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested backup operation. - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested backup operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following: - **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO - Domain NETBIOS name example: CONTOSO
@ -107,17 +107,17 @@ Failure event generates when a Master Key backup operation fails for some reason
**Key Information:** **Key Information:**
- **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -&gt; %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is its ID. - **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -&gt; %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is its ID.
- **Recovery Server** \[Type = UnicodeString\]: the name (typically DNS name) of the computer that you contacted to back up your Master Key. For domain joined machines, its typically a name of a domain controller. This parameter might not be captured in the event, and in that case will be empty. - **Recovery Server** \[Type = UnicodeString\]: the name (typically DNS name) of the computer that you contacted to back up your Master Key. For domain joined machines, its typically a name of a domain controller. This parameter might not be captured in the event, and in that case will be empty.
- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates a RSA public/private key pair, which is the recovery key. In this field you will see unique Recovery key ID which was used for Master key backup operation. - **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field, you will see unique Recovery key ID that was used for Master key backup operation.
For Failure events this field is typically empty. For Failure events, this field is typically empty.
**Status Information:** **Status Information:**
- **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A: - **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events, this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
> \[Net helpmsg 58 illustration](..images/net-helpmsg-58.png) > \[Net helpmsg 58 illustration](..images/net-helpmsg-58.png)

28
windows/security/threat-protection/auditing/event-4771.md
View File

@ -26,7 +26,7 @@ ms.author: dansimp
***Event Description:*** ***Event Description:***
This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesnt have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the users password has expired, or the wrong password was provided. This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesnt have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the users password has expired, or the wrong password was provided.
This event generates only on domain controllers. This event generates only on domain controllers.
@ -103,7 +103,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
**Network Information:** **Network Information:**
- **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Formats vary, and include the following: - **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Here are some examples of formats:
- **IPv6** or **IPv4** address. - **IPv6** or **IPv4** address.
@ -117,7 +117,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
**Additional Information:** **Additional Information:**
- **Ticket Options**: \[Type = HexInt32\]: this is a set of different Ticket Flags in hexadecimal format. - **Ticket Options**: \[Type = HexInt32\]: this set of different Ticket Flags is in hexadecimal format.
Example: Example:
@ -125,7 +125,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
- Binary view: 01000000100000010000000000010000 - Binary view: 01000000100000010000000000010000
- Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok. - Using **MSB 0**-bit numbering, we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
> **Note**&nbsp;&nbsp;In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.<br><img src="images/msb.png" alt="MSB illustration" width="224" height="57" /> > **Note**&nbsp;&nbsp;In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.<br><img src="images/msb.png" alt="MSB illustration" width="224" height="57" />
@ -146,15 +146,15 @@ The most common values:
| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. | | 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | | 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | | 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. | | 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets that have this flag set. |
| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. | | 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. | | 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. | | 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. | | 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. | | 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. | | 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
| 14 | Request-anonymous | KILE not use this flag. | | 14 | Request-anonymous | KILE does not use this flag. |
| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. | | 15 | Name-canonicalize | To request referrals, the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
| 16-25 | Unused | - | | 16-25 | Unused | - |
| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag is not supported by KILE. | | 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag is not supported by KILE. |
| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | | 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. |
@ -169,11 +169,11 @@ The most common values:
| Code | Code Name | Description | Possible causes | | Code | Code Name | Description | Possible causes |
|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). | | 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The users password has expired. | | 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The users password has expired. |
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. | | 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. |
- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type which was used in TGT request. - **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type that was used in TGT request.
<span id="kerberos-preauthentication-types" /> <span id="kerberos-preauthentication-types" />
## Table 5. Kerberos Pre-Authentication types. ## Table 5. Kerberos Pre-Authentication types.
@ -181,7 +181,7 @@ The most common values:
| Type | Type Name | Description | | Type | Type Name | Description |
|------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0 | - | Logon without Pre-Authentication. | | 0 | - | Logon without Pre-Authentication. |
| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. | | 2 | PA-ENC-TIMESTAMP | This type is normal for standard password authentication. |
| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.<br>Never saw this Pre-Authentication Type in Microsoft Active Directory environment. | | 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.<br>Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. | | 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. |
| 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios.| | 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios.|
@ -193,7 +193,7 @@ The most common values:
**Certificate Information:** **Certificate Information:**
- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events. - **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority that issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificates serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events. - **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificates serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events.
@ -208,14 +208,14 @@ For 4771(F): Kerberos pre-authentication failed.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. | | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. |
| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. | | **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that dont comply with naming conventions. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that dont comply with naming conventions. |
- You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. - You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4771](event-4771.md) events. If **Client Address** is not from the allow list, generate the alert. - If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4771](event-4771.md) events. If **Client Address** is not from the allow list, generate the alert.
- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller. - All **Client Address** = ::1 means local authentication. If you know the list of accounts that should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
- All [4771](event-4771.md) events with **Client Port** field value &gt; 0 and &lt; 1024 should be examined, because a well-known port was used for outbound connection. - All [4771](event-4771.md) events with **Client Port** field value &gt; 0 and &lt; 1024 should be examined, because a well-known port was used for outbound connection.
@ -227,5 +227,5 @@ For 4771(F): Kerberos pre-authentication failed.
| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | | **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). | | **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Failure Code** | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. | | **Failure Code** | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. |
| **Failure Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. | | **Failure Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This issue can indicate a brute-force attack on the account password, especially for highly critical accounts. |

6
windows/security/threat-protection/auditing/event-4947.md
View File

@ -90,11 +90,11 @@ This event doesn't generate when Firewall rule was modified via Group Policy.
- **Rule ID** \[Type = UnicodeString\]: the unique identifier for modified firewall rule. - **Rule ID** \[Type = UnicodeString\]: the unique identifier for modified firewall rule.
To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: To see the unique ID of the rule, navigate to the“**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
<img src="images/registry-editor-firewallrules.png" alt="Registry Editor FirewallRules key illustration" width="1412" height="422" /> <img src="images/registry-editor-firewallrules.png" alt="Registry Editor FirewallRules key illustration" width="1412" height="422" />
- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: - **Rule Name** \[Type = UnicodeString\]: the name of the rule that was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
<img src="images/windows-firewall-with-advanced-security.png" alt="Windows Firewall with Advanced Security illustration" width="1082" height="363" /> <img src="images/windows-firewall-with-advanced-security.png" alt="Windows Firewall with Advanced Security illustration" width="1082" height="363" />
@ -102,5 +102,5 @@ This event doesn't generate when Firewall rule was modified via Group Policy.
For 4947(S): A change has been made to Windows Firewall exception list. A rule was modified. For 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
- This event can be helpful in case you want to monitor all Firewall rules modifications which were done locally. - This event can be helpful in case you want to monitor all Firewall rules modifications that were done locally.

4
windows/security/threat-protection/auditing/event-4953.md
View File

@ -93,11 +93,11 @@ It can happen if Windows Firewall rule registry entry was corrupted.
- **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule. - **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule.
To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: To see the unique ID of the rule, navigate to the “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
<img src="images/registry-editor-firewallrules.png" alt="Registry Editor FirewallRules key illustration" width="1412" height="422" /> <img src="images/registry-editor-firewallrules.png" alt="Registry Editor FirewallRules key illustration" width="1412" height="422" />
- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: - **Name** \[Type = UnicodeString\]: the name of the rule that was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
<img src="images/windows-firewall-with-advanced-security.png" alt="Windows Firewall with Advanced Security illustration" width="1082" height="363" /> <img src="images/windows-firewall-with-advanced-security.png" alt="Windows Firewall with Advanced Security illustration" width="1082" height="363" />

6
windows/security/threat-protection/auditing/event-5056.md
View File

@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016 - Windows Server 2016
This event generates in CNG Self-Test function. This is a Cryptographic Next Generation (CNG) function. This event generates in CNG Self-Test function. This function is a Cryptographic Next Generation (CNG) function.
For more information about Cryptographic Next Generation (CNG) visit these pages: For more information about Cryptographic Next Generation (CNG) visit these pages:
@ -32,7 +32,7 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://www.microsoft.com/download/details.aspx?id=30688> - <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. This event is mainly used for CNG troubleshooting.
There is no example of this event in this document. There is no example of this event in this document.
@ -40,7 +40,7 @@ There is no example of this event in this document.
***Event Schema:*** ***Event Schema:***
*A cryptographic self test was performed.* *A cryptographic self-test was performed.*
*Subject:* *Subject:*

8
windows/security/threat-protection/auditing/event-5060.md
View File

@ -1,6 +1,6 @@
--- ---
title: 5060(F) Verification operation failed. (Windows 10) title: 5060(F) Verification operation failed. (Windows 10)
description: Describes security event 5060(F) Verification operation failed. This event is generated in case of CNG verification operation failure. description: Describes security event 5060(F) Verification operation failed. This event is generated when the CNG verification operation fails.
ms.pagetype: security ms.pagetype: security
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -20,9 +20,9 @@ ms.author: dansimp
- Windows Server 2016 - Windows Server 2016
This event generates in case of CNG verification operation failure. This event generates when the Cryptographic Next Generation (CNG) verification operation fails.
For more information about Cryptographic Next Generation (CNG) visit these pages: For more information about CNG, visit these pages:
- <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx> - <https://msdn.microsoft.com/library/windows/desktop/aa376214(v=vs.85).aspx>
@ -32,7 +32,7 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://www.microsoft.com/download/details.aspx?id=30688> - <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. This event is mainly used for CNG troubleshooting.
There is no example of this event in this document. There is no example of this event in this document.

18
windows/security/threat-protection/auditing/event-5152.md
View File

@ -128,9 +128,9 @@ This event is generated for every received network packet.
- 127.0.0.1 , ::1 - localhost - 127.0.0.1 , ::1 - localhost
- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to send the packet. - **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to send the packet.
- **Protocol** \[Type = UInt32\]: number of protocol which was used. - **Protocol** \[Type = UInt32\]**:** number of the protocol that was used.
| Service | Protocol Number | | Service | Protocol Number |
|----------------------------------------------------|-----------------| |----------------------------------------------------|-----------------|
@ -152,15 +152,15 @@ This event is generated for every received network packet.
**Filter Information:** **Filter Information:**
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the packet. - **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocked the packet.
To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example: To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example:
<img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" /> <img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. - **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example: - **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example:
<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" /> <img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
@ -168,7 +168,7 @@ This event is generated for every received network packet.
For 5152(F): The Windows Filtering Platform blocked a packet. For 5152(F): The Windows Filtering Platform blocked a packet.
- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. - If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@ -178,13 +178,13 @@ For 5152(F): The Windows Filtering Platform blocked a packet.
- If the computer or device should not have access to the Internet, or contains only applications that dont connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges). - If the computer or device should not have access to the Internet, or contains only applications that dont connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges).
- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in **Destination Address**. - If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in **Destination Address**.
- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list. - If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”** - If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”**
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17. - Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
- If the computers communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.” - If the computers communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”

14
windows/security/threat-protection/auditing/event-5154.md
View File

@ -75,7 +75,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Application Information**: **Application Information**:
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" /> <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
@ -103,7 +103,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
- 127.0.0.1 , ::1 - localhost - 127.0.0.1 , ::1 - localhost
- **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number which was requested for listening by application. - **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number that was requested for listening by application.
- **Protocol** \[Type = UInt32\]: protocol number. For example: - **Protocol** \[Type = UInt32\]: protocol number. For example:
@ -115,15 +115,15 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Filter Information:** **Filter Information:**
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesnt match any filters you will get value **0** in this field. - **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesnt match any filters you will get value **0** in this field.
To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example: To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example:
<img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" /> <img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. - **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example: - **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example:
<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" /> <img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
@ -131,7 +131,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
- If you have a “whitelist” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information. - If you have anallow list” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
- If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”** - If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”**
@ -139,7 +139,7 @@ For 5154(S): The Windows Filtering Platform has permitted an application or serv
- If a certain application is allowed to use only TCP or UDP protocols, monitor this event for **“Application Name”** and the protocol number in **“Network Information\\Protocol**.**”** - If a certain application is allowed to use only TCP or UDP protocols, monitor this event for **“Application Name”** and the protocol number in **“Network Information\\Protocol**.**”**
- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. - If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).

16
windows/security/threat-protection/auditing/event-5156.md
View File

@ -80,7 +80,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
**Application Information**: **Application Information**:
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" /> <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
@ -130,7 +130,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
- **Destination Port** \[Type = UnicodeString\]**:** port number where the connection was received. - **Destination Port** \[Type = UnicodeString\]**:** port number where the connection was received.
- **Protocol** \[Type = UInt32\]: number of protocol which was used. - **Protocol** \[Type = UInt32\]: number of the protocol that was used.
| Service | Protocol Number | | Service | Protocol Number |
|----------------------------------------------------|-----------------| |----------------------------------------------------|-----------------|
@ -152,15 +152,15 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
**Filter Information:** **Filter Information:**
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allowed the connection. - **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allowed the connection.
To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example: To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example:
<img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" /> <img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. - **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example: - **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example:
<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" /> <img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
@ -168,7 +168,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
For 5156(S): The Windows Filtering Platform has permitted a connection. For 5156(S): The Windows Filtering Platform has permitted a connection.
- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. - If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@ -178,9 +178,9 @@ For 5156(S): The Windows Filtering Platform has permitted a connection.
- If the computer or device should not have access to the Internet, or contains only applications that dont connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges). - If the computer or device should not have access to the Internet, or contains only applications that dont connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”** - If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list. - If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”** - If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**

18
windows/security/threat-protection/auditing/event-5157.md
View File

@ -128,9 +128,9 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
- 127.0.0.1 , ::1 - localhost - 127.0.0.1 , ::1 - localhost
- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to initiate connection. - **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to initiate connection.
- **Protocol** \[Type = UInt32\]: number of protocol which was used. - **Protocol** \[Type = UInt32\]: number of the protocol that was used.
| Service | Protocol Number | | Service | Protocol Number |
|----------------------------------------------------|-----------------| |----------------------------------------------------|-----------------|
@ -152,15 +152,15 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
**Filter Information:** **Filter Information:**
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the connection. - **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocked the connection.
To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example: To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example:
<img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" /> <img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. - **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example: - **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example:
<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" /> <img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
@ -168,7 +168,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
For 5157(F): The Windows Filtering Platform has blocked a connection. For 5157(F): The Windows Filtering Platform has blocked a connection.
- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. - If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@ -178,13 +178,13 @@ For 5157(F): The Windows Filtering Platform has blocked a connection.
- If the\` computer or device should not have access to the Internet, or contains only applications that dont connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges). - If the\` computer or device should not have access to the Internet, or contains only applications that dont connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”** - If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list. - If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”** - If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”**
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17. - Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
- If the computers communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.” - If the computers communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”

14
windows/security/threat-protection/auditing/event-5158.md
View File

@ -75,7 +75,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Application Information**: **Application Information**:
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" /> <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
@ -107,7 +107,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
- **Source Port** \[Type = UnicodeString\]**:** port number which application was bind. - **Source Port** \[Type = UnicodeString\]**:** port number which application was bind.
- **Protocol** \[Type = UInt32\]: number of protocol which was used. - **Protocol** \[Type = UInt32\]: number of the protocol that was used.
| Service | Protocol Number | | Service | Protocol Number |
|----------------------------------------------------|-----------------| |----------------------------------------------------|-----------------|
@ -129,15 +129,15 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Filter Information:** **Filter Information:**
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to bind the port. By default Windows firewall won't prevent a port from being binded by an application and if this application doesnt match any filters you will get value 0 in this field. - **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesnt match any filters, you will get value 0 in this field.
To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example: To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**&lt;filterId&gt;**)**,** for example:
<img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" /> <img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. - **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example: - **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example:
<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" /> <img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
@ -145,7 +145,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
For 5158(S): The Windows Filtering Platform has permitted a bind to a local port. For 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. - If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@ -155,7 +155,7 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port
- If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”** - If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”**
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 6 or 17. - Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 6 or 17.
- If the computers communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.” - If the computers communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”

8
windows/security/threat-protection/auditing/event-5159.md
View File

@ -73,7 +73,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
**Application Information**: **Application Information**:
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" /> <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
@ -127,15 +127,15 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
**Filter Information:** **Filter Information:**
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesnt match any filters, you will get value 0 in this field. - **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesnt match any filters, you will get value 0 in this field.
To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As a result of this command, **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**&lt;filterId&gt;**)**,** for example: To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find the specific substring with the required filter ID (**&lt;filterId&gt;**)**,** for example:
<img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" /> <img src="images/filters-xml-file.png" alt="Filters.xml file illustration" width="840" height="176" />
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. - **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**&lt;layerId&gt;**)**,** for example: - **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find the specific substring with the required layer ID (**&lt;layerId&gt;**)**,** for example:
<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" /> <img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />

16
windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
View File

@ -1,6 +1,6 @@
--- ---
title: How to get a list of XML data name elements in <EventData> (Windows 10) title: How to get a list of XML data name elements in <EventData> (Windows 10)
description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in <EventData>. description: This reference article for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in <EventData>.
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
@ -20,15 +20,15 @@ ms.author: dansimp
The Security log uses a manifest where you can get all of the event schema. The Security log uses a manifest where you can get all of the event schema.
Run the following from an elevated PowerShell prompt: Run the following command from an elevated PowerShell prompt:
```powershell ```powershell
$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing" $secEvents = get-winevent -listprovider "microsoft-windows-security-auditing"
``` ```
The .events property is a collection of all of the events listed in the manifest on the local machine. The `.events` property is a collection of all of the events listed in the manifest on the local machine.
For each event, there is a .Template property for the XML template used for the event properties (if there are any). For each event, there is a `.Template` property for the XML template used for the event properties (if there are any).
For example: For example:
@ -90,7 +90,7 @@ PS C:\WINDOWS\system32> $SecEvents.events[100].Template
You can use the &lt;Template&gt; and &lt;Description&gt; to map the data name elements that appear in XML view to the names that appear in the event description. You can use the &lt;Template&gt; and &lt;Description&gt; to map the data name elements that appear in XML view to the names that appear in the event description.
The &lt;Description&gt; is just the format string (if youre used to Console.Writeline or sprintf statements) and the &lt;Template&gt; is the source of the input parameters for the &lt;Description&gt;. The &lt;Description&gt; is just the format string (if youre used to `Console.Writeline` or `sprintf` statements), and the &lt;Template&gt; is the source of the input parameters for the &lt;Description&gt;.
Using Security event 4734 as an example: Using Security event 4734 as an example:
@ -124,9 +124,9 @@ Description : A security-enabled local group was deleted.
``` ```
For the **Subject: Security Id:** text element, it will use the fourth element in the Template, **SubjectUserSid**. For the **Subject: Security ID:** text element, it will use the fourth element in the Template, **SubjectUserSid**.
For **Additional Information Privileges:**, it would use the eighth element **PrivilegeList**. For **Additional Information Privileges:**, it would use the eighth element, **PrivilegeList**.
A caveat to this is an oft-overlooked property of events called Version (in the &lt;SYSTEM&gt; element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description. A caveat to this principle is an often overlooked property of events called Version (in the &lt;SYSTEM&gt; element) that indicates the revision of the event schema and description. Most events have one version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least three versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.

20
windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
View File

@ -17,22 +17,22 @@ search.appverid: met150
--- ---
# Troubleshooting malware submission errors caused by administrator block # Troubleshooting malware submission errors caused by administrator block
In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this. In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this problem.
## Review your settings ## Review your settings
Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected. Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected.
- If this is set to **No**, an AAD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with AAD, users might be able to submit a request right from the same dialog box. If theres no option to ask for admin consent, users need to request for these permissions to be added to their AAD admin.Go to the following section for more information. - If **No** is selected, an Azure AD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Azure AD, users might be able to submit a request right from the same dialog box. If theres no option to ask for admin consent, users need to request for these permissions to be added to their Azure AD admin.Go to the following section for more information.
- It this is set to **Yes**, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign-in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d).If this is set to **No** you'll need to request an AAD admin enable it. - If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d).If **No** is selected, you'll need to request an Azure AD admin enable it.
## Implement Required Enterprise Application permissions ## Implement Required Enterprise Application permissions
This process requires a global or application admin in the tenant. This process requires a global or application admin in the tenant.
1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). 1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d).
2. Click **Grant admin consent for organization**. 2. Select **Grant admin consent for organization**.
3. If you're able to do so, Review the API permissions required for this application. This should be exactly the same as in the following image. Provide consent for the tenant. 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant.
![grant consent image](images/msi-grant-admin-consent.jpg) ![grant consent image](images/msi-grant-admin-consent.jpg)
4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds. 4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.
@ -59,15 +59,15 @@ This process requires that global admins go through the Enterprise customer sign
![Consent sign in flow](images/msi-microsoft-permission-required.jpg) ![Consent sign in flow](images/msi-microsoft-permission-required.jpg)
Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and click **Accept**. Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**.
All users in the tenant will now be able to use this application. All users in the tenant will now be able to use this application.
## Option 3: Delete and re-add app permissions ## Option 3: Delete and readd app permissions
If neither of these options resolve the issue, try the following steps (as an admin): If neither of these options resolve the issue, try the following steps (as an admin):
1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b) 1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b)
and click **delete**. and select **delete**.
![Delete app permissions](images/msi-properties.png) ![Delete app permissions](images/msi-properties.png)
@ -78,7 +78,7 @@ and click **delete**.
![Permissions needed](images/msi-microsoft-permission-requested-your-organization.png) ![Permissions needed](images/msi-microsoft-permission-requested-your-organization.png)
4. Review the permissions required by the application, and then click **Accept**. 4. Review the permissions required by the application, and then select **Accept**.
5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051). 5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051).

43
windows/security/threat-protection/microsoft-defender-atp/android-terms.md
View File

@ -52,7 +52,7 @@ DO NOT USE THE APPLICATION.**
1. **INSTALLATION AND USE RIGHTS.** 1. **INSTALLATION AND USE RIGHTS.**
1. **Installation and Use.** You may install and use any number of copies 1. **Installation and Use.** You may install and use any number of copies
of this application on Android enabled device or devices which you own of this application on Android enabled device or devices that you own
or control. You may use this application with your company's valid or control. You may use this application with your company's valid
subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or
an online service that includes MDATP functionalities. an online service that includes MDATP functionalities.
@ -60,13 +60,13 @@ DO NOT USE THE APPLICATION.**
2. **Updates.** Updates or upgrades to MDATP may be required for full 2. **Updates.** Updates or upgrades to MDATP may be required for full
functionality. Some functionality may not be available in all countries. functionality. Some functionality may not be available in all countries.
3. **Third Party Programs.** The application may include third party 3. **Third-Party Programs.** The application may include third-party
programs that Microsoft, not the third party, licenses to you under this programs that Microsoft, not the third party, licenses to you under this
agreement. Notices, if any, for the third-party program are included for agreement. Notices, if any, for the third-party program are included for
your information only. your information only.
2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to 2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
Internet access, data transfer and other services per the terms of the data Internet access, data transfer, and other services per the terms of the data
service plan and any other agreement you have with your network operator due service plan and any other agreement you have with your network operator due
to use of the application. You are solely responsible for any network to use of the application. You are solely responsible for any network
operator charges. operator charges.
@ -92,21 +92,21 @@ DO NOT USE THE APPLICATION.**
improve Microsoft products and services and enhance your experience. improve Microsoft products and services and enhance your experience.
You may limit or control collection of some usage and performance You may limit or control collection of some usage and performance
data through your device settings. Doing so may disrupt your use of data through your device settings. Doing so may disrupt your use of
certain features of the application. For additional information on certain features of the application. For more information about
Microsoft's data collection and use, see the [Online Services Microsoft data collection and use, see the [Online Services
Terms](https://go.microsoft.com/fwlink/?linkid=2106777). Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
2. Misuse of Internet-based Services. You may not use any Internet-based 2. Misuse of Internet-based Services. You may not use any Internet-based
service in any way that could harm it or impair anyone else's use of it service in any way that could harm it or impair anyone else's use of it
or the wireless network. You may not use the service to try to gain or the wireless network. You may not use the service to try to gain
unauthorized access to any service, data, account or network by any unauthorized access to any service, data, account, or network by any
means. means.
4. **FEEDBACK.** If you give feedback about the application to Microsoft, you 4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
give to Microsoft, without charge, the right to use, share and commercialize give to Microsoft, without charge, the right to use, share, and commercialize
your feedback in any way and for any purpose. You also give to third your feedback in any way and for any purpose. You also give to third
parties, without charge, any patent rights needed for their products, parties, without charge, any patent rights needed for their products,
technologies and services to use or interface with any specific parts of a technologies, and services to use or interface with any specific parts of a
Microsoft software or service that includes the feedback. You will not give Microsoft software or service that includes the feedback. You will not give
feedback that is subject to a license that requires Microsoft to license its feedback that is subject to a license that requires Microsoft to license its
software or documentation to third parties because we include your feedback software or documentation to third parties because we include your feedback
@ -130,35 +130,34 @@ DO NOT USE THE APPLICATION.**
- publish the application for others to copy; - publish the application for others to copy;
- rent, lease or lend the application; or - rent, lease, or lend the application; or
- transfer the application or this agreement to any third party. - transfer the application or this agreement to any third party.
6. **EXPORT RESTRICTIONS.** The application is subject to United States export 6. **EXPORT RESTRICTIONS.** The application is subject to United States export
laws and regulations. You must comply with all domestic and international laws and regulations. You must comply with all domestic and international
export laws and regulations that apply to the application. These laws export laws and regulations that apply to the application. These laws
include restrictions on destinations, end users and end use. For additional include restrictions on destinations, end users, and end use. For more
information, information,
see<EFBFBD>[www.microsoft.com/exporting](https://www.microsoft.com/exporting). see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
7. **SUPPORT SERVICES.** Because this application is "as is," we may not 7. **SUPPORT SERVICES.** Because this application is "as is," we may not
provide support services for it. If you have any issues or questions about provide support services for it. If you have any issues or questions about
your use of this application, including questions about your company's your use of this application, including questions about your company's
privacy policy, please contact your company's admin. Do not contact the privacy policy, contact your company's admin. Do not contact the
application store, your network operator, device manufacturer, or Microsoft. application store, your network operator, device manufacturer, or Microsoft.
The application store provider has no obligation to furnish support or The application store provider has no obligation to furnish support or
maintenance with respect to the application. maintenance with respect to the application.
8. **APPLICATION STORE.** 8. **APPLICATION STORE.**
1. If you obtain the application through an application store (e.g., Google 1. If you obtain the application through an application store (for example, Google
Play), please review the applicable application store terms to ensure Play), review the applicable application store terms to ensure
your download and use of the application complies with such terms. your download and use of the application complies with such terms.
Please note that these Terms are between you and Microsoft and not with Note that these Terms are between you and Microsoft and not with
the application store. the application store.
2. The respective application store provider and its subsidiaries are third 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these
party beneficiaries of these Terms, and upon your acceptance of these
Terms, the application store provider(s) will have the right to directly Terms, the application store provider(s) will have the right to directly
enforce and rely upon any provision of these Terms that grants them a enforce and rely upon any provision of these Terms that grants them a
benefit or rights. benefit or rights.
@ -213,20 +212,20 @@ DO NOT USE THE APPLICATION.**
This limitation applies to: This limitation applies to:
- anything related to the application, services, content (including code) on - anything related to the application, services, content (including code) on
third party Internet sites, or third party programs; and third-party internet sites, or third-party programs; and
- claims for breach of contract, warranty, guarantee or condition; consumer - claims for breach of contract, warranty, guarantee, or condition; consumer
protection; deception; unfair competition; strict liability, negligence, protection; deception; unfair competition; strict liability, negligence,
misrepresentation, omission, trespass or other tort; violation of statute or misrepresentation, omission, trespass, or other tort; violation of statute or
regulation; or unjust enrichment; all to the extent permitted by applicable regulation; or unjust enrichment; all to the extent permitted by applicable
law. law.
It also applies even if: It also applies even if:
a. Repair, replacement or refund for the application does not fully compensate a. Repair, replacement, or refund for the application does not fully compensate
you for any losses; or you for any losses; or
b. Covered Parties knew or should have known about the possibility of the b. Covered Parties knew or should have known about the possibility of the
damages. damages.
The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential, or other damages.

14
windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
View File

@ -49,7 +49,7 @@ To get preview features for Mac, you must set up your device to be an "Insider"
1. From the JAMF console, navigate to **Computers>Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. 1. From the JAMF console, navigate to **Computers>Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**.
1. Create an entry withcom.microsoft.wdavas the preference domain and upload the .plist created earlier. 1. Create an entry withcom.microsoft.wdavas the preference domain and upload the `.plist` created earlier.
> [!WARNING] > [!WARNING]
> You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
@ -117,7 +117,7 @@ To get preview features for Mac, you must set up your device to be an "Insider"
1. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**. 1. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
1. Save the .plist created earlier as com.microsoft.wdav.xml. 1. Save the `.plist` created earlier as com.microsoft.wdav.xml.
1. Enter com.microsoft.wdav as the custom configuration profile name. 1. Enter com.microsoft.wdav as the custom configuration profile name.
@ -150,17 +150,17 @@ For versions earlier than 100.78.0, run:
To get the latest version of the Microsoft Defender ATP for Mac, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate). To get the latest version of the Microsoft Defender ATP for Mac, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate).
To verify you are running the correct version, run mdatp --health on the device. To verify you are running the correct version, run `mdatp --health` on the device.
* The required version is 100.72.15 or later. * The required version is 100.72.15 or later.
* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running defaults read com.microsoft.autoupdate2 from terminal. * If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running `defaults read com.microsoft.autoupdate2` from the terminal.
* To change update settings use documentation in [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1). * To change update settings, see [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1).
* If you are not using Office for Mac, download and run the AutoUpdate tool. * If you are not using Office for Mac, download and run the AutoUpdate tool.
### A device still does not appear on Microsoft Defender Security Center ### A device still does not appear on Microsoft Defender Security Center
After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running mdatp --connectivity-test. After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running `mdatp --connectivity-test`.
* Check that you enabled the early preview flag. In terminal run mdatp health and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. * Check that you enabled the early preview flag. In the terminal, run `mdatp health` and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment). If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).

4
windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
View File

@ -42,7 +42,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td> <td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
<td><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td> <td><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
<td><b>Windows 10, version 1703</td> <td><b>Windows 10, version 1703</td>
<td>This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.</br></br>This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.</p><p><b>Important:</b> Using a trustworthy browser helps ensure that these protections work as expected.</p></td> <td>This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.</br></br> This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.</p><p><b>Important:</b> Using a trustworthy browser helps ensure that these protections work as expected.</p></td>
</tr> </tr>
<tr> <tr>
<td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><b>Windows 10, Version 1607 and earlier:</b><br>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen</td> <td><b>Windows 10, version 2004:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><b>Windows 10, version 1703:</b><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><b>Windows 10, Version 1607 and earlier:</b><br>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen</td>
@ -160,7 +160,7 @@ For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser]
</table> </table>
## Recommended Group Policy and MDM settings for your organization ## Recommended Group Policy and MDM settings for your organization
By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning. By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this feature can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
<table> <table>

14
windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
View File

@ -1,6 +1,6 @@
--- ---
title: Access Credential Manager as a trusted caller (Windows 10) title: Access Credential Manager as a trusted caller (Windows 10)
description: Describes best practices, security considerations and more for the security policy setting, Access Credential Manager as a trusted caller. description: Describes best practices, security considerations, and more for the security policy setting, Access Credential Manager as a trusted caller.
ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88 ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88
ms.reviewer: ms.reviewer:
ms.author: dansimp ms.author: dansimp
@ -22,11 +22,11 @@ ms.date: 04/19/2017
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Access Credential Manager as a trusted caller** security policy setting. This article describes the recommended practices, location, values, policy management, and security considerations for the **Access Credential Manager as a trusted caller** security policy setting.
## Reference ## Reference
The **Access Credential Manager as a trusted caller** policy setting is used by Credential Manager during backup and restore. No accounts should have this privilege because it is assigned only to the Winlogon service. Saved credentials of users may be compromised if this privilege is given to other entities. The **Access Credential Manager as a trusted caller** policy setting is used by Credential Manager during backup and restore. No accounts should have this privilege because it's assigned only to the Winlogon service. Saved credentials of users may be compromised if this privilege is given to other entities.
Constant: SeTrustedCredManAccessPrivilege Constant: SeTrustedCredManAccessPrivilege
@ -37,7 +37,7 @@ Constant: SeTrustedCredManAccessPrivilege
### Best practices ### Best practices
- Do not modify this policy setting from the default. - Don't modify this policy setting from the default.
### Location ### Location
@ -45,6 +45,8 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use
### Default values ### Default values
The following table shows the default value for the server type or Group Policy Object (GPO).
| Server type or GPO | Default value | | Server type or GPO | Default value |
| - | - | | - | - |
| Default domain policy | Not defined | | Default domain policy | Not defined |
@ -58,7 +60,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use
This section describes features, tools, and guidance to help you manage this policy. This section describes features, tools, and guidance to help you manage this policy.
A restart of the computer is not required for this policy setting to be effective. A restart of the computer isn't required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
@ -82,7 +84,7 @@ If an account is given this user right, the user of the account may create an ap
### Countermeasure ### Countermeasure
Do not define the **Access Credential Manager as a trusted caller** policy setting for any accounts besides Credential Manager. Don't define the **Access Credential Manager as a trusted caller** policy setting for any accounts besides Credential Manager.
### Potential impact ### Potential impact

18
windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
View File

@ -39,7 +39,7 @@ It is possible to configure the following values for the **Account lockout thres
- A user-defined number from 0 through 999 - A user-defined number from 0 through 999
- Not defined - Not defined
Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this topic. Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this article.
### Best practices ### Best practices
@ -47,7 +47,7 @@ The threshold that you select is a balance between operational efficiency and se
As with other account lockout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/). As with other account lockout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/).
Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this topic. Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this article.
### Location ### Location
@ -76,13 +76,13 @@ None. Changes to this policy setting become effective without a computer restart
### <a href="" id="bkmk-impleconsiderations"></a>Implementation considerations ### <a href="" id="bkmk-impleconsiderations"></a>Implementation considerations
Implementation of this policy setting is dependent on your operational environment. You should consider threat vectors, deployed operating systems, and deployed apps, for example: Implementation of this policy setting depends on your operational environment. Consider threat vectors, deployed operating systems, and deployed apps. For example:
- The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. You should set the account lockout threshold in consideration of the known and perceived risk of those threats. - The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. Set the account lockout threshold in consideration of the known and perceived risk of those threats.
- When negotiating encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases. - When negotiating encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases.
- Not all apps that are used in your environment effectively manage how many times a user can attempt to sign-in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold. - Not all apps that are used in your environment effectively manage how many times a user can attempt to sign in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold.
For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/). For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/).
@ -108,8 +108,8 @@ Because vulnerabilities can exist when this value is configured and when it is n
- Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts will not be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users cannot accidentally lock themselves out of their accounts. Because it does not prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met: - Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts will not be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users cannot accidentally lock themselves out of their accounts. Because it does not prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met:
- The password policy setting requires all users to have complex passwords of 8 or more characters. - The password policy setting requires all users to have complex passwords of eight or more characters.
- A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occur in the environment. - A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occurs in the environment.
- Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account. - Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account.
@ -121,9 +121,9 @@ Because vulnerabilities can exist when this value is configured and when it is n
If this policy setting is enabled, a locked account is not usable until it is reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate a number of additional Help Desk calls. If this policy setting is enabled, a locked account is not usable until it is reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate a number of additional Help Desk calls.
If you configure the **Account lockout threshold** policy setting to 0, there is a possibility that an malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place. If you configure the **Account lockout threshold** policy setting to 0, there is a possibility that a malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place.
If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts. If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This situation is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts.
## Related topics ## Related topics
[Account Lockout Policy](account-lockout-policy.md) [Account Lockout Policy](account-lockout-policy.md)

8
windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
View File

@ -1,6 +1,6 @@
--- ---
title: Audit Audit the use of Backup and Restore privilege (Windows 10) title: "Audit: Audit the use of Backup and Restore privilege (Windows 10)"
description: Describes the best practices, location, values, and security considerations for the Audit Audit the use of Backup and Restore privilege security policy setting. description: "Describes the best practices, location, values, and security considerations for the 'Audit: Audit the use of Backup and Restore privilege' security policy setting."
ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5
ms.reviewer: ms.reviewer:
ms.author: dansimp ms.author: dansimp
@ -65,9 +65,9 @@ None. Changes to this policy become effective without a computer restart when th
### Auditing ### Auditing
Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users use backup or restore user rights, those events will not be audited. Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users back up or restore user rights, those events will not be audited.
Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner. Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This setup can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner.
Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](../auditing/audit-sensitive-privilege-use.md), which can help you manage the number of events generated. Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](../auditing/audit-sensitive-privilege-use.md), which can help you manage the number of events generated.

24
windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
View File

@ -1,6 +1,6 @@
--- ---
title: Back up files and directories - security policy setting (Windows 10) title: Back up files and directories - security policy setting (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. description: Describes the recommended practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting.
ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae
ms.reviewer: ms.reviewer:
ms.author: dansimp ms.author: dansimp
@ -22,13 +22,13 @@ ms.date: 04/19/2017
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Back up files and directories** security policy setting. This article describes the recommended practices, location, values, policy management, and security considerations for the **Back up files and directories** security policy setting.
## Reference ## Reference
This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API) through a backup tool such as NTBACKUP.EXE. Otherwise, standard file and directory permissions apply. This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API) through a tool such as NTBACKUP.EXE. Otherwise, standard file and directory permissions apply.
This user right is similar to granting the following permissions to the user or group you have selected on all files and folders on the system: This user right is similar to granting the following permissions to the user or group you selected on all files and folders on the system:
- Traverse Folder/Execute File - Traverse Folder/Execute File
- List Folder/Read Data - List Folder/Read Data
@ -56,8 +56,8 @@ Constant: SeBackupPrivilege
### Best practices ### Best practices
1. Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. Because there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users. 1. Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. Because there's no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users.
2. If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right. 2. If your backup software runs under specific service accounts, only these accounts (and not the IT staff) should have the user right to back up files and directories.
### Location ### Location
@ -67,7 +67,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use
By default, this right is granted to Administrators and Backup Operators on workstations and servers. On domain controllers, Administrators, Backup Operators, and Server Operators have this right. By default, this right is granted to Administrators and Backup Operators on workstations and servers. On domain controllers, Administrators, Backup Operators, and Server Operators have this right.
The following table lists the actual and effective default policy values. Default values are also listed on the policys property page. The following table lists the actual and effective default policy values for the server type or Group Policy Object (GPO). Default values are also listed on the policys property page.
| Server type or GPO | Default value | | Server type or GPO | Default value |
| - | - | | - | - |
@ -80,13 +80,13 @@ The following table lists the actual and effective default policy values. Defaul
## Policy management ## Policy management
A restart of the device is not required for this policy setting to be effective. A restart of the device isn't required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
### Group Policy ### Group Policy
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: Settings are applied in the following order through a GPO, which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings 1. Local policy settings
2. Site policy settings 2. Site policy settings
@ -101,15 +101,15 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability ### Vulnerability
Users who can back up data from a device could take the backup media to a non-domain computer on which they have administrative privileges, and then restore the data. They could take ownership of the files and view any unencrypted data that is contained within the backup set. Users who can back up data from a device to separate media could take the media to a non-domain computer on which they have administrative privileges, and then restore the data. They could take ownership of the files and view any unencrypted data that is contained within the data set.
### Countermeasure ### Countermeasure
Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right. Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. If you use software that backs up data under specific service accounts, only these accounts (and not the IT staff) should have the right to back up files and directories.
### Potential impact ### Potential impact
Changes in the membership of the groups that have the **Back up files and directories** user right could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that authorized backup administrators can still perform backup operations. Changes in the membership of the groups that have the user right to back up files and directories could limit the abilities of users who are assigned to specific administrative roles in your environment. Confirm that authorized administrators can still back up files and directories.
## Related topics ## Related topics

2
windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
View File

@ -26,7 +26,7 @@ Describes the best practices, location, values, policy management, and security
## Reference ## Reference
Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It is used to supplement the computers Random Access Memory (RAM) to improve performance for programs and data that are used frequently. Although the file is hidden from browsing, you can manage it using the system settings. Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It is used to supplement the computers Random Access Memory (RAM) to improve performance for frequently used programs and data. Although the file is hidden from browsing, you can manage it using the system settings.
This policy setting determines which users can create and change the size of a page file. It determines whether users can specify a page file size for a particular drive in the **Performance Options** box located on the **Advanced** tab of the **System Properties** dialog box or through using internal application interfaces (APIs). This policy setting determines which users can create and change the size of a page file. It determines whether users can specify a page file size for a particular drive in the **Performance Options** box located on the **Advanced** tab of the **System Properties** dialog box or through using internal application interfaces (APIs).

14
windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
View File

@ -28,7 +28,7 @@ Describes the best practices, location, values, policy management, and security
This user right determines if users can create a symbolic link from the device they are logged on to. This user right determines if users can create a symbolic link from the device they are logged on to.
A symbolic link is a file-system object that points to another file-system object. The object that is pointed to is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. A symbolic link is a file-system object that points to another file-system object. The object that's pointed to is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links.
>**Warning:**   This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. >**Warning:**   This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.
Constant: SeCreateSymbolicLinkPrivilege Constant: SeCreateSymbolicLinkPrivilege
@ -40,7 +40,7 @@ Constant: SeCreateSymbolicLinkPrivilege
### Best practices ### Best practices
- This user right should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them. - Only trusted users should get this user right. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them.
### Location ### Location
@ -73,16 +73,16 @@ Any change to the user rights assignment for an account becomes effective the ne
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
1. Local policy settings - Local policy settings
2. Site policy settings - Site policy settings
3. Domain policy settings - Domain policy settings
4. OU policy settings - OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting. When a local setting is greyed out, it indicates that a GPO currently controls that setting.
### Command-line tools ### Command-line tools
This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type **fsutil behavior set symlinkevaluation /?** at the command prompt. This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type `fsutil behavior set symlinkevaluation /?` at the command prompt.
## Security considerations ## Security considerations

2
windows/security/threat-protection/security-policy-settings/debug-programs.md
View File

@ -26,7 +26,7 @@ Describes the best practices, location, values, policy management, and security
## Reference ## Reference
This policy setting determines which users can attach to or open any process, even those they do not own. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components. This policy setting determines which users can attach to or open any process, even a process they do not own. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components.
Constant: SeDebugPrivilege Constant: SeDebugPrivilege

12
windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
View File

@ -22,7 +22,7 @@ ms.date: 04/19/2017
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting. This article describes the recommended practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting.
## Reference ## Reference
@ -40,7 +40,7 @@ Constant: SeDenyBatchLogonRight
1. When you assign this user right, thoroughly test that the effect is what you intended. 1. When you assign this user right, thoroughly test that the effect is what you intended.
2. Within a domain, modify this setting on the applicable Group Policy Object (GPO). 2. Within a domain, modify this setting on the applicable Group Policy Object (GPO).
3. **Deny log on as a batch job** prevents administrators or operators from using their personal accounts to schedule tasks, which helps with business continuity when that person transitions to other positions or responsibilities. 3. **Deny log on as a batch job** prevents administrators or operators from using their personal accounts to schedule tasks. This restriction helps with business continuity when that person transitions to other positions or responsibilities.
### Location ### Location
@ -48,7 +48,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use
### Default values ### Default values
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policys property page. The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy's property page.
| Server type or GPO | Default value | | Server type or GPO | Default value |
| - | - | | - | - |
@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values for the
This section describes features and tools available to help you manage this policy. This section describes features and tools available to help you manage this policy.
A restart of the device is not required for this policy setting to be effective. A restart of the device isn't required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
@ -73,7 +73,7 @@ This policy setting might conflict with and negate the **Log on as a batch job**
On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting. On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting.
For example, if you are trying to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account is not present in the **Deny log on as a batch job** For example, to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account isn't present in the **Deny log on as a batch job** setting.
User Rights Assignment and also correctly configured in the **Log on as a batch job** setting. User Rights Assignment and also correctly configured in the **Log on as a batch job** setting.
@ -100,7 +100,7 @@ Assign the **Deny log on as a batch job** user right to the local Guest account.
### Potential impact ### Potential impact
If you assign the **Deny log on as a batch job** user right to other accounts, you could deny the ability to perform required job activities to users who are assigned specific administrative roles. You should confirm that delegated tasks are not affected adversely. If you assign the **Deny log on as a batch job** user right to other accounts, you could deny the ability to perform required job activities to users who are assigned specific administrative roles. Confirm that delegated tasks aren't affected adversely.
## Related topics ## Related topics

8
windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
View File

@ -22,7 +22,7 @@ ms.date: 04/19/2017
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting. This article describes the recommended practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting.
## Reference ## Reference
@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values for the
This section describes features and tools available to help you manage this policy. This section describes features and tools available to help you manage this policy.
A restart of the computer is not required for this policy setting to be effective. A restart of the computer isn't required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
@ -89,11 +89,11 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability ### Vulnerability
Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure
services, and an attacker who has already attained that level of access could configure the service to run by using the System account. services, and an attacker who already has that level of access could configure the service to run by using the System account.
### Countermeasure ### Countermeasure
We recommend that you not assign the **Deny log on as a service** user right to any accounts. This is the default configuration. Organizations that are extremely concerned about security might assign this user right to groups and accounts when they are certain that they will never need to log on to a service application. We recommend that you don't assign the **Deny log on as a service** user right to any accounts. This configuration is the default. Organizations that have strong concerns about security might assign this user right to groups and accounts when they're certain that they'll never need to log on to a service application.
### Potential impact ### Potential impact

10
windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
View File

@ -22,13 +22,13 @@ ms.date: 04/19/2017
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. This article describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting.
## Reference ## Reference
This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing.
Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult. Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult.
This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636). This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636).
@ -44,7 +44,7 @@ If signing is required, then LDAP simple binds not using SSL are rejected (LDAP
### Best practices ### Best practices
- It is advisable to set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers. - We recommend that you set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers.
### Location ### Location
@ -77,7 +77,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability ### Vulnerability
Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult. Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult.
### Countermeasure ### Countermeasure
@ -85,7 +85,7 @@ Configure the **Domain controller: LDAP server signing requirements** setting to
### Potential impact ### Potential impact
Client device that do not support LDAP signing cannot run LDAP queries against the domain controllers. Client devices that do not support LDAP signing cannot run LDAP queries against the domain controllers.
## Related topics ## Related topics

8
windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
View File

@ -26,7 +26,7 @@ Describes the best practices, location, values, policy management, and security
## Reference ## Reference
This security setting determines which users are allowed to shut down a device from a remote location on the network. This allows members of the Administrators group or specific users to manage computers (for tasks such as a restart) from a remote location. This security setting determines which users are allowed to shut down a device from a remote location on the network. This setting allows members of the Administrators group or specific users to manage computers (for tasks such as a restart) from a remote location.
Constant: SeRemoteShutdownPrivilege Constant: SeRemoteShutdownPrivilege
@ -37,7 +37,7 @@ Constant: SeRemoteShutdownPrivilege
### Best practices ### Best practices
- Explicitly restrict this user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations staff. - Explicitly restrict this user right to members of the Administrators group or other assigned roles that require this capability, such as non-administrative operations staff.
### Location ### Location
@ -91,11 +91,11 @@ Any user who can shut down a device could cause a denial-of-service condition to
### Countermeasure ### Countermeasure
Restrict the **Force shutdown from a remote system** user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations staff. Restrict the **Force shutdown from a remote system** user right to members of the Administrators group or other assigned roles that require this capability, such as non-administrative operations staff.
### Potential impact ### Potential impact
On a domain controller, if you remove the **Force shutdown from a remote system** user right from the Server Operator group, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected. On a domain controller, if you remove the **Force shutdown from a remote system** user right from the Server Operator group, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Confirm that delegated activities are not adversely affected.
## Related topics ## Related topics

10
windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
View File

@ -1,6 +1,6 @@
--- ---
title: Create a list of apps deployed to each business group (Windows 10) title: Create a list of apps deployed to each business group (Windows 10)
description: This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. description: This topic describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker.
ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321 ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321
ms.reviewer: ms.reviewer:
ms.author: dansimp ms.author: dansimp
@ -27,7 +27,7 @@ This topic describes the process of gathering app usage requirements from each b
## Determining app usage ## Determining app usage
For each business group, determine the following: For each business group, determine the following information:
- The complete list of apps used, including different versions of an app - The complete list of apps used, including different versions of an app
- The full installation path of the app - The full installation path of the app
@ -37,12 +37,12 @@ For each business group, determine the following:
### How to perform the app usage assessment ### How to perform the app usage assessment
Although you might already have a method in place to understand app usage for each business group, you will need to use this information to help create your AppLocker rule collection. AppLocker includes the Automatically Generate You might already have a method in place to understand app usage for each business group. You'll need to use this information to help create your AppLocker rule collection. AppLocker includes the Automatically Generate
Rules wizard and the **Audit only** enforcement configuration to assist you with planning and creating your rule collection. Rules wizard and the **Audit only** enforcement configuration to assist you with planning and creating your rule collection.
**Application inventory methods** **Application inventory methods**
Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is very useful when creating rules from a reference computer, and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer. Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is useful when creating rules from a reference computer and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer.
Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully.
@ -72,7 +72,7 @@ After you have created the list of apps, the next step is to identify the rule c
- Allow or deny - Allow or deny
- GPO name - GPO name
To do this, see the following topics: For guidance, see the following topics:
- [Select the types of rules to create](select-types-of-rules-to-create.md) - [Select the types of rules to create](select-types-of-rules-to-create.md)
- [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) - [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)

28
windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
View File

@ -23,9 +23,9 @@ ms.date: 09/21/2017
- Windows 10 - Windows 10
- Windows Server - Windows Server
This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. This article helps with decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
AppLocker is very effective for organizations with app restriction requirements whose environments have a simple topography and the application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the PCs that they manage for a relatively small number of apps. AppLocker is effective for organizations with app restriction requirements whose environments have a simple topography and whose application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is a detailed level of control on the PCs they manage for a relatively small number of apps.
There are management and maintenance costs associated with a list of allowed apps. In addition, the purpose of application control policies is to allow or prevent employees from using apps that might actually be productivity tools. Keeping employees or users productive while implementing the policies can cost time and effort. Lastly, creating user support processes and network support processes to keep the organization productive are also concerns. There are management and maintenance costs associated with a list of allowed apps. In addition, the purpose of application control policies is to allow or prevent employees from using apps that might actually be productivity tools. Keeping employees or users productive while implementing the policies can cost time and effort. Lastly, creating user support processes and network support processes to keep the organization productive are also concerns.
@ -59,7 +59,7 @@ Use the following table to develop your own objectives and determine which appli
<tr class="odd"> <tr class="odd">
<td align="left"><p>Policy maintenance</p></td> <td align="left"><p>Policy maintenance</p></td>
<td align="left"><p>SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).</p></td> <td align="left"><p>SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).</p></td>
<td align="left"><p>AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.</p></td> <td align="left"><p>AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.</p></td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left"><p>Policy application</p></td> <td align="left"><p>Policy application</p></td>
@ -68,9 +68,9 @@ Use the following table to develop your own objectives and determine which appli
</tr> </tr>
<tr class="odd"> <tr class="odd">
<td align="left"><p>Enforcement mode</p></td> <td align="left"><p>Enforcement mode</p></td>
<td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.</p> <td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.</p>
<p>SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td> <p>SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
<td align="left"><p>AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.</p></td> <td align="left"><p>By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule.</p></td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left"><p>File types that can be controlled</p></td> <td align="left"><p>File types that can be controlled</p></td>
@ -95,7 +95,7 @@ Use the following table to develop your own objectives and determine which appli
<tr class="odd"> <tr class="odd">
<td align="left"><p>Designated file types</p></td> <td align="left"><p>Designated file types</p></td>
<td align="left"><p>SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.</p></td> <td align="left"><p>SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.</p></td>
<td align="left"><p>AppLocker does not support this. AppLocker currently supports the following file extensions:</p> <td align="left"><p>AppLocker doesn't support this. AppLocker currently supports the following file extensions:</p>
<ul> <ul>
<li><p>Executables (.exe, .com)</p></li> <li><p>Executables (.exe, .com)</p></li>
<li><p>DLLs (.ocx, .dll)</p></li> <li><p>DLLs (.ocx, .dll)</p></li>
@ -123,11 +123,11 @@ Use the following table to develop your own objectives and determine which appli
<tr class="odd"> <tr class="odd">
<td align="left"><p>Editing the hash value</p></td> <td align="left"><p>Editing the hash value</p></td>
<td align="left"><p>SRP allows you to select a file to hash.</p></td> <td align="left"><p>SRP allows you to select a file to hash.</p></td>
<td align="left"><p>AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and a SHA2 flat file hash for the rest.</p></td> <td align="left"><p>AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and an SHA2 flat file hash for the rest.</p></td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left"><p>Support for different security levels</p></td> <td align="left"><p>Support for different security levels</p></td>
<td align="left"><p>With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that notepad always runs with restricted permissions and never with administrative privileges.</p> <td align="left"><p>With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.</p>
<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).</p></td> <p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).</p></td>
<td align="left"><p>AppLocker does not support security levels.</p></td> <td align="left"><p>AppLocker does not support security levels.</p></td>
</tr> </tr>
@ -144,12 +144,12 @@ Use the following table to develop your own objectives and determine which appli
<tr class="odd"> <tr class="odd">
<td align="left"><p>Support for rule exceptions</p></td> <td align="left"><p>Support for rule exceptions</p></td>
<td align="left"><p>SRP does not support rule exceptions</p></td> <td align="left"><p>SRP does not support rule exceptions</p></td>
<td align="left"><p>AppLocker rules can have exceptions which allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.</p></td> <td align="left"><p>AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.</p></td>
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left"><p>Support for audit mode</p></td> <td align="left"><p>Support for audit mode</p></td>
<td align="left"><p>SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.</p></td> <td align="left"><p>SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.</p></td>
<td align="left"><p>AppLocker supports audit mode which allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.</p></td> <td align="left"><p>AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.</p></td>
</tr> </tr>
<tr class="odd"> <tr class="odd">
<td align="left"><p>Support for exporting and importing policies</p></td> <td align="left"><p>Support for exporting and importing policies</p></td>
@ -158,8 +158,8 @@ Use the following table to develop your own objectives and determine which appli
</tr> </tr>
<tr class="even"> <tr class="even">
<td align="left"><p>Rule enforcement</p></td> <td align="left"><p>Rule enforcement</p></td>
<td align="left"><p>Internally, SRP rules enforcement happens in the user-mode which is less secure.</p></td> <td align="left"><p>Internally, SRP rules enforcement happens in user-mode, which is less secure.</p></td>
<td align="left"><p>Internally, AppLocker rules for exes and dlls are enforced in the kernel-mode which is more secure than enforcing them in the user-mode.</p></td> <td align="left"><p>Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.</p></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>

16
windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
View File

@ -29,19 +29,19 @@ manager: dansimp
- Group Policy - Group Policy
You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
![The security center custom fly-out](images/security-center-custom-flyout.png) ![The security center custom fly-out](images/security-center-custom-flyout.png)
This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)).
![A security center notification](images/security-center-custom-notif.png) ![A security center notification](images/security-center-custom-notif.png)
Users can click on the displayed information to initiate a support request: Users can select the displayed information to initiate a support request:
- Clicking **Call** or the phone number will open Skype to start a call to the displayed number - Select **Call** or the phone number to open Skype to start a call to the displayed number.
- Clicking **Email** or the email address will create a new email in the machine's default email app address to the displayed email - Select **Email** or the email address to create a new email in the machine's default email app address to the displayed email.
- Clicking **Help portal** or the website URL will open the machine's default web browser and go to the displayed address - Select **Help portal** or the website URL to open the machine's default web browser and go to the displayed address.
## Requirements ## Requirements
@ -67,12 +67,12 @@ This can only be done in Group Policy.
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**. 5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**: 6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings. Open the setting, select **Enabled**, and then add the contact information in the field under **Options**:
1. **Specify contact email address or Email ID** 1. **Specify contact email address or Email ID**
2. **Specify contact phone number or Skype ID** 2. **Specify contact phone number or Skype ID**
3. **Specify contact website** 3. **Specify contact website**
7. Click **OK** after configuring each setting to save your changes. 7. Select **OK** after you configure each setting to save your changes.
>[!IMPORTANT] >[!IMPORTANT]
>You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized. >You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.

2
windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
View File

@ -24,7 +24,7 @@ manager: dansimp
The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md). The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md).
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
## Hide the Firewall & network protection section ## Hide the Firewall & network protection section

6
windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
View File

@ -25,9 +25,9 @@ manager: dansimp
The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products. The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in the event of a ransomware attack. In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in case of a ransomware attack.
IT administrators and IT pros can get more information and documentation about configuration from the following: IT administrators and IT pros can get more configuration information from these articles:
- [Microsoft Defender Antivirus in the Windows Security app](../microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md) - [Microsoft Defender Antivirus in the Windows Security app](../microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md)
- [Microsoft Defender Antivirus documentation library](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) - [Microsoft Defender Antivirus documentation library](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
@ -36,7 +36,7 @@ IT administrators and IT pros can get more information and documentation about c
- [Office 365 advanced protection](https://support.office.com/en-us/article/office-365-advanced-protection-82e72640-39be-4dc7-8efd-740fb289123a) - [Office 365 advanced protection](https://support.office.com/en-us/article/office-365-advanced-protection-82e72640-39be-4dc7-8efd-740fb289123a)
- [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) - [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
You can choose to hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
## Hide the Virus & threat protection section ## Hide the Virus & threat protection section

4
windows/security/threat-protection/windows-firewall/encryption-zone.md
View File

@ -23,9 +23,9 @@ ms.date: 04/19/2017
- Windows 10 - Windows 10
- Windows Server 2016 - Windows Server 2016
Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. Some servers in the organization host data that's very sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices.
To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic be encrypted. To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic is encrypted.
You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols.

4
windows/security/threat-protection/windows-firewall/firewall-gpos.md
View File

@ -25,6 +25,4 @@ ms.date: 04/19/2017
All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters.
The GPO created for the example Woodgrove Bank scenario include the following: The GPO created for the example Woodgrove Bank scenario includes [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md).
- [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md)

4
windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
View File

@ -25,9 +25,9 @@ ms.date: 08/17/2017
Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation.
Review each of the following topics for guidance about the kinds of information that you must gather: Review each of the following articles for guidance about the kinds of information that you must gather:
- [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md) - [Gathering Information about Your Conversational Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md)
- [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) - [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)

6
windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
View File

@ -22,14 +22,14 @@ ms.date: 08/17/2017
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.
## IPsec settings ## IPsec settings
The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain The following changes are made to encryption zone copy of the GPO: The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain. The following changes are made to encryption zone copy of the GPO:
The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This disables all integrity-only algorithm combinations. The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This setting disables all integrity-only algorithm combinations.
## Connection security rules ## Connection security rules

4
windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
View File

@ -37,9 +37,9 @@ To create a domain isolation or server isolation design, you must understand the
## IPsec performance considerations ## IPsec performance considerations
Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms. Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This reduction is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms.
IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This frees up a devices CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps. IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This configuration frees up a devices CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps.
## Domain isolation design ## Domain isolation design

4
windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
View File

@ -29,7 +29,7 @@ Before Windows Sandbox is installed, the dynamic base image package is stored as
## Memory management ## Memory management
Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process. Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This method is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process.
![A chart compares memory sharing in Windows Sandbox versus a traditional VM.](images/2-dynamic-working.png) ![A chart compares memory sharing in Windows Sandbox versus a traditional VM.](images/2-dynamic-working.png)
@ -51,7 +51,7 @@ Windows Sandbox employs a unique policy that allows the virtual processors of th
Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows. Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.
This allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host. This feature allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host.
![A chart illustrates graphics kernel use in Sandbox managed alongside apps on the host.](images/5-wddm-gpu-virtualization.png) ![A chart illustrates graphics kernel use in Sandbox managed alongside apps on the host.](images/5-wddm-gpu-virtualization.png)