From 552ffb838184fe7a559e109607e2eadc5d95b413 Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 11:09:11 -0700 Subject: [PATCH 1/4] smb hardening --- .../keep-secure/windows-10-security-guide.md | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index fbcf34aefe..b5f748c2f1 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -355,7 +355,10 @@ Table 3. Threats and Windows 10 mitigations Windows 10 mitigation - + +

"Man in the middle" attacks, when an attacker reroutes communications between two users through the attacker's computer without the knowledge of the two communicating users

+

Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).

+

Firmware bootkits replace the firmware with malware.

All certified PCs include a UEFI with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.

@@ -395,6 +398,22 @@ Table 3. Threats and Windows 10 mitigations The sections that follow describe these improvements in more detail. +**SMB hardening improvements for SYSVOL and NETLOGON connections** + +In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos). + +- **What value does this change add?** +This change reduces the likelihood of man-in-the-middle attacks. + +- **What works differently?** +If SMB signing and mutual authentication are unavailable, a Windows 10 or Windows Server 2016 computer won’t process domain-based Group Policy and scripts. + + +> **Note:** The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. + +For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](http://go.microsoft.com/fwlink/p/?LinkId=789216) and [MS15-011 & MS15-014: Hardening Group Policy](http://go.microsoft.com/fwlink/p/?LinkId=789215). + + **Secure hardware** Although Windows 10 is designed to run on almost any hardware capable of running Windows 8, Windows 7, or Windows Vista, taking full advantage of Windows 10 security requires advancements in hardware-based security, including UEFI with Secure Boot, CPU virtualization features (for example, Intel VT-x), CPU memory-protection features (for example, Intel VT-d), TPM, and biometric sensors. From 98e240371f24c63ce292bd3a6493f6477afea795 Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 11:47:45 -0700 Subject: [PATCH 2/4] removed colgroup --- windows/keep-secure/windows-10-security-guide.md | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index b5f748c2f1..91964d3da0 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -345,10 +345,6 @@ Table 3 lists specific malware threats and the mitigation that Windows 10 provi Table 3. Threats and Windows 10 mitigations ---- From 3171b1c0e75a55367db573448a42fa8ac372e5bc Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 11:48:45 -0700 Subject: [PATCH 3/4] spell out smb --- windows/keep-secure/windows-10-security-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md index 91964d3da0..586d509b57 100644 --- a/windows/keep-secure/windows-10-security-guide.md +++ b/windows/keep-secure/windows-10-security-guide.md @@ -396,7 +396,7 @@ The sections that follow describe these improvements in more detail. **SMB hardening improvements for SYSVOL and NETLOGON connections** -In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos). +In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). - **What value does this change add?** This change reduces the likelihood of man-in-the-middle attacks. From eb60deb49dc6bae0a2bc9bc633dd1846819e9760 Mon Sep 17 00:00:00 2001 From: "J. Decker" Date: Thu, 28 Apr 2016 12:03:03 -0700 Subject: [PATCH 4/4] added SM to changelist --- windows/keep-secure/change-history-for-keep-windows-10-secure.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 3752693094..3940db84d1 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Clarified Credential Guard protections | +|[Windows 10 security overview](windows-10-security-guide.md) |Added SMB hardening improvements for SYSVOL and NETLOGON connections | ## March 2016
Threat
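Review bot: In [PATCH 1/4], the Table 3 hunk (@@ -355,7 +355,10), the new threat cell is a sentence fragment ('"Man in the middle" attacks, when an attacker reroutes communications between two users ...') while the neighbouring row is a full sentence ("Firmware bootkits replace the firmware with malware."). It also writes "Man in the middle" unhyphenated and quoted, where the section added in the second hunk of the same patch uses "man-in-the-middle". Suggest a full sentence with the hyphenated form, for example: Man-in-the-middle attacks reroute communications between two users through the attacker's computer without the users' knowledge.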
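Review bot: In [PATCH 1/4], second hunk (@@ -395,6 +398,22), the Note says the registry values "aren't present by default" and that the rules apply "until overridden by Group Policy or other registry values", but it never names the policy setting or the registry location, so an administrator cannot check from this text whether hardening has been overridden on a machine. Suggest naming both in the Note rather than leaving them to the linked articles. Because the stated failure mode is that the computer "won't process domain-based Group Policy and scripts", a sentence on how that failure shows up would help readers tell it apart from an ordinary connectivity problem. Minor: the commas around the parenthetical in the last paragraph are stray ("improvements, (also referred to as UNC hardening), see"), and the first paragraph says "Windows Server 2016 Technical Preview" while the second bullet says "Windows Server 2016".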
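Review bot: In [PATCH 3/4] (@@ -396,7 +396,7), "Server Message Block (SMB)" is expanded only in the section paragraph, but the Table 3 row added by patch 1 near line 355 comes earlier in the file and still reads "require SMB signing", and the bold heading directly above this paragraph also uses the bare acronym. Suggest expanding the acronym at its first occurrence, in the table row, and keeping the section paragraph consistent with it. Since this change only touches text that patch 1 introduced, it could be squashed into patch 1.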