Merge remote-tracking branch 'refs/remotes/origin/master' into live

This commit is contained in:
LizRoss 2016-04-28 15:40:31 -07:00
commit f9ef723329
2 changed files with 21 additions and 5 deletions


@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|New or changed topic | Description | |New or changed topic | Description |
|----------------------|-------------| |----------------------|-------------|
|[Protect derived domain credentials with Credential Guard](credential-guard.md) |Clarified Credential Guard protections | |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Clarified Credential Guard protections |
|[Windows 10 security overview](windows-10-security-guide.md) |Added SMB hardening improvements for SYSVOL and NETLOGON connections |
## March 2016 ## March 2016
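Review bot: the new change-history row describes the feature only as "SMB hardening improvements for SYSVOL and NETLOGON connections", while the security guide section it links to also calls the same change "UNC hardening" and refers readers to KB 3000483; adding that alias to the Description cell would let readers searching the change log by the name used in the KB article find the entry. The +1 in the hunk header matches the single added row, and the row sits above "## March 2016" where the current month's entries belong.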


@ -345,17 +345,16 @@ Table 3 lists specific malware threats and the mitigation that Windows 10 provi
Table 3. Threats and Windows 10 mitigations Table 3. Threats and Windows 10 mitigations
<table> <table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead> <thead>
<tr class="header"> <tr class="header">
<th align="left">Threat</th> <th align="left">Threat</th>
<th align="left">Windows 10 mitigation</th> <th align="left">Windows 10 mitigation</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody><tr class="odd">
<td align="left"><p>"Man in the middle" attacks, when an attacker reroutes communications between two users through the attacker's computer without the knowledge of the two communicating users</p></td>
<td align="left"><p>Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).</p></td>
</tr>
<tr class="odd"> <tr class="odd">
<td align="left"><p>Firmware bootkits replace the firmware with malware.</p></td> <td align="left"><p>Firmware bootkits replace the firmware with malware.</p></td>
<td align="left"><p>All certified PCs include a UEFI with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.</p></td> <td align="left"><p>All certified PCs include a UEFI with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.</p></td>
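Review bot: this hunk removes the `<colgroup>` block (two `<col width="50%" />` entries) that gave the Threat and mitigation columns equal width, which changes the rendered layout of Table 3 and is not mentioned in the commit message; restore it or state that the change is intended. The added row is also glued onto the `<tbody>` line as `<tbody><tr class="odd">` and uses `class="odd"` directly before the existing `<tr class="odd">` firmware bootkit row, so the odd/even striping the rest of the table relies on is broken from this point on; put `<tr class="odd">` on its own line and re-class the rows that follow. The new cell text repeats the "SMB hardening improvements" section almost verbatim, which is fine for a summary table, but the two should be kept in sync if either is edited.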
@ -395,6 +394,22 @@ Table 3. Threats and Windows 10 mitigations
The sections that follow describe these improvements in more detail. The sections that follow describe these improvements in more detail.
**SMB hardening improvements for SYSVOL and NETLOGON connections**
In Windows 10 and Windows Server 2016 Technical Preview, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos).
- **What value does this change add?**
This change reduces the likelihood of man-in-the-middle attacks.
- **What works differently?**
If SMB signing and mutual authentication are unavailable, a Windows 10 or Windows Server 2016 computer wont process domain-based Group Policy and scripts.
> **Note:** The registry values for these settings arent present by default, but the hardening rules still apply until overridden by Group Policy or other registry values.
For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](http://go.microsoft.com/fwlink/p/?LinkId=789216) and [MS15-011 & MS15-014: Hardening Group Policy](http://go.microsoft.com/fwlink/p/?LinkId=789215).
**Secure hardware** **Secure hardware**
Although Windows 10 is designed to run on almost any hardware capable of running Windows 8, Windows 7, or Windows Vista, taking full advantage of Windows 10 security requires advancements in hardware-based security, including UEFI with Secure Boot, CPU virtualization features (for example, Intel VT-x), CPU memory-protection features (for example, Intel VT-d), TPM, and biometric sensors. Although Windows 10 is designed to run on almost any hardware capable of running Windows 8, Windows 7, or Windows Vista, taking full advantage of Windows 10 security requires advancements in hardware-based security, including UEFI with Secure Boot, CPU virtualization features (for example, Intel VT-x), CPU memory-protection features (for example, Intel VT-d), TPM, and biometric sensors.
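Review bot: the new section is missing apostrophes in "wont" (the "What works differently?" answer) and "arent" (the Note), most likely curly quotes lost on save; they should read "won't" and "aren't". The Note states that the registry values "arent present by default" and that hardening applies until they are overridden, but never says which values or where they live, so a reader cannot audit or override them; either name the registry location or say explicitly that KB 3000483 documents them. The "What works differently?" bullet describes fail-closed behaviour (domain-based Group Policy and scripts are not processed when SMB signing or mutual authentication is unavailable), so a sentence advising administrators to confirm their domain controllers support SMB signing and Kerberos before upgrading clients would prevent an avoidable outage. Finally, "For more information on these security improvements, (also referred to as UNC hardening), see" has a stray comma before the parenthesis.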