From 39ef4bc9a1053b5e036bbae7465a94dcd782f707 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 25 Aug 2020 16:57:10 +0500 Subject: [PATCH 01/12] Update microsoft-defender-atp-mac.md --- .../microsoft-defender-atp-mac.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 62d68dcdee..3f296b7a24 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -67,6 +67,18 @@ Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. +### Licensing requirements + +Microsoft Defender Advanced Threat Protection for Mac requires one of the following Microsoft Volume Licensing offers: + +- Microsoft 365 E5 (M365 E5) +- Microsoft 365 E5 Security +- Microsoft 365 A5 (M365 A5) + +> [!NOTE] +> Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices. +> Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed. + ### Network connections The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. From 4607899d82de69af92819cff09dd4bfd77c71cdb Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 25 Aug 2020 21:16:09 +0500 Subject: [PATCH 02/12] Update linux-install-manually.md --- .../linux-install-manually.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 1746f4fcb3..b756561136 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -48,6 +48,12 @@ In order to preview new features and provide early feedback, it is recommended t ### RHEL and variants (CentOS and Oracle Linux) +- Install `yum-utils` if it isn't installed yet: + + ```bash + sudo yum install yum-utils + ``` + - Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`. In the below commands, replace *[distro]* and *[version]* with the information you've identified: @@ -71,12 +77,6 @@ In order to preview new features and provide early feedback, it is recommended t sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc ``` -- Install `yum-utils` if it isn't installed yet: - - ```bash - sudo yum install yum-utils - ``` - - Download and make usable all the metadata for the currently enabled yum repositories: ```bash @@ -328,4 +328,4 @@ When upgrading your operating system to a new major version, you must first unin ## Uninstallation -See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices. \ No newline at end of file +See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices. From cee429d94e43e66837ff4b4d710461b3cba52f21 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 26 Aug 2020 12:11:52 +0500 Subject: [PATCH 03/12] Update windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/microsoft-defender-atp-mac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 3f296b7a24..6526e63f1a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -76,7 +76,7 @@ Microsoft Defender Advanced Threat Protection for Mac requires one of the follow - Microsoft 365 A5 (M365 A5) > [!NOTE] -> Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices. +> Eligible licensed users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices. > Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed. ### Network connections From 146fb0e3db1993cd94e73d513bbcb9fabfc4a87f Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 12 Sep 2020 18:05:56 +0530 Subject: [PATCH 04/12] removed download link, added explanation as per the user report #8242 , so I removed the download link and added an explanation. --- windows/client-management/troubleshoot-tcpip-netmon.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md index f708897928..ed8b6090cf 100644 --- a/windows/client-management/troubleshoot-tcpip-netmon.md +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -19,7 +19,7 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is > [Note] > Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide). -To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. +To get started, **run NM34_x64.exe**(we are leaving this page available for those who have downloaded the tool previously). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. ![Adapters](images/nm-adapters.png) From 3ef62e034a03c7100773f4bdffd0aa561030895d Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 18 Sep 2020 17:24:27 +0530 Subject: [PATCH 05/12] Update windows/client-management/troubleshoot-tcpip-netmon.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/troubleshoot-tcpip-netmon.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md index ed8b6090cf..f9f1d95096 100644 --- a/windows/client-management/troubleshoot-tcpip-netmon.md +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -16,7 +16,7 @@ manager: dansimp In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic. -> [Note] +> [!NOTE] > Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide). To get started, **run NM34_x64.exe**(we are leaving this page available for those who have downloaded the tool previously). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. From 3d7029f03d2ceadcfc1bd519dab10f70d27e0a4c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 18 Sep 2020 23:58:39 +0530 Subject: [PATCH 06/12] Update windows/client-management/troubleshoot-tcpip-netmon.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/troubleshoot-tcpip-netmon.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md index f9f1d95096..7f7855bca2 100644 --- a/windows/client-management/troubleshoot-tcpip-netmon.md +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -19,7 +19,7 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is > [!NOTE] > Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide). -To get started, **run NM34_x64.exe**(we are leaving this page available for those who have downloaded the tool previously). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. +To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. ![Adapters](images/nm-adapters.png) From 6571339263ff06e2be3f1e05fc31e3838d10b38f Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 23 Sep 2020 11:15:05 +0500 Subject: [PATCH 07/12] Update note about CA root requirements --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 8a785dcf5f..a0855330fb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -95,8 +95,7 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. > [!NOTE] -> * The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. -> * If you are using a 3rd party CA, add the certificate to the NTAuth store. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail. +> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. ### Enrollment Agent certificate template From a085daa017093f21ad92d2879d44ed16828a06cb Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 24 Sep 2020 11:52:00 +0500 Subject: [PATCH 08/12] Update hello-hybrid-key-whfb-settings-dir-sync.md --- .../hello-hybrid-key-whfb-settings-dir-sync.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index ce98019039..d4a889088a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -39,7 +39,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 2. Click the **Users** container in the navigation pane. 3. Right-click **Key Admins** in the details pane and click **Properties**. 4. Click the **Members** tab and click **Add** -5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**. +5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account. Click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. ### Section Review From dbfaabe9b039eb3f19d3cee07b7ef169e33312f2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 26 Sep 2020 23:03:36 +0500 Subject: [PATCH 09/12] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-hybrid-key-whfb-settings-dir-sync.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index d4a889088a..3bd0bbe112 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -39,7 +39,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 2. Click the **Users** container in the navigation pane. 3. Right-click **Key Admins** in the details pane and click **Properties**. 4. Click the **Members** tab and click **Add** -5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account. Click **OK**. +5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account and click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. ### Section Review From fe887186cd821dda6759aa04fd584a526df5f364 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Mon, 28 Sep 2020 09:27:17 +0200 Subject: [PATCH 10/12] Update account-lockout-threshold.md Added note. --- .../security-policy-settings/account-lockout-threshold.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 3db828212a..20f886d1ec 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -87,6 +87,9 @@ For more information about Windows security baseline recommendations for account This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. +> [!NOTE] +> A lockout threshold policy will apply to both local member computer users and Domain Users, in order to allow mitigation of issues as described under "Vulnerability". The Built-In Administrator account however, whilst a highly privileged account, has a different risk profile and is excluded from this policy. This ensures there is no scenario where an administrator cannot logon to remediate an issue. As an administrator, there are additional mitigation strategies available, such as a strong password. See also [Appendix D: Securing Built-In Administrator Accounts in Active Directory](https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory). + ### Vulnerability Brute force password attacks can use automated methods to try millions of password combinations for any user account. The effectiveness of such attacks can be almost eliminated if you limit the number of failed sign-in attempts that can be performed. From 2ad5f1b2418209f0e2e5c02010a041cffb54a2e8 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Wed, 30 Sep 2020 17:07:15 +0200 Subject: [PATCH 11/12] Update windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../security-policy-settings/account-lockout-threshold.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 20f886d1ec..55f3b22031 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -88,7 +88,7 @@ For more information about Windows security baseline recommendations for account This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. > [!NOTE] -> A lockout threshold policy will apply to both local member computer users and Domain Users, in order to allow mitigation of issues as described under "Vulnerability". The Built-In Administrator account however, whilst a highly privileged account, has a different risk profile and is excluded from this policy. This ensures there is no scenario where an administrator cannot logon to remediate an issue. As an administrator, there are additional mitigation strategies available, such as a strong password. See also [Appendix D: Securing Built-In Administrator Accounts in Active Directory](https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory). +> A lockout threshold policy will apply to both local member computer users and domain users, in order to allow mitigation of issues as described under "Vulnerability". The built-in Administrator account, however, whilst a highly privileged account, has a different risk profile and is excluded from this policy. This ensures there is no scenario where an administrator cannot sign in to remediate an issue. As an administrator, there are additional mitigation strategies available, such as a strong password. See also [Appendix D: Securing Built-In Administrator Accounts in Active Directory](https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory). ### Vulnerability From 919bd754123d66a41ec0207e99cac043c9daf48e Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 6 Oct 2020 15:05:42 -0700 Subject: [PATCH 12/12] Applied "> [!NOTE]" --- .../account-lockout-threshold.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 55f3b22031..ab09ef2ca5 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -77,8 +77,11 @@ None. Changes to this policy setting become effective without a computer restart ### Implementation considerations Implementation of this policy setting is dependent on your operational environment. You should consider threat vectors, deployed operating systems, and deployed apps, for example: + - The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. You should set the account lockout threshold in consideration of the known and perceived risk of those threats. + - When negotiating encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases. + - Not all apps that are used in your environment effectively manage how many times a user can attempt to sign-in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold. For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/). @@ -95,17 +98,23 @@ This section describes how an attacker might exploit a feature or its configurat Brute force password attacks can use automated methods to try millions of password combinations for any user account. The effectiveness of such attacks can be almost eliminated if you limit the number of failed sign-in attempts that can be performed. However, a DoS attack could be performed on a domain that has an account lockout threshold configured. An attacker could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the account lockout threshold, the attacker might be able to lock every account without needing any special privileges or being authenticated in the network. -> **Note:** Offline password attacks are not countered by this policy setting. +> [!NOTE] +> Offline password attacks are not countered by this policy setting. + ### Countermeasure Because vulnerabilities can exist when this value is configured and when it is not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are: + - Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts will not be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users cannot accidentally lock themselves out of their accounts. Because it does not prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met: + - The password policy setting requires all users to have complex passwords of 8 or more characters. - A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occur in the environment. + - Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account. [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but does not prevent a DoS attack. + Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it is needed to help mitigate massive lockouts caused by an attack on your systems. ### Potential impact