Access protection

Access Control Overview

Dynamic Access Control Overview

Security identifiers

Security Principals

Local Accounts

Active Directory Accounts

Microsoft Accounts

Service Accounts

Active Directory Security Groups

Special Identities

Configure S/MIME for Windows 10 and Windows 10 Mobile

Enterprise Certificate Pinning

Install digital certificates on Windows 10 Mobile

Protect derived domain credentials with Credential Guard

How Credential Guard works

Credential Guard Requirements

Manage Credential Guard

Credential Guard protection limits

Considerations when using Credential Guard

Credential Guard: Additional mitigations

Credential Guard: Known issues

Protect Remote Desktop credentials with Remote Credential Guard

Smart Cards

How Smart Card Sign-in Works in Windows

Smart Card Architecture

Certificate Requirements and Enumeration

Smart Card and Remote Desktop Services

Smart Cards for Windows Service

Certificate Propagation Service

Smart Card Removal Policy Service

Smart Card Tools and Settings

Smart Cards Debugging Information

Smart Card Group Policy and Registry Settings

Smart Card Events

User Account Control

How User Account Control works

User Account Control security policy settings

User Account Control Group Policy and registry key settings

Virtual Smart Cards

Understanding and Evaluating Virtual Smart Cards

Get Started with Virtual Smart Cards: Walkthrough Guide
Use Virtual Smart Cards
Deploy Virtual Smart Cards
Evaluate Virtual Smart Card Security

Tpmvscmgr

VPN technical guide

VPN connection types

VPN routing decisions

VPN authentication options

VPN and conditional access

VPN name resolution

VPN auto-triggered profile options

VPN security features

VPN profile options

How to use single sign-on (SSO) over VPN and Wi-Fi connections

Windows 10 credential theft mitigation guide abstract

Windows Firewall with Advanced Security

Isolating Windows Store Apps on Your Network

Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012

Windows Firewall with Advanced Security Administration with Windows PowerShell

Windows Firewall with Advanced Security Design Guide

Understanding the Windows Firewall with Advanced Security Design Process

Identifying Your Windows Firewall with Advanced Security Deployment Goals

Protect Devices from Unwanted Network Traffic
Restrict Access to Only Trusted Devices
Require Encryption When Accessing Sensitive Network Resources
Restrict Access to Only Specified Users or Computers

Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design

Basic Firewall Policy Design
Domain Isolation Policy Design
Server Isolation Policy Design
Certificate-based Isolation Policy Design

Evaluating Windows Firewall with Advanced Security Design Examples

Firewall Policy Design Example
Domain Isolation Policy Design Example
Server Isolation Policy Design Example
Certificate-based Isolation Policy Design Example

Designing a Windows Firewall with Advanced Security Strategy

Gathering the Information You Need
Gathering Information about Your Current Network Infrastructure
Gathering Information about Your Active Directory Deployment
Gathering Information about Your Computers
Gathering Other Relevant Information
Determining the Trusted State of Your Computers

Planning Your Windows Firewall with Advanced Security Design

Planning Settings for a Basic Firewall Policy
Planning Domain Isolation Zones
Exemption List
Isolated Domain
Boundary Zone
Encryption Zone
Planning Server Isolation Zones
Planning Certificate-based Authentication
Documenting the Zones
Planning Group Policy Deployment for Your Isolation Zones

Planning Isolation Groups for the Zones
Planning Network Access Groups
Planning the GPOs
Firewall GPOs
GPO_DOMISO_Firewall
Isolated Domain GPOs
GPO_DOMISO_IsolatedDomain_Clients
GPO_DOMISO_IsolatedDomain_Servers
Boundary Zone GPOs
GPO_DOMISO_Boundary
Encryption Zone GPOs
GPO_DOMISO_Encryption
Server Isolation GPOs
Planning GPO Deployment

Appendix A: Sample GPO Template Files for Settings Used in this Guide

Windows Firewall with Advanced Security Deployment Guide

Planning to Deploy Windows Firewall with Advanced Security

Implementing Your Windows Firewall with Advanced Security Design Plan

Checklist: Creating Group Policy Objects

Checklist: Implementing a Basic Firewall Policy Design

Checklist: Configuring Basic Firewall Settings

Checklist: Creating Inbound Firewall Rules

Checklist: Creating Outbound Firewall Rules

Checklist: Implementing a Domain Isolation Policy Design

Checklist: Configuring Rules for the Isolated Domain
Checklist: Configuring Rules for the Boundary Zone
Checklist: Configuring Rules for the Encryption Zone
Checklist: Configuring Rules for an Isolated Server Zone

Checklist: Implementing a Standalone Server Isolation Policy Design

Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone

Checklist: Implementing a Certificate-based Isolation Policy Design

Procedures Used in This Guide

Add Production Devices to the Membership Group for a Zone
Add Test Devices to the Membership Group for a Zone
Assign Security Group Filters to the GPO
Change Rules from Request to Require Mode
Configure Authentication Methods
Configure Data Protection (Quick Mode) Settings
Configure Group Policy to Autoenroll and Deploy Certificates
Configure Key Exchange (Main Mode) Settings
Configure the Rules to Require Encryption
Configure the Windows Firewall Log
Configure the Workstation Authentication Certificate Template
Configure Windows Firewall to Suppress Notifications When a Program Is Blocked
Confirm That Certificates Are Deployed Correctly
Copy a GPO to Create a New GPO
Create a Group Account in Active Directory
Create a Group Policy Object
Create an Authentication Exemption List Rule
Create an Authentication Request Rule
Create an Inbound ICMP Rule
Create an Inbound Port Rule
Create an Inbound Program or Service Rule
Create an Outbound Port Rule
Create an Outbound Program or Service Rule
Create Inbound Rules to Support RPC
Create WMI Filters for the GPO
Enable Predefined Inbound Rules
Enable Predefined Outbound Rules
Exempt ICMP from Authentication
Modify GPO Filters to Apply to a Different Zone or Version of Windows
Open the Group Policy Management Console to IP Security Policies
Open the Group Policy Management Console to Windows Firewall
Open the Group Policy Management Console to Windows Firewall with Advanced Security
Open Windows Firewall with Advanced Security
Restrict Server Access to Members of a Group Only
Turn on Windows Firewall and Configure Default Behavior
Verify That Network Traffic Is Authenticated

Windows Hello for Business