82 KiB
Keep Windows 10 secure
Block untrusted fonts in an enterprise
Manage identity verification using Windows Hello for Business
Implement Windows Hello for Business in your organization
Enable phone sign-in to PC or VPN
Why a PIN is better than a password
Prepare people to use Windows Hello
Windows Hello and password changes
Windows Hello errors during PIN creation
Event ID 300 - Windows Hello successfully created
Windows Hello biometrics in the enterprise
Configure S/MIME for Windows 10 and Windows 10 Mobile
Install digital certificates on Windows 10 Mobile
Device Guard deployment guide
Introduction to Device Guard: virtualization-based security and code integrity policies
Requirements and deployment planning guidelines for Device Guard
Planning and getting started on the Device Guard deployment process
Deploy Device Guard: deploy code integrity policies
Optional: Create a code signing certificate for code integrity policies
Deploy code integrity policies: policy rules and file rules
Deploy code integrity policies: steps
Deploy catalog files to support code integrity policies
Deploy Device Guard: enable virtualization-based security
Protect derived domain credentials with Credential Guard
Protect Remote Desktop credentials with Remote Credential Guard
Protect your enterprise data using Windows Information Protection (WIP)
Create a Windows Information Protection (WIP) policy
Create a Windows Information Protection (WIP) policy using Microsoft Intune
Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality
Deploy your Windows Information Protection (WIP) policy
Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune
Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
General guidance and best practices for Windows Information Protection (WIP)
Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
Enlightened apps for use with Windows Information Protection (WIP)
Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
Testing scenarios for Windows Information Protection (WIP)
Limitations while using Windows Information Protection (WIP)
Use Windows Event Forwarding to help with intrusion detection
Override Process Mitigation Options to help enforce app-related security policies
VPN technical guide
VPN connection types
VPN routing decisions
VPN authentication options
VPN and conditional access
VPN name resolution
VPN auto-triggered profile options
VPN security features
VPN profile options
Windows security baselines
Security technologies
Access Control Overview
Dynamic Access Control Overview
Security identifiers
Security Principals
Local Accounts
Active Directory Accounts
Microsoft Accounts
Service Accounts
Active Directory Security Groups
Special Identities
AppLocker
Administer AppLocker
Maintain AppLocker policies
Edit an AppLocker policy
Test and update an AppLocker policy
Deploy AppLocker policies by using the enforce rules setting
Use the AppLocker Windows PowerShell cmdlets
Use AppLocker and Software Restriction Policies in the same domain
Optimize AppLocker performance
Monitor app usage with AppLocker
Manage packaged apps with AppLocker
Working with AppLocker rules
Create a rule that uses a file hash condition
Create a rule that uses a path condition
Create a rule that uses a publisher condition
Create AppLocker default rules
Add exceptions for an AppLocker rule
Create a rule for packaged apps
Delete an AppLocker rule
Edit AppLocker rules
Enable the DLL rule collection
Enforce AppLocker rules
Run the Automatically Generate Rules wizard
Working with AppLocker policies
Configure the Application Identity service
Configure an AppLocker policy for audit only
Configure an AppLocker policy for enforce rules
Display a custom URL message when users try to run a blocked app
Export an AppLocker policy from a GPO
Export an AppLocker policy to an XML file
Import an AppLocker policy from another computer
Import an AppLocker policy into a GPO
Add rules for packaged apps to existing AppLocker rule-set
Merge AppLocker policies by using Set-ApplockerPolicy
Merge AppLocker policies manually
Refresh an AppLocker policy
Test an AppLocker policy by using Test-AppLockerPolicy
AppLocker design guide
Understand AppLocker policy design decisions
Determine your application control objectives
Create a list of apps deployed to each business group
Document your app list
Select the types of rules to create
Document your AppLocker rules
Determine the Group Policy structure and rule enforcement
Understand AppLocker enforcement settings
Understand AppLocker rules and enforcement setting inheritance in Group Policy
Document the Group Policy structure and AppLocker rule enforcement
Plan for AppLocker policy management
Document your application control management processes
Create your AppLocker planning document
AppLocker deployment guide
Understand the AppLocker policy deployment process
Requirements for Deploying AppLocker Policies
Use Software Restriction Policies and AppLocker policies
Create Your AppLocker policies
Create Your AppLocker rules
Deploy the AppLocker policy into production
Use a reference device to create and maintain AppLocker policies
####### Determine which apps are digitally signed on a reference device ####### Configure the AppLocker reference device
AppLocker technical reference
What Is AppLocker?
Requirements to use AppLocker
AppLocker policy use scenarios
How AppLocker works
Understanding AppLocker rule behavior
Understanding AppLocker rule exceptions
Understanding AppLocker rule collections
Understanding AppLocker allow and deny actions on rules
Understanding AppLocker rule condition types
####### Understanding the publisher rule condition in AppLocker ####### Understanding the path rule condition in AppLocker ####### Understanding the file hash rule condition in AppLocker
Understanding AppLocker default rules
####### Executable rules in AppLocker ####### Windows Installer rules in AppLocker ####### Script rules in AppLocker ####### DLL rules in AppLocker ####### Packaged apps and packaged app installer rules in AppLocker
AppLocker architecture and components
AppLocker processes and interactions
AppLocker functions
Security considerations for AppLocker
Tools to Use with AppLocker
Using Event Viewer with AppLocker
AppLocker Settings
BitLocker
BitLocker frequently asked questions (FAQ)
Prepare your organization for BitLocker: Planning and policies
BitLocker basic deployment
BitLocker: How to deploy on Windows Server 2012 and later
BitLocker: How to enable Network Unlock
BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker
BitLocker: Use BitLocker Recovery Password Viewer
BitLocker Group Policy settings
BCD settings and BitLocker
BitLocker Recovery Guide
Protect BitLocker from pre-boot attacks
Types of attacks for volume encryption keys
BitLocker Countermeasures
Choose the Right BitLocker Countermeasure
Protecting cluster shared volumes and storage area networks with BitLocker
Encrypted Hard Drive
Security auditing
Basic security audit policies
Create a basic audit policy for an event category
Apply a basic audit policy on a file or folder
View the security event log
Basic security audit policy settings
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Advanced security audit policies
Planning and deploying advanced security audit policies
Advanced security auditing FAQ
Which editions of Windows support advanced audit policy configuration
Using advanced security auditing options to monitor dynamic access control objects
Monitor the central access policies that apply on a file server
Monitor the use of removable storage devices
Monitor resource attribute definitions
Monitor central access policy and rule definitions
Monitor user and device claims during sign-in
Monitor the resource attributes on files and folders
Monitor the central access policies associated with files and folders
Monitor claim types
Advanced security audit policy settings
Audit Credential Validation
####### Event 4774 S: An account was mapped for logon. ####### Event 4775 F: An account could not be mapped for logon. ####### Event 4776 S, F: The computer attempted to validate the credentials for an account. ####### Event 4777 F: The domain controller failed to validate the credentials for an account.
Audit Kerberos Authentication Service
####### Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested. ####### Event 4771 F: Kerberos pre-authentication failed. ####### Event 4772 F: A Kerberos authentication ticket request failed.
Audit Kerberos Service Ticket Operations
####### Event 4769 S, F: A Kerberos service ticket was requested. ####### Event 4770 S: A Kerberos service ticket was renewed. ####### Event 4773 F: A Kerberos service ticket request failed.
Audit Other Account Logon Events
Audit Application Group Management
Audit Computer Account Management
####### Event 4741 S: A computer account was created. ####### Event 4742 S: A computer account was changed. ####### Event 4743 S: A computer account was deleted.
Audit Distribution Group Management
####### Event 4749 S: A security-disabled global group was created. ####### Event 4750 S: A security-disabled global group was changed. ####### Event 4751 S: A member was added to a security-disabled global group. ####### Event 4752 S: A member was removed from a security-disabled global group. ####### Event 4753 S: A security-disabled global group was deleted.
Audit Other Account Management Events
####### Event 4782 S: The password hash an account was accessed. ####### Event 4793 S: The Password Policy Checking API was called.
Audit Security Group Management
####### Event 4731 S: A security-enabled local group was created. ####### Event 4732 S: A member was added to a security-enabled local group. ####### Event 4733 S: A member was removed from a security-enabled local group. ####### Event 4734 S: A security-enabled local group was deleted. ####### Event 4735 S: A security-enabled local group was changed. ####### Event 4764 S: A group’s type was changed. ####### Event 4799 S: A security-enabled local group membership was enumerated.
Audit User Account Management
####### Event 4720 S: A user account was created. ####### Event 4722 S: A user account was enabled. ####### Event 4723 S, F: An attempt was made to change an account's password. ####### Event 4724 S, F: An attempt was made to reset an account's password. ####### Event 4725 S: A user account was disabled. ####### Event 4726 S: A user account was deleted. ####### Event 4738 S: A user account was changed. ####### Event 4740 S: A user account was locked out. ####### Event 4765 S: SID History was added to an account. ####### Event 4766 F: An attempt to add SID History to an account failed. ####### Event 4767 S: A user account was unlocked. ####### Event 4780 S: The ACL was set on accounts which are members of administrators groups. ####### Event 4781 S: The name of an account was changed. ####### Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password. ####### Event 4798 S: A user's local group membership was enumerated. ####### Event 5376 S: Credential Manager credentials were backed up. ####### Event 5377 S: Credential Manager credentials were restored from a backup.
Audit DPAPI Activity
####### Event 4692 S, F: Backup of data protection master key was attempted. ####### Event 4693 S, F: Recovery of data protection master key was attempted. ####### Event 4694 S, F: Protection of auditable protected data was attempted. ####### Event 4695 S, F: Unprotection of auditable protected data was attempted.
Audit PNP Activity
####### Event 6416 S: A new external device was recognized by the System. ####### Event 6419 S: A request was made to disable a device. ####### Event 6420 S: A device was disabled. ####### Event 6421 S: A request was made to enable a device. ####### Event 6422 S: A device was enabled. ####### Event 6423 S: The installation of this device is forbidden by system policy. ####### Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.
Audit Process Creation
####### Event 4688 S: A new process has been created. ####### Event 4696 S: A primary token was assigned to process.
Audit Process Termination
####### Event 4689 S: A process has exited.
Audit RPC Events
####### Event 5712 S: A Remote Procedure Call, RPC, was attempted.
Audit Detailed Directory Service Replication
####### Event 4928 S, F: An Active Directory replica source naming context was established. ####### Event 4929 S, F: An Active Directory replica source naming context was removed. ####### Event 4930 S, F: An Active Directory replica source naming context was modified. ####### Event 4931 S, F: An Active Directory replica destination naming context was modified. ####### Event 4934 S: Attributes of an Active Directory object were replicated. ####### Event 4935 F: Replication failure begins. ####### Event 4936 S: Replication failure ends. ####### Event 4937 S: A lingering object was removed from a replica.
Audit Directory Service Access
####### Event 4662 S, F: An operation was performed on an object. ####### Event 4661 S, F: A handle to an object was requested.
Audit Directory Service Changes
####### Event 5136 S: A directory service object was modified. ####### Event 5137 S: A directory service object was created. ####### Event 5138 S: A directory service object was undeleted. ####### Event 5139 S: A directory service object was moved. ####### Event 5141 S: A directory service object was deleted.
Audit Directory Service Replication
####### Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun. ####### Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.
Audit Account Lockout
####### Event 4625 F: An account failed to log on.
Audit User/Device Claims
####### Event 4626 S: User/Device claims information.
Audit Group Membership
####### Event 4627 S: Group membership information.
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
####### Event 4634 S: An account was logged off. ####### Event 4647 S: User initiated logoff.
Audit Logon
####### Event 4624 S: An account was successfully logged on. ####### Event 4625 F: An account failed to log on. ####### Event 4648 S: A logon was attempted using explicit credentials. ####### Event 4675 S: SIDs were filtered.
Audit Network Policy Server
Audit Other Logon/Logoff Events
####### Event 4649 S: A replay attack was detected. ####### Event 4778 S: A session was reconnected to a Window Station. ####### Event 4779 S: A session was disconnected from a Window Station. ####### Event 4800 S: The workstation was locked. ####### Event 4801 S: The workstation was unlocked. ####### Event 4802 S: The screen saver was invoked. ####### Event 4803 S: The screen saver was dismissed. ####### Event 5378 F: The requested credentials delegation was disallowed by policy. ####### Event 5632 S, F: A request was made to authenticate to a wireless network. ####### Event 5633 S, F: A request was made to authenticate to a wired network.
Audit Special Logon
####### Event 4964 S: Special groups have been assigned to a new logon. ####### Event 4672 S: Special privileges assigned to new logon.
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
####### Event 5140 S, F: A network share object was accessed. ####### Event 5142 S: A network share object was added. ####### Event 5143 S: A network share object was modified. ####### Event 5144 S: A network share object was deleted. ####### Event 5168 F: SPN check for SMB/SMB2 failed.
Audit File System
####### Event 4656 S, F: A handle to an object was requested. ####### Event 4658 S: The handle to an object was closed. ####### Event 4660 S: An object was deleted. ####### Event 4663 S: An attempt was made to access an object. ####### Event 4664 S: An attempt was made to create a hard link. ####### Event 4985 S: The state of a transaction has changed. ####### Event 5051: A file was virtualized. ####### Event 4670 S: Permissions on an object were changed.
Audit Filtering Platform Connection
####### Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network. ####### Event 5150: The Windows Filtering Platform blocked a packet. ####### Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet. ####### Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. ####### Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. ####### Event 5156 S: The Windows Filtering Platform has permitted a connection. ####### Event 5157 F: The Windows Filtering Platform has blocked a connection. ####### Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port. ####### Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.
Audit Filtering Platform Packet Drop
####### Event 5152 F: The Windows Filtering Platform blocked a packet. ####### Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.
Audit Handle Manipulation
####### Event 4690 S: An attempt was made to duplicate a handle to an object.
Audit Kernel Object
####### Event 4656 S, F: A handle to an object was requested. ####### Event 4658 S: The handle to an object was closed. ####### Event 4660 S: An object was deleted. ####### Event 4663 S: An attempt was made to access an object.
Audit Other Object Access Events
####### Event 4671: An application attempted to access a blocked ordinal through the TBS. ####### Event 4691 S: Indirect access to an object was requested. ####### Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. ####### Event 5149 F: The DoS attack has subsided and normal processing is being resumed. ####### Event 4698 S: A scheduled task was created. ####### Event 4699 S: A scheduled task was deleted. ####### Event 4700 S: A scheduled task was enabled. ####### Event 4701 S: A scheduled task was disabled. ####### Event 4702 S: A scheduled task was updated. ####### Event 5888 S: An object in the COM+ Catalog was modified. ####### Event 5889 S: An object was deleted from the COM+ Catalog. ####### Event 5890 S: An object was added to the COM+ Catalog.
Audit Registry
####### Event 4663 S: An attempt was made to access an object. ####### Event 4656 S, F: A handle to an object was requested. ####### Event 4658 S: The handle to an object was closed. ####### Event 4660 S: An object was deleted. ####### Event 4657 S: A registry value was modified. ####### Event 5039: A registry key was virtualized. ####### Event 4670 S: Permissions on an object were changed.
Audit Removable Storage
Audit SAM
####### Event 4661 S, F: A handle to an object was requested.
Audit Central Access Policy Staging
Audit Audit Policy Change
####### Event 4670 S: Permissions on an object were changed. ####### Event 4715 S: The audit policy, SACL, on an object was changed. ####### Event 4719 S: System audit policy was changed. ####### Event 4817 S: Auditing settings on object were changed. ####### Event 4902 S: The Per-user audit policy table was created. ####### Event 4906 S: The CrashOnAuditFail value has changed. ####### Event 4907 S: Auditing settings on object were changed. ####### Event 4908 S: Special Groups Logon table modified. ####### Event 4912 S: Per User Audit Policy was changed. ####### Event 4904 S: An attempt was made to register a security event source. ####### Event 4905 S: An attempt was made to unregister a security event source.
Audit Authentication Policy Change
####### Event 4706 S: A new trust was created to a domain. ####### Event 4707 S: A trust to a domain was removed. ####### Event 4716 S: Trusted domain information was modified. ####### Event 4713 S: Kerberos policy was changed. ####### Event 4717 S: System security access was granted to an account. ####### Event 4718 S: System security access was removed from an account. ####### Event 4739 S: Domain Policy was changed. ####### Event 4864 S: A namespace collision was detected. ####### Event 4865 S: A trusted forest information entry was added. ####### Event 4866 S: A trusted forest information entry was removed. ####### Event 4867 S: A trusted forest information entry was modified.
Audit Authorization Policy Change
####### Event 4703 S: A user right was adjusted. ####### Event 4704 S: A user right was assigned. ####### Event 4705 S: A user right was removed. ####### Event 4670 S: Permissions on an object were changed. ####### Event 4911 S: Resource attributes of the object were changed. ####### Event 4913 S: Central Access Policy on the object was changed.
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
####### Event 4944 S: The following policy was active when the Windows Firewall started. ####### Event 4945 S: A rule was listed when the Windows Firewall started. ####### Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added. ####### Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified. ####### Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted. ####### Event 4949 S: Windows Firewall settings were restored to the default values. ####### Event 4950 S: A Windows Firewall setting has changed. ####### Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall. ####### Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. ####### Event 4953 F: Windows Firewall ignored a rule because it could not be parsed. ####### Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied. ####### Event 4956 S: Windows Firewall has changed the active profile. ####### Event 4957 F: Windows Firewall did not apply the following rule. ####### Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
Audit Other Policy Change Events
####### Event 4714 S: Encrypted data recovery policy was changed. ####### Event 4819 S: Central Access Policies on the machine have been changed. ####### Event 4826 S: Boot Configuration Data loaded. ####### Event 4909: The local policy settings for the TBS were changed. ####### Event 4910: The group policy settings for the TBS were changed. ####### Event 5063 S, F: A cryptographic provider operation was attempted. ####### Event 5064 S, F: A cryptographic context operation was attempted. ####### Event 5065 S, F: A cryptographic context modification was attempted. ####### Event 5066 S, F: A cryptographic function operation was attempted. ####### Event 5067 S, F: A cryptographic function modification was attempted. ####### Event 5068 S, F: A cryptographic function provider operation was attempted. ####### Event 5069 S, F: A cryptographic function property operation was attempted. ####### Event 5070 S, F: A cryptographic function property modification was attempted. ####### Event 5447 S: A Windows Filtering Platform filter has been changed. ####### Event 6144 S: Security policy in the group policy objects has been applied successfully. ####### Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.
Audit Sensitive Privilege Use
####### Event 4673 S, F: A privileged service was called. ####### Event 4674 S, F: An operation was attempted on a privileged object. ####### Event 4985 S: The state of a transaction has changed.
Audit Non Sensitive Privilege Use
####### Event 4673 S, F: A privileged service was called. ####### Event 4674 S, F: An operation was attempted on a privileged object. ####### Event 4985 S: The state of a transaction has changed.
Audit Other Privilege Use Events
####### Event 4985 S: The state of a transaction has changed.
Audit IPsec Driver
Audit Other System Events
####### Event 5024 S: The Windows Firewall Service has started successfully. ####### Event 5025 S: The Windows Firewall Service has been stopped. ####### Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. ####### Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. ####### Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. ####### Event 5030 F: The Windows Firewall Service failed to start. ####### Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. ####### Event 5033 S: The Windows Firewall Driver has started successfully. ####### Event 5034 S: The Windows Firewall Driver was stopped. ####### Event 5035 F: The Windows Firewall Driver failed to start. ####### Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating. ####### Event 5058 S, F: Key file operation. ####### Event 5059 S, F: Key migration operation. ####### Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content. ####### Event 6401: BranchCache: Received invalid data from a peer. Data discarded. ####### Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted. ####### Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client. ####### Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. ####### Event 6405: BranchCache: %2 instances of event id %1 occurred. ####### Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2. ####### Event 6407: 1%. ####### Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. ####### Event 6409: BranchCache: A service connection point object could not be parsed.
Audit Security State Change
####### Event 4608 S: Windows is starting up. ####### Event 4616 S: The system time was changed. ####### Event 4621 S: Administrator recovered system from CrashOnAuditFail.
Audit Security System Extension
####### Event 4610 S: An authentication package has been loaded by the Local Security Authority. ####### Event 4611 S: A trusted logon process has been registered with the Local Security Authority. ####### Event 4614 S: A notification package has been loaded by the Security Account Manager. ####### Event 4622 S: A security package has been loaded by the Local Security Authority. ####### Event 4697 S: A service was installed in the system.
Audit System Integrity
####### Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. ####### Event 4615 S: Invalid use of LPC port. ####### Event 4618 S: A monitored security event pattern has occurred. ####### Event 4816 S: RPC detected an integrity violation while decrypting an incoming message. ####### Event 5038 F: Code integrity determined that the image hash of a file is not valid. ####### Event 5056 S: A cryptographic self-test was performed. ####### Event 5062 S: A kernel-mode cryptographic self-test was performed. ####### Event 5057 F: A cryptographic primitive operation failed. ####### Event 5060 F: Verification operation failed. ####### Event 5061 S, F: Cryptographic operation. ####### Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid. ####### Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.
Other Events
####### Event 1100 S: The event logging service has shut down. ####### Event 1102 S: The audit log was cleared. ####### Event 1104 S: The security log is now full. ####### Event 1105 S: Event log automatic backup. ####### Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.
Appendix A: Security monitoring recommendations for many audit events
Registry (Global Object Access Auditing)
File System (Global Object Access Auditing)
Security policy settings
Administer security policy settings
Network List Manager policies
Configure security policy settings
Security policy settings reference
Account Policies
Password Policy
####### Enforce password history ####### Maximum password age ####### Minimum password age ####### Minimum password length ####### Password must meet complexity requirements ####### Store passwords using reversible encryption
Account Lockout Policy
####### Account lockout duration ####### Account lockout threshold ####### Reset account lockout counter after
Kerberos Policy
####### Enforce user logon restrictions ####### Maximum lifetime for service ticket ####### Maximum lifetime for user ticket ####### Maximum lifetime for user ticket renewal ####### Maximum tolerance for computer clock synchronization
Audit Policy
Security Options
Accounts: Administrator account status
Accounts: Block Microsoft accounts
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Display user information when the session is locked
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Machine account lockout threshold
Interactive logon: Machine inactivity limit
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Attempt S4U2Self to obtain claim information
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Server SPN target name validation level
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of passwords and credentials for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and subpaths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Allow Local System to use computer identity for NTLM
Network security: Allow LocalSystem NULL session fallback
Network security: Allow PKU2U authentication requests to this computer to use online identities
Network security: Configure encryption types allowed for Kerberos Win7 only
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network security: Restrict NTLM: Add server exceptions in this domain
Network security: Restrict NTLM: Audit incoming NTLM traffic
Network security: Restrict NTLM: Audit NTLM authentication in this domain
Network security: Restrict NTLM: Incoming NTLM traffic
Network security: Restrict NTLM: NTLM authentication in this domain
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
System settings: Optional subsystems
System settings: Use certificate rules on Windows executables for Software Restriction Policies
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure locations
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
Advanced security audit policy settings
User Rights Assignment
Access Credential Manager as a trusted caller
Access this computer from the network
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Manage auditing and security log
Modify an object label
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or other objects
Smart Cards
How Smart Card Sign-in Works in Windows
Smart Card Architecture
Certificate Requirements and Enumeration
Smart Card and Remote Desktop Services
Smart Cards for Windows Service
Certificate Propagation Service
Smart Card Removal Policy Service
Smart Card Tools and Settings
Smart Cards Debugging Information
Smart Card Group Policy and Registry Settings
Smart Card Events
Trusted Platform Module
TPM fundamentals
TPM Group Policy settings
AD DS schema extensions to support TPM backup
Backup the TPM recovery Information to AD DS
Manage TPM commands
Manage TPM lockout
Change the TPM owner password
Initialize and configure ownership of the TPM
Switch PCR banks on TPM 2.0 devices
TPM recommendations
User Account Control
How User Account Control works
User Account Control security policy settings
User Account Control Group Policy and registry key settings
Virtual Smart Cards
Understanding and Evaluating Virtual Smart Cards
Get Started with Virtual Smart Cards: Walkthrough Guide
Use Virtual Smart Cards
Deploy Virtual Smart Cards
Evaluate Virtual Smart Card Security
Tpmvscmgr
Windows Defender Advanced Threat Protection
Minimum requirements
Data storage and privacy
Assign user access to the portal
Onboard endpoints and set up access
Configure endpoints
Configure endpoints using Group Policy
Configure endpoints using System Security Configuration Manager
Configure endpoints using Mobile Device Management tools
####### Configure endpoints using Microsoft Intune
Configure endpoints using a local script
Configure proxy and Internet settings
Troubleshoot onboarding issues
Portal overview
Use the Windows Defender ATP portal
View the Dashboard
View and organize the Alerts queue
Investigate alerts
Investigate machines
Investigate files
Investigate an IP address
Investigate a domain
Manage alerts
Windows Defender ATP settings
Configure SIEM tools to consume alerts
Configure an Azure Active Directory application for SIEM integration
Configure Splunk to consume Windows Defender ATP alerts
Configure HP ArcSight to consume Windows Defender ATP alerts
Troubleshoot Windows Defender ATP
Review events and errors on endpoints with Event Viewer
Windows Defender compatibility
Windows Defender in Windows 10
Update and manage Windows Defender in Windows 10
Configure Windows Defender in Windows 10
Windows Defender Offline in Windows 10
Use PowerShell cmdlets for Windows Defender
Enable the Block at First Sight feature in Windows 10
Configure enhanced notifications for Windows Defender in Windows 10
Run a Windows Defender scan from the command line
Detect and block Potentially Unwanted Applications with Windows Defender
Troubleshoot Windows Defender in Windows 10
Windows Firewall with Advanced Security
Isolating Windows Store Apps on Your Network
Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012
Windows Firewall with Advanced Security Administration with Windows PowerShell
Windows Firewall with Advanced Security Design Guide
Understanding the Windows Firewall with Advanced Security Design Process
Identifying Your Windows Firewall with Advanced Security Deployment Goals
Protect Devices from Unwanted Network Traffic
Restrict Access to Only Trusted Devices
Require Encryption When Accessing Sensitive Network Resources
Restrict Access to Only Specified Users or Computers
Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design
Basic Firewall Policy Design
Domain Isolation Policy Design
Server Isolation Policy Design
Certificate-based Isolation Policy Design
Evaluating Windows Firewall with Advanced Security Design Examples
Firewall Policy Design Example
Domain Isolation Policy Design Example
Server Isolation Policy Design Example
Certificate-based Isolation Policy Design Example
Designing a Windows Firewall with Advanced Security Strategy
Gathering the Information You Need
####### Gathering Information about Your Current Network Infrastructure ####### Gathering Information about Your Active Directory Deployment ####### Gathering Information about Your Computers ####### Gathering Other Relevant Information
Determining the Trusted State of Your Computers
Planning Your Windows Firewall with Advanced Security Design
Planning Settings for a Basic Firewall Policy
Planning Domain Isolation Zones
####### Exemption List ####### Isolated Domain ####### Boundary Zone ####### Encryption Zone
Planning Server Isolation Zones
Planning Certificate-based Authentication
Documenting the Zones
Planning Group Policy Deployment for Your Isolation Zones
####### Planning Isolation Groups for the Zones ####### Planning Network Access Groups ####### Planning the GPOs ######## Firewall GPOs ######### GPO_DOMISO_Firewall ######## Isolated Domain GPOs ######### GPO_DOMISO_IsolatedDomain_Clients ######### GPO_DOMISO_IsolatedDomain_Servers ######## Boundary Zone GPOs ######### GPO_DOMISO_Boundary ######## Encryption Zone GPOs ######### GPO_DOMISO_Encryption ######## Server Isolation GPOs ####### Planning GPO Deployment