2016-05-27 11:40:00 -07:00

Keep Windows 10 secure

Change history for Keep Windows 10 secure

Block untrusted fonts in an enterprise

Device Guard certification and compliance

Get apps to run on Device Guard-protected devices

Create a Device Guard code integrity policy based on a reference device

Manage identity verification using Microsoft Passport

Implement Microsoft Passport in your organization

Why a PIN is better than a password

Prepare people to use Microsoft Passport

Microsoft Passport and password changes

Microsoft Passport errors during PIN creation

Event ID 300 - Passport successfully created

Windows Hello biometrics in the enterprise

Configure S/MIME for Windows 10 and Windows 10 Mobile

Install digital certificates on Windows 10 Mobile

Protect derived domain credentials with Credential Guard

Protect your enterprise data using enterprise data protection (EDP)

Create an enterprise data protection (EDP) policy

Create an enterprise data protection (EDP) policy using Microsoft Intune

Add multiple apps to your enterprise data protection (EDP) Protected Apps list
Deploy your enterprise data protection (EDP) policy
Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune

Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager

General guidance and best practices for enterprise data protection (EDP)

Enlightened apps for use with enterprise data protection (EDP)

Testing scenarios for enterprise data protection (EDP)

Use Windows Event Forwarding to help with intrusion detection

VPN profile options

Security technologies

AppLocker

Administer AppLocker

Maintain AppLocker policies
Edit an AppLocker policy
Test and update an AppLocker policy
Deploy AppLocker policies by using the enforce rules setting
Use the AppLocker Windows PowerShell cmdlets
Use AppLocker and Software Restriction Policies in the same domain
Optimize AppLocker performance
Monitor app usage with AppLocker
Manage packaged apps with AppLocker
Working with AppLocker rules
Create a rule that uses a file hash condition
Create a rule that uses a path condition
Create a rule that uses a publisher condition
Create AppLocker default rules
Add exceptions for an AppLocker rule
Create a rule for packaged apps
Delete an AppLocker rule
Edit AppLocker rules
Enable the DLL rule collection
Enforce AppLocker rules
Run the Automatically Generate Rules wizard
Working with AppLocker policies
Configure the Application Identity service
Configure an AppLocker policy for audit only
Configure an AppLocker policy for enforce rules
Display a custom URL message when users try to run a blocked app
Export an AppLocker policy from a GPO
Export an AppLocker policy to an XML file
Import an AppLocker policy from another computer
Import an AppLocker policy into a GPO
Add rules for packaged apps to existing AppLocker rule-set
Merge AppLocker policies by using Set-ApplockerPolicy
Merge AppLocker policies manually
Refresh an AppLocker policy
Test an AppLocker policy by using Test-AppLockerPolicy

AppLocker design guide

Understand AppLocker policy design decisions
Determine your application control objectives
Create a list of apps deployed to each business group
Document your app list
Select the types of rules to create
Document your AppLocker rules
Determine the Group Policy structure and rule enforcement
Understand AppLocker enforcement settings
Understand AppLocker rules and enforcement setting inheritance in Group Policy
Document the Group Policy structure and AppLocker rule enforcement
Plan for AppLocker policy management
Document your application control management processes
Create your AppLocker planning document

AppLocker deployment guide

Understand the AppLocker policy deployment process
Requirements for Deploying AppLocker Policies
Use Software Restriction Policies and AppLocker policies
Create Your AppLocker policies
Create Your AppLocker rules
Deploy the AppLocker policy into production
Use a reference device to create and maintain AppLocker policies

Determine which apps are digitally signed on a reference device
Configure the AppLocker reference device

AppLocker technical reference

What Is AppLocker?
Requirements to use AppLocker
AppLocker policy use scenarios
How AppLocker works
Understanding AppLocker rule behavior
Understanding AppLocker rule exceptions
Understanding AppLocker rule collections
Understanding AppLocker allow and deny actions on rules
Understanding AppLocker rule condition types

Understanding the publisher rule condition in AppLocker
Understanding the path rule condition in AppLocker
Understanding the file hash rule condition in AppLocker

Understanding AppLocker default rules

Executable rules in AppLocker
Windows Installer rules in AppLocker
Script rules in AppLocker
DLL rules in AppLocker
Packaged apps and packaged app installer rules in AppLocker

AppLocker architecture and components
AppLocker processes and interactions
AppLocker functions
Security considerations for AppLocker
Tools to Use with AppLocker
Using Event Viewer with AppLocker
AppLocker Settings

BitLocker

BitLocker frequently asked questions (FAQ)

Prepare your organization for BitLocker: Planning and policies

BitLocker basic deployment

BitLocker: How to deploy on Windows Server 2012 and later

BitLocker: How to enable Network Unlock

BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker

BitLocker: Use BitLocker Recovery Password Viewer

BitLocker Group Policy settings

BCD settings and BitLocker

BitLocker Recovery Guide

Protect BitLocker from pre-boot attacks

Types of attacks for volume encryption keys
BitLocker Countermeasures
Choose the Right BitLocker Countermeasure

Protecting cluster shared volumes and storage area networks with BitLocker

Encrypted Hard Drive

Security auditing

Basic security audit policies

Create a basic audit policy for an event category
Apply a basic audit policy on a file or folder
View the security event log
Basic security audit policy settings
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events

Advanced security audit policies

Planning and deploying advanced security audit policies
Advanced security auditing FAQ
Which editions of Windows support advanced audit policy configuration
Using advanced security auditing options to monitor dynamic access control objects
Monitor the central access policies that apply on a file server
Monitor the use of removable storage devices
Monitor resource attribute definitions
Monitor central access policy and rule definitions
Monitor user and device claims during sign-in
Monitor the resource attributes on files and folders
Monitor the central access policies associated with files and folders
Monitor claim types
Advanced security audit policy settings
Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Audit DPAPI Activity
Audit PNP Activity
Audit Process Creation
Audit Process Termination
Audit RPC Events
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Audit Account Lockout
Audit User/Device Claims
Audit Group Membership
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Access Policy Staging
Audit Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Audit Sensitive Privilege Use
Audit Non-Sensitive Privilege Use
Audit Other Privilege Use Events
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Registry (Global Object Access Auditing)
File System (Global Object Access Auditing)

Security policy settings

Administer security policy settings

Network List Manager policies

Configure security policy settings

Security policy settings reference

Account Policies
Password Policy

Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption

Account Lockout Policy

Account lockout duration
Account lockout threshold
Reset account lockout counter after

Kerberos Policy

Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization

Audit Policy
Security Options
Accounts: Administrator account status
Accounts: Block Microsoft accounts
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Display user information when the session is locked
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Machine account lockout threshold
Interactive logon: Machine inactivity limit
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Attempt S4U2Self to obtain claim information
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Server SPN target name validation level
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of passwords and credentials for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and subpaths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Allow Local System to use computer identity for NTLM
Network security: Allow LocalSystem NULL session fallback
Network security: Allow PKU2U authentication requests to this computer to use online identities
Network security: Configure encryption types allowed for Kerberos Win7 only
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network security: Restrict NTLM: Add server exceptions in this domain
Network security: Restrict NTLM: Audit incoming NTLM traffic
Network security: Restrict NTLM: Audit NTLM authentication in this domain
Network security: Restrict NTLM: Incoming NTLM traffic
Network security: Restrict NTLM: NTLM authentication in this domain
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
System settings: Optional subsystems
System settings: Use certificate rules on Windows executables for Software Restriction Policies
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure locations
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
Advanced security audit policy settings
User Rights Assignment
Access Credential Manager as a trusted caller
Access this computer from the network
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Manage auditing and security log
Modify an object label
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or other objects

Trusted Platform Module

TPM fundamentals

TPM Group Policy settings

AD DS schema extensions to support TPM backup

Back up the TPM recovery information to AD DS

Manage TPM commands

Manage TPM lockout

Change the TPM owner password

Initialize and configure ownership of the TPM

Switch PCR banks on TPM 2.0 devices

TPM recommendations

User Account Control

How User Account Control works

User Account Control security policy settings

User Account Control Group Policy and registry key settings

Windows Defender Advanced Threat Protection

Minimum requirements

Data storage and privacy

Onboard endpoints and set up access

Configure endpoints
Configure proxy and Internet settings
Additional configuration settings
Monitor onboarding
Troubleshoot onboarding issues

Portal overview

Use the Windows Defender ATP portal

View the Dashboard
View and organize the Alerts queue
Investigate alerts
Investigate machines
Investigate files
Investigate an IP address
Investigate a domain
Manage alerts

Windows Defender ATP settings

Troubleshoot Windows Defender ATP

Review events and errors on endpoints with Event Viewer

Windows Defender in Windows 10

Update and manage Windows Defender in Windows 10

Configure Windows Defender in Windows 10

Troubleshoot Windows Defender in Windows 10

Windows Firewall with Advanced Security

Isolating Windows Store Apps on Your Network

Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012

Windows Firewall with Advanced Security Administration with Windows PowerShell

Windows Firewall with Advanced Security Design Guide

Understanding the Windows Firewall with Advanced Security Design Process
Identifying Your Windows Firewall with Advanced Security Deployment Goals
Protect Computers from Unwanted Network Traffic
Restrict Access to Only Trusted Computers
Require Encryption When Accessing Sensitive Network Resources
Restrict Access to Only Specified Users or Computers
Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design
Basic Firewall Policy Design
Domain Isolation Policy Design
Server Isolation Policy Design
Certificate-based Isolation Policy Design
Evaluating Windows Firewall with Advanced Security Design Examples
Firewall Policy Design Example
Domain Isolation Policy Design Example
Server Isolation Policy Design Example
Certificate-based Isolation Policy Design Example
Designing a Windows Firewall with Advanced Security Strategy
Gathering the Information You Need

Gathering Information about Your Current Network Infrastructure
Gathering Information about Your Active Directory Deployment
Gathering Information about Your Computers
Gathering Other Relevant Information

Determining the Trusted State of Your Computers
Planning Your Windows Firewall with Advanced Security Design
Planning Settings for a Basic Firewall Policy
Planning Domain Isolation Zones

Exemption List
Isolated Domain
Boundary Zone
Encryption Zone

Planning Server Isolation Zones
Planning Certificate-based Authentication
Documenting the Zones
Planning Group Policy Deployment for Your Isolation Zones

Planning Isolation Groups for the Zones
Planning Network Access Groups
Planning the GPOs
Firewall GPOs
GPO_DOMISO_Firewall
Isolated Domain GPOs
GPO_DOMISO_IsolatedDomain_Clients
GPO_DOMISO_IsolatedDomain_Servers
Boundary Zone GPOs
GPO_DOMISO_Boundary_WS2008
Encryption Zone GPOs
GPO_DOMISO_Encryption_WS2008
Server Isolation GPOs
Planning GPO Deployment

Appendix A: Sample GPO Template Files for Settings Used in this Guide
Additional Resources

Windows Firewall with Advanced Security Deployment Guide

Planning to Deploy Windows Firewall with Advanced Security
Implementing Your Windows Firewall with Advanced Security Design Plan
Checklist: Creating Group Policy Objects
Checklist: Implementing a Basic Firewall Policy Design
Checklist: Configuring Basic Firewall Settings
Checklist: Creating Inbound Firewall Rules
Checklist: Creating Outbound Firewall Rules
Checklist: Implementing a Domain Isolation Policy Design
Checklist: Configuring Rules for the Isolated Domain
Checklist: Configuring Rules for the Boundary Zone
Checklist: Configuring Rules for the Encryption Zone
Checklist: Configuring Rules for an Isolated Server Zone
Checklist: Implementing a Standalone Server Isolation Policy Design
Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone
Checklist: Implementing a Certificate-based Isolation Policy Design
Procedures Used in This Guide
Add Production Computers to the Membership Group for a Zone
Add Test Computers to the Membership Group for a Zone
Assign Security Group Filters to the GPO
Change Rules from Request to Require Mode
Configure Authentication Methods on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
Configure Data Protection (Quick Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
Configure Group Policy to Autoenroll and Deploy Certificates
Configure Key Exchange (Main Mode) Settings on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
Configure the Rules to Require Encryption on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
Configure the Windows Firewall Log
Configure the Workstation Authentication Certificate Template
Configure Windows Firewall to Suppress Notifications When a Program Is Blocked
Confirm That Certificates Are Deployed Correctly
Copy a GPO to Create a New GPO
Create a Group Account in Active Directory
Create a Group Policy Object
Create an Authentication Exemption List Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
Create an Authentication Request Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
Create an Inbound ICMP Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
Create an Inbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
Create an Inbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
Create an Outbound Port Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2
Create an Outbound Program or Service Rule on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008 or Windows Server 2008 R2
Create Inbound Rules to Support RPC on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
Create WMI Filters for the GPO
Enable Predefined Inbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
Enable Predefined Outbound Rules on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2
Exempt ICMP from Authentication on Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2
Install Active Directory Certificate Services
Modify GPO Filters to Apply to a Different Zone or Version of Windows
Open the Group Policy Management Console to IP Security Policies
Open the Group Policy Management Console to Windows Firewall
Open the Group Policy Management Console to Windows Firewall with Advanced Security
Open Windows Firewall with Advanced Security
Restrict Server Access to Members of a Group Only
Start a Command Prompt as an Administrator
Turn on Windows Firewall and Configure Default Behavior
Verify That Network Traffic Is Authenticated
Additional Resources

Enterprise security guides

Control the health of Windows 10-based devices

Device Guard deployment guide

Microsoft Passport guide

Windows 10 Mobile security guide

Windows 10 security overview