Therefore, the subscriber pays only for the resources that the VMs are actually using at any given time.

Horizontal scaling

Also known as scaling out, horizontal scaling is the addition or subtraction of virtual machines to a cluster of servers running a particular application. For example, in the case of a cloud-based web server farm, incoming user requests can be shared among multiple VMs. If the web traffic should increase or decrease, the administrators can add or subtract VMs from the cluster, as needed.

Reliability

In an on-premises data center, data backup, disaster recovery, and fault tolerance are all expensive services that require additional hardware, deployment time, and administration.
A small business might require only a backup storage medium and software.
connections linking them.
In the case of a large-scale cloud provider, however, this is exactly what their infrastructure entails. Therefore, cloud providers are in an excellent position to provide these elaborate services without the need for infrastructure upgrades, and they often can do so for fees that are much lower than it would cost businesses to provide them themselves.
For example, Microsoft Azure provides the following reliability mechanisms for its cloud-based services:
Azure maintains three redundant copies of all data, with one of those copies located in a separate data center.
Azure provides automatic failover to a backup server to minimize downtime in the event of an outage.
Azure hosts all applications on two separate server instances to minimize downtime caused by hardware failure.
Manageability

Because subscribers do not have physical access to the servers hosting their cloud services, they must access them remotely. This is common for organizations with on-premises servers as well, particularly those with large data centers. It is often far more convenient for administrators to access servers from their desks than to travel to a data center that might be on another floor, in another building, or even in another city.
and reliable access to all server functions.
There are various remote management tools available for both cloud and on-premises resources, but the large third-party cloud providers typically provide a secured web-based portal that enables administrators to access all their subscription services using one interface, such as the one for Microsoft Azure shown in Figure.
while traveling.

Security

Security is a major issue for any data center, which administrators typically address by focusing on issues such as data loss and unauthorized access.
These are important concerns whether the data center is local or virtual. However, in the case of an on-premises data center, there is another potential attack vector: the physical one. Servers and other equipment can be stolen outright, damaged by fire or other disasters, or physically accessed by intruders. Therefore, additional security measures might be required, such as door locks, surveillance equipment, access credentials, or even manned security checkpoints.
Cloud-based services eliminate the subscriber's need to provide physical security, because the provider furnishes it. There is still the issue of software-based security, however, and cloud providers nearly always provide an array of controls and services that enable you to harden the security of your servers and applications to accommodate your business needs.
Organizations using cloud resources to implement their servers must be conscious of the fact that they are still responsible for the security and privacy of their data. For example, if an organization stores patient medical records on a cloud-based file server, the organization remains responsible for any data breaches that occur.
Therefore, contracts with cloud providers should stipulate the security policies they must maintain.

Infrastructure

In an on-premises data center, the administrators are responsible for all aspects of the servers and other equipment, including hardware installation and maintenance, operating system configuration and updates, and application deployment and management. Cloud-based services enable subscribers to specify which elements of the infrastructure they are responsible for maintaining.
For example, a subscriber can contract with a provider for a virtual machine running a server operating system, so that the subscriber is responsible for the entire operation and maintenance of the server. The subscriber does not have direct access to the physical hardware of the host system, of course, but he or she does have control over the virtual hardware on which the server runs, as well as all the software running on the server, including the operating system. In some situations, this is desirable, or even essential.
In other situations, cloud-based services can take the form of preinstalled server platforms or applications. In this case, the subscriber might have limited access to the server or no access at all. In the case of a subscriber contracting for Microsoft Exchange Online, the provider grants the subscriber administrative access to the Exchange Server application, but it does not grant the subscriber access to the underlying operating system on which the server application is running.
For an Office subscriber, the provider grants access only to the Office applications themselves. The subscriber knows nothing about the servers on which the applications are running or their operating systems.
These options enable cloud service subscribers to exercise administrative responsibility over specific components only in situations in which their business requirements demand it. For the elements administered by the service provider, contracts typically stipulate hardware maintenance requirements and software update policies.
Alleged Disadvantages of Cloud Computing

There are some IT professionals who persist in stating that cloud-based services are inferior to on-premises services.
IT is more secure, more reliable, provides greater access to equipment, or suffers less downtime.
While one cannot say that the cloud is always a preferable solution, these arguments mostly date from a time when the cloud was a new and immature technology.
They have now largely been debunked by years of proven performance. There are still reasons why businesses can and should maintain on-premises data centers. For example, they might have special security requirements, or they might have already made a large investment in facilities and equipment. However, each year sees a greater percentage of servers deployed in the cloud and clients accessing cloud-based services.
Microsoft is the next step in bringing the cloud to the desktop productivity environment.

SKILL 1.

While some organizations might be building a Microsoft deployment from scratch, others might have existing infrastructure that they want to incorporate into a Microsoft solution.
to understand the various types of cloud architectures and service models.
A new business or division of a business might decide to build an entirely new IT infrastructure using only cloud-based resources. Meanwhile, a business that has already invested in a traditional IT infrastructure might use the cloud for expansions or for the addition of selected services. Organizations planning their infrastructures can use any of the three cloud architecture permutations described in the following sections.

Public cloud

A public cloud is a network of servers owned by a third-party service provider at a remote location, which provides subscribers with access to virtual machines or services through the Internet, often for a fee. Prices are based on the resources or services you use.
examples of public cloud service providers that organizations use to host their virtual machines and access other services.
It means only that the provider furnishes services to the public by subscription, which are accessible from any location at any time via the Internet. These major players in the public cloud industry maintain thousands of servers in data centers located around the world. They can accommodate large enterprise clients by providing services on a global scale.
There are other, smaller cloud providers offering the same services, which might not be able to function on such a massive scale, but these can have their advantages as well. Because the cloud service providers are responsible for managing and maintaining the physical servers, the subscribers save a great deal of time, expense, and human resources.
subscribers at the same time.
For example, a physical host server at a provider site can run virtual machines belonging to different subscribers simultaneously, as shown in Figure. The VMs are secured individually and functionally isolated from each other. This is what is typically meant by a public cloud.

Dedicated public cloud

Subscribers contract with a third-party provider for a hardware infrastructure that is dedicated to their exclusive use. See Figure. The services provided are the same as those in a shared public cloud; the only difference is the hardware the provider uses to furnish the services. Obviously, this arrangement is more expensive than a shared public cloud, but some organizations need the additional security and fault tolerance provided by having hardware dedicated to their own use.
implement all or part of their productivity infrastructure.
However, this is not the only function of the public cloud. When people stream movies to their televisions, use web-based banking services, access their email online, or use the Office productivity applications, they are using public cloud providers.
The difference in these cases is that the provider is furnishing specific services instead of an IT infrastructure.

Private cloud

A private cloud is a network of servers owned and operated by a business solely for its own use. While the services can be the same and appear identical to their end users, the primary difference is that the organization has control over the physical hardware as well. A private cloud deployment usually works in much the same way. In most cases, the organization still creates and utilizes virtual machines to run its applications, but it creates those virtual machines on physical host servers that it owns.
Another variation on the private cloud is the hosted private cloud, in which hardware that is owned or leased by an organization is housed and managed by a third-party provider.
The organization has exclusive use of the hardware and avoids the expenses of building and managing a data center. It does have to pay ongoing fees to the provider, and this arrangement might not satisfy all data storage stipulations, but the overall cost is likely to be less than that of an on-premises private cloud. Typically, the definition of the cloud includes access to services over the Internet.
In a public cloud, both administrative and user access to the cloud resources are through the Internet. While a private cloud can provide users and administrators with access to services via the Internet, it typically does not use the Internet when the administrators and users are located at the same site as the data center housing the cloud.
When a large enterprise maintains facilities at multiple locations, users at all those facilities can access a private cloud using the Internet. However, a small- or medium-sized organization running Microsoft Business at a single location can conceivably run what is technically called a private cloud without the need for user and administrator traffic to ever leave the facility.
security and privacy that a public cloud provider might not be able to meet.
An organization might have government contract stipulations or legal requirements that compel it to maintain its own hardware and store sensitive data on site rather than use third-party hardware that is not subject to the same stipulations or requirements. Whether or not a third-party cloud provider is involved, a company is legally responsible for all the data stored on its servers. An organization might also need to run a legacy application that requires a specific hardware or software configuration that a third-party provider cannot supply.
A private cloud also provides a greater degree of customization than public cloud resources. Public cloud providers are successful because of the scale of their businesses; their services are configurable using the options that are most desired by most of their clients. They are not likely to provide access to obscure software options that only a few of their clients will need. In the case of a private cloud, an organization has access to any and all the customization options provided by the software they choose to install.
Exam Tip

The difference between a private cloud and a dedicated public cloud is who owns and operates the hardware. Exam candidates should be aware that some documentation uses the term private cloud, instead of dedicated public cloud, to describe hardware owned and operated by a third-party provider for the exclusive use of one subscriber.

The advantages of a private cloud are its disadvantages as well.
The owner of the hardware is responsible for purchasing, housing, deploying, and maintaining that hardware, which can add greatly to the overall expense, as described earlier in this chapter. There are no ongoing subscriber fees for a private cloud, as there are with a public cloud provider, but there are ongoing fees for operating a data center, including floor space, power, insurance, and personnel.
The organization is also responsible for purchasing and maintaining licenses for all the software products needed to provide the necessary services. This can include operating system licenses, application server licenses, and user licenses, as well as the cost of additional software utilities.
Typically, the overall costs of a private cloud infrastructure are higher than those of a public cloud, and they can be enormously higher. It is up to the organization to determine whether the advantages of the private cloud are worth the additional expense.

Hybrid cloud

A hybrid cloud combines the functionality of a public and a private cloud, enabling an organization to enjoy the best of both architectures. There are a variety of scenarios in which an organization might prefer to implement a hybrid cloud architecture.
If an organization has existing services implemented on its own physical hardware, it might want to maintain those services while adding others from a public cloud provider.
For example, the organization might have reached the physical capacity of its own data center and does not want to invest in a major facility expansion. An organization might also use public cloud resources to extend the capacity of its private cloud or its in-house network during temporary periods of greater need, such as seasonal business increases.
This technique, called cloudbursting, eliminates the need for the organization to pay for hardware and other resources that are only required for brief periods of time. Because it is possible to connect the public and private services, the resources can interact in any way that is necessary.
For example, a business with an ecommerce website implemented in a private cloud can add public cloud-based servers to its web server farm to accommodate the increase in traffic during its Christmas busy season.
Another possibility is that an organization might be subject to the type of data storage or other security requirements described in the previous section, but it does not want to build out its entire infrastructure in a private cloud.
In this scenario, the organization could conceivably deploy a database containing the sensitive data in a private cloud and use a public cloud provider for a website implementation that is linked to the database. This way, the network can comply with the storage requirements without having to go to the expense of deploying web servers and other services in the private cloud. The same is true for a variety of other services; organizations can keep their sensitive data and services in the private cloud and use the public cloud for the nonsensitive services.
Organizations can also use private cloud resources to run legacy equipment or applications, while all the other services run on a less expensive public cloud. Some cloud providers supply tools that enable administrators to manage their public and private cloud resources through a single interface.
Microsoft Azure provides Azure Active Directory, for example, which enables a subscriber to use the same directory service for public and private cloud resources, so that administrators can access both with a single sign-on.
hybrid cloud architectures.

Cloud service models

The offerings of cloud service providers are typically broken down into service models, which specify what elements of the cloud infrastructure are included with each product. A cloud infrastructure can be broken down into layers forming a stack, as shown in Figure. The functions of the layers are as follows:
People: The users working with the application
Data: The information that the application creates or utilizes
Application: The top-level software program running on the virtual machine
Runtime: An intermediate software layer, such as.
Servers: The physical computers that host the virtual machines that provide cloud services
Storage: The hard drives and other physical components that make up the subsystem providing data storage for the physical servers
Physical network: The cables, routers, and other equipment that physically connect the servers to each other and to the Internet
FIGURE: The layers of the cloud infrastructure
In an organization that uses its own on-premises servers for everything, there is no cloud involved, and the organization is obviously responsible for managing all the layers of the stack.
provider manages some layers of the stack, and the organization manages the rest. This is called a shared responsibility model. Which layers are managed by the organization and which are managed by the provider depends on the service model used to furnish the cloud product. The three basic cloud service models are described in the following sections.

IaaS

Infrastructure as a Service (IaaS) is a cloud computing model in which a cloud service provider furnishes the client with the physical computing elements: the network, the storage subsystem, the physical servers, and the hypervisor running on the servers. This provides subscribers with everything they need to create their own virtual machines and manage them by themselves. Therefore, all the cloud infrastructure layers above the hypervisor are the responsibility of the subscriber, as shown in Figure. The end result is a virtual machine that the subscriber can install, configure, and use to run applications just like a VM running on an on-premises server.
The difference is that the subscriber does not have to outfit a data center, build a network, procure a physical computer, and install the hypervisor.
Instead, the subscriber pays a regular fee for the actual resources that the VM uses. The subscriber can add memory, storage, and CPUs to the VM or remove them, as needed, and the subscriber can configure many other settings through a remote management interface. Additional resources incur additional fees, but the process of building a new server takes a matter of minutes instead of days or weeks.
they run, as shown earlier in Figure.
Therefore, the provider installs operating system updates on the physical servers, but the subscriber must install any operating system and application updates needed on the virtual machines.
Of all the cloud service models, IaaS places the greatest amount of responsibility on the subscriber, and in many instances, this is how administrators want it. By creating and configuring their own virtual machines, administrators can duplicate the environment of their on-premises servers, creating a hybrid cloudbursting infrastructure that can handle overflow traffic during a busy season.
Organizations with high-traffic websites often use a dedicated web hosting service provider to run their sites. However, building the site using virtual machines furnished by a cloud service provider under the IaaS model can often be a far less expensive proposition.
Subscribers can also use IaaS to create a testing and development environment for applications. Rapid deployment and modification of VMs makes it possible for administrators to create multiple temporary evaluation and testing platforms and take them down just as easily.
IaaS can also provide subscribers with VMs containing massive amounts of virtual hardware resources that would be impractical to implement in on-premises servers. Large data sets and high-performance computing can require huge amounts of memory and processing power to perform the tasks required for applications such as weather patterning, data mining, and financial modeling. The resources of a high-end cloud service provider make it far less expensive to equip VMs with the necessary virtual hardware than to build equivalent physical servers.
run a new application.
Because the platform is accessible through the Internet like all cloud services, an organization with multiple developers working on the same project can provide them all with access to the test environment, even if they are located at different sites.
The PaaS model expands the responsibility of the cloud service provider over the IaaS model by adding the virtual network, operating system, middleware, and runtime layers, as shown in Figure. The greater the responsibility of the provider, the less that of the subscriber. The platform can also include, for an extra fee, additional components specified by the subscriber, such as development tools, middleware, and database management systems. The object of the PaaS model is to eliminate the need for software developers to do anything but actually develop, build, customize, test, and deploy their applications.
Serverless

The fees for PaaS and IaaS virtual machines are typically based on the resources they are configured to use and the time they are running. However, there is another cloud service model for application development, related to PaaS, called serverless computing. In serverless computing (sometimes known as Function as a Service, or FaaS), the cloud provider takes on even more of the server management responsibility by dynamically allocating virtual machine resources in response to application requests or events. Pricing is based on the VM resources as they are actually used.
the time it is running.

SaaS

Software as a Service (SaaS) is the third tier of the cloud service model infrastructure, and in this model, the cloud provider is responsible for nearly all the layers. Only the people and data layers are left to the subscriber, as shown in Figure. This means that the provider is responsible for the applications, as well as all the layers beneath. Office is an example of a SaaS product, as are Microsoft Teams and other Microsoft components. While Office makes it possible to install its productivity applications on a client computer, it is not necessary for the user to do so.
through the cloud.
However, be sure also to understand how these elements fit in with the Microsoft product.
SUMMARY

Cloud computing can provide organizations with many benefits, including economy, scalability, reliability, manageability, and security. There are three basic cloud architectures:
Public: Cloud resources are furnished by a third-party provider on the Internet.
Private: An organization provides its own cloud resources.
Hybrid: The public and private architectures are combined.
There are three cloud service models (IaaS, PaaS, and SaaS), which specify how much of the resource management is the responsibility of the cloud provider and how much is the responsibility of the subscriber.
knowledge of the topics covered in this chapter.
You can find the answer to this thought experiment in the next section.
The incoming traffic is distributed among the servers by a load-balancing switch. Richard, the administrator of the site, regularly monitors the website traffic and, as the holiday season approaches, he sees the traffic level rise almost to the point at which the servers are overwhelmed. There is no budget for the purchase of additional web server computers, and there is also no room for more servers in the data center. Reading about cloud options, Richard thinks that there might be a solution there. How can Richard expand the web server farm to handle the increased traffic for the least expense by using the cloud?
help to handle the busy season web traffic, and when the traffic levels go down, Richard can remove the VMs from the server farm until they are needed again.
Chapter 2.

To do this, these three components actually consist of a variety of front-end and back-end applications and services, as described in the sections of this chapter. However, there are many Microsoft components operating beneath the immediately visible applications, which help to protect the users and their data and provide them with intelligent communication and collaboration services.

Windows 10 Enterprise

Windows 10 is the operating system that enables users to access both the Office productivity applications and the services provided by the other Microsoft components.
plans include the Enterprise edition of Windows.
The Enterprise edition of Windows 10 includes security measures, deployment tools, and manageability functions that go beyond those of Windows 10 Pro, providing administrators of enterprise networks with centralized and automated protection of and control over fleets of workstations. Some of the additional features included in Windows 10 Enterprise are described in the following sections.

Security

All Windows 10 editions include Windows Defender, which protects the operating system from various types of malware attacks. However, compared to Windows 10 Pro, Windows 10 Enterprise includes several enhancements to the Windows Defender software, including the following functions:
Windows Defender Application Guard: This enables enterprise administrators to create lists of trusted Internet sites, cloud resources, and intranet networks.
When a user accesses an untrusted site using Microsoft Edge or Internet Explorer, Windows 10 automatically creates a Hyper-V container and opens the untrusted resource within the protected environment that the container provides.
The result is that if the untrusted resource turns out to be malicious, the attacker is isolated within the container and the host computer remains protected.
are proven otherwise.
WDAC prevents a system from running any applications, plug-ins, add-ins, and other software modules that have not been identified as trusted using a policy created with Microsoft Intune or Group Policy.
ATP also protects the files in key system folders from unauthorized modification or encryption by ransomware and other attacks, applies exploit mitigation techniques to protect against known threats, enhances the network protection provided by Windows Defender SmartScreen, and performs automated real-time investigation and remediation of security breaches.
Updates

Windows 10 performs system updates differently from previous Windows versions, replacing the major service packs released every few years with semi-annual feature updates. The Windows Update process is automated by default for the typical Windows user, but network administrators can still intervene in the process for the purpose of testing update releases before they are generally deployed. Microsoft provides the following tools for the administration of updates:
Windows Update for Business: This is a free cloud-based service that enables administrators to defer, schedule, and pause update deployments to specific workstations.
service to allow the installation of updates on designated test systems only, and then deploy the updates later if no problems arise.
If there are problems with particular updates, administrators can pause their deployments indefinitely.
Windows Server Update Services (WSUS): This is a free, downloadable service that enables administrators to manage system updates internally by downloading releases to a WSUS server as they become available, testing them as needed, and then deploying them to workstations on a specific schedule.
WSUS not only enables administrators to exercise complete control over the update deployment process, it also reduces the Internet bandwidth used by the update process by downloading releases only once and then distributing them using the internal network. Administrators can install multiple WSUS servers and distribute update preferences and release schedules among them, making the system highly scalable.
While administrators can use these tools to manage updates on workstations running any version of Windows, there are additional enhancements for Windows 10 Enterprise workstations, including its manageability with the Desktop Analytics tool.
Upgrade Readiness: Desktop Analytics collects information about Windows, Office, and other applications and drivers and analyzes it to identify any compatibility issues that might interfere with an upgrade.
Update Compliance: Desktop Analytics gathers Windows 10 information about the progress of operating system update deployments, as well as Windows Defender Antivirus signature and result data, Windows Update for Business configuration settings, and Delivery Optimization usage data. After analyzing the information, Desktop Analytics reports any update compliance issues that might need administrative attention.
Device Health: A Desktop Analytics solution that uses the enhanced diagnostic data generated by Windows 10 to identify devices and drivers that are causing regular crashes. The tool also provides potential remediations, such as alternative driver versions or application replacements.
Desktop Analytics is an enhanced version of the tool that integrates with SCCM and provides these same functions for Windows 10 Enterprise workstations.
monthly quality updates, but they do not receive the semi-annual feature updates.
There are LTSC feature updates made available every two to three years, but administrators can choose when or whether to install them. This enables the LTSC system to maintain a consistent feature set throughout its life cycle, so that it remains compliant with its designated function.

Management

Microsoft provides many enhancements to the enterprise management environment that enable administrators to simplify the process of deploying and configuring Windows 10 Enterprise workstations.
Windows Autopilot: This is a cloud-based feature that is designed to simplify and automate the process of deploying Windows 10 workstations on an enterprise network. Instead of having to create and maintain images and drivers for every computer model, Autopilot uses cloud-based settings and policies to reconfigure the OEM-installed operating system into a user-ready workstation, even installing applications and applying a new product key to transform Windows 10 Pro into the Windows 10 Enterprise edition.
Microsoft Application Virtualization (App-V): This enables Windows workstations to access Win32 applications that are actually running on servers instead of local disks. Administrators must install the App-V server components and publish the desired applications.
additional installation is necessary.
The client does have to be activated, however; administrators can activate clients using either Group Policy settings or the Enable-App cmdlet in Windows PowerShell.
Microsoft User Experience Virtualization (UE-V): This is the feature that enables Windows workstations to store user-customized operating system and application settings on a network share and sync them across multiple devices.
Windows 10 Business The Microsoft Business plan does not include the full Windows 10 package because the assumption is that potential deployers already have or will be purchasing computers with a Windows OEM operating system installed. However, Windows 10 is required for the end-user workstations to function with the Microsoft services, so the Microsoft Business plan does include upgrade benefits to Windows 10 Pro for computers that are currently running Windows 7 or Windows 8.
Microsoft Business also includes an enhancement called Windows 10 Business, which enables Windows 10 Pro to function with the cloud-based management and security controls in Microsoft , including Microsoft Autopilot. All of the Microsoft Enterprise and Microsoft Business plans include access to Exchange Online for all of their users. This eliminates the need for organizations to install and maintain their own on-premises Exchange servers. As with Microsoft Azure, Exchange Online uses shared servers in Microsoft data centers to host the mailboxes and other services for multiple subscribers.
The Exchange Online services available include the following: Mailboxes Each user is provided with mail storage, the amount of which is based on the Microsoft plan.
An In-Place Archive provides additional storage for mail. Exchange also supports shared mailboxes for groups of users that share responsibility for incoming mail. IT them with other users to create a unified scheduling and collaboration environment. Shared calendars Users can share their calendars for scheduling, task management, and conference room booking. Exchange Online also provides a global address book, group management, and mailbox delegation.
Exchange Online Protection EOP EOP scans incoming email for spam and malicious code and forwards, deletes, or quarantines potentially dangerous messages based on rules established by administrators.
Unified Messaging UM UM enables administrators to combine email messages with voice mail, so that both message types are stored in a single mailbox for each user. UM provides standard voice mail features, including call answering, and enables users to listen to their messages from the Outlook Inbox or by using Outlook Voice Access from any telephone. Data Loss Prevention DLP DLP enables administrators to create DLP policies that protect sensitive company information by using deep content analysis to filter messaging traffic based on keywords, regular expressions, dictionary terms, and other criteria, and then take specific actions based on the type of information detected.
For example, a DLP policy can identify email messages that contain credit card numbers and either notify the sender, encrypt the messages, or block them outright. More complex policies can identify specific types of company documents and use virtual fingerprinting to identify their source. Microsoft maintains two Exchange Online subscription plans: Plan 1, which is included with Microsoft Business, and Plan 2, which has additional features and is included with Microsoft Enterprise.
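The credit card example above, expressed as a DLP policy built from Security & Compliance PowerShell. This is an added example, not code from the book; it assumes the ExchangeOnlineManagement module is installed and the account holds compliance administrator rights, and the policy and rule names are constructed for illustration. It starts the policy in test mode so matches can be reviewed before the rule begins blocking mail.

```powershell
# Added example (not from the original text): create an Exchange Online DLP policy
# that detects credit card numbers in email, notifies the sender and blocks the
# message. Assumes the ExchangeOnlineManagement module is installed and the account
# has compliance admin rights; the policy and rule names are constructed.

Connect-IPPSSession   # Security & Compliance PowerShell session

$policyName = "Example - Block credit card numbers"   # constructed name

# Start in test mode: matches are reported and users are notified, nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment "Constructed example policy: credit card numbers in email"

# Rule: one or more credit card numbers (built-in sensitive information type),
# notify the sender and block delivery once the policy is switched to Enable.
New-DlpComplianceRule -Name "Example - credit card rule" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -NotifyUser Owner `
    -BlockAccess $true `
    -GenerateIncidentReport SiteAdmin

# Confirm what was stored before enforcing.
Get-DlpComplianceRule -Policy $policyName | Format-List Name, BlockAccess, NotifyUser

# After reviewing the test-mode results, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Running in TestWithNotifications first matters because the built-in credit card detector also matches some legitimate numeric content; the incident reports show how many real messages the rule would have stopped before it is allowed to block them.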
The features included in each plan are listed in Table . Microsoft administrators do not have direct access to the Exchange Online servers, but they can access the Exchange Admin Center from a link in the Microsoft Admin Center to manage Exchange-specific settings using a web-based interface, as shown in Figure . The tasks administrators can perform there include the following:
Configure mail flow options to integrate on-premises mail servers or third-party mail services into the message handling solution
Enable calendar sharing with outside organizations or between users on-premises and in the cloud
Manage hierarchical and offline address books, address lists, and address book policies
Create and manage a public folder hierarchy for document sharing and collaboration
Create and manage client access rules to restrict access to Exchange Online based on client platform, IP address, authentication type, location, and other criteria.
SharePoint Online Microsoft SharePoint is a web-based collaboration tool that was originally introduced in as an on-premises server product. SharePoint Online is the cloud-based equivalent that is included with all Microsoft plans. SharePoint Online is a service that administrators and workers can use to create websites for document management, distribution, and collaboration. At its simplest, SharePoint Online users can create a document library on the web and upload their files to it. The files are then accessible from any device that has access to the site.
As SharePoint Online is part of Office , editing a library document opens it in the appropriate Office application, whether installed on a desktop or part of Office Online.
Users can share their library files with other users with varying degrees of access by assigning permissions to them. A scenario in which an organization or user wants to post documents to a library for many users to access is called a communication site.
For example, a company could use SharePoint Online to create a library of human resources documents for all employees to access. SharePoint includes customization capabilities that enable administrators to design websites with modern graphical components, as shown in Figure . By creating a team site, a designated group of users can work simultaneously on documents that only they can access.
maintains multiple versions of the files in a library, so that users can review the iterations of a document throughout its history. Communication sites and team sites are linked together in SharePoint Online by hub sites, which provide centralized navigation to the subordinate sites and downstream searching. The SharePoint Online service included in Microsoft can host multiple hub, collaboration, and team sites, as shown in Figure . advantage of their security and manageability features.
The documents uploaded to SharePoint Online sites are protected against malicious code by the same antimalware engine used by Exchange, as well as Data Loss Prevention. SharePoint also can control group memberships and document permissions with user identities taken from Active Directory and Azure Active Directory.
An organization can also purchase additional storage, up to a maximum of 25 TB per site collection. An organization can create up to one million site collections.
A SharePoint Online library can have up to 30 million files and folders, although there are limitations when the number goes beyond . Individual files can be up to 15 GB in size, and SharePoint can maintain up to 50, versions of each file.
SharePoint groups can have up to 5, users, and a user can be a member of up to 5, groups. Therefore, SharePoint Online can support enormous installations that service as many as , users. Teams is a client interface that works together with the other Microsoft services to create a unified collaboration environment, as shown in Figure .
FIGURE: The Microsoft Teams desktop interface
The Teams client provides real-time chat and the ability to make and receive calls, but the other tools incorporated into the client are provided by other Microsoft services, as shown in Figure . A channel enables its members to post text and images, as well as information from outside social media services.
Teams messaging is an independent service that does not rely on email or SMS messaging for communication. Teams also supports the transmission of private one-to-one messages between users. Video conferencing is also possible within the Teams client software. Membership and authentication in Microsoft Teams is provided by Office groups, which store their identity information in Azure Active Directory.
Teams can store their documents and other files in the cloud using OneDrive for Business. Team websites, implemented using SharePoint Online, are also accessible through the Teams client.
Group mailboxes and event and meeting scheduling are provided by Exchange Online and accessed via Outlook. To host and preserve meetings on video, Teams can use the Microsoft Stream service.
Teams is highly scalable and can support collaborative environments ranging from small workgroups to large departments to gigantic presentations, webinars, and conferences. For example, multiple vendors are working on H.
Skype for Business Online is being deprecated. Current users must switch to Microsoft Teams when their current Skype for Business Online term expires. In achieving this end, the product incorporates two current technologies that introduce new security and access control issues: the cloud and portable computing devices. For the features highlighted in Microsoft to function as intended, users must be able to access their colleagues and their data from any location, using any device.
For the administrators of Microsoft , the users must be able to do their work securely and reliably, even when they are using devices not supplied by the company. EMS is a cloud-based management and security suite that consists of several components that were at one time separate products. Together, these components supply services to Microsoft in the following primary areas:
Identity and access management
Mobile device and application management
Information management and protection
Cybersecurity and risk management
The components that make up EMS are described in the following sections.
A directory service is a database of objects, including users and computers, that provides authentication and authorization services for network resources.
IT location. Azure AD provides a Microsoft deployment with identity and access management services that extend beyond the on-premises network into the cloud. Azure AD enhances the security of the Microsoft environment by supporting multifactor authentication, which requires users to verify their identities in two or more ways, such as with a password and a biometric factor, such as a fingerprint.
Azure AD can also provide authentication and authorization services for internal resources, such as on-premises applications and services. For organizations with an existing Windows Server-based AD infrastructure, Azure AD can connect to internal domain controllers to create a hybrid directory service solution that shares the advantages of both implementations. Using Intune, even operating systems that are not able to join an Active Directory domain can access protected resources.
Administrators can use Intune to create standards for the configuration of security settings that a device must meet before it can access protected resources. For example, an administrator can require that a device uses a particular type of authentication or specify that only certain applications can access company data. Intune can even ensure that sensitive data is removed from a device when an app shuts down.
This type of control enables Microsoft to maintain the security of its resources without the need for administrators to take complete control over user-owned devices. Azure Information Protection Azure Information Protection AIP is a system that enables users and administrators to apply labels to documents and emails that classify the information they contain.
The labels can be configured to specify how applications treat the information and, optionally, take steps to protect it. AIP can apply labels to specific documents, or it can follow rules created by administrators to identify sensitive data in any document. For example, an administrator can create a rule that identifies data patterns associated with credit card or social security numbers in a Word document as a user is creating it. When the user attempts to save the document, AIP warns the user to apply the label, as shown in Figure . When a user agrees to classify a document as sensitive, the application can apply a watermark or other visual indicator, which will persist in the document wherever it is stored.
Based on the rules created by administrators, documents labeled by AIP can be protected using encryption, identity restrictions, authorization policies, and other methods.
For example, when an email message contains sensitive data, AIP can exercise control over the email client application, preventing users from clicking the Reply All or Forward button. In the same way, AIP can restrict Office documents to nonprinting or read-only status. Microsoft Advanced Threat Analytics Advanced Threat Analytics ATA is an on-premises solution that gathers information from a wide variety of enterprise sources and uses it to anticipate, detect, and react to security threats and attacks.
ATA receives log and event information from Windows systems, and also captures network traffic generated by security-related protocols, such as Kerberos and NTLM. Using this gathered information, ATA builds up profiles of applications, services, and users. By examining the normal behavior of these entities, ATA can detect anomalous behavior when it occurs and ascertain whether that behavior is suspicious, based on known attack patterns.
ATA is one of several Microsoft technologies that use advanced intelligence to anticipate user needs before they occur. In this case, the need is for intervention, whether automated or human, in a potentially dangerous security situation.
Microsoft has started calling these clandestine cloud apps Shadow IT, and they obviously present a security hazard. Cloud App Security is a cloud access security broker CASB product that enables Microsoft administrators to scan their networks for the cloud apps that users are accessing, assess their security vulnerability, and manage them on an ongoing basis. Cloud App Security examines traffic logs and firewall and proxy information to discover the cloud apps in use. After determining whether the apps present a danger to data, identities, or other resources, administrators can then sanction or unsanction specific apps to allow or prevent user access to them.
IT user activity. Each ATP engine is designed to use machine intelligence to prevent, detect, and respond to the security threats unique to its environment. In Azure, the primary vulnerability is the identities stored in Azure Active Directory, so the Azure ATP engine looks for anomalous user behavior and compares it to standardized patterns used by attackers. For example, an organization can use Exchange Online for email and scheduling or install its own servers and run an on-premises version of Exchange.
trade-off situation, there are advantages and disadvantages to both sides. Deployment A cloud-based service is always simpler to deploy than an on-premises server-based product because the service is provided to the subscriber in an installed and operational state.
There is no need to design an infrastructure, obtain hardware, or install server software. An administrator can begin to work with the service immediately after subscribing to it, creating user objects, Exchange mailboxes, or SharePoint sites that are up and running in minutes, instead of days or weeks.
Updates One significant advantage to using the cloud-based version of any of these applications or services is that they are regularly and automatically updated with the latest version of the software. Administrators are relieved of the need to download, evaluate, and deploy updates as they are released. IT products might not receive certain features at all. For an on-premises service installation, a responsible update strategy requires testing and evaluation of new software releases and might require service downtime for the actual update deployments.
Cost Cost is another decisive factor in the deployment of any of these services. Cloud-based services require the payment of a regular subscription fee, and sometimes there are additional fees for add-on features. This enables an organization to implement a service with a minimal initial outlay, as there are no hardware costs or server licenses required. Fees for cloud-based services are predictable and simplify the process of budgeting. Installing the equivalent on-premises service is a more complicated affair.
An organization obviously first must purchase the server software license and the computers on which the software will run, as well as an operating system license and client access licenses for all the users.
This can be a significant initial outlay. Depending on the requirements of the organization, there might be additional costs as well. outlay cost. Backing up data and storing it also adds to the cost. There are also the issues of fault tolerance and disaster recovery to consider.
Most cloud-based services from Microsoft are supplied with a This means that the service will experience no more than 0. What infrastructure Microsoft uses to maintain that consistent performance is of no concern to the subscriber. To duplicate that performance level with on-premises servers will require redundant hardware and possibly even redundant data centers. Not every organization requires this same level of consistent performance, but even a more modest uptime guarantee will increase the expenditure for an on-premises solution.
Finally, there is the issue of the people needed to design, install, and maintain on-premises services. For example, deploying Exchange servers is not a simple matter of just installing the software and creating user accounts. Depending on the size of the organization, multiple servers might be needed at each location, and the design and configuration process can require advanced skills.
These people will be an ongoing expense throughout the life of the service. IT always cheaper than on-premises servers. In the long term, cloud-based services can reach a point where they are more expensive. Cloud service fees are ongoing and perpetual, and while expenditures for on-premises servers might begin with a large initial outlay, they can come down to a much lower level once the servers and the software have been purchased and deployed.
A comparison of the relative costs also depends on the requirements of the organization and its existing infrastructure. For a large enterprise that already maintains data centers in multiple locations with experienced personnel, deploying a new service in-house might be relatively affordable. For a newly formed company with no existing IT infrastructure, the initial outlay for an on-premises service might be unfeasible.
Administration Compared to on-premises server administrators, who can work with server software controls directly, Microsoft administrators work with cloud services using web-based remote interfaces. possible to manage configuration settings and create virtual resources, such as mailboxes and directory service objects.
A: This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. This account remains disabled until Application Guard is enabled on your device.
System requirements for Windows Defender Application Guard: Specifies the prerequisites necessary to install and use Application Guard.
Prepare and install Windows Defender Application Guard: Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.
Testing scenarios using Windows Defender Application Guard: Provides a list of suggested testing scenarios that you can use in your business or organization to test Application Guard.
While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old and newly emerging attacks, to help keep employees productive. Hardware requirements Your environment needs the following hardware to run Windows Defender Application Guard.
For more info about hypervisor, see Hypervisor Specifications. One of the following virtualization extensions for VBS: . Software requirements Your environment needs the following software to run Windows Defender Application Guard. Operating system:
Windows 10 Enterprise edition, version or higher
Windows 10 Professional edition, version or higher
Windows 10 Professional for Workstations edition, version or higher
Windows 10 Professional Education edition, version or higher
Windows 10 Education edition, version or higher
Management system: Microsoft Intune (only for managed devices), or your current company-wide third-party mobile device management (MDM) solution. For info about third-party MDM solutions, see the documentation that came with your product.
In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
Protect and maintain the integrity of the system as it starts up
Validate that system integrity has truly been maintained through local and remote attestation
Maintaining the integrity of the system as it starts Static Root of Trust for Measurement SRTM With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system.
This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. With Windows 10 running on modern hardware (that is, Windows 8-certified or greater), a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. Two techniques exist to establish trust here: either maintain a list of known 'bad' SRTM measurements (also known as a blacklist), or a list of known 'good' SRTM measurements (also known as a whitelist).
Each option has a drawback: A list of known ‘bad’ SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle – a minor change can invalidate the entire chain of trust.
In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy. DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
To defend against this, two techniques are used:
1. Paging protection to prevent inappropriate access to code and data
2. SMM hardware supervision and attestation
Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. This prevents access to any memory that has not been specifically assigned.
A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to.
SMM protection is built on top of the Secure Launch technology and requires it to function. Validating platform integrity after Windows is running (run time) While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies.
We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals.
Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
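Before relying on remote attestation, an administrator usually wants a local check of whether Secure Launch and the SMM protection built on it are actually running. The script below is an added example, not part of the original text; it reads the Win32_DeviceGuard WMI class from an elevated PowerShell on Windows 10. The service codes it decodes (1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch, 4 = SMM Firmware Measurement) and the registry path in the trailing comment are taken from Microsoft's Win32_DeviceGuard and System Guard documentation as I know it; treat them as assumptions to verify against the current docs.

```powershell
# Added example (not from the original text): report which virtualization-based
# security services are running, with emphasis on Secure Launch (DRTM) and SMM
# firmware measurement. Run in an elevated PowerShell on Windows 10.
# Assumption: SecurityServicesRunning codes follow the documented Win32_DeviceGuard
# values (1 = Credential Guard, 2 = HVCI, 3 = Secure Launch, 4 = SMM Firmware Measurement).

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-protected code integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
    0       { 'not enabled' }
    1       { 'enabled but not running' }
    2       { 'running' }
    default { 'unknown' }
}
Write-Host "Virtualization-based security: $vbsState"

$running = @($dg.SecurityServicesRunning)
foreach ($code in ($serviceNames.Keys | Sort-Object)) {
    $state = if ($running -contains $code) { 'RUNNING' } else { 'not running' }
    Write-Host ("{0,-45} {1}" -f $serviceNames[$code], $state)
}

# SMM protection depends on Secure Launch, so report the dependency explicitly.
if ($running -notcontains 3) {
    Write-Warning 'Secure Launch is not running; SMM protection cannot be active either.'
}
elseif ($running -notcontains 4) {
    Write-Warning 'Secure Launch is running but SMM firmware measurement is not.'
}

# To turn Secure Launch on without Group Policy or Intune (documented registry
# setting, reboot required; assumption, verify the path for your Windows version):
# $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'
# New-Item -Path $key -Force | Out-Null
# Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
```

A device that reports VBS as "enabled but not running" is the common failure mode: the policy was applied but a firmware prerequisite (virtualization extensions, IOMMU, TPM 2.0) is missing, so the attestation the management system later requests will show the guarantee was never established.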
Applies to: Windows 10, Windows Server , Windows Server . With thousands of new malicious files created every day, using traditional methods like antivirus solutions (signature-based detection) to fight against malware provides an inadequate defense against new attacks. In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. However, when a user runs a process, that process has the same level of access to data that the user has.
As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run.
Many organizations, like the Australian Signals Directorate, understand this and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware. Windows Defender Application Control WDAC can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel).
Beginning with Windows 10, version , you can use WDAC not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps such as a line-of-business application or a browser.
For more information, see Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules. It is part of Windows Defender Exploit Guard. Exploit protection is supported beginning with Windows 10, version and Windows Server , version . Exploit protection works best with Windows Defender Advanced Threat Protection, which gives you detailed reporting into exploit protection events and blocks as part of the usual alert investigation scenarios.
You can enable exploit protection on an individual machine, and then use Group Policy to distribute the XML file to multiple devices at once. When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information.
You can also enable the rules individually to customize what techniques the feature monitors. You can also use audit mode to evaluate how exploit protection would impact your organization if it were enabled. You can convert an existing EMET configuration file into exploit protection to make the migration easier and keep your existing settings. You should test exploit protection in all target use scenarios by using audit mode before deploying the configuration across a production environment or the rest of your network.
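The configure-one-machine, export-XML, distribute-by-Group-Policy workflow described above, as an added example using the ProcessMitigations cmdlets; this is not code from the documentation. It assumes Windows 10 version 1709 or later, and the process name, file paths and the legacy-app scenario are constructed for the example.

```powershell
# Added example (not from the original text): configure exploit protection on a
# reference machine, export the settings to XML and reuse them elsewhere.
# Assumes Windows 10 1709+ (ProcessMitigations module); the process name and paths
# are constructed for this example.

# 1. System-wide defaults: DEP, SEHOP and the ASLR-related mitigations.
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy

# 2. Per-process override. Constructed scenario: a legacy application that breaks
#    under Control Flow Guard keeps DEP/SEHOP but has CFG switched off for itself only.
Set-ProcessMitigation -Name 'legacyapp.exe' -Enable DEP, SEHOP -Disable CFG

# 3. Review the effective configuration for that process.
Get-ProcessMitigation -Name 'legacyapp.exe'

# 4. Export the complete configuration. The XML is what Group Policy points at under
#    Windows components > Windows Defender Exploit Guard > Exploit protection >
#    "Use a common set of exploit protection settings".
$xml = 'C:\ExploitProtection\settings.xml'   # constructed path
New-Item -ItemType Directory -Path (Split-Path $xml) -Force | Out-Null
Get-ProcessMitigation -RegistryConfigFilePath $xml

# 5. On another machine (or for a quick test without GPO), apply the exported file:
# Set-ProcessMitigation -PolicyFilePath $xml

# Migrating from EMET: convert an existing EMET export instead of rebuilding by hand.
# ConvertTo-ProcessMitigationPolicy -EMETFilePath 'C:\EMET\emet-settings.xml' -OutputFilePath $xml
```

Per-process entries in the XML override the system defaults only for the named executable, so the exported file both records the baseline and documents every exception, which is what a reviewer wants to see before the file is pushed to production.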
Win32K Untrusted Font.
Windows versions. Exploit Guard: All versions of Windows 10 starting . EMET: Windows 8.
Installation requirements. Exploit Guard: Windows Security in Windows 10 (no additional installation required); Windows Defender Exploit Guard is built into Windows, so it doesn't require a separate tool or package for management, configuration, or deployment. EMET: Available only as an additional download and must be installed onto a management device.
User interface. Exploit Guard: Modern interface integrated with the Windows Security app. EMET: Older, complex interface that requires considerable ramp-up training.
Supportability. Exploit Guard: Dedicated submission-based support channel[1]; part of the Windows 10 support lifecycle. EMET: Ends after July 31, .
Updates. Exploit Guard: Ongoing updates and development of new features, released twice yearly as part of the Windows 10 semi-annual update channel. EMET: No planned updates or development.
Attack surface reduction[2]. Exploit Guard: Helps block known infection vectors; can configure individual rules. EMET: Limited ruleset configuration only for modules (no processes).
Network protection[2]. Exploit Guard: Helps block malicious network connections. EMET: Not available.
Controlled folder access[2]. Exploit Guard: Helps protect important folders; configurable for apps and folders. EMET: Not available.
Microsoft Intune. Exploit Guard: Use Intune to customize, deploy, and manage configurations. EMET: Not available.
See Windows Defender Exploit Guard requirements for more details. Customizable mitigation options that are configured with exploit protection do not require Windows Defender Antivirus.
The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.
Block remote images: available in exploit protection as "Load Library Check".
Certificate trust (configurable certificate pinning): Windows 10 provides enterprise certificate pinning.
Heap spray allocation: ineffective against newer browser-based exploits; newer mitigations provide better protection.
See Mitigate threats by using Windows 10 security features for more information.
See Mitigate threats by using Windows 10 security features for more information on how Windows 10 employs existing EMET technology. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(S) traffic that attempts to connect to low-reputation sources based on the domain or hostname. Network protection is supported beginning with Windows 10, version . Network protection works best with Windows Defender Advanced Threat Protection, which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual alert investigation scenarios.
When network protection blocks a connection, a notification will be displayed from the Action Center. You can also use audit mode to evaluate how Network protection would impact your organization if it were enabled.
Requirements: Windows 10 version or later; Windows Defender AV real-time protection and cloud-delivered protection must be enabled. If you're using audit mode, you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. Copy the XML directly. Click OK. This will create a custom view that filters to only show the following events related to network protection:
Evaluate network protection Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created. Controlled folder access is supported on Windows Server as well as Windows 10 clients. Controlled folder access works best with Windows Defender Advanced Threat Protection, which gives you detailed reporting into controlled folder access events and blocks as part of the usual alert investigation scenarios.
All apps any executable file, including. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. This is especially useful in helping to protect your documents and information from ransomware that can attempt to encrypt your files and hold them hostage. A notification will appear on the computer where the app attempted to make changes to a protected folder.
The protected folders include common system folders, and you can add additional folders. You can also allow (whitelist) apps to give them access to the protected folders. You can use audit mode to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at demo. Controlled folder access is supported on Windows 10, version and later, and Windows Server.
Requirements: Controlled folder access requires enabling Windows Defender Antivirus real-time protection.
If you're using audit mode, you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
1. Download the Exploit Guard Evaluation Package and extract the file cfa-events.
2. On the left panel, under Actions, click Import custom view.
3. Navigate to where you extracted cfa-events. Alternatively, copy the XML directly.
This will create a custom view that filters to only show the following events related to controlled folder access:
Evaluate controlled folder access Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
Customize controlled folder access: Add additional protected folders, and allow specified apps to access protected folders.
You can set attack surface reduction rules for computers running Windows 10, version or later, Windows Server or later, or Windows Server. To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher.
A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in Windows Defender Advanced Threat Protection, as well as reporting and configuration capabilities in the M Security Center.
These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
Executable files and scripts used in Office apps or web mail that attempt to download or run files
Obfuscated or otherwise suspicious scripts
Behaviors that apps don't usually initiate during normal day-to-day work
You can use audit mode to evaluate how attack surface reduction rules would impact your organization if they were enabled.
It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware.
By monitoring audit data and adding exclusions for necessary applications, you can deploy attack surface reduction rules without impacting productivity. Triggered rules display a notification on the device. The notification also displays in the Windows Defender Security Center and in the Microsoft security center. For information about configuring attack surface reduction rules, see Enable attack surface reduction rules.
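The audit-mode rollout described above for network protection, controlled folder access and attack surface reduction rules can be driven from the Defender PowerShell cmdlets; the script below is an added example, not code from the page or from Microsoft's documentation. The ASR rule GUID and the line-of-business application path are placeholders (the page shows the GUIDs truncated), and the audit event IDs used are those of the Windows Defender Operational log, which you should confirm against your own build.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page: stage the three Exploit Guard features
# discussed above in audit mode and review what they would have blocked.
# Assumes Windows 10 with Windows Defender AV real-time protection enabled.

# ASR rule GUID(s) to stage. The page shows the GUIDs truncated, so this is a
# placeholder; substitute the full GUID of the rule you want to audit.
$AsrRuleIds = @('00000000-0000-0000-0000-000000000000')

# Hypothetical line-of-business app that legitimately writes to protected folders.
$LobApp = 'C:\Program Files\Contoso\LobApp.exe'

function Enable-ExploitGuardAuditMode {
    # Each setting accepts Disabled, Enabled or AuditMode; AuditMode logs without blocking.
    Set-MpPreference -EnableNetworkProtection AuditMode
    Set-MpPreference -EnableControlledFolderAccess AuditMode

    # Rule IDs and actions are parallel arrays: one action per rule ID.
    foreach ($id in $AsrRuleIds) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Add-LobExclusions {
    # Allow the app into protected folders and exclude it from ASR rules only,
    # leaving normal AV scanning of the file untouched.
    if (Test-Path -LiteralPath $LobApp) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $LobApp
        Add-MpPreference -AttackSurfaceReductionOnlyExclusions $LobApp
    }
}

function Get-ExploitGuardState {
    $p = Get-MpPreference
    # Values map as 0 = Disabled, 1 = Enabled, 2 = AuditMode.
    [pscustomobject]@{
        NetworkProtection      = $p.EnableNetworkProtection
        ControlledFolderAccess = $p.EnableControlledFolderAccess
        AsrRuleIds             = $p.AttackSurfaceReductionRules_Ids
        AsrRuleActions         = $p.AttackSurfaceReductionRules_Actions
    }
}

function Get-ExploitGuardAuditEvents {
    param([int]$Days = 7)
    # Audit-mode events in the Windows Defender Operational channel (verify on your build):
    # 1122 = ASR rule audited, 1124 = controlled folder access audited,
    # 1125 = network protection audited.
    $names = @{ 1122 = 'ASR'; 1124 = 'ControlledFolderAccess'; 1125 = 'NetworkProtection' }
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($names.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Feature = $names[[int]$_.Id]
                Message = ($_.Message -split '\r?\n')[0]
            }
        }
}

Enable-ExploitGuardAuditMode
Add-LobExclusions
Get-ExploitGuardState
# Count audit hits per feature: anything listed here would have been blocked in Enabled mode.
Get-ExploitGuardAuditEvents -Days 7 |
    Group-Object Feature |
    Select-Object Name, Count
```

Review the per-feature counts and the first line of each message over a representative week before switching any setting from AuditMode to Enabled; the applications that appear there are the ones that need exclusions first.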
Review attack surface reduction events in Windows Event Viewer
You can review the Windows event log to view events that are created when attack surface reduction rules fire:
1. Click Import custom view.
2. Select the file cfa-events.
Attack surface reduction rules
The following sections describe each of the 15 attack surface reduction rules.
| Rule name | GUID | Supported |
|---|---|---|
| Block executable files from running unless they meet a prevalence, age, or trusted list criterion | cda-b99e-2ecdc07bfc25 | Supported |
| Use advanced protection against ransomware | c1db55ab-c21abb3f-ad | Supported |
| Block credential stealing from the Windows local security authority subsystem lsass. | 9e6c4e1f-7df-ba1a-a39efe4b2 | Supported |
| Block Office communication application from creating child processes | ebeb1d0a1ce | Supported |
| Block Adobe Reader from creating child processes | baeb-4a4f-a9a1-f0f9aa2c | Supported |
Each rule description indicates which apps or file types the rule applies to.
Except where specified, attack surface reduction rules don’t apply to any other Office apps. Block executable content from email client and webmail This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook. This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload.
Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings. This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection. This rule applies to Word, Excel, and PowerPoint. Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines.
This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're allowed to run. This rule detects suspicious properties within an obfuscated script. Most organizations don't use this functionality, but might still rely on using other macro capabilities.
NOTE: You must enable cloud-delivered protection to use this rule. It uses cloud-delivered protection to update its trusted list regularly. You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: cda-b99e-2ecdc07bfc25
Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
Intune name: Advanced ransomware protection
SCCM name: Use advanced protection against ransomware
GUID: c1db55ab-c21abb3f-ad35
Block credential stealing from the Windows local security authority subsystem lsass.
However, some organizations can’t enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority LSA.
NOTE: In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. By itself, this event log entry doesn't necessarily indicate a malicious threat.
Blocked file types include: Executable files such as.
It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against Outlook rules and forms exploits that attackers can use when a user’s credentials are compromised.
Intune name: Process creation from Office communication products (beta)
SCCM name: Not yet available
GUID: ebeb1d0a1ce
Block Adobe Reader from creating child processes
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
Feature description
Windows Defender Firewall with Advanced Security is an important part of a layered security model.
By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected.
Practical applications
To help address your organizational network security challenges, Windows Defender Firewall offers the following benefits:
Reduces the risk of network security threats. Windows Defender Firewall reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
Safeguards sensitive data and intellectual property. With its integration with IPsec, Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
Extends the value of existing investments. Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
Windows Defender Antivirus includes: Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus.
What's new in Windows 10, version
The block at first sight feature can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. It includes controlled folder access settings and ransomware recovery settings. For more information, see: Minimum hardware requirements; Hardware component guidelines. Functionality, configuration, and management are largely the same when using Windows Defender AV on Windows Server; however, there are some differences.
Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an incident. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats. Inspired by the “assume breach” mindset, Windows Defender ATP continuously collects behavioral cyber telemetry.
This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others.
The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors. The response capabilities give you the power to promptly remediate threats by acting on the affected entities.
Security operations dashboard: Explore a high-level overview of detections, highlighting where response actions are needed.
Incidents queue: View and organize the incidents queue, and manage and investigate alerts.
Alerts queue: View and organize the machine alerts queue, and manage and investigate alerts.
Machines list: Investigate machines with generated alerts and search for specific events over time.
Take response actions: Learn about the available response actions and apply them to machines and files.
The Security operations dashboard is where the endpoint detection and response capabilities are surfaced. It provides a high-level overview of where detections were seen and highlights where response actions are needed. From the Security operations dashboard you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators. It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview.
Active alerts
You can view the overall number of active alerts from the last 30 days in your network from the tile. Alerts are grouped into New and In progress. Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (New or In progress). For more information, see Alerts overview.
Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view.
Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). Click the name of the machine to see details about that machine. You can also click Machines list at the top of the tile to go directly to the Machines list, sorted by the number of active alerts.
It reports how many machines require attention and helps you identify problematic machines. There are two status indicators that provide information on the number of machines that are not reporting properly to the service:
Misconfigured: These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected.
Inactive: Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month.
For more information, see Check sensor state and Investigate machines.
Service health
The Service health tile informs you if the service is active or if there are issues.
Daily machines reporting
The Daily machines reporting tile shows a bar graph that represents the number of machines reporting daily in the last 30 days.
Hover over individual bars on the graph to see the exact number of machines reporting in each day. Active automated investigations You can view the overall number of automated investigations from the last 30 days in your network from the Active automated investigations tile. Investigations are grouped into Pending action, Waiting for machine, and Running. Automated investigations statistics This tile shows statistics related to automated investigations in the last 30 days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigation to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation.
You can click on Automated investigations, Remediated investigations, and Alerts investigated to navigate to the Investigations page, filtered by the appropriate category.
This lets you see a detailed breakdown of investigations in context. Users at risk The tile shows you a list of user accounts with the most active alerts and the number of alerts seen on high, medium, or low alerts. Click the user account to see details about the user account. For more information see Investigate a user account. Suspicious activities This tile shows audit events based on detections from various security components.
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
View and organize the Incidents queue: See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
Manage incidents: Learn how to manage incidents by assigning them, updating their status, or setting their classification and other actions.
Investigate incidents: See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident.
The Incidents queue helps you sort through incidents to prioritize and create an informed cybersecurity response decision. By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
There are several options you can choose from to customize the Incidents queue view. On the top navigation you can:
Customize columns to add or remove columns
Modify the number of items to view per page
Select the items to show per page
Batch-select the incidents to assign
Navigate between pages
Apply filters
Sort and filter the incidents queue
You can apply the following filters to limit the list of incidents and get a more focused view.
Severity
| Incident severity | Color | Description |
|---|---|---|
| High | Red | These incidents indicate a high risk due to the severity of damage they can inflict on machines. |
| Medium | Orange | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages. |
| Low | Yellow | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization. |
| Informational | Grey | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of. |
Category: Incidents are categorized based on the description of the stage of the cybersecurity kill chain they are in. This view helps the threat analyst determine priority, urgency, and the corresponding response strategy to deploy based on context.
Alerts: Indicates the number of alerts associated with or part of the incidents.
Machines: You can limit the view to show only the machines at risk which are associated with incidents.
Users: You can limit the view to show only the users of the machines at risk which are associated with incidents.
Assigned to: You can choose to show between unassigned incidents or those which are assigned to you.
Status: You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved.
Classification: Use this filter to choose between focusing on incidents flagged as true or false incidents.
You can manage incidents by selecting an incident from the Incidents queue or the Incidents management pane. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress. Selecting an incident from the Incidents queue brings up the Incident management pane where you can open the incident page for details.
Assign incidents
If an incident has not been assigned yet, you can select Assign to me to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
Change the incident status
You can categorize incidents as Active or Resolved by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents. For example, your SOC analyst can review the urgent Active incidents for the day and decide to assign them to themselves for investigation. Alternatively, your SOC analyst might set the incident as Resolved if the incident has been remediated.
Classify the incident
You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
Rename incident
By default, incidents are assigned numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification.
Add comments and view the history of an incident
You can add comments and view historical events about an incident to see previous changes made to it.
Whenever a change or comment is made to an alert, it is recorded in the Comments and history section. Added comments instantly appear on the pane.
Analyze incident details
Click an incident to see the Incident pane. Select Open incident page to see the incident details and related information (alerts, machines, investigations, evidence, graph).
Alerts
You can investigate the alerts and see how they were linked together in an incident. For more information, see Investigate alerts.
Machines
You can also investigate the machines that are part of, or related to, a given incident. For more information, see Investigate machines.
Going through the evidence
Windows Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with auto-response and information about the important files, processes, services, and more. This helps quickly detect and block potential threats in the incident. Each of the analyzed entities will be marked as infected, remediated, or suspicious.
Visualizing associated cybersecurity threats
Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph.
Incident graph
The Graph tells the story of the cybersecurity attack. For example, it shows you what the entry point was, and which indicator of compromise or activity was observed on which machine.
The Alerts queue shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first. There are several options you can choose from to customize the alerts queue view.
On the top navigation you can:
Select grouped view or list view
Customize columns to add or remove columns
Select the items to show per page
Navigate between pages
Apply filters
Sort, filter, and group the alerts queue
You can apply the following filters to limit the list of alerts and get a more focused view of the alerts.
Severity
High (Red): These alerts indicate a high risk due to the severity of damage they can inflict on machines.
Informational (Grey): Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected. The Windows Defender ATP alert severity represents the severity of the detected behavior: the actual risk to the machine but, more importantly, the potential risk to the organization. So, for example:
The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
An alert about commercial malware that was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless of whether it was eventually blocked, may be ranked as "Medium" or "High".
Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
Status: You can choose to limit the list of alerts based on their status.
Investigation state: Corresponds to the automated investigation state.
Assigned to: You can choose between showing alerts that are assigned to you or automation.
Detection source: Select the source that triggered the alert detection. Microsoft Threat Experts (preview) participants can now filter and see detections from the new threat experts managed hunting service.
OS platform: Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
Associated threat: Use this filter to focus on alerts that are related to high-profile threats. You can see the full list of high-profile threats in Threat analytics.
Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts.
A summary of new alerts is displayed in the Security operations dashboard, and you can access all alerts in the Alerts queue. You can manage alerts by selecting an alert in the Alerts queue or the Alerts related to this machine section of the machine details view. Selecting an alert in either of those places brings up the Alert management pane.
Link to another incident
You can create a new incident from the alert or link to an existing incident.
Assign alerts
If an alert is not yet assigned, you can select Assign to me to assign the alert to yourself.
Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security Center. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous, such as known tools or processes in your organization. Suppression rules can be created from an existing alert. They can be disabled and re-enabled if needed. When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created. There are two contexts for a suppression rule that you can choose from:
Suppress alert on this machine
Suppress alert in my organization
The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal.
You can use the examples in the following table to help you choose the context for a suppression rule:
| Context | Description | Example |
|---|---|---|
| Suppress alert on this machine | Alerts with the same alert title and on that specific machine only will be suppressed. | A security researcher is investigating a malicious script. A developer regularly creates PowerShell scripts for their team. |
| Suppress alert in my organization | Alerts with the same alert title on any machine will be suppressed. | A benign administrative tool is |
Suppress an alert and create a new suppression rule
Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions.
1. Select the alert you'd like to suppress. This brings up the Alert management pane.
2. Select Create a suppression rule. You can create a suppression rule based on the following attributes: File hash; File name (wild card supported); File path (wild card supported); IP; URL (wild card supported).
3. Select the Triggering IOC.
4. Specify the action and scope on the alert. You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on a specific machine group.
5. Enter a rule name and a comment.
6. Click Save.
View the list of suppression rules
The list of suppression rules shows all the rules that users in your organization have created. For more information on managing suppression rules, see Manage suppression rules.
Change the status of an alert
You can categorize alerts as New, In Progress, or Resolved by changing their status as your investigation progresses.
This helps you organize and manage how your team can respond to alerts. For example, a team leader can review all New alerts and decide to assign them to the In Progress queue for further analysis. Alternatively, the team leader might assign the alert to the Resolved queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
Alert classification
You can choose not to set a classification, or specify whether an alert is a true alert or a false alert. This classification is used to monitor alert quality and make alerts more accurate. The "determination" field defines additional fidelity for a "true positive" classification.
Add comments and view the history of an alert
You can add comments and view historical events about an alert to see previous changes made to the alert.
Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. Click an alert to see the alert details view and the various tiles that provide information about the alert. You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them.
You’ll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see Automated investigations. The alert context tile shows the where, who, and when context of the alert.
As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You’ll also see a description and a set of recommended actions which you can expand. For more information about managing alerts, see Manage alerts.
The alert details page also shows the alert process tree, an incident graph, and an artifact timeline.
You can click on the machine link from the alert view to navigate to the machine. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the Machine timeline. Alerts attributed to an adversary or actor display a colored tile with the actor’s name.
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs), and areas where they've been observed worldwide.
You will also see a set of recommended actions to take. Some actor profiles include a link to download a more comprehensive threat intelligence report. The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take.
In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
Alert process tree
The Alert process tree takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page. The Alert process tree expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation. Clicking the circle immediately to the left of the indicator displays its details. The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page, while remaining on the alert page, so you never leave the current context of your investigation.
Incident graph
The Incident Graph provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other machines. It provides a graphical mapping from the original machine and evidence expanding to show other machines in the organization where the triggering evidence was also observed.
You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed.
Artifact timeline
The Artifact timeline feature provides an additional view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine.
This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier – without triggering an alert.
Selecting an alert detail brings up the Details pane where you’ll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
You can investigate files by using the search feature, clicking on a link from the Alert process tree, Incident graph, Artifact timeline, or from an event listed in the Machine timeline.
You can get information from the following sections in the file view:
File details
Malware detection
Prevalence worldwide
Deep analysis
Alerts related to this file
File in organization
Most recent observed machines with file
File worldwide and Deep analysis
The file details, malware detection, and prevalence worldwide sections display various attributes about the file.
For more information on how to take action on a file, see Take response action on a file. You’ll also be able to submit a file for deep analysis.
Alerts related to this file
The Alerts related to this file section provides a list of alerts that are associated with the file. This list is a simplified version of the Alerts queue, and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert’s severity, the alert’s status in the queue, and who is addressing the alert.
File in organization
The File in organization section provides details on the prevalence of the file, prevalence in email inboxes, and the name observed in the organization.
Most recent observed machines with the file
The Most recent observed machines with the file section allows you to specify a date range to see which machines have been observed with the file.
This allows for greater accuracy in defining entities to display, such as if and when an entity was observed in the organization.
Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach. You can click on affected machines whenever you see them in the portal to open a detailed report about that machine.
Affected machines are identified in the following areas:
The Machines list
The Alerts queue
The Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or domain details view
When you investigate a specific machine, you’ll see:
Machine details, Logged on users, Machine risk, and Machine Reporting
Alerts related to this machine
Machine timeline
The machine details, logged on users, machine risk, and machine reporting sections display various attributes about the machine.
Machine details
The machine details tile provides information such as the domain and OS of the machine. If there’s an investigation package available on the machine, you’ll see a link that allows you to download the package.
For more information on how to take action on a machine, see Take response action on a machine.
Logged on users
Clicking on the logged on users in the Logged on users tile opens the Users Details pane that displays the following information for logged on users in the past 30 days:
Interactive and remote interactive logins
Network, batch, and system logins
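As an added example (not part of the Windows Defender ATP documentation), the following PowerShell rebuilds the same 30-day logon summary locally from the Security event log, grouping event 4624 logon types into the two buckets the tile uses. It assumes an elevated prompt on the machine being examined; the logon type codes are the standard Windows values.

```powershell
# Added example, not from the Windows Defender ATP documentation: summarise who logged on to
# the local machine in the past 30 days, from Security event 4624, grouped the way the
# Logged on users tile groups them. Reading the Security log requires an elevated prompt.
$Since = (Get-Date).AddDays(-30)

# Standard Windows LogonType codes and the tile bucket each one falls into.
$TypeNames = @{ 2 = 'Interactive'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive';
                3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 0 = 'System' }
$InteractiveTypes = 2, 10, 11

# SilentlyContinue: Get-WinEvent reports "no events found" as an error; an empty result is fine here.
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$Logons = foreach ($e in $Events) {
    # Pull the named EventData fields out of the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $type = [int]$data['LogonType']
    $user = $data['TargetUserName']
    # Skip computer accounts and the null/anonymous session; the tile lists user accounts only.
    if (($user -like '*$') -or ($user -in 'ANONYMOUS LOGON', '-')) { continue }
    $bucket = if ($type -in $InteractiveTypes) { 'Interactive and remote interactive' } else { 'Network, batch, and system' }
    [pscustomobject]@{
        Account   = "$($data['TargetDomainName'])\$user"
        LogonType = if ($TypeNames.ContainsKey($type)) { $TypeNames[$type] } else { "Type$type" }
        Bucket    = $bucket
        Time      = $e.TimeCreated
    }
}

# One row per account: bucket(s), logon types seen, logon count, and first/last logon time.
$Logons | Group-Object Account | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object)
    [pscustomobject]@{
        Account    = $_.Name
        Bucket     = ($_.Group.Bucket | Sort-Object -Unique) -join '; '
        LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ', '
        Logons     = $_.Count
        FirstLogon = $times[0]
        LastLogon  = $times[-1]
    }
} | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```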
You’ll also see details such as logon types for each user account, the user group, and when the account logon occurred. For more information, see Investigate user entities.
Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine’s risk level can be determined using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and their severity levels. You can influence a machine’s risk level by resolving associated alerts manually or automatically and also by suppressing an alert.
It also indicates the active threats that machines could be exposed to.
Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page, where more information about the alerts is provided. For more information on how to enable advanced features, see Turn on advanced features.
It also shows when the machine was first and last seen reporting to the service.
Alerts related to this machine
The Alerts related to this machine section provides a list of alerts that are associated with the machine.
This list is a filtered version of the Alerts queue, and shows the date when the alert’s last activity was detected, a short description of the alert, the user account associated with the alert, the alert’s severity, the alert’s status in the queue, and who is addressing the alert. You can also choose to highlight an alert from the Alerts related to this machine or from the Machine timeline section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting Select and mark events.
This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by Detections, Behaviors, or Verbose.
Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been observed on the machine. This feature also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period.
Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and displays the process tree flow in the Machine timeline. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
This can be useful when identifying a suspicious process and its state.