Appendix M: Document Links and Recommended Reading

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The following table contains a list of links to external documents and their URLs so that readers of hard copies of this document can access this information. The links are listed in the order they appear in the document.

Links URLs
10 Immutable Laws of Security Administration https://technet.microsoft.com/library/cc722488.aspx
Microsoft Security Compliance Manager https://technet.microsoft.com/library/cc677002.aspx
Gartner Symposium ITXPO http://www.gartner.com/technology/symposium/orlando/
2012 Data Breach Investigations Report (DBIR) http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Ten Immutable Laws of Security (Version 2.0) https://technet.microsoft.com/security/hh278941.aspx
Using Heuristic Scanning https://technet.microsoft.com/library/bb418939.aspx
Drive-by download https://www.microsoft.com/security/sir/glossary/drive-by-download-sites.aspx
Microsoft Support article 2526083 https://support.microsoft.com/kb/2526083
Microsoft Support article 814777 https://support.microsoft.com/kb/814777
Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page
Microsoft Security Development Lifecycle https://www.microsoft.com/security/sdl/default.aspx
Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques_English.pdf
Determined Adversaries and Targeted Attacks https://www.microsoft.com/download/details.aspx?id=34793
Solution for management of built-in Administrator account's password via GPO https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789
Microsoft Support article 817433 https://support.microsoft.com/?id=817433
Microsoft Support article 973840 https://support.microsoft.com/kb/973840
Administrator account is disabled by default https://technet.microsoft.com/library/cc753450.aspx
The Administrator Accounts Security Planning Guide https://technet.microsoft.com/library/cc162797.aspx
Microsoft Windows Security Resource Kit https://www.microsoft.com/learning/en/us/book.aspx?ID=6815&locale=en-us
Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide https://technet.microsoft.com/library/dd378897(WS.10).aspx
Windows Server Update Services https://technet.microsoft.com/windowsserver/bb332157
Personal Virtual Desktops https://technet.microsoft.com/library/dd759174.aspx
Read-Only Domain Controller Planning and Deployment Guide https://technet.microsoft.com/library/cc771744(WS.10).aspx
Running Domain Controllers in Hyper-V https://technet.microsoft.com/library/dd363553(v=ws.10).aspx
Hyper-V Security Guide https://www.microsoft.com/download/details.aspx?id=16650
Ask the Directory Services Team http://blogs.technet.com/b/askds/archive/2011/09/12/managing-rid-pool-depletion.aspx
How to configure a firewall for domains and trusts https://support.microsoft.com/kb/179442
2009 Verizon Data Breach Report http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
2012 Verizon Data Breach report http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Introducing Auditing Changes in Windows 2008 http://blogs.technet.com/b/askds/archive/2007/10/19/introducing-auditing-changes-in-windows-2008.aspx
Cool Auditing Tricks in Vista and 2008 http://blogs.technet.com/b/askds/archive/2007/11/16/cool-auditing-tricks-in-vista-and-2008.aspx
Global Object Access Auditing is Magic http://blogs.technet.com/b/askds/archive/2011/03/10/global-object-access-auditing-is-magic.aspx
One-Stop Shop for Auditing in Windows Server 2008 and Windows Vista http://blogs.technet.com/b/askds/archive/2008/03/27/one-stop-shop-for-auditing-in-windows-server-2008-and-windows-vista.aspx
AD DS Auditing Step-by-Step Guide https://technet.microsoft.com/library/a9c25483-89e2-4202-881c-ea8e02b4b2a5.aspx
Getting the Effective Audit Policy in Windows 7 and 2008 R2 http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Sample script http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Audit Option Type http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Advanced Security Auditing in Windows 7 and Windows Server 2008 R2 https://social.technet.microsoft.com/wiki/contents/articles/advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx
Auditing and Compliance in Windows Server 2008 https://technet.microsoft.com/magazine/2008.03.auditing.aspx
How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 Server domain https://support.microsoft.com/kb/921469
Advanced Security Audit Policy Step-by-Step Guide https://technet.microsoft.com/library/dd408940(WS.10).aspx
Threats and Countermeasures Guide https://technet.microsoft.com/library/hh125921(v=ws.10).aspx
MaxTokenSize and Kerberos Token Bloat http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx
Authentication Mechanism Assurance https://technet.microsoft.com/library/dd391847(v=WS.10).aspx
Microsoft Data Classification Toolkit https://technet.microsoft.com/library/hh204743.aspx
Dynamic Access Control http://blogs.technet.com/b/windowsserver/archive/2012/05/22/introduction-to-windows-server-2012-dynamic-access-control.aspx
Absolute Software http://www.absolute.com/en/landing/Google/absolute-software-google/computrace-and-absolute-manage?gclid=CPPh5P6v3rMCFQtxQgodFEQAnA
Absolute Manage http://www.absolute.com/landing/Google/absolute-manage-google/it-asset-management-software
Absolute Manage MDM http://www.absolute.com/landing/Google/MDM-google/mobile-device-management
SolarWinds http://www.solarwinds.com/eminentware-products.aspx
EminentWare WSUS Extension Pack http://solarwinds-marketing.s3.amazonaws.com/solarwinds/Datasheets/EminentWare-WSUS-Extension-Pack-005-Datasheet2.pdf
EminentWare System Center Configuration Manager Extension Pack http://solarwinds-marketing.s3.amazonaws.com/solarwinds/Datasheets/EminentWare-Extension-Pack-for-CM-Datasheet-006-Revised.pdf
GFI Software http://www.gfi.com/?adv=952&loc=58&gclid=CLq9y5603rMCFal7QgodMFkAyA
GFI LanGuard http://www.gfi.com/network-security-vulnerability-scanner/?adv=952&loc=60&gclid=CP2t-7i03rMCFQuCQgodNkAA7g
Secunia http://secunia.com/
Secunia Corporate Software Inspector (CSI) http://secunia.com/products/corporate/csi/
Vulnerability Intelligence Manager http://secunia.com/vulnerability_intelligence/
eEye Digital Security http://www.wideeyesecurity.com/?gclid=CK6b0sm13rMCFad_QgodhScAiw
Retina CS Management http://www.wideeyesecurity.com/products.asp
Lumension http://www.lumension.com/?rpLeadSourceId=5009&gclid=CKuai_e13rMCFal7QgodMFkAyA
Lumension Vulnerability Management http://www.lumension.com/Solutions/Vulnerability-Management.aspx
Threats and Countermeasures Guide: User Rights https://technet.microsoft.com/library/hh125917(v=ws.10).aspx
Threats and Vulnerabilities Mitigation https://technet.microsoft.com/library/cc755181(v=ws.10).aspx
User Rights https://technet.microsoft.com/library/dd349804(v=WS.10).aspx
Access Credential Manager as a trusted caller https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_2
Access this computer from the network https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_1
Act as part of the operating system https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_3
Add workstations to domain https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_4
Adjust memory quotas for a process https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_5
Allow log on locally https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_6
Allow log on through Terminal Services https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_7
Back up files and directories https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_8
Bypass traverse checking https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_9
Change the system time https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_10
Change the time zone https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_11
Create a pagefile https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_12
Create a token object https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_13
Create global objects https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_14
Create permanent shared objects https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_15
Create symbolic links https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_16
Debug programs https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_17
Deny access to this computer from the network https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_18
Deny log on as a batch job https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_18a
Deny log on as a service https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_19
Deny log on locally https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_20
Deny log on through Terminal Services https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_21
Enable computer and user accounts to be trusted for delegation https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_22
Force shutdown from a remote system https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_23
Generate security audits https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_24
Impersonate a client after authentication https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_25
Increase a process working set https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_26
Increase scheduling priority https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_27
Load and unload device drivers https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_28
Lock pages in memory https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_29
Log on as a batch job https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_30
Log on as a service https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_31
Manage auditing and security log https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_32
Modify an object label https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_33
Modify firmware environment values https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_34
Perform volume maintenance tasks https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_35
Profile single process https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_36
Profile system performance https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_37
Remove computer from docking station https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_38
Replace a process level token https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_39
Restore files and directories https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_40
Shut down the system https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_41
Synchronize directory service data https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_42
Take ownership of files or other objects https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_43
Access Control https://msdn.microsoft.com/library/aa374860(v=VS.85).aspx
Microsoft Support article 251343 https://support.microsoft.com/kb/251343
rootDSE Modify Operations https://msdn.microsoft.com/library/cc223297.aspx
AD DS Backup and Recovery Step-by-Step Guide https://technet.microsoft.com/library/cc771290(v=ws.10).aspx
Windows Configurations for Kerberos Supported Encryption Type http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx
UAC Processes and Interactions https://technet.microsoft.com/library/dd835561(v=WS.10).aspx#1
EmpowerID http://www.empowerid.com/products/authorizationservices
Role-based access control (RBAC) http://pic.dhe.ibm.com/infocenter/aix/v7r1/index.jsp?topic=%2Fcom.ibm.aix.security%2Fdoc%2Fsecurity%2Fdomain_rbac.htm
The RBAC model http://docs.oracle.com/cd/E19082-01/819-3321/6n5i4b7ap/index.html
Active Directory-centric access control http://www.centrify.com/solutions/it-security-access-control.asp
Cyber-Ark's Privileged Identity Management (PIM) Suite http://www.cyber-ark.com/digital-vault-products/pim-suite/index.asp
Quest One http://www.quest.com/landing/?id=7370&gclid=CJnNgNyr3rMCFYp_QgodXFwA3w
Enterprise Random Password Manager (ERPM) http://www.liebsoft.com/Random_Password_Manager/
NetIQ Privileged User Manager https://www.netiq.com/products/privileged-user-manager/
CA IdentityMinder™ http://awards.scmagazine.com/ca-technologies-ca-identity-manager
Description of security events in Windows Vista and in Windows Server 2008 https://support.microsoft.com/kb/947226
Description of security events in Windows 7 and in Windows Server 2008 R2 https://support.microsoft.com/kb/977519
Security Audit Events for Windows 7 https://www.microsoft.com/download/details.aspx?id=21561
Windows Server 2008 R2 and Windows 8 and Windows Server 2012 Security Event Details https://www.microsoft.com/download/details.aspx?id=35753
Georgia Tech's Emerging Cyber Threats for 2013 report http://www.gtsecuritysummit.com/report.html
Microsoft Security Intelligence Report https://www.microsoft.com/security/sir/default.aspx
Australian Government Defense Signals Directory Top 35 Mitigation Strategies http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
Cloud Computing Security Benefits https://www.microsoft.com/news/Press/2012/May12/05-14SMBSecuritySurveyPR.aspx
Applying the Principle of Least Privilege to User Accounts on Windows https://www.microsoft.com/download/details.aspx?id=4868
The Administrator Accounts Security Planning Guide https://www.microsoft.com/download/details.aspx?id=19406
Best Practice Guide for Securing Active Directory Installations for Windows Server 2003 https://www.microsoft.com/download/details.aspx?id=16755
Best Practices for Delegating Active Directory Administration for Windows Server 2003 https://www.microsoft.com/en-us/download/details.aspx?id=21678
Microsoft Support Lifecycle https://support.microsoft.com/common/international.aspx?RDPATH=%2flifecycle%2fdefault.aspx
Active Directory Technical Specification https://msdn.microsoft.com/library/cc223122(v=prot.20).aspx
Error message when nonadministrator users who have been delegated control try to join computers to a Windows Server 2003-based or a Windows Server 2008-based domain controller: "Access is denied" https://support.microsoft.com/kb/932455
Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide https://technet.microsoft.com/library/dd378897(WS.10).aspx
Strict KDC Validation https://www.microsoft.com/download/details.aspx?id=6382

The following table contains a list of recommended reading that will assist you in enhancing the security of your Active Directory systems.

|Recommended Reading|
|---|
|Georgia Tech's Emerging Cyber Threats for 2014 Report|
|Microsoft Security Intelligence Report|
|Mitigating Pass-the-Hash (PTH) Attacks and Other Credential Theft Techniques|
|Australian Government Defense Signals Directory Top 35 Mitigation Strategies|
|2012 Data Breach Investigations Report - (Verizon, US Secret Service)|
|2009 Data Breach Investigations Report|
|Cloud Computing Security Benefits|
|Applying the Principle of Least Privilege to User Accounts on Windows|
|The Administrator Accounts Security Planning Guide|
|Best Practice Guide for Securing Active Directory Installations for Windows Server 2003|
|Best Practices for Delegating Active Directory Administration for Windows Server 2003|
|Microsoft Support Lifecycle|
|Active Directory Technical Specification - dSHeuristics information|
|Error message when nonadministrator users who have been delegated control try to join computers to a Windows Server 2003-based or a Windows Server 2008-based domain controller: "Access is denied"|
|Best Practice Guide for Securing Active Directory Installations.doc|
|Hyper-V Security Guide|
|Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide.|
|Strict KDC Validation|

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Active Directory, BitLocker, Hyper-V, Internet Explorer, Windows Vista, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2013 Microsoft Corporation. All rights reserved.