Driving with one eye on the mirror…
As the writers focus on upcoming releases, we are also cruising through the readership activity of published content and listening for developing trends in how our security technologies are being used. We work the backend to help us develop the upcoming content. Examples of this are AppLocker and Kerberos.
AppLocker was introduced as the better tool over Software Restriction Policies in Windows Server 2008 R2 and Windows 7. AppLocker content was developed to provide both conceptual and procedural information before the product was widely deployed. As we hear feedback from deployments, writers update that content to promote greater success. Over the past year, here's what has been updated:
- Understanding the Publisher Rule Condition in AppLocker - https://technet.microsoft.com/en-us/library/ee460943(WS.10).aspx
- Frequently Asked Questions - https://technet.microsoft.com/en-us/library/ee619725(WS.10).aspx
- Security Considerations for AppLocker - https://technet.microsoft.com/en-us/library/ee844118(WS.10).aspx
- Troubleshooting AppLocker - https://technet.microsoft.com/en-us/library/ee791895(WS.10).aspx
- Top KBs
  - 2532445 You can circumvent AppLocker rules by using an Office macro on a computer that is running Windows 7 or Windows Server 2008 R2 - https://support.microsoft.com/default.aspx?scid=kb;en-US;2532445
  - 976922 The "Run only allowed Windows applications" Group Policy setting displays no entries on a computer that is running Windows Vista, Windows Server 2008, or Windows 7 - https://support.microsoft.com/default.aspx?scid=kb;en-US;976922
  - 2384558 Inheritance of ownership in Group Policy Management Console does not work as expected - https://support.microsoft.com/default.aspx?scid=kb;en-US;2384558
In the case of the Windows implementation of Kerberos authentication, the basic conceptual content was written in 2005. We have been posting changes with each release in the form of What's New or What's Changed. Additionally, we add to the documentation set as issues or specific deployments are brought to light. This work for deployed releases is then evaluated for upcoming content - either folded into the foundational doc set, updated in place, or left to stand as a one-off topic. Here's what we did last year:
- Changes in Kerberos Authentication - https://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx
- Kerberos Interoperability Step-by-Step Guide for Windows Server 2003 - https://social.technet.microsoft.com/wiki/contents/articles/kerberos-interoperability-step-by-step-guide-for-windows-server-2003.aspx
- Top KBs relevant to Windows Server 2008 R2
  - 978055 FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain - https://support.microsoft.com/default.aspx?scid=kb;EN-US;978055
  - 975363 You are intermittently prompted for credentials or experience time-outs when you connect to Authenticated Services - https://support.microsoft.com/default.aspx?scid=kb;EN-US;975363
  - 2002013 Troubleshooting Active Directory operations that fail with error 5: Access is denied - https://support.microsoft.com/default.aspx?scid=kb;en-US;2002013
Senior Technical Writer
Windows iX IT PRO Security Team