Appendix M: Document Links and Recommended Reading

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The following table contains a list of links to external documents and their URLs so that readers of hard copies of this document can access this information. The links are listed in the order they appear in the document.

Links URLs
10 Immutable Laws of Security Administration https://technet.microsoft.com/library/cc722488.aspx
Microsoft Security Compliance Manager https://technet.microsoft.com/library/cc677002.aspx
Gartner Symposium ITXPO http://www.gartner.com/technology/symposium/orlando/
2012 Data Breach Investigations Report (DBIR) http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Ten Immutable Laws of Security (Version 2.0) https://technet.microsoft.com/security/hh278941.aspx
Using Heuristic Scanning https://technet.microsoft.com/library/bb418939.aspx
Drive-by download /windows/win32/secgloss/security-glossary
Microsoft Support article 2526083 https://support.microsoft.com/kb/2526083
Microsoft Support article 814777 https://support.microsoft.com/kb/814777
Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Main_Page
Microsoft Security Development Lifecycle /windows/security/threat-protection/msft-security-dev-lifecycle
Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques_English.pdf
Determined Adversaries and Targeted Attacks https://www.microsoft.com/download/details.aspx?id=34793
Solution for management of built-in Administrator account's password via GPO https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789
Microsoft Support article 817433 https://support.microsoft.com/?id=817433
Microsoft Support article 973840 /microsoft-365/admin/get-help-support
Administrator account is disabled by default https://technet.microsoft.com/library/cc753450.aspx
The Administrator Accounts Security Planning Guide https://technet.microsoft.com/library/cc162797.aspx
Microsoft Windows Security Resource Kit https://www.microsoft.com/learning/en/us/book.aspx?ID=6815&locale=en-us
Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide https://technet.microsoft.com/library/dd378897(WS.10).aspx
Windows Server Update Services https://technet.microsoft.com/windowsserver/bb332157
Personal Virtual Desktops https://technet.microsoft.com/library/dd759174.aspx
Read-Only Domain Controller Planning and Deployment Guide https://technet.microsoft.com/library/cc771744(WS.10).aspx
Running Domain Controllers in Hyper-V https://technet.microsoft.com/library/dd363553(v=ws.10).aspx
Hyper-V Security Guide https://www.microsoft.com/download/details.aspx?id=16650
Ask the Directory Services Team https://blogs.technet.com/b/askds/archive/2011/09/12/managing-rid-pool-depletion.aspx
How to configure a firewall for domains and trusts https://support.microsoft.com/kb/179442
2009 Verizon Data Breach Report http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
2012 Verizon Data Breach report http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Introducing Auditing Changes in Windows 2008 https://blogs.technet.com/b/askds/archive/2007/10/19/introducing-auditing-changes-in-windows-2008.aspx
Cool Auditing Tricks in Vista and 2008 https://blogs.technet.com/b/askds/archive/2007/11/16/cool-auditing-tricks-in-vista-and-2008.aspx
Global Object Access Auditing is Magic https://blogs.technet.com/b/askds/archive/2011/03/10/global-object-access-auditing-is-magic.aspx
One-Stop Shop for Auditing in Windows Server 2008 and Windows Vista https://blogs.technet.com/b/askds/archive/2008/03/27/one-stop-shop-for-auditing-in-windows-server-2008-and-windows-vista.aspx
AD DS Auditing Step-by-Step Guide https://technet.microsoft.com/library/a9c25483-89e2-4202-881c-ea8e02b4b2a5.aspx
Getting the Effective Audit Policy in Windows 7 and 2008 R2 http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Sample script http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Audit Option Type http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Auditing and Compliance in Windows Server 2008 https://technet.microsoft.com/magazine/2008.03.auditing.aspx
How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 Server domain /troubleshoot/windows-server/group-policy/configure-group-policies-set-security
Advanced Security Audit Policy Step-by-Step Guide https://technet.microsoft.com/library/dd408940(WS.10).aspx
Threats and Countermeasures Guide https://technet.microsoft.com/library/hh125921(v=ws.10).aspx
MaxTokenSize and Kerberos Token Bloat https://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx
Authentication Mechanism Assurance https://technet.microsoft.com/library/dd391847(v=WS.10).aspx
Microsoft Data Classification Toolkit https://technet.microsoft.com/library/hh204743.aspx
Dynamic Access Control https://blogs.technet.com/b/windowsserver/archive/2012/05/22/introduction-to-windows-server-2012-dynamic-access-control.aspx
Absolute Software https://www.absolute.com/company/press-releases/2009/computrace-by-absolute-software-now-supported-in-firmware-of-getac-computers/
Absolute Manage https://www.absolute.com/resources/solution-sheets/itam/
Absolute Manage MDM https://www.absolute.com/company/press-releases/2012/absolute-manage-the-first-mdm-solution-with-integrated-secure-document-distribution-and-management-for-ipads/?campaignid=983063266&adgroupid=136612784634&feeditemid=&loc_physical_ms=9003653&matchtype=&network=g&device=c&gclid=CjwKCAjwyryUBhBSEiwAGN5OCHt2V4ncG6tH-QxzCEYK-OV4yQhIOyQp-n51UZZjS87_vrK5qPcE-xoCDL8QAvD_BwE&creative=583299092096&keyword=&adposition=&utm_term=&gclid=CjwKCAjwyryUBhBSEiwAGN5OCHt2V4ncG6tH-QxzCEYK-OV4yQhIOyQp-n51UZZjS87_vrK5qPcE-xoCDL8QAvD_BwE
SolarWinds http://www.solarwinds.com/eminentware-products.aspx
EminentWare WSUS Extension Pack http://solarwinds-marketing.s3.amazonaws.com/solarwinds/Datasheets/EminentWare-WSUS-Extension-Pack-005-Datasheet2.pdf
EminentWare Configuration Manager Extension Pack http://solarwinds-marketing.s3.amazonaws.com/solarwinds/Datasheets/EminentWare-Extension-Pack-for-CM-Datasheet-006-Revised.pdf
GFI Software http://www.gfi.com/?adv=952&loc=58&gclid=CLq9y5603rMCFal7QgodMFkAyA
GFI LanGuard http://www.gfi.com/network-security-vulnerability-scanner/?adv=952&loc=60&gclid=CP2t-7i03rMCFQuCQgodNkAA7g
Secunia http://secunia.com/
Secunia Corporate Software Inspector (CSI) http://secunia.com/products/corporate/csi/
Vulnerability Intelligence Manager http://secunia.com/vulnerability_intelligence/
eEye Digital Security http://www.wideeyesecurity.com/?gclid=CK6b0sm13rMCFad_QgodhScAiw
Retina CS Management http://www.wideeyesecurity.com/products.asp
Lumension http://www.lumension.com/?rpLeadSourceId=5009&gclid=CKuai_e13rMCFal7QgodMFkAyA
Lumension Vulnerability Management http://www.lumension.com/Solutions/Vulnerability-Management.aspx
Threats and Countermeasures Guide: User Rights https://technet.microsoft.com/library/hh125917(v=ws.10).aspx
Threats and Vulnerabilities Mitigation https://technet.microsoft.com/library/cc755181(v=ws.10).aspx
User Rights https://technet.microsoft.com/library/dd349804(v=WS.10).aspx
Access Credential Manager as a trusted caller https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_2
Access this computer from the network https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_1
Act as part of the operating system https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_3
Add workstations to domain https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_4
Adjust memory quotas for a process https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_5
Allow log on locally https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_6
Allow log on through Terminal Services https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_7
Back up files and directories https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_8
Bypass traverse checking https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_9
Change the system time https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_10
Change the time zone https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_11
Create a pagefile https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_12
Create a token object https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_13
Create global objects https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_14
Create permanent shared objects https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_15
Create symbolic links https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_16
Debug programs https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_17
Deny access to this computer from the network https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_18
Deny log on as a batch job https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_18a
Deny log on as a service https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_19
Deny log on locally https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_20
Deny log on through Terminal Services https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_21
Enable computer and user accounts to be trusted for delegation https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_22
Force shutdown from a remote system https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_23
Generate security audits https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_24
Impersonate a client after authentication https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_25
Increase a process working set https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_26
Increase scheduling priority https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_27
Load and unload device drivers https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_28
Lock pages in memory https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_29
Log on as a batch job https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_30
Log on as a service https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_31
Manage auditing and security log https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_32
Modify an object label https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_33
Modify firmware environment values https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_34
Perform volume maintenance tasks https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_35
Profile single process https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_36
Profile system performance https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_37
Remove computer from docking station https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_38
Replace a process level token https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_39
Restore files and directories https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_40
Shut down the system https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_41
Synchronize directory service data https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_42
Take ownership of files or other objects https://technet.microsoft.com/library/db585464-a2be-41b1-b781-e9845182f4b6(v=ws.10)#BKMK_43
Access Control https://msdn.microsoft.com/library/aa374860(v=VS.85).aspx
Microsoft Support /microsoft-365/admin/get-help-support
rootDSE Modify Operations https://msdn.microsoft.com/library/cc223297.aspx
AD DS Backup and Recovery Step-by-Step Guide https://technet.microsoft.com/library/cc771290(v=ws.10).aspx
Windows Configurations for Kerberos Supported Encryption Type /archive/blogs/openspecification/windows-configurations-for-kerberos-supported-encryption-type
UAC Processes and Interactions https://technet.microsoft.com/library/dd835561(v=WS.10).aspx#1
EmpowerID http://www.empowerid.com/products/authorizationservices
Role-based access control (RBAC) http://pic.dhe.ibm.com/infocenter/aix/v7r1/index.jsp?topic=%2Fcom.ibm.aix.security%2Fdoc%2Fsecurity%2Fdomain_rbac.htm
The RBAC model http://docs.oracle.com/cd/E19082-01/819-3321/6n5i4b7ap/index.html
Active Directory-centric access control http://www.centrify.com/solutions/it-security-access-control.asp
Cyber-Ark's Privileged Identity Management (PIM) Suite http://www.cyber-ark.com/digital-vault-products/pim-suite/index.asp
Quest One https://www.quest.com/products/gpoadmin/
Enterprise Random Password Manager (ERPM) http://www.liebsoft.com/Random_Password_Manager/
NetIQ Privileged User Manager https://www.netiq.com/products/privileged-user-manager/
CA IdentityMinder https://www.scmagazine.com/feature/sc-awards-2007-time-to-be-counted
Description of security events in Windows Vista and in Windows Server 2008 /windows/win32/wmisdk/event-security-constants
Description of security events in Windows 7 and in Windows Server 2008 R2 /windows/win32/win7appqual/security
Security Audit Events for Windows 7 https://www.microsoft.com/download/details.aspx?id=21561
Windows Server 2008 R2 and Windows 8 and Windows Server 2012 Security Event Details https://www.microsoft.com/download/details.aspx?id=35753
Georgia Tech's Emerging Cyber Threats for 2013 report http://www.gtsecuritysummit.com/report.html
Microsoft Security Intelligence Report /azure/defender-for-cloud/threat-intelligence-reports
Australian Government Defense Signals Directory Top 35 Mitigation Strategies http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
Cloud Computing Security Benefits /azure/defender-for-cloud/enhanced-security-features-overview
Applying the Principle of Least Privilege to User Accounts on Windows /windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models
The Administrator Accounts Security Planning Guide /sharepoint/security-for-sharepoint-server/plan-for-administrative-and-service-accounts
Best Practice Guide for Securing Active Directory Installations for Windows Server 2003 /previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn487446(v=ws.11)
Best Practices for Delegating Active Directory Administration for Windows Server 2003 /azure/active-directory/external-identities/b2b-fundamentals
Microsoft Support Lifecycle https://support.microsoft.com/common/international.aspx?RDPATH=%2flifecycle%2fdefault.aspx
Active Directory Technical Specification https://msdn.microsoft.com/library/cc223122(v=prot.20).aspx
Error message when nonadministrator users who have been delegated control try to join computers to a Windows Server 2003-based or a Windows Server 2008-based domain controller: "Access is denied" https://support.microsoft.com/kb/932455
Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide https://technet.microsoft.com/library/dd378897(WS.10).aspx
Strict KDC Validation https://www.microsoft.com/download/details.aspx?id=6382

The following table contains a list of recommended reading that will assist you in enhancing the security of your Active Directory systems.

Recommended Reading
Georgia Tech's Emerging Cyber Threats for 2014 Report
Microsoft Security Intelligence Report
Mitigating Pass-the-Hash (PTH) Attacks and Other Credential Theft Techniques
Australian Government Defense Signals Directory Top 35 Mitigation Strategies
2012 Data Breach Investigations Report - (Verizon, US Secret Service)
2009 Data Breach Investigations Report
Cloud Computing Security Benefits
Applying the Principle of Least Privilege to User Accounts on Windows
The Administrator Accounts Security Planning Guide
Best Practice Guide for Securing Active Directory Installations for Windows Server 2003
Best Practices for Delegating Active Directory Administration for Windows Server 2003
Microsoft Support Lifecycle
Active Directory Technical Specification - dSHeuristics information
Error message when nonadministrator users who have been delegated control try to join computers to a Windows Server 2003-based or a Windows Server 2008-based domain controller: "Access is denied"
Best Practice Guide for Securing Active Directory Installations.doc
Hyper-V Security Guide
Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide.
Strict KDC Validation

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Active Directory, BitLocker, Hyper-V, Internet Explorer, Windows Vista, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

2013 Microsoft Corporation. All rights reserved.