windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
@@ -98,17 +98,6 @@ To validate a UE-V settings location template with the UE-V template generator:
After you validate the settings location template for an application, you should test the template. Deploy the template in a lab environment before you put it into a production environment in enterprise.
-
## Next steps
-
-
## <ahref=""id="share"></a>Share settings location templates with the Template Gallery
-
-
Before you share a settings location template on the UE-V template gallery, ensure it doesn't contain any personal or company information. You can use any XML viewer to open and view the contents of a settings location template file. The following template values should be reviewed before you share a template with anyone outside your company.
-
-
- Template Author Name - Specify a general, non-identifying name for the template author name or exclude this data from the template.
-
- Template Author Email - Specify a general, non-identifying template author email or exclude this data from the template.
-
-
Before you deploy any settings location template that you've downloaded from the UE-V gallery, you should first test the template to ensure that the application settings synchronize settings correctly in a test environment.
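Review bot: Dropping the whole "Share settings location templates with the Template Gallery" section also removes the only guidance that Template Author Name and Template Author Email be made non-identifying or stripped before a template leaves the company. If the section goes because the gallery itself is gone, keep that data-hygiene advice in a gallery-neutral form (for example, "before you share a template outside your organization") instead of deleting it with the gallery text; and since the `#share` anchor and the "Next steps" heading both disappear here, confirm nothing else in the file or in sibling pages links to them.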
This event generates when a [Central Access Policy](/windows-server/identity/solution-guides/scenario--central-access-policy) on a file system object is changed.
-
This event always generates, regardless of the object’s [SACL](/windows/win32/secauthz/access-control-lists) settings.
+
This event always generates, regardless of the object's [SACL](/windows/win32/secauthz/access-control-lists) settings.
-
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+
> [!NOTE]
+
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
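Review bot: The `> [!NOTE]` line and the `> For recommendations...` line must stay adjacent with no blank line between them, otherwise the marker renders as an empty callout followed by an ordinary block quote; the diff shows them as consecutive `+` lines, which is right. The remaining change in this hunk is curly-to-straight apostrophe normalization only.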
@@ -82,25 +82,25 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/
-**Account Name**\[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policy on the object.
-
-**Account Domain**\[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
+
-**Account Domain**\[Type = UnicodeString\]**:** subject's domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
-
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
+
- For some [well-known security principals](/windows-server/identity/ad-ds/manage/understand-security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
-
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
+
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
-
-**Logon ID**\[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
+
-**Logon ID**\[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."
**Object**:
-
-**Object Server**\[Type = UnicodeString\]: has “**Security**” value for this event.
+
-**Object Server**\[Type = UnicodeString\]: has "**Security**" value for this event.
-
-**Object Type**\[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always **“File”** for this event.
+
-**Object Type**\[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always **"File"** for this event.
The following table contains the list of the most common **Object Types**:
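Review bot: The well-known security principals link is retargeted from /windows/security/identity-protection/access-control/security-identifiers to /windows-server/identity/ad-ds/manage/understand-security-identifiers, which is a content change buried in what is otherwise a quote-normalization hunk; call it out in the commit message and confirm the new path resolves (if the old path still redirects, the relink is optional but harmless). Everything else in this hunk is curly-to-straight quote replacement with no wording change.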
@@ -118,7 +118,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/
<!---->
-
-**Handle ID**\[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
+
-**Handle ID**\[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "[4663](event-4663.md)(S): An attempt was made to access an object." This parameter might not be captured in the event, and in that case appears as "0x0".
**Process:**
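Review bot: Quote normalization only on the Handle ID line; the `<!---->` separator kept above it is still needed so the preceding bullet list does not absorb this item, so no further change is needed in this hunk.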
@@ -128,37 +128,38 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
-
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created”**Process Information\\New Process ID** field.
+
You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created"**Process Information\\New Process ID** field.
-**Process Name**\[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Central Policy ID:**
-**Original Security Descriptor**\[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (for the policy that was formerly applied to the object).
-
SDDL contains Central Access Policy SID, here's an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name, you need to do the following steps:
+
SDDL contains Central Access Policy SID, here's an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is "**S-1-17-1442530252-1178042555-1247349694-2318402534**". To resolve this SID to the real Central Access Policy name, you need to do the following steps:
-
1. Find Central Access Policy Active Directory object in: “CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX” Active Directory container.
+
1. Find Central Access Policy Active Directory object in: "CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX" Active Directory container.
4. Convert hexadecimal value to SID (string). Here you can see more information about how to perform this action: <https://social.technet.microsoft.com/Forums/scriptcenter/en-US/11585f2c-ed0d-4c2b-a2b6-ef2aa07b3745/how-to-convert-sid>.
> If no Central Access Policies were applied to the object, then SDDL will not contain any SIDs, for example “**S:AI**”.
+
> If no Central Access Policies were applied to the object, then SDDL will not contain any SIDs, for example "**S:AI**".
-**New Security Descriptor**\[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event.
-
> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
-
>
+
> [!NOTE]
+
> The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> -*O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
> -*O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
> See the list of possible values in the table below:
| Value | Description | Value | Description |
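Review bot: Step 4 of the SID-resolution procedure still sends readers to social.technet.microsoft.com for the hex-to-SID conversion; that forum has been retired, so while this hunk is already editing these steps, replace the link with a supported reference (or describe the conversion inline) instead of only straightening the quotes. Also, the `> -*O*: = Owner` line shows up twice in this hunk as rendered; after the `[!NOTE]` split, verify the SDDL note block does not contain a duplicated Owner entry.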
@@ -193,13 +194,13 @@ Example: D:(A;;FA;;;WD)
- entry\_type:
-
“D” - DACL
+
"D" - DACL
-
“S” - SACL
+
"S" - SACL
- inheritance\_flags:
-
"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+
"P" - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" isn't also set.
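Review bot: Good catch on the mismatched `"P”` pair. While this line is being touched, "Inheritance from containers that are higher in the folder hierarchy are blocked" should read "is blocked" (the subject is "Inheritance"), which would make the P entry agree with the AI entry right below it.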
@@ -231,7 +232,7 @@ Example: D:(A;;FA;;;WD)
"NP" - NO PROPAGATE: only immediate children inherit this ace.
-
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+
"IO" - INHERITANCE ONLY: ace doesn't apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
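Review bot: Apostrophe fix only; for consistency with `"ID" - ACE IS INHERITED` two lines below, consider capitalizing "ace" in the NP and IO descriptions ("only immediate children inherit this ACE", "ACE doesn't apply to this object").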
@@ -262,24 +263,26 @@ Example: D:(A;;FA;;;WD)
- inherit\_object\_guid: N/A
- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above.
-
For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
+
For more information about SDDL syntax, see these articles:
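Review bot: The two msdn.microsoft.com SDDL references are cut out of the sentence and the hunk grows by two lines, but the replacement lines are not visible in this rendering; confirm they are re-added as list items pointing at the current learn.microsoft.com locations of the same two documents, not dropped, since the SDDL field descriptions above lean on them.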
For 4913(S): Central Access Policy on the object was changed.
-
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
-
- If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.”
+
> [!IMPORTANT]
+
> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
- If you need to monitor all changes to specific files or folders (in this case, changes to the Central Access Policy), monitor for the “**Object Name**” that corresponds to the file or folder.
+
- If you need to monitor events related to specific Windows object types ("**Object Type**"), for example **File** or **Key**, monitor this event for the corresponding "**Object Type**."
-
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+
- If you need to monitor all changes to specific files or folders (in this case, changes to the Central Access Policy), monitor for the "**Object Name**" that corresponds to the file or folder.
-
-You can monitor to see if “**Process Name**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+
-If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value.
-
<!---->
+
- You can monitor to see if "**Process Name**" isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+
- If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**."
-
- If you have specific files, folders, or entire systems to which a specific Central Access Policy should be applied, you can monitor this event and compare the Central Access Policy SID in “**New Security Descriptor**” to see if it matches the expected policy.
+
- If you have specific files, folders, or entire systems to which a specific Central Access Policy should be applied, you can monitor this event and compare the Central Access Policy SID in "**New Security Descriptor**" to see if it matches the expected policy.
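Review bot: The last bullet tells readers to compare the Central Access Policy SID in "New Security Descriptor" with the expected policy, but it misses the removal case: as this file's earlier note says, an object with no Central Access Policy gets an SDDL with no SID at all (for example `S:AI`), so the bullet should also say to alert when "New Security Descriptor" contains no `S-1-17-` SID. The `[!IMPORTANT]` conversion and promoting the "You can monitor..." paragraph to a list item (dropping the `<!---->` separator) are fine and make the recommendations one contiguous list.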