Security and Assurance
Security and compliance in datacenters, private cloud and hosting environments.
-
Add an option to require administrative password reset to honor password history
Windows supports two password APIs, change and reset. The change API honors password history, preventing users from re-using recent previous passwords. The reset API ignores password history and allows an administrator, or e.g. help desk, to re-use a recent previous password. Add an option in Active Directory to force the reset API to also honor password history. The default should be that this option is disabled, an administrator CAN use a recent password, so it matches expected / current behavior. For Active Directory, this option should be available in the default domain policy and also in each password settings object…
4 votes -
Default administrator give back full control
The current setting of the Default admin that can't do primary task is a big pain for test and web environments. I don't want an extra account just to change antimalware or test a website that is running on the server.
Delegation and limiting is fine but give the option to give the built-in administrator full control but not as default.
6 votes -
PGP for Office2016/17, Exchange 2016 & Server 2016
MIT Key Server:
http://pgp.mit.edu:11371/
(users' public PGP database)
E.g.:
Mailvelope
http://www.mailvelope.com/
MICROSOFT
Please make all your Microsoft products easy to work with PGP.
External server to external server can use DKIM for PGP keys.
And allow your products to work with legit key servers like MIT. Make your own key server, if you want to, but share/sync the info back to the MIT server (like PGP-DNS).
Allow sharing of key servers' data, like mirror/sync.
Allow key servers to use DKIM keys to communicate to external servers.
Thanks.
9 votes -
Make a SUDO equivalent for elevating to an Administrator without runas.
Runas works OK, but SUDO on Linux works well for allowing administrators to elevate for one-time-only commands.
15 votes -
Make Saved Passwords a Thing of the Past (OAuth)
All throughout Windows, it is very common to have to enter and save passwords, and, what's worse, when a password is changed, you have to try to remember everywhere that it was set.
A good example is inside of an Active Directory environment where you have Services that run under a specific user. If you change the user's password, then you have to go to each server and update the password.
I suggest that features like this be re-architected to take advantage of OAuth (or a similar technology) very similar to how Facebook and Twitter let you Authorize Apps. I…
12 votes -
(Microsoft suggested idea) Help me understand who has access to what resources - Servers, Files, Databases...
In order to better control access and provide insight to my management and my auditors - I'd like to be able to monitor who has access to what resources
33 votes -
IIS Remote management as current identity aka windows integrated authentication
IIS Remote management currently does not allow authenticating with the "current user", which should be possible with Kerberos.
This leads to the problem that we are not able to use smartcard authentication against IIS Remote management.
14 votes -
(Microsoft suggested idea) Have Office 365 DLP and Windows DLP use the same policy management
Office 365 implemented a DLP solution and Windows Server also implemented a DLP solution (File Classification Infrastructure) - would be great if we can control both using a single policy console
13 votes -
Install-AdcsEnrollmentPolicyWebService Ignores -WhatIf Parameter
The following PowerShell command should NOT configure the Enrollment Policy Web Service, because it has the -WhatIf parameter:
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate -Force -SSLCertThumbprint 'f0262dcf287f3e250d1760508c4ca87946006e1e' -KeyBasedRenewal:$false -WhatIf
However, it does configure it. The same goes for Uninstall-AdcsEnrollmentPolicyWebService.
This is bad practice for PowerShell cmdlets. It is also preventing us from creating a DSC resource to configure this feature.
5 votes -
MICROSOFT AC BUS
SIR BILL GATES IS OUR IDEAL PERSON. HE IS CREATED SO MANY EASY WAY FOR OUR LIFESTYLE. OTHERWISE IF HE WILL BE CREATING A DECENT MICROSOFT AC BUS FOR ALL CLASSES PEOPLE. ITS WILL BE A BEST IMPACT FOR OUR LIFE STYLE. & WE NEED TO A LOT OF THAT BUS IN INDIA.
1 vote -
SUPERIOR MICROSOFT AEROPLANE
WE ARE INDIAN & WE LOVES OUR WORLD SO MUCH. NOW, THE WORLD IS SO MUCH FAST & CLEAN. IN THIS TIME, MICROSOFT IS A GREAT WAY FOR OUR LIFESTYLE. MICROSOFT WILL BE CREATING & MAKING A LOT OF DECENT AIRPLANE FOR OUR EASIER LIFESTYLE. ITS WILL BE A BEST IMPACT FOR OUR WHOLE WORLD. THAT AIRPLANE WILL BE USING FOR PASSENGERS, CONTAIN PRODUCTS, SUPPLYING (WATER, FOOD, CLOTHES, MEDICINE, ETC) & PATIENT FOR EMERGENCY. I MEAN ITS A VARIOUS WAYS LIKE STEP 1 = PASSENGER AIRPLANE, STEP 2 = WATER AIRPLANE, STEP 3 = PATIENT AIRPLANE, STEP 4 = SUPPLYING ALL LEGAL (PRODUCTS, FOOD, MEDICINE).
1 vote -
HELPING HANDS FOR POOR CHILD & PEOPLES
NOW AT THIS TIME OUR WORLDS MANY FAMILY FACES FLOODS. THEY ARE SOMEONE RICHES BUT MANY OF THE FAMILY SO MUCH POOR. PLEASE REQUEST YOU ALL RICHEST PERSON PLEASE HELP THEM WITHIN FOOD, MEDICINE, CLOTHES, HOUSE PLEASE PLEASE PLEASE
1 vote -
xcertificateimport
When using the interactive Windows Certificates snap-in, a 3rd very important cert target store type can be selected:
One can select "my user account", "computer account" and "service account" as target for certificates.
xCertificateImport currently seems to only support 2 target store types:
Location: 'LocalMachine' or 'CurrentUser'
As an admin it would be very cool to be able to also use xCertificateImport to also manage service-related certificates, as there are otherwise no PowerShell means to do so and the GUI cert tool is a PITA, as it's not scriptable. And there are Microsoft's own services out there that need such…
1 vote -
File Audit recording users' activities not added to be audited
The security log is still recording users' activities not added to the audit setting and recording permissions not added to be audited, like if you want to audit write only, the security log still audits the read & list folder contents, which I don't need to audit, and this makes the audit log huge.
1 vote -
Add ECDSA Platform Crypto Provider
Now that TPM 2.0 supports EC, the Platform Crypto Provider should support it.
4 votes -
Create a Developers Built-In Group
Create a built-in group "Developers" on Windows Server (and domain controllers) and restrict the activity of those users to compile, debug and run their applications. If the developer's computer gets compromised then the damage is limited. Unfortunately the effort to restrict "developer" accounts is too error prone.
Following the convention of least privilege, application developers need not be full-blown administrators on their development machines. For example, they don't need to manage users, groups, memberships or even be able to make changes that affect everyone on the host. They do need the ability to compile and debug their software.
…
5 votes -
Fix secedit in nano server
secedit is broken in nano server (checked both TP3 and TP4) and it simply doesn't work. I have asked about it @nano server forum as well without any response so far.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/894a3a8f-64f4-4605-b1ff-9698a53814db/issues-running-secedit-on-nano-server?forum=NanoServer
There is absolutely no way to harden a nano server once it is deployed. Can it be fixed? Or is there a new way to work with local security policy on nano server that I am unaware of?
3 votes
Thanks for the feedback, we are looking into some options here.
-
Rebuild Certificate Authority
The whole CA management interface feels so overdue. I know the whole certificate thing wasn't built by Microsoft and it pushed into the market real fast (relatively speaking) so a solution had to be realized quick. The whole topic is very clumsy and involves so many manual steps that it gives lots of admins around the globe headaches. It is also very hard to learn and master due to the wrong tools, I think.
The certification management in Exchange Control Panel 2013 seems a step in the right direction. I can't really tell you what to do, but I'm sure…
10 votes -
Provide native PowerShell cmdlets for managing local security policy
There is no way to either view or manage local security policy using PowerShell. It is possible to install a utility such as secedit.exe and make calls out to it, but this should be functionality that resides within native PowerShell cmdlets.
This would greatly ease server management, and in particular allow for viewing settings that would otherwise not be available to people without using a GUI tool.
12 votes -
Enhance Dynamic Access Control (DAC)
Don't let Dynamic Access Control (DAC) wither on the vine from lack of enhancements! Add a library of PowerShell classifiers in FSRM. Make the installation of PDF and Office file iFilter DLLs a feature that is easy to install with Server Manager. Get more third-party DLP vendors on board. Include DAC features in Office 365, SharePoint 2016 and Exchange. Integrate DAC and RMS into a single easy-to-manage system. At a minimum, make some public confirmations that you are not going to let DAC die a slow death!
15 votes