From c013228b5d5f0262ccc3640c1a1dbddee41f38db Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 1 Mar 2019 11:01:07 -0800 Subject: [PATCH 1/4] revised script --- .../credential-guard/credential-guard-manage.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index def101e7d1..f4f22dde8a 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -12,7 +12,7 @@ ms.author: daniha manager: dansimp ms.collection: M365-identity-device-management ms.topic: article -ms.date: 09/04/2018 +ms.date: 03/01/2019 --- # Manage Windows Defender Credential Guard 
@@ -157,25 +157,19 @@ To disable Windows Defender Credential Guard, you can use the following set of p > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. 3. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: + ``` syntax - mountvol X: /s - copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y - bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" - bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} - - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO - + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: - + bcdedit /set hypervisorlaunchtype off mountvol X: /d - ``` + 2. Restart the PC. 3. Accept the prompt to disable Windows Defender Credential Guard. 4. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. From 8529874eebc3b18a8f8d0d5d07b04ba20e7ad96c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 1 Mar 2019 11:15:19 -0800 Subject: [PATCH 2/4] edited metadata --- ...ow-hardware-based-root-of-trust-helps-protect-windows.md | 6 +++--- .../system-guard-secure-launch-and-smm-protection.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index 03fbaffd0c..9f39c8f835 100644 
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md @@ -1,6 +1,6 @@ --- -title: How a hardware-based root of trust helps protect Windows 10 (Windows 10) -description: Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits. +title: Windows Defender System Guard How a hardware-based root of trust helps protect Windows 10 (Windows 10) +description: Windows Defender System Guard in Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits. ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb search.appverid: met150 ms.prod: w10 @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha -ms.date: 02/14/2019 +ms.date: 03/01/2019 --- diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 0a5094e748..5cf7fbfead 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md 
@@ -8,12 +8,12 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: justinha -ms.date: 02/14/2019 +ms.date: 03/01/2019 --- # System Guard Secure Launch and SMM protection -This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 10 devices. The information below is presented from a client perspective. +This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 devices. The information below is presented from a client perspective. ## How to enable System Guard Secure Launch From 69b6d2155fe64488b2549b7f3402cc74d11e6fc8 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 1 Mar 2019 12:03:01 -0800 Subject: [PATCH 3/4] renamed system guard file --- windows/security/threat-protection/TOC.md | 2 +- windows/security/threat-protection/windows-defender-atp/TOC.md | 2 +- ...d-how-hardware-based-root-of-trust-helps-protect-windows.md} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename windows/security/threat-protection/windows-defender-system-guard/{how-hardware-based-root-of-trust-helps-protect-windows.md => system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md} (100%) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index ff20fe850d..f90703feef 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -7,7 +7,7 @@ ##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md) ###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md) ####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md) -###### [System integrity](windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) +###### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) ##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) ##### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index a9404e4e52..59406a457e 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -5,7 +5,7 @@ #### [Hardware-based isolation](overview-hardware-based-isolation.md) ##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md) ###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md) -##### [System integrity](../windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) +##### [System integrity](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) #### [Application control](../windows-defender-application-control/windows-defender-application-control.md) #### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) #### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md similarity index 100% rename from windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md rename to windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md From 8d110f907380fc7a6cbfe93a2d92ea5a51c18548 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 1 Mar 2019 12:19:31 -0800 Subject: [PATCH 4/4] added links --- ...sed-root-of-trust-helps-protect-windows.md | 83 +++++++++++++++++++ ...-guard-secure-launch-and-smm-protection.md | 2 +- 2 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md new file mode 100644 index 0000000000..15efbf1a94 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md 
@@ -0,0 +1,83 @@ +--- +title: Windows Defender System Guard How a hardware-based root of trust helps protect Windows 10 (Windows 10) +description: Windows Defender System Guard in Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits. +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: justinha +ms.date: 03/01/2019 +--- + + +# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10 + +In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy. + +Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees: + +- Protect and maintain the integrity of the system as it starts up +- Validate that system integrity has truly been maintained through local and remote attestation + +## Maintaining the integrity of the system as it starts + +### Static Root of Trust for Measurement (SRTM) + +With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. +This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. + +With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. 
+This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). +This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). + +As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. +Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blacklist), or a list of known 'good' SRTM measurements (also known as a whitelist). +Each option has a drawback: + +- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust. +- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow. +In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy. + +### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM) + +[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). +DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. +This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state. 
+ + +![System Guard Secure Launch](images/system-guard-secure-launch.png) + +Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. + +### System Management Mode (SMM) protection + +System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. +Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. +SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor. +To defend against this, two techniques are used: + +1. Paging protection to prevent inappropriate access to code and data +2. SMM hardware supervision and attestation + +Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. +This prevents access to any memory that has not been specifically assigned. + +A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to. + +SMM protection is built on top of the Secure Launch technology and requires it to function. +In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with. 
+ +## Validating platform integrity after Windows is running (run time) + +While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity. + +As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. + + +![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png) + +After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. + 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 5cf7fbfead..73a279e7a5 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -13,7 +13,7 @@ ms.date: 03/01/2019 # System Guard Secure Launch and SMM protection -This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 devices. The information below is presented from a client perspective. +This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 devices. The information below is presented from a client perspective. ## How to enable System Guard Secure Launch
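Review bot: In the credential-guard-manage.md hunk at @@ -157,25 +157,19 @@ (PATCH 1/4) the opening fence "``` syntax" is added while the closing "```" after `mountvol X: /d` is deleted, so steps 2 through 4 and the rest of the topic will render inside the code block; keep the closing fence. The same hunk removes `mountvol X: /s`, the `copy %WINDIR%\System32\SecConfig.efi ...` line and the three `bcdedit /create` / `path` / `bootsequence` lines for {0cb3b571-2f2e-4343-a879-d86a476d7215} but keeps `bcdedit /set {0cb3b571-...} loadoptions DISABLE-LSA-ISO,DISABLE-VBS`, `device partition=X:` and `mountvol X: /d`, so the remaining script sets options on a boot entry that is never created, points it at an X: volume that is never mounted, and then dismounts that volume; either restore the setup lines or drop the dependent ones. The new `bcdedit /set hypervisorlaunchtype off` line also duplicates what step 4 ("Alternatively, you can disable the virtualization-based security features") offers as a separate path, so the surrounding text should say which procedure the reader is expected to follow, and the commit message "revised script" should state what changed and why.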
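Review bot: In the how-hardware-based-root-of-trust-helps-protect-windows.md hunk at @@ -1,6 +1,6 @@ (PATCH 2/4) the new title "Windows Defender System Guard How a hardware-based root of trust helps protect Windows 10 (Windows 10)" runs the product name straight into the sentence; the H1 added in PATCH 4/4 uses "Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10", so the front-matter title should carry the same colon. The same uncorrected string is copied into the new file in PATCH 4/4 and needs the fix there as well.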
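Review bot: In the system-guard-secure-launch-and-smm-protection.md hunk at @@ -8,12 +8,12 @@ (PATCH 2/4) the link target how-hardware-based-root-of-trust-helps-protect-windows.md is renamed by PATCH 3/4, so at that commit the link is dangling until PATCH 4/4 repoints it to system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md; squash the link change into the commit that introduces the final filename, or do the rename first, so every commit in the series builds cleanly. The link text "System Guard Secure Launch and System Management Mode (SMM) protection" inside "This topic explains how to configure [...]" also sends the reader to the conceptual overview rather than to configuration steps, so consider moving the link to a "see ... for background" sentence instead.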
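Review bot: In the new-file hunk at @@ -0,0 +1,83 @@ (PATCH 4/4) the series recreates how-hardware-based-root-of-trust-helps-protect-windows.md, the very path PATCH 3/4 renamed to system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md, as a full second copy of the topic with the same `ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb`; two identical pages under one asset ID will drift apart on the next edit, so if the old path must keep resolving, add a redirect from the old filename instead of duplicating the content, and make the commit message say so ("added links" does not describe a file creation). Two wording points in the copied body while it is being touched: "a special-purpose CPU mode in x86 microcontrollers" should read "x86 processors", and "a non-maskable interrupt (SMI)" conflates the NMI with the System Management Interrupt; "a System Management Interrupt (SMI)" is the term the rest of the section relies on.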