mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 19:03:46 +00:00
updates
@ -0,0 +1,66 @@
---
title: Application and driver control
description: Windows 11 security book - Application and driver control.
ms.topic: overview
ms.date: 04/09/2024
---

# Application and driver control

Windows 11 offers a rich application platform with layers of security like isolation and code integrity that help protect your valuable data. Developers can also take advantage of these
capabilities to build in security from the ground up to protect against breaches and malware.

## Smart App Control

Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run if they are predicted to be safe based on existing and new intelligence updated daily.

Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application so that users can be confident that their applications are safe and reliable on their new Windows devices. Additionally, Smart App Control blocks unknown script files and macros from the web are blocked, greatly improving security for everyday users.
Smart App Control will ship with new devices with Windows 11, version 22H2 installed.

Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business.

:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**

- [Smart App Control](/windows/apps/develop/smart-app-control/overview)

## App Control for Business

Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.

Windows 10 and above include App Control for Business (previously called Windows Defender Application Control) as well as AppLocker. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.

Customers using Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>> to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.

Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.

:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**

- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)

## User Account Control

User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.

Organizations can use a modern device management (MDM) solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>> to remotely configure UAC settings. Organizations without MDM can change settings directly
on the device.

Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
apps and prevent inadvertent changes to system settings.

Users with standard accounts, or those using administrative accounts with UAC enabled, run most programs with limited access rights. This includes the Windows shell and any apps started from the shell, such as Windows Explorer, a web browser, productivity suite, graphics programs, or games.

Some apps require additional permissions and will not work properly (or at all) when running with limited permissions. When an app needs to run with more than standard user rights, UAC allows users to run apps with a "full" administrator token (with administrative groups and privileges) instead of their default user access token. Users continue to operate in the standard user security context while enabling certain executables to run with elevated privileges if needed.

:::image type="content" source="images/uac-settings.png" alt-text="Screenshot of the UAC settings." border="false":::

:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**

- [How User Account Control works](/windows/security/identity-protection/user-account-control/how-user-account-control-works)

## Microsoft vulnerable driver blocklist

The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Prior to the Windows 11 2022 Update, Windows enforced a block policy when hypervisor-protected code integrity (HVCI) was enabled to prevent vulnerable versions of drivers from running. Beginning with the Windows 11 2022 Update, the block policy is now on by default for all new Windows PCs, and users can opt in to enforce the policy from the Windows Security app.

:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**

- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
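Review bot: the footnote markup in the Intune sentences under App Control for Business and User Account Control has a stray `>` after the closing tag (`<sup>[\[9\]](conclusion.md#footnote9)</sup>>`), which renders a literal ">" after the footnote number; drop the extra character in both places. The second Smart App Control paragraph carries a doubled predicate, "Smart App Control blocks unknown script files and macros from the web are blocked"; keep either "Smart App Control blocks unknown script files and macros from the web" or "unknown script files and macros from the web are blocked". The User Account Control section states "UAC can (also) block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings" twice, in its first and third paragraphs; one occurrence is enough. Several sentences are hard-wrapped mid-line, a leftover of the source layout ("take advantage of these" / "capabilities to build in", "change settings directly" / "on the device.", "installation of unauthorized" / "apps and prevent"); join them so each renders as one paragraph. Finally, "Smart App Control will ship with new devices with Windows 11, version 22H2 installed" is in the future tense for a release that predates the page's ms.date of 04/09/2024; present tense reads better.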
@ -0,0 +1,51 @@
---
title: Application isolation
description: Windows 11 security book - Application isolation.
ms.topic: overview
ms.date: 04/09/2024
---

# Application isolation

## Win32 app isolation

Win32 app isolation is a new security feature in public preview designed to be the default isolation standard on Windows clients. It is built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using the tools provided by Microsoft.

Win32 app isolation follows a two-step process. In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level.

In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. Securable objects in this context refer to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a[Discretionary Access Control List](/windows/win32/secauthz/access-control-lists) on Windows.

To help ensure that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The Application Capability Profiler (ACP) simplifies the entire process by allowing the application to run in "learn mode" with low privileges. Instead of denying access if the capability is not present, ACP allows access and logs additional capabilities required for access if the application were to run isolated. For more information on ACP, please refer to the [GitHub documentation page](https://github.com/microsoft/win32-app-isolation/blob/main/docs/profiler/application-capability-profiler.md#stack-tracing---acp-stacktracewpaprofile).

To create a smooth user experience that aligns with non-isolated, native Win32 applications, two key factors should be taken into consideration:

- Approaches for accessing data and privacy information
- Integrating Win32 apps for compatibility with other Windows interfaces

The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary ([AppContainer](/windows/win32/secauthz/implementing-an-appcontainer)). The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.

:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**

- [Win32 app isolation](https://github.com/microsoft/win32-app-isolation)

## Windows Sandbox

Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation using the same hardware-based Hyper-V virtualization technology without fear of lasting impact to the PC. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and cannot affect the host.

Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.

:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**

- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
- [Windows Sandbox is a new lightweight desktop environment tailored for safely
running applications in isolation](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849)

## App containers

In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications.

Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they do not own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host is not allowed. As a result, malware or infected apps have limited footprint for escape.

:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**

- [Windows and app container](https://learn.microsoft.com/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
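Review bot: in the second-step paragraph under Win32 app isolation, "These capabilities enable the implantation of a[Discretionary Access Control List]" reads as a typo for "implementation" and is missing the space before the link, so the link text runs into the article. The Windows Sandbox paragraph says "using the same hardware-based Hyper-V virtualization technology" without saying the same as what; "using hardware-based Hyper-V virtualization" is sufficient. The second Learn more item under Windows Sandbox has a line break inside the link text ("...tailored for safely" / "running applications in isolation](...)"); put the link on one line so no renderer treats the second half as a separate paragraph. The App containers Learn more link is an absolute learn.microsoft.com URL carrying a `?source=recommendations` tracking parameter, while every other internal link on these pages is site-relative; use the relative path and drop the query string. "Access to a local host is not allowed" would be clearer as "loopback (localhost) access is not allowed".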
14
windows/security/book/application-security-root.md
Normal file
@ -0,0 +1,14 @@
---
title: Application security
description: Windows 11 security book - Application security chapter.
ms.topic: overview
ms.date: 04/09/2024
---

# Application security

:::image type="content" source="images\application-security-on.png" alt-text="Diagram of containng a list of security features." lightbox="images\application-security.png" border="false":::

Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows 11, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts so that PCs run with the least amount of privileges to prevent malicious applications from accessing sensitive resources.

In addition, organizations can control which applications run on their devices with App Control for Business (previously called Windows Defender Application Control - WDAC).
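Review bot: the image include at the top of this page has a misspelled and uninformative alt text ("Diagram of containng a list of security features.") and uses backslashes in the source and lightbox paths (`images\application-security-on.png`, `images\application-security.png`), while the rest of the book uses forward slashes (`images/learn-more.svg`); fix the spelling, make the alt text describe which application security features the diagram lists, and use forward slashes so the path also resolves on non-Windows build hosts, which treat a backslash as part of the file name. In the last paragraph, "(previously called Windows Defender Application Control - WDAC)" introduces an abbreviation that is not used again and that the application and driver control page introduces without it; keep the two pages consistent.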
@ -0,0 +1,33 @@
---
title: Hardware root-of-trust
description: Windows 11 security book - Hardware root-of-trust.
ms.topic: overview
ms.date: 04/09/2024
---

# Hardware root-of-trust

## Trusted Platform Module (TPM)

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard (previously called Windows Defender System Guard), and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust.

:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**

- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications)
- [Enabling TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c)
- [Trusted Platform Module Technology Overview](../hardware-security/tpm/trusted-platform-module-overview.md)

## Microsoft Pluton security processor

The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices, including Secured-core PCs, with a hardware security processor that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path.

Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update.

As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers cannot access sensitive data—even if attackers use emerging techniques like speculative execution.

Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for customers to get alerts about security updates, keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.

:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**

- [Meet the Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/)
- [Microsoft Pluton security processor](../hardware-security/pluton/microsoft-pluton-security-processor.md)
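Review bot: the TPM paragraph contains "existing Windows 10 devices much meet minimum system requirements", which should read "must meet". The same paragraph states the TPM 2.0 requirement three times in a row ("All new Windows 11 devices come with TPM 2.0 built in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens..."); one sentence carries the point, and "The 2.0 version of TPM" is more naturally "TPM 2.0". That paragraph is also the longest on the page and mixes three topics (what a TPM provides, which Windows features depend on it, and the Windows 11 upgrade requirement); splitting it at "To upgrade to Windows 11" would make it easier to scan. In the Pluton section, "Pluton also solves the major security challenge of keeping its own security processor firmware up to date" is stronger than the paragraph supports; "addresses" fits the description of an update channel that follows.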
@ -0,0 +1,80 @@
|
|||||||
|
---
|
||||||
|
title: Silicon assisted security
|
||||||
|
description: Windows 11 security book - Silicon assisted security.
|
||||||
|
ms.topic: overview
|
||||||
|
ms.date: 04/09/2024
|
||||||
|
---
|
||||||
|
|
||||||
|
# Silicon assisted security
|
||||||
|
|
||||||
|
In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats by protecting the boot process, safeguarding the integrity of memory, isolating security-sensitive compute logic, and more.
|
||||||
|
|
||||||
|
## Secured kernel
|
||||||
|
|
||||||
|
To secure the kernel we have two key features: virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices will support HVCI and most new devices will come with VBS and HVCI protection turned on by default.
|
||||||
|
|
||||||
|
Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
|
||||||
|
implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
|
||||||
|
|
||||||
|
Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
|
||||||
|
|
||||||
|
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||||
|
|
||||||
|
- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
|
||||||
|
|
||||||
|
Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
|
||||||
|
|
||||||
|
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
|
||||||
|
|
||||||
|
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||||
|
|
||||||
|
- [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
|
||||||
|
- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
|
||||||
|
|
||||||
|
## Hardware-enforced stack protection
|
||||||
|
|
||||||
|
Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control- flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
|
||||||
|
|
||||||
|
Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called stack smashing. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate "shadow stack" for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
|
||||||
|
|
||||||
|
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||||
|
|
||||||
|
- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)
|
||||||
|
- [Developer Guidance for Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-kernel-internals/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340)
|
||||||
|
|
||||||
|
## Kernel Direct Memory Access (DMA) protection
|
||||||
|
|
||||||
|
Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
|
||||||
|
|
||||||
|
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||||
|
|
||||||
|
- [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
|
||||||
|
|
||||||
|
## Secured-core PC
|
||||||
|
|
||||||
|
The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs). The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows.
|
||||||
|
|
||||||
|
Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. With built-in hypervisor-protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all kernel executable code is signed only by known and approved authorities. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks with kernel DMA protection.
|
||||||
|
|
||||||
|
Secured-core PCs provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks may commonly attempt to install "bootkits" or "rootkits" on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows leverage virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a non-repudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
|
||||||
|
|
||||||
|
Thousands of PC vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
|
||||||
|
|
||||||
|
In Secured-core PCs, [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection) protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit or bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. [Firmware Attack Surface Reduction (FASR) technology](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) can be used instead of DRTM on supported devices, such as Microsoft Surface.
|
||||||
|
|
||||||
|
System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation.
|
||||||
|
|
||||||
|
:::image type="content" source="images\architecture.png" alt-text="aas" lightbox="images\architecture.png" border="false":::
|
||||||
|
|
||||||
|
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||||
|
|
||||||
|
- [Dynamic Root of Trust measure and SMM isolation](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/)
|
||||||
|
- [Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)
|
||||||
|
|
||||||
|
## Secured-core configuration lock
|
||||||
|
|
||||||
|
In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core configuration lock (config lock) is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows 11 with config lock](/windows/client-management/mdm/config-lock)
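Review bot: the `:::image type="content" source="images\architecture.png" alt-text="aas" ...:::` line in this hunk ships a placeholder alt text ("aas"); replace it with a description of what the architecture diagram shows before merge, since accessibility checks fail on meaningless alt text. The image path also uses backslashes while the `:::image type="icon" source="images/learn-more.svg" ...:::` line in the same file uses forward slashes; use forward slashes consistently. One wording point in the first paragraph: "System Management Mode (SMM) isolation is an execution mode in x86-based processors" conflates the two; SMM itself is the execution mode, and SMM isolation is the set of restrictions applied to it, so consider "System Management Mode (SMM) is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM isolation complements ...".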
14
windows/security/book/hardware-security-root.md
Normal file
@ -0,0 +1,14 @@
---
title: Hardware security
description: Windows 11 security book - Hardware security chapter.
ms.topic: overview
ms.date: 04/09/2024
---
# Hardware security
:::image type="content" source="images\hardware-on.png" alt-text="Diagram of containng a list of security features." lightbox="images\hardware.png" border="false":::
Today's ever-evolving threats require strong alignment between hardware and software technologies to keep users, data, and devices protected. The operating system alone cannot defend against the wide range of tools and techniques cybercriminals use to compromise a computer. Once they gain a foothold, intruders can be difficult to detect as they engage in multiple nefarious activities ranging from stealing important data and credentials to implanting malware into low-level device firmware. Once malware is installed in firmware, it becomes difficult to identify and remove. These new threats call for computing hardware that is secure down to the very core, including the hardware chips and processors that store sensitive business information. With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone. Hardware-based protection can also improve the system's overall security without measurably slowing performance, compared to implementing the same capability in software.
With Windows 11, Microsoft has raised the hardware security bar to design the most secure version of Windows ever from chip to cloud. We have carefully chosen the hardware requirements and default security features based on threat intelligence, global regulatory requirements, and our own Microsoft Security team's expertise. We have worked with our chip and device manufacturing partners to integrate advanced security capabilities across software, firmware, and hardware. Through a powerful combination of hardware root-of-trust and silicon-assisted security, Windows 11 delivers built-in hardware protection out of the box.
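Review bot: the new `hardware-security-root.md` image line has `source="images\hardware-on.png"` but `lightbox="images\hardware.png"`; the lightbox normally opens the same file as the inline image, so confirm the mismatch is intentional or point both at the same asset. The alt text `"Diagram of containng a list of security features."` has a typo (`containng`) and should describe the diagram rather than say it contains a list; and, as elsewhere in this commit, the paths use backslashes where `images/learn-more.svg` uses forward slashes.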
@ -52,6 +52,3 @@ In Windows 11, hardware and software work together to protect sensitive data fro
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows security features licensing and edition requirements](https://learn.microsoft.com/en-us/windows/security/licensing-and-edition-requirements?tabs=edition)
- [Windows security features licensing and edition requirements](https://learn.microsoft.com/en-us/windows/security/licensing-and-edition-requirements?tabs=edition)
> [!div class="nextstepaction"]
> [Chapter 1: Hardware security >](hardware-security.md)
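Review bot: the licensing link in this hunk is an absolute URL with a locale, `https://learn.microsoft.com/en-us/windows/security/licensing-and-edition-requirements?tabs=edition`, while the rest of the commit uses site-relative links such as `/windows/client-management/mdm/config-lock`; use `/windows/security/licensing-and-edition-requirements?tabs=edition` so readers are not pinned to en-us. The removed `> [!div class="nextstepaction"]` / `> [Chapter 1: Hardware security >](hardware-security.md)` block pointed at `hardware-security.md`, which the TOC change in this commit replaces with `hardware-security-root.md`; removing the stale link is reasonable, but a next-step link to the new overview page would preserve the chapter navigation.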
@ -1,13 +1,20 @@
items:
items:
- name: "Windows 11 Security Book: Powerful security by design"
- name: "📘 Windows 11 Security Book: Powerful security by design"
items:
items:
- name: Introduction
- name: Introduction
href: index.md
href: index.md
- name: 1. Hardware security
- name: 1. Hardware security
href: hardware-security.md
- name: 2. Operating system security
href: operating-system-security-root.md
items:
items:
- name: Overview
href: hardware-security-root.md
- name: Hardware root-of-trust
href: hardware-security-hardware-root-of-trust.md
- name: Silicon assisted security
href: hardware-security-hardware-silicon-assisted-security,md
- name: 2. Operating system security
items:
- name: Overview
href: operating-system-security-root.md
- name: System security
- name: System security
href: operating-system-security-system-security.md
href: operating-system-security-system-security.md
- name: Encryption and data protection
- name: Encryption and data protection
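Review bot: `href: hardware-security-hardware-silicon-assisted-security,md` in the new "Silicon assisted security" entry has a comma where the extension separator should be a dot, so the TOC build will resolve it to a nonexistent file; change it to `href: hardware-security-hardware-silicon-assisted-security.md`. Dropping `href: hardware-security.md` from "1. Hardware security" in favour of child `items` is consistent with the `hardware-security-root.md` overview page added in this commit, but the old "2. Operating system security" line with `href: operating-system-security-root.md` is deleted and re-added lower down without its href, so double-check that the re-added node still renders as a section with the Overview child.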
@ -17,7 +24,13 @@ items:
- name: Virus and threat protection
- name: Virus and threat protection
href: operating-system-security-virus-and-threat-protection.md
href: operating-system-security-virus-and-threat-protection.md
- name: 3. Application security
- name: 3. Application security
href: application-security.md
items:
- name: Overview
href: application-security-root.md
- name: Application and driver control
href: application-security-application-and-driver-control.md
- name: Application isolation
href: application-security-application-isolation.md
- name: 4. Identity protection
- name: 4. Identity protection
href: identity-protection.md
href: identity-protection.md
- name: 5. Privacy
- name: 5. Privacy
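Review bot: the new "3. Application security" children point at `application-security-root.md`, `application-security-application-and-driver-control.md` and `application-security-application-isolation.md`, but of the new overview pages only `hardware-security-root.md` is visibly added in this commit; confirm the other href targets exist or are added in the same PR, otherwise the TOC build fails on broken links once `href: application-security.md` is removed from the parent node.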
@ -28,7 +41,7 @@ items:
href: security-foundations.md
href: security-foundations.md
- name: Conclusion
- name: Conclusion
href: conclusion.md
href: conclusion.md
- name: "Windows 11 Security Book: Powerful security by design - option 2"
- name: "📘 Windows 11 Security Book - option 2"
items:
items:
- name: Introduction
- name: Introduction
href: index.md
href: index.md
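Review bot: after this hunk the TOC carries two top-level trees for the same book, `"📘 Windows 11 Security Book: Powerful security by design"` and `"📘 Windows 11 Security Book - option 2"`, both rooted at `index.md`; an "option 2" draft layout should not ship in the published TOC, so settle on one tree before merge or move the alternative to a branch. Also confirm that the emoji prefix added to the `name` values is acceptable under the TOC schema and the docs style guide, since the rest of the TOC uses plain text names.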