This commit is contained in:
Paolo Matarazzo
2024-04-18 06:08:16 -04:00
parent d733525f69
commit 570995c21a
3 changed files with 280 additions and 5 deletions

View File

@ -0,0 +1,3 @@
<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M0 2.5C0 1.11929 1.11929 0 2.5 0H14C15.3807 0 16.5 1.11929 16.5 2.5V16.75C16.5 17.1642 16.1642 17.5 15.75 17.5H1.5C1.5 18.0523 1.94772 18.5 2.5 18.5H15.75C16.1642 18.5 16.5 18.8358 16.5 19.25C16.5 19.6642 16.1642 20 15.75 20H2.5C1.11929 20 0 18.8807 0 17.5V2.5ZM8.25 6C8.8023 6 9.25 5.55228 9.25 5C9.25 4.44772 8.8023 4 8.25 4C7.6977 4 7.25 4.44772 7.25 5C7.25 5.55228 7.6977 6 8.25 6ZM7.5 7.75V12.75C7.5 13.1642 7.8358 13.5 8.25 13.5C8.6642 13.5 9 13.1642 9 12.75V7.75C9 7.33579 8.6642 7 8.25 7C7.8358 7 7.5 7.33579 7.5 7.75Z" fill="#0883D9"/>
</svg>
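Review bot: the rendered page does not show the path of this new file, while the other hunks in this commit reference it three times as `images/learn-more.svg` (via `:::image type="icon" source="images/learn-more.svg" border="false":::`), so confirm the file lands at exactly that path relative to the book page or the icon rows will render broken. A style point on the SVG itself: the fill is hard-coded to `#0883D9`; if the site theme recolors inline icons, `fill="currentColor"` is the usual choice, and since the icon is decorative (`type="icon"`) it needs no `<title>`.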


View File

@ -25,13 +25,13 @@ To help businesses transform and thrive in a new era, we built Windows 11 to be
### Security by design and security by default
Windows 11 is designed with layers of security enabled by default, so you can focus on your work, not your security settings. Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 58% drop in security incidents, including a 3.1x reduction in firmware attacks <sup>[\[5\]](#footnote5)</sup>.
Windows 11 is designed with layers of security enabled by default, so you can focus on your work, not your security settings. **Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 58% drop in security incidents, including a 3.1x reduction in firmware attacks** <sup>[\[5\]](#footnote5)</sup>.
In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation <sup>[\[6\]](#footnote6)</sup>, token protection <sup>[\[6\]](#footnote6)</sup>, and Microsoft Intune Endpoint Privilege Management <sup>[\[7\]](#footnote7)</sup> are some of the latest capabilities that help protect your organization and employees against attack. Windows Hello and Windows Hello for Business work with hardware-based features like TPM 2.0 and biometric scanners for credential protection and easier, secure sign-on. Existing security features like BitLocker encryption have also been enhanced to optimize both security and performance.
### Protect employees against evolving threats
With attackers targeting employees and their devices, organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities. Secure biometric sign-in virtually eliminates the risk of lost or stolen passwords. And enhanced phishing protection increases safety. In fact, businesses reported 2.8x fewer instances of identity theft with the hardware-backed protection in Windows 11 <sup>[\[5\]](#footnote5)</sup>.
With attackers targeting employees and their devices, organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities. Secure biometric sign-in virtually eliminates the risk of lost or stolen passwords. And enhanced phishing protection increases safety. In fact, **businesses reported 2.8x fewer instances of identity theft with the hardware-backed protection in Windows 11** <sup>[\[5\]](#footnote5)</sup>.
### Gain mission-critical application safeguards
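Review bot: the unchanged context line between the two edited sentences cites footnote 6 twice in a row (`Win32 apps in isolation <sup>[\[6\]](#footnote6)</sup>, token protection <sup>[\[6\]](#footnote6)</sup>`) and then jumps to footnote 7 for Endpoint Privilege Management; since this hunk is already touching the footnote formatting of the paragraph, check whether one of those two should point at a different footnote. The bolding itself is fine, but note the bold span closes before the `<sup>` in both edited lines, so the footnote marker stays unbolded; that is consistent between the two, which is what matters.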

View File

@ -20,7 +20,8 @@ Windows 11 is the most secure Windows yet with extensive security measures in th
- [Device health attestation](#device-health-attestation)
- [Windows security policy settings and auditing](#windows-security-policy-settings-and-auditing)
- [Assigned Access](#assigned-access)
- [Config Refresh](#config-refresh)[Windows security settings](#windows-security-settings)
- [Config Refresh](#config-refresh)
- [Windows security settings](#windows-security-settings)
### Trusted Boot (Secure Boot + Measured Boot)
@ -116,7 +117,7 @@ Learn more:
With Assigned Access, Windows devices restrict functionality to pre-selected applications depending on the user and keep individual identities separate, which is ideal for public-facing or shared devices. Configuring a device in Kiosk Mode is a straightforward process. You can do this locally on the device or remotely using modern device management.
Learn more: [Windows kiosks and restricted user experiences](../../configuration/assigned-access/index.md)
Learn more: [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
### Config Refresh
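Review bot: the edited Learn more line switches from the repo-relative link `../../configuration/assigned-access/index.md` to the site-absolute URL `/windows/configuration/assigned-access`, while the other Learn more links in this file that target content in this repo (for example `../operating-system-security/data-protection/bitlocker/index.md`) stay repo-relative and only links into other doc sets such as `/security/defender-endpoint/network-protection` are absolute. The old path shows assigned-access lives in this repo's `configuration` folder, and the relative form is what lets the build validate the target at build time, so either keep the relative `.md` link (fixing the path if it moved) or state in the commit why this page is linked as an external URL.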
@ -139,7 +140,278 @@ Learn more:
## Encryption and data protection
## Network security
- [BitLocker](#bitlocker)
- [BitLocker To Go](#bitlocker-to-go)
- [Device Encryption](#device-encryption)
- [Encrypted hard drive](#encrypted-hard-drive)
- [Personal data encryption](#personal-data-encryption)
- [Email encryption](#email-encryption)
When people travel with their PCs, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
### BitLocker
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure<sup>9</sup> can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune<sup>6</sup> using a configuration service provider (CSP).<sup>9</sup> BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), leveraging technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. Windows consistently improves data protection by expanding existing options and providing new strategies.
Learn more: [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md)
### BitLocker To Go
BitLocker To Go refers to BitLocker Drive Encryption on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
Learn more: [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml)
### Device Encryption
Device Encryption is consumer-level device encryption that cannot be managed. Device Encryption is turned on by default for devices with the right hardware components (for example, TPM 2.0, UEFI Secure Boot, Hardware Security Test Interface, and Modern Standby). However, for a commercial scenario, it is possible for commercial customers to disable Device Encryption in favor of BitLocker Drive Encryption. BitLocker Drive Encryption is manageable through MDM.
Learn more: [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption)
### Encrypted hard drive
Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full-disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity.
Encrypted hard drives enable:
- Smooth performance: Encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation
- Strong security based in hardware: Encryption is always "on," and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks
- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There is no need
to re-encrypt data on the drive
- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process
Learn more: [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md)
### Personal data encryption
Personal Data Encryption refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container which houses the encryption keys used by Personal Data Encryption (PDE). When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content.
With the first release of PDE (Windows 11 22H2), the PDE API was available, which when adopted by applications can protect data under the purview of the applications. With the platform release of the next Windows version, PDE for Folders will be released, this feature would require no updates to any applications and protects the contents in the Known Windows Folders from bootup till first login. This reduces the barrier for entry for customers and they will be able to get PDE security as part of the OS.
PDE requires Microsoft Entra ID.
Learn more: [Personal Data Encryption (PDE)](../operating-system-security/data-protection/personal-data-encryption/index.md)
### Email encryption
Email encryption enables users to encrypt outgoing email messages and attachments so that only intended recipients with a digital identification (ID)—also called a certificate—can read them.10 Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.
These encrypted messages can be sent by a user to people within their organization as well as external contacts who have proper encryption certificates.
However, recipients using Windows 11 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If an encrypted message is sent to recipients whose encryption certificates are not available, the app will prompt you to remove these recipients before sending the email.
### Network security
Windows 11 raises the bar for network security, offering comprehensive protection to help people work with confidence from almost anywhere. To help reduce an organization's attack
surface, network protection in Windows prevents people from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content.
Using reputation-based services, network protection blocks access to potentially harmful, low-reputation domains and IP addresses.
New DNS and TLS protocol versions strengthen the end-to-end protections needed for applications, web services, and Zero Trust networking. File access adds an untrusted network scenario with Server Message Block over QUIC, as well as new encryption and signing capabilities. Wi-Fi and Bluetooth advancements also provide greater trust in connections to other devices. In addition, VPN and Windows Firewall (previously called Windows Defender Firewall) platforms offer new ways to easily configure and debug software.
In enterprise environments, network protection works best with Microsoft Defender for Endpoint, which provides detailed reporting on protection events as part of larger investigation scenarios.
Learn more: [How to protect your network](/security/defender-endpoint/network-protection)
### Transport layer security (TLS)
Transport Layer Security (TLS) is the internet's most deployed security protocol, encrypting data in transit to provide a secure communication channel between two endpoints. Windows defaults to the latest protocol versions and strong cipher suites unless policies are in effect to limit them. There are many extensions available, such as client authentication for enhanced server security and session resumption for improved application performance.
TLS 1.3 is the latest version of the protocol and is enabled by default starting with Windows 11 and Windows Server 2022. TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and encrypts as much of the TLS handshake as possible. The handshake is more performant, with one fewer round trip per connection on average, and supports only five strong cipher suites, which provide perfect forward secrecy and reduced operational risk.
Customers using TLS 1.3 (or Windows components that support it, including HTTP.SYS, WinInet, .NET, MsQuic, and more) will get enhanced privacy and lower latencies for their encrypted online connections. Note that if either the client or server does not support TLS 1.3, Windows will fall back to TLS 1.2.
Legacy protocol versions TLS 1.0 and 1.1 are officially deprecated and will be disabled by default in future OS versions only. This change will come to Windows Insider Preview in September 2023. Organizations and application developers are strongly encouraged to begin to identify and remove code dependencies on TLS 1.0/1.1 if they have not done so already.
Learn more:
- [TLS/SSL overview (Schannel SSP)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)
- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/bc-p/3894928/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExMM0hCN0VURDk3OU9OfDM4OTQ5Mjh8U1VCU0NSSVBUSU9OU3xoSw#M6180)
### DNS security
In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their
name queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust
model where no trust is placed in a network boundary, having a secure connection to a trusted name resolver is required.
Windows 11 provides Group Policy as well as programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS.
Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT) and the system Hosts file, as well as resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms.
### Bluetooth protection
The number of Bluetooth devices connected to Windows 11 continues to increase.
Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories
and improve their day-to-day PC experience by enjoying streaming, productivity, and
gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE
Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also
implements host-based LE privacy. Windows updates help users stay current with OS and
driver security features in accordance with the Bluetooth Special Interest Group (SIG) and
Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core
industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and
software are kept up to date.
IT-managed environments have a number of Bluetooth policies (MDM, Group Policy, and
PowerShell) that can be managed through MDM tools such as Microsoft Intune<sup>9</sup>. You can
configure Windows to use Bluetooth technology while supporting the security needs of your
organization. For example, you can allow input and audio while blocking file transfer, force
encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the
most sensitive environments.
### Securing Wi-Fi connections
Windows Wi-Fi supports industry-standard authentication and encryption methods when
connecting to Wi-Fi networks. WPA (Wi-Fi Protected Access) is a security standard defined by the
Wi-Fi Alliance (WFA) to provide sophisticated data encryption and better user authentication.
The current security standard for Wi-Fi authentication is WPA3, which provides a more
secure and reliable connection method as compared to WPA2 and older security protocols.
Windows supports three WPA3 modes—WPA3 Personal, WPA3 Enterprise, and WPA3
Enterprise 192-bit Suite B.
Windows 11 includes WPA3 Personal with the new H2E protocol and WPA3 Enterprise 192-
bit Suite B. Windows 11 also supports WPA3 Enterprise, which includes enhanced server
certificate validation and TLS 1.3 for authentication using EAP-TLS authentication.
Opportunistic Wireless Encryption (OWE), a technology that allows wireless devices to
establish encrypted connections to public Wi-Fi hotspots, is also included
### 5G and eSIM
5G networks use stronger encryption and better network segmentation compared to
previous generations of cellular protocols. Unlike Wi-Fi, 5G access is always mutually
authenticated. Access credentials are stored in an EAL4-certified eSIM that is physically
embedded in the device, making it much harder for attackers to tamper with. Together, 5G
and eSIM provide a strong foundation for security.
Learn more: eSIM configuration of a download serve
### Windows Firewall
Windows Firewall with Advanced Security (previously called Windows Defender Firewall) is an
important part of a layered security model. It provides host-based, two-way network traffic
filtering, blocking unauthorized traffic flowing into or out of the local device based on the
types of networks the device is connected to.
Windows Firewall in Windows 11 offers the following benefits:
* Reduces the risk of network security threats: Windows Firewall reduces the attack surface
of a device with rules that restrict or allow traffic by many properties, such as IP addresses,
ports, or program paths. This functionality increases manageability and decreases the
likelihood of a successful attack.
* Safeguards sensitive data and intellectual property: By integrating with Internet Protocol
Security (IPSec), Windows Firewall provides a simple way to enforce authenticated, endto-end network communications. It provides scalable, tiered access to trusted network
resources, helping to enforce integrity of the data, and optionally helping to protect the
confidentiality of the data.
* Extends the value of existing investments: Because Windows Firewall is a host-based
firewall that is included with the operating system, there is no additional hardware or
software required. Windows Firewall is also designed to complement existing nonMicrosoft network security solutions through a documented application programming
interface (API).
Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior
has been integrated with Packet Monitor (pktmon), an in-box, cross-component network
diagnostic tool for Windows. Additionally, the Windows Firewall event logs have been
enhanced to ensure an audit can identify the specific filter that was responsible for any given
event. This enables analysis of firewall behavior and rich packet capture without relying on
third-party tools.
Admins can now configure additional settings through the Firewall and Firewall Rule policy
templates in the Endpoint Security node in Microsoft Intune<sup>9</sup>, leveraging the platform
support from the Firewall configuration service provider (CSP) and applying these settings to
Windows endpoints.
Learn more: [Windows Firewall overview](../operating-system-security/network-security/windows-firewall/index.md)
### Virtual private networks (VPN)
Organizations have long relied on Windows to provide reliable, secured, and manageable
virtual private network (VPN) solutions. The Windows VPN client platform includes built- in VPN
protocols, configuration support, a common VPN user interface, and programming support for
custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and
consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, we've integrated the most commonly used VPN controls right into the
Windows 11 Quick Actions pane. From the Quick Actions pane, users can see the status of
their VPN, start and stop the VPN tunnels, and with one click, go to the modern Settings app
for more control.
The Windows VPN platform connects to Microsoft Entra ID<sup>9</sup> and Conditional Access for
single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID.
The VPN platform also supports classic domain-joined authentication. It's supported by
Microsoft Intune and other modern device management (MDM) providers. The flexible VPN
profile supports both built-in protocols and custom protocols. It can configure multiple
authentication methods and can be automatically started as needed or manually started by
the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted
external sites.
With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old
version of their VPN client. VPN apps from the store will be automatically updated as needed.
Naturally, the updates are in the control of your IT admins.
The Windows VPN platform has been tuned and hardened for cloud-based VPN providers
like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface
integration, plumbing IKE traffic selectors, and server support are all built into the Windows
VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin
experience. User authentication is more consistent, and users can easily find and control
their VPN.
:::row:::
:::column:::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
:::column-end:::
:::column:::
- Windows VPN technical guide
- something else
:::column-end:::
:::row-end:::
### Server Message Block file services
Server Message Block (SMB) and file services are the most common Windows workloads in
the commercial and public sector ecosystem. Users and applications rely on SMB to access
the files that run organizations of all sizes. In Windows 11, the SMB protocol has significant
security updates to meet today's threats, including AES-256 encryption, accelerated SMB
signing, Remote Directory Memory Access (RDMA) network encryption, and an entirely new
scenario, SMB over QUIC for untrusted networks.
SMB encryption provides end-to-end encryption of SMB data and protects data from
eavesdropping occurrences on internal networks. Windows 11 introduces AES-256-GCM and
AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can
mandate the use of this more advanced security or continue to use the more compatible and
still-safe AES-128 encryption.
In Windows 11 Enterprise, Education, Pro, and Pro Workstation, SMB Direct now supports
encryption. For demanding workloads like video rendering, data science, or extremely large
files, you can now operate with the same safety as traditional Transmission Control Protocol
(TCP) and the performance of RDMA. Previously, enabling SMB encryption disabled direct
data placement, making RDMA as slow as TCP. Now, data is encrypted before placement,
leading to relatively minor performance degradation while adding packet privacy with AES-128 and AES-256 protection.
Windows 11 also introduces AES-128-GMAC for SMB signing. Windows will automatically
negotiate this better-performing cipher method when connecting to another computer that
supports it. Signing prevents common attacks like relay and spoofing, and it is required by
default when clients communicate with Active Directory domain controllers.
Finally, Windows 11 introduces SMB over QUIC, an alternative to the TCP network transport
that provides secure, reliable connectivity to edge file servers over untrusted networks like the
internet, as well as highly secure communications on internal networks. QUIC is an Internet
Engineering Task Force (IETF)-standardized protocol with many benefits when compared with
TCP, but most importantly, it always requires TLS 1.3 and encryption. SMB over QUIC offers
an SMB VPN for telecommuters, mobile device users, and high-security organizations. All
SMB traffic, including authentication and authorization within the tunnel, is never exposed
to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user
experience doesn't change. SMB over QUIC will be a game-changing feature for Windows 11
accessing Windows file servers and eventually Azure Files and third parties.
Newly installed Windows 11 Home editions that contain the February 2023 cumulative
update no longer install the SMB 1.0 client by default, meaning the Home edition now
operates like all other editions of Windows 11. SMB 1.0 is an unsafe and deprecated protocol
that Microsoft superseded by later versions of SMB starting with Windows Vista. Microsoft
began uninstalling SMB 1.0 by default in certain Windows 10 editions in 2017. No versions of
Windows 11 now install SMB 1.0 by default.
:::image type="icon" source="images/learn-more.svg" border="false"::: Learn more: File sharing using the SMB 3 protocol
### ssss
:::row:::
:::column:::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
:::column-end:::
:::column:::
- Windows VPN technical guide
:::column-end:::
:::row-end:::
## Virus and threat protection
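Review bot: this hunk still contains unfinished placeholders that must not merge as-is: the heading `### ssss`, the Learn more bullet `- something else`, the truncated `Learn more: eSIM configuration of a download serve`, Learn more entries with no link at all (Windows VPN technical guide, File sharing using the SMB 3 protocol), and a second copy of the VPN Learn more row placed after the SMB section. Structure: `### Network security` and every section after it (TLS, DNS, Bluetooth, Wi-Fi, 5G and eSIM, Windows Firewall, VPN, SMB) is nested under `## Encryption and data protection`, whose bullet list names only the six encryption topics; promote Network security to `##` with its own link list, matching the pattern the other chapters use. PDF copy artifacts to fix before merge: `endto-end` and `nonMicrosoft` (dropped hyphens), `read them.10` (a footnote number fused into the sentence), and `Remote Directory Memory Access (RDMA)`, which should read Remote Direct Memory Access. The bare `<sup>9</sup>` and `<sup>6</sup>` footnote marks do not use the linked `[\[n\]](#footnoten)` form the rest of the book uses, and they are inconsistent: Microsoft Intune is tagged 6 in the BitLocker paragraph but 9 in the Bluetooth and Firewall paragraphs, and the BitLocker paragraph carries 9 twice. Finally, the TLS section still says the TLS 1.0/1.1 change "will come to Windows Insider Preview in September 2023", which is stale for an April 2024 commit; reword to the current state of that rollout.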