deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

metadata updates

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-03-09 14:38:09 -05:00
parent b68d25852b
commit 5b5d18580b
25 changed files with 189 additions and 207 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
windows/security/apps.md
View File

@ -1,21 +1,21 @@
---
title: Windows application security
description: Get an overview of application security in Windows 10 and Windows 11
description: Get an overview of application security in Windows
ms.reviewer:
manager: aaroncz
ms.author: dansimp
author: dansimp
ms.author: paoloma
author: paolomatarazzo
ms.prod: windows-client
ms.technology: itpro-security
ms.date: 12/31/2017
ms.date: 03/09/2023
ms.topic: article
---
# Windows application security
Cyber-criminals regularly gain access to valuable data by hacking applications. This can include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security.
Cyber-criminals regularly gain access to valuable data by hacking applications. This can include *code injection* attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security.
The following table summarizes the Windows security features and capabilities for apps:<br/><br/>
The following table summarizes the Windows security features and capabilities for apps:
| Security Measures | Features & Capabilities |
|:---|:---|
@ -24,3 +24,4 @@ The following table summarizes the Windows security features and capabilities fo
| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](threat-protection\windows-sandbox\windows-sandbox-overview.md)
| Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](identity-protection/configure-s-mime.md) |
| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) |

26
windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
View File

@ -95,7 +95,7 @@ You define the bluetooth signal with more attributes in the signal element. The
|rssiMin|"*number*"|no|
|rssiMaxDelta|"*number*"|no|
#### Example
For example:
```xml
<rule schemaVersion="1.0">
@ -191,7 +191,7 @@ The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IP
##### IPv6DnsServer
The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The **signal** element may contain one or more **ipv6DnsServer** element. For example:
The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The **signal** element may contain one or more **ipv6DnsServer** elements. For example:
```xml
<ipv6DnsServer>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6DnsServer>
@ -199,7 +199,7 @@ The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IP
##### dnsSuffix
The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** element. For example:
The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements. For example:
```xml
<dnsSuffix>corp.contoso.com</dnsSuffix>
@ -209,25 +209,23 @@ The fully qualified domain name of your organization's internal DNS suffix where
You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements don't have attributes or nested elements.
#### SSID
##### SSID
Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required.
Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required. For example:
```xml
<ssid>corpnetwifi</ssid>
```
#### BSSID
##### BSSID
Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional.
#### Example
Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional. For example:
```xml
<bssid>12-ab-34-ff-e5-46</bssid>
```
#### Security
##### Security
Contains the type of security the client uses when connecting to the wireless network. The security element is required and must contain one of the following values:<br>
@ -240,7 +238,7 @@ Contains the type of security the client uses when connecting to the wireless ne
|WPA2-Personal| The wireless network is protected using Wi-Fi Protected Access 2, which typically uses a pre-shared key.|
|WPA2-Enterprise| The wireless network is protected using Wi-Fi Protected Access 2-Enterprise.|
#### Example
For example:
```xml
<security>WPA2-Enterprise</security>
@ -248,9 +246,7 @@ Contains the type of security the client uses when connecting to the wireless ne
#### TrustedRootCA
Contains the thumbprint of the trusted root certificate of the wireless network. You can use any valid trusted root certificate. The value is represented as hexadecimal string, where each byte in the string is separated by a single space. The element is optional.
#### Example
Contains the thumbprint of the trusted root certificate of the wireless network. You can use any valid trusted root certificate. The value is represented as hexadecimal string, where each byte in the string is separated by a single space. The element is optional. For example:
```xml
<trustedRootCA>a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa</trustedRootCA>
@ -259,7 +255,7 @@ Contains the thumbprint of the trusted root certificate of the wireless network.
#### Sig_quality
Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
#### Example
For example:
```xml
<sig_quality>80</sig_quality>

8
windows/security/information-protection/index.md
View File

@ -2,11 +2,11 @@
title: Information protection (Windows 10)
description: Learn more about how to protect sensitive data across your organization.
ms.prod: windows-client
author: dansimp
ms.author: dansimp
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.topic: conceptual
ms.date: 10/10/2018
ms.date: 03/09/2023
ms.technology: itpro-security
---
@ -18,7 +18,7 @@ Learn more about how to secure documents and other data across your organization
|-|-|
| [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
| [Encrypted Hard Drive](encrypted-hard-drive.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
| [Kernel DMA Protection](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to PCI accessible ports, such as Thunderbolt 3 ports. |
| [Kernel DMA Protection](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to PCI accessible ports, such as Thunderbolt&trade; 3 ports. |
| [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
| [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Windows 10 supports features to help prevent rootkits and bootkits from loading during the startup process. |
| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |

14
windows/security/information-protection/secure-the-windows-10-boot-process.md
View File

@ -2,25 +2,21 @@
title: Secure the Windows boot process
description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: paoloma
author: paolomatarazzo
manager: aaroncz
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 05/12/2022
ms.author: dansimp
ms.date: 03/09/2023
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
---
# Secure the Windows boot process
*Applies to:*
- Windows 11
- Windows 10
- Windows 8.1
The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.

7
windows/security/information-protection/tpm/tpm-fundamentals.md
View File

@ -1,13 +1,12 @@
---
title: Trusted Platform Module (TPM) fundamentals
description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks.
ms.reviewer:
ms.prod: windows-client
author: dansimp
ms.author: dansimp
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.topic: conceptual
ms.date: 02/22/2023
ms.date: 03/09/2023
ms.technology: itpro-security
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>

14
windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
View File

@ -3,9 +3,9 @@ title: Unenlightened and enlightened app behavior while using Windows Informatio
description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:
@ -21,8 +21,8 @@ Windows Information Protection (WIP) classifies apps into two categories: enligh
To avoid the automatic encryption of data, developers can enlighten apps by adding and compiling code using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that:
- Dont use common controls for saving files.
- Dont use common controls for text boxes.
- Don't use common controls for saving files.
- Don't use common controls for text boxes.
- Simultaneously work on personal and corporate data (for example, contact apps that display personal and corporate data in a single view or a browser that displays personal and corporate web pages on tabs within a single instance).
We strongly suggest that the only unenlightened apps you add to your allowed apps list are Line-of-Business (LOB) apps.
@ -35,8 +35,8 @@ This table includes info about how unenlightened apps might behave, based on you
|App rule setting|Networking policy configuration|
|--- |--- |
|**Not required.** App connects to enterprise cloud resources directly, using an IP address.| **Name-based policies, without the `/*AppCompat*/` string:**<li>App is entirely blocked from both personal and enterprise cloud resources.<li>No encryption is applied.<li>App cant access local Work files.<br/><br/>**Name-based policies, using the `/*AppCompat*/` string or proxy-based policies:**<li>App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.<li>No encryption is applied.<li>App cant access local Work files.|
|**Not required.** App connects to enterprise cloud resources, using a hostname.|<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.<li>No encryption is applied.<li>App cant access local Work files.|
|**Not required.** App connects to enterprise cloud resources directly, using an IP address.| **Name-based policies, without the `/*AppCompat*/` string:**<li>App is entirely blocked from both personal and enterprise cloud resources.<li>No encryption is applied.<li>App can't access local Work files.<br/><br/>**Name-based policies, using the `/*AppCompat*/` string or proxy-based policies:**<li>App can access both personal and enterprise cloud resources. However, you might encounter apps using policies that restrict access to enterprise cloud resources.<li>No encryption is applied.<li>App can't access local Work files.|
|**Not required.** App connects to enterprise cloud resources, using a hostname.|<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.<li>No encryption is applied.<li>App can't access local Work files.|
|**Allow.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li>Auto-encryption is applied.<li>App can access local Work files.|
|**Exempt.** App connects to enterprise cloud resources, using an IP address or a hostname.|<li>App can access both personal and enterprise cloud resources.<li>No encryption is applied.<li>App can access local Work files.|

36
windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
View File

@ -3,9 +3,9 @@ title: How to collect Windows Information Protection (WIP) audit event logs (Win
description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding.
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:
@ -27,7 +27,7 @@ Windows Information Protection (WIP) creates audit events in the following situa
- If an app has custom audit events.
## Collect WIP audit logs by using the Reporting configuration service provider (CSP)
Collect the WIP audit logs from your employees devices by following the guidance provided by the [Reporting configuration service provider (CSP)](/windows/client-management/mdm/reporting-csp) documentation. This topic provides info about the actual audit events.
Collect the WIP audit logs from your employee's devices by following the guidance provided by the [Reporting configuration service provider (CSP)](/windows/client-management/mdm/reporting-csp) documentation. This topic provides info about the actual audit events.
>[!Note]
>The **Data** element in the response includes the requested audit logs in an XML-encoded format.
@ -53,12 +53,12 @@ This table includes all available attributes/elements for the **Log** element. T
|Object |String |A description of the shared work data. For example, if an employee opens a work file by using a personal app, this would be the file path. |
|DataInfo |String |Any additional info about how the work file changed:<ul><li>**A file path.** If an employee uploads a work file to a personal website by using Microsoft Edge or Internet Explorer, the file path is included here.</li><li>**Clipboard data types.** If an employee pastes work data into a personal app, the list of clipboard data types provided by the work app are included here. For more info, see the [Examples](#examples) section of this topic.</li></ul> |
|Action |Int |Provides info about what happened when the work data was shared to personal, including:<ul><li>**1.** File decrypt.</li><li>**2.** Copy to location.</li><li>**3.** Send to recipient.</li><li>**4.** Other.</li></ul> |
|FilePath |String |The file path to the file specified in the audit event. For example, the location of a file thats been decrypted by an employee or uploaded to a personal website. |
|FilePath |String |The file path to the file specified in the audit event. For example, the location of a file that's been decrypted by an employee or uploaded to a personal website. |
|SourceApplicationName |String |The source app or website. For the source app, this is the AppLocker identity. For the source website, this is the hostname. |
|SourceName |String |A string provided by the app thats logging the event. Its intended to describe the source of the work data. |
|DestinationEnterpriseID |String |The enterprise ID value for the app or website where the employee is sharing the data.<br><br>**NULL**, **Personal**, or **blank** means theres no enterprise ID because the work data was shared to a personal location. Because we dont currently support multiple enrollments, youll always see one of these values. |
|SourceName |String |A string provided by the app that's logging the event. It's intended to describe the source of the work data. |
|DestinationEnterpriseID |String |The enterprise ID value for the app or website where the employee is sharing the data.<br><br>**NULL**, **Personal**, or **blank** means there's no enterprise ID because the work data was shared to a personal location. Because we don't currently support multiple enrollments, you'll always see one of these values. |
|DestinationApplicationName |String |The destination app or website. For the destination app, this is the AppLocker identity. For the destination website, this is the hostname. |
|DestinationName |String |A string provided by the app thats logging the event. Its intended to describe the destination of the work data. |
|DestinationName |String |A string provided by the app that's logging the event. It's intended to describe the destination of the work data. |
|Application |String |The AppLocker identity for the app where the audit event happened. |
### Examples
@ -127,10 +127,10 @@ Here are a few examples of responses from the Reporting CSP.
<Justification></Justification>
<Object>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</Object>
<Action>1</Action>
<SourceName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</SourceName>
<SourceName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT&reg; WINDOWS&reg; OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</SourceName>
<DestinationEnterpriseID>Personal</DestinationEnterpriseID>
<DestinationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</DestinationName>
<Application>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</Application>
<DestinationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT&reg; WINDOWS&reg; OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</DestinationName>
<Application>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT&reg; WINDOWS&reg; OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</Application>
</Log>
</User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>
@ -185,22 +185,22 @@ You can collect audit logs using Azure Monitor. See [Windows event log data sour
4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: `MMASetup-.exe /c /t:`
Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**.
Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**.
5. To deploy MSI via Intune, in installation parameters add: `/q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=<WORKSPACE_ID> OPINSIGHTS_WORKSPACE_KEY=<WORKSPACE_KEY> AcceptEndUserLicenseAgreement=1`
>[!NOTE]
>Replace <WORKSPACE_ID> & <WORKSPACE_KEY> received from step 5. In installation parameters, don't place <WORKSPACE_ID> & <WORKSPACE_KEY> in quotes ("" or '').
>[!NOTE]
>Replace <WORKSPACE_ID> & <WORKSPACE_KEY> received from step 5. In installation parameters, don't place <WORKSPACE_ID> & <WORKSPACE_KEY> in quotes ("" or '').
6. After the agent is deployed, data will be received within approximately 10 minutes.
7. To search for logs, go to **Log Analytics workspace** > **Logs**, and type **Event** in search.
***Example***
***Example***
```console
Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin"
```
```console
Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin"
```
## Additional resources
- [How to deploy app via Intune](/intune/apps-add)

8
windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
View File

@ -3,9 +3,9 @@ title: Associate and deploy a VPN policy for Windows Information Protection (WIP
description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:
@ -51,7 +51,7 @@ To associate your WIP policy with your organization's existing VPN policy, use t
## Deploy your VPN policy using Microsoft Intune
After youve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
After you've created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
1. On the **App policy** blade, select your newly-created policy, select **User groups** from the menu that appears, and then select **Add user group**.

10
windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
View File

@ -1,11 +1,11 @@
---
title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10)
description: After youve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
description: After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 03/05/2019
ms.reviewer:
@ -18,7 +18,7 @@ ms.technology: itpro-security
- Windows 10, version 1607 and later
After youve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
## To deploy your WIP policy

6
windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
View File

@ -4,9 +4,9 @@ description: Learn the difference between enlightened and unenlightened apps. Fi
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 05/02/2019
ms.technology: itpro-security

7
windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
View File

@ -1,12 +1,11 @@
---
title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 02/26/2019
ms.technology: itpro-security

9
windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
View File

@ -3,12 +3,11 @@ title: Mandatory tasks and settings required to turn on Windows Information Prot
description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise.
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 05/25/2022
ms.reviewer:
ms.technology: itpro-security
---
@ -23,7 +22,7 @@ This list provides all of the tasks and settings that are required for the opera
|----|-----------|
|Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. |
|Choose your Windows Information Protection protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage Windows Information Protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if its incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it's incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.<br><br>This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](./create-and-verify-an-efs-dra-certificate.md) topic.|

7
windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
View File

@ -1,12 +1,11 @@
---
title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager (Windows 10)
description: Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 02/26/2019
ms.technology: itpro-security

6
windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
View File

@ -4,9 +4,9 @@ description: Microsoft Intune helps you create and deploy your enterprise data p
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 03/11/2019
ms.technology: itpro-security

7
windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
View File

@ -3,12 +3,11 @@ title: Recommended URLs for Windows Information Protection (Windows 10)
description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 03/25/2019
ms.reviewer:
ms.technology: itpro-security
---

6
windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
View File

@ -4,9 +4,9 @@ description: A list of suggested testing scenarios that you can use to test Wind
ms.reviewer:
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 03/05/2019
ms.technology: itpro-security

8
windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
View File

@ -3,9 +3,9 @@ title: Using Outlook on the web with WIP (Windows 10)
description: Options for using Outlook on the web with Windows Information Protection (WIP).
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:
@ -28,4 +28,4 @@ Because Outlook on the web can be used both personally and as part of your organ
|Add outlook.office.com and outlook.office365.com to the Cloud resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. |
>[!NOTE]
>These limitations dont apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These apps will work properly, marking an employees mailbox as corporate data, regardless of how youve configured outlook.office.com in your network settings.
>These limitations don't apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These apps will work properly, marking an employee's mailbox as corporate data, regardless of how you've configured outlook.office.com in your network settings.

6
windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
View File

@ -3,9 +3,9 @@ title: Determine the Enterprise Context of an app running in Windows Information
description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.date: 02/26/2019
ms.reviewer:

26
windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
View File

@ -2,10 +2,10 @@
title: Block untrusted fonts in an enterprise (Windows 10)
description: To help protect your company from attacks that may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature.
ms.reviewer:
manager: aaroncz
ms.prod: windows-client
author: dansimp
ms.author: dansimp
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.date: 08/14/2017
ms.localizationpriority: medium
ms.technology: itpro-security
@ -20,7 +20,7 @@ ms.topic: reference
> Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
To help protect your company from attacks that may originate from untrusted or attacker-controlled font files, weve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.
To help protect your company from attacks that may originate from untrusted or attacker-controlled font files, we've created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.
## What does this mean for me?
Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature isn't turned on.
@ -30,7 +30,7 @@ There are three ways to use this feature:
- **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging.
- **Audit.** Turns on event logging, but doesnt block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.
- **Audit.** Turns on event logging, but doesn't block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.
> [!NOTE]
> If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
@ -40,9 +40,9 @@ There are three ways to use this feature:
## Potential reductions in functionality
After you turn on this feature, your employees might experience reduced functionality when:
- Sending a print job to a remote printer server that uses this feature and where the spooler process hasnt been excluded. In this situation, any fonts that arent already available in the servers %windir%/Fonts folder wont be used.
- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn't been excluded. In this situation, any fonts that aren't already available in the server's %windir%/Fonts folder won't be used.
- Printing using fonts provided by the installed printers graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](/windows-hardware/drivers/print/introduction-to-printer-graphics-dlls).
- Printing using fonts provided by the installed printer's graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](/windows-hardware/drivers/print/introduction-to-printer-graphics-dlls).
- Using first or third-party apps that use memory-based fonts.
@ -106,7 +106,7 @@ After you turn on this feature, or start using Audit mode, you can look at your
Blocked: true
> [!NOTE]
> Because the **FontType** is *Memory*, theres no associated **FontPath**.
> Because the **FontType** is *Memory*, there's no associated **FontPath**.
**Event Example 2 - Winlogon**<br>
Winlogon.exe attempted loading a font that is restricted by font-loading policy.<br>
@ -115,7 +115,7 @@ After you turn on this feature, or start using Audit mode, you can look at your
Blocked: true
> [!NOTE]
> Because the **FontType** is *File*, theres also an associated **FontPath**.
> Because the **FontType** is *File*, there's also an associated **FontPath**.
**Event Example 3 - Internet Explorer running in Audit mode**<br>
Iexplore.exe attempted loading a font that is restricted by font-loading policy.<br>
@ -124,7 +124,7 @@ After you turn on this feature, or start using Audit mode, you can look at your
Blocked: false
> [!NOTE]
> In Audit mode, the problem is recorded, but the font isnt blocked.
> In Audit mode, the problem is recorded, but the font isn't blocked.
## Fix apps having problems because of blocked fonts
Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems.
@ -133,15 +133,15 @@ After you figure out the problematic fonts, you can try to fix your apps in two
**To fix your apps by installing the problematic fonts (recommended)**
- On each computer with the app installed, right-click on the font name and click **Install**.<p>The font should automatically install into your `%windir%/Fonts` directory. If it doesnt, youll need to manually copy the font files into the **Fonts** directory and run the installation from there.
- On each computer with the app installed, right-click on the font name and click **Install**.<p>The font should automatically install into your `%windir%/Fonts` directory. If it doesn't, you'll need to manually copy the font files into the **Fonts** directory and run the installation from there.
**To fix your apps by excluding processes**
1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`.<br><br>For example, if you want to exclude Microsoft Word processes, youd use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`.<br><br>For example, if you want to exclude Microsoft Word processes, you'd use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
2. Add other processes that need to be excluded here, and then turn on the Blocking untrusted fonts feature, using the steps in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature), earlier in this article.
## Related content
- [Dropping the “Untrusted Font Blocking” setting](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068/)
- [Dropping the "Untrusted Font Blocking" setting](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068/)

8
windows/security/threat-protection/index.md
View File

@ -1,12 +1,10 @@
---
title: Windows threat protection
description: Describes the security capabilities in Windows client focused on threat protection
search.product: eADQiWindows 10XVcnh
ms.prod: windows-client
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
ms.technology: itpro-security
ms.date: 12/31/2017

7
windows/security/threat-protection/msft-security-dev-lifecycle.md
View File

@ -2,12 +2,11 @@
title: Microsoft Security Development Lifecycle
description: Download the Microsoft Security Development Lifecycle white paper that covers a security assurance process focused on software development.
ms.prod: windows-client
author: dansimp
ms.author: dansimp
manager: aaroncz
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: article
ms.localizationpriority: medium
ms.reviewer:
ms.technology: itpro-security
ms.date: 12/31/2017
---

20
windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
View File

@ -1,10 +1,10 @@
---
manager: aaroncz
ms.author: dansimp
title: Override Process Mitigation Options (Windows 10)
description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies.
ms.prod: windows-client
author: dulcemontemayor
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.localizationpriority: medium
ms.technology: itpro-security
ms.date: 12/31/2017
@ -19,10 +19,10 @@ ms.topic: article
- Windows 10, version 1607
- Windows Server 2016
Windows 10 includes Group Policy-configurable “Process Mitigation Options” that add advanced protections against memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example, malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation Options can prevent the running of the malicious code.
Windows 10 includes Group Policy-configurable "Process Mitigation Options" that add advanced protections against memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example, malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation Options can prevent the running of the malicious code.
> [!IMPORTANT]
> We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organizations required apps.
> We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization's required apps.
The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure more protections. The types of process mitigations are:
@ -30,7 +30,7 @@ The Group Policy settings in this topic are related to three types of process mi
- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they've been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection).
- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware thats designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization).
- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization).
To find more ASLR protections in the table below, look for `IMAGES` or `ASLR`.
The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings.
@ -41,7 +41,7 @@ The following procedure describes how to use Group Policy to override individual
![Group Policy editor: Process Mitigation Options with setting enabled and Show button active.](images/gp-process-mitigation-options.png)
2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where youll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic.
2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you'll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic.
**Important**<br>For each app you want to include, you must include:
@ -53,7 +53,7 @@ The following procedure describes how to use Group Policy to override individual
![Group Policy editor: Process Mitigation Options with Show Contents box and example text.](images/gp-process-mitigation-options-show.png)
## Setting the bit field
Heres a visual representation of the bit flag locations for the various Process Mitigation Options settings:
Here's a visual representation of the bit flag locations for the various Process Mitigation Options settings:
![Visual representation of the bit flag locations for the Process Mitigation Options settings.](images/gp-process-mitigation-options-bit-flag-image.png)
@ -64,11 +64,11 @@ Where the bit flags are read from right to left and are defined as:
|A |0 |`PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)` |Turns on Data Execution Prevention (DEP) for child processes. |
|B |1 |`PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)` |Turns on DEP-ATL thunk emulation for child processes. DEP-ATL thunk emulation lets the system intercept non-executable (NX) faults that originate from the Active Template Library (ATL) thunk layer, and then emulate and handle the instructions so the process can continue to run. |
|C |2 |`PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)` |Turns on Structured Exception Handler Overwrite Protection (SEHOP) for child processes. SEHOP helps to block exploits that use the Structured Exception Handler (SEH) overwrite technique. |
|D |8 |`PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)` |Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that arent dynamic base compatible. Images without the base relocation section wont be loaded if relocations are required. |
|D |8 |`PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)` |Uses the force Address Space Layout Randomization (ASLR) setting to act as though an image base collision happened at load time, forcibly rebasing images that aren't dynamic base compatible. Images without the base relocation section won't be loaded if relocations are required. |
|E |15 |`PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)` |Turns on the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
|F |16 |`PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)` |Turns off the bottom-up randomization policy, which includes stack randomization options and causes a random location to be used as the lowest user address. |
## Example
If you want to turn on the **PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE** and **PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON** settings, turn off the **PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF** setting, and leave everything else as the default values, youd want to type a value of `???????????????0???????1???????1`.
If you want to turn on the **PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE** and **PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON** settings, turn off the **PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF** setting, and leave everything else as the default values, you'd want to type a value of `???????????????0???????1???????1`.

7
windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
View File

@ -3,10 +3,9 @@ title: Mitigate threats by using Windows 10 security features (Windows 10)
description: An overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats.
ms.prod: windows-client
ms.localizationpriority: medium
author: dansimp
ms.reviewer:
manager: aaroncz
ms.author: dansimp
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.technology: itpro-security
ms.date: 12/31/2017
ms.topic: article

95
windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
View File

@ -1,14 +1,13 @@
---
title: Control the health of Windows 10-based devices (Windows 10)
description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.
ms.reviewer:
manager: aaroncz
ms.author: dansimp
ms.prod: windows-client
author: dulcemontemayor
ms.date: 10/13/2017
ms.localizationpriority: medium
ms.technology: itpro-security
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.topic: conceptual
---
@ -22,7 +21,7 @@ This article details an end-to-end solution that helps you protect high-value as
## Introduction
For Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-related resources and their personal data. Users want to use the device of their choice to access the organizations applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is also known as the consumerization of IT.
For Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-related resources and their personal data. Users want to use the device of their choice to access the organization's applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is also known as the consumerization of IT.
Users want to have the best productivity experience when accessing corporate applications and working on organization data from their devices. That means they won't tolerate being prompted to enter their work credentials each time they access an application or a file server. From a security perspective, it also means that users will manipulate corporate credentials and corporate data on unmanaged devices.
@ -36,17 +35,17 @@ Windows 10 is an important component of an end-to-end security solution that foc
## Description of a robust end-to-end security solution
Todays computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there's no doubt that malware now targets both consumers and professionals in all industries.
Today's computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there's no doubt that malware now targets both consumers and professionals in all industries.
During recent years, one particular category of threat has become prevalent: advanced persistent threats (APTs). The term APT is commonly used to describe any attack that seems to target individual organizations on an on-going basis. In fact, this type of attack typically involves determined adversaries who may use any methods or techniques necessary.
With the BYOD phenomena, a poorly maintained device represents a target of choice. For an attacker, its an easy way to breach the security network perimeter, gain access to, and then steal high-value assets.
With the BYOD phenomena, a poorly maintained device represents a target of choice. For an attacker, it's an easy way to breach the security network perimeter, gain access to, and then steal high-value assets.
The attackers target individuals, not specifically because of who they are, but because of who they work for. An infected device will bring malware into an organization, even if the organization has hardened the perimeter of networks or has invested in its defensive posture. A defensive strategy isn't sufficient against these threats.
### A different approach
Rather than the traditional focus on the prevention of compromise, an effective security strategy assumes that determined adversaries will successfully breach any defenses. It means that its necessary to shift focus away from preventative security controls to detection of, and response to, security issues. The implementation of the risk management strategy, therefore, balances investment in prevention, detection, and response.
Rather than the traditional focus on the prevention of compromise, an effective security strategy assumes that determined adversaries will successfully breach any defenses. It means that it's necessary to shift focus away from preventative security controls to detection of, and response to, security issues. The implementation of the risk management strategy, therefore, balances investment in prevention, detection, and response.
Because mobile devices are increasingly being used to access corporate information, some way to evaluate device security or health is required. This section describes how to provision device health assessment in such a way that high-value assets can be protected from unhealthy devices.
@ -54,9 +53,9 @@ Devices that are used to access corporate resources must be trusted. An efficien
:::image type="content" alt-text="figure 1." source="images/hva-fig1-endtoend1.png":::
A robust design needs to establish the users identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure.
A robust design needs to establish the user's identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure.
The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The users device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it.
The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user's device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it.
:::image type="content" alt-text="figure 2." source="images/hva-fig2-assessfromcloud2.png":::
@ -72,13 +71,13 @@ An MDM solution typically applies configuration policies and deploys software to
An MDM solution asks the device to send device health information and forward the health encrypted blob to the remote health attestation service. The remote health attestation service verifies device health data, checks that MDM is communicating to the same device, and then issues a device health report back to the MDM solution.
An MDM solution evaluates the health assertions and, depending on the health rules belonging to the organization, can decide if the device is healthy. If the device is healthy and compliant, MDM passes that information to the identity provider so the organizations access control policy can be invoked to grant access.
An MDM solution evaluates the health assertions and, depending on the health rules belonging to the organization, can decide if the device is healthy. If the device is healthy and compliant, MDM passes that information to the identity provider so the organization's access control policy can be invoked to grant access.
Access to content is then authorized to the appropriate level of trust for whatever the health status and other conditional elements indicate.
Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow more verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, further security authentication may need to be established by querying the user to answer a phone call before access is granted.
### <a href="" id="microsoft-s-security-investments-in-windows-10"></a>Microsofts security investments in Windows 10
### <a href="" id="microsoft-s-security-investments-in-windows-10"></a>Microsoft's security investments in Windows 10
In Windows 10, there are three pillars of investments:
@ -95,7 +94,7 @@ This section is an overview that describes different parts of the end-to-end sec
| Number | Part of the solution | Description |
| - | - | - |
| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.<br/>A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.|
| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organizations tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.<br/>Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that uses the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
| **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization's tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.<br/>Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that uses the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.|
| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.<br/>MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.|
| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.<br/>Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).|
| **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect.<br/>For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.|
@ -147,13 +146,13 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
- **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot doesn't require a TPM.
The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader thats signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program.
The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that's signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program.
Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows platform. Secure Boot protects the operating system boot process whether booting from local hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE).
Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity didn't compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded.
> [!NOTE]
> Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over.
> Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over.
- **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration.
@ -166,12 +165,12 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
- **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
Traditional antimalware apps dont start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run early in the boot sequence. Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded.
Traditional antimalware apps don't start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run early in the boot sequence. Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded.
ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasnt started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If its not trusted, Windows wont load it.
ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows won't load it.
> [!NOTE]
> Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defenders mini-filter driver before shutdown or reboot.
> Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender's mini-filter driver before shutdown or reboot.
The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code.
@ -187,9 +186,9 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This dependency on verification means that kernel memory pages can never be Writable and Executable (W+X) and executable code can't be directly modified.
> [!NOTE]
> Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865) blog post.
> Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865) blog post.
The Device Guard Code Integrity feature lets organizations control what code is trusted to run into the Windows kernel and what applications are approved to run in user mode. Its configurable by using a policy.
The Device Guard Code Integrity feature lets organizations control what code is trusted to run into the Windows kernel and what applications are approved to run in user mode. It's configurable by using a policy.
Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to modify or remove the current Code Integrity policy.
- **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation.
@ -198,7 +197,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik
This attack-free state is accomplished by using Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. This accomplishment means that even if the Windows kernel is compromised, an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this unauthorized access because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory.
- **Health attestation.** The devices firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the devices health.
- **Health attestation.** The device's firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device's health.
Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they're taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and can't be changed unless the system is reset.
@ -249,7 +248,7 @@ The trust decision to execute code is performed by using Hyper-V Code Integrity,
Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10, kernel-mode drivers must be digitally signed.
> [!NOTE]
> Independently of activation of Device Guard Policy, Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate.
> Independently of activation of Device Guard Policy, Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation ("EV") Code Signing Certificate.
With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines what is trusted to run. These include drivers and system files, and traditional desktop applications and scripts. The system is then locked down to only run applications that the organization trusts.
@ -258,7 +257,7 @@ Device Guard is a built-in feature of Windows 10 Enterprise that prevents the ex
- **Allow** limits execution of applications to an allowed list of code or trusted publisher and blocks everything else.
- **Deny** completes the allow trusted publisher approach by blocking the execution of a specific application.
At the time of this writing, and according to Microsofts latest research, more than 90 percent of malware is unsigned completely. So implementing a basic Device Guard policy can simply and effectively help block malware. In fact, Device Guard has the potential to go further, and can also help block signed malware.
At the time of this writing, and according to Microsoft's latest research, more than 90 percent of malware is unsigned completely. So implementing a basic Device Guard policy can simply and effectively help block malware. In fact, Device Guard has the potential to go further, and can also help block signed malware.
Device Guard needs to be planned and configured to be truly effective. It isn't just a protection that is enabled or disabled. Device Guard is a combination of hardware security features and software security features that, when configured together, can lock down a computer to help ensure the most secure and resistant system possible.
@ -274,16 +273,16 @@ For more information on how to deploy Device Guard in an enterprise, see the [De
As previously described, Device Guard is a powerful way to lock down systems. Device Guard isn't intended to be used broadly and it may not always be applicable, but there are some high-interest scenarios.
Device Guard is useful and applicable on fixed workloads systems like cash registers, kiosk machines, Secure Admin Workstations (SAWs), or well managed desktops. Device Guard is highly relevant on systems that have a well-defined software that are expected to run and dont change too frequently.
Device Guard is useful and applicable on fixed workloads systems like cash registers, kiosk machines, Secure Admin Workstations (SAWs), or well managed desktops. Device Guard is highly relevant on systems that have a well-defined software that are expected to run and don't change too frequently.
It could also help protect Information Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of applications isn't going to change on a daily basis.
SAWs are computers that are built to help significantly reduce the risk of compromise from malware, phishing attacks, bogus websites, and PtH attacks, among other security risks. Although SAWs cant be considered a “silver bullet” security solution to these attacks, these types of clients are helpful as part of a layered, defense-in-depth approach to security.
SAWs are computers that are built to help significantly reduce the risk of compromise from malware, phishing attacks, bogus websites, and PtH attacks, among other security risks. Although SAWs can't be considered a "silver bullet" security solution to these attacks, these types of clients are helpful as part of a layered, defense-in-depth approach to security.
To protect high-value assets, SAWs are used to make secure connections to those assets.
Similarly, on corporate fully managed workstations, where applications are installed by using a distribution tool like Microsoft Configuration Manager, Intune, or any third-party device management, then Device Guard is applicable. In that type of scenario, the organization has a good idea of the software that an average user is running.
It could be challenging to use Device Guard on corporate, lightly managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, its difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run.
It could be challenging to use Device Guard on corporate, lightly managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it's difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run.
Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code Integrity policy restricts what code can run on a device.
@ -308,11 +307,11 @@ Windows 10 includes tools that allow IT pros to take applications that have been
### Why are antimalware and device management solutions still necessary?
Although allowlist mechanisms are efficient at ensuring that only trusted applications can be run, they can't prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesnt protect against user mode malicious code run by exploiting vulnerabilities.
Although allowlist mechanisms are efficient at ensuring that only trusted applications can be run, they can't prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn't protect against user mode malicious code run by exploiting vulnerabilities.
Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by causing it to run malicious code without the users knowledge.
Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by causing it to run malicious code without the user's knowledge.
Its common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications compared to the operating system and kernel mode drivers that host them.
It's common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications compared to the operating system and kernel mode drivers that host them.
To combat these threats, patching is the single most effective control, with antimalware software forming complementary layers of defense.
@ -334,7 +333,7 @@ The following table details the hardware requirements for both virtualization-ba
|Hardware|Motivation|
|--- |--- |
|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot.<p>UEFI Secure Boot ensures that the device boots only authorized code.<p>Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: “System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”|
|UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot.<p>UEFI Secure Boot ensures that the device boots only authorized code.<p>Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: "System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby"|
|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security.<div class="alert">**Note:** Device Guard can be enabled without using virtualization-based security.</div>|
|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).<p>Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.|
|IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.|
@ -344,7 +343,7 @@ This section presented information about several closely related controls in Win
## <a href="" id="detect-unhealthy"></a>Detect an unhealthy Windows 10-based device
As of today, many organizations only consider devices to be compliant with company policy after theyve passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with todays systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools.
As of today, many organizations only consider devices to be compliant with company policy after they've passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today's systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools.
The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running.
@ -354,13 +353,13 @@ After the devices attest a trusted boot state, they can prove that they aren't r
### What is the concept of device health?
To understand the concept of device health, its important to know traditional measures that IT pros have taken to prevent the breach of malware. Malware control technologies are highly focused on the prevention of installation and distribution.
To understand the concept of device health, it's important to know traditional measures that IT pros have taken to prevent the breach of malware. Malware control technologies are highly focused on the prevention of installation and distribution.
However, the use of traditional malware prevention technologies like antimalware or patching solutions brings a new set of issues for IT pros: the ability to monitor and control the compliance of devices accessing organizations resources.
However, the use of traditional malware prevention technologies like antimalware or patching solutions brings a new set of issues for IT pros: the ability to monitor and control the compliance of devices accessing organization's resources.
The definition of device compliance will vary based on an organizations installed antimalware, device configuration settings, patch management baseline, and other security requirements. But health of the device is part of the overall device compliance policy.
The definition of device compliance will vary based on an organization's installed antimalware, device configuration settings, patch management baseline, and other security requirements. But health of the device is part of the overall device compliance policy.
The health of the device isn't binary and depends on the organizations security implementation. The Health Attestation Service provides information back to the MDM on which security features are enabled during the boot of the device by using trustworthy hardware TPM.
The health of the device isn't binary and depends on the organization's security implementation. The Health Attestation Service provides information back to the MDM on which security features are enabled during the boot of the device by using trustworthy hardware TPM.
But health attestation only provides information, which is why an MDM solution is needed to take and enforce a decision.
@ -449,7 +448,7 @@ The endorsement key acts as an identity card for the TPM. For more information,
The endorsement key is often accompanied by one or two digital certificates:
- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that its a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
@ -509,11 +508,11 @@ As part of the provisioning process, Windows 10 will create an AIK with the TPM.
### Windows 10 Health Attestation CSP
Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as “get”, “set”, “delete”, and so on.
Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as "get", "set", "delete", and so on.
The following list is that of the functions performed by the Windows 10 Health Attestation CSP:
- Collects data that is used to verify a devices health status
- Collects data that is used to verify a device's health status
- Forwards the data to the Health Attestation Service
- Provisions the Health Attestation Certificate that it receives from the Health Attestation Service
- Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification
@ -557,13 +556,13 @@ The following table presents some key items that can be reported back to MDM dep
### Use MDM and the Health Attestation Service
To make device health relevant, the MDM solution evaluates the device health report and is configured to the organizations device health requirements.
To make device health relevant, the MDM solution evaluates the device health report and is configured to the organization's device health requirements.
A solution that uses MDM and the Health Attestation Service consists of three main parts:
1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default).
2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that its been attested.
3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it's been attested.
:::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png":::
@ -595,21 +594,21 @@ That consequence for an unhealthy device is the purpose of conditional access co
## Control the security of a Windows 10-based device before access is granted
Todays access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organizations IT staff and systems know little about. Perhaps there's some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware?
Today's access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organization's IT staff and systems know little about. Perhaps there's some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware?
The remote device health attestation process uses measured boot data to verify the health status of the device. The health of the device is then available for an MDM solution like Intune.
> [!NOTE]
> For the latest information on Intune and Windows 10 features support, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
The figure below shows how the Health Attestation Service is expected to work with Microsofts cloud-based Intune MDM service.
The figure below shows how the Health Attestation Service is expected to work with Microsoft's cloud-based Intune MDM service.
:::image type="content" alt-text="figure 10." source="images/hva-fig9-intune.png":::
An MDM solution can then use health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the devices ability to prove that its malware free, its antimalware system is functional and up to date, the
An MDM solution can then use health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device's ability to prove that it's malware free, its antimalware system is functional and up to date, the
firewall is running, and the devices patch state is compliant.
Finally, resources can be protected by denying access to endpoints that are unable to prove theyre healthy. This feature is much needed for BYOD devices that need to access organizational resources.
Finally, resources can be protected by denying access to endpoints that are unable to prove they're healthy. This feature is much needed for BYOD devices that need to access organizational resources.
### Built-in support of MDM in Windows 10
@ -626,7 +625,7 @@ The third-party MDM server will have the same consistent first-party user experi
### <a href="" id="management-of-windows-defender-by-third-party-mdm-"></a>Management of Windows Defender by third-party MDM
This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that arent domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms.
This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren't domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms.
For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](/mem/intune/configuration/custom-settings-windows-10).
@ -642,7 +641,7 @@ If the device isn't registered, the user will get a message with instructions on
### <a href="" id="office-365-conditional-access-control-"></a>Office 365 conditional access control
Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the companys device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company's device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more
target groups.
When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that don't have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services.
@ -696,7 +695,7 @@ For on-premises applications there are two options to enable conditional access
The following process describes how Azure AD conditional access works:
1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD.
2. When the device boots or resumes from hibernate, a task “Tpm-HASCertRetr” is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
2. When the device boots or resumes from hibernate, a task "Tpm-HASCertRetr" is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service.
3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any).
4. User logs on and the MDM agent contacts the Intune/MDM server.
5. MDM server pushes down new policies if available and queries health blob state and other inventory state.
@ -758,7 +757,7 @@ The following list contains high-level key takeaways to improve the security pos
After Windows 10 is installed, lock down firmware boot options access. This lockdown prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool.
Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their devices identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution.
Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their device's identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution.
## Related topics

33
windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
View File

@ -1,11 +1,10 @@
---
title: Use Windows Event Forwarding to help with intrusion detection (Windows 10)
description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.
ms.reviewer:
manager: aaroncz
ms.author: dansimp
ms.prod: windows-client
author: dulcemontemayor
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.date: 02/28/2019
ms.localizationpriority: medium
ms.technology: itpro-security
@ -26,7 +25,7 @@ To accomplish this functionality, there are two different subscriptions publishe
This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they're largely used for host forensic analysis.
An SEMs strength lies in being able to inspect, correlate events, and generate alerts for known patterns manner and alert security staff at machine speed.
An SEM's strength lies in being able to inspect, correlate events, and generate alerts for known patterns manner and alert security staff at machine speed.
A MapReduce system has a longer retention time (years versus months for an SEM), larger ingress ability (hundreds of terabytes per day), and the ability to perform more complex operations on the data like statistical and trend analysis, pattern clustering analysis, or apply Machine Learning algorithms.
@ -44,14 +43,14 @@ For the minimum recommended audit policy and registry system ACL settings, see [
>**Note:**  These are only minimum values need to meet what the WEF subscription selects.
From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts direction. All devices should have access to the Baseline subscription.
From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts' direction. All devices should have access to the Baseline subscription.
This system of dual subscription means you would create two base subscriptions:
- **Baseline WEF subscription**. Events collected from all hosts; these events include some role-specific events, which will only be emitted by those machines.
- **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems.
Each using the respective event query below. For the Targeted subscription, enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client.
Each using the respective event query below. For the Targeted subscription, enabling the "read existing events" option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client.
In [Appendix E Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These subscriptions are annotated for query purpose and clarity. Individual &lt;Query&gt; element can be removed or edited without affecting the rest of the query.
@ -92,24 +91,24 @@ The HTTPS option is available if certificate based authentication is used, in ca
### Do WEF Clients have a separate buffer for events?
The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost. To increase the “buffer size”, increase the maximum file size of the specific event log file where events are being selected. For more info, see [Appendix C Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc).
The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost. To increase the "buffer size", increase the maximum file size of the specific event log file where events are being selected. For more info, see [Appendix C Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc).
When the event log overwrites existing events (resulting in data loss if the device isn't connected to the Event Collector), there's no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream.
### What format is used for forwarded events?
WEF has two modes for forwarded events. The default is “Rendered Text” that includes the textual description of the event as you would see it in Event Viewer. This description's inclusion means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as “Binary” format) which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This format is compact and can more than double the event volume a single WEC server can accommodate.
WEF has two modes for forwarded events. The default is "Rendered Text" that includes the textual description of the event as you would see it in Event Viewer. This description's inclusion means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is "Events" (also sometimes referred to as "Binary" format) which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This format is compact and can more than double the event volume a single WEC server can accommodate.
A subscription “testSubscription” can be configured to use the Events format through the WECUTIL utility:
A subscription "testSubscription" can be configured to use the Events format through the WECUTIL utility:
``` syntax
@rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime
Wecutil ss “testSubscription” /cf:Events
Wecutil ss "testSubscription" /cf:Events
```
### How frequently are WEF events delivered?
Event delivery options are part of the WEF subscription configuration parameters There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but can't be selected or configured through the WEF UI by using Event Viewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector.
Event delivery options are part of the WEF subscription configuration parameters There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called "Custom" is available but can't be selected or configured through the WEF UI by using Event Viewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector.
This table outlines the built-in delivery options:
@ -125,11 +124,11 @@ The primary difference is in the latency which events are sent from the client.
``` syntax
@rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime
Wecutil ss “SubscriptionNameGoesHere” /cm:Custom
Wecutil ss "SubscriptionNameGoesHere" /cm:Custom
@rem set DeliveryMaxItems to 1 event
Wecutil ss “SubscriptionNameGoesHere” /dmi:1
Wecutil ss "SubscriptionNameGoesHere" /dmi:1
@rem set DeliveryMaxLatencyTime to 10 ms
Wecutil ss “SubscriptionNameGoesHere” /dmlt:10
Wecutil ss "SubscriptionNameGoesHere" /dmlt:10
```
### How do I control which devices have access to a WEF Subscription?
@ -141,7 +140,7 @@ For collector initiated subscriptions: The subscription contains the list of mac
Yes. If you desire a High-Availability environment, configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access.
### <a href="" id="what-are-the-wec-server-s-limitations-"></a>What are the WEC servers limitations?
### <a href="" id="what-are-the-wec-server-s-limitations-"></a>What are the WEC server's limitations?
There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is planning for a total of 3,000 events per second on average for all configured subscriptions.
@ -328,7 +327,7 @@ This subscription adds some possible intruder-related activity to help analyst f
- Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging improvements for in-memory attacks using Windows PowerShell.
- Includes Windows PowerShell remoting logging
- User Mode Driver Framework “Driver Loaded” event
- User Mode Driver Framework "Driver Loaded" event
- Can possibly detect a USB device loading multiple device drivers. For example, a USB\_STOR device loading the keyboard or network driver.