From 0e58601b434b7b4cc8110dd79eb0a462593b7ed4 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 16 Sep 2021 16:24:10 -0700 Subject: [PATCH] cross linking TOCs --- windows/security/TOC.yml | 2 +- windows/security/threat-protection/auditing/TOC.yml | 4 +++- .../threat-protection/security-policy-settings/TOC.yml | 4 +++- .../security/threat-protection/windows-firewall/TOC.yml | 2 ++ windows/security/zero-trust-windows-device-health.md | 8 ++++++-- 5 files changed, 15 insertions(+), 5 deletions(-) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 4dd99c673d..1e359ee788 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -1,7 +1,7 @@ - name: Windows security href: index.yml -- name: Windows and Zero Trust +- name: Zero Trust and Windows href: zero-trust-windows-device-health.md expanded: true - name: Hardware security diff --git a/windows/security/threat-protection/auditing/TOC.yml b/windows/security/threat-protection/auditing/TOC.yml index 88646f01b0..00e500f989 100644 --- a/windows/security/threat-protection/auditing/TOC.yml +++ b/windows/security/threat-protection/auditing/TOC.yml @@ -762,4 +762,6 @@ - name: Registry (Global Object Access Auditing) href: registry-global-object-access-auditing.md - name: File System (Global Object Access Auditing) - href: file-system-global-object-access-auditing.md \ No newline at end of file + href: file-system-global-object-access-auditing.md + - name: Windows security + href: /windows/security/index.yml \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml index 8e8f9f630c..5afa3d271b 100644 --- a/windows/security/threat-protection/security-policy-settings/TOC.yml +++ b/windows/security/threat-protection/security-policy-settings/TOC.yml 
@@ -346,4 +346,6 @@ - name: Synchronize directory service data href: synchronize-directory-service-data.md - name: Take ownership of files or other objects - href: take-ownership-of-files-or-other-objects.md \ No newline at end of file + href: take-ownership-of-files-or-other-objects.md + - name: Windows security + href: /windows/security/index.yml \ No newline at end of file diff --git a/windows/security/threat-protection/windows-firewall/TOC.yml b/windows/security/threat-protection/windows-firewall/TOC.yml index efaa07fa4e..55e911297b 100644 --- a/windows/security/threat-protection/windows-firewall/TOC.yml +++ b/windows/security/threat-protection/windows-firewall/TOC.yml @@ -250,3 +250,5 @@ href: quarantine.md - name: Firewall settings lost on upgrade href: firewall-settings-lost-on-upgrade.md +- name: Windows security + href: /windows/security/index.yml diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index c8c7cf6ef5..41ad5cd387 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md 
@@ -23,7 +23,7 @@ The [Zero Trust Principles](https://www.microsoft.com/security/business/zero-tru **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive polices, and data protection to help secure data and maintain productivity. -**Assume breach**. Assume breach operates in a manner that minimizes blast radius and segments access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. +**Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses. For Windows 11, the Zero Trust concept of verify explicitly applies to the risks introduced by both devices and users. Windows 11 provides IT administrators the attestation and measurements to determine whether a device meets requirements and can be trusted. And Windows 11 works out of the box with Microsoft Intune and Azure Active Directory, so access decisions and enforcement are seamless. Plus, IT Administrators can easily customize Windows 11 to meet specific user and policy requirements for access, privacy, compliance, and more. 
@@ -39,7 +39,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side 1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event. 2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that’s sent to the attestation service (learn more about the attestation service below). -3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). +3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). 4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device. 5. The attestation service does the following: 
@@ -50,3 +50,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side 6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service. 7. The device then sends the report to the MEM cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules. 8. Conditional access, along with device-compliance state then decides to grant access to protected resource or not. + +## Additional Resources + +Learn more about Microsoft Zero Trust solutions in the [Zero Trust Guidance Center](/security/zero-trust/)
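Review bot: In the auditing and security-policy-settings TOC hunks the new entry is indented one level (`+  - name: Windows security`), so it lands as a sibling of the last nested leaf (`File System (Global Object Access Auditing)` and `Take ownership of files or other objects` respectively) instead of as a top-level node, which is where the windows-firewall hunk puts it (`+- name: Windows security`). Unless the nesting is intended, dedent the two entries so the cross-link sits at the same level in all three TOCs. Both files also still end without a trailing newline (`\ No newline at end of file` is present on the `-` and `+` sides); since the last line is being rewritten anyway, add one.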
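Review bot: The three cross-links use a site-absolute path ending in a YAML file (`href: /windows/security/index.yml`), while the root `windows/security/TOC.yml` refers to the same landing page relatively (`href: index.yml`). Confirm that the build resolves an absolute `.yml` href from a TOC in another folder into the rendered page rather than a raw-file or broken link; if it does not, point the three entries at the rendered URL for the landing page instead.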
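Review bot: The rewritten "Assume breach" paragraph in `zero-trust-windows-device-health.md` changes the meaning of the principle rather than tightening its wording: "Prevent attackers from obtaining access" describes prevention, which is what "Verify explicitly" and "Use least-privileged access" already cover, whereas assume breach is about limiting what an attacker can do once they are already in. The removed text ("minimizes blast radius and segments access") is the part that states that. Suggest keeping it, e.g. "**Assume breach**. Minimize blast radius and segment access. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses."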
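Review bot: The `@@ -39,7 +39,7 @@` hunk only touches whitespace on step 3 (the `-` and `+` lines read identically), so it does not contribute to the cross-linking change; drop it or note in the commit message that it is a whitespace cleanup. While this block of the file is being edited, the context line for step 4 still reads "Microsoft Endpoint Manger (MEM)", which should be "Microsoft Endpoint Manager (MEM)".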
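Review bot: The root TOC hunk renames the entry from "Windows and Zero Trust" to "Zero Trust and Windows", which is a navigation title change rather than a cross-link and is not covered by the commit subject "cross linking TOCs". Either mention the rename in the commit message or split it into its own commit so the history explains why the node title changed.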