This commit is contained in:
Paolo Matarazzo
2024-04-18 06:33:46 -04:00
parent ce239e7c93
commit 66d8dd6b54
3 changed files with 20 additions and 88 deletions

View File

@ -22,7 +22,7 @@ With Windows 11, Microsoft has raised the hardware security bar to design the mo
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard (previously called Windows Defender System Guard), and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust.
Learn more:
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications)
- [Enabling TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c)
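Review bot: the TPM paragraph in this hunk's leading context reads "existing Windows 10 devices much meet minimum system requirements"; since that line is already inside the hunk, fix "much" to "must" in the same change. The new `:::image type="icon" source="images/learn-more.svg" border="false":::` line itself is consistent with the other hunks in this commit.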
@ -38,7 +38,7 @@ As with other TPMs, credentials, encryption keys, and other sensitive informatio
Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for customers to get alerts about security updates, keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.
Learn more:
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Meet the Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/)
- [Microsoft Pluton security processor](../hardware-security/pluton/microsoft-pluton-security-processor.md)
@ -62,13 +62,13 @@ implements virtual trust level 1 (VTL1), which has higher privilege than the vir
Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
Learn more: [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
Learn more:
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
@ -79,7 +79,7 @@ Hardware-enforced stack protection integrates software and hardware for a modern
Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called stack smashing. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate "shadow stack" for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
Learn more:
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)
- [Developer Guidance for Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-kernel-internals/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340)
@ -88,7 +88,7 @@ Learn more:
Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
Learn more: [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
### Secured-core PC
@ -106,7 +106,7 @@ System Management Mode (SMM) isolation is an execution mode in x86-based process
:::image type="content" source="images\architecture.png" alt-text="aas" lightbox="images\architecture.png" border="false":::
Learn more:
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Dynamic Root of Trust measure and SMM isolation](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/)
- [Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)
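Review bot: the architecture diagram in this hunk's context has `alt-text="aas"`, a placeholder that should be replaced with a real description of the image before this file ships. The same line uses backslashes in `images\architecture.png` while the new icon line uses `images/learn-more.svg`; use forward slashes in both so the path resolves on every build host.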
@ -115,7 +115,7 @@ Learn more:
In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core configuration lock (config lock) is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
Learn more: [Windows 11 with config lock](/windows/client-management/mdm/config-lock)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Windows 11 with config lock](/windows/client-management/mdm/config-lock)
> [!div class="nextstepaction"]
> [Chapter 2: Operating System security >](operating-system-security.md)

View File

@ -47,7 +47,7 @@ In Windows 11, hardware and software work together to protect sensitive data fro
:::image type="content" source="images\chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containng a list of security features." lightbox="images\chip-to-cloud.png" border="false":::
Learn more: [Windows security features licensing and edition requirements](https://learn.microsoft.com/en-us/windows/security/licensing-and-edition-requirements?tabs=edition)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Windows security features licensing and edition requirements](https://learn.microsoft.com/en-us/windows/security/licensing-and-edition-requirements?tabs=edition)
> [!div class="nextstepaction"]
> [Chapter 1: Hardware security >](hardware-security.md)
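Review bot: the rewritten Learn more line keeps an absolute, locale-specific URL (`https://learn.microsoft.com/en-us/windows/security/licensing-and-edition-requirements?tabs=edition`), whereas every other link touched by this commit is site-relative; change it to `/windows/security/licensing-and-edition-requirements?tabs=edition` so the link follows the reader's locale. The image line just above it also has a typo in its alt text: "containng" should be "containing".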

View File

@ -37,7 +37,7 @@ Tampering or malware attacks on the Windows boot sequence are blocked by the sig
For more information about these features and how they help prevent rootkits and bootkits from loading during the startup process, see [Secure the Windows boot process](../operating-system-security/system-security/secure-the-windows-10-boot-process.md)
Learn more: [Secure Boot and Trusted Boot](../operating-system-security/system-security/trusted-boot.md)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Secure Boot and Trusted Boot](../operating-system-security/system-security/trusted-boot.md)
### Cryptography
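Review bot: the context sentence ending "see [Secure the Windows boot process](...)" has no terminating period, and it now runs straight into the new Learn more line; add the period so the two cross-references read as separate sentences.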
@ -117,7 +117,7 @@ Learn more:
With Assigned Access, Windows devices restrict functionality to pre-selected applications depending on the user and keep individual identities separate, which is ideal for public-facing or shared devices. Configuring a device in Kiosk Mode is a straightforward process. You can do this locally on the device or remotely using modern device management.
Learn more: [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
### Config Refresh
@ -153,19 +153,19 @@ When people travel with their PCs, their confidential information travels with t
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure<sup>9</sup> can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune<sup>6</sup> using a configuration service provider (CSP).<sup>9</sup> BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), leveraging technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. Windows consistently improves data protection by expanding existing options and providing new strategies.
Learn more: [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md)
### BitLocker To Go
BitLocker To Go refers to BitLocker Drive Encryption on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
Learn more: [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml)
### Device Encryption
Device Encryption is consumer-level device encryption that cannot be managed. Device Encryption is turned on by default for devices with the right hardware components (for example, TPM 2.0, UEFI Secure Boot, Hardware Security Test Interface, and Modern Standby). However, for a commercial scenario, it is possible for commercial customers to disable Device Encryption in favor of BitLocker Drive Encryption. BitLocker Drive Encryption is manageable through MDM.
Learn more: [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption)
### Encrypted hard drive
@ -181,7 +181,7 @@ Encrypted hard drives enable:
to re-encrypt data on the drive
- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process
Learn more: [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md)
### Personal data encryption
@ -191,7 +191,7 @@ With the first release of PDE (Windows 11 22H2), the PDE API was available, whic
PDE requires Microsoft Entra ID.
Learn more: [Personal Data Encryption (PDE)](../operating-system-security/data-protection/personal-data-encryption/index.md)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Personal Data Encryption (PDE)](../operating-system-security/data-protection/personal-data-encryption/index.md)
### Email encryption
@ -211,7 +211,7 @@ New DNS and TLS protocol versions strengthen the end-to-end protections needed f
In enterprise environments, network protection works best with Microsoft Defender for Endpoint, which provides detailed reporting on protection events as part of larger investigation scenarios.
Learn more: [How to protect your network](/security/defender-endpoint/network-protection)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [How to protect your network](/security/defender-endpoint/network-protection)
### Transport layer security (TLS)
@ -318,7 +318,7 @@ templates in the Endpoint Security node in Microsoft Intune<sup>9</sup>, leverag
support from the Firewall configuration service provider (CSP) and applying these settings to
Windows endpoints.
Learn more: [Windows Firewall overview](../operating-system-security/network-security/windows-firewall/index.md)
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** [Windows Firewall overview](../operating-system-security/network-security/windows-firewall/index.md)
### Virtual private networks (VPN)
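Review bot: the footnote marker on "Microsoft Intune<sup>9</sup>" in this hunk's first context line does not match the "Microsoft Intune<sup>6</sup>" used in the BitLocker paragraph earlier in this same file; one of the two superscripts is wrong and should be reconciled while these lines are being touched.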
@ -350,15 +350,7 @@ VPN platform. The integration into the Windows VPN platform leads to a simpler I
experience. User authentication is more consistent, and users can easily find and control
their VPN.
:::row:::
:::column:::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
:::column-end:::
:::column:::
- Windows VPN technical guide
- something else
:::column-end:::
:::row-end:::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** Windows VPN technical guide
### Server Message Block file services
Server Message Block (SMB) and file services are the most common Windows workloads in
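Review bot: the replacement line `**Learn more:** Windows VPN technical guide` carries the title as plain text with no link target, unlike every other Learn more entry in this commit; make it a markdown link to the Windows VPN technical guide article. Removing the `:::row:::` scaffolding and the "- something else" placeholder bullet is the right call.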
@ -400,67 +392,7 @@ that Microsoft superseded by later versions of SMB starting with Windows Vista.
began uninstalling SMB 1.0 by default in certain Windows 10 editions in 2017. No versions of
Windows 11 now install SMB 1.0 by default.
:::image type="icon" source="images/learn-more.svg" border="false"::: Learn more: File sharing using the SMB 3 protocol
### ssss
:::row:::
:::column span="1":::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
:::column-end:::
:::column:::
- Windows VPN technical guide
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
:::column-end:::
:::column:::
- Windows VPN technical guide
- Windows VPN technical guide
- Windows VPN technical guide
- Windows VPN technical guide
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
:::image type="icon" source="images/learn-more.svg" border="false"::: #### Learn more:
:::column-end:::
:::column span="3":::
- Windows VPN technical guide
- Windows VPN technical guide
- Windows VPN technical guide
- Windows VPN technical guide
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
#### :::image type="icon" source="images/learn-more.svg" border="false"::: #### Learn more:
:::column-end:::
:::column span="3":::
- Windows VPN technical guide
- Windows VPN technical guide
- Windows VPN technical guide
- Windows VPN technical guide
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
#### :::image type="icon" source="images/learn-more.svg" border="false"::: Learn more:
:::column-end:::
:::column span="3":::
- Windows VPN technical guide
- Windows VPN technical guide
- Windows VPN technical guide
- Windows VPN technical guide
:::column-end:::
:::row-end:::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** File sharing using the SMB 3 protocol
## Virus and threat protection
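Review bot: the new line `**Learn more:** File sharing using the SMB 3 protocol` still has no hyperlink, the same gap as the `Learn more:` line it replaces; add the link target so this entry matches the rest of the document. Dropping the `### ssss` heading and the five `:::row:::` blocks of repeated "Windows VPN technical guide" bullets is a good cleanup, since that was clearly layout scaffolding left behind in the SMB section.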