mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-29 05:37:22 +00:00
copyedits
This commit is contained in:
parent
98eecffba5
commit
726038c9c4
@ -130,7 +130,7 @@ The following tables provide more information about the hardware, firmware, and
| Protection for Improved Security | Description |
| Protection for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
|---------------------------------------------|----------------------------------------------------|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>- VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>- UEFI runtime service musty meet these requirements: <br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> - PE sections need to be page-aligned in memory (not required in non-volitile storage).<br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>- This only applies to UEFI runtime service memory, and not UEFI bootb service memory. <br>- This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>- Do not use sections that are both writeable and exceutable<br>- Do not attempt to directly modify xceutable system memory<br>- Do not use dynamic code<br><br>**Security benefits**:<br>- Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware. |
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>- VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>- UEFI runtime service must meet these requirements: <br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> - PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>- This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>- This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>- Do not use sections that are both writeable and exceutable<br>- Do not attempt to directly modify executable system memory<br>- Do not use dynamic code<br><br>**Security benefits**:<br>- Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
## Manage Credential Guard
## Manage Credential Guard
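Review bot: the rewording of the page-alignment bullet in the NX-protection row introduces a stray word: "not required in non-volitile storage" became "not required for in non-volitile storage". It should read "not required in non-volatile storage", which also corrects "non-volitile", a misspelling this copyedit leaves in place. The same row still spells "exceutable" three times ("must not be exceutable", "both exceutable and writable", "writeable and exceutable") while only "xceutable" was corrected; please fix those in the same pass. The unchanged SMM-protection context row carries a fused sentence, "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS"; suggest "Potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS" to match the wording of the NX row.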
@ -86,7 +86,7 @@ The following tables describes additional hardware and firmware requirements, an
| Protection for Improved Security | Description |
| Protection for Improved Security | Description |
|---------------------------------------------|----------------------------------------------------|
|---------------------------------------------|----------------------------------------------------|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>- VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>- UEFI runtime service musty meet these requirements: <br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> - PE sections need to be page-aligned in memory (not required in non-volitile storage).<br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>- This only applies to UEFI runtime service memory, and not UEFI bootb service memory. <br>- This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>- Do not use sections that are both writeable and exceutable<br>- Do not attempt to directly modify xceutable system memory<br>- Do not use dynamic code<br><br>**Security benefits**:<br>- Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware. |
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>- VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>- UEFI runtime service must meet these requirements: <br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> - PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>- This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>- This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>- Do not use sections that are both writeable and exceutable<br>- Do not attempt to directly modify executable system memory<br>- Do not use dynamic code<br><br>**Security benefits**:<br>- Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>- Reduces the attack surface to VBS from system firmware.<br>- Blocks additional security attacks against SMM. |
## Device Guard deployment in different scenarios: types of devices
## Device Guard deployment in different scenarios: types of devices
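Review bot: this hunk repeats the first hunk's table in a second file, so the same problems carry over: the stray "for" in "not required for in non-volitile storage", the unfixed "non-volitile", the three remaining "exceutable" spellings, and the fused sentence in the SMM-protection row ("Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS"). The hunk header's context line also reads "The following tables describes additional hardware and firmware requirements"; subject and verb disagree, so it should be "The following table describes" or "The following tables describe", whichever matches the page. Since this table is maintained in two files, consider applying identical fixes to both in one commit so the rows do not drift apart.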