From 8466203e4e7bfc1ac708fbb997f9928f9bd8cc93 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 9 Apr 2024 08:07:50 -0400 Subject: [PATCH] Update date in conclusion.md and index.md files --- windows/security/book/application-security.md | 5 +++- windows/security/book/cloud-security.md | 5 +++- windows/security/book/conclusion.md | 2 +- windows/security/book/hardware-security.md | 5 +++- windows/security/book/identity-protection.md | 5 +++- .../book/includes/hardware-root-of-trust.md | 12 +++++----- .../includes/silicon-assisted-security.md | 24 +++++++++---------- windows/security/book/index.md | 2 +- .../book/operating-system-security.md | 5 +++- windows/security/book/security-foundations.md | 5 +++- 10 files changed, 43 insertions(+), 27 deletions(-) diff --git a/windows/security/book/application-security.md b/windows/security/book/application-security.md index 6c476f99e6..2dfefeaba3 100644 --- a/windows/security/book/application-security.md +++ b/windows/security/book/application-security.md @@ -2,7 +2,10 @@ title: Application security description: Application security ms.topic: overview -ms.date: 03/12/2024 +ms.date: 04/09/2024 --- # Application security + +> [!div class="nextstepaction"] +> [Next: Identity protection >](identity-protection.md) \ No newline at end of file diff --git a/windows/security/book/cloud-security.md b/windows/security/book/cloud-security.md index 7d9bbcad4b..c00ac0504b 100644 --- a/windows/security/book/cloud-security.md +++ b/windows/security/book/cloud-security.md @@ -2,7 +2,10 @@ title: Cloud security description: Cloud security ms.topic: overview -ms.date: 03/12/2024 +ms.date: 04/09/2024 --- # Cloud security + +> [!div class="nextstepaction"] +> [Next: Security foundations >](security-foundations.md) \ No newline at end of file diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md index 5899cf240a..1025569d81 100644 --- a/windows/security/book/conclusion.md +++ b/windows/security/book/conclusion.md @@ -2,7 +2,7 @@ title: Conclusion description: Conclusion ms.topic: overview -ms.date: 03/12/2024 +ms.date: 04/09/2024 --- # Conclusion diff --git a/windows/security/book/hardware-security.md b/windows/security/book/hardware-security.md index 8873dd29e8..bdcc227d66 100644 --- a/windows/security/book/hardware-security.md +++ b/windows/security/book/hardware-security.md @@ -2,7 +2,7 @@ title: Hardware security description: Hardware security ms.topic: overview -ms.date: 03/12/2024 +ms.date: 04/09/2024 --- # Hardware security @@ -16,3 +16,6 @@ With Windows 11, Microsoft has raised the hardware security bar to design the mo [!INCLUDE [hardware-root-of-trust](includes/hardware-root-of-trust.md)] [!INCLUDE [silicon-assisted-security](includes/silicon-assisted-security.md)] + +> [!div class="nextstepaction"] +> [Next: Operating System security >](operating-system-security.md) \ No newline at end of file diff --git a/windows/security/book/identity-protection.md b/windows/security/book/identity-protection.md index 285f5b737e..ae37577ad1 100644 --- a/windows/security/book/identity-protection.md +++ b/windows/security/book/identity-protection.md @@ -2,7 +2,10 @@ title: Identity protection description: Identity protection ms.topic: overview -ms.date: 03/12/2024 +ms.date: 04/09/2024 --- # Identity protection + +> [!div class="nextstepaction"] +> [Next: Cloud security >](cloud-security.md) \ No newline at end of file diff --git a/windows/security/book/includes/hardware-root-of-trust.md b/windows/security/book/includes/hardware-root-of-trust.md index 10a915b6a7..223482d73a 100644 --- a/windows/security/book/includes/hardware-root-of-trust.md +++ b/windows/security/book/includes/hardware-root-of-trust.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 09/18/2023 +ms.date: 04/09/2024 ms.topic: include --- @@ -15,9 +15,9 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based, Learn more: -- Windows 11 TPM specifications -- Enabling TPM 2.0 on your PC -- Trusted Platform Module technology overview +- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications) +- [Enabling TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c) +- [Trusted Platform Module Technology Overview](../../hardware-security/tpm/trusted-platform-module-overview.md) ### Microsoft Pluton security processor @@ -31,5 +31,5 @@ Pluton also solves the major security challenge of keeping its own security proc Learn more: -- Meet the Microsoft Pluton processor - The security chip designed for the future of Windows PCs -- Microsoft Pluton security processor +- [Meet the Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/) +- [Microsoft Pluton security processor](../../hardware-security/pluton/microsoft-pluton-security-processor.md) diff --git a/windows/security/book/includes/silicon-assisted-security.md b/windows/security/book/includes/silicon-assisted-security.md index 99bc7bed60..47622dbfda 100644 --- a/windows/security/book/includes/silicon-assisted-security.md +++ b/windows/security/book/includes/silicon-assisted-security.md @@ -1,7 +1,7 @@ --- author: paolomatarazzo ms.author: paoloma -ms.date: 09/18/2023 +ms.date: 04/09/2024 ms.topic: include --- @@ -20,9 +20,7 @@ implements virtual trust level 1 (VTL1), which has higher privilege than the vir Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe. -Learn more: - -- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) +Learn more: [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs. @@ -30,7 +28,7 @@ With new installs of Windows 11, OS support for VBS and HVCI is turned on by def Learn more: -- Enable memory integrity +- [Enable virtualization-based protection of code integrity](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) - [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity) ### Hardware-enforced stack protection @@ -41,15 +39,14 @@ Application code includes a program processing stack that hackers seek to corrup Learn more: -- [Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815) +- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815) +- [Developer Guidance for Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-kernel-internals/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340) ### Kernel Direct Memory Access (DMA) protection Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work. -Learn more: - -- [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt) +Learn more: [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt) ### Secured-core PC @@ -61,18 +58,19 @@ Secured-core PCs provide multiple layers of robust protection against hardware a Thousands of PC vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements. -In Secured-core PCs, System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit or bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction (FASR) technology can be used instead of DRTM on supported devices such as Microsoft Surface. +In Secured-core PCs, [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection) protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit or bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. [Firmware Attack Surface Reduction (FASR) technology](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) can be used instead of DRTM on supported devices, such as Microsoft Surface. -System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies -that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation. +System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation. :::image type="content" source="..\images\architecture.png" alt-text="aas" lightbox="..\architecture.png" border="false"::: Learn more: -- Dynamic Root of Trust measure and SMM isolation +- [Dynamic Root of Trust measure and SMM isolation](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/) - [Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11) ### Secured-core configuration lock In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core configuration lock (config lock) is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift. + +Learn more: [Windows 11 with config lock](/windows/client-management/mdm/config-lock) diff --git a/windows/security/book/index.md b/windows/security/book/index.md index 9e804ff455..7cff588624 100644 --- a/windows/security/book/index.md +++ b/windows/security/book/index.md @@ -2,7 +2,7 @@ title: Windows security book introduction description: Windows security book introduction ms.topic: overview -ms.date: 03/12/2024 +ms.date: 04/09/2024 --- # Windows 11 Security Book diff --git a/windows/security/book/operating-system-security.md b/windows/security/book/operating-system-security.md index d58a811c51..5b46eb3af1 100644 --- a/windows/security/book/operating-system-security.md +++ b/windows/security/book/operating-system-security.md @@ -2,7 +2,10 @@ title: Operating System security description: Operating System security ms.topic: overview -ms.date: 03/12/2024 +ms.date: 04/09/2024 --- # Operating System security + +> [!div class="nextstepaction"] +> [Next: Application security >](application-security.md) \ No newline at end of file diff --git a/windows/security/book/security-foundations.md b/windows/security/book/security-foundations.md index 71dbb57a2b..e653627097 100644 --- a/windows/security/book/security-foundations.md +++ b/windows/security/book/security-foundations.md @@ -2,7 +2,10 @@ title: Security foundations description: Security foundations ms.topic: overview -ms.date: 03/12/2024 +ms.date: 04/09/2024 --- # Security foundations + +> [!div class="nextstepaction"] +> [Next: Conclusion >](conclusion.md) \ No newline at end of file