deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 05:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'dansimp-new-security-toc' of https://github.com/MicrosoftDocs/windows-docs-pr into dansimp-new-security-toc

Browse Source
This commit is contained in:
denisebmsft 2021-09-16 13:02:20 -07:00
commit a034f17fb8
3 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/TOC.yml
View File

@ -29,8 +29,8 @@
href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
- name: System Guard Secure Launch and SMM protection - name: System Guard Secure Launch and SMM protection
href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
- name: Protect derived domain credentials with Windows Defender Credential Guard - name: Enable virtualization-based protection of code integrity
href: identity-protection/credential-guard/credential-guard.md href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
- name: Kernel DMA Protection - name: Kernel DMA Protection
href: information-protection/kernel-dma-protection-for-thunderbolt.md href: information-protection/kernel-dma-protection-for-thunderbolt.md
- name: Operating system security - name: Operating system security

10
windows/security/hardware.md
View File

@ -1,6 +1,6 @@
--- ---
title: Windows hardware security title: Windows hardware security
description: Get an overview of hardware security in Windows 11 description: Get an overview of hardware security in Windows
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.author: dansimp ms.author: dansimp
@ -17,10 +17,14 @@ ms.technology: windows-sec
Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information. Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information.
These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware. These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware.
With Windows 11, we have raised the hardware security baseline to design the most secure version of Windows ever. We have carefully chosen the hardware requirements and default security features based on threat intelligence and input from leading experts around the globe, including our own Microsoft Cybersecurity team. With Windows 11, we have raised the hardware security baseline to design the most secure version of Windows ever. We have carefully chosen the hardware requirements and default security features based on threat intelligence and input from leading experts around the globe, including our own Microsoft Cybersecurity team.
Though a powerful combination of hardware root-of-trust and silicon-assisted security, Windows 11 delivers built-in hardware protection out-of-the box.
| Security Measures | Features & Capabilities | | Security Measures | Features & Capabilities |
|:---|:---| |:---|:---|
| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](/threat-protection/windows-defender-application-control/windows-defender-application-control.md) | | Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users. <br> A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM. <br> Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). |
| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy. <br> Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation. <br> Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). |
| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity. <br> HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS leverages the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system. <br> Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md).
| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily-accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC. <br> Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). |

7
windows/security/identity-protection/configure-s-mime.md
View File

@ -1,5 +1,5 @@
--- ---
title: Configure S/MIME for Windows 10 title: Configure S/MIME for Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05
ms.reviewer: ms.reviewer:
@ -19,10 +19,11 @@ ms.date: 07/27/2017
--- ---
# Configure S/MIME for Windows 10 # Configure S/MIME for Windows
**Applies to** **Applies to**
- Windows 10 - Windows 10
- Windows 11
S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.