mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 21:33:38 +00:00
Merge branch 'security-book-24' of github.com:paolomatarazzo/windows-docs-pr into security-book-24
This commit is contained in:
Paolo Matarazzo
@ -19,6 +19,10 @@ Smart App Control prevents users from running malicious applications on Windows
|
||||
Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application so that users can be confident that their applications are safe and reliable on their new Windows devices. Additionally, Smart App Control blocks unknown script files and macros from the web are blocked, greatly improving security for everyday users.
|
||||
Smart App Control will ship with new devices with Windows 11, version 22H2 installed.
|
||||
|
||||
We have been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their PC up to date via Windows Update every month.
|
||||
|
||||
Additionally, evaluation mode will start automatically enabling devices that the cloud AI model predicts will have a good experience with Smart App Control in the coming months, first starting with users in North America and eventually expanding to other regions. Note that enterprise-enrolled devices will still have Smart App Control disabled by default, and we recommend enterprises running line-of-business applications continue to leverage App Control for Business.
|
||||
|
||||
Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
@ -11,7 +11,7 @@ ms.date: 04/09/2024
|
||||
|
||||
## Win32 app isolation
|
||||
|
||||
Win32 app isolation is a new security feature in public preview designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using the tools provided by Microsoft.
|
||||
Win32 app isolation is a new security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using Visual Studio.
|
||||
|
||||
Win32 app isolation follows a two-step process. In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level.
|
||||
|
||||
@ -29,6 +29,8 @@ The first factor relates to implementing methods to manage access to files and p
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
- [Win32 app isolation](https://github.com/microsoft/win32-app-isolation)
|
||||
- [Learn how to adop Win32 app isolation with Visual Studio](https://github.com/microsoft/win32-app-isolation/blob/main/docs/packaging/packaging-with-visual-studio.md)
|
||||
- [Sandboxing Python with Win32 app isolation](https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/)
|
||||
|
||||
## Windows Sandbox
|
||||
|
||||
@ -42,6 +44,23 @@ Once Windows Sandbox is closed, nothing persists on the device. All the software
|
||||
- [Windows Sandbox is a new lightweight desktop environment tailored for safely
|
||||
running applications in isolation](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849)
|
||||
|
||||
## Windows Subsystem for Linux (WSL)
|
||||
Windows Subsystem for Linux (WSL) is a feature of Windows that allows you to run a Linux environment on your Windows machine, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time. In Ge, we added 3 networking security features and Intune/MDM integration in WSL on Windows 11 (SV2 and Ge) for Enterprises:
|
||||
- **Hyper-V Firewall**: This new firewall setting is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows.
|
||||
|
||||
- **DNS Tunneling**: This new networking setting improves compatibility in different networking environments and makes use of virtualization features to obtain DNS information rather than a networking packet.
|
||||
|
||||
- **Auto proxy**: This new networking setting enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it will make that proxy automatically apply to WSL distributions.
|
||||
|
||||
- **Intune/MDM setting in WSL**: Microsoft Defender for Endpoint (MDE) now integrates with WSL, providing the ability to monitor what’s running inside of your WSL distros and report them to your online MDE dashboards.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
- [Hyper-V Firewall](/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall)
|
||||
- [DNS Tunneling](/windows/wsl/networking#dns-tunneling)
|
||||
- [Auto proxy](/windows/wsl/networking#auto-proxy)
|
||||
- [Intune/MDM setting in WSL](/windows/wsl/intune)
|
||||
|
||||
|
||||
## App containers
|
||||
|
||||
In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications.
|
||||
@ -51,3 +70,4 @@ Processes that run in app containers operate at a low integrity level, meaning t
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
|
||||
|
||||
|
||||
@ -35,10 +35,26 @@ In combination with Microsoft Intune, Microsoft Entra ID offers powerful securit
|
||||
|
||||
Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID.
|
||||
|
||||
### Microsoft Entra Private Access ###
|
||||
|
||||
Microsoft Entra Private Access unlocks the ability to specify the fully qualified domain names (FQDNs) and IP addresses that you consider private or internal, so you can manage how your organization accesses them. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need.
|
||||
|
||||
Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices and for deployment, refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Private Access Proof of Concept](/entra/architecture/sse-deployment-guide-private-access).
|
||||
|
||||
### Microsoft Entra Internet Access ###
|
||||
|
||||
Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs.
|
||||
|
||||
Note that Microsoft Entra Private Access requires Microsoft Entra ID and Microsoft Entra Joined devices and for deployment, refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept](/entra/architecture/sse-deployment-guide-internet-access).
|
||||
|
||||
Both these features use a new [Global Secure Access client for Windows](/entra/global-secure-access/how-to-install-windows-client), deployed on the desktop, that secure and control the feature.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
- [Windows Local Administrator Password Solution with Microsoft Entra (Azure AD)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487)
|
||||
- [Microsoft Entra plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing?rtc=1)
|
||||
- [Microsoft Entra Private Access](/entra/global-secure-access/concept-private-access)
|
||||
- [Microsoft Entra Internet Access for all apps](/entra/global-secure-access/concept-private-access)
|
||||
|
||||
## Modern device management through (MDM)
|
||||
|
||||
@ -74,6 +90,8 @@ The security baseline includes policies for:
|
||||
- Setting credential requirements for passwords and PINs
|
||||
- Restricting use of legacy technology
|
||||
|
||||
The MDM security baseline has been enhanced with over 70 new settings which enable local user rights assignment, services management, and local security policies which were previously only available through Group Policy. This enable adoption of pure MDM management and closer adherence to industry standard benchmarks for security.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
- [MDM security baseline](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)
|
||||
@ -126,7 +144,9 @@ Windows 11 supports the Remote Wipe configuration service provider (CSP) so that
|
||||
- Reset the device and clean the drive
|
||||
- Reset the device but persist user accounts and data
|
||||
|
||||
Learn More: [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
- [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)
|
||||
|
||||
## Microsoft Azure Attestation Service
|
||||
|
||||
@ -262,7 +282,7 @@ There are several ways that OneDrive for work or school is protected at rest:
|
||||
|
||||
## MDM enrollment certificate attestation
|
||||
|
||||
When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another. This capability has existed for physical PCs since Windows 11 22H2 and is now being extended to Windows 11-based Cloud PCs and Azure Virtual Desktop VMs.
|
||||
When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
|
||||
@ -6,8 +6,6 @@ ms.date: 06/17/2024
|
||||
---
|
||||
|
||||
# Conclusion
|
||||
|
||||
|
||||
We will continue to bring you new features to protect against evolving threats, simplify management, and securely enable new workstyles. With Windows 11 devices, organizations of all sizes can benefit from the security and performance to thrive anywhere.
|
||||
|
||||
:::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false":::
|
||||
|
||||
@ -15,7 +15,7 @@ In addition to a modern hardware root-of-trust, there are numerous other capabil
|
||||
|
||||
To secure the kernel we have two key features: virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices will support HVCI and most new devices will come with VBS and HVCI protection turned on by default.
|
||||
|
||||
Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
|
||||
**Virtualization-based security (VBS)**, also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
|
||||
implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
|
||||
|
||||
Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
|
||||
@ -24,11 +24,11 @@ Since more privileged VTLs can enforce their own memory protections, higher VTLs
|
||||
|
||||
- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
|
||||
|
||||
Virtualization-based security enclaves, a tool to allow developers to leverage VBS by building a secure enclave within their application, which lives in secure memory.
|
||||
**Virtualization-based security enclaves**, a tool to allow developers to leverage VBS by building a secure enclave within their application, which lives in secure memory.
|
||||
|
||||
Hypervisor-enforced Paging Translation (HVPT), overall security enhancement for the system. protects linear address translations from being tampered with
|
||||
**Hypervisor-enforced Paging Translation (HVPT)**, overall security enhancement for the system. protects linear address translations from being tampered with
|
||||
|
||||
Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
|
||||
**Hypervisor-protected code integrity (HVCI)**, also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
|
||||
|
||||
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
|
||||
|
||||
|
||||
@ -27,6 +27,8 @@ Windows has several critical processes to verify a user's identity. Verification
|
||||
|
||||
To help keep these credentials safe, additional LSA protection will be enabled by default on new, enterprise-joined Windows 11 devices. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection also now supports configuration using Group Policy and modern device management.
|
||||
|
||||
End users have the ability to manage their LSA protection state in the Windows Security Application under Device Security -> Core Isolation -> Local Security Authority protection. It’s important to note that the enterprise policy for LSA protection will take precedence over enablement on upgrade. This ensures a seamless transition and enhanced security for all users.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
- [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
|
||||
@ -37,6 +39,8 @@ Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-back
|
||||
|
||||
By protecting the LSA process with virtualization-based security, Credential Guard shields systems from credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
|
||||
|
||||
Protections are now expanded to optionally include machine account passwords for Active Directory joined devices. Administrators can enable audit mode of this capability or enforcement using Credential Guard management policy.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
|
||||
|
||||
@ -17,13 +17,6 @@ The Microsoft Security Development Lifecycle (SDL) introduces security best prac
|
||||
|
||||
A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released.
|
||||
|
||||
Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape. Project OneFuzz - an extensible fuzz testing framework used by Microsoft Edge, Windows, and teams across Microsoft - is now available to developers around the world through GitHub as an open-source tool.
|
||||
|
||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||
|
||||
- [Project OneFuzz framework, an open source developer tool to find and fix bugs at scale](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)
|
||||
- [OneFuzz on GitHub](https://github.com/microsoft/onefuzz)
|
||||
|
||||
## Microsoft Offensive Research and Security Engineering
|
||||
|
||||
[Microsoft Offensive Research and Security Engineering](https://github.com/microsoft/WindowsAppSDK-Samples?msclkid=1a6280c6c73d11ecab82868efae04e5c) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle.
|
||||
|
||||
Reference in New Issue
Block a user