updating name to Windows Hello for Business

Brian Lich 2016-11-11 09:22:30 -08:00
parent 8d5789725a
commit ac7235ee7d


@ -21,7 +21,7 @@ This guide provides a detailed description of the most important security improv
#### Introduction
Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors. Three broad categories of security work went into Windows 10:
- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users credentials.
- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Windows Hello for Business, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users credentials.
- [**Information protection**](#information) that guards information at rest, in use, and in transit. In addition to BitLocker and BitLocker To Go for protection of data at rest, Windows 10 includes file-level encryption with Enterprise Data Protection that performs data separation and containment and, when combined with Rights Management services, can keep data encrypted when it leaves the corporate network. Windows 10 can also help keep data secure by using virtual private networks (VPNs) and Internet Protocol Security.
- [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10.
@ -50,7 +50,7 @@ Table 1. Windows 10 solutions to typical access control challenges
<tr class="odd">
<td align="left"><p>Organizations frequently use passwords because the alternative methods are too complex and costly to deploy.</p>
<p>Organizations that choose password alternatives such as smart cards must purchase and manage smart card readers, smart cards, and management software. These solutions delay productivity when the MFA component is lost or damaged. Consequently, MFA solutions like smart cards tend to be used only for VPN and select assets.</p></td>
<td align="left"><p>Windows Hello on biometric-capable devices and Microsoft Passport enable simpler MFA.</p></td>
<td align="left"><p>Windows Hello on biometric-capable devices and Windows Hello for Business enable simpler MFA.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Tablet users must type their password on a touchscreen, which is error prone and less efficient than a keyboard. Windows Hello enables secure facial recognitionbased authentication.</p></td>
@ -62,7 +62,7 @@ Table 1. Windows 10 solutions to typical access control challenges
</tr>
<tr class="even">
<td align="left"><p>Users dislike typing their passwords.</p></td>
<td align="left"><p>Single sign-on (SSO) allows users to sign in once with their Microsoft Passport and get access to all corporate resources without the need to re-authenticate.</p>
<td align="left"><p>Single sign-on (SSO) allows users to sign in once with their Windows Hello for Business credentials and get access to all corporate resources without the need to re-authenticate.</p>
<p>Windows Hello enables secure fingerprint- and facial recognitionbased authentication and can be used to revalidate user presence when sensitive resources are accessed.</p></td>
</tr>
<tr class="odd">
@ -74,36 +74,36 @@ Table 1. Windows 10 solutions to typical access control challenges
 
The sections that follow describe these challenges and solutions in more detail.
### Microsoft Passport
### Windows Hello for Business
Microsoft Passport provides strong two-factor authentication (2FA), fully integrated into Windows, and replaces passwords with the combination of an enrolled device and either a PIN or Windows Hello. Microsoft Passport is conceptually similar to smart cards but more flexible. Authentication is performed by using an asymmetric key pair instead of a string comparison (for example, password), and the users key material can be secured by using hardware.
Unlike smart cards, Microsoft Passport does not require the extra infrastructure components required for smart card deployment. In particular, you do not need public key infrastructure (PKI). If you already use PKI for example, in secure email or VPN authentication you can use the existing infrastructure with Microsoft Passport. Microsoft Passport combines the major advantages of smart card technology deployment flexibility for virtual smart cards and robust security for physical smart cards without any of their drawbacks.
Windows Hello for Business provides strong two-factor authentication (2FA), fully integrated into Windows, and replaces passwords with the combination of an enrolled device and either a PIN or Windows Hello. Windows Hello for Business is conceptually similar to smart cards but more flexible. Authentication is performed by using an asymmetric key pair instead of a string comparison (for example, password), and the users key material can be secured by using hardware.
Unlike smart cards, Windows Hello for Business does not require the extra infrastructure components required for smart card deployment. In particular, you do not need public key infrastructure (PKI). If you already use PKI for example, in secure email or VPN authentication you can use the existing infrastructure with Windows Hello for Business. Windows Hello for Business combines the major advantages of smart card technology deployment flexibility for virtual smart cards and robust security for physical smart cards without any of their drawbacks.
Microsoft Passport offers three significant advantages over the current state of Windows authentication: Its more flexible, its based on industry standards, and it effectively mitigates risks. The sections that follow look at each of these advantages in more detail.
Windows Hello for Business offers three significant advantages over the current state of Windows authentication: Its more flexible, its based on industry standards, and it effectively mitigates risks. The sections that follow look at each of these advantages in more detail.
#### Its flexible
Microsoft Passport offers unprecedented flexibility. Although the format and use of passwords and smart cards is fixed, Microsoft Passport gives both administrators and users options to manage authentication. First and foremost, Microsoft Passport works with biometric sensors and PINs. Next, you can use your PC or even your phone as one of the factors to authenticate on your PC. Finally, your user credentials can come from your PKI infrastructure, or Windows can create the credential itself.
Windows Hello for Business offers unprecedented flexibility. Although the format and use of passwords and smart cards is fixed, Windows Hello for Business gives both administrators and users options to manage authentication. First and foremost, Windows Hello for Business works with biometric sensors and PINs. Next, you can use your PC or even your phone as one of the factors to authenticate on your PC. Finally, your user credentials can come from your PKI infrastructure, or Windows can create the credential itself.
Microsoft Passport gives you options beyond long, complex passwords. Instead of requiring users to memorize and retype frequently-changed passwords, Microsoft Passport enables PIN- and biometrics-based authentication through Windows Hello to securely identify users.
Windows Hello for Business gives you options beyond long, complex passwords. Instead of requiring users to memorize and retype frequently-changed passwords, Windows Hello for Business enables PIN- and biometrics-based authentication through Windows Hello to securely identify users.
With Microsoft Passport, you gain flexibility in the data center, too. To deploy it, you must add Windows Server 2016 domain controllers to your Active Directory environment, but you do not have to replace or remove your existing Active Directory servers: Microsoft Passport builds on and adds to your existing infrastructure. You can either add on premises servers or use Microsoft Azure Active Directory to deploy Microsoft Passport to your network. The choice of which users to enable for Microsoft Passport use is completely up to you you choose which items to protect and which authentication factors you want to support. This flexibility makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding 2FA to users who do not currently have it, or to deploy Microsoft Passport in scenarios that call for extra protection for sensitive resources or systems.
With Windows Hello for Business, you gain flexibility in the data center, too. To deploy it, you must add Windows Server 2016 domain controllers to your Active Directory environment, but you do not have to replace or remove your existing Active Directory servers: Windows Hello for Business builds on and adds to your existing infrastructure. You can either add on premises servers or use Microsoft Azure Active Directory to deploy Windows Hello for Business to your network. The choice of which users to enable for Windows Hello for Business use is completely up to you you choose which items to protect and which authentication factors you want to support. This flexibility makes it easy to use Microsoft Passport to supplement existing smart card or token deployments by adding 2FA to users who do not currently have it, or to deploy Windows Hello for Business in scenarios that call for extra protection for sensitive resources or systems.
#### Its standardized
Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end: The future lies with open, interoperable systems that allow secure authentication across a variety of devices, line of business (LOB) apps, and external applications and websites. To this end, a group of industry players formed FIDO, the Fast IDentity Online Alliance. The FIDO Alliance is a nonprofit organization intended to address the lack of interoperability among strong authentication devices, as well as the problems users face when they need to create and remember multiple user names and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plug ins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.
In 2014, Microsoft joined the board of the [FIDO Alliance](https://go.microsoft.com/fwlink/p/?LinkId=626934). FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards, and of course, on new ideas. Microsoft has contributed Microsoft Passport technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike.
In 2014, Microsoft joined the board of the [FIDO Alliance](https://go.microsoft.com/fwlink/p/?LinkId=626934). FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards, and of course, on new ideas. Microsoft has contributed Windows Hello for Business technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike.
#### Its effective
Microsoft Passport effectively mitigates two major security risks. First, it eliminates the use of passwords for logon and so reduces the risk that a nefarious attacker will steal and reuse the users credentials. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Second, because Microsoft Passport uses asymmetrical key pairs, users credentials cant be stolen in cases where the identity provider or websites the user accesses have been compromised.
Windows Hello for Business effectively mitigates two major security risks. First, it eliminates the use of passwords for logon and so reduces the risk that a nefarious attacker will steal and reuse the users credentials. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Second, because Windows Hello for Business uses asymmetrical key pairs, users credentials cant be stolen in cases where the identity provider or websites the user accesses have been compromised.
To compromise a Microsoft Passport credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the users biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. This sets the bar magnitudes of order higher than password phishing attacks.
To compromise a Windows Hello for Business credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the users biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. This sets the bar magnitudes of order higher than password phishing attacks.
### Windows Hello
Windows Hello is the name given to the new biometric sign-in option for Microsoft Passport. Because biometric authentication is built directly into the operating system, Windows Hello allows users to unlock their devices by using their face or fingerprint. From here, authentication to the devices and resources is enabled through a combination of the users unique biometric identifier and the device itself.
Windows Hello is the name given to the new biometric sign-in option for Windows Hello for Business. Because biometric authentication is built directly into the operating system, Windows Hello allows users to unlock their devices by using their face or fingerprint. From here, authentication to the devices and resources is enabled through a combination of the users unique biometric identifier and the device itself.
The users biometric data that is used for Windows Hello is considered a local gesture and consequently doesnt roam among a users devices and is not centrally stored. The biometric image of the user the sensor takes is converted into an algorithmic form that cannot be converted back into the original image that the sensor took. Devices that have TPM 2.0 encrypt the biometric data in a form that makes it unreadable if the data is ever removed from the device. If multiple users share a device, each user will be able to enroll and use Windows Hello for his or her Windows profile.
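Review bot: the rename is incomplete in the new version of the data-center paragraph: "This flexibility makes it easy to use Microsoft Passport to supplement existing smart card or token deployments" still carries the old name while the rest of that sentence already says Windows Hello for Business; change it to "easy to use Windows Hello for Business to supplement". Two smaller points in the same hunk: renaming the heading "### Microsoft Passport" to "### Windows Hello for Business" changes its generated anchor, so any in-document link to the old heading would break and is worth a search before merging; and the Windows Hello section now opens with "Windows Hello is the name given to the new biometric sign-in option for Windows Hello for Business", which reads circularly after the rename, so consider "the biometric sign-in option used by Windows Hello for Business".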
@ -451,7 +451,7 @@ Several Windows 10 security features require TPM:
* Health attestation (requires TPM 2.0 or later)
* InstantGo (requires TPM 2.0 or later)
Other Windows 10 security features like BitLocker may take advantage of TPM if it is available but do not require it to work. An example of this is Microsoft Passport.
Other Windows 10 security features like BitLocker may take advantage of TPM if it is available but do not require it to work. An example of this is Windows Hello for Business.
All of these features are covered in this document.
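Review bot: after the rename this line states that Windows Hello for Business does not require a TPM, which sits uneasily with the updated "It's effective" paragraph earlier in this commit, which says "User key material is generated and available within the Trusted Platform Module (TPM) of the user device". The "It's flexible" text already hedges with "can be secured by using hardware"; consider qualifying the "It's effective" sentence the same way (for example "when a TPM is present") so the document does not both require and not require a TPM for the same feature.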