diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index c744876e01..ef8103d135 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: miladCA +ms.date: 06/29/2017 --- # Microsoft Surface Data Eraser diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md index f64cc3d1cd..207c434259 100644 --- a/devices/surface/microsoft-surface-deployment-accelerator.md +++ b/devices/surface/microsoft-surface-deployment-accelerator.md @@ -2,6 +2,7 @@ title: Microsoft Surface Deployment Accelerator (Surface) description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4 +ms.date: 06/29/2017 localizationpriority: high keywords: deploy, install, tool ms.prod: w10 diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index f41c92b26b..e555b82072 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: jobotto +ms.date: 06/29/2017 --- # Microsoft Surface Dock Updater diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 266a77fc24..9714c77347 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -152,6 +152,7 @@ #### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md) ## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) +## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) ## [Secure the windows 10 boot process](secure-the-windows-10-boot-process.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md index c664fa8066..ee84b688ce 100644 --- a/windows/threat-protection/change-history-for-threat-protection.md +++ b/windows/threat-protection/change-history-for-threat-protection.md @@ -14,7 +14,8 @@ This topic lists new and updated topics in the [Threat protection](index.md) doc ## June 2017 |New or changed topic |Description | |---------------------|------------| -[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| +| [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) | New | +|[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| |[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.| diff --git a/windows/threat-protection/how-hardware-based-containers-help-protect-windows.md b/windows/threat-protection/how-hardware-based-containers-help-protect-windows.md new file mode 100644 index 0000000000..8b6124f000 --- /dev/null +++ b/windows/threat-protection/how-hardware-based-containers-help-protect-windows.md @@ -0,0 +1,60 @@ +--- +title: How hardware-based containers help protect Windows 10 (Windows 10) +description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised. +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: justinha +ms.date: 06/29/2017 +--- + +# How hardware-based containers help protect Windows 10 + +Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised. +Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard. + +Protecting system services and data with Windows Defender System Guard is an important first step, but is just the beginning of what we need to do as it doesn’t protect the rest of the operating system, information on the device, other apps, or the network. +Since systems are generally compromised through the application layer, and often though browsers, Windows 10 includes Windows Defender Application Guard to isolate Microsoft Edge from the operating system, information on the device, and the network. +With this, Windows can start to protect the broader range of resources. + +The following diagram shows Windows Defender System Guard and Windows Defender Application Guard in relation to the Windows 10 operating system. + +![Application Guard and System Guard](images/application-guard-and-system-guard.png) + +## What security threats do containers protect against + +Exploiting zero days and vulnerabilities are an increasing threat that attackers are attempting to take advantage of. +The following diagram shows the traditional Windows software stack: a kernel with an app platform, and an app running on top of it. +Let’s look at how an attacker might elevate privileges and move down the stack. + +![Traditional Windows software stack](images/traditional-windows-software-stack.png) + +In desktop operating systems, those apps typically run under the context of the user’s privileges. +If the app was malicious, it would have access to all the files in the file system, all the settings that you as a user Standard user have access to, and so on. + +A different type of app may run under the context of an Administrator. +If attackers exploit a vulnerability in that app, they could gain Administrator privileges. +Then they can start turning off defenses. + +They can poke down a little bit lower in the stack and maybe elevate to System, which is greater than Administrator. +Or if they can exploit the kernel mode, they can turn on and turn off all defenses, while at the same time making the computer look healthy. +SecOps tools could report the computer as healthy when in fact it’s completely under the control of someone else. + +One way to address this threat is to use a sandbox, as smartphones do. +That puts a layer between the app layer and the Windows platform services. +Universal Windows Platform (UWP) applications work this way. +But what if a vulnerability in the sandbox exists? +The attacker can escape and take control of the system. + +## How containers help protect Windows 10 + +Windows 10 addresses this by using virtualization based security to isolate more and more components out of Windows (left side) over time and moving those components into a separate, isolated hardware container. +The container helps prevent zero days and vulnerabilities from allowing an attacker to take control of a device. + +Anything that's running in that container on the right side will be safe, even from Windows, even if the kernel's compromised. +Anything that's running in that container will also be secure against a compromised app. +Initially, Windows Defender System Guard will protect things like authentication and other system services and data that needs to resist malware, and more things will be protected over time. + +![Windows Defender System Guard](images/windows-defender-system-guard.png) diff --git a/windows/threat-protection/images/application-guard-and-system-guard.png b/windows/threat-protection/images/application-guard-and-system-guard.png new file mode 100644 index 0000000000..b4b883db90 Binary files /dev/null and b/windows/threat-protection/images/application-guard-and-system-guard.png differ diff --git a/windows/threat-protection/images/traditional-windows-software-stack.png b/windows/threat-protection/images/traditional-windows-software-stack.png new file mode 100644 index 0000000000..0da610c368 Binary files /dev/null and b/windows/threat-protection/images/traditional-windows-software-stack.png differ diff --git a/windows/threat-protection/images/windows-defender-system-guard.png b/windows/threat-protection/images/windows-defender-system-guard.png new file mode 100644 index 0000000000..865af86b19 Binary files /dev/null and b/windows/threat-protection/images/windows-defender-system-guard.png differ diff --git a/windows/threat-protection/secure-the-windows-10-boot-process.md b/windows/threat-protection/secure-the-windows-10-boot-process.md index 069d8b1578..2f0931b1dc 100644 --- a/windows/threat-protection/secure-the-windows-10-boot-process.md +++ b/windows/threat-protection/secure-the-windows-10-boot-process.md @@ -8,6 +8,7 @@ ms.pagetype: security ms.sitesec: library localizationpriority: medium author: brianlic-msft +ms.date: 06/23/2017 --- # Secure the Windows 10 boot process