mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 22:07:22 +00:00
Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into fr-boot-image-patching
commit beffa7e907
@ -170,6 +170,16 @@
"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity.md",
"redirect_url": "/windows/security/identity-protection",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/hello-for-business/hello-overview.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business",
"redirect_document_id": false
},
{
"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-top-node",
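Review bot: both new entries (`windows/security/identity.md` and `identity-protection/hello-for-business/hello-overview.md`) point at folder URLs rather than at a specific page, and both carry `redirect_document_id: false`; since each source is being folded into an `index.md` in that folder later in this commit rather than simply retired, confirm that `/windows/security/identity-protection` and `/windows/security/identity-protection/hello-for-business` resolve to those new index pages, and decide deliberately whether the document id should travel with the moved content. The rendered view drops the `-`/`+` markers, so the `trusted-platform-module` entries at the top and bottom of the hunk are unchanged context, not part of the change.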
@ -645,6 +655,11 @@
"redirect_url": "/troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md",
"redirect_url": "/windows/security/identity-protection",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md",
"redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues",
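Review bot: redirecting `windows-credential-theft-mitigation-guide-abstract.md` to the generic `/windows/security/identity-protection` overview drops the page-specific content rather than relocating it; the abstract (deleted later in this commit) carried the download link for the credential theft mitigation guide and a summary of its sections, and the retitled overview now only pulls in `../includes/sections/identity.md`. If the guide is still published, consider targeting a page that keeps the download link, or folding the link into the include, so the redirect does not land readers on a page that never mentions the guide. The `ts-bitlocker-network-unlock-issues.md` entry at the end of the hunk is unchanged context.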
@ -810,6 +825,11 @@
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/faq",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/index.md",
"redirect_url": "/windows/security/operating-system-security/#data-protection",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system.md",
"redirect_url": "/windows/security/operating-system-security",
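Review bot: the new `data-protection/index.md` entry is the only redirect in these hunks whose `redirect_url` ends in a trailing slash followed by a fragment (`/windows/security/operating-system-security/#data-protection`); the neighbouring entries use bare paths, and a fragment redirect only lands in the right place if the target page actually exposes a `data-protection` heading id. Check which form the redirection tooling expects (`.../operating-system-security#data-protection` would match the style of the other entries) and verify the anchor exists on the target. The `operating-system.md` entry at the end of the hunk is unchanged context.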
@ -7204,6 +7224,13 @@
"source_path": "windows/security/trusted-boot.md",
"redirect_url": "/windows/security/operating-system-security/system-security/trusted-boot",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/password-support-policy.md",
"redirect_url": "https://support.microsoft.com/help/4490115",
"redirect_document_id": false
}
]
}
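Review bot: the new `password-support-policy.md` entry redirects to an external support article (`https://support.microsoft.com/help/4490115`, "Change or reset your Windows password"), while the page being retired (deleted later in this commit) covered more than that case: Microsoft account recovery, local account reset on Windows 10, BIOS passwords, per-file passwords, and the policy statement that support engineers cannot circumvent a lost password. Readers arriving for the Microsoft account or BIOS cases will land on guidance that does not address them; consider whether an internal page should keep the policy text, with the external how-to linked from it. The entry is appended as the last element of the array, and the `trusted-boot` element above it already shows `},`, so the JSON stays valid.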
@ -29,7 +29,7 @@ When the PIN is created, it establishes a trusted relationship with the identity
Even though local passwords are local to the device, they're less secure than a PIN, as described in the next section.

>[!NOTE]
>For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](hello-overview.md#benefits-of-windows-hello).
>For details on how Hello uses asymmetric key pairs for authentication, see [Windows Hello for Business](index.md#benefits-of-windows-hello).

## PIN is backed by hardware
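Review bot: the note's link target changes from `hello-overview.md#benefits-of-windows-hello` to `index.md#benefits-of-windows-hello` (the rendered view shows the old and new line without `-`/`+` markers); the fragment only survives the move if the new `index.md` keeps a heading that still generates the `benefits-of-windows-hello` id, since the id is derived from the heading text. Worth confirming before merge, because a broken fragment is not caught by the link checker the way a missing file is.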
@ -1,110 +0,0 @@
### YamlMime:Landing

title: Windows Hello for Business documentation
summary: Learn how to manage and deploy Windows Hello for Business.

metadata:
title: Windows Hello for Business documentation
description: Learn how to manage and deploy Windows Hello for Business.
ms.topic: landing-page
ms.date: 03/09/2023
ms.collection:
- highpri
- tier1

# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new

landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card
- title: About Windows Hello For Business
linkLists:
- linkListType: overview
links:
- text: Windows Hello for Business Overview
url: hello-overview.md
- linkListType: concept
links:
- text: Passwordless Strategy
url: passwordless-strategy.md
- text: Why a PIN is better than a password
url: hello-why-pin-is-better-than-password.md
- text: Windows Hello biometrics in the enterprise
url: hello-biometrics-in-enterprise.md
- text: How Windows Hello for Business works
url: hello-how-it-works.md
- linkListType: learn
links:
- text: Technical Deep Dive - Device Registration
url: hello-how-it-works-device-registration.md
- text: Technical Deep Dive - Provisioning
url: hello-how-it-works-provisioning.md
- text: Technical Deep Dive - Authentication
url: hello-how-it-works-authentication.md
- text: Technology and Terminology
url: hello-how-it-works-technology.md
- text: Frequently Asked Questions (FAQ)
url: hello-faq.yml

# Card
- title: Configure and manage Windows Hello for Business
linkLists:
- linkListType: concept
links:
- text: Windows Hello for Business Deployment Overview
url: hello-deployment-guide.md
- text: Planning a Windows Hello for Business Deployment
url: hello-planning-guide.md
- text: Deployment Prerequisite Overview
url: hello-identity-verification.md
- linkListType: how-to-guide
links:
- text: Hybrid Cloud Kerberos Trust Deployment
url: hello-hybrid-cloud-kerberos-trust.md
- text: Hybrid Azure AD Joined Key Trust Deployment
url: hello-hybrid-key-trust.md
- text: Hybrid Azure AD Joined Certificate Trust Deployment
url: hello-hybrid-cert-trust.md
- text: On-premises SSO for Azure AD Joined Devices
url: hello-hybrid-aadj-sso.md
- text: On-premises Key Trust Deployment
url: hello-deployment-key-trust.md
- text: On-premises Certificate Trust Deployment
url: hello-deployment-cert-trust.md
- linkListType: learn
links:
- text: Manage Windows Hello for Business in your organization
url: hello-manage-in-organization.md
- text: Windows Hello and password changes
url: hello-and-password-changes.md
- text: Prepare people to use Windows Hello
url: hello-prepare-people-to-use.md

# Card
- title: Windows Hello for Business Features
linkLists:
- linkListType: how-to-guide
links:
- text: Conditional Access
url: hello-feature-conditional-access.md
- text: PIN Reset
url: hello-feature-pin-reset.md
- text: Dual Enrollment
url: hello-feature-dual-enrollment.md
- text: Dynamic Lock
url: hello-feature-dynamic-lock.md
- text: Multi-factor Unlock
url: feature-multifactor-unlock.md
- text: Remote Desktop
url: hello-feature-remote-desktop.md

# Card
- title: Windows Hello for Business Troubleshooting
linkLists:
- linkListType: how-to-guide
links:
- text: Known Deployment Issues
url: hello-deployment-issues.md
- text: Errors During PIN Creation
url: hello-errors-during-pin-creation.md
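Review bot: deleting `index.yml` also removes the landing-page cards that grouped the deployment guides (cloud Kerberos trust, hybrid key and certificate trust, on-premises key and certificate trust, AADJ SSO) and the features list (conditional access, PIN reset, dual enrollment, dynamic lock, multi-factor unlock, remote desktop); the TOC changes in this commit only swap the `index.yml` entry for `index.md` and do not add those feature pages, so confirm the new `index.md` surfaces at least the same links or readers lose a navigation path to them. The rendered hunk stops at `hello-errors-during-pin-creation.md` although the header says 110 lines, so the remaining card entries were not visible for review. The stale `ms.date: 03/09/2023` and the `hello-overview.md` card link go away with the file, which is fine.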
@ -1,11 +1,9 @@
items:
- name: Windows Hello for Business documentation
href: index.yml
- name: Overview
href: index.md
- name: Concepts
expanded: true
items:
- name: Windows Hello for Business overview
href: hello-overview.md
- name: Passwordless strategy
href: passwordless-strategy.md
- name: Why a PIN is better than a password
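Review bot: the rendered view shows both `href: index.yml` and `href: index.md` with no `-`/`+` markers, so verify that the `Windows Hello for Business documentation -> index.yml` pair is the removed side and `Overview -> index.md` the added side (-11/+9 is consistent with that plus dropping the `Windows Hello for Business overview -> hello-overview.md` entry under Concepts); any surviving reference to `index.yml` would be a dead link once that file is deleted. With `hello-overview.md` redirected to the folder root in the redirection file, removing its Concepts entry is consistent, but `Concepts` keeps `expanded: true`, so confirm the group still warrants expanding by default now that its first child is gone.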
@ -1,7 +1,7 @@
---
title: WebAuthn APIs
description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
ms.date: 03/09/2023
ms.date: 07/27/2023
ms.topic: article
---
# WebAuthn APIs for passwordless authentication on Windows
@ -14,7 +14,7 @@ Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms.

## What does this mean?

By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.yml) or [FIDO2 Security Keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to implement passwordless multi-factor authentication for their applications on Windows devices.
By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.md) or [FIDO2 Security Keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to implement passwordless multi-factor authentication for their applications on Windows devices.

Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use.
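Review bot: `[Windows Hello](./index.yml)` becomes `[Windows Hello](./index.md)`, which matches the `index.yml` deletion, but the link text `Windows Hello` now points at the Windows Hello for Business overview; this doc set treats consumer Windows Hello and Windows Hello for Business as distinct (the deleted `identity.md` page names both), and WebAuthn on Windows works with either, so consider either changing the link text to `Windows Hello for Business` or keeping the text and linking a page that covers both. The `ms.date` bump in the front-matter hunk above is the only other change to this file.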
@ -1,26 +1,14 @@
---
title: Identity and access management
description: Learn more about identity and access protection technologies in Windows.
title: Windows identity protection
description: Learn more about identity protection technologies in Windows.
ms.topic: article
ms.date: 05/31/2023
ms.date: 07/27/2023
---

# Identity and access management
# Windows identity protection

Learn more about identity and access management technologies in Windows.
Learn more about identity protection technologies in Windows.

[!INCLUDE [virtual-smart-card-deprecation-notice](../includes/virtual-smart-card-deprecation-notice.md)]

| Section | Description |
|-|-|
| [Windows Hello for Business](hello-for-business/index.yml) | Windows Hello replaces passwords with strong two-factor authentication on client devices. The authentication consists of a type of user credential that is tied to a device and a biometric or PIN. |
| [Windows Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices.
| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
| [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) | Credential Guard uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to the secrets can lead to credential theft attacks, such as *pass the hash* or *pass the ticket*. Credential Guard helps prevent such attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. |
| [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. |
| [User Account Control](../application-security/application-control/user-account-control/index.md)| Provides information about User Account Control (UAC), which helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. UAC can help block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.|
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references articles about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
| [Windows Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows. |
| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](../threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) |
[!INCLUDE [identity](../includes/sections/identity.md)]
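Review bot: replacing the section table with `[!INCLUDE [identity](../includes/sections/identity.md)]` removes several rows that have no visible destination elsewhere in this commit: the lost-password support policy (page deleted and redirected externally), the credential theft mitigation guide abstract (page deleted), Microsoft Defender SmartScreen, User Account Control, Smart Cards and Virtual Smart Cards; confirm the include covers these, or the retitled `Windows identity protection` page loses its only pointers to them. Separately, the old table linked Windows Hello to `hello-for-business/index.yml`, which this commit deletes, so the include must not carry that path. Minor, and moot now: the old LAPS row was missing its closing `|`. The `virtual-smart-card-deprecation-notice` include above the table is unchanged context and still applies.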
@ -1,46 +0,0 @@
---
title: Technical support policy for lost or forgotten passwords
description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so.
ms.topic: article
ms.date: 11/20/2019
---

# Technical support policy for lost or forgotten passwords

Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. If these options don't work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.

If you lose or forget a password, you can use the links in this article to find published support information that will help you reset the password.

## How to reset a password for a domain account

If you lose or forget the password for a domain account, contact your IT administrator or Helpdesk. For more information, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115).

## How to reset a password for a Microsoft account

If you lose or forget the password for your Microsoft Account, use the [Recover your account](https://account.live.com/ResetPassword.aspx) wizard.

This wizard requests your security proofs. If you've forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you're the account holder. This decision is final. Microsoft doesn't influence the team's choice of action.

## How to reset a password for a local account on a Windows device

Local accounts on a device include the device's Administrator account.

### Windows 10

If you lose or forget the password for a local account on a device that runs Windows 10, see [Reset your Windows 10 local account password](https://support.microsoft.com/help/4028457).

### Windows 8.1 or Windows 7

If you lose or forget the password for a local account on a device that runs Windows 8.1 or Windows 7, see [Change or reset your Windows password](https://support.microsoft.com/help/4490115). In that article, you can select your operating system version from the **Select Product Version** menu.

## How to reset a hardware BIOS password

If you lose or forget the password for the hardware BIOS of a device, contact the device manufacturer for help and support. If you do contact the manufacturer online, make sure that you visit the manufacturer website and not the website of some third party.

## How to reset a password for an individual file

Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers can't help you reset, retrieve, or circumvent such passwords.

## Using third-party password tools

Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we can't recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk.
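Review bot: this deletion removes the only statement of the policy itself ("Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password"), along with the Microsoft account recovery flow, the BIOS and per-file password guidance and the third-party tools caveat, and the redirect added for it earlier in this commit points to a how-to support article rather than a policy page; if the intent is to retire the policy text rather than move it, that should be stated, otherwise keep the file (its `ms.date: 11/20/2019` and `Windows 8.1 or Windows 7` section show it needs a refresh, not necessarily removal). The TOC entry removal later in this commit is consistent with deleting the file.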
@ -1,12 +1,10 @@
items:
- name: Overview
href: ../identity.md
- name: Windows credential theft mitigation guide
href: windows-credential-theft-mitigation-guide-abstract.md
href: index.md
- name: Passwordless sign-in
items:
- name: Windows Hello for Business 🔗
href: hello-for-business/index.yml
href: hello-for-business/index.md
- name: Windows presence sensing
href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb
- name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗
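Review bot: the Overview entry moves from `../identity.md` to `index.md` and the `Windows credential theft mitigation guide` entry is dropped, both matching the deletions and redirects above; the `Windows Hello for Business 🔗` entry keeps its link marker while now pointing at `hello-for-business/index.md`, so check that the marker still fits the convention this TOC uses (it otherwise appears on entries that leave this folder's tree, such as the `../threat-protection/...` and support.microsoft.com links). Without `-`/`+` markers in the rendered view, the two adjacent `href:` lines under each renamed entry are the old and new value, not a duplicated key.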
@ -22,30 +20,24 @@ items:
displayName: VSC
- name: Enterprise Certificate Pinning
href: enterprise-certificate-pinning.md
- name: Account Lockout Policy 🔗
href: ../threat-protection/security-policy-settings/account-lockout-policy.md
- name: Technical support policy for lost or forgotten passwords
href: password-support-policy.md
- name: Windows LAPS (Local Administrator Password Solution) 🔗
displayName: LAPS
href: /windows-server/identity/laps/laps-overview
- name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
href: ../operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
displayName: EPP
- name: Access Control
items:
- name: Overview
href: access-control/access-control.md
displayName: ACL
- name: Local Accounts
href: access-control/local-accounts.md
- name: Security policy settings 🔗
href: ../threat-protection/security-policy-settings/security-policy-settings.md
- name: Advanced credential protection
items:
- name: Configuring LSA Protection
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- name: Windows LAPS (Local Administrator Password Solution) 🔗
displayName: LAPS
href: /windows-server/identity/laps/laps-overview
- name: Account Lockout Policy 🔗
href: ../threat-protection/security-policy-settings/account-lockout-policy.md
- name: Enhanced phishing protection with SmartScreen
href: ../operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
displayName: EPP
- name: Access Control
href: access-control/access-control.md
displayName: ACL/SACL
- name: Windows Defender Credential Guard
href: credential-guard/toc.yml
- name: Windows Defender Remote Credential Guard
href: remote-credential-guard.md
- name: LSA Protection
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- name: Local Accounts
href: access-control/local-accounts.md
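Review bot: the reorganised tail of the TOC (-30/+24) flattens `Access Control` to a single href with `displayName: ACL/SACL`, moves `Local Accounts` out from under it to the top level, adds `Windows Defender Credential Guard -> credential-guard/toc.yml` and `Windows Defender Remote Credential Guard`, renames `Configuring LSA Protection` to `LSA Protection`, and drops the `Technical support policy` entry; in the same reshuffle the `Security policy settings 🔗` cross-link and the `Advanced credential protection` grouping disappear with no replacement visible. Because the rendered view has no `-`/`+` markers it is hard to distinguish a deliberate removal from a line lost while flattening, so confirm that `Security policy settings` was meant to go, and that `Local Accounts` is intended to sit as a sibling of `Access Control` rather than under it.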
@ -1,58 +0,0 @@
---
title: Windows Credential Theft Mitigation Guide Abstract
description: Provides a summary of the Windows credential theft mitigation guide.
ms.topic: conceptual
ms.date: 03/31/2023
---

# Windows Credential Theft Mitigation Guide Abstract

This article provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx).
This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:

- Identify high-value assets
- Protect against known and unknown threats
- Detect pass-the-hash and related attacks
- Respond to suspicious activity
- Recover from a breach



## Attacks that steal credentials

Learn about the different types of attacks that are used to steal credentials, and the factors that can place your organization at risk.
The types of attacks that are covered include:

- Pass the hash
- Kerberos pass the ticket
- Kerberos golden ticket and silver ticket
- Key loggers
- Shoulder surfing

## Credential protection strategies

This part of the guide helps you consider the mindset of the attacker, with prescriptive guidance about how to prioritize high-value accounts and computers.
You'll learn how to architect a defense against credential theft:

- Establish a containment model for account privileges
- Harden and restrict administrative hosts
- Ensure that security configurations and best practices are implemented

## Technical countermeasures for credential theft

Objectives and expected outcomes are covered for each of these countermeasures:

- Use Windows 10 with Credential Guard
- Restrict and protect high-privilege domain accounts
- Restrict and protect local accounts with administrative privileges
- Restrict inbound network traffic

Many other countermeasures are also covered, such as using Microsoft Passport and Windows Hello, or multifactor authentication.

## Detecting credential attacks

This section covers how to detect the use of stolen credentials and how to collect computer events to help you detect credential theft.

## Responding to suspicious activity

Learn Microsoft's recommendations for responding to incidents, including how to recover control of compromised accounts, how to investigate attacks, and how to recover from a breach.
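Review bot: the deleted abstract is the only place in this diff that links the downloadable guide (`https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx`) and references `images/credential-theft-mitigation-guide-abstract.png`; if the guide remains published, the link should be relocated, since the redirect sends readers to the identity overview, which does not mention it, and if the image is now orphaned it should be removed in the same commit. The page was updated as recently as `ms.date: 03/31/2023`, so a one-line rationale for retiring it (superseded content, broken download, or similar) would help whoever reviews the redirect later.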
@ -1,25 +0,0 @@
---
title: Windows identity and user security
description: Get an overview of identity security in Windows 11 and Windows 10
ms.reviewer:
manager: aaroncz
ms.author: paoloma
author: paolomatarazzo
ms.prod: windows-client
ms.technology: itpro-security
ms.date: 12/31/2017
ms.topic: article
---

# Windows identity and privacy

Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations.

| Security capabilities | Description |
|:---|:---|
| Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) |
| Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)|
| FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). |
| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone). |
| Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).|
| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).|
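Review bot: the deleted `identity.md` had defects that justify retiring it (an H1 `Windows identity and privacy` that does not match the title `Windows identity and user security`, `ms.date: 12/31/2017`, a backslash link path `identity-protection\hello-for-business\hello-overview.md`, and the run-together `another deviceLearn more`), but two of its rows, `FIDO Alliance` and `Microsoft Authenticator`, have no counterpart in the retitled identity-protection index or in the TOC changes in this commit; confirm the identity include carries FIDO2 security key and Authenticator coverage, or state that the drop is intended. The redirect for this file in the first hunk goes to the identity-protection folder root, which is consistent with the new `index.md` there.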
@ -21,7 +21,7 @@ ms.topic: include
| **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.<br><br>LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
| **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.<br><br>Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt in to enforce the policy from the Windows Security app. |
| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders. <br><br>Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware. |
|
||||
| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
|
||||
| **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
|
||||
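Review bot: the SmartScreen row in this hunk's context says "The protection runs in audit mode by default", which reads as if SmartScreen as a whole ships in audit mode; SmartScreen's URL and download checks block by default, and audit mode is the default only for the enhanced phishing protection notifications the preceding sentence describes, so suggest narrowing it to "Enhanced phishing protection runs in audit mode by default, giving IT admins ...". The "opt-in" to "opt in" change in the Vulnerable Driver Blocklist row is correct, since the word is used as a verb there.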
@ -35,14 +35,14 @@ ms.topic: include
|
||||
| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
|
||||
| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.<br><br>Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
|
||||
| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots. |
|
||||
| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
|
||||
| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Security provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
|
||||
| **[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls. |
|
||||
| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | |
|
||||
| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.<br><br>With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
|
||||
| **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
|
||||
| **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.<br><br>SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
|
||||
|
||||
## Data Protection
|
||||
## Encryption And Data Protection
|
||||
|
||||
| Security Measures | Features & Capabilities |
|
||||
|:---|:---|
|
||||
|
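Review bot: besides the "Securityprovides" spacing fix, two context rows in this hunk carry errors that belong in the same change: the SMB row expands RDMA as "Remote Directory Memory Access", which should be "Remote Direct Memory Access" (the SMB Direct row immediately below gets it right), and the "Always On VPN (device tunnel)" row has an empty description cell, so it renders as a link with no text. The WiFi row also has a number-agreement slip, "WPA is a security certification programs".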
@ -10,7 +10,6 @@ metadata:
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-security
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier1
|
||||
author: paolomatarazzo
|
||||
ms.author: paoloma
|
||||
@ -62,8 +61,6 @@ landingContent:
|
||||
links:
|
||||
- text: Trusted boot
|
||||
url: operating-system-security\system-security\trusted-boot.md
|
||||
- text: Encryption and data protection
|
||||
url: operating-system-security/data-protection/index.md
|
||||
- text: Windows security baselines
|
||||
url: operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
|
||||
- text: Virtual private network guide
|
||||
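Review bot: the -8,+6 header shows two lines removed, which from the remaining context must be the "Encryption and data protection" link and its url operating-system-security/data-protection/index.md; that is consistent with the deletion of that file later in this commit, but it leaves the landing page with no entry into the data-protection section. Consider linking the BitLocker or PDE pages directly, and confirm the redirection file carries an entry for the removed index.md path so existing inbound links do not 404.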
@ -107,9 +104,7 @@ landingContent:
|
||||
- linkListType: concept
|
||||
links:
|
||||
- text: Windows Hello for Business
|
||||
url: identity-protection/hello-for-business/hello-overview.md
|
||||
- text: Windows Credential Theft Mitigation
|
||||
url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md
|
||||
url: identity-protection/hello-for-business/index.md
|
||||
- text: Protect domain credentials
|
||||
url: identity-protection/credential-guard/credential-guard.md
|
||||
- text: Windows Defender Credential Guard
|
||||
|
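Review bot: the "Windows Credential Theft Mitigation" entry and its target identity-protection/windows-credential-theft-mitigation-guide-abstract.md are dropped here, which is only safe if a redirect for that source path ships in the same change. Separately, "Protect domain credentials" points at credential-guard/credential-guard.md and is immediately followed by a "Windows Defender Credential Guard" entry whose url falls outside the hunk; if both resolve to the same page, one of them is redundant.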
@ -25,7 +25,7 @@ A Zero Trust security model gives the right people the right access at the right
|
||||
1. When verified, give people and devices access to only necessary resources for the necessary amount of time
|
||||
1. Use continuous analytics to drive threat detection and improve defenses
|
||||
|
||||
For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](../identity-protection/hello-for-business/hello-overview.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
|
||||
For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](../identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
|
||||
|
||||
### Security, by default
|
||||
|
||||
@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d
|
||||
|
||||
### Secured identities
|
||||
|
||||
Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/hello-overview.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
|
||||
Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
|
||||
|
||||
### Connecting to cloud services
|
||||
|
||||
|
@ -1,49 +0,0 @@
|
||||
---
|
||||
title: Encryption and data protection in Windows
|
||||
description: Get an overview encryption and data protection in Windows 11 and Windows 10
|
||||
ms.topic: overview
|
||||
ms.date: 09/22/2022
|
||||
ms.reviewer: rafals
|
||||
---
|
||||
|
||||
# Encryption and data protection in Windows client
|
||||
|
||||
When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
|
||||
Encryption and data protection features include:
|
||||
|
||||
- Encrypted Hard Drive
|
||||
- BitLocker
|
||||
|
||||
## Encrypted Hard Drive
|
||||
|
||||
Encrypted Hard Drive uses the rapid encryption provided by BitLocker Drive Encryption to enhance data security and management.
|
||||
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
|
||||
|
||||
Encrypted hard drives provide:
|
||||
|
||||
- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
|
||||
- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
|
||||
- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
|
||||
- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
|
||||
|
||||
Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption.
|
||||
|
||||
## BitLocker
|
||||
|
||||
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
|
||||
|
||||
BitLocker provides encryption for the operating system, fixed data, and removable data drives, using technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
|
||||
|
||||
Windows consistently improves data protection by improving existing options and providing new strategies.
|
||||
|
||||
## Personal Data Encryption (PDE)
|
||||
<!-- Max 5963468 OS 32516487 -->
|
||||
(*Applies to: Windows 11, version 22H2 and later*)
|
||||
|
||||
[!INCLUDE [Personal Data Encryption (PDE) description](personal-data-encryption/includes/pde-description.md)]
|
||||
|
||||
## See also
|
||||
|
||||
- [Encrypted Hard Drive](encrypted-hard-drive.md)
|
||||
- [BitLocker](bitlocker/index.md)
|
||||
- [Personal Data Encryption (PDE)](personal-data-encryption/index.md)
|
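Review bot: deleting this file removes the only page that summarized Encrypted Hard Drive, BitLocker and PDE together and pulled in the pde-description.md include; the toc.yml hunk below (-13,+11) drops the matching "Overview / href: index.md" pair, so nothing in the folder should still reference it, but the redirect for windows/security/operating-system-security/data-protection/index.md must land in the same commit. If any of this overview text is being moved rather than dropped, the BitLocker paragraph's list of "technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM" is worth rechecking, since HSTI and Modern Standby are platform requirements rather than encryption technologies.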
@ -16,7 +16,7 @@ ms.date: 03/13/2023
|
||||
### Required
|
||||
|
||||
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
|
||||
- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/hello-overview.md)
|
||||
- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/index.md)
|
||||
- Windows 11, version 22H2 and later Enterprise and Education editions
|
||||
|
||||
### Not supported with PDE
|
||||
|
@ -1,13 +1,11 @@
|
||||
items:
|
||||
- name: Overview
|
||||
href: index.md
|
||||
- name: BitLocker
|
||||
href: bitlocker/toc.yml
|
||||
- name: Encrypted Hard Drive
|
||||
href: encrypted-hard-drive.md
|
||||
- name: Personal Data Encryption (PDE)
|
||||
- name: Personal data encryption (PDE)
|
||||
href: personal-data-encryption/toc.yml
|
||||
- name: Configure S/MIME for Windows
|
||||
- name: Email Encryption (S/MIME)
|
||||
href: configure-s-mime.md
|
||||
- name: Windows Information Protection (WIP)
|
||||
href: ../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
|
||||
|
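Review bot: the two renamed entries use different casing within the same hunk, "Personal data encryption (PDE)" in sentence case and "Email Encryption (S/MIME)" in title case; pick one (sentence case is the style used by the renamed PDE entry, so "Email encryption (S/MIME)"). The -13,+11 header implies the "Overview / href: index.md" pair is the removed entry, which matches the index.md deletion, but the rendering does not mark which lines went, so confirm no other entry was dropped.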
@ -38,7 +38,7 @@ Requiring users to use long, complex passwords for authentication enhances netwo
|
||||
|
||||
### Best practices
|
||||
|
||||
- Set **Interactive logon: Require Windows Hello for Business or smart card** to Enabled. All users will have to use smart cards to sign in to the network, or a Windows Hello for Business method. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users. For more information about password-less authentication, see [Windows Hello for Business overview](../../identity-protection/hello-for-business/hello-overview.md).
|
||||
- Set **Interactive logon: Require Windows Hello for Business or smart card** to Enabled. All users will have to use smart cards to sign in to the network, or a Windows Hello for Business method. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users. For more information about password-less authentication, see [Windows Hello for Business overview](../../identity-protection/hello-for-business/index.md).
|
||||
|
||||
### Location
|
||||
|
||||
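Review bot: the updated line still says "password-less" while the rest of this change set uses "passwordless" (the Secured identities paragraph, for example); since the line is being touched anyway, align the spelling. The sentence "All users will have to use smart cards to sign in to the network, or a Windows Hello for Business method" would also read more cleanly as "All users must sign in with a smart card or a Windows Hello for Business method".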
@ -92,4 +92,4 @@ All users of a device with this setting enabled must use smart cards or a Window
|
||||
## Related articles
|
||||
|
||||
- [Security Options](security-options.md)
|
||||
- [Windows Hello for Business overview](../../identity-protection/hello-for-business/hello-overview.md)
|
||||
- [Windows Hello for Business overview](../../identity-protection/hello-for-business/index.md)
|
||||
|
@ -1,4 +1,4 @@
|
||||
|
||||
items:
|
||||
- name: Windows security
|
||||
href: index.yml
|
||||
expanded: true
|
||||
|