From ce153c3aa8158abf7bba18db639d1265b84d27d6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 14 Oct 2024 07:33:12 -0400 Subject: [PATCH] move content to include files --- ...security-application-and-driver-control.md | 10 ++--- ...lication-security-application-isolation.md | 10 ++--- ...vices-protect-your-personal-information.md | 8 ++-- ...-services-protect-your-work-information.md | 40 +++++++++---------- ...ardware-security-hardware-root-of-trust.md | 4 +- ...ware-security-silicon-assisted-security.md | 12 +++--- ...otection-advanced-credential-protection.md | 12 +++--- ...dentity-protection-passwordless-sign-in.md | 28 ++++++------- windows/security/book/includes/learn-more.md | 9 +++++ windows/security/book/index.md | 2 +- ...security-encryption-and-data-protection.md | 12 +++--- ...rating-system-security-network-security.md | 14 +++---- ...erating-system-security-system-security.md | 18 ++++----- ...em-security-virus-and-threat-protection.md | 12 +++--- windows/security/book/privacy-controls.md | 4 +- windows/security/book/privacy.md | 2 +- .../book/security-foundation-certification.md | 4 +- .../security-foundation-offensive-research.md | 6 +-- ...security-foundation-secure-supply-chain.md | 2 +- 19 files changed, 109 insertions(+), 100 deletions(-) create mode 100644 windows/security/book/includes/learn-more.md diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md index 03f9155e8e..563452df66 100644 --- a/windows/security/book/application-security-application-and-driver-control.md +++ b/windows/security/book/application-security-application-and-driver-control.md 
@@ -26,7 +26,7 @@ As a developer, to ensure that your users have a seamless experience with Smart Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 or later to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Smart App Control](/windows/apps/develop/smart-app-control/overview) @@ -40,7 +40,7 @@ Customers using Microsoft Intune to manage their devices are now able to configu Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac) - [Automatically allow apps deployed by a managed installer with App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer) 
@@ -58,7 +58,7 @@ Users with standard accounts, or those using administrative accounts with UAC en Some apps require more permissions and won't work properly (or at all) when running with limited permissions. When an app needs to run with more than standard user rights, UAC allows users to run apps with a *full* administrator token (with administrative groups and privileges) instead of their default user access token. Users continue to operate in the standard user security context while enabling certain executables to run with elevated privileges if needed. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [How User Account Control works](/windows/security/identity-protection/user-account-control/how-user-account-control-works) @@ -66,7 +66,7 @@ Some apps require more permissions and won't work properly (or at all) when runn The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Prior to the Windows 11 2022 Update, Windows enforced a block policy when hypervisor-protected code integrity (HVCI) was enabled to prevent vulnerable versions of drivers from running. Beginning with the Windows 11 2022 Update, the block policy is now on by default for all new Windows PCs, and users can opt in to enforce the policy from the Windows Security app. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules) 
@@ -74,7 +74,7 @@ The Windows kernel is the most privileged software and is therefore a compelling It is a Microsoft fully managed end-to-end signing solution that simplifies the signing process and empowers 3rd party developers to easily build and distribute applications. This feature is currently in public preview and is part of Microsoft's commitment to an open, inclusive, and secure ecosystem. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [What is Trusted Signing](/azure/trusted-signing/overview) - [Public Preview Blog](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/trusted-signing-is-in-public-preview/ba-p/4103457) diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index 97d0fab16c..130c35713e 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md @@ -27,7 +27,7 @@ To create a smooth user experience that aligns with nonisolated, native Win32 ap The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary AppContainer. The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Win32 app isolation][LINK-4] - [Application Capability Profiler (ACP)][LINK-5] 
@@ -40,7 +40,7 @@ In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows and app container][LINK-8] @@ -50,7 +50,7 @@ Windows Sandbox provides a lightweight desktop environment to safely run untrust Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows Sandbox][LINK-9] @@ -66,7 +66,7 @@ With Windows Subsystem for Linux (WSL) you can run a Linux environment on a Wind These features can be set up using a device management solution such as Microsoft Intune. Microsoft Defender for Endpoint (MDE) integrates with WSL, allowing it to monitor activities within a WSL distro and report them to the MDE dashboards. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Hyper-V Firewall][LINK-10] - [DNS Tunneling][LINK-11] 
@@ -78,7 +78,7 @@ These features can be set up using a device management solution such as Microsof A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks. VBS enclaves are available on Windows 10 onwards on both x64 and ARM64. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Virtualization-based security enclave][LINK-15] diff --git a/windows/security/book/cloud-services-protect-your-personal-information.md b/windows/security/book/cloud-services-protect-your-personal-information.md index ec1c687f3f..2478e86966 100644 --- a/windows/security/book/cloud-services-protect-your-personal-information.md +++ b/windows/security/book/cloud-services-protect-your-personal-information.md @@ -18,7 +18,7 @@ You can even go passwordless with your Microsoft Account by removing the passwor - Use Windows Hello to eliminate the password sign-in method for an even more secure experience - Use the Microsoft Authenticator app on your Android or iOS device -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [What is a Microsoft account?][LINK-1] - [Go passwordless with your Microsoft account][LINK-5] 
@@ -27,7 +27,7 @@ You can even go passwordless with your Microsoft Account by removing the passwor When location services and *Find my device* settings are turned on, basic system services like time zone and Find my device are allowed to use the device's location. Find my device can be used to help recover lost or stolen Windows devices, reducing the security threats that rely on physical access. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [How to set up, find, and lock a lost Windows device using a Microsoft Account][LINK-2] @@ -38,7 +38,7 @@ Microsoft OneDrive for personal[\[17\]](conclusion.md#footnote17) off - If a device is lost or stolen, users can quickly recover all their important files from the cloud - If a user is targeted by a ransomware attack, OneDrive enables recovery. With configured backups, users have more options to mitigate and recover from such attacks -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Get started with OneDrive][LINK-6] - [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware) @@ -50,7 +50,7 @@ OneDrive Personal Vault offers robust protection for the most important or sensi Once the Personal Vault is configured, users can access it using a strong authentication method or a second step of identity verification. The second steps of verification include fingerprint, face recognition, PIN, or a code sent via email or text. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Protect your OneDrive files in Personal Vault][LINK-4] 
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index 52a21d0ff0..3ba92ea277 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md @@ -37,7 +37,7 @@ In combination with Microsoft Intune, Microsoft Entra ID offers powerful securit Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Microsoft Entra ID documentation](/entra) - [Microsoft Entra plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing?rtc=1) @@ -50,7 +50,7 @@ Microsoft Entra Private Access provides organizations the ability to manage and Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Microsoft Entra Internet Access](/entra/global-secure-access/concept-internet-access) 
@@ -59,7 +59,7 @@ Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway Both Microsoft Entra Private Access and Microsoft Entra Internet Access use the *Global Secure Access client for Windows*, which secures and controls the features. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Microsoft Entra Private Access](/entra/global-secure-access/concept-private-access) - [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept](/entra/architecture/sse-deployment-guide-internet-access) @@ -69,7 +69,7 @@ Both Microsoft Entra Private Access and Microsoft Entra Internet Access use the Available to any organization with a Microsoft Entra ID Premium[\[9\]](conclusion.md#footnote9) `license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Enterprise State Roaming in Microsoft Entra ID](/entra/identity/devices/enterprise-state-roaming-enable) @@ -85,7 +85,7 @@ Remote attestation helps ensure that devices are compliant with security policie Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Azure Attestation overview](/azure/attestation/overview) 
@@ -98,7 +98,7 @@ Windows 11 built-in management features include: - The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Mobile device management overview](/windows/client-management/mdm-overview) @@ -112,7 +112,7 @@ Windows 11 supports the Remote Wipe configuration service provider (CSP) so that - Reset the device and clean the drive - Reset the device but persist user accounts and data -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Remote wipe CSP](/windows/client-management/mdm/remotewipe-csp) @@ -122,7 +122,7 @@ Every organization faces security threats. However, different organizations can A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines) 
@@ -136,7 +136,7 @@ Organizations can cut costs while securing and managing remote devices through t Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) @@ -146,7 +146,7 @@ When a device enrolls into device management, the administrator expects it to re With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates cannot be transferred from one device to another, maintaining the integrity of the enrollment process. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows enrollment attestation](/mem/intune/enrollment/windows-enrollment-attestation) @@ -154,7 +154,7 @@ With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certif Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run tasks allowed by the organization to remain productive. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Endpoint Privilege Management](/mem/intune/protect/epm-overview?formCode=MG0AV3) 
@@ -170,7 +170,7 @@ Microsoft Intune also has policies and settings to configure and manage the flow With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Data protection for Windows MAM](/mem/intune/apps/protect-mam-windows?formCode=MG0AV3) @@ -187,7 +187,7 @@ The security baseline includes policies for: The security baseline has been enhanced with over 70 new settings, enabling local user rights assignment, services management, and local security policies that were previously only available through group policy. This enhancement facilitates the adoption of cloud-based device management solutions and ensures closer adherence to industry-standard security benchmarks. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Intune security baseline overview](/mem/intune/protect/security-baselines) - [List of the settings in the Windows security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all) 
@@ -196,7 +196,7 @@ The security baseline has been enhanced with over 70 new settings, enabling loca Local Administrator Password solution was a key consideration for many customers when deciding to make the transition from on-premises to cloud-managed devices using Intune. With LAPS, organizations can automatically manage and back up the password of a local administrator account on Microsoft Entra ID joined or Microsoft Entra hybrid joined devices. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows LAPS overview](/windows-server/identity/laps/laps-overview) @@ -215,7 +215,7 @@ Windows Autopilot enables you to: Existing devices can also be quickly prepared for a new user with [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset). The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows Autopilot](https://aka.ms/WindowsAutopilot) @@ -227,7 +227,7 @@ Administrators can utilize group policy or a device management solution like Mic This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update for Business, organizations can achieve a more secure and efficient operational environment. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows Update for Business documentation](/windows/deployment/update/waas-manage-updates-wufb) 
@@ -237,7 +237,7 @@ Cybercriminals commonly exploit obsolete or unpatched software to infiltrate net There's a lot more to learn about Windows Autopatch: this [Forrester Consulting Total Economic Impact™ Study](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vlw) commissioned by Microsoft, features insights from customers who deployed Windows Autopatch and its impact on their organizations. You can also find out more information about new Autopatch features and the future of the service in the regularly published [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch) andβ€―[Windowes Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch). -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) - [Windows updates API overview](/graph/windowsupdates-concept-overview) 
@@ -257,7 +257,7 @@ There are several ways that OneDrive for work or school is protected at rest: - Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities - Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1) @@ -286,7 +286,7 @@ The Universal Print secure release platform ensures user privacy, secures organi Universal Print has integrated with Administrative Units in Microsoft Entra ID to enable customers to assign a Printer Administrator role to their local IT team in the same way customers assign User Administrator or Groups Administrator roles. The local IT team can configure only the printers that are part of the same Administrative Unit. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Universal Print](https://www.microsoft.com/microsoft-365/windows/universal-print) - [Data handling in Universal Print](/universal-print/data-handling) 
@@ -294,6 +294,6 @@ Universal Print has integrated with Administrative Units in Microsoft Entra ID t For customers who want to stay on Print Servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Print support app design guide](/windows-hardware/drivers/devapps/print-support-app-design-guide) diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md index cf844c87ee..627ad8103e 100644 --- a/windows/security/book/hardware-security-hardware-root-of-trust.md +++ b/windows/security/book/hardware-security-hardware-root-of-trust.md 
@@ -13,7 +13,7 @@ ms.date: 09/06/2024 Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built-in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications) - [Enable TPM 2.0 on your PC](https://support.microsoft.com/topic/1fd5a332-360d-4f46-a1e7-ae6b0c90645c) 
@@ -29,7 +29,7 @@ As with other TPMs, credentials, encryption keys, and other sensitive informatio Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive security firmware updates from different sources, which might make it difficult to get alerts about security updates, and keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/) - [Microsoft Pluton security processor](../hardware-security/pluton/microsoft-pluton-security-processor.md) diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md index 072b7138cb..0113d67fbb 100644 --- a/windows/security/book/hardware-security-silicon-assisted-security.md +++ b/windows/security/book/hardware-security-silicon-assisted-security.md 
@@ -29,7 +29,7 @@ implements virtual trust level 1 (VTL1), which has higher privilege than the vir Since more privileged virtual trust levels (VTLs) can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) - [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) @@ -40,7 +40,7 @@ Hypervisor-protected code integrity (HVCI), also called memory integrity, uses V With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity) 
@@ -52,7 +52,7 @@ Application code includes a program processing stack that hackers seek to corrup πŸ†• Starting in windows 11, version 24H2, **Hypervisor-enforced paging translation (HVPT)** is a security enhancement for the system. HVPT protects linear address translations from being tampered with, to protect sensitive system structures from write-what-where attacks. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815) - [Developer Guidance for hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-kernel-internals/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340) 
@@ -61,7 +61,7 @@ Application code includes a program processing stack that hackers seek to corrup Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices, including Thunderbolt, USB4, and CFexpress, enable users to connect a wide variety of external peripherals to their PCs with the same plug-and-play convenience as USB. These devices encompass graphics cards and other PCI components. Since PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that don't require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt) 
@@ -83,7 +83,7 @@ System Management Mode (SMM) isolation is an execution mode in x86-based process :::image type="content" source="images/secure-launch.png" alt-text="Diagram of secure launch components." lightbox="images/secure-launch.png" border="false"::: -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection) - [Firmware Attack Surface Reduction](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) @@ -95,6 +95,6 @@ In many organizations, IT administrators enforce policies on their corporate dev Configuration lock is a Secured-core PC feature that prevents users from making unwanted changes to security settings. With configuration lock, Windows monitors supported registry keys and reverts to the IT-desired Secured-core PC's state in seconds after detecting a drift. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Secured-core PC configuration lock](/windows/client-management/mdm/config-lock) diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md index 29e4f6e9b5..3e7f97d3b9 100644 --- a/windows/security/book/identity-protection-advanced-credential-protection.md +++ b/windows/security/book/identity-protection-advanced-credential-protection.md 
@@ -21,7 +21,7 @@ Users have the ability to manage the LSA protection state in the Windows Securit To ensures a seamless transition and enhanced security for all users, the enterprise policy for LSA protection takes precedence over enablement on upgrade. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Configuring additional LSA protection][LINK-2] @@ -40,7 +40,7 @@ By protecting the LSA process with Virtualization-based security, Credential Gua πŸ†• Starting in Windows 11, version 24H2, protections are expanded to optionally include machine account passwords for Active Directory-joined devices. Administrators can enable audit mode or enforcement of this capability using Credential Guard policy settings. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Protect derived domain credentials with Credential Guard][LINK-3] @@ -50,7 +50,7 @@ Remote Credential Guard helps organizations protect credentials over a Remote De Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured and enabled to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Remote Credential Guard][LINK-4] 
@@ -62,7 +62,7 @@ VBS key protection enables developers to secure cryptographic keys using Virtual Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies[\[9\]](conclusion.md#footnote9) can be configured to require token protection when using sign-in tokens for specific services. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Token protection in Entra ID Conditional Access][LINK-5] @@ -76,7 +76,7 @@ New devices with Windows 11 installed will have account lockout policies that ar The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The *Allow Administrator account lockout* is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Account lockout policy][LINK-6] @@ -94,7 +94,7 @@ IT administrators can refine the application and management of access to: - Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and phones - Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Access control][LINK-7] 
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md index 28522decd3..301072bd1c 100644 --- a/windows/security/book/identity-protection-passwordless-sign-in.md +++ b/windows/security/book/identity-protection-passwordless-sign-in.md @@ -25,7 +25,7 @@ PIN and biometric data stay on the device and can't be stored or accessed extern Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Configure Windows Hello][LINK-1] @@ -43,7 +43,7 @@ Windows devices that support biometric hardware, such as fingerprint or facial r If a peripheral camera is attached to the device after enrollment, it can be used for facial authentication once validated by signing in with the internal camera. For added security, external cameras can be disabled for use with Windows Hello facial recognition. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows Hello biometric requirements][LINK-4] 
@@ -57,7 +57,7 @@ Privacy is top of mind and more important than ever. Customers want to have grea Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We're also supporting developers with new APIs for presence sensing for third-party applications. Third-party applications can now access user presence information on devices with presence sensors. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Presence sensing][LINK-7] - [Manage presence sensing settings in Windows 11][LINK-8] @@ -78,7 +78,7 @@ Windows Hello for Business replaces the username and password by combining a sec Organizations with hybrid scenarios can eliminate the need for on-premises domain controllers and simplify passwordless adoption by using Windows Hello for Business cloud Kerberos trust[\[13\]](conclusion.md#footnote13). This solution uses security keys and replaces on-premises domain controllers with a cloud-based root-of-trust. As a result, organizations can take advantage of Windows Hello for Business and deploy security keys with minimal extra setup or infrastructure. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows Hello for Business overview][LINK-2] - [Enable passkeys (FIDO2) for your organization][LINK-9] @@ -89,7 +89,7 @@ The Microsoft PIN Reset Service allows users to reset their forgotten Windows He Users can initiate a PIN reset from the Windows lock screen or from the sign-in options in Settings. The process involves authenticating and completing multifactor authentication to reset the PIN. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [PIN reset][LINK-15] 
@@ -99,7 +99,7 @@ For organizations that need an extra layer of sign-in security, multi-factor unl Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Multi-factor unlock][LINK-6] @@ -111,7 +111,7 @@ IT admins can configure a policy on Microsoft Entra ID joined machines so users Users authenticate directly with Microsoft Entra ID, helping speed access to on-premises applications and other resources. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows passwordless experience][LINK-3] @@ -125,7 +125,7 @@ These specialized components protect against a class of attacks that includes bi Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in Secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Reach out to specific OEMs for support details. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows Hello Enhanced Sign-in Security][LINK-5] 
@@ -139,7 +139,7 @@ Passkeys created and saved with Windows Hello are protected by Windows Hello or πŸ”œ Coming soon in Windows 11, version 24H2, a plug-in model for 3rd party passkey providers allows users to manage their passkeys with third-party passkey managers. This model is designed to provide a seamless platform experience, whether passkeys are managed directly by Windows or by a third-party authenticator. When a third-party passkey provider is used, passkeys are protected and managed by the third-party. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Support for passkeys in Windows][LINK-10] - [Enable passkeys (FIDO2) for your organization][LINK-9] @@ -161,7 +161,7 @@ Individual users can back up their credentials to the cloud by enabling the encr Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Authentication methods in Microsoft Entra ID - Microsoft Authenticator app][LINK-11] @@ -169,7 +169,7 @@ Using this secure app for authentication and authorization enables people to be With the support of web sign-in, users can sign in without a password using the Microsoft Authenticator app or a Temporary Access Pass (TAP). Web sign in also enables federated sign in with a SAML-P identity provider. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Web sign-in for Windows][LINK-13] 
@@ -177,7 +177,7 @@ With the support of web sign-in, users can sign in without a password using the Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Configure federated sign-in for Windows devices][LINK-14] @@ -197,7 +197,7 @@ When a password is used to sign in to a domain account, Windows uses the Kerbero [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/) and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Smart Card technical reference][LINK-12] 
@@ -207,7 +207,7 @@ As malware protection and other safeguards evolve, cybercriminals look for new w We know that people are in different parts of their passwordless journey. To help on that journey for people still using passwords, Windows 11 offers powerful credential protection. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Enhanced phishing protection in Microsoft Defender SmartScreen][LINK-16] diff --git a/windows/security/book/includes/learn-more.md b/windows/security/book/includes/learn-more.md new file mode 100644 index 0000000000..a2bbcb527c --- /dev/null +++ b/windows/security/book/includes/learn-more.md @@ -0,0 +1,9 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 10/14/2024 +ms.topic: include +ms.service: windows-client +--- + +:::image type="icon" source="../images/learn-more.svg" border="false"::: **Learn more:** diff --git a/windows/security/book/index.md b/windows/security/book/index.md index dd91782164..ee13b44bad 100644 --- a/windows/security/book/index.md +++ b/windows/security/book/index.md 
@@ -51,7 +51,7 @@ In Windows 11, hardware and software work together to protect sensitive data fro :::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false"::: -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows security features licensing and edition requirements](../licensing-and-edition-requirements.md) diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md index f80957d116..1449a6ba08 100644 --- a/windows/security/book/operating-system-security-encryption-and-data-protection.md +++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md 
@@ -15,7 +15,7 @@ When people travel with their PCs, their confidential information travels with t BitLocker is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. BitLocker can save its recovery password to a Microsoft account for retrieval if needed. This happens automatically during the initial setup when BitLocker is enabled in OOE (Out of Box Experience) on modern devices and the user signs into their Microsoft account for the first time. Additionally, users have the option to export the recovery password if they have manually enabled BitLocker. Cloud storage on Microsoft OneDrive or Azure[\[9\]](conclusion.md#footnote9) can be used to save recovery key content. BitLocker can be managed by a device management solution like Microsoft Intune[\[6\]](conclusion.md#footnote6) using a configuration service provider (CSP)[\[9\]](conclusion.md#footnote9). BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md) 
@@ -23,7 +23,7 @@ BitLocker is a data protection feature that integrates with the operating system BitLocker To Go refers to BitLocker on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml) @@ -35,7 +35,7 @@ Organizations have the option to disable device encryption in favor of a full Bi πŸ†• Starting with Windows 11, version 24H2, the prerequisites of DMA and HSTI/Modern Standby is removed. This change makes more devices eligible for both automatic and manual device encryption. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption) @@ -52,7 +52,7 @@ Encrypted hard drives enable: - Ease of use: encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need to re-encrypt data on the drive - Lower cost of ownership: there's no need for new infrastructure to manage encryption keys since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md) 
@@ -64,7 +64,7 @@ The initial release of PDE in Windows 11, version 22H2, introduced a set of publ πŸ†• Starting in Windows 11, version 24H2, PDE is further enhanced with *PDE for known folders*, which extends protection to the Windows folders: Documents, Pictures, and Desktop. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Personal Data Encryption (PDE)](../operating-system-security/data-protection/personal-data-encryption/index.md) @@ -76,7 +76,7 @@ The new Outlook app included in Windows 11 supports various types of email encry When using Secure/Multipurpose Internet Mail Extensions (S/MIME), users can send encrypted messages to people within their organization and to external contacts who have the proper encryption certificates. Recipients can only read encrypted messages if they have the corresponding decryption keys. If an encrypted message is sent to recipients whose encryption certificates aren't available, Outlook asks you to remove these recipients before sending the email. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [S/MIME for message signing and encryption in Exchange Online](/exchange/security-and-compliance/smime-exo/smime-exo) - [Get started with the new Outlook for Windows](https://support.microsoft.com/topic/656bb8d9-5a60-49b2-a98b-ba7822bc7627) diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md index 3c39a07fb4..f668895067 100644 --- a/windows/security/book/operating-system-security-network-security.md +++ b/windows/security/book/operating-system-security-network-security.md 
@@ -17,7 +17,7 @@ New DNS and TLS protocol versions strengthen the end-to-end protections needed f In enterprise environments, network protection works best with Microsoft Defender for Endpoint, which provides detailed reporting on protection events as part of larger investigation scenarios. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [How to protect your network](/defender-endpoint/network-protection) 
@@ -25,7 +25,7 @@ In enterprise environments, network protection works best with Microsoft Defende Transport Layer Security (TLS) is a popular security protocol, encrypting data in transit to help provide a more secure communication channel between two endpoints. Windows enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced server security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows. This version helps to eliminate obsolete cryptographic algorithms, enhance security over older versions, and aim to encrypt as much of the TLS handshake as possible. The handshake is more performant with one less round trip per connection on average and supports only strong cipher suites which provide perfect forward secrecy and less operational risk. Using TLS 1.3 provides more privacy and lower latencies for encrypted online connections. If the client or server application on either side of the connection doesn't support TLS 1.3, the connection falls back to TLS 1.2. Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [TLS/SSL overview (Schannel SSP)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview) - [TLS 1.0 and TLS 1.1 soon to be disabled in Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/bc-p/3894928/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExMM0hCN0VURDk3OU9OfDM4OTQ5Mjh8U1VCU0NSSVBUSU9OU3xoSw#M6180) 
@@ -46,7 +46,7 @@ The number of Bluetooth devices connected to Windows 11 continues to increase. W IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune[\[9\]](conclusion.md#footnote9). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Policy CSP - Bluetooth](/windows/client-management/mdm/policy-csp-bluetooth) @@ -64,7 +64,7 @@ Opportunistic Wireless Encryption (OWE), a technology that allows wireless devic 5G networks use stronger encryption and better network segmentation compared to previous generations of cellular protocols. Unlike Wi-Fi, 5G access is always mutually authenticated. Access credentials are stored in an EAL4-certified eSIM that is physically embedded in the device, making it much harder for attackers to tamper with. Together, 5G and eSIM provide a strong foundation for security. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [eSIM configuration of a download server](/mem/intune/configuration/esim-device-configuration-download-server) 
@@ -88,7 +88,7 @@ support from the Firewall configuration service provider (CSP) and applying thes Firewal. rule configuration with Package Family Name (PFN) is a new security feature introduced with the 22H2 release of Windows 11. PFN based rules enforced on an app will include processes request by the app to run on its behalf. Currently FW rules can be set on UWP apps with packageSID. However, the processes requested by the app can have different SID and hence the rules applied to the app can be bypassed. The new PFN condition feature ensures the FW rule is uniformly applied to a package and its associated processes. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows Firewall overview](../operating-system-security/network-security/windows-firewall/index.md) @@ -106,7 +106,7 @@ With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an The Windows VPN platform is tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows VPN technical guide](../operating-system-security/network-security/vpn/vpn-guide.md) 
@@ -116,7 +116,7 @@ Server Message Block (SMB) and file services are the most common Windows workloa Windows 11 introduced significant security updates to meet today's threats, including AES-256 SMB encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11, version 24H2, adds far more security options, including required SMB signing by default, NTLM blocking, authentication rate limiting, and many others. Windows 11 24H2 is the state of the art for SMB security for organizations worldwide. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Server Message Block (SMB) protocol changes in Windows 11, version 24H2](/windows/whats-new/whats-new-windows-11-version-24h2#server-message-block-smb-protocol-changes) - [File sharing using the SMB 3 protocol](/windows-server/storage/file-server/file-server-smb-overview) diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md index 0422740fb7..ef520e16ae 100644 --- a/windows/security/book/operating-system-security-system-security.md +++ b/windows/security/book/operating-system-security-system-security.md @@ -23,7 +23,7 @@ Tampering or malware attacks on the Windows boot sequence are blocked by the sig For more information about these features and how they help prevent rootkits and bootkits from loading during the startup process, see [Secure the Windows boot process](../operating-system-security/system-security/secure-the-windows-10-boot-process.md) -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Secure Boot and Trusted Boot](../operating-system-security/system-security/trusted-boot.md) 
@@ -31,7 +31,7 @@ For more information about these features and how they help prevent rootkits and Cryptography is designed to protect user and system data. The cryptography stack in Windows 11 extends from the chip to the cloud, enabling Windows, applications, and services to protect system and user secrets. For example, data can be encrypted so that only a specific reader with a unique key can read it. As a basis for data security, cryptography helps prevent anyone except the intended recipient from reading data, performs integrity checks to ensure data is free of tampering, and authenticates identity to ensure that communication is secure. Windows 11 cryptography is certified to meet the Federal Information Processing Standard (FIPS) 140. FIPS 140 certification ensures that US government-approved algorithms are correctly implemented. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - FIPS 140 validation @@ -45,7 +45,7 @@ Windows cryptographic modules provide low-level primitives such as: Application developers can use these cryptographic modules to perform low-level cryptographic operations (Bcrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG). -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - Cryptography and certificate management 
@@ -78,7 +78,7 @@ A summary of the steps involved in attestation and Zero-Trust on a Windows devic - The TPM is verified by using the keys or cryptographic material available on the chipset with an Azure Certificate Service - The above information is sent to the Azure Attestation Service to verify that the device is in a trusted state. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Control the health of Windows devices](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) @@ -101,7 +101,7 @@ All auditing categories are disabled when Windows is first installed. Before ena 1. Test these settings to validate your choices. 1. Develop plans for deploying and managing your audit policy. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Security policy settings](/windows/security/threat-protection/security-policy-settings/security-policy-settings) - [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview) 
@@ -110,7 +110,7 @@ All auditing categories are disabled when Windows is first installed. Before ena Visibility and awareness of device security and health are key to any action taken. The Windows built-in security settings provide an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows security settings](https://support.microsoft.com/topic/2ae0363d-0ada-c064-8b56-6a39afb6a963) - [Windows Security](../operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md) @@ -125,7 +125,7 @@ Config Refresh allows settings in the Policy configuration service provider (CSP Config Refresh can also be paused for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a device for troubleshooting purposes. It can also be resumed at any time by an administrator. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Config Refresh](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/intro-to-config-refresh-a-refreshingly-new-mdm-feature/ba-p/4176921#:~:text=With%20Config%20Refresh,%20you%20can%20now) 
@@ -133,7 +133,7 @@ Config Refresh can also be paused for a configurable period of time, after which With Assigned Access and Shell Launcher, you can configure Windows to restrict functionality to pre-selected applications. These features are ideal for public-facing or shared devices like kiosks. Configuring a device as a kiosk is straightforward and can be done locally on the device or through a cloud-based device management solution like Microsoft Intune. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access) @@ -149,7 +149,7 @@ The benefits of Windows protected print mode include: Windows protected print mode is designed to work with Mopria certified printers only. Many existing printers are already compatible. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows protected print mode](/windows-hardware/drivers/print/modern-print-platform) - [New, modern, and secure print experience from Windows](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645) \ No newline at end of file diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md index 1d90990ad2..d3ab5c24bc 100644 --- a/windows/security/book/operating-system-security-virus-and-threat-protection.md +++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md 
@@ -57,7 +57,7 @@ With tamper protection, malware is prevented from taking actions such as: - Altering exclusions - Disabling notifications in the Windows Security app -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) @@ -71,7 +71,7 @@ Microsoft Defender Antivirus always-on protection is integrated with cloud-deliv :::image type="content" source="images/defender-antivirus.png" alt-text="Diagram of the Microsoft Defender Antivirus components." border="false"::: -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Next-generation protection with Microsoft Defender Antivirus](/defender-endpoint/microsoft-defender-antivirus-windows). @@ -88,7 +88,7 @@ For example, an attacker might try to run an unsigned script from a USB drive or For Microsoft Edge and reducing the attack surface across applications, folders, device, network, and firewall. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Attack surface reduction](/defender-endpoint/overview-attack-surface-reduction) @@ -100,7 +100,7 @@ Controlled folder access works with a list of trusted apps. Apps that are includ Controlled folder access helps protect user's valuable data from malicious apps and threats such as ransomware. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Controlled folder access](/defender-endpoint/controlled-folders) 
@@ -120,7 +120,7 @@ detailed investigation outcomes Defender for Endpoint is also part of Microsoft Defender XDR, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint) - [Microsoft 365 Defender](/defender-xdr/microsoft-365-defender) @@ -135,6 +135,6 @@ You can use audit mode to evaluate how exploit protection would impact your orga Windows 11 provides configuration options for exploit protection. You can prevent users from modifying these specific options with device management solutions like Microsoft Intune or group policy. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Protecting devices from exploits](/defender-endpoint/enable-exploit-protection) \ No newline at end of file diff --git a/windows/security/book/privacy-controls.md b/windows/security/book/privacy-controls.md index 14402be817..7470a96e32 100644 --- a/windows/security/book/privacy-controls.md +++ b/windows/security/book/privacy-controls.md 
@@ -11,7 +11,7 @@ ms.date: 09/06/2024 Customers can use the Microsoft Privacy dashboard to view, export, and delete their information, giving them further transparency and control. They can also use the Microsoft Privacy Report to learn more about Windows data collection and how to manage it. For organizations, we provide a guide for Windows Privacy Compliance that includes more details on the available controls and transparency. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Microsoft Privacy dashboard](https://account.microsoft.com/privacy) - [Microsoft Privacy Report](https://privacy.microsoft.com/privacy-report) @@ -30,6 +30,6 @@ This information helps you determine if an app is behaving as expected so that y The Windows diagnostic data processor configuration enables the user to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that meet the configuration requirements. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration) diff --git a/windows/security/book/privacy.md b/windows/security/book/privacy.md index dc882701eb..0af16ddbe6 100644 --- a/windows/security/book/privacy.md +++ b/windows/security/book/privacy.md 
@@ -13,6 +13,6 @@ ms.date: 09/06/2024 Privacy is becoming top of mind for organizations that want to know who is using their data and why. They also need to know how to control and manage the data that is being collected - so providing transparency and control over this personal data is essential. At Microsoft, we're focused on protecting the privacy and confidentiality of your data and only use it in a way that is consistent with your expectations. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Privacy: Your data, powering your experiences, controlled by you](https://privacy.microsoft.com/) diff --git a/windows/security/book/security-foundation-certification.md b/windows/security/book/security-foundation-certification.md index f06010daa4..4c859d0654 100644 --- a/windows/security/book/security-foundation-certification.md +++ b/windows/security/book/security-foundation-certification.md @@ -15,7 +15,7 @@ Microsoft is committed to supporting product security standards and certificatio The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that specifies the minimum security requirements for cryptographic modules in IT products. Microsoft is dedicated to adhering to the FIPS 140 standard, consistently validating its cryptographic modules against FIPS 140-2 since the standard's inception. Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows FIPS 140 validation][LINK-1] 
@@ -25,7 +25,7 @@ Common Criteria (CC) is an international standard currently maintained by nation Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Common Criteria certifications][LINK-2] diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md index e7d378fca7..49c46c78f9 100644 --- a/windows/security/book/security-foundation-offensive-research.md +++ b/windows/security/book/security-foundation-offensive-research.md @@ -19,7 +19,7 @@ To maintain accountability and keep our customers, partners, and the security co :::image type="content" source="images/sfi.png" alt-text="Diagram of the SFI initiative." lightbox="images/sfi.png" border="false"::: -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Microsoft Secure Future Initiative][LINK-6] - [September 2024 progress update on SFI][LINK-5] @@ -36,7 +36,7 @@ A range of tools and techniques - such as threat modeling, static analysis, fuzz Microsoft Offensive Research and Security Engineering (MORSE) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [MORSE security team takes proactive approach to finding bugs][LINK-1] - [MORSE Blog][LINK-2] 
@@ -49,7 +49,7 @@ The goal of the Windows Insider Preview bounty program is to uncover significant Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities and quickly fix the issues before releasing our final Windows. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows Insider Program][LINK-3] - [Microsoft bounty programs][LINK-4] diff --git a/windows/security/book/security-foundation-secure-supply-chain.md b/windows/security/book/security-foundation-secure-supply-chain.md index a17dd1b896..23af3ef2cf 100644 --- a/windows/security/book/security-foundation-secure-supply-chain.md +++ b/windows/security/book/security-foundation-secure-supply-chain.md @@ -63,7 +63,7 @@ Traditionally, the task of code signing posed challenges due to the complex step Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows App SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system. -:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** +[!INCLUDE [learn-more](includes/learn-more.md)] - [Windows application development - best practices](/windows/apps/get-started/best-practices) - [Windows App SDK samples on GitHub](https://github.com/microsoft/WindowsAppSDK-Samples) \ No newline at end of file
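Review bot: In the @@ -78,7 hunk of operating-system-security-system-security.md, and identically in every other hunk here, the replacement line `[!INCLUDE [learn-more](includes/learn-more.md)]` points at a file one directory below the including page, but the contents of includes/learn-more.md are not shown in these hunks. Relative paths inside an included file are resolved against the include file's own location, so the icon reference that was removed, `source="images/learn-more.svg"`, would need to become `../images/learn-more.svg` inside the include; please confirm the new file carries that adjusted path and the bold `**Learn more:**` text, otherwise all nineteen pages render a broken icon rather than an unchanged one.

Review bot: The @@ -149,7 hunk of operating-system-security-system-security.md, the @@ -135,6 hunk of operating-system-security-virus-and-threat-protection.md and the @@ -63,7 hunk of security-foundation-secure-supply-chain.md each end on a context line followed by `\ No newline at end of file`. The missing terminator is pre-existing, but since this change already touches the trailing region of those three files, adding the final newline in the same commit would avoid a follow-up whitespace-only diff.

Review bot: In the @@ -71,7 hunk of operating-system-security-virus-and-threat-protection.md the unchanged context line `- [Next-generation protection with Microsoft Defender Antivirus](/defender-endpoint/microsoft-defender-antivirus-windows).` ends with a period, unlike every other "Learn more" bullet in this patch. A drive-by removal of that trailing period would keep the lists consistent now that their heading is shared through the include.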