From d888429241bfd85b08898332844a7f31a962429b Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Mon, 20 May 2019 16:45:54 -0500 Subject: [PATCH] Added hardware requirements --- .../level-3-enterprise-VIP-security.md | 16 ++++++++++++++++ .../level-4-enterprise-high-security.md | 13 +++++++++++++ .../level-5-enterprise-security.md | 9 +++++++++ 3 files changed, 38 insertions(+) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md index 9c8c264402..aa601ee685 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-VIP-security.md 
@@ -23,6 +23,22 @@ ms.date: 04/05/2018 Level 3 is the security configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here. A level 3 configuration should include all the configurations from level 5 and level 4 and add the following security policies, controls, and organizational behaviors. +## Hardware + +Devices targeting Level 3 should support the following hardware features: + +- [System Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) +- [Modern Standby](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/modern-standby) +- [Discrete TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations) +- [Virtualization and HVCI Enabled](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) +- [Drivers and Apps HVCI-Ready](https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard) +- [Windows Hello](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) +- [DMA I/O Protection](https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) +- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm) +- [Bitlocker Drive Encryption](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker) +- [UEFI Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot) +- Drivers and 
Firmware Distributed through Windows Update + ## Policies The policies enforced in level 3 implement strict security configuration and controls. They can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations. Microsoft recommends disciplined testing and deployment using [the rings methodology](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md index 2986d0f69e..71fca35817 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-4-enterprise-high-security.md 
@@ -23,6 +23,19 @@ ms.date: 04/05/2018 Level 4 is the security configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. While targeting high levels of security, these recommendations do not assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations. A level 4 configuration should include all the configurations from level 5 and add the following security policies, controls, and organizational behaviors. +## Hardware + +Devices targeting Level 4 should support the following hardware features: + +- [Virtualization and HVCI Enabled](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) +- [Drivers and Apps HVCI-Ready](https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard) +- [Windows Hello](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) +- [DMA I/O Protection](https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) +- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm) +- [Bitlocker Drive Encryption](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker) +- [UEFI Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot) +- Drivers and Firmware Distributed through Windows Update + ## Policies The policies enforced in level 4 implement more controls and a more sophisticated security diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md index 5b7819551f..9ad4a168a4 100644 
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-5-enterprise-security.md @@ -23,6 +23,15 @@ ms.date: 04/05/2018 Level 5 is the minimum security configuration for an enterprise device. Microsoft recommends the following configuration for level 5 devices. +## Hardware + +Devices targeting Level 5 should support the following hardware features: + +- [Trusted Platform Module (TPM) 2.0](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm) +- [Bitlocker Drive Encryption](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker) +- [UEFI Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot) +- Drivers and Firmware Distributed through Windows Update + ## Policies The policies in level 5 enforce a reasonable security level while minimizing the impact to users or to applications.
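Review bot: In the level-3-enterprise-VIP-security.md hunk, the new Hardware list carries both "Discrete TPM" and "Trusted Platform Module (TPM) 2.0" as separate bullets, which reads as two requirements when the intent is presumably one device-level requirement (a discrete TPM 2.0); consider merging them into a single bullet such as "Discrete Trusted Platform Module (TPM) 2.0" with both links, so readers do not interpret a firmware TPM 2.0 as satisfying Level 3. The bullet "Drivers and Firmware Distributed through Windows Update" is the only item without a link, and "Bitlocker" should be spelled "BitLocker" to match Microsoft product naming used elsewhere in the docs set.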
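Review bot: In the level-4-enterprise-high-security.md hunk, the lead-in "Devices targeting Level 4 should support" uses a capital "Level" while the surrounding paragraph writes "level 4" in lowercase; pick one casing for the page. As in the level 3 hunk, "Bitlocker" should be "BitLocker", and the final bullet "Drivers and Firmware Distributed through Windows Update" has no link while every other item does; either add a reference or note in the bullet that it is a servicing practice rather than a hardware feature, since the heading promises hardware features.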
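Review bot: In the level-5-enterprise-security.md hunk, the four items added here are repeated verbatim in the level 4 and level 3 hunks even though those pages already state that they include all configurations from level 5; the duplication is acceptable for standalone reading, but a one-line note on each higher-level page that the list is cumulative would prevent the three lists drifting apart in future edits. The same two consistency points apply as in the other hunks: "Bitlocker" should be "BitLocker", and the unlinked last bullet should either get a link or be worded as a servicing requirement, and "Level 5" should match the lowercase "level 5" used in the paragraph immediately above the added section.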