When Windows 11 was announced in late June 2021, many were excited about its improved user interface and countless PC enthusiasts were rushing to download the Windows Insider Developer Channel build of the new operating system.
However, as they quickly discovered, the new operating system has some new PC requirements in order to support new hardware-based and virtualization-based security features. These features are important for protecting both consumer and business workloads from the more sophisticated malware and exploit threats that are evolving today.
In fact, if you’re running the 20H2 release (Windows 10 October 2020 update), all of these features are already built into Windows 10. Whether you are a consumer, a small business, or an enterprise, you can take advantage of them by deploying Group Policy or by clicking into the Windows 10 Device Security menu and turning them on. You don’t have to wait for Windows 11 to be released or buy a new PC.
Function 1: TPM 2.0 and secure boot
The Trusted Platform Module (TPM) is a technology designed to provide hardware-based, security-related cryptographic functions. If you have a PC manufactured within the last 5 years, your motherboard may have a TPM chip that supports version 2.0. You can check by opening Device Manager and expanding Security devices. If “Trusted Platform Module 2.0” is displayed, there is no problem.
In the Windows 10 (and Windows 11) Device Security settings menu, this is displayed as “Security Processor”.
So what does the TPM actually do? It is used to generate and store system-specific encryption keys, including an RSA encryption key that is unique to the system’s TPM itself. TPMs have traditionally been used with smart cards and VPNs, but they are also used to support the secure boot process. The TPM measures the integrity of the OS boot code, including the firmware and individual operating system components, to ensure that they have not been compromised.
There is nothing you need to do to make it work. It works unless disabled in UEFI. Organizations can choose to deploy Secure Boot to Windows 10 through Group Policy or an enterprise MDM-based solution such as Microsoft Endpoint Manager.
Most manufacturers ship their PCs with the TPM turned on, but some have disabled it, so if it doesn’t appear in Device Manager or appears as disabled, launch the UEFI firmware settings to check.
If the TPM on your system has not been prepared for use, simply invoke the utility by running tpm.msc from the command line.
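The same checks can be scripted instead of read from Device Manager. The following is an added example, not part of the original article; it assumes an elevated PowerShell prompt, and the function name Get-BootTrustStatus is hypothetical.

```powershell
# Added example: read the TPM and Secure Boot state that Device Manager and
# Device Security show in the GUI. Run from an elevated PowerShell prompt.
function Get-BootTrustStatus {   # hypothetical helper name
    $result = [ordered]@{
        TpmPresent     = $false
        TpmEnabled     = $false
        TpmReady       = $false
        TpmSpecVersion = $null
        SecureBoot     = 'Unknown'
    }

    # Get-Tpm reports whether a TPM exists and has been prepared for use.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmEnabled = $tpm.TpmEnabled
        $result.TpmReady   = $tpm.TpmReady
    } catch {
        Write-Warning "Get-Tpm failed (is the prompt elevated?): $($_.Exception.Message)"
    }

    # Win32_Tpm exposes the specification version as a comma-separated string;
    # the first field is the major version the article asks for ("2.0").
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmiTpm) {
        $result.TpmSpecVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()
    }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # on legacy BIOS boot (or when not elevated), so handle those separately.
    try {
        $result.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch [System.PlatformNotSupportedException] {
        $result.SecureBoot = 'Not supported (legacy BIOS boot)'
    } catch {
        $result.SecureBoot = "Unknown: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

$status = Get-BootTrustStatus
$status | Format-List
if (-not $status.TpmPresent) {
    Write-Output 'No TPM visible to Windows: check the UEFI firmware settings.'
} elseif (-not $status.TpmReady) {
    Write-Output 'TPM present but not prepared for use: run tpm.msc.'
}
```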
Function 2: Virtualization-based security (VBS) and HVCI
While TPM 2.0 has been common on many PCs for six years, the feature that really makes the security rubber meet the road on Windows 10 and Windows 11 is HVCI, or hypervisor-protected code integrity. It is also known as memory integrity or core isolation, which is how it appears in the Windows Device Security menu.
It is required on Windows 11, but must be turned on manually on Windows 10. Just click Core isolation details and toggle memory integrity on. It can take up to a minute for the system to turn it on, as all Windows memory pages must be checked before the system can enable it.
This feature is only available on 64-bit CPUs with hardware-based virtualization extensions such as Intel’s VT-X and AMD-V. Although these extensions were initially implemented on server-class chips back in 2005, they have been present on almost every desktop system since at least 2015, or Intel Generation 6 (Skylake). However, you also need Second Level Address Translation (SLAT), which is present in Intel’s VT-X2 with extended page tables (EPT) and AMD’s Rapid Virtualization Indexing (RVI).
There is an additional HVCI requirement that all I/O devices capable of direct memory access (DMA) be placed behind an I/O memory management unit (IOMMU). These are implemented on processors that support Intel VT-D or AMD-Vi instructions.
It sounds like a long list of requirements, but the important thing is that if Device Security says these features are present on your system, it’s okay.
But isn’t virtualization primarily used to increase the workload density of data center servers, or by software developers to isolate test setups on their desktops and to run foreign operating systems such as Linux? Yes. However, virtualization and containerization/sandboxing are increasingly being used in modern operating systems, including Windows, to provide an additional layer of security.
In Windows 10 and Windows 11, VBS (Virtualization-Based Security) uses Microsoft’s Hyper-V to create a secure memory area and isolate it from the OS. This protected area is used to run several security solutions that can guard against legacy vulnerabilities in the operating system (such as those in application code that has not been updated) and thwart exploits that attempt to disable those protections.
HVCI uses VBS to strengthen code integrity enforcement: it checks all kernel-mode drivers and binaries before they start and prevents unsigned drivers and system files from being loaded into system memory. These limits protect important OS resources and security assets such as user credentials. Therefore, even if malware gains access to the kernel, the hypervisor can prevent it from executing code or accessing secrets, limiting the scope of the exploit and containing it.
VBS performs similar functions for application code. It checks apps before they load and launches them only if they come from an approved code signer. This is done by assigning permissions to all pages of system memory. All of this runs in a secure area of memory and provides stronger protection against kernel viruses and malware.
Think of VBS as Windows’ new code enforcement officer: a Robocop for your kernel and apps that lives in a protected memory box enabled by your virtualization-capable CPU.
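The hardware requirements and the VBS/HVCI status described in this section can also be read from PowerShell rather than the Device Security menu. The following is an added example, not part of the original article; the helper names ConvertTo-DgName and Get-VbsReport are hypothetical, and the value-to-name tables follow Microsoft's documentation for the Win32_DeviceGuard WMI class.

```powershell
# Added example: decode the Win32_DeviceGuard WMI class to see which VBS
# hardware requirements are met and whether HVCI (memory integrity) is running.
$hardwareProps = @{
    1 = 'Hypervisor support'          # CPU virtualization extensions
    2 = 'Secure Boot'
    3 = 'DMA protection'              # IOMMU in front of DMA-capable devices
    4 = 'Secure memory overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode-based execution control'
    8 = 'APIC virtualization'
}
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)'
                3 = 'System Guard Secure Launch'; 4 = 'SMM firmware measurement' }
$vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

# Map numeric codes to names; 0 means "none", unknown codes are kept visible.
function ConvertTo-DgName($values, $map) {
    foreach ($v in $values) {
        if ([int]$v -eq 0) { continue }
        if ($map.ContainsKey([int]$v)) { $map[[int]$v] } else { "Unknown ($v)" }
    }
}

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    [pscustomobject]@{
        VbsStatus          = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        HardwareAvailable  = @(ConvertTo-DgName $dg.AvailableSecurityProperties $hardwareProps)
        HardwareRequired   = @(ConvertTo-DgName $dg.RequiredSecurityProperties  $hardwareProps)
        ServicesConfigured = @(ConvertTo-DgName $dg.SecurityServicesConfigured  $services)
        ServicesRunning    = @(ConvertTo-DgName $dg.SecurityServicesRunning     $services)
        HvciRunning        = $dg.SecurityServicesRunning -contains 2
        # The two HVCI prerequisites this class reports directly:
        # virtualization extensions and DMA devices behind an IOMMU.
        MeetsHvciHardware  = ($dg.AvailableSecurityProperties -contains 1) -and
                             ($dg.AvailableSecurityProperties -contains 3)
    }
}

$report = Get-VbsReport
$report | Format-List
if ($report.MeetsHvciHardware -and -not $report.HvciRunning) {
    Write-Output 'Hardware is capable, but memory integrity is not running: turn it on under Core isolation details.'
}
```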
Function 3: Microsoft Defender Application Guard (MDAG)
One particular feature that many Windows users are unfamiliar with is Microsoft Defender Application Guard (MDAG).
This is another virtualization-based technology (also known as the “Krypton” Hyper-V container). When combined with the latest Microsoft Edge (and current versions of Chrome and Firefox with extensions), it creates an isolated memory instance of your browser, preventing untrusted websites from endangering your system and enterprise data.
If the browser is compromised by a script or malware attack, the Hyper-V container, which runs separately from the host operating system, keeps the attack isolated from critical system processes and enterprise data.
MDAG is combined with the network isolation settings configured for your environment to define private network boundaries, as set by your company’s Group Policy.
In addition to protecting your browser sessions, MDAG can also be used with Microsoft 365 and Office to prevent Word, PowerPoint, and Excel files from accessing trusted resources such as corporate credentials and data. This feature was released for Microsoft 365 E5 customers in August 2020 as part of the public preview.
MDAG, which is part of the Windows 10 Professional, Enterprise, and Educational SKUs, is enabled through the Windows 10 Features menu or with a simple PowerShell command. You don’t need to turn on Hyper-V.
MDAG is primarily targeted at enterprises, but end users and small businesses can turn MDAG on using a simple script that sets Group Policy objects. This excellent video and accompanying article published on URTech.Ca detail the process.
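The PowerShell route mentioned above looks like this. It is an added example, not taken from the original article or from the URTech.Ca script; it covers only the optional Windows feature (not the Group Policy settings), assumes an elevated prompt, and the function name Enable-AppGuardFeature is hypothetical.

```powershell
# Added example: check and enable the Application Guard optional feature.
# Run elevated. -NoRestart leaves the reboot decision to the operator.
$featureName = 'Windows-Defender-ApplicationGuard'

function Enable-AppGuardFeature {   # hypothetical helper name
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName `
                                          -ErrorAction SilentlyContinue
    if (-not $feature) {
        # The feature is not offered on this installation, for example an
        # edition outside the Professional/Enterprise/Educational SKUs.
        return [pscustomobject]@{ State = 'NotAvailable'; RestartNeeded = $false }
    }
    if ("$($feature.State)" -eq 'Enabled') {
        return [pscustomobject]@{ State = 'Enabled'; RestartNeeded = $false }
    }

    $r = Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart
    # Re-query so the reported state is what Windows now records.
    $after = Get-WindowsOptionalFeature -Online -FeatureName $featureName
    [pscustomobject]@{
        State         = "$($after.State)"
        RestartNeeded = [bool]$r.RestartNeeded
    }
}

Enable-AppGuardFeature | Format-List
```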
Windows 11 has a high degree of hardware security. Here’s how to get it in Windows 10 today