Built with Zero Trust principles at the core to safeguard data and access anywhere, keeping you protected and productive.
Introduction
The acceleration of digital transformation and the expansion of remote and hybrid workplaces bring new opportunities to organizations, communities, and individuals. As a result, work styles have changed, and employees now need simple, intuitive user experiences to collaborate and stay productive wherever work happens. However, the expansion of access and the ability to work from anywhere have also introduced new threats and risks. According to the latest data from the Security Signals report commissioned by Microsoft, 75% of security decision makers at the vice president level and above believe that the move to hybrid work makes their organization more vulnerable to security threats.
Microsoft is working hard to empower every person and every organization on the planet to achieve more. We are committed to helping our customers stay secure and confident. With more than $1 billion invested in security every year, more than 3,500 dedicated security professionals, and approximately 1.3 billion Windows 10 devices in use worldwide, we have deep insight into the threats our customers face.
Customers need modern security solutions that deliver end-to-end protection anywhere. Windows 11 is built on Zero Trust principles for the new era of hybrid work. Zero Trust is a security model based on the premise that no user or device is granted access until its safety and integrity are proven. Windows 11 raises the security baseline with new requirements built into both hardware and software for advanced protection from chip to cloud. With Windows 11, customers can enable hybrid productivity and new experiences without compromising security.
About 80% of security decision makers say that software alone is not enough to protect against emerging threats.
In Windows 11, hardware and software work together to protect from the CPU to the cloud. See the layers of protection in this simple diagram, and read a brief overview of our security priorities below.
How Windows 11 enables Zero Trust protection
There are three Zero Trust principles. First, verify explicitly: always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies. Second, use least-privilege access: limit user access with just-in-time and just-enough access, risk-based adaptive policies, and data protection to help secure both data and productivity. Finally, assume breach: operate in a way that minimizes the blast radius and segments access, verify end-to-end encryption, and use analytics to gain visibility and improve threat detection and defenses.
For Windows 11, the Zero Trust principle of verification applies explicitly to the risks introduced by both devices and users. Windows 11 provides chip-to-cloud security, giving IT administrators the attestation and measurements to determine whether a device meets requirements and can be trusted. Windows 11 also works out of the box with Microsoft Intune and Azure Active Directory, so access decisions and enforcement are seamless. In addition, IT administrators can easily customize Windows 11 to meet specific user and policy requirements for access, privacy, compliance, and more.
Individual users also benefit from powerful protections, including new standards for hardware-based security and passwordless protection. Everyone can now replace potentially risky passwords by providing secure proof of identity with the Microsoft Authenticator app, signing in with face or fingerprint, or using a security key or a verification code sent to a phone or email.
Windows 11 security priorities overview
Security by default
Almost 90% of the security decision makers surveyed say that outdated hardware leaves their organization more open to attack, and that more modern hardware would help protect against future threats.
Building on the innovations of Windows 10, we have worked with manufacturer and silicon partners to deliver additional hardware security capabilities that meet the evolving threat landscape and enable more hybrid work and learning. The new set of hardware security requirements in Windows 11 is designed to build a foundation that is even stronger and more resilient to attacks.
Enhanced hardware and operating system security
With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional security barriers, separated from the operating system. As a result, information including encryption keys and user credentials is protected against unauthorized access and tampering. In Windows 11, hardware and software work together to protect the operating system, with virtualization-based security (VBS) and Secure Boot built in and enabled by default on new CPUs, so that even if bad actors get in, they cannot get far. VBS uses hardware virtualization features to create and isolate a secure region of memory from the operating system. This isolated environment hosts multiple security solutions, protecting against vulnerabilities in the operating system and preventing malicious exploits. Windows 11 also supports Zero Trust through device health attestation via cloud services.
Robust application security and privacy controls
To help keep personal and business information protected and private, Windows 11 has multiple layers of application security that safeguard critical data and code integrity. Application isolation and controls, code integrity, privacy controls, and least-privilege principles enable developers to build in security and privacy from the ground up. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need.
In Windows 11, Microsoft Defender Application Guard uses Hyper-V virtualization technology to isolate untrusted websites and Microsoft Office files in containers, separate from and unable to access the host operating system and enterprise data. To protect privacy, Windows 11 also provides more controls over which apps and features can collect and use data such as device location, or access resources such as the camera and microphone.
Secured identities
Passwords have been an important part of digital security for years, yet they are inconvenient to use and a prime target for cybercriminals. That changes with the passwordless protection available in Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their apps and cloud services.
Individual users can remove the password from their Microsoft account and use the Microsoft Authenticator app, Windows Hello, a FIDO2 security key, a smart card, or a verification code sent to their phone or email. IT administrators and consumers can set up Windows 11 devices as passwordless by default, taking advantage of technologies such as Windows Hello that align with the Fast Identity Online (FIDO) standard. Windows 11 protects credentials with chip-level hardware security, including TPM 2.0 combined with VBS and Microsoft Credential Guard.
Connecting to cloud services
Windows 11 security extends Zero Trust all the way to the cloud, using policies, controls, procedures, and technologies that work together to protect devices, data, applications, and identities from anywhere. Microsoft offers comprehensive cloud services for identity, storage, and access management, in addition to the tools to attest that any Windows device connecting to your network is trustworthy. You can also enforce compliance and conditional access with a modern device management (MDM) service such as Microsoft Intune, which works with Azure Active Directory to control access to applications and data through the cloud.
Hardware security
Modern threats require modern security, with strong alignment between hardware security and software security techniques to keep users, data, and devices protected. The operating system alone cannot protect against the wide range of tools and techniques cybercriminals use to compromise a computer. Once inside, intruders can be difficult to detect while engaging in a variety of malicious activities, from stealing important data or credentials to implanting malware in low-level device firmware, where it becomes difficult to identify and remove. These new threats call for computing hardware that is secure down to the very core, including the hardware chips and processors that store sensitive business information. By building security capabilities into hardware, we can remove entire classes of vulnerabilities that previously existed only in software. This also delivers significant performance gains compared with implementing the same security capabilities in software, increasing the overall security of the system without measurably affecting system performance.
With Windows 11, Microsoft has raised the bar for hardware security to design the most secure version of Windows ever. We carefully chose the hardware requirements and default security features based on threat intelligence and input from leading experts around the world, including the DoD, the NSA, and the UK's NCSC, as well as our own Microsoft Security team. We worked with our chip and device manufacturing partners to integrate advanced security capabilities across software, firmware, and hardware, creating a tight integration that protects from chip to cloud.
With a powerful combination of a hardware root-of-trust and silicon-assisted security, Windows 11 delivers built-in hardware protection out of the box.
Hardware root-of-trust
A hardware root-of-trust helps protect and maintain the integrity of the system as the hardware powers on, loads firmware, and then launches the operating system. A hardware root-of-trust meets two important security goals for the system. It securely measures the firmware and operating system code that boots the system, so that malware cannot infect the boot code and hide its presence. The hardware root-of-trust also provides a highly secure area, isolated from the operating system and applications, for storing cryptographic keys, data, and code. This protection safeguards critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and BitLocker volume encryption keys.
Trusted Platform Module (TPM)
A TPM is designed to provide hardware-based, security-related functions and to help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and many other Windows features rely on the TPM for key generation, secure storage, encryption, boot integrity measurements, attestation, and numerous other capabilities. These capabilities in turn help customers strengthen the protection of their identities and data.
Version 2.0 of the TPM specification includes key improvements such as cryptographic algorithm flexibility, which enables stronger cryptographic algorithms and lets customers use alternative algorithms of their choice. Starting with Windows 10, Microsoft's hardware certification has required all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. This requirement strengthens the security posture across all Windows 11 devices and helps ensure that they can benefit from future security capabilities that depend on a hardware root-of-trust.
Learn more about the Windows 11 TPM specifications and about enabling TPM 2.0 on your PC.
Pluton security processor
The Microsoft Pluton security processor provides security at the chip. Pluton is a hardware root-of-trust designed by Microsoft in partnership with our silicon partners to provide the robustness and flexibility that modern PCs need to address the evolving threat landscape. The Pluton design embeds the hardware root-of-trust directly on the same silicon substrate as the CPU. This important design principle eliminates a common weakness that arises when the root-of-trust is located on a separate, discrete chip on the motherboard: the root-of-trust chip itself may be very secure, but the communication path between the discrete root-of-trust and the CPU is a weak link that can be exploited by physical attacks.
Pluton supports the TPM 2.0 industry standard, so customers can immediately benefit from enhanced security for Windows features that rely on the TPM, including BitLocker, Windows Hello, and Windows Defender System Guard. In addition to being a TPM 2.0, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows additional Pluton firmware and OS features to be delivered over time via Windows Update.
As with other TPMs, credentials, encryption keys, and other sensitive information cannot be extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution cannot access key material. Pluton also includes the unique Secure Hardware Cryptography Key (SHACK) technology. SHACK helps ensure that keys are never exposed outside the protected hardware, even to the Pluton firmware itself, providing an unprecedented level of security for Windows customers.
Pluton also solves the major security challenge of keeping system firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources that can be difficult to manage, resulting in widespread update issues. Pluton provides a flexible, updateable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefitting from over a decade of operational experience reliably delivering updates across over a billion endpoint systems.
The Microsoft Pluton security processor will ship with select new Windows PCs starting in 2022.
Silicon-assisted security
In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest CPUs that harden the operating system against threats, such as protecting the boot process, safeguarding the integrity of memory, isolating security-sensitive compute logic, and more.
Secured kernel
Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses the CPU’s hardware virtualization instructions to create a secure region of memory isolated from the normal operating system. Windows uses this isolated VBS environment to protect security-sensitive operating system functions such as the secure kernel and security assets such as authenticated user credentials. Even if malware gains access to the main OS kernel, VBS greatly limits and contains exploits because the hypervisor and virtualization hardware help prevent the malware from executing code or accessing platform secrets within the VBS secure environment.
Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code such as drivers. The role of KMCI is to check that all kernel code is properly signed and hasn’t been tampered with before it is allowed to run.
HVCI ensures that only validated code can be executed in kernel-mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
All Windows 11 devices will support HVCI and most new devices will come with VBS and HVCI protection turned on by default.
Windows 11 Secured-core PCs
The March 2021 Security Signals report shows that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows.
Secured-core PCs strengthen protection against advanced threats such as kernel attacks from ransomware. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup, with a hardware-enforced root of trust, stopping infections in their tracks. Virtualization-based security comes enabled by default. And with built-in hypervisor-protected code integrity that protects system memory, Secured-core PCs ensure that all operating system code is trustworthy, and executables are signed by known and approved authorities only.
Benefits of a Secured-core Windows 11 PC include:
- Powerful security capabilities integrated across software, hardware, firmware, and identity protection
- Deep integration between Microsoft, device manufacturers, and chip manufacturers to deliver powerful security capabilities that help prevent infections across software, firmware, and hardware
- Security features across the stack are enabled by default by device manufacturers helping ensure customers are secure from the start
Memory protection in Secured-core PCs
PCIe hotplug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hotplug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hotplug devices by preventing these external peripherals from directly copying memory while the user has locked their PC.
Drive-by DMA attacks typically happen quickly while the system owner isn’t present. The attacks are performed with simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs in a USB-like device and walks away with all the secrets on the machine or injects malware that gives the attacker full remote control over the PC, including the ability to bypass the lock screen.
Note: Memory access protection does not protect against DMA attacks via older ports such as 1394/FireWire, PCMCIA, CardBus, or ExpressCard. Learn how to check if your PC supports Kernel DMA Protection and about the Kernel DMA Protection requirements.
Firmware protection in Secured-core PCs
Secured-core PCs defend at the firmware level with multiple layers of protection enabled, helping ensure that devices launch safely in a hardware-controlled state.
Sophisticated malware attacks may commonly attempt to install “bootkits” or “rootkits” on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded, or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows leverage virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard. The secure boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a non-repudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
With thousands of PC vendors producing numerous PC models with diverse UEFI firmware components, there is an incredibly large number of SRTM signatures and measurements at bootup that are inherently trusted by Secure Boot, making it more challenging to constrain trust on any particular device to only what is needed to boot that device. Two techniques exist to constrain trust: either maintain a list of known “bad” SRTM measurements, also called a block list, which suffers from the drawback of being inherently brittle; or maintain a list of known “good” SRTM measurements, or an allow list, which is difficult to keep up to date at scale.
In Secured-core PCs, Windows Defender System Guard Secure Launch addresses these issues with a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM lets the system follow the normal UEFI Secure Boot process initially, but before Windows is launched the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit or bootkit bypassed UEFI Secure Boot and was resident in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. System Management Mode (SMM) isolation complements the protections provided by DRTM by helping to reduce the attack surface from SMM, which is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. Relying on capabilities provided by silicon providers such as Intel and AMD, SMM isolation enforces policies with restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy in effect on a system can also be reliably provided to a remote attestation service.
Operating System Security
Hardware-based protection is only one link in the chain of chip-to-cloud security. Security and privacy also depend on an OS that guards your information and PC from the moment it starts.
Windows 11 is the most secure Windows yet with extensive security measures in the OS designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving viruses and threats. Windows 11 enhances built-in hardware protection with OS security out-of-the-box to help keep your plan, identity, and information safe.
System security
Trusted Boot (UEFI Secure Boot + Measured Boot)
The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel’s Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered with.
Trusted Boot takes over where Secure Boot leaves off. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files have been tampered with, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
For more information about these features and how they help prevent rootkits and boot kits from loading during the startup process, see Secure the Windows boot process.
Windows 11 requires all PCs to use Unified Extensible Firmware Interface (UEFI)’s Secure Boot feature.
Cryptography
Cryptography is a mathematical process that protects user and system data, for example by encrypting data so that only a specific recipient can read it, using a key possessed only by that recipient. Cryptography is a basis for privacy, preventing anyone except the intended recipient from reading data; it provides integrity checks to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud, enabling Windows, applications, and services to protect system and user secrets.
Cryptography on Windows 11 is subject to Federal Information Processing Standards (FIPS) 140 certification. FIPS 140 certification ensures that US government approved algorithms are correctly implemented (which includes RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources.
Windows cryptographic modules provide low-level primitives such as:
- Random number generators (RNG)
- Support for AES 128/256 with XTS, ECB, CBC, CFB, CCM, GCM modes of operation; RSA and DSA 2048, 3072, and 4096 key sizes; ECDSA over curves P-256, P-384, P-521
- Hashing (support for SHA1, SHA-256, SHA-384, and SHA-512)
- Signing and verification (padding support for OAEP, PSS, PKCS1)
- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521 and HKDF)
These are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft’s open-source cryptographic library SymCrypt. Application developers can leverage these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
Certificates
Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents, which conform to the X.509v3 formatting standard, used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) weekly. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates is stored in the CTL and can be updated by the Microsoft Third-Party Root Program. Roots in the Microsoft Third-Party Root Program are governed through annual audits to ensure compliance with industry standards. For certificate revocation, a certificate is added as an untrusted certificate to the disallowed CTL that is downloaded daily causing the untrusted certificate to be revoked globally across user devices immediately.
Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application’s server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Microsoft Edge or Internet Explorer.
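The pinning check described above, worked through as an added example that is not code from the Windows 11 Security Book or from Windows itself. It is a simplified model of the behaviour: pins are SHA-256 fingerprints of DER-encoded certificates that may appear anywhere in the presented chain, a rule covers one domain either alone or with all its subdomains, the more specific rule wins, and a mismatch both blocks access and produces an event record; the certificate bytes and host names are constructed placeholders.

```python
# Added example (not Windows code): a simplified model of enterprise certificate
# pinning. Assumptions: pins are SHA-256 fingerprints of DER certificates and any
# certificate in the presented chain may satisfy them; a rule covers one domain,
# optionally with all subdomains; the "certificates" below are constructed bytes.
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Set


@dataclass(frozen=True)
class PinRule:
    domain: str            # internal name the rule protects, e.g. "hr.contoso.com"
    all_subdomains: bool   # also protect "*.hr.contoso.com"
    pinned: Set[str]       # hex SHA-256 fingerprints allowed anywhere in the chain


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def rule_covers(rule: PinRule, host: str) -> bool:
    host, dom = host.lower().rstrip("."), rule.domain.lower()
    return host == dom or (rule.all_subdomains and host.endswith("." + dom))


def most_specific_rule(rules: Sequence[PinRule], host: str) -> Optional[PinRule]:
    """Longest matching domain wins, so a host-specific rule overrides a broad one."""
    matching = [r for r in rules if rule_covers(r, host)]
    return max(matching, key=lambda r: len(r.domain), default=None)


def check_server_chain(host: str, chain_der: Sequence[bytes],
                       rules: Sequence[PinRule]) -> Dict[str, object]:
    """Decide whether the browser may proceed and what to write to the event log.
    Hosts without a rule are unaffected: pinning only restricts your own names."""
    rule = most_specific_rule(rules, host)
    presented = [fingerprint(c) for c in chain_der]
    if rule is None:
        return {"host": host, "pinned": False, "allow": True, "event": None}
    allow = any(fp in rule.pinned for fp in presented)
    event = None if allow else {
        "id": "PinMismatch", "host": host, "rule": rule.domain,
        "presented_chain": presented,  # lets the SOC see which CA issued the cert
    }
    return {"host": host, "pinned": True, "allow": allow, "event": event}


# Constructed sample certificates (placeholders for DER blobs, not real X.509).
CONTOSO_ROOT = b"CN=Contoso Enterprise Root CA (constructed)"
CONTOSO_ISSUING = b"CN=Contoso Issuing CA 01 (constructed)"
PUBLIC_ROOT = b"CN=Some Public Root CA (constructed)"
UNEXPECTED_ROOT = b"CN=CA not in the pin set (constructed)"

RULES = [
    PinRule("contoso.com", True, {fingerprint(CONTOSO_ROOT)}),
    # Narrower rule: the HR portal must chain through the issuing CA specifically.
    PinRule("hr.contoso.com", False, {fingerprint(CONTOSO_ISSUING)}),
]


def run_demo() -> Dict[str, Dict[str, object]]:
    def leaf(cn: str) -> bytes:
        return f"CN={cn} (constructed)".encode()

    return {
        # intranet host with the expected enterprise chain: allowed
        "intranet_ok": check_server_chain("wiki.contoso.com",
            [leaf("wiki.contoso.com"), CONTOSO_ISSUING, CONTOSO_ROOT], RULES),
        # same name, but the chain ends in a CA the rule does not pin: blocked + event
        "intranet_unexpected_ca": check_server_chain("wiki.contoso.com",
            [leaf("wiki.contoso.com"), UNEXPECTED_ROOT], RULES),
        # HR portal chains to the root only; the specific rule wants the issuing CA
        "hr_wrong_path": check_server_chain("hr.contoso.com",
            [leaf("hr.contoso.com"), CONTOSO_ROOT], RULES),
        # a public site is outside every rule, so pinning does not interfere
        "public_site": check_server_chain("www.example.com",
            [leaf("www.example.com"), PUBLIC_ROOT], RULES),
    }


if __name__ == "__main__":
    for name, r in run_demo().items():
        ev = r["event"]["id"] if r["event"] else "-"
        print(f"{name:24s} allow={r['allow']!s:5s} event={ev}")
```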
Code signing and integrity
Code signing, while not a security feature by itself, is integral to establishing the integrity of firmware, drivers, and software across the Windows platform. Code signing creates a digital signature by encrypting the hash of the file with the private key portion of a code signing certificate and embedding the signature into the file. This helps ensure that the file hasn’t been tampered with: the Windows code integrity process verifies the signed file by decrypting the signature to check the integrity of the file and confirm that it comes from a reputable publisher.
All software written and published by Microsoft is code-signed to establish that Windows and Microsoft code has integrity, authenticity, and a positive reputation. Code signing is how Windows can differentiate its own code from external creators and prevents tampering when code is delivered to user devices.
The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user-mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Options ROMs, and other boot components, to ensure that it is trusted and from reputable publishers. For drivers not produced by Microsoft, external Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the Windows Hardware Compatibility Program (WHCP). This program tests externally produced drivers for hardware and Windows compatibility and ensures that they are malware-free. Lastly, user-mode code, applications, Appx/MSIX packaged apps, Windows OS component updates, driver install packages, and their signatures, are evaluated by WinVerifyTrust which relies on the Crypto API. These signatures are verified by confirming they are in the Microsoft Third-Party Root Program CTL, and thus trusted and not revoked by the certificate authority.
Device health attestation
Device health attestation and conditional access are used to grant access to corporate resources. This helps reinforce a Zero Trust paradigm that moves enterprise defenses from the static, network-based perimeters to focus on users, assets, and resources.
Conditional access evaluates identity signals to confirm that users are who they say they are before they are granted access to corporate resources. Windows 11 supports remote attestation to help confirm that devices are in a good state and have not been tampered with. This helps users access corporate resources whether they’re in the office, at home, or when they’re traveling.
Information about the firmware, boot process, and software, which is cryptographically stored in the security co-processor (TPM), is used to validate the security state of the device. Attestation provides assurance of trust as it can verify the identity and status of essential components and that the device, firmware, and boot process have not been altered. This capability helps organizations to manage access with confidence. Once the device is attested it can be granted access to resources.
Device health attestation determines:
- If the device can be trusted. This is determined with the help of a secure root-of-trust, or TPM. Devices can attest that the TPM is enabled and in the attestation flow.
- If the OS booted correctly. Many security risks can emerge during the boot process as this can be the most privileged component of the whole system.
- If the OS has the right set of security features enabled.
Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and was not tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured and Trusted boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM that functions as a hardware root of trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system’s boot, allowing relying parties to bind trust to the device and its security. As an example, Microsoft Intune integrates with Microsoft Azure Attestation to review Windows device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
A summary of the steps involved in attestation and Zero Trust on the Windows device are as follows:
- During each step of the boot process, such as a file load, an update of special variables, and more, information such as file hashes and signatures is measured into the TPM Platform Configuration Registers (PCRs). The measurements are bound by a Trusted Computing Group specification that dictates what events can be recorded and the format of each event.
- Once Windows has booted, the attestor (or verifier) requests the TPM to get the measurements stored in its PCRs alongside the measured boot log. Together these form the attestation evidence that’s sent to the Microsoft Azure Attestation Service.
- The TPM is verified by using the keys/cryptographic material available on the chipset with an Azure Certificate Service.
- The above information is sent to the Azure Attestation service to verify that the device is safe.
Microsoft Intune integrates with Microsoft Azure Attestation to review Windows device health comprehensively and connect this information with AAD conditional access – see Microsoft Azure Attestation Service section. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
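The attestation steps above, together with the SRTM measurement and allow-list discussion in the firmware protection section, worked through as an added example that is not code from the Windows 11 Security Book, Windows, or Azure Attestation. It models the verifier's side: a simplified event log is replayed into PCR values, compared with the values the TPM quotes, and only then judged against a boot-binary allow list and a required-feature check. Assumed, not taken from the page: a SHA-256 PCR bank, the PCR assignment 0 = firmware, 4 = boot manager, 7 = Secure Boot policy, 12 = OS configuration (the TCG PC Client convention), and constructed sample bytes in place of real boot binaries.

```python
# Added example: verifier-side replay of a measured-boot event log against TPM PCRs.
# Simplified model (assumptions): SHA-256 PCR bank; PCR 0 = firmware, 4 = boot
# manager, 7 = Secure Boot policy, 12 = OS configuration (TCG PC Client convention).
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR is all-zero at power-on
FIRMWARE_PCR, BOOTLOADER_PCR, SECUREBOOT_PCR, OS_CONFIG_PCR = 0, 4, 7, 12
BOOT_APP = "EV_EFI_BOOT_SERVICES_APPLICATION"  # event type for boot binaries


@dataclass(frozen=True)
class BootEvent:
    pcr: int          # PCR this event extended
    event_type: str   # TCG-style label, used here only to select events
    data: bytes       # what was measured: a binary image, a variable, a flag


def measure(data: bytes) -> bytes:
    """Digest of the measured object; this is what gets folded into the PCR."""
    return hashlib.sha256(data).digest()


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new = H(old || digest). A PCR can only be extended, never
    written, so its final value binds the whole ordered sequence of events."""
    return hashlib.sha256(pcr_value + digest).digest()


def replay_log(events: Iterable[BootEvent]) -> Dict[int, bytes]:
    """Recompute what each PCR must hold if the log is a faithful record."""
    pcrs: Dict[int, bytes] = {}
    for ev in events:
        pcrs[ev.pcr] = extend(pcrs.get(ev.pcr, PCR_INIT), measure(ev.data))
    return pcrs


def verify_attestation(log: List[BootEvent], quoted_pcrs: Dict[int, bytes],
                       allowed_bootloaders: Set[bytes],
                       required_config: Set[bytes]) -> Dict[str, bool]:
    """Health decision. quoted_pcrs stands in for the TPM-signed quote, which
    software on the device cannot forge; the log is plain data and is believed
    only once it replays to exactly the quoted values."""
    replayed = replay_log(log)
    boot_apps = [e for e in log if e.pcr == BOOTLOADER_PCR and e.event_type == BOOT_APP]
    findings = {
        "log_matches_quote": all(replayed.get(i, PCR_INIT) == v
                                 for i, v in quoted_pcrs.items()),
        "secure_boot_on": any(e.pcr == SECUREBOOT_PCR and e.data == b"SecureBoot=1"
                              for e in log),
        # Allow-list approach: every measured boot binary must be a known-good one.
        "bootloader_allowed": bool(boot_apps) and all(
            measure(e.data) in allowed_bootloaders for e in boot_apps),
        "config_present": required_config <= {
            e.data for e in log if e.pcr == OS_CONFIG_PCR},
    }
    # No other finding means anything unless the log agrees with the quote.
    findings["healthy"] = all(findings.values())
    return findings


# Constructed sample data: the byte strings stand in for real images and values.
GOOD_BOOTMGR = b"bootmgfw.efi (constructed sample, clean)"
PATCHED_BOOTMGR = b"bootmgfw.efi (constructed sample, bootkit-patched)"
ALLOWED_BOOTLOADERS = {measure(GOOD_BOOTMGR)}
REQUIRED_CONFIG = {b"VBS=1", b"HVCI=1"}


def make_log(bootmgr: bytes, hvci_on: bool = True) -> List[BootEvent]:
    log = [
        BootEvent(FIRMWARE_PCR, "EV_S_CRTM_VERSION", b"OEM UEFI 1.4 (constructed)"),
        BootEvent(SECUREBOOT_PCR, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=1"),
        BootEvent(BOOTLOADER_PCR, BOOT_APP, bootmgr),
        BootEvent(OS_CONFIG_PCR, "EV_EVENT_TAG", b"VBS=1"),
    ]
    if hvci_on:
        log.append(BootEvent(OS_CONFIG_PCR, "EV_EVENT_TAG", b"HVCI=1"))
    return log


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Three devices as the verifier sees them: presented log plus quoted PCRs."""
    good_log = make_log(GOOD_BOOTMGR)
    # 1. Clean boot: the presented log replays exactly to the quoted PCRs.
    clean = verify_attestation(good_log, replay_log(good_log),
                               ALLOWED_BOOTLOADERS, REQUIRED_CONFIG)
    # 2. Bootkit: the TPM measured the patched boot manager, but the malware
    #    rewrote the software-visible log to show the clean one. PCR 4 no longer
    #    replays, so the cover-up is caught although the log itself looks fine.
    hidden = verify_attestation(good_log, replay_log(make_log(PATCHED_BOOTMGR)),
                                ALLOWED_BOOTLOADERS, REQUIRED_CONFIG)
    # 3. Honest but weak: log and quote agree, HVCI is simply off. Conditional
    #    access should still deny because a required protection is not running.
    weak_log = make_log(GOOD_BOOTMGR, hvci_on=False)
    weak = verify_attestation(weak_log, replay_log(weak_log),
                              ALLOWED_BOOTLOADERS, REQUIRED_CONFIG)
    return {"clean": clean, "hidden_bootkit": hidden, "hvci_off": weak}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15s} healthy={result['healthy']}  {result}")
```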
Windows security policy settings and auditing
Security policy settings are a critical part of your overall security strategy. Windows provides a robust set of security setting policies that IT administrators can use to help protect Windows devices and other resources in your organization. Security settings policies are rules that you can configure on a device, or multiple devices, to control:
- User authentication to a network or device.
- Resources that users are permitted to access.
- Whether to record a user’s or group’s actions in the event log.
- Membership in a group.
Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against targets that you consider high value. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization.
All auditing categories are disabled when Windows is first installed. Before enabling them, follow these steps to create an effective security auditing policy:
- Identify your most critical resources and activities.
- Identify the audit settings you need to track them.
- Assess the advantages and potential costs associated with each resource or setting.
- Test these settings to validate your choices.
- Develop plans for deploying and managing your audit policy.
Windows security app
Visibility and awareness of device security and health is key to any action taken. The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
Learn more about the Windows security app.
Encryption and data protection
When people travel with their PCs, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
BitLocker
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses the AES algorithm in XTS or CBC mode of operation with a 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution, such as Microsoft Intune, using a configuration service provider (CSP).
BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. Windows consistently improves data protection by improving existing options and providing new strategies.
Encrypted hard drive
Encrypted Hard Drive uses the rapid encryption provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity.
Encrypted hard drives provide:
- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
- Strong security based in hardware: Encryption is always “on” and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using the on-board encryption key; there is no need to re-encrypt data on the drive.
- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption.
Email encryption
Email encryption (also referred to as Windows S/MIME) enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with. A user can send these encrypted messages to people within their organization as well as to external contacts, provided their encryption certificates are available. However, recipients using the Windows 10 Mail app can only read encrypted messages if the message is received on their Exchange account and they have the corresponding decryption keys.
Encrypted messages can be read only by recipients who have a certificate. If an encrypted message is sent to recipients whose encryption certificates are not available, the app will prompt you to remove these recipients before sending the email.
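The two preconditions in this passage, a signing/decryption certificate with a private key for the sender and a public encryption certificate for each recipient, can be checked from the Windows certificate stores before a message is composed. The following is an added example, not code from the Security Book; the recipient address is a constructed value, and the store names are the standard Windows ones (the "Other People" store is exposed as Cert:\CurrentUser\AddressBook).

```powershell
# Added example (not from the Windows 11 Security Book).
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection EKU
$EmailNameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName

function Get-SmimeCertificate {
    # The user's own certificates: e-mail protection EKU, in validity, private key present
    # (needed to sign outgoing mail and decrypt incoming mail).
    Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $SecureEmailOid)
    } | Select-Object Subject, NotAfter, Thumbprint,
        @{ n = 'Email'; e = { $_.GetNameInfo($EmailNameType, $false) } }
}

function Test-RecipientEncryptionCertificate {
    # A mail client can only encrypt to a recipient whose public certificate it holds;
    # Windows keeps those in the 'Other People' store.
    param([Parameter(Mandatory)][string]$Email)
    $match = Get-ChildItem -Path 'Cert:\CurrentUser\AddressBook' | Where-Object {
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $SecureEmailOid) -and
        ($_.GetNameInfo($EmailNameType, $false) -ieq $Email)
    }
    [pscustomobject]@{
        Recipient  = $Email
        CanEncrypt = [bool]$match
        Thumbprint = $match.Thumbprint
        Expires    = $match.NotAfter
    }
}

# Usage (address is constructed):
# Get-SmimeCertificate
# Test-RecipientEncryptionCertificate -Email 'alice@corp.example'
```

A recipient whose certificate is present but expired fails the check on purpose: the Mail app would still refuse to encrypt to it, and an expired certificate is the most common reason the "remove these recipients" prompt appears in practice.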
Learn more about configuring S/MIME for Windows.
Network security
Windows 11 raises the bar for networking security by bringing a wide array of improvements, helping people work, learn, and play from almost anywhere with confidence. New DNS and TLS protocol versions strengthen the end-to-end protections needed for applications, web services, and Zero Trust networking. File access adds an untrusted network scenario with SMB over QUIC as well as new encryption and signing capabilities. Wi-Fi and Bluetooth advancements provide greater trust in connections to other devices. The VPN and Windows Defender Firewall platforms bring new ways to configure easily and debug quickly, ensuring IT administrators and third-party software are more effective.
Transport layer security (TLS)
Transport Layer Security (TLS) is the internet’s most deployed security protocol, encrypting data to provide a secure communication channel between two endpoints. Windows prefers the latest protocol versions and strong cipher suites by default and offers a full suite of extension applications such as client authentication for enhanced server security, or session resumption for improved application performance.
TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible. The handshake is more performant with one fewer round trip per connection on average and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. Customers using TLS 1.3 (or Windows components that support it, including HTTP.SYS, WinInet, .NET, MsQUIC, and more) on Windows 11 will get more privacy and lower latencies for their encrypted online connections. Note that if the client or server application on either side of the connection does not support TLS 1.3, Windows will fall back to TLS 1.2.
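Two things from this paragraph are worth verifying on a given machine: which cipher suites Schannel will actually offer, and whether a connection to a particular peer ends up on TLS 1.3 or falls back to 1.2. The PowerShell below is an added example, not code from the Security Book; it assumes PowerShell 7 on Windows 11 (so that SslProtocols.Tls13 and Get-TlsCipherSuite are available), and the host name is an assumption.

```powershell
# Added example (not from the Windows 11 Security Book).
function Get-TlsSuiteSummary {
    # Schannel's ordered suite list. Protocol codes: 0x0304 = TLS 1.3, 0x0303 = TLS 1.2.
    $suites = Get-TlsCipherSuite
    $tls13  = $suites | Where-Object { $_.Protocols -contains 0x0304 }
    $weak   = $suites | Where-Object { $_.Name -match 'RC4|NULL|3DES|MD5|EXPORT|DES_CBC' }
    [pscustomobject]@{
        Total       = $suites.Count
        Tls13       = @($tls13.Name)     # the AES-GCM / ChaCha20 1.3 suites Windows ships
        WeakStillOn = @($weak.Name)      # should be empty on a hardened image
    }
}

function Test-TlsNegotiation {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        # Offer 1.3 and 1.2 only. Schannel negotiates the highest version the peer
        # supports, which is exactly the fall-back-to-1.2 behaviour described above.
        $offer = [System.Security.Authentication.SslProtocols]::Tls13 -bor `
                 [System.Security.Authentication.SslProtocols]::Tls12
        $ssl.AuthenticateAsClient($HostName, $null, $offer, $true)   # $true = check revocation
        [pscustomobject]@{
            Host       = $HostName
            Protocol   = $ssl.SslProtocol        # Tls13 or Tls12
            Cipher     = $ssl.CipherAlgorithm
            KeyBits    = $ssl.CipherStrength
            Hash       = $ssl.HashAlgorithm
            Downgraded = ($ssl.SslProtocol -ne [System.Security.Authentication.SslProtocols]::Tls13)
        }
    } finally { $tcp.Dispose() }
}

# Usage (host name is an assumption):
# Get-TlsSuiteSummary
# Test-TlsNegotiation -HostName 'www.example.com'
```

A non-empty WeakStillOn list is fixed with Disable-TlsCipherSuite; Downgraded = True against your own servers is the signal to look at the server side rather than the client, since Windows 11 already prefers 1.3.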
DNS security
In Windows 11, the Windows DNS client supports DNS over HTTPS, an encrypted DNS protocol. This allows administrators to ensure their devices protect their name queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required.
Windows 11 provides Group Policy as well as programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security models to adopt new security models such as Zero Trust. The DNS over HTTPS protocol can be mandated, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use DNS over HTTPS.
Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT), the system HOSTS file, as well as resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms.
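The "mandated" mode described above, where a device must not fall back to plaintext DNS, maps onto the per-resolver DoH settings the DNS client exposes. The PowerShell below is an added example (not code from the Security Book): it registers a DoH template for a resolver, points an adapter at it with UDP fallback disabled, and then reports, for every configured resolver, whether queries to it are encrypted. The resolver address, its template URL and the interface alias are assumptions.

```powershell
# Added example (not from the Windows 11 Security Book). Run elevated.
function Set-RequiredDoH {
    param(
        [string]$InterfaceAlias = 'Ethernet',                           # assumption
        [string]$ServerAddress  = '10.0.0.53',                          # constructed internal resolver
        [string]$DohTemplate    = 'https://dns.corp.example/dns-query'  # constructed template
    )
    # Windows only upgrades queries to DoH for a resolver it has a template for.
    # AllowFallbackToUdp:$false is what turns "prefer DoH" into "require DoH".
    if (-not (Get-DnsClientDohServerAddress -ServerAddress $ServerAddress -ErrorAction SilentlyContinue)) {
        Add-DnsClientDohServerAddress -ServerAddress $ServerAddress -DohTemplate $DohTemplate `
            -AllowFallbackToUdp $false -AutoUpgrade $true | Out-Null
    }
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $ServerAddress
    Get-DnsClientDohServerAddress -ServerAddress $ServerAddress
}

function Get-DnsEncryptionReport {
    # Cross the adapters' resolver lists with the DoH table: anything without a
    # template is still answered over plaintext port 53.
    $doh = Get-DnsClientDohServerAddress
    foreach ($if in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($srv in $if.ServerAddresses) {
            $entry = $doh | Where-Object ServerAddress -eq $srv
            [pscustomobject]@{
                Interface = $if.InterfaceAlias
                Resolver  = $srv
                DoH       = [bool]$entry
                Template  = $entry.DohTemplate
                Fallback  = if ($entry) { $entry.AllowFallbackToUdp } else { 'n/a (plaintext)' }
            }
        }
    }
}

# Usage:
# Set-RequiredDoH
# Get-DnsEncryptionReport | Format-Table -AutoSize
```

The report is the useful half for an inventory: a resolver handed out by DHCP on a coffee-shop network will show DoH = False, which is the Zero Trust case the text is describing. NRPT rules (Get-DnsClientNrptRule) are evaluated independently of this table and still win for the namespaces they cover.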
Bluetooth protection
The number of Bluetooth devices connected to Windows continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure Connections, Secure Simple Pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) Standard Vulnerability Reports, as well as with issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that you also keep the firmware and/or software of your Bluetooth accessories up to date.
IT-managed environments have a number of Bluetooth policies (MDM, Group Policy, and PowerShell) that can be managed through MDM tools such as Microsoft Intune. You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
Securing Wi-Fi connections
Windows Wi-Fi supports industry standardized authentication and encryption methods when connecting to Wi-Fi networks. WPA (Wi-Fi Protected Access) is a security standard developed by the Wi-Fi Alliance to provide sophisticated data encryption and better user authentication. The current security standard for Wi-Fi Authentication is WPA3 which provides a more secure and reliable connection method and replaces WPA2 and the older security protocols. Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots.
WPA3 is supported in Windows 11 (WPA3 Personal and WPA3 Enterprise 192-bit Suite B) as well as OWE implementation for more security while connecting to Wi-Fi hotspots.
Windows 11 enhances Wi-Fi security by enabling additional elements of WPA3 security, such as the new H2E (Hash-to-Element) protocol and WPA3 Enterprise support, which includes enhanced server certificate validation and TLS 1.3 for authentication using EAP-TLS. Windows 11 provides Microsoft partners the ability to bring the best platform security on new devices.
WPA3 is now a mandatory requirement by WFA for any Wi-Fi Certification.
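Whether a given connection actually landed on WPA3, on WPA2, or on something older is visible in the output of netsh wlan show interfaces. The PowerShell below is an added example, not code from the Security Book: it parses that output into objects and rates each connected interface. The sample text is constructed to match the layout netsh prints, so the function can be exercised without a wireless adapter.

```powershell
# Added example (not from the Windows 11 Security Book).
# Constructed sample in the layout of 'netsh wlan show interfaces'.
$SampleNetsh = @'
There is 1 interface on the system:

    Name                   : Wi-Fi
    Description            : Example Wi-Fi 6 adapter
    State                  : connected
    SSID                   : CorpNet
    Network type           : Infrastructure
    Radio type             : 802.11ax
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Connection mode        : Auto Connect
'@

function ConvertFrom-NetshWlanInterfaces {
    # Turns the 'key : value' block per interface into one object per interface.
    param([Parameter(Mandatory)][string[]]$Text)
    $ifaces = @(); $cur = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(?<k>[^:]+?)\s*:\s*(?<v>.*)$') {
            $k = $Matches.k.Trim(); $v = $Matches.v.Trim()
            if ($k -eq 'Name') { $cur = [ordered]@{}; $ifaces += $cur }   # new interface block
            if ($cur) { $cur[$k] = $v }   # values such as BSSID may themselves contain ':'
        }
    }
    $ifaces | ForEach-Object { [pscustomobject]$_ }
}

function Get-WlanSecurityAssessment {
    param([string[]]$Text = (& netsh.exe wlan show interfaces))   # live query by default
    foreach ($i in ConvertFrom-NetshWlanInterfaces -Text $Text) {
        if ($i.State -ne 'connected') { continue }
        $auth = "$($i.Authentication)"; $cipher = "$($i.Cipher)"
        $rating = switch -Regex ($auth) {
            '^WPA3'        { 'good' }
            '^WPA2'        { 'acceptable (WPA2; move to WPA3 where the AP supports it)' }
            '^(WPA-|Open)' { 'weak' }
            default        { 'unknown' }
        }
        if ($cipher -match 'TKIP|WEP') { $rating = 'weak (legacy cipher)' }
        [pscustomobject]@{
            Interface      = $i.Name
            SSID           = $i.SSID
            Authentication = $auth
            Cipher         = $cipher
            Rating         = $rating
        }
    }
}

# Get-WlanSecurityAssessment -Text $SampleNetsh   # CorpNet, WPA2-Personal, CCMP -> acceptable
# Get-WlanSecurityAssessment                      # current adapters
```

Run against a fleet, the live variant gives a quick count of how many endpoints are still associating over WPA2 or, worse, TKIP, which is the data you need before making WPA3 Enterprise mandatory on the access points.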
Windows defender firewall
Windows Defender Firewall with Advanced Security is an important part of a layered security model. It provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected.
Windows Defender Firewall in Windows 11 offers the following benefits:
- Reduces the risk of network security threats: Windows Defender Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
- Safeguards sensitive data and intellectual property: With its integration with Internet Protocol Security (IPsec), Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce the integrity of the data, and optionally helping to protect the confidentiality of the data.
- Extends the value of existing investments: Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
Windows 11 makes the Windows Defender Firewall easier to analyze and debug. IPsec behavior has been integrated with Packet Monitor (pktmon), an in-box cross-component network diagnostic tool for Windows. Additionally, the Windows Defender Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
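The properties the bullets above mention (IP address, port, program path) and the logging the last paragraph mentions come together in the firewall cmdlets and the firewall log. The PowerShell below is an added example, not code from the Security Book: it sets a deny-by-default inbound posture with logging on all three profiles, adds one program-path rule, and summarises DROP entries from the log. The rule and the log lines are constructed for illustration; the log format is the W3C layout Windows writes to pfirewall.log.

```powershell
# Added example (not from the Windows 11 Security Book). Run elevated.
function Set-FirewallBaseline {
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogMaxSizeKilobytes 16384 `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
    # Program-path rule (assumption for illustration): a script host that has no
    # reason to reach the network from this device.
    if (-not (Get-NetFirewallRule -DisplayName 'Block wscript outbound' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block wscript outbound' -Direction Outbound `
            -Program '%SystemRoot%\System32\wscript.exe' -Action Block -Profile Any | Out-Null
    }
}

# Constructed lines in the W3C format of pfirewall.log
$SampleFirewallLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-10-05 09:14:02 DROP TCP 203.0.113.7 10.0.0.25 51234 445 52 S 0 0 0 - - - RECEIVE
2021-10-05 09:14:03 DROP TCP 203.0.113.7 10.0.0.25 51235 3389 52 S 0 0 0 - - - RECEIVE
2021-10-05 09:14:05 DROP TCP 203.0.113.7 10.0.0.25 51236 445 52 S 0 0 0 - - - RECEIVE
2021-10-05 09:15:10 DROP UDP 10.0.0.77 10.0.0.25 50000 161 78 - - - - - - - RECEIVE
2021-10-05 09:16:00 ALLOW TCP 10.0.0.25 10.0.0.5 49811 443 0 - 0 0 0 - - - SEND
'@

function ConvertFrom-FirewallLog {
    # Uses the '#Fields:' header so a changed column order does not break parsing.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($l in ($Lines -split "`r?`n")) {
        if ($l -like '#Fields:*') { $fields = ($l -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($l -like '#*' -or -not $l.Trim() -or -not $fields) { continue }
        $vals = $l -split '\s+'
        $o = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $vals.Count; $i++) { $o[$fields[$i]] = $vals[$i] }
        [pscustomobject]$o
    }
}

function Get-InboundDropSummary {
    param([string[]]$Lines = (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"))
    ConvertFrom-FirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip', 'dst-port' |
        ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Group[0].'src-ip'
                DstPort  = $_.Group[0].'dst-port'
                Protocol = $_.Group[0].protocol
                Drops    = $_.Count
            }
        } | Sort-Object Drops -Descending
}

# Get-InboundDropSummary -Lines $SampleFirewallLog
#   -> 203.0.113.7 to 445 (2), 203.0.113.7 to 3389 (1), 10.0.0.77 to 161 (1)
```

The per-filter attribution the paragraph describes is also available from the Security log: with the "Filtering Platform Connection" audit subcategory enabled, each blocked connection is logged as event 5157 carrying a Filter Run-Time ID, and netsh wfp show filters maps that ID back to the responsible filter.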
Virtual private networks (VPN)
Organizations have long relied on Windows to provide reliable, secured, and manageable virtual private network (VPN) solutions. The Windows VPN client platform includes built-in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11 we’ve integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and with one click can go to the modern Settings app for more control.
The Windows VPN platform connects to Azure Active Directory (Azure AD) and Conditional Access for single sign-on, including multi-factor authentication (MFA) through Azure AD. The VPN platform also supports classic domain-joined authentication. It’s supported by Microsoft Intune and other mobile device management (MDM) providers. The flexible VPN profile supports both built-in protocols and custom protocols, can configure multiple authentication methods, can be automatically started as needed or manually started by the end-user, and supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins.
The Windows VPN platform has been tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Azure AD authentication, Windows user interface integration, plumbing of IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience; user authentication is more consistent, and users can easily find and control their VPN.
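The profile capabilities listed above (built-in protocol, authentication method, split tunnelling, IPsec parameters) are all settable with the in-box VpnClient cmdlets. The PowerShell below is an added example, not code from the Security Book: it creates an IKEv2 connection that authenticates with a machine certificate, routes only corporate prefixes through the tunnel, pins the IPsec proposal to AES-GCM-256 with SHA-384 and ECP-384, and reports the resulting profile. The server name, prefixes and the certificate-based authentication choice are assumptions.

```powershell
# Added example (not from the Windows 11 Security Book).
function Add-CorpVpn {
    param(
        [string]$Name         = 'Corp VPN',                       # assumption
        [string]$Server       = 'vpn.corp.example',               # constructed
        [string[]]$CorpPrefix = @('10.0.0.0/8', '172.16.0.0/12')  # constructed
    )
    # IKEv2, machine-certificate auth, encryption mandatory, split tunnel
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
        -SplitTunneling -Force

    # Split tunnel only sends what is routed into it: add the corporate prefixes
    foreach ($p in $CorpPrefix) {
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $p
    }

    # Pin the IPsec proposal rather than accepting whatever the gateway offers first
    Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
        -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 `
        -DHGroup ECP384 -PfsGroup ECP384 -Force

    Get-VpnConnection -Name $Name
}

function Get-VpnPostureReport {
    # One row per profile on the device: is it encrypted, split, and currently up?
    foreach ($c in Get-VpnConnection) {
        [pscustomobject]@{
            Name        = $c.Name
            Server      = $c.ServerAddress
            Tunnel      = $c.TunnelType
            Auth        = ($c.AuthenticationMethod -join ',')
            Encryption  = $c.EncryptionLevel
            SplitTunnel = $c.SplitTunneling
            Status      = $c.ConnectionStatus
            Weak        = ($c.TunnelType -eq 'Pptp' -or $c.EncryptionLevel -in 'NoEncryption', 'Optional')
        }
    }
}

# Usage:
# Add-CorpVpn
# rasdial 'Corp VPN'          # connect; machine-certificate auth needs no credentials
# Get-VpnPostureReport | Format-Table -AutoSize
```

The "exclusive VPN with exceptions for trusted external sites" case mentioned above is the inverse configuration (force tunnel plus exclusion routes) and is expressed through a ProfileXML deployed by Intune or another MDM rather than through these cmdlets.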
SMB file services
SMB and file services are the most common Windows workload in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations large and small. In Windows 11, the SMB protocol has significant security updates to meet today’s threats, including AES-256 encryption, accelerated SMB signing, Remote Direct Memory Access (RDMA) network encryption, and an entirely new scenario, SMB over QUIC for untrusted networks.
SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping on internal networks. Windows 11 introduces the AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows will automatically negotiate this more advanced cipher method when connecting to another computer that requires it, and it can also be mandated on clients.
Windows 11 Enterprise, Education, and Pro for Workstations SMB Direct now supports encryption. For demanding workloads like video rendering, data science, or huge files, you can now operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Data is now encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy.
Windows 11 introduces AES-128-GMAC for SMB signing. Windows will automatically negotiate this better-performing cipher method when connecting to another computer that supports it. Signing prevents common attacks like relay and spoofing, and is required by default when clients communicate with Active Directory domain controllers.
Finally, Windows 11 introduces SMB over QUIC (Preview), an alternative to the TCP network transport, providing secure, reliable connectivity to edge file servers over untrusted networks like the Internet and highly secure communications on internal networks. QUIC is an IETF-standardized protocol with many benefits compared to TCP, but most importantly, it always requires TLS 1.3 and encryption. SMB over QUIC offers an “SMB VPN” for telecommuters, mobile device users, and high-security organizations. All SMB traffic, including authentication and authorization within the tunnel, is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn’t change. SMB over QUIC will be a game-changing feature for Windows 11 accessing Windows file servers and eventually Azure Files and third parties.

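The three controls this section describes (mandatory signing, mandatory encryption with an AES-256 preference, and SMB over QUIC for untrusted networks) are all exposed through the SmbShare cmdlets. The PowerShell below is an added example, not code from the Security Book: it hardens both the server and client sides of a Windows 11 host, maps a share over QUIC, and shows which live connections are actually signed and encrypted. The server and share names are assumptions; the -EncryptionCiphers parameter is assumed to be present, which is the case on Windows 11 and Windows Server 2022 builds that ship the cipher-preference feature.

```powershell
# Added example (not from the Windows 11 Security Book). Run elevated.
function Set-SmbHardening {
    # Server side (any Windows host that shares files): encrypt every share, refuse
    # clients that will not encrypt or sign, and keep SMB1 off.
    Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true `
        -RequireSecuritySignature $true -EnableSMB1Protocol $false -Force
    # Client side: refuse servers that will not sign (relay/spoofing protection)
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    # Cipher preference: AES-256-GCM first, AES-128-GCM as the compatible fallback
    # (parameter availability is an assumption; see lead-in)
    Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM,AES_128_GCM' -Force
    Set-SmbClientConfiguration -EncryptionCiphers 'AES_256_GCM,AES_128_GCM' -Force
}

function Connect-ShareOverQuic {
    # SMB over QUIC: TLS 1.3 tunnel on UDP 443, no TCP 445 exposed to the network.
    param([string]$RemotePath = '\\fs.corp.example\data', [string]$Drive = 'Z:')   # constructed
    New-SmbMapping -LocalPath $Drive -RemotePath $RemotePath -TransportType QUIC
}

function Get-SmbConnectionSecurity {
    # Client view of every open SMB connection: dialect, and whether signing and
    # encryption were actually negotiated (not just configured).
    Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted,
        @{ n = 'Unprotected'; e = { -not ($_.Signed -or $_.Encrypted) } }
}

# Usage:
# Set-SmbHardening
# Connect-ShareOverQuic
# Get-SmbConnectionSecurity | Format-Table -AutoSize
```

Setting RejectUnencryptedAccess on a server is the step that turns encryption from "negotiated when possible" into "required": older clients that cannot do SMB 3.x encryption will then fail to connect, so run Get-SmbConnectionSecurity across the estate first to find them.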
Virus and threat protection
Today’s cyber threat landscape is more complex than ever. This new world requires a new approach to threat prevention, detection, and response. Microsoft Defender Antivirus, along with many other features built into Windows 11, is at the front line of protecting customers against current and emerging threats.
Microsoft Defender Antivirus
Microsoft Defender Antivirus is a next-generation protection solution included in Windows 10 and Windows 11. Once you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to this real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. Likewise, if you uninstall the other app, Microsoft Defender Antivirus will turn back on.
Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats. Also, it detects and blocks potentially unwanted applications (PUA), which are applications that are deemed to impact your device negatively but are not considered malware. Microsoft Defender Antivirus always-on, on-device prevention is integrated with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats. 9
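Each capability named in these two paragraphs (real-time protection, behavior monitoring, PUA blocking, cloud-delivered protection, automatic updates, and the automatic hand-off to a third-party antivirus) corresponds to a Defender preference or status field. The PowerShell below is an added example, not code from the Security Book: it applies a preference baseline and then reads back the fields that tell you whether Defender is actually the active engine. The baseline values are assumptions chosen for illustration.

```powershell
# Added example (not from the Windows 11 Security Book). Run elevated.
function Set-DefenderAvBaseline {
    # Baseline values are assumptions; each maps to a capability named in the text.
    Set-MpPreference -DisableRealtimeMonitoring $false `   # real-time protection
        -DisableBehaviorMonitoring $false `               # behavior-based protection
        -DisableIOAVProtection $false `                   # scan downloads/attachments
        -DisableScriptScanning $false `
        -MAPSReporting Advanced `                         # cloud-delivered protection
        -SubmitSamplesConsent SendSafeSamples `
        -CloudBlockLevel High -CloudExtendedTimeout 50 `  # let the cloud verdict finish
        -PUAProtection Enabled `                          # block potentially unwanted apps
        -SignatureUpdateInterval 4                        # hours between update checks
    Update-MpSignature
}

function Get-DefenderAvState {
    # AMRunningMode is the field that reveals the hand-off described above:
    # 'Passive Mode' means another registered antivirus is active and Defender stepped aside.
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        RunningMode      = $s.AMRunningMode
        RealTime         = $s.RealTimeProtectionEnabled
        Behavior         = $s.BehaviorMonitorEnabled
        CloudProtection  = ($p.MAPSReporting -ne 0)      # 0 = Disabled, 1 = Basic, 2 = Advanced
        PUAProtection    = $p.PUAProtection              # 0 = off, 1 = block, 2 = audit
        SignatureVersion = $s.AntivirusSignatureVersion
        SignatureAgeDays = $s.AntivirusSignatureAge
        LastQuickScan    = $s.QuickScanEndTime
        Healthy          = ($s.AMRunningMode -eq 'Normal' -and $s.RealTimeProtectionEnabled `
                            -and $s.AntivirusSignatureAge -le 1)
    }
}

# Usage:
# Set-DefenderAvBaseline
# Get-DefenderAvState
```

The Healthy flag is intentionally strict about signature age: a device that reports RunningMode = Normal but has not updated in days is usually one that cannot reach the update service, which is worth knowing before it is trusted as a Zero Trust signal.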
Attack surface reduction
Available in Windows and Windows Server, attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization. In addition, administrators can configure specific attack surface reduction rules to help block certain behaviors, such as:
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don’t usually initiate during normal day-to-day work
For example, an attacker might try to run an unsigned script from a USB drive or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve the defensive posture of the device.
For comprehensive protection, follow steps to enable hardware-based isolation for Microsoft Edge and reduce the attack surface across applications, folders, devices, networks, and firewalls.
Learn more about attack surface reduction.
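The three behaviours in the list above each correspond to a specific attack surface reduction rule, and the recommended way to adopt them is audit mode first, then enforcement. The PowerShell below is an added example, not code from the Security Book: it applies three rules in a chosen mode, lists the current state of every configured rule, and reads the audit/block events Defender writes so the impact can be reviewed. The rule GUIDs are taken from Microsoft's ASR rule reference and should be checked against the current version of that reference; the application path in the usage comment is constructed.

```powershell
# Added example (not from the Windows 11 Security Book). Run elevated.
# GUIDs from Microsoft's ASR rule reference; verify against the current docs.
$AsrRules = @{
    'Block execution of potentially obfuscated scripts'            = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block untrusted and unsigned processes that run from USB'     = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Block all Office applications from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
}

function Set-AsrRules {
    # Start in AuditMode; switch to Enabled once the events below show no false positives.
    param([ValidateSet('AuditMode', 'Enabled', 'Warn')][string]$Mode = 'AuditMode')
    foreach ($name in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules[$name] `
            -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # Actions are stored as numbers: 0 Disabled, 1 Block, 2 Audit, 6 Warn
    $p = Get-MpPreference
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $p.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = ($AsrRules.GetEnumerator() | Where-Object Value -eq $id).Key
            Action = $actionName[[int]$p.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Get-AsrEvents {
    # 1121 = rule blocked something, 1122 = rule would have blocked (audit).
    # Field names are those in the event's EventData; verify on your build.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 1121, 1122; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            RuleId  = $d['ID']
            Process = $d['Process Name']
            Target  = $d['Path']
        }
    }
}

# Usage:
# Set-AsrRules -Mode AuditMode; Get-AsrRuleState
# Get-AsrEvents -Hours 72 | Group-Object RuleId, Process | Sort-Object Count -Descending
# If a line-of-business app (constructed path) trips a rule legitimately, exclude it:
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Contoso\Ledger.exe'
```

Grouping the audit events by rule and process is the review step that decides whether a rule can go to Enabled; the same report after enforcement is the detection feed for the USB and macro scenarios the text describes.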
Tamper Protection
Attacks like ransomware attempt to disable security features on targeted devices, such as anti-virus protection. Bad actors like to disable security features to get easier access to users’ data, install malware, or otherwise exploit users’ data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates
Learn more about tamper protection.
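Each item in the list above is visible as a status field, so a device can be checked for exactly the kind of tampering the feature is meant to stop. The PowerShell below is an added example, not code from the Security Book: it reports whether tamper protection is on and whether each protected capability is still enabled, and pulls the events Defender records when a change is blocked. Tamper protection itself is turned on in the Windows Security app or through Intune/Defender for Endpoint; by design it cannot be changed with Set-MpPreference, which is why this example only reads state.

```powershell
# Added example (not from the Windows 11 Security Book).
function Get-DefenderTamperState {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    # One entry per capability named in the tamper protection list above
    $checks = [ordered]@{
        'Tamper protection'             = $s.IsTamperProtected
        'Virus and threat protection'   = $s.AntivirusEnabled
        'Real-time protection'          = $s.RealTimeProtectionEnabled
        'Behavior monitoring'           = $s.BehaviorMonitorEnabled
        'IOAV (download/attachment) AV' = $s.IoavProtectionEnabled
        'Cloud-delivered protection'    = ($p.MAPSReporting -ne 0)
        'Security intelligence current' = ($s.AntivirusSignatureAge -le 3)
    }
    foreach ($k in $checks.Keys) {
        [pscustomobject]@{ Control = $k; Healthy = [bool]$checks[$k] }
    }
}

function Get-TamperBlockedEvents {
    # Event 5013 in the Defender operational log: tamper protection blocked a change.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 5013; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Test-DefenderIntegrity {
    # Single pass/fail for fleet reporting, plus the individual failures
    $state  = Get-DefenderTamperState
    $failed = @($state | Where-Object { -not $_.Healthy })
    [pscustomobject]@{
        Healthy = ($failed.Count -eq 0)
        Failed  = ($failed.Control -join '; ')
        RecentTamperAttempts = @(Get-TamperBlockedEvents).Count
    }
}

# Usage:
# Get-DefenderTamperState | Format-Table -AutoSize
# Test-DefenderIntegrity
```

A device where tamper protection reports On but RecentTamperAttempts is non-zero is the interesting case: the protection worked, and something on the box tried to switch a control off, which is a signal worth escalating rather than a setting to fix.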
Network Protection
Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an additional layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation-based domains and IP addresses. Network protection works best with Microsoft Defender for Endpoint in enterprise environments, which provides detailed reporting into protection events as part of more significant investigation scenarios.
Learn more about how to protect your network.
Controlled Folder Access
You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, and downloads, are included in the list of controlled folders.
Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.
Controlled folder access helps protect users’ valuable data from malicious apps and threats, such as ransomware. Learn more about controlled folder access.
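Network protection and controlled folder access are both toggled through the same Defender preference set and both support an audit mode, which is how you find out what they would block before they block it. The PowerShell below is an added example that serves this section and the Network Protection section above; it is not code from the Security Book. It enables both features in audit or enforce mode, adds a protected folder and an allowed application, and reads back the audit/block events. The folder and application paths are constructed.

```powershell
# Added example (not from the Windows 11 Security Book). Run elevated.
function Enable-DefenderSurfaceControls {
    param(
        [string[]]$ExtraFolders = @('D:\Finance'),                                 # constructed
        [string[]]$AllowedApps  = @('C:\Program Files\Contoso\Ledger.exe'),        # constructed
        [switch]$Enforce
    )
    $mode = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
    # Network protection: reputation-based blocking of outbound connections
    Set-MpPreference -EnableNetworkProtection $mode
    # Controlled folder access: Documents/Pictures/Desktop etc. are protected by default;
    # add business data locations and the apps that legitimately write there.
    Set-MpPreference -EnableControlledFolderAccess $mode
    foreach ($f in $ExtraFolders) {
        if (Test-Path $f) { Add-MpPreference -ControlledFolderAccessProtectedFolders $f }
    }
    foreach ($a in $AllowedApps) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $a
    }
    Get-MpPreference | Select-Object EnableNetworkProtection, EnableControlledFolderAccess,
        ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
}

function Get-SurfaceControlEvents {
    # 1123/1124 = controlled folder access blocked/audited
    # 1125/1126 = network protection audited/blocked
    param([int]$Hours = 24)
    $names = @{ 1123 = 'CFA blocked'; 1124 = 'CFA audited'; 1125 = 'NP audited'; 1126 = 'NP blocked' }
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 1123, 1124, 1125, 1126; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Event   = $names[[int]$_.Id]
            Message = ($_.Message -split "`n")[0]   # first line carries the summary
        }
    }
}

# Usage:
# Enable-DefenderSurfaceControls             # audit first
# Get-SurfaceControlEvents -Hours 72 | Group-Object Event
# Enable-DefenderSurfaceControls -Enforce    # once the audit log shows only expected hits
```

The most common audit finding is a backup or sync agent writing into a protected folder; adding it with ControlledFolderAccessAllowedApplications before enforcing avoids the support tickets without weakening the ransomware protection for everything else.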
Exploit protection
Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. In addition, you can enable exploit protection on an individual device and then use Group Policy to distribute the XML file to multiple devices simultaneously.
When a mitigation is triggered on the device, a notification is displayed from the Action Center. You can customize the message with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
You can use audit mode to evaluate how exploit protection would impact your organization if it were enabled.
Windows 11 provides configuration options for exploit protection. You can prevent users from modifying these specific options with Group Policy.
Learn more about protecting devices from exploits.
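The per-application configuration, audit mode, and the XML export that Group Policy distributes are all handled by the ProcessMitigation cmdlets. The PowerShell below is an added example, not code from the Security Book: it applies a set of mitigations to one application with the riskier ones in their audit variants, reads the audit events back, and exports the device's settings to the XML file format that the Group Policy setting consumes. The application name and export path are assumptions.

```powershell
# Added example (not from the Windows 11 Security Book). Run elevated.
function Set-AppMitigationAuditFirst {
    param([string]$ProcessName = 'Ledger.exe')   # constructed application name
    # Always-safe hardening (DEP, SEHOP, mandatory ASLR, bottom-up/high-entropy ASLR)
    # plus audit-only variants of the mitigations that commonly break apps
    # (arbitrary code guard and child-process blocking).
    Set-ProcessMitigation -Name $ProcessName -Enable DEP, SEHOP, ForceRelocateImages, `
        BottomUp, HighEntropy, AuditDynamicCode, AuditChildProcess
    Get-ProcessMitigation -Name $ProcessName
}

function Get-MitigationAuditEvents {
    # Audit and enforcement events land in the Security-Mitigations channels
    param([int]$Hours = 24)
    foreach ($log in 'Microsoft-Windows-Security-Mitigations/UserMode',
                     'Microsoft-Windows-Security-Mitigations/KernelMode') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddHours(-$Hours) } `
            -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'Channel'; e = { $log } },
                @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
    }
}

function Export-MitigationPolicy {
    # Writes the device's current settings as XML; this is the file the
    # "Use a common set of exploit protection settings" policy points at.
    param([string]$Path = "$env:TEMP\exploit-protection.xml")   # assumption
    Get-ProcessMitigation -RegistryConfigFilePath $Path
    $Path
}

# Usage:
# Set-AppMitigationAuditFirst
# Get-MitigationAuditEvents -Hours 72 | Group-Object Channel, Id
# Once audit shows nothing unexpected, promote to enforcement:
# Set-ProcessMitigation -Name Ledger.exe -Enable BlockDynamicCode, DisallowChildProcessCreation
# Export-MitigationPolicy
# Apply an exported file on another device: Set-ProcessMitigation -PolicyFilePath .\exploit-protection.xml
```

Keeping the exported XML in source control alongside the Group Policy object gives you a diffable history of the mitigation baseline, which is much easier to review than the registry keys the cmdlets write underneath.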
Microsoft Defender SmartScreen
Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files.
SmartScreen determines whether a site is potentially malicious by:
- Analyzing visited web pages looking for indications of suspicious behavior. If a page is suspicious, it will show a warning page to advise caution.
- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let users know that the site might be malicious.
SmartScreen also determines whether a downloaded app or app installer is potentially malicious by:
- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. SmartScreen warns the user that the site might be malicious if it finds a match.
- Checking downloaded files against a list of well-known and downloaded files by many Windows users. If the file is not on that list, it shows a warning advising caution.
The app and browser control section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance in the Windows Defender SmartScreen documentation library.
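The settings referred to in the last sentence can be pinned by policy so that a user cannot turn SmartScreen off or click through a warning. The PowerShell below is an added example, not code from the Security Book: it writes the Windows shell SmartScreen policy values and the corresponding Microsoft Edge policy values, and reads them back for verification. The value names are the documented policy registry values; the choice of Block over Warn is an assumption.

```powershell
# Added example (not from the Windows 11 Security Book). Run elevated.
$ShellPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$EdgePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Set-SmartScreenPolicy {
    param([ValidateSet('Warn', 'Block')][string]$Level = 'Block')   # assumption
    foreach ($k in $ShellPolicy, $EdgePolicy) { New-Item -Path $k -Force | Out-Null }
    # Shell (downloaded apps/installers): on, and either warn-with-override or block
    New-ItemProperty -Path $ShellPolicy -Name EnableSmartScreen     -PropertyType DWord  -Value 1 -Force | Out-Null
    New-ItemProperty -Path $ShellPolicy -Name ShellSmartScreenLevel -PropertyType String -Value $Level -Force | Out-Null
    # Edge (sites and downloads): on, PUA blocking on, no user override of warnings
    New-ItemProperty -Path $EdgePolicy -Name SmartScreenEnabled               -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $EdgePolicy -Name SmartScreenPuaEnabled            -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $EdgePolicy -Name PreventSmartScreenPromptOverride -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-SmartScreenPolicy {
    # Read back; a missing value means "not managed by policy" (user can change it)
    $shell = Get-ItemProperty -Path $ShellPolicy -ErrorAction SilentlyContinue
    $edge  = Get-ItemProperty -Path $EdgePolicy  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ShellEnabled      = $shell.EnableSmartScreen
        ShellLevel        = $shell.ShellSmartScreenLevel
        EdgeEnabled       = $edge.SmartScreenEnabled
        EdgePuaBlocking   = $edge.SmartScreenPuaEnabled
        EdgeNoOverride    = $edge.PreventSmartScreenPromptOverride
        FullyManaged      = ($shell.EnableSmartScreen -eq 1 -and $edge.SmartScreenEnabled -eq 1 `
                             -and $edge.PreventSmartScreenPromptOverride -eq 1)
    }
}

# Usage:
# Set-SmartScreenPolicy -Level Block
# Get-SmartScreenPolicy
```

In a domain or Intune-managed estate the same values arrive through the "Configure Windows Defender SmartScreen" and Edge policy settings; the read-back function is still useful there as a compliance check that the policy actually landed on the device.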
Microsoft Defender for Endpoint
Windows E5 customers benefit from Microsoft Defender for Endpoint, an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. Organizations with a dedicated security operations team can use the rich event data and attack insights that Defender for Endpoint provides to investigate incidents. In addition, Defender for Endpoint brings together the following elements to give a complete picture of security incidents:
- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint.
- Cloud security analytics: Leveraging big data, machine learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365, and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
- Threat intelligence: Microsoft’s threat intelligence is informed daily by trillions of security signals. Combined with our global team of security experts, cutting-edge artificial intelligence, and machine learning, we can see threats that others miss. Our threat intelligence helps provide unparalleled protection for our customers.
Defender for Endpoint is also part of Microsoft 365 Defender, a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Learn more about Microsoft Defender for Endpoint and Microsoft 365 Defender.
© 2021 Microsoft Corporation. All rights reserved.