Debug School

Suyash Sambhare
Windows Security - Device Security

The Device security page in the Windows Security app reports on, and lets you control, the hardware-backed security features built into your Windows device.

  • Secured-core PC: if your device is a Secured-core PC, this section lists the features it provides.
  • Core isolation: configure the security mechanisms that protect the Windows kernel.
  • Security processor: information about the trusted platform module (TPM).
  • Secure boot: details about Secure Boot, when it is enabled.
  • Data encryption: a link into Windows settings where you can configure device encryption and other BitLocker options.
  • Hardware security capability: a summary of the hardware security features your device supports.

Secured-core PC

A Secured-core PC is built to deliver superior security features right out of the box. These PCs combine hardware, firmware, and software to provide powerful security against sophisticated threats.

Core isolation

Core isolation groups the features that isolate Windows core processes in memory, protecting them from malicious applications. It does this through virtualisation-based security (VBS): the hypervisor runs the core security functions in a separate, isolated environment that the normal operating system, including any malware that has gained kernel privileges, cannot write to.
The options available on the core isolation page depend on the version of Windows you are running and the hardware installed.

Memory integrity

Memory integrity, also known as Hypervisor-protected Code Integrity (HVCI), is a Windows security feature that stops attackers from using malicious or vulnerable low-level drivers to run unsigned code in the kernel and take over your computer.
A driver is a piece of software that lets the operating system (in this case Windows) communicate with a device such as a keyboard or webcam; when the device needs Windows to do something, the request goes through the driver.
Memory integrity works by moving the kernel's code-integrity checks into an isolated environment created by hardware virtualisation.
Imagine a security guard inside a locked booth. The isolated environment (the locked booth) keeps an attacker from tampering with the memory integrity check itself. Kernel-mode code that wants to run, a driver for example, is first presented to memory integrity inside that booth so that its signature and integrity can be validated; only when the check passes does the code become executable in Windows. This happens quickly.
Without memory integrity, the guard stands out in the open, where an attacker who has already reached the kernel can tamper with or disable the check and let malicious code through.

Kernel-mode Hardware-enforced Stack Protection

Kernel-mode hardware-enforced stack protection is a hardware-based security feature that makes it harder for malicious software to take control of your computer through low-level drivers (drivers are described under Memory integrity above).
It works by blocking attacks that overwrite return addresses on the kernel-mode stack in order to redirect execution to malicious code (the technique known as return-oriented programming). It needs a CPU that can verify the return addresses of running code.

When code runs in kernel mode, a malicious program or driver can corrupt return addresses on the kernel-mode stack so that normal execution is redirected to attacker-chosen code. On supported CPUs, the processor keeps a second copy of every valid return address on a separate shadow stack that drivers cannot modify. If a return address on the regular stack has been changed, the CPU notices the mismatch when it compares it with the copy on the shadow stack. When that happens, Windows raises a stop error (a blue screen) rather than let the corrupted return execute.
Not every driver is compatible with this feature, because a small number of legitimate drivers modify return addresses for non-malicious reasons.
Microsoft has been working with driver publishers to make their latest drivers compatible with hardware-enforced stack protection.
The toggle turns hardware-enforced stack protection on or off. To use it, memory integrity must be enabled and your CPU must support Intel Control-Flow Enforcement Technology (CET) or AMD Shadow Stack.
Some programs install a service during setup and install their driver only when the program is first run. Services known to be associated with incompatible drivers are therefore listed as well, so that incompatible drivers can be identified more precisely.
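Both toggles described above (memory integrity and kernel-mode stack protection) are backed by the Win32_DeviceGuard WMI class and the DeviceGuard\Scenarios registry keys. The PowerShell below is an added example, not code from the Microsoft support page: it decodes the class's documented values, reads the two scenario keys, and offers a -WhatIf-capable setter. The meanings of SecurityServicesRunning codes 1 to 4 and AvailableSecurityProperties codes 1 to 8 follow Microsoft's documentation; the shadow-stack codes 5 and 6 and the KernelShadowStacks key name come from newer Windows 11 builds and should be treated as assumptions on older ones.

```powershell
# Added example: inspect core isolation (VBS, memory integrity, kernel shadow stacks).
# Run from an elevated PowerShell prompt on Windows 10/11.

$VbsStatusText = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$ServiceText   = @{
    1 = 'Credential Guard'
    2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode Hardware-enforced Stack Protection'          # newer Windows 11 builds (assumption)
    6 = 'Kernel-mode Hardware-enforced Stack Protection (audit)'  # newer Windows 11 builds (assumption)
}
$PropertyText  = @{
    1 = 'Base virtualization support'; 2 = 'Secure Boot';      3 = 'DMA protection'
    4 = 'Secure memory overwrite';     5 = 'UEFI code read-only'
    6 = 'SMM security mitigations 1.0'; 7 = 'Mode-based execution control'; 8 = 'APIC virtualization'
}
$ScenarioRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios'

function Get-CoreIsolationState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # The three list properties are UInt32 arrays (or $null); normalise them to [int] arrays.
    $running    = @(@($dg.SecurityServicesRunning)    | Where-Object { $null -ne $_ } | ForEach-Object { [int]$_ })
    $configured = @(@($dg.SecurityServicesConfigured) | Where-Object { $null -ne $_ } | ForEach-Object { [int]$_ })
    $hardware   = @(@($dg.AvailableSecurityProperties) | Where-Object { $null -ne $_ } | ForEach-Object { [int]$_ })
    [pscustomobject]@{
        VbsStatus              = $VbsStatusText[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning        = @($running    | ForEach-Object { $ServiceText[$_] })
        ServicesConfigured     = @($configured | ForEach-Object { $ServiceText[$_] })
        HardwareCapabilities   = @($hardware   | ForEach-Object { $PropertyText[$_] })
        MemoryIntegrityRunning = $running -contains 2
        ShadowStacksRunning    = ($running -contains 5) -or ($running -contains 6)
    }
}

function Get-ScenarioPolicy {
    # Scenario: HypervisorEnforcedCodeIntegrity (memory integrity) or KernelShadowStacks (stack protection)
    param([Parameter(Mandatory)][string]$Scenario)
    $key = Join-Path $ScenarioRoot $Scenario
    if (-not (Test-Path $key)) { return $null }   # never configured: the platform default applies
    (Get-ItemProperty -Path $key).Enabled          # 1 = on, 0 = off
}

function Set-ScenarioPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Scenario, [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)
    $key = Join-Path $ScenarioRoot $Scenario
    if ($PSCmdlet.ShouldProcess($key, "Set Enabled=$Enabled (takes effect after a reboot)")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -Value $Enabled -PropertyType DWord -Force | Out-Null
    }
}

$state = Get-CoreIsolationState
$state | Format-List

$hvciPolicy   = Get-ScenarioPolicy HypervisorEnforcedCodeIntegrity
$shadowPolicy = Get-ScenarioPolicy KernelShadowStacks
"Memory integrity policy: $hvciPolicy  running: $($state.MemoryIntegrityRunning)"
"Shadow stacks policy:    $shadowPolicy  running: $($state.ShadowStacksRunning)"

# Stack protection needs memory integrity on and a CPU with Intel CET / AMD Shadow Stack.
if ($shadowPolicy -eq 1 -and -not $state.ShadowStacksRunning) {
    if (-not $state.MemoryIntegrityRunning) {
        Write-Warning 'Shadow stacks are configured but memory integrity is off.'
    } else {
        Write-Warning 'Shadow stacks are configured but not running: reboot pending, CPU without CET/Shadow Stack, or an incompatible driver.'
    }
}

# Preview turning memory integrity on; drop -WhatIf to apply, then reboot.
Set-ScenarioPolicy -Scenario HypervisorEnforcedCodeIntegrity -Enabled 1 -WhatIf
```

A policy value of 1 in the registry with the service absent from ServicesRunning is the state the app shows as "turned on, but not yet running": a reboot is still pending, or an incompatible driver is holding the feature back, and that is the case worth alerting on in fleet reporting.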

Memory access protection

Also known as Kernel DMA protection, this feature shields your device from attacks that become possible when a malicious device is plugged into an externally accessible PCI Express (PCIe) port, such as a Thunderbolt port.
A simple example: a user steps away for a quick coffee break, and while they are away an attacker plugs in a small device that looks like an ordinary peripheral, reads sensitive data straight out of system memory or implants malware that lets them control the PC remotely, and walks off.
Memory access protection defeats these attacks by denying newly attached devices direct memory access in such situations, in particular while the PC is locked or the user is signed out. Devices whose drivers support DMA remapping can still work, because the IOMMU confines them to the memory regions assigned to them.

Firmware protection

Every device has software stored in non-volatile memory, essentially a chip on the system board, that handles the device's most basic tasks, such as loading the operating system that in turn runs the apps we are used to. Because that software is hard (though not impossible) to change, we call it firmware.
Because firmware loads first and runs beneath the operating system, security tools and features running inside the operating system have a hard time detecting or defending against a compromise of it. A computer's firmware must be secure for the operating system, programs and data on it to be secure.
System Guard is a set of features designed to stop attackers from using malicious or untrusted firmware to start your device.
Platforms that provide firmware protection protect System Management Mode (SMM), a highly privileged CPU mode in which firmware code runs beneath both the operating system and the hypervisor, to varying degrees. Expect one of three values; a higher number means stronger SMM protection:

  • Your device meets firmware protection version one: this offers the foundational security mitigations to help SMM resist exploitation by malware, and prevents exfiltration of secrets from the OS (including VBS)
  • Your device meets firmware protection version two: in addition to firmware protection version one, version two ensures that SMM can't disable Virtualization-based Security (VBS) and kernel DMA protections
  • Your device meets firmware protection version three: in addition to firmware protection version two, it further hardens the SMM by preventing access to certain registers that have the ability to compromise the OS (including VBS)

Local Security Authority protection

Local Security Authority (LSA) protection is a Windows security feature that helps prevent the theft of credentials needed to log into Windows.

The Local Security Authority (LSA) is a critical function in Windows that handles user authentication. Its responsibilities include verifying credentials during the login process and managing authentication tokens and tickets required to enable single sign-on for services. LSA protection helps to prevent untrusted software from running inside the LSA or accessing its memory.

To keep credentials safe, LSA protection is enabled by default. On new installations it is on from the start. On upgraded devices it is turned on after a 10-day review period, at the next reboot.
If LSA protection is on and blocks a piece of software from loading into the LSA service, a warning identifies the blocked file. You may be able to uninstall the software that loads that file, or you can suppress future warnings for the file if it cannot be loaded into LSA.

Credential Guard

A device you use for work or school silently signs in to many resources within your organisation: files, printers, apps and more. To make that both safe and convenient, your computer keeps a variety of authentication secrets on it, such as NTLM password hashes and Kerberos tickets.
An attacker who obtains one of those secrets can use it to reach the resource it grants access to (sensitive files and so on). Credential Guard protects them by keeping them in an isolated, virtualisation-based environment, separate from the normal LSA process, that only specific services can call into when they need to.
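The LSA protection and Credential Guard sections above can both be verified from PowerShell. This is an added example, not code from the Microsoft support page. The RunAsPPL values and the Code Integrity event IDs (3065/3066 for the review period, 3033/3063 for enforced blocks) are taken from Microsoft's LSA protection documentation; the presence of LsaIso.exe as the isolated LSA host is documented behaviour of Credential Guard.

```powershell
# Added example: report LSA protection and Credential Guard state. Run elevated.

function Get-LsaProtectionState {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # RunAsPPL: 1 = LSA runs as a protected process, locked in with a UEFI variable;
    #           2 = enabled without the UEFI lock (Windows 11 22H2 and later);
    #           absent = not forced by this key (the default for the build still applies)
    $runAsPpl = $lsa.RunAsPPL
    [pscustomobject]@{
        RunAsPPL   = $runAsPpl
        Configured = ($runAsPpl -eq 1) -or ($runAsPpl -eq 2)
        UefiLocked = $runAsPpl -eq 1
    }
}

function Get-LsaProtectionEvents {
    param([int]$Days = 10)   # matches the review period described above
    # Audit-mode records (load allowed but noted): 3065 shared-section check, 3066 signing-level check.
    # Enforced blocks (load refused): 3033 signing-level check, 3063 shared-section check.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3033, 3063, 3065, 3066
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass\.exe' } |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Win32_DeviceGuard service code 1 = Credential Guard
    $running    = @($dg.SecurityServicesRunning)    -contains 1
    $configured = @($dg.SecurityServicesConfigured) -contains 1
    # With Credential Guard running, the isolated LSA is hosted in LsaIso.exe next to lsass.exe.
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue
    [pscustomobject]@{ Configured = $configured; Running = $running; IsolatedLsaProcess = [bool]$lsaIso }
}

Get-LsaProtectionState  | Format-List
Get-CredentialGuardState | Format-List
$hits = Get-LsaProtectionEvents
if ($hits) { $hits | Format-Table -AutoSize }
else       { 'No LSA protection audit or block events in the last 10 days.' }
```

On an upgraded device, run the event query a day or two before the 10-day period ends: any 3065/3066 record names a plug-in or driver that will be blocked (3033/3063) once enforcement starts, which is the moment sign-in tooling such as smart-card or password-filter DLLs tends to break.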

Microsoft vulnerable driver blocklist

Drivers (described under Memory integrity above) run with a great deal of privileged access to your system, so a malicious or exploitable driver is a direct route into the kernel.
Windows 11 maintains a blocklist of drivers that circumvent the Windows security model, have known security flaws, or were signed with certificates that have also been used to sign malware.
The vulnerable driver blocklist is also always on when Windows is in S mode, or when memory integrity or Smart App Control is enabled.
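To see whether the blocklist is in force on a given machine and which drivers it has actually stopped, the following added example (not code from the Microsoft support page) reads the documented VulnerableDriverBlocklistEnable opt-in value, infers enforcement from memory integrity, and parses Code Integrity events 3077 (blocked) and 3076 (audit). The XML field names FileNameBuffer and PolicyNameBuffer are taken from the event template and are an assumption; CiTool.exe ships with Windows 11 22H2 and later.

```powershell
# Added example: state of the Microsoft vulnerable driver blocklist and drivers it refused. Run elevated.

function Get-VulnerableDriverBlocklistState {
    $ci  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $opt = (Get-ItemProperty -Path $ci -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvci = @($dg.SecurityServicesRunning) -contains 2   # memory integrity running => blocklist always on
    [pscustomobject]@{
        # 1 = explicitly on, 0 = explicitly off, $null = not set (platform default applies:
        # on by default since the Windows 11 2022 Update)
        RegistryOptIn      = $opt
        MemoryIntegrityOn  = $hvci
        # Conservative: S mode and Smart App Control also force it but are not checked here.
        BlocklistEffective = ($opt -eq 1) -or $hvci
    }
}

function Get-BlockedDriverEvents {
    param([int]$Days = 30)
    # WDAC/CI policy events: 3077 = load blocked by policy, 3076 = would have been blocked (audit mode)
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = $xml.Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            File   = ($data | Where-Object Name -eq 'FileNameBuffer').'#text'    # assumed field name
            Policy = ($data | Where-Object Name -eq 'PolicyNameBuffer').'#text'  # assumed field name
        }
    }
}

$state = Get-VulnerableDriverBlocklistState
$state | Format-List
if (-not $state.BlocklistEffective) {
    Write-Warning 'Blocklist not positively confirmed; enable memory integrity or set VulnerableDriverBlocklistEnable=1.'
}

$blocked = Get-BlockedDriverEvents
if ($blocked) { $blocked | Format-Table -AutoSize } else { 'No Code Integrity driver blocks in the last 30 days.' }

# The active CI policies, including the driver blocklist policy, can be listed with CiTool on Windows 11 22H2+:
if (Get-Command CiTool.exe -ErrorAction SilentlyContinue) { & CiTool.exe --list-policies }
```

A 3077 event whose Policy names the Windows driver policy is the signal a detection team wants: something tried to load a driver Microsoft has classified as vulnerable, which in practice is usually a bring-your-own-vulnerable-driver (BYOVD) attempt to disable endpoint protection rather than a legitimate install.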


Security processor

Information about your device's Trusted Platform Module (TPM) is shown under Security processor on the Device security tab of the Windows Security app. The TPM is a hardware component that performs cryptographic operations and stores keys so that they cannot be read out by software. If you don't see a Security processor entry on this page, your device may lack TPM hardware, or the TPM may be disabled in the UEFI (Unified Extensible Firmware Interface) settings. Check with the manufacturer to find out whether your device has a TPM and how to enable it.

Security processor details

This is where you’ll find info about the security processor manufacturer and version numbers, as well as about the security processor’s status.

Security processor troubleshooting

If your security processor isn't working properly, you can select the Security processor troubleshooting link to see any error messages and advanced options, or use the following shortcut:

The security processor troubleshooting page provides any relevant error messages about the TPM.

  • A firmware update is needed for your security processor (TPM): Your device's motherboard doesn't appear to support TPM currently, but a firmware update might resolve this. Check with your device's manufacturer to see if a firmware update is available and how to install it. Firmware updates are usually free.
  • TPM is disabled and requires attention: The trusted platform module is probably turned off in the system BIOS (Basic Input/Output System) or UEFI (Unified Extensible Firmware Interface). Refer to your device manufacturer's support documentation, or contact their technical support, for instructions on how to turn it on.
  • TPM storage is not available. Please clear your TPM: The clear TPM button is on this page. You'll want to make sure you have a good backup of your data before proceeding.
  • Device health attestation isn't available. Please clear your TPM: The clear TPM button is on this page. You'll want to make sure you have a good backup of your data before proceeding.
  • Device health attestation isn't supported on this device: the device doesn't give Windows enough information to determine why the TPM may not be working properly.
  • Your TPM isn't compatible with your firmware and may not be working properly: Check with your device's manufacturer to see if a firmware update is available and how to get and install it. Firmware updates are usually free.
  • TPM measured boot log is missing. Try restarting your device.
  • There is a problem with your TPM. Try restarting your device.

Select Clear TPM to reset your security processor to its default settings. Make sure to back up your data before you clear the TPM.
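The security processor details and the troubleshooting messages above can be reproduced, and the cost of a TPM clear checked, with the following PowerShell. It is an added example, not code from the Microsoft support page, built on the Get-Tpm cmdlet, the Win32_Tpm WMI class (whose SpecVersion string starts with the TPM version, e.g. "2.0") and Get-BitLockerVolume; it does not itself clear the TPM.

```powershell
# Added example: report the TPM and check what a TPM clear would invalidate. Run elevated.

function Get-TpmReport {
    $tpm = Get-Tpm   # TrustedPlatformModule module, built into Windows
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi -and $wmi.SpecVersion) { ($wmi.SpecVersion -split ',')[0].Trim() } else { $null }
    [pscustomobject]@{
        Present          = $tpm.TpmPresent
        Ready            = $tpm.TpmReady          # provisioned and usable by Windows
        Enabled          = $tpm.TpmEnabled
        Activated        = $tpm.TpmActivated
        SpecVersion      = $spec                  # '2.0' is required for the hardware-security tiers
        Manufacturer     = $tpm.ManufacturerIdTxt
        FirmwareVersion  = $tpm.ManufacturerVersion
        LockedOut        = $tpm.LockedOut         # anti-hammering lockout after repeated bad authorisations
        LockoutHealTime  = $tpm.LockoutHealTime
        AutoProvisioning = $tpm.AutoProvisioning
    }
}

function Get-TpmClearImpact {
    # Clearing the TPM discards every key it holds. Anything sealed to it stops working: BitLocker
    # volumes with a TPM protector fall back to the recovery password, and Windows Hello PINs,
    # virtual smart cards and device health attestation state have to be re-enrolled.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ BitLockerVolumesUsingTpm = @(); RecoveryPasswordProtector = $false; Note = 'BitLocker module not available' }
    }
    $volumes = @(Get-BitLockerVolume | Where-Object {
        $_.ProtectionStatus -eq 'On' -and ($_.KeyProtector.KeyProtectorType -match 'Tpm')
    })
    $recovery = $volumes.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    [pscustomobject]@{
        BitLockerVolumesUsingTpm  = @($volumes | ForEach-Object MountPoint)
        RecoveryPasswordProtector = $null -ne $recovery   # exists; escrow elsewhere must still be verified
        Note                      = 'Confirm recovery passwords are escrowed (AD, Entra ID or your vault) before clearing.'
    }
}

$report = Get-TpmReport
$report | Format-List
if (-not $report.Present) {
    Write-Warning 'No TPM reported: check that it is enabled in the UEFI firmware settings.'
} elseif ($report.SpecVersion -ne '2.0') {
    Write-Warning "TPM $($report.SpecVersion) found; TPM 2.0 is required for the standard hardware security tier."
} elseif (-not $report.Ready) {
    Write-Warning 'TPM present but not ready: see the troubleshooting messages (firmware update, clear, or re-provision).'
}

Get-TpmClearImpact | Format-List
# Only once the impact above is understood and recovery passwords are escrowed:
#   Clear-Tpm    (the firmware typically confirms the clear on the next reboot; keys are gone afterwards)
```

Suspend-BitLocker is not sufficient protection here: it clears the TPM-sealed key for one reboot but does not save you if the TPM protector itself is destroyed, which is exactly what a clear does.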

Secure boot

Secure Boot prevents rootkits and bootkits, a particularly dangerous class of malware, from loading when your device starts. Because they start before the operating system and run with its privileges, they can hide themselves completely. They are often part of a larger malware toolkit that can bypass local logins, record passwords and keystrokes, exfiltrate private files and capture cryptographic keys. Secure Boot works by having the UEFI firmware check the digital signature of each boot component (boot manager, OS loader, early drivers) against its trusted certificates and refusing to run anything that fails the check.

You may need to disable Secure Boot to run certain graphics cards, other hardware, or operating systems such as some Linux distributions or older versions of Windows. Check first: most current Linux distributions boot under Secure Boot through a Microsoft-signed shim, so turning it off is rarely necessary.

Hardware security capability

The last section of the device security page displays information indicating the security capability of your device.

  • Your device meets the requirements for standard hardware security: your device supports memory integrity and core isolation and also has
    • TPM 2.0 (also referred to as your security processor)
    • Secure Boot enabled
    • DEP (Data Execution Prevention)
    • UEFI MAT (UEFI Memory Attributes Table)
  • Your device meets the requirements for enhanced hardware security: in addition to meeting all the requirements of standard hardware security, memory integrity is turned on.
  • Your device has all Secured-core PC features enabled: in addition to meeting all the requirements of enhanced hardware security, System Management Mode (SMM) protection is turned on.
  • Standard hardware security not supported: your device fails at least one of the requirements of standard hardware security.
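The Secure boot section and the tier list above can be checked together from PowerShell. The following is an added example, not code from the Microsoft support page: it uses Confirm-SecureBootUEFI and Get-SecureBootUEFI (the dbx variable is the UEFI forbidden-signature database that grows as Microsoft revokes boot components), the Win32_OperatingSystem DEP fields, Win32_Tpm and Win32_DeviceGuard. It cannot check UEFI MAT, and it approximates "SMM protection turned on" with the SMM security mitigations 1.0 capability flag, which is an assumption about how the app itself decides the Secured-core tier.

```powershell
# Added example: Secure Boot state and the hardware security tier. Run elevated;
# Confirm-SecureBootUEFI throws on legacy-BIOS systems and when not elevated.

function Get-SecureBootState {
    try   { $on = Confirm-SecureBootUEFI }   # $true / $false on UEFI systems
    catch { return [pscustomobject]@{ Uefi = $false; SecureBootOn = $false; DbxBytes = $null } }
    $dbxBytes = $null
    try { $dbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length } catch { }   # revocation database size
    [pscustomobject]@{ Uefi = $true; SecureBootOn = [bool]$on; DbxBytes = $dbxBytes }
}

function Get-HardwareSecurityTier {
    $sb  = Get-SecureBootState
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    $tpm20 = [bool]($tpm -and ($tpm.SpecVersion -like '2.0*'))
    # DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
    $dep   = [bool]($os.DataExecutionPrevention_Available -and ($os.DataExecutionPrevention_SupportPolicy -ne 0))
    $hw    = @($dg.AvailableSecurityProperties)
    $vbsCapable  = $hw -contains 1                        # base virtualization support (core isolation)
    $smmCapable  = $hw -contains 6                        # SMM security mitigations 1.0 (approximation)
    $hvciRunning = @($dg.SecurityServicesRunning) -contains 2
    # UEFI Memory Attributes Table (MAT) is also required for the standard tier but has no
    # PowerShell-visible flag; this example does not check it.

    $standard = $tpm20 -and $sb.SecureBootOn -and $dep -and $vbsCapable
    $enhanced = $standard -and $hvciRunning
    if     ($enhanced -and $smmCapable) { $tier = 'Secured-core PC features (approximation)' }
    elseif ($enhanced)                  { $tier = 'Enhanced hardware security' }
    elseif ($standard)                  { $tier = 'Standard hardware security' }
    else                                { $tier = 'Standard hardware security not supported' }

    [pscustomobject]@{
        Tier = $tier; Tpm20 = $tpm20; Uefi = $sb.Uefi; SecureBoot = $sb.SecureBootOn; DbxBytes = $sb.DbxBytes
        DEP = $dep; VbsCapable = $vbsCapable; MemoryIntegrityRunning = $hvciRunning; SmmMitigations = $smmCapable
    }
}

$result = Get-HardwareSecurityTier
$result | Format-List
if (-not $result.SecureBoot -and $result.Uefi) {
    Write-Warning 'UEFI firmware but Secure Boot is off: enable it in firmware setup to reach the standard tier.'
}
```

The individual booleans matter more than the tier label: when a device reports "Standard hardware security not supported", the object shows which single requirement (TPM 2.0, Secure Boot, DEP or virtualisation support) is missing, which is the information needed before changing anything in firmware setup.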

Improving hardware security

If your device's security capability isn't what you'd like, you may need to enable certain hardware features (such as Secure Boot, if supported) or change settings in your system's UEFI firmware (BIOS) setup. Contact the manufacturer to find out what the device supports and how to enable it.

Ref: Device Security in the Windows Security App https://support.microsoft.com/en-gb/windows/device-security-in-the-windows-security-app-afa11526-de57-b1c5-599f-3a4c6a61c5e2
