

Enhanced Kernel Mode protection using Hypervisor Code Integrity



Date: 27.03.2022
Related: 9780735697744 Introducing Windows Server 2016 pdf

The core functionality and protection of Device Guard begins at the hardware level. Devices that have
processors equipped with SLAT technologies and virtualization extensions, such as Intel VT-x and
AMD-V, can take advantage of a Virtualization Based Security (VBS) environment that
dramatically enhances Windows security by isolating critical Windows services from the operating
system itself.

Device Guard uses VBS to isolate its Hypervisor Code Integrity (HVCI) service, which makes it possible
for Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and
zero-day attacks. HVCI uses the processor's functionality to force all software running in kernel mode
to safely allocate memory. This means that after memory has been allocated, its state must be
changed from writable to read-only or run-only. Forcing memory into these states helps to
ensure that attacks cannot inject malicious code into kernel mode processes and drivers
through techniques such as buffer overruns or heap spraying.

To deliver this level of security, Device Guard has the following hardware and software requirements:

- UEFI Secure Boot (optionally with a non-Microsoft UEFI CA removed from the UEFI database)
- Virtualization support turned on by default in the system firmware (BIOS):
  - Virtualization extensions (for example, Intel VT-x and AMD RVI)
  - SLAT (for example, Intel EPT and AMD RVI)
  - IOMMU (for example, Intel VT-d, AMD-Vi)
- UEFI BIOS configured to prevent an unauthorized user from disabling Device Guard–dependent
  hardware security features (for example, Secure Boot)
- Kernel-mode drivers signed and compatible with hypervisor-enforced code integrity

You can deploy HVCI (also known as Virtualization Based Security of Code Integrity) by using Group
Policy. It is recommended to enable HVCI on all servers running Windows Server 2016. For more
details on Group Policy configuration, go to
https://technet.microsoft.com/itpro/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security
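
To confirm that a server meets the requirements above and that the Group Policy setting actually took effect, the following added example (not from the book) reads the Win32_DeviceGuard CIM class in an elevated PowerShell session. The function name Get-HvciReadiness is hypothetical, and the numeric codes in the comments follow Microsoft's documentation for that class.

```powershell
# Added example: audit the local host against the Device Guard / HVCI requirements.
# Get-HvciReadiness is a hypothetical helper name, not a built-in cmdlet.
function Get-HvciReadiness {
    # Win32_DeviceGuard reports what the platform offers and what VBS is doing.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
              -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

    # AvailableSecurityProperties codes:
    # 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection (IOMMU)
    $available = @($dg.AvailableSecurityProperties)

    # Confirm-SecureBootUEFI throws on legacy BIOS systems or when not elevated.
    try   { $secureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBootOn = $null }   # $null = could not be determined

    # SecurityServicesConfigured / SecurityServicesRunning code 2 = HVCI.
    # VirtualizationBasedSecurityStatus: 0 = not enabled,
    # 1 = enabled but not running, 2 = enabled and running.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        HypervisorSupport = $available -contains 1
        SecureBootCapable = $available -contains 2
        SecureBootEnabled = $secureBootOn
        DmaProtection     = $available -contains 3
        VbsStatus         = $dg.VirtualizationBasedSecurityStatus
        HvciConfigured    = @($dg.SecurityServicesConfigured) -contains 2
        HvciRunning       = @($dg.SecurityServicesRunning) -contains 2
    }
}

$report = Get-HvciReadiness
$report | Format-List

# Flag hosts where HVCI is configured but not enforced, or not configured at all.
if ($report.HvciConfigured -and -not $report.HvciRunning) {
    Write-Warning 'HVCI is configured but not running on this host.'
} elseif (-not $report.HvciConfigured) {
    Write-Warning 'HVCI is not configured; check the Group Policy setting.'
}
```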

