MICROSOFT_PRESS_EBOOK_INTRODUCING_WINDOWS_10
kernel-mode drivers are allowed to start. This configuration prevents antimalware software from being tampered with and allows the operating system to identify and block attempts to tamper with the boot process.

■ Measured boot  On devices that include a Trusted Platform Module (TPM), Windows 10 can perform comprehensive chain-of-integrity measurements during the boot process and store those results securely in the TPM. On subsequent startups, the system measures the operating-system kernel components and all boot drivers, including third-party drivers. This information can be evaluated by a remote service to confirm that those key components have not been improperly modified and to further validate a computer's integrity before granting it access to resources, a process called remote attestation.
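The following PowerShell script is an added example, not part of this book, that reports the local boot-integrity state the two bullets above depend on: whether UEFI Secure Boot is on, whether a TPM is present and ready, whether Measured Boot logs are being written, and how many Plug and Play drivers report an unsigned status. It relies only on the built-in SecureBoot, TrustedPlatformModule and CIM cmdlets and must be run from an elevated prompt. The %SystemRoot%\Logs\MeasuredBoot path and the decision to treat an exception from Confirm-SecureBootUEFI as "state unavailable" are assumptions noted in the comments.

```powershell
# Added example, not from the book: report the boot-integrity state that
# Secure Boot and Measured Boot depend on. Run from an elevated PowerShell
# prompt on Windows 10 (the SecureBoot and TrustedPlatformModule modules are built in).
function Get-BootIntegrityReport {
    $report = [ordered]@{}

    # Confirm-SecureBootUEFI throws on legacy BIOS machines or when the firmware
    # variable is inaccessible; this example treats that as "state unavailable" (assumption).
    try {
        $report.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
        $report.SecureBootNote    = ''
    } catch {
        $report.SecureBootEnabled = $false
        $report.SecureBootNote    = "Secure Boot state unavailable: $($_.Exception.Message)"
    }

    # TPM presence and readiness; Measured Boot needs a ready TPM to store measurements.
    $tpm = Get-Tpm
    $report.TpmPresent = $tpm.TpmPresent
    $report.TpmReady   = $tpm.TpmReady

    # Measured Boot writes a TCG event log for each boot under
    # %SystemRoot%\Logs\MeasuredBoot (assumed location for this example).
    # A remote attestation service evaluates these measurements against the TPM's PCR values.
    $logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    $logs   = @(Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue)
    $report.MeasuredBootLogCount  = $logs.Count
    $report.LatestMeasuredBootLog = if ($logs.Count -gt 0) {
        ($logs | Sort-Object LastWriteTime | Select-Object -Last 1).FullName
    } else { $null }

    # Only signed kernel-mode drivers may start; list any PnP driver that reports otherwise.
    $drivers  = @(Get-CimInstance -ClassName Win32_PnPSignedDriver)
    $unsigned = @($drivers | Where-Object { $_.IsSigned -eq $false })
    $report.PnPDriverCount      = $drivers.Count
    $report.UnsignedDriverCount = $unsigned.Count
    $report.UnsignedDriverNames = ($unsigned.DeviceName -join '; ')

    [pscustomobject]$report
}

Get-BootIntegrityReport | Format-List
```

The script reports local state only. Remote attestation in the sense the chapter describes is performed by a service that reads the TPM's PCR values and the same measured-boot log over the network and decides whether to grant access; that service side is not part of this example.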
To block malicious software after the boot process is complete, Windows 10 includes two signature features that will be new to any organization that is migrating directly from Windows 7:

■ Windows Defender  Previous Windows versions included a limited antispyware feature called Windows Defender. Beginning with Windows 8, the same name describes a full-featured antimalware program that is the successor to Microsoft Security Essentials. Windows Defender is unobtrusive in everyday use, has minimal impact on system resources, and updates both its signatures and the antimalware engine regularly. Windows Defender includes network behavior monitoring as well. If you install a different antimalware solution, Windows Defender disables its real-time protection but remains available.

■ Windows SmartScreen  Windows SmartScreen is a safety feature that uses application reputation-based technologies to help protect Windows users from malicious software. This browser-independent technology checks any new application before installation, blocking potentially high-risk applications that have not yet established a reputation. The Windows SmartScreen app reputation feature works with the SmartScreen feature in the default Windows browser, which also protects users from websites seeking to acquire personal information such as user names, passwords, and billing data.
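An added example, again not from the book, that audits the two post-boot protections described above on a Windows 10 client. Get-MpComputerStatus from the Defender module gives the antimalware and real-time protection state and the signature age; the root\SecurityCenter2 namespace lists any third-party antimalware product that would have caused Windows Defender to stand down its real-time protection; and the SmartScreenEnabled value under the Explorer registry key records the Windows SmartScreen app-reputation setting. The seven-day threshold for "stale" signatures and the interpretation of any SmartScreenEnabled value other than Off as enabled are assumptions; the set of accepted values has changed between Windows 10 builds.

```powershell
# Added example, not from the book: audit Windows Defender and Windows SmartScreen
# state on a Windows 10 client. Run from an elevated PowerShell prompt.
function Get-MalwareProtectionReport {
    # Defender module cmdlet; signature age is reported in days.
    $mp = Get-MpComputerStatus

    # Third-party antimalware registers with Windows Security Center. If one is present,
    # Defender is expected to report real-time protection disabled while staying installed.
    # The SecurityCenter2 namespace exists on client editions only, hence SilentlyContinue.
    $thirdParty = @(Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
                    Where-Object { $_.displayName -notlike 'Windows Defender*' })

    # SmartScreen app-reputation setting for Explorer. Accepted values have varied by build
    # (RequireAdmin/Warn/Off on early Windows 10, Block/Warn/Off later); treating only 'Off'
    # as disabled is an assumption made for this example.
    $ssKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $ss      = Get-ItemProperty -Path $ssKey -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    $ssValue = if ($ss) { $ss.SmartScreenEnabled } else { 'Not set (default applies)' }

    $signatureStaleDays = 7   # assumed threshold for this example

    [pscustomobject]@{
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        AMEngineVersion           = $mp.AMEngineVersion
        AntivirusSignatureVersion = $mp.AntivirusSignatureVersion
        AntivirusSignatureAgeDays = $mp.AntivirusSignatureAge
        SignaturesStale           = ($mp.AntivirusSignatureAge -gt $signatureStaleDays)
        ThirdPartyAntimalware     = ($thirdParty.displayName -join '; ')
        DefenderStoodDown         = ($thirdParty.Count -gt 0) -and (-not $mp.RealTimeProtectionEnabled)
        SmartScreenEnabledValue   = $ssValue
        SmartScreenOff            = ($ssValue -eq 'Off')
    }
}

Get-MalwareProtectionReport | Format-List
```

The DefenderStoodDown field captures the behaviour the Windows Defender bullet describes: a third-party product is registered and Defender's real-time protection is off, which is expected rather than a misconfiguration. A machine with no third-party product and real-time protection disabled is the case worth investigating.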
An all-new feature in Windows 10, Credential Guard, uses virtualization-based security to isolate secrets (including domain passwords) so that only privileged system software can access them. This feature prevents common credential-theft attacks such as Pass-The-Hash and Pass-The-Ticket. Credential Guard must be enabled for each PC in an organization and works only with Windows 10 Enterprise edition.
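Credential Guard state is exposed through the Win32_DeviceGuard CIM class, and the Group Policy setting that turns on virtualization-based security has registry equivalents. The PowerShell below is an added example, not the book's code, that reads that status and, separately, writes those registry values on one PC. The value meanings in the comments (1 for Credential Guard and 2 for hypervisor-enforced code integrity in the SecurityServices arrays; LsaCfgFlags 1 for enabled with UEFI lock) follow Microsoft's documentation for the class and policy, while choosing Secure Boot only, without DMA protection, as the required platform feature is an assumption made for this example. A reboot is required, and the setting takes effect only on Windows 10 Enterprise with UEFI and Secure Boot.

```powershell
# Added example, not from the book: read Credential Guard state and apply the registry
# equivalent of the "Turn On Virtualization Based Security" policy on one PC.
# Requires Windows 10 Enterprise, UEFI with Secure Boot, an elevated prompt and a reboot.
function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesConfigured/SecurityServicesRunning hold 1 for Credential Guard, 2 for HVCI.
    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        VbsStatus                  = $dg.VirtualizationBasedSecurityStatus
        VbsRunning                 = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured  = (@($dg.SecurityServicesConfigured) -contains 1)
        CredentialGuardRunning     = (@($dg.SecurityServicesRunning) -contains 1)
        RequiredSecurityProperties = (@($dg.RequiredSecurityProperties) -join ',')
    }
}

function Enable-CredentialGuardPolicy {
    param(
        # RequirePlatformSecurityFeatures: 1 = Secure Boot only, 3 = Secure Boot and DMA
        # protection. Secure Boot only is assumed here for broad hardware compatibility.
        [ValidateSet(1, 3)] [int]$RequirePlatformSecurityFeatures = 1,
        # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0 = disabled.
        [ValidateSet(1, 2)] [int]$LsaCfgFlags = 1
    )
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }
    Set-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures   -Value $RequirePlatformSecurityFeatures -Type DWord
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags                       -Value $LsaCfgFlags -Type DWord

    Write-Output "Credential Guard policy written on $env:COMPUTERNAME; a restart is required."
}

# Report the current state; on machines that need it, apply the policy and restart.
Get-CredentialGuardStatus | Format-List
# Enable-CredentialGuardPolicy; Restart-Computer
```

Because the chapter notes that Credential Guard must be enabled for each PC, the Get-CredentialGuardStatus function includes the computer name so its output can be collected from many machines with Invoke-Command, and Enable-CredentialGuardPolicy can be pushed the same way (Invoke-Command -ComputerName <list> -ScriptBlock ${function:Enable-CredentialGuardPolicy}); in a domain the equivalent Group Policy object is the usual way to apply it at scale. The UEFI lock chosen by the LsaCfgFlags default means the setting cannot be removed remotely by simply reverting the registry value, which is the point of the lock.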
Windows 10 adds information-protection capabilities that make it possible to protect corporate data even on employee-owned devices. Network administrators can define policies that automatically encrypt sensitive information, including corporate apps, data, email, and the contents of intranet sites. Support for this encryption is built into common Windows controls, such as Open and Save dialog boxes.

For tighter security, administrators can create lists of apps that are allowed to access encrypted data as well as those that are denied access—a network administrator might choose to deny access to a consumer cloud file-storage service, for example, to prevent sensitive files from being shared outside the organization.

CHAPTER 1 An overview of Windows 10 13