You may have heard that Microsoft has made Windows 10 more secure than any of its predecessors, packing it with security goodies. What you might not know is that some of these vaunted security features aren’t available out of the box or they require additional hardware -- you may not be getting the level of security you bargained for.
Features such as Credential Guard are available for only certain editions of Windows 10, while the advanced biometrics promised by Windows Hello require a hefty investment in third-party hardware. Windows 10 may be the most secure Windows operating system to date, but the security-savvy organization -- and individual user -- needs to keep the following hardware and Windows 10 edition requirements in mind in order to unlock the necessary features to achieve optimum security.
Note: Presently, there are four desktop editions of Windows 10 -- Home, Pro, Enterprise, and Education -- along with multiple versions of each, offering varying levels of beta and preview software. InfoWorld’s Woody Leonard breaks down which version of Windows 10 to use. The following Windows 10 security guide focuses on standard Windows 10 installations -- no Insider Previews or Long Term Servicing Branch -- and includes Anniversary Update guidance where relevant.
The right hardware
Windows 10 casts a wide net, with minimum hardware requirements that are undemanding. As long as you have the following, you’re good to upgrade from Win7/8.1 to Win10: 1GHz or faster processor, 2GB of memory (for Anniversary Update), 16GB (for 32-bit OS) or 20GB (64-bit OS) disk space, a DirectX 9 graphic card or later with WDDM 1.0 driver, and an 800-by-600-resolution (7-inch or larger screens) display. That describes pretty much any computer from the past decade.
But don’t expect your baseline machine to be fully secure, as the above minimum requirements won’t support many of the cryptography-based capabilities in Windows 10. Win10’s cryptography features require Trusted Platform Module 2.0, which provides a secure storage area for cryptographic keys and is used to encrypt passwords, authenticate smartcards, secure media playback to prevent piracy, protect VMs, and secure hardware and software updates against tampering, among other functions.
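Modern AMD and Intel processors (Intel Management Engine, Intel Converged Security Engine, AMD Security Processor) already support TPM 2.0, so most machines bought in the past few years have the necessary chip. Intel’s vPro remote management service, for example, uses TPM to authorize remote PC repairs. But it’s worth verifying whether TPM 2.0 exists on any system you upgrade, especially considering that Anniversary Update requires TPM 2.0 support in firmware or as a separate physical chip. A new PC, or a system installing Windows 10 from scratch, must have TPM 2.0 from the get-go, which means having an endorsement key (EK) certificate preprovisioned by the hardware vendor as it is shipped. Alternatively, the device can be configured to retrieve the certificate and store it in the TPM the first time it boots up.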
Older systems that don’t support TPM 2.0 -- either because they don’t have the chip installed or are old enough that they have only TPM 1.2 -- will need to get a TPM 2.0-enabled chip installed. Otherwise, they will not be able to upgrade to Anniversary Update at all.
While some of the security features work with TPM 1.2, it’s better to get TPM 2.0 whenever possible. TPM 1.2 allows only for RSA and the SHA-1 hashing algorithm, and considering that the SHA-1 to SHA-2 migration is well under way, sticking with TPM 1.2 is problematic. TPM 2.0 is much more flexible, as it supports SHA-256 and elliptic curve cryptography.
Unified Extensible Firmware Interface (UEFI) BIOS is the next piece of must-have hardware for achieving the most secure Windows 10 experience. The device needs to be shipped with UEFI BIOS enabled to allow Secure Boot, which ensures that only operating system software, kernels, and kernel modules signed with a known key can be executed during boot time. Secure Boot blocks rootkits and BIOS-malware from executing malicious code. Secure Boot requires firmware that supports UEFI v2.3.1 Errata B and has the Microsoft Windows Certification Authority in the UEFI signature database. While a boon from a security perspective, Microsoft designating Secure Boot mandatory for Windows 10 has run into controversy, as it makes it harder to run unsigned Linux distributions (such as Linux Mint) on Windows 10-capable hardware.
Anniversary Update will not install unless your device is UEFI 2.31-compliant or later.
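One way to verify the TPM and Secure Boot prerequisites described above before upgrading a machine, as an added example that is not part of the original article. It assumes an elevated PowerShell session on the PC being assessed; the function names `Get-TpmReadiness` and `Get-SecureBootState` are illustrative.

```powershell
#requires -RunAsAdministrator
# Added example: report whether this PC has the TPM 2.0 and UEFI Secure Boot
# prerequisites discussed above. Function names are illustrative.

function Get-TpmReadiness {
    # Win32_Tpm lives in its own WMI namespace; no instance means no usable TPM.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; Family = $null; Enabled = $false }
    }
    # SpecVersion looks like "2.0, 0, 1.16"; the first field is the TPM family.
    $family = ($tpm.SpecVersion -split ',')[0].Trim() -as [version]
    [pscustomobject]@{
        Present = $true
        Family  = $family
        Enabled = [bool]$tpm.IsEnabled_InitialValue
    }
}

function Get-SecureBootState {
    try {
        if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' }
    } catch [System.PlatformNotSupportedException] {
        'Unsupported'   # legacy BIOS boot, or firmware without Secure Boot
    } catch {
        'Unknown'       # the Secure Boot variable could not be read
    }
}

$tpm      = Get-TpmReadiness
$boot     = Get-SecureBootState
$findings = @()
if (-not $tpm.Present) {
    $findings += 'No TPM exposed to Windows (absent or disabled in firmware)'
} elseif ($tpm.Family -lt [version]'2.0') {
    $findings += "TPM family $($tpm.Family): RSA and SHA-1 only, plan a TPM 2.0 upgrade"
} elseif (-not $tpm.Enabled) {
    $findings += 'TPM 2.0 present but not enabled'
}
if ($boot -ne 'On') { $findings += "Secure Boot state: $boot" }

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    TpmFamily  = $tpm.Family
    SecureBoot = $boot
    Ready      = ($findings.Count -eq 0)
    Findings   = $findings -join '; '
}
```

A `Ready` value of `False` with a `Findings` entry tells you which of the two hardware requirements to fix before attempting the upgrade.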