Computer security takes two forms. Software security provides barriers and other cyber-tools that protect programs, files, and the information flow to and from a computer. Hardware security protects the machine and peripheral hardware from theft and from electronic intrusion and damage.
Hardware controls are computer controls built into physical equipment by the manufacturer.
Originally designed as a security measure, Secure Boot is a feature of many newer EFI or UEFI machines (most common with Windows 8 PCs and laptops), which locks down the computer and prevents it from booting into anything but Windows 8. It is often necessary to disable Secure Boot to take full advantage of your PC.
Total Productive Maintenance (TPM) started as a method of physical asset management focused on maintaining and improving manufacturing machinery, in order to reduce the operating cost to an organization.
To enable this security feature on your device running Windows 10 version 1803, do the following:
- Open Windows Defender Security Center.
- Click on Device security.
- Under "Core isolation," click the Core isolation details link.
- Turn on the Memory integrity toggle switch.
Mosey on over to the Security section of your system settings, tap the line labeled "Google Play Protect," and then make sure "Scan device for security threats" is checked. (Depending on your device, you may first have to tap a gear icon in the upper-right corner of the screen in order to see that option.)
Turning this feature on is recommended for better protection of your system. However, it may cause compatibility issues or errors on some systems; if that happens, turn it off.
Turn on Windows Defender
- Select the Start menu.
- In the search bar, type group policy.
- Select Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus.
- Scroll to the bottom of the list and select Turn off Windows Defender Antivirus.
- Select Disabled or Not configured.
- Select Apply > OK.
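As an added check that is not part of the original steps, the following PowerShell reads the registry value that the "Turn off Windows Defender Antivirus" policy writes and the state Defender itself reports, so you can confirm the policy took effect:

```powershell
# Added example: verify the effect of the group policy steps above.
# The "Turn off Windows Defender Antivirus" policy writes DisableAntiSpyware
# under the policies key: 1 = Enabled (AV off), 0 = Disabled, absent = Not configured.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$value = (Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware

if ($null -eq $value) {
    $policyState = 'Not configured'
} elseif ($value -eq 0) {
    $policyState = 'Disabled (antivirus allowed to run)'
} elseif ($value -eq 1) {
    $policyState = 'Enabled (antivirus turned off by policy)'
} else {
    $policyState = "Unexpected value $value"
}
"Policy 'Turn off Windows Defender Antivirus': $policyState"

# What Defender itself reports (requires the built-in Defender PowerShell module).
$mp = Get-MpComputerStatus
"Antivirus enabled    : $($mp.AntivirusEnabled)"
"Real-time protection : $($mp.RealTimeProtectionEnabled)"
"Running mode         : $($mp.AMRunningMode)"

# Flag the two cases an administrator cares about: policy still set to off,
# or Defender reporting itself inactive for another reason (e.g. third-party AV).
if ($value -eq 1 -or -not $mp.AntivirusEnabled) {
    Write-Warning 'Windows Defender Antivirus is not active; check the policy setting and any other registered antivirus product.'
}
```

On current Windows 10 and 11 builds with Tamper Protection on, Defender ignores DisableAntiSpyware, so the state reported by Get-MpComputerStatus is the authoritative one.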
Enabling the Intel Software Guard Extensions (SGX)
- From the System Utilities screen, select System Configuration > BIOS/Platform Configuration (RBSU) > System Options > Processor Options > Intel Software Guard Extensions (SGX) and press Enter.
- Select a setting (Enabled or Disabled) and press Enter.
- Press F10.
Microsoft currently uses Arm-based chips from Qualcomm in some of its Surface PCs. It ported Windows to work on these types of chips, which have typically been used in smartphones. Apple also uses Arm technology in its processors. Other Surface models use Intel chips.
The secure chip isolates critical data like encryption keys and payment information. Even if your device is compromised, malware couldn't access this information. The secure area also throttles access to your device.
Software enabling is a one-way operation: Intel SGX cannot be disabled via software. The only way to disable Intel SGX once it has been enabled is through the BIOS: explicitly set Intel SGX to Disabled if the BIOS provides this option.
Microsoft Pluton is a security processor that is built directly into future CPUs and will replace the existing Trusted Platform Module (TPM), a chip that's currently used to secure hardware and cryptographic keys.
What devices support Intel® SGX? Most Desktop, Mobile (6th generation Core and up) and low-end Server processors (Xeon E3 v5 and up) released since Fall 2015 support SGX. BIOS support is also required. Major vendors such as Lenovo, HP, SuperMicro, and Intel support SGX in the BIOS of some systems.
Intel® Software Guard Extensions (Intel® SGX) is a set of instructions that increases the security of application code and data, giving them more protection from disclosure or modification.
Intel Software Guard Extensions (SGX) is a set of security-related instruction codes that are built into some modern Intel central processing units (CPUs). The enclave is decrypted on the fly only within the CPU itself, and even then, only for code and data running from within the enclave itself.
Memory Integrity (also called Hypervisor-protected Code Integrity or HVCI) uses Microsoft's Hyper-V hypervisor to virtualise the hardware running some Windows kernel-mode processes, protecting them against the injection of malicious code. On fresh installations of Windows it is turned on by default.
Turning on the Memory integrity setting blocks incompatible drivers from loading. Because blocking these drivers might cause unwanted or unexpected behaviour, the Memory integrity setting is turned off to allow them to load.
Turn On or Off Memory integrity in Windows Security
- Open Windows Security, and click/tap on the Device security icon.
- Click/tap on the Core isolation details link.
- Turn Memory integrity On or Off (the default) as you want.
- Click/tap on Yes when prompted by UAC.
- Restart the computer to apply.
How to turn off HVCI
- Restart the device.
- To confirm HVCI has been successfully disabled, open System Information and check Virtualization-based security Services Running, which should now have no value displayed.
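As an added check that is not from the original page, the same information that System Information shows under "Virtualization-based security" can be read from the Win32_DeviceGuard WMI class in PowerShell; the code-to-label mappings below follow Microsoft's documented values for that class, and the registry key is the one the Memory integrity toggle writes:

```powershell
# Added example: report VBS / HVCI state the way msinfo32 does, via Win32_DeviceGuard.
# Run in an elevated PowerShell prompt.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Documented codes for VirtualizationBasedSecurityStatus
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
# Documented codes for SecurityServicesConfigured / SecurityServicesRunning
$services = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor enforced Code Integrity (HVCI)';
               3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }

# Cast to [int]: the class returns UInt32 values, which do not match Int32 hashtable keys.
$configured = ($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] }) -join ', '
$running    = ($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] }) -join ', '

"VBS status           : $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
"Services configured  : $configured"
"Services running     : $running"

# The Memory integrity toggle writes this value; 1 = on, 0 = off, absent = never set.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$enabled = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
"HVCI registry value  : $(if ($null -eq $enabled) { 'not set' } else { $enabled })"

# After turning HVCI off and rebooting, service code 2 must no longer be listed as running.
if ($dg.SecurityServicesRunning -contains 2) {
    'HVCI is still running (reboot pending or setting not applied)'
} else {
    'HVCI is not running'
}
```

An empty "Services running" line here corresponds to the blank value that System Information shows once HVCI is disabled.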
Memory integrity is a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. It uses hardware virtualization and Hyper-V to protect Windows kernel mode processes from the injection and execution of malicious or unverified code.
(memory management) A system that prevents one process from corrupting the memory (or other resources) of any other, including the operating system.