CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
18.8.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' (Scored)
ProfileApplicability:
Level 1 (L1) + Next Generation Windows Security (NG)
Level 1 (L1) + BitLocker (BL) + Next Generation Windows Security (NG)
Level 2 (L2) + Next Generation Windows Security (NG)
Level 2 (L2) + BitLocker (BL) + Next Generation Windows Security (NG)
Next Generation Windows Security (NG) - optional add-on for use in the newest hardware and configuration environments
Description:
This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services.
The recommended state for this setting is: Secure Boot and DMA Protection.
Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM.
More information on system requirements for this feature can be found at this link:
Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs
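The following PowerShell audit script is an added example and is not part of the CIS benchmark text. It reads the local policy value that this Group Policy setting writes (the DeviceGuard policy key, where RequirePlatformSecurityFeatures = 1 means Secure Boot only and 3 means Secure Boot and DMA Protection) and compares it with the live state reported by the Win32_DeviceGuard WMI class, so an auditor can tell the difference between a policy that is configured and a platform that is actually enforcing it. The registry path and value names are the standard DeviceGuard policy locations and are assumed here rather than taken from this page.

```powershell
# Added example (not from the CIS benchmark): audit the VBS platform security
# level against the recommended state and show the live enforcement status.
# Assumption: policy is stored under the standard DeviceGuard policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

# RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA Protection
$ExpectedPlatformLevel = 3

function Test-VbsPlatformSecurityLevel {
    # Returns an object describing the configured policy and whether it matches
    # the recommended state (VBS enabled AND level 3).
    $result = [ordered]@{
        PolicyPresent = $false
        VbsEnabled    = $null
        PlatformLevel = $null
        Compliant     = $false
    }

    if (Test-Path -Path $PolicyKey) {
        $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        $result.PolicyPresent = $true
        $result.VbsEnabled    = $props.EnableVirtualizationBasedSecurity
        $result.PlatformLevel = $props.RequirePlatformSecurityFeatures
    }

    $result.Compliant = ($result.VbsEnabled -eq 1) -and
                        ($result.PlatformLevel -eq $ExpectedPlatformLevel)
    return [pscustomobject]$result
}

function Get-VbsRuntimeState {
    # Live state from the Device Guard WMI provider.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not
    # running, 2 = running. Security property codes: 1 = hypervisor,
    # 2 = Secure Boot, 3 = DMA protection (higher codes cover further features).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    return [pscustomobject]@{
        VbsStatus             = $dg.VirtualizationBasedSecurityStatus
        RequiredProperties    = $dg.RequiredSecurityProperties
        AvailableProperties   = $dg.AvailableSecurityProperties
        SecureBootRequired    = ($dg.RequiredSecurityProperties -contains 2)
        DmaProtectionRequired = ($dg.RequiredSecurityProperties -contains 3)
        DmaProtectionAvail    = ($dg.AvailableSecurityProperties -contains 3)
    }
}

$policy = Test-VbsPlatformSecurityLevel
$policy | Format-List
if (-not $policy.Compliant) {
    Write-Warning ("Policy does not require 'Secure Boot and DMA Protection' " +
                   "(expected RequirePlatformSecurityFeatures = $ExpectedPlatformLevel).")
}

$runtime = Get-VbsRuntimeState
$runtime | Format-List
if ($policy.Compliant -and -not $runtime.DmaProtectionAvail) {
    # Policy can demand DMA protection that the firmware/IOMMU cannot deliver;
    # this is the gap the Note above about hardware prerequisites warns about.
    Write-Warning 'DMA protection is required by policy but not available on this platform.'
}
```

Run the script in an elevated PowerShell session on the target host. A compliant result from the policy check together with a VbsStatus of 2 and DMA protection listed in both the required and available properties indicates the recommended state is configured and enforced; a compliant policy with DMA protection absent from the available properties points at a firmware or IOMMU prerequisite rather than a Group Policy problem.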
Rationale:
Secure Boot can help reduce the risk of bootloader attacks, and in conjunction with DMA protections it can help protect data from being scraped from memory.
622 | Page