Preparing for security in Windows 8

Presentation transcript:

Preparing for security in Windows 8 (SYS-009T)
Nishanth Lingamneni, Program Manager, Microsoft Corporation

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Securing our mutual customers

- Protect and manage threats: malware can compromise core operating system components, which adversely impacts business and personal data.
- Protect sensitive data: IT needs to protect data in an environment with a porous network perimeter, requiring data protection by location, device and access method.
- Protect access to resources: IT needs to address a broad segment of mobile workers who travel, work from home, work from their phones, and use hotspots around the globe.

Windows 8 security investments: what did our focus groups say?

- Protect and manage threats (malware resistance): "This is the end of boot sector viruses as we know them"
- Protect sensitive data (pervasive encryption): "Encryption is typically an afterthought, [but] this makes [encryption] part of the build process"
- Protect access to resources (modern access control): "[This] makes it easier for users to get what they want to get to but without giving up safety"

Security & hardware

Why UEFI?

Key security benefits (a Windows Certification requirement):
- Secure boot
- eDrive support for BitLocker
- Network unlock support for BitLocker
- WDS multicast

Other benefits:
- SOC support (including ARM and Intel)
- UX value proposition from day one: fast boot, OEM Certification, no back flash, etc.
- Support for system disks larger than 2.2 TB
- Seamless boot (UEFI Graphics)
- Boot Next support (UEFI Variable Services)

Trusted Platform Module

Value proposition:
- Enables commercial-grade security via physical and virtual key isolation from the OS
- TPM 1.2 spec: mature standard, years of deployment and hardening
- Improvements in TPM provisioning lower deployment barriers

TCG standard evolution: TPM 2.0*
- Algorithm extensibility allows for implementation and deployment in additional countries
- Security scenarios are compatible with TPM 1.2 or 2.0

Windows 8: TPM 2.0 support enables implementation choice
- Discrete TPM
- Firmware-based (Intel Security Engine, ARM TrustZone®)
- Windows Certification requirement for Connected Standby** platforms only

* Microsoft refers to the TCG TPM.Next as "TPM 2.0"; for the remainder of the presentation, "TPM" refers to either a discrete TPM or a firmware-based secure execution environment.
** Connected Standby: new terminology that replaces what Microsoft called "Connected Standby capable".

TPM 2.0 details

Windows goals:
- Windows TPM features and new APIs work uniformly with TPM 1.2 or TPM 2.0
- Enable smooth ecosystem migration from TPM 1.2 to TPM 2.0

Value proposition in Windows 8:
- Improvements in TPM provisioning lower deployment barriers
- Simplified design for software applications requiring a TPM
- Security scenarios are compatible with TPM 1.2 or 2.0
- Allows OEMs to preserve existing TPM investments, migrating to TPM 2.0 at their own pace with Windows 8

Hardware requirements and feature usage

Table columns: #, Feature, TPM*, UEFI (only the mark on row 1 survived; the remaining TPM/UEFI marks are missing).

1. BitLocker: Volume Encryption (X)
2. BitLocker: Volume Network Unlock
3. Secured Boot: Secure Boot
4. Secured Boot: ELAM
5. Measured Boot
6. Virtual Smart Cards (TPM)
7. Certificate storage (TPM based)
8. Automatic TPM provisioning

Pervasive encryption

Broad device support

Protects data from exposure or theft when a device is lost, stolen, or inappropriately decommissioned.

Challenges:
- Windows volume encryption can be difficult to manage
- Volume encryption imposes additional expenses for end users and partners

Windows 8 solution:
- Broad support for devices and hardware: slates, clustered servers; leverages eDrive functionality
- Support for online recovery in non-domain-joined scenarios
- Frictionless user experience: improved performance, standard user support, seamless integration
- Reduces time to provision in mass deployment scenarios: encrypt data-only option, simplified TPM provisioning

A competitive encryption experience requires...

Strongly recommend a TPM for all systems:
- Windows 8 supports TPM 1.2 or TPM 2.0*
- TCG Physical Presence Interface 1.2
- A TPM is required for Connected Standby platforms: Intel Security Engine (based on the hardware security engine embedded in Intel SOCs); Connected Standby capable systems are likely to use TPM 2.0
- ARM systems will implement TPM 2.0 features using TrustZone™
- TPM 2.0 features for other platform classes to emerge

Ship with eDrive-enabled storage.

Windows 8 System Certification requirements: UEFI 2.3.1, Class II (no CSM) / Class III

eDrives

Value proposition: minimize the encryption impact to system performance and deployment time without introducing infrastructure changes.

Challenges:
- Software encryption imposes performance overhead during initial encryption, at run time, and in common scenarios like startup, sleep, and hibernate
- Exacerbated if software encryption is run on slate or low-power PCs
- Self-encrypting drives require a key management solution

Windows 8 solution: eDrives
- Offloads encryption processing to hardware, mitigating the impact to system performance
- Windows manages eDrives; no need to deploy another key management solution for eDrives

Value proposition:
- Initial encryption time eliminated; run-time performance significantly improved
- eDrive-enabled systems have improved CPU utilization and battery life
- Systems without eDrives will use software-based encryption

Hardware requirements: eDrives

- eDrive strongly recommended for performance
- When present, must support the IEEE 1667 TCG silo and TCG OPAL / OPAL v2 + fixed ACL + additional data store
- The preceding are Windows 8 System Certification requirements
- UEFI 2.3.1, Class II (no CSM) / Class III
- eDrive provisioned for Windows-based volume encryption
- eDrives on tablets: eDrive-capable eMMC and mSATA parts to be available by 2012-2013; working with the top five IHVs
- Looking to enforce the certification requirement after Windows 8 GA, per ecosystem status

Network Unlock

Enable IT to deploy stronger encryption protection without disrupting the software patching process.

Challenges:
- TPM + PIN is often not practical for desktops and servers protected by encryption
- When IT deploys a patch that requires a Windows restart, desktops and servers end up waiting for the PIN at boot

Windows 8 solution:
- Network Unlock and TPM + PIN are deployed to desktops and servers
- Windows 8 machines connect to a Windows 8 WDS server, which authenticates the protector
- PCs wired to the corporate network successfully restart without waiting for the PIN at boot
- When a PC is disconnected from, or not wired to, the corporate network, the PIN is required at boot

Hardware requirements: network unlock

- TPM
- Windows 8 System Certification requirements: UEFI 2.3.1 (supports DHCPv4, DHCPv6)

Malware resistance

Goal: anti-malware more effective in Windows 8

- Platform integrity investments make Windows 8 the trusted platform for consumers, businesses, financial institutions, and data centers
- New tools, APIs, and capabilities for anti-malware products
- Sophisticated malware, e.g., rootkits, can be reliably detected and removed
- Radically reduce the number of systems compromised by malware

"[Anti-fraud security tips] do not address or provide protection against the main method used by cyber criminals to collect account credentials – malware." Turiss, Cyber Crime Trend Report, August 2010

Malware resistance

Prevent malicious tampering and changes to the hardware, the operating system, and the anti-malware software.

Challenges:
- Growing class of pervasive malware that targets the boot path
- Should Windows be compromised by this type of attack, often the only plausible method to fix the problem is to reinstall the operating system

Windows 8 solution:
- Secured Boot and remediation harden the boot process against malware from the moment of power-on through the initialization of anti-malware software
- Measured Boot performs a comprehensive chain of measurements during the boot process that can be used to further validate the boot process beyond Secure Boot
- Early Launch Anti-Malware (ELAM) can start from a known good state, as determined by Secure Boot, and continue vigilant watch over the user's PC from that point on

Malware resistance: Secured and Measured Boot

Secured Boot
- End-to-end boot process protection: Windows operating system loader; Windows system files and drivers; anti-malware software
- Prevents: a compromised operating system from starting; software from starting before Windows; third-party software from starting before anti-malware
- Automatic remediation/self-healing, if compromised

Measured Boot
- Creates a comprehensive set of measurements of boot execution
- Can offer measurements to a remote service for analysis

Secured Boot: legacy vs. modern

Legacy boot: BIOS -> any OS loader -> OS start
- The BIOS starts any OS loader, even malware
- Malware may start before Windows

Modern boot: native UEFI -> verified OS loader only -> OS start
- The firmware enforces policy and only starts signed OS loaders
- The OS loader enforces signature verification of Windows components
- Result: malware is unable to change boot and OS components
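The two policy layers on this slide (firmware deciding which OS loader starts, then the loader deciding which Windows components it loads) can be modelled in a few lines. The following is an added example written for this page, not Microsoft's or any firmware's code. It assumes a simplified Secure Boot policy in which the allowed list (db) and forbidden list (dbx) hold SHA-256 image hashes only (real UEFI firmware also accepts X.509 certificates, which would need signature verification); all image bytes are constructed stand-ins.

```python
"""Simplified model of the UEFI Secure Boot image policy (added example,
not Microsoft's or any firmware's code).

Real firmware keeps an allowed list (db) and a forbidden list (dbx) in
authenticated UEFI variables; entries may be X.509 certificates or SHA-256
hashes of image contents. Only the hash form is modelled here, so no
signature library is needed. All image bytes below are constructed."""
import hashlib


def image_hash(image: bytes) -> str:
    """SHA-256 of the image contents, the form a hash-based db/dbx entry takes."""
    return hashlib.sha256(image).hexdigest()


class SecureBootPolicy:
    """Firmware-side policy: decide which OS loader images may start."""

    def __init__(self, enabled: bool = True):
        self.enabled = enabled  # False models a legacy BIOS with no policy
        self.db = set()         # trusted image hashes
        self.dbx = set()        # revoked image hashes; checked before db

    def enroll(self, image: bytes) -> None:
        self.db.add(image_hash(image))

    def revoke(self, image: bytes) -> None:
        self.dbx.add(image_hash(image))

    def may_start(self, image: bytes) -> tuple[bool, str]:
        if not self.enabled:
            return True, "legacy boot: firmware starts any OS loader"
        h = image_hash(image)
        if h in self.dbx:
            return False, "refused: image is revoked (dbx)"
        if h in self.db:
            return True, "started: image is trusted (db)"
        return False, "refused: image is not trusted (not in db)"


def boot_chain(policy: SecureBootPolicy, loader: bytes,
               components: list[tuple[str, bytes]], loader_trusts: set[str]) -> list[str]:
    """Run both policy layers: the firmware checks the loader, then the trusted
    loader checks each Windows component it loads. Returns the names of the
    stages that started; the chain stops at the first refusal."""
    started = []
    ok, _ = policy.may_start(loader)
    if not ok:
        return started
    started.append("OS loader")
    for name, image in components:
        # the loader's own allow-list, modelled as SHA-256 hashes as well
        if image_hash(image) not in loader_trusts:
            break
        started.append(name)
    return started


# Constructed sample images (not real binaries).
WINDOWS_LOADER = b"constructed: Windows Boot Manager image"
BOOTKIT_LOADER = b"constructed: unsigned loader that patches the kernel"
KERNEL = b"constructed: ntoskrnl image"
ELAM_DRIVER = b"constructed: early launch anti-malware driver"


def demo() -> dict:
    """Compare legacy BIOS and native UEFI behaviour on the same images."""
    legacy = SecureBootPolicy(enabled=False)
    uefi = SecureBootPolicy(enabled=True)
    uefi.enroll(WINDOWS_LOADER)
    loader_trusts = {image_hash(KERNEL), image_hash(ELAM_DRIVER)}
    components = [("Windows kernel", KERNEL), ("ELAM driver", ELAM_DRIVER)]
    patched = [("Windows kernel", KERNEL + b"\x90"), ("ELAM driver", ELAM_DRIVER)]
    return {
        "legacy starts bootkit": legacy.may_start(BOOTKIT_LOADER)[0],
        "uefi starts bootkit": uefi.may_start(BOOTKIT_LOADER)[0],
        "uefi starts windows": uefi.may_start(WINDOWS_LOADER)[0],
        "full chain": boot_chain(uefi, WINDOWS_LOADER, components, loader_trusts),
        "chain with patched kernel": boot_chain(uefi, WINDOWS_LOADER, patched, loader_trusts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The legacy policy starts the constructed bootkit loader, the UEFI policy refuses it, and a single changed byte in the kernel image stops the chain after the loader; `revoke` models a dbx entry, which wins over db even for a previously trusted image.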

Secured Boot: Early Launch Anti-Malware

Windows 7: BIOS -> OS loader (malware) -> 3rd-party drivers (malware) -> anti-malware software start -> Windows logon
- Malware is able to start before Windows and anti-malware
- Malware is able to hide and remain undetected
- Systems can be completely compromised

Windows 8: native UEFI -> OS loader -> anti-malware software start -> 3rd-party drivers -> Windows logon
- Secured Boot starts anti-malware early in the boot process
- The Early Launch Anti-Malware (ELAM) driver is specially signed by Microsoft
- Windows starts the ELAM software before any third-party boot drivers
- Malware can no longer bypass anti-malware inspection

Effects of Early Launch Anti-Malware

Windows 8: native UEFI -> OS loader -> anti-malware software start -> 3rd-party drivers -> runtime anti-malware software -> Windows logon
- We have moved the attack surface
- Malware will move to attack the early boot components
- This is where Measured Boot comes in...

Measured Boot with attestation

- Windows measures all components up to the anti-malware (AM) software start into the Trusted Platform Module (TPM)
- AM software can invalidate attestation if it stops enforcing policy
- Enables an attestation service to remotely evaluate client state using TPM measurements

Windows 7: BIOS -> OS loader -> kernel initialization -> 3rd-party drivers -> anti-malware software start -> anti-malware policy enforcement
Windows 8: UEFI -> OS loader -> kernel initialization -> anti-malware software start -> 3rd-party drivers -> attestation

Malware resistance: architecture

Client boot sequence: UEFI boot (boot policy) -> TPM -> Windows OS loader (AM policy) -> Windows kernel and drivers -> AM software -> 3rd-party software -> Windows logon. The client presents a client health claim to the attestation service.

1. Secure Boot prevents a malicious OS loader
2. Anti-malware software is started before all 3rd-party software
3. Measurements of components, including the anti-malware software, are stored in the TPM
4. The client retrieves TPM measurements of client state on demand
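The "comprehensive chain of measurements" of the Measured Boot slides and the attestation service of this architecture slide come down to one TPM primitive: a PCR can only be extended (new = SHA-256(old || measurement)), so the final value commits to every component and to the order in which they ran. The block below is an added example for this page, not Microsoft's or the TPM's code. It assumes a single SHA-256 PCR, a constructed set of boot components, and an attestation check that replays the event log and compares it with a golden PCR; the TPM's signed quote, which in a real deployment stops a client from forging the log, is left out.

```python
"""Model of Measured Boot and remote attestation (added example, not
Microsoft's or the TPM's code). One SHA-256 PCR; constructed components."""
import hashlib

PCR_SIZE = 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: the register can never be set, only folded forward,
    so the final value depends on every measurement and on their order."""
    return sha256(pcr + digest)


class MeasuredBootLog:
    """What the client holds: the PCR value and the event log that explains it."""

    def __init__(self):
        self.pcr = bytes(PCR_SIZE)  # PCRs reset to zero at power-on
        self.events = []            # (component name, SHA-256 of its image)

    def measure(self, name: str, image: bytes) -> None:
        digest = sha256(image)
        self.events.append((name, digest))
        self.pcr = extend(self.pcr, digest)


def boot(components: list[tuple[str, bytes]]) -> MeasuredBootLog:
    """Measure each component before it runs, in the given order."""
    log = MeasuredBootLog()
    for name, image in components:
        log.measure(name, image)
    return log


def golden_components() -> list[tuple[str, bytes]]:
    """Constructed stand-ins for the boot binaries, in the Windows 8 order
    from the slides: ELAM runs before any 3rd-party driver."""
    return [
        ("UEFI firmware", b"constructed: platform firmware"),
        ("Windows OS loader", b"constructed: winload image"),
        ("Windows kernel", b"constructed: ntoskrnl image"),
        ("ELAM driver", b"constructed: Microsoft-signed early launch AM driver"),
        ("3rd-party driver", b"constructed: vendor boot driver"),
    ]


def known_good(components: list[tuple[str, bytes]]) -> dict[str, bytes]:
    """The attestation service's reference list of approved measurements."""
    return {name: sha256(image) for name, image in components}


def replay_log(events: list[tuple[str, bytes]]) -> bytes:
    pcr = bytes(PCR_SIZE)
    for _, digest in events:
        pcr = extend(pcr, digest)
    return pcr


def attest(log: MeasuredBootLog, golden_pcr: bytes,
           reference: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Attestation service side: is the log internally consistent, does the
    PCR match the golden boot, and is every measured component approved?"""
    problems = []
    if replay_log(log.events) != log.pcr:
        problems.append("event log does not reproduce the quoted PCR")
    if log.pcr != golden_pcr:
        problems.append("PCR differs from the golden value")
    for name, digest in log.events:
        if reference.get(name) != digest:
            problems.append(f"unexpected measurement for {name}")
    return (not problems, problems)


if __name__ == "__main__":
    good = golden_components()
    golden_pcr = boot(good).pcr
    reference = known_good(good)
    print("healthy client:", attest(boot(good), golden_pcr, reference))
    bootkit = list(good)
    bootkit[1] = ("Windows OS loader", b"constructed: winload with bootkit patch")
    print("patched loader:", attest(boot(bootkit), golden_pcr, reference))
    reordered = [good[0], good[1], good[2], good[4], good[3]]  # driver before ELAM
    print("3rd-party driver before ELAM:", attest(boot(reordered), golden_pcr, reference))
```

Three cases are worth running: a patched loader changes both the PCR and one event digest; the same good images in a different order (a 3rd-party driver started before ELAM) keep every digest approved but still move the PCR, which is why order is part of what the service checks; and a log edited after the fact to hide a component no longer replays to the quoted PCR.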

Modern access control

Modern access control

Users can use their PCs to securely authenticate with websites without having to purchase additional devices.

Challenges:
- Cost of issuing tokens
- Complexity of deploying a public key infrastructure (PKI)
- Usability and user support

Windows 8 solution:
- The Windows Smart Card Framework has been extended to support – this allows crypto-capable devices to present themselves and act just like smart cards
- Windows 8 exposes hardware-based security components, such as a TPM or a virtual-smartcard-capable device, as a smart card

TPM-based authentication

Enterprise
- Need: machine and user identity using hardware-protected certificates, without requiring separate devices
- Key scenarios: user authentication for remote access; document/email signing; strong machine network authentication

Consumer
- Need: banks must "know" their customers, using commercially available determination methods, to meet the FFIEC multi-authentication requirement
- Key scenarios: user certificate bound to the TPM; stronger user authentication without the need for complex passwords or an external second factor

TPM that functions as a smart card (diagram: CorpNet)

Summary

Summary: security investments

Windows 8 security investments: malware resistance, pervasive encryption, modern access control

Call to action

- Invest in technologies
- Source, build, ship: UEFI, TPM, eDrives
- Roadmap discussions with component/firmware vendors, OEMs, and other partners

Further reading and documentation

Event site: http://channel9.msdn.com/Events

Resources:
- Trusted Boot: http://msdn.microsoft.com/en-us/library/windows/hardware/br259097.aspx and http://msdn.microsoft.com/en-us/windows/hardware/br259096
- eDrive device guide: http://msdn.microsoft.com/en-us/library/windows/hardware/br259095.aspx

Thank You! For questions, please visit me in the Speakers Connection area following this session.

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.