Secure Startup Hardware-Enhanced Security Peter Biddle Product Unit Manager Windows Security Microsoft Corporation Stacy Stonich Program Manager Windows.

Presentation transcript:

Secure Startup Hardware-Enhanced Security Peter Biddle Product Unit Manager Windows Security Microsoft Corporation Stacy Stonich Program Manager Windows Security Microsoft Corporation

A large multi-national company who wishes to remain anonymous told us that they lose an average of one corporate laptop per day in the taxicabs of just one US city…

Session Outline
- Problem: Easily Stolen Data
  - Current situation
  - Customer pain
- Solution: Full Volume Encryption (FVE)
  - What it provides
  - The feature in action
- Demo
- Architectural Details
- Value Add
- Recovery Scenarios
- Wrap up
- Q & A

Session Goals
Attendees should leave this session with:
- A better understanding of Secure Startup
- Knowledge of where to find resources for how to build platforms that support this feature
- An understanding of how they can add hardware and software support to the feature

Current Situation
- Password recovery programs are widely available that enable offline attacks which can circumvent Windows XP data security mechanisms
- Offline attacks expose core system keys that allow for the compromise of secured data
- Hundreds of thousands of laptops are lost every year

Customer Pain
- Difficult to protect the data on lost or stolen laptops
- Corporate networks can be attacked via lost or stolen machines
- User data stored on hard disk may be tampered with without a user knowing
- User data from encrypted files may be disclosed to others during runtime
- Compromise of users’ encrypted data can occur
- Machine data cannot truly be erased

Industry Data
- “Dutch public prosecutor … was condemned yesterday for putting his old PC out with the trash. It contained sensitive information about criminal investigations in Amsterdam, and also his address, credit card number, social security number and personal tax files.” – The Register, Oct 8, 2004
- “Hurried travelers have left as many as 62,000 mobiles, 2,900 laptops and 1,300 PDAs in London taxis over the past six months.” – BBC, August 2001
- “An estimated 11,300 laptop computers, 31,400 handheld computers and 200,000 mobile telephones were left in taxis around the world during the last six months … passengers had lost three times more handheld computers in the second half of 2004 than in 2001” – CNN, January 24, 2005

Secure Startup
- Technology providing higher security through use of Trusted Platform Module (TPM)
- Addresses the lost or stolen laptop scenarios with TPM-rooted boot integrity and encryption
- Provides secure system startup, full hard drive encryption, and TPM services
- Attackers are stopped from using software tools to get at data

Secure Startup gives you stronger security on your Windows codenamed “Longhorn” client systems, even when the system is in unauthorized hands or is running a different or exploiting OS. Secure Startup does this by preventing a thief who boots another OS or runs a hacking tool from breaking Longhorn file and system protections.

Secure Startup Benefits Security Timeline

Disk Layout
- Encrypted OS Volume contains:
  - Encrypted OS
  - Encrypted page file
  - Encrypted temp files
  - Encrypted data
  - Encrypted hibernation file
- System Partition contains:
  - Boot utilities (Unencrypted, ~50MB)
  - MBR

Secure Startup Architecture Static Root of Trust Measurement of early boot components

Secure Startup Architecture Static Root of Trust Measurement of BIOS

Demo

Full Volume Encryption Value Add
- Encryption of the hibernation file protects against a user allowing the laptop to hibernate with sensitive docs open and then having the laptop stolen, leaving the docs at the fingertips of thieves
- Full volume encryption enhances the security value of all registry, config files, paging files and hibernation files stored on the fully encrypted volume
- Simply destroying the key allows for the safe disposal of corporate hardware/computer assets without fear of residual sensitive data

Recovery Scenarios
- Broken Hardware Recovery Scenario
  - User swaps the hard drive into a new machine because laptop screen is broken from a drop
- Attack Detected Recovery Scenario
  - Virus makes modifications to the Boot loader
- Recovery password (known by the user or retrieved from a repository by an administrator)
  - Recovery can occur ‘in the field’
  - Windows operation continues as normal
- Automated escrow of the keys and recovery passwords (i.e. to an AD) to allow for centralized storage and management of recovery mechanisms
- Optionally, recovery keys can be written to media – such as a USB device
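The two recovery scenarios above follow directly from the static root of trust measurement named on the architecture slides. The following is an added example, not code from the presentation or from Microsoft: a toy model of one TPM 1.2 PCR with PCR-bound sealing. The class `ToyTPM`, the stage names, the `"volume-key"` label and the key bytes are all constructed for illustration, and a real TPM seals with its own storage keys rather than a Python dictionary.

```python
import hashlib
import hmac

class ToyTPM:
    """Toy model of one TPM 1.2 PCR plus PCR-bound sealed storage (illustrative only)."""

    def __init__(self):
        self.pcr = bytes(20)   # a TPM 1.2 PCR holds one SHA-1 digest
        self._sealed = {}      # name -> (PCR value at seal time, secret)

    def power_on(self):
        self.pcr = bytes(20)   # PCRs return to zero on platform reset

    def extend(self, measurement: bytes):
        # Extend is the only way to change a PCR: new = SHA1(old || measurement)
        self.pcr = hashlib.sha1(self.pcr + measurement).digest()

    def seal(self, name: str, secret: bytes):
        self._sealed[name] = (self.pcr, secret)

    def unseal(self, name: str):
        pcr_at_seal, secret = self._sealed.get(name, (None, None))
        if pcr_at_seal is None or not hmac.compare_digest(pcr_at_seal, self.pcr):
            return None        # unknown blob, or boot measurements differ
        return secret

def measured_boot(tpm, stages):
    """Static root of trust: each stage is hashed into the PCR before it runs."""
    tpm.power_on()
    for code in stages:
        tpm.extend(hashlib.sha1(code).digest())

def startup(tpm, stages):
    """Boot, then try to release the volume key; fall back to recovery."""
    measured_boot(tpm, stages)
    key = tpm.unseal("volume-key")
    return ("unlocked", key) if key is not None else ("recovery", None)

# Constructed sample boot chain and key (placeholders, not real firmware).
GOOD = [b"BIOS v1", b"MBR", b"boot loader"]
TAMPERED = [b"BIOS v1", b"MBR", b"boot loader + injected code"]
VOLUME_KEY = bytes(range(32))

def provision():
    """Seal the volume key against the measurements of the known-good chain."""
    tpm = ToyTPM()
    measured_boot(tpm, GOOD)
    tpm.seal("volume-key", VOLUME_KEY)
    return tpm
```

Calling `startup(provision(), TAMPERED)` models the attack-detected scenario, and `startup(ToyTPM(), GOOD)` models the disk being moved to a different machine; both end in recovery because the key is never released.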

Secure Startup Recovery

Requirements
Hardware requirements to support Secure Startup
- Trusted Platform Module (TPM) v1.2
  - Provides platform integrity measurement and reporting
  - Requires platform support for TPM Interface (TIS)
  - See
- Firmware (Conventional or EFI BIOS) – TCG compliant
  - Establishes chain of trust for pre-OS boot
  - Must support TCG specified Static Root Trust Measurement (SRTM)
  - See

Call to Action
- Firmware
  - Make sure INT 1A Subfunction BBh calls behave correctly as documented by TCG (Trusted Computing Group) - even if no TPM
- Hardware
  - Make sure Secure Startup works with TPM 1.2's
- Disk utilities
  - TPM not required to test Secure Startup for application compatibility.
  - Work with MS to make encrypted volumes work with low level utilities

Community Resources Windows Hardware & Driver Central (WHDC) Technical Communities Non-Microsoft Community Sites Microsoft Public Newsgroups Technical Chats and Webcasts Microsoft Blogs

Additional Resources Web Resources Whitepapers Related Sessions How to Build Hardware Support for Secure Startup Non-Microsoft Community Sites Questions? Send mail to

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.