Nishanth Lingamneni Program Manager Microsoft Corporation SYS-009T.
-
Upload
damaris-gidden -
Category
Documents
-
view
240 -
download
1
Transcript of Nishanth Lingamneni Program Manager Microsoft Corporation SYS-009T.
Nishanth LingamneniProgram ManagerMicrosoft Corporation
SYS-009T
Preparing for security in Windows 8
Protect and manage threats
Protect sensitive
data
Protect access to resources
IT needs to protect data in an environment with a porous network perimeter, requiring data protection by location, device and access method
Securing our mutual customersMalware can compromise core operating system components which adversely impacts business and personal data
IT needs to address a broad segment of mobile workers who travel, work from home, work from their phones, and use hotspots around the globe
Malware Resistance
Pervasive Encryption
Modern Access Control
Windows 8 security investments What did our
focus groups say?"This is the end of boot
sector viruses as we know them"
"Encryption is typically an afterthought, [but]
this makes [encryption] part of the build process"
“[This] makes it easier for users to get what they
want to get to but without giving up safety"
Protect and manage threats
Protect sensitive
data
Protect access to resources
Security & hardware
Why UEFI?• Key security benefits• Secure boot • eDrive support for BitLocker • Network unlock support for BitLocker• WDS multicast
• A Windows Certification requirement• Other benefits• SOC support (including ARM and Intel) • UX value prop from F5 day one:
• Fast boot, OEM Certification, no back flash, etc.• Support for > 2.2 TB system disks • Seamless boot (UEFI Graphics)• Boot Next support (UEFI Variable Services)
Trusted Platform Module• Value proposition
• Enables commercial-grade security via physical and virtual key isolation from OS
• TPM 1.2 spec: mature standard, years of deployment and hardening• Improvements in TPM provisioning lowers deployment barriers
• TCG standard evolution: TPM 2.0*• Algorithm extensibility allows for implementation and deployment in additional
countries• Security scenarios are compatible with TPM 1.2 or 2.0
• Windows 8: TPM 2.0 support enables implementation choice• Discrete TPM• Firmware-based (Intel Security Engine,ARM TrustZone®)
• Windows Certification requirement for Connected Standby** platforms only* Microsoft refers to the TCG TPM.Next as “TPM 2.0”; For remainder of presentation, “TPM” refers to either discrete TPM or firmware-based secure execution environment.** Connected Standby: New terminology that replaces what Microsoft called ‘Connected Standby capable’.
TPM 2.0 details
• Windows goals• Windows TPM features, new APIs work uniformly with
TPM 1.2 or TPM 2.0• Enable smooth ecosystem migration from TPM 1.2 to
TPM 2.0• Value proposition in Windows 8• Improvements in TPM provisioning lowers deployment
barriers• Simplified design for software applications requiring TPM • Security scenarios are compatible with TPM 1.2 or 2.0• Allows OEMs to preserve existing TPM investments in migrating
to TPM 2.0 at their own pace with Windows 8
Hardware requirements and feature usage
# Feature TPM* UEFI
1 BitLocker: Volume Encryption X X
2 BitLocker: Volume Network Unlock X X
3 Secured Boot: Secure Boot X
4 Secured Boot: ELAM X
5 Measured Boot X X
6 Virtual Smart Cards (TPM) X X
7 Certificate storage (TPM Based) X X
8 Automatic TPM provisioning X X
Pervasive encryption
Broad device support
• Challenges• Windows volume encryption can be difficult to manage• Volume encryption imposes additional expenses for end users
and partners• Windows 8 solution
• Broad support for devices and hardware: • Slates, clustered server; leverages eDrives functionality
• Support for online recovery for nondomain-joined scenarios• Frictionless user experience
• Improved performance, standard user support, seamless integration• Reduces time to provision in mass deployment scenarios
• Encrypt data-only option• Simplified TPM provisioning
Protects data from exposure or theft when device is lost, stolen, or inappropriately decommissioned
11
Competitive encryption experience requires…• Strongly recommend TPM for all systems• Windows 8 supports TPM 1.2 or TPM 2.0*
• TCG Physical Presence Interface 1.2• TPM is required for Connected Standby platforms
• Intel Security Engine (Based on HW based security engine embedded in Intel SOCs)• Connected Standby capable systems are likely to use TPM 2.0• ARM systems will implement TPM 2.0 features using TrustZoneTM
• TPM 2.0 features for other platform classes to emerge
• Ship with eDrive-enabled storage• Windows 8 System Certification requirements
• UEFI 2.3.1, Class II no CSM/Class III
eDrives
• Challenges• Software encryption imposes performance overhead
• During initial encryption, run time, and common scenarios like startup, sleep, hibernate• Exacerbated if software encryption is run on slate or low-power PCs
• Self-encrypting drives require a key management solution• Windows 8 solution—eDrives
• Offloads encryption processing to hardware; mitigates impact to system performance
• Windows manages eDrives; no need for another key management solution to deploy eDrives
• Value proposition• Initial encryption time eliminated. Run-time performance significantly
improved• eDrive-enabled systems have improved CPU utilization, battery life
• Systems without eDrives will use software-based encryption
Minimize encryption impact to system performance and deployment time without introducing infrastructure changes
13
Hardware requirements: eDrives
• Hardware requirements• eDrive strongly recommended for performance • When present, must support
• IEEE 1667-TCG silo• TCG-OPAL, OPAL v2 + fixed ACL + additional data store• Preceding are Windows 8 System Certification requirements
• UEFI 2.3.1, Class II no CSM/Class III• eDrive provisioned for Windows-based volume encryption
• eDrives on tablets:• eDrive-capable eMMC and mSATA parts to be available by 2012-2013;
Working with top five IHVs• Looking to enforce certification requirement after Windows 8 GA, per
ecosystem status14
Network Unlock
• Challenges• TPM + PIN is often not practical for desktops and servers
protected by encryption• When IT deploys a patch that requires Windows restart,
desktops and servers end up waiting for PIN at boot• Windows 8 solution
• Network Unlock and TPM + PIN are deployed to desktops and servers
• Windows 8 machines connect to Windows 8 WDS server, which authenticates protector
• PCs wired to corporate network successfully restart without waiting for PIN at boot
• When a PC is disconnected from, or not wired to, corporate network, PIN is required at boot
Enable IT to deploy stronger encryption protection without disrupting software patching process
15
Hardware requirements: network unlock
• Hardware requirements• TPM
• Windows 8 System Certification requirements• UEFI 2.3.1 (supports DHCPv4, DHPCPv6)
16
Malware resistance
Goal: Anti-malware more effective in Windows 8
• Platform integrity investments make Windows 8 the trusted platform for consumers, businesses, financial institutions, and data centers
• New tools, APIs, and capabilities for anti-malware products
• Sophisticated malware, e.g., rootkits, can be reliably detected and removed
• Radically reduce systems compromised by malware
“[Anti-fraud security tips] do not address or provide protection against the main method used by cyber criminals to collect account credentials – malware.”
Turiss, Cyber Crime Trend Report, August 2010
Malware resistance
• Challenges• Growing class of pervasive malware that targets the boot path• Should Windows be compromised by this type of attack, often the
only plausible method to fix the problem is to reinstall the operating system
• Windows 8 solution• Secured Boot and remediation hardens the boot process against
malware from the moment of power on through the initialization of anti-malware software
• Measured Boot performs a comprehensive chain of measurements during the boot process that can be used to further validate the boot process beyond Secure Boot.
• Early Launch Anti-Malware (ELAM) can start from a known good state, as determined by Secure Boot, and continue vigilant watch over the user’s PC from that point on
Prevent malicious tampering and changes to the hardware, operating system, and to the anti-malware software
Malware resistance: Secured and Measured Boot
Secured Boot• End-to-end boot process protection:
• Windows operating system loader; Windows system files and drivers
• Anti-malware software • Ensures and prevents:
• A compromised operating system from starting; • Software from starting before Windows• Third-party software from starting before anti-malware
• Automatic remediation/self-healing, if compromisedMeasured Boot• Creates comprehensive of measurements of boot execution• Can offer measurements to a remote service for analysis
Secured Boot: legacy vs. modern
BIOS Any OS loader OS startLegacy boot
Native UEFI Verified OS loader only OS startModern boot
• BIOS starts any OS Loader, even malware• Malware may start before Windows
• The firmware enforces policy, only starts signed OS loaders
• OS loader enforces signature verification of Windows components
• Result—malware unable to change boot and OS components
Secured Boot: Early Launch Anti-Malware
Windows 7BIOS OS loader
(malware)3rd party drivers
(malware)Anti-malware software start
Windows 8
Native UEFIWindows 8OS loader
Anti-malware software start 3rd party drivers
• Malware is able to start before Windows and Anti-malware• Malware able to hide and remain undetected• Systems can be completely compromised
• Secured Boot starts Anti-malware early in the boot process• Early Launch Anti-Malware (ELAM) driver is specially signed by
Microsoft• Windows starts ELAM software before any third-party boot
drivers• Malware can no longer bypass Anti-Malware inspection
Effects of Early Launch Anti-Malware
• Malware will move to attack the early boot components• This is where Measured Boot comes in…
We have moved the attack surface
Native UEFI
Windows 8
OS loader
Anti-malware software
start
3rd party drivers
Runtime Anti-
malware Software
Windows logon
Measured Boot with attestation
Windows 8UEFI
Windows 8OS loader
Kernel initialization Anti-malware software start
Windows 7
BIOS OS loader Kernel initialization
3rd party driversAnti-malware
Policy Enforcement
• Windows measures all components to AM software start in the Trusted Platform Module (TPM)
• AM software can invalidate attestation if it stops enforcing policy
• Enables attestation service to remotely evaluate client state using TPM measurements
Malware resistance: architecture
Windows OS loader
UEFI Boot
Windows kernel and drivers AM software
Anti-malware software is started before all 3rd party software
Boot policy
AM policy
3rd party software
Secure Boot prevents malicious OS loader
1
2
TPM3
Measurements of components including Anti-malware software are stored in the TPM
Client Attestation service
4
Client retrieves TPM measurements of client state on demand
Client Health Claim
Windows logon
Modern access control
Modern access control
• Challenges• Cost of issuing tokens• Complexity of deploying a public key infrastructure (PKI)• Usability and user support
• Windows 8 solution• Windows Smart Card Framework has been extended to support – This
allows crypto-capable devices to present themselves and act just like Smart Cards• Windows 8 exposes hardware-based security components, such as a TPM or
virtual smartcard-capable device as a smart card
Users can use their PCs to securely authenticate with websites without having to purchase additional devices
ENTERPRISE
Need Machine and user ID using
hardware protected certificates without requiring separate devices
Key scenarios User authentication for remote
access Document/email signing Strong machine network
authentication
CONSUMER
Need Banks must “know” their
customers, using commercially available determination methods to meet FFIEC multi-authentication requirement
Key scenarios User certificate bound to the
TPM Stronger user authentication
without the need for complex passwords or external second factor
TPM-based authentication
TPM that functions as a smart card
CorpNet
Summary
Summary: security investments Malware resistance
Modern access control
Pervasive encryption
31
Windows 8 security investments
Call to action
• Invest in technologies• Source, build, ship: UEFI, TPM, eDrives• Roadmap discussions with
component/firmware/ vendors, OEMs, and other partners
Further reading and documentationEvent Site:• http://channel9.msdn.com/EventsResources:• Trusted Boot:• http://msdn.microsoft.com/en-us/library/windows/ha
rdware/br259097.aspx
• http://msdn.microsoft.com/en-us/windows/hardware/br259096
• eDrive device guide:• http://msdn.microsoft.com/en-us/library/windows/ha
rdware/br259095.aspx
Thank You!
For questions, please visit me in the Speakers Connection area following this session.
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.