Slide 2: Securing Windows 8 Clients and Resources from Threats
Chris Hallum, Senior Product Manager, Windows Client Security, Microsoft Corporation
WCA-B210
Slide 3: Agenda
Investment Areas for Windows 8
Securing the Core
Securing the Boot
Securing the Resources
Windows 8 Security: How did we do?
Windows 8.1 Security: Better with Blue!
Slide 4: Timeline of key threats and Windows security features
1995 to 2001: Windows 95 to Windows XP
Key threats: the Internet was just growing and mail was on the verge; Melissa (1999) and Love Letter (2000), mainly leveraging social engineering.
Security features: Logon (Ctrl+Alt+Del); Access Control; User Profiles; Security Policy; Encrypting File System (file based); Smartcard and PKI support; Windows Update.
2004: Windows XP SP2
Key threats: Code Red and Nimda (2001), Blaster (2003), Slammer (2003); 9/11; mainly exploiting buffer overflows; script kiddies; time from patch to exploit: several days to weeks.
Security features: Address Space Layout Randomization (ASLR); Data Execution Prevention (DEP); Security Development Lifecycle (SDL); Auto Update on by default; Firewall on by default; Windows Security Center; WPA support.
2007: Windows Vista
Key threats: Zotob (2005); attacks "moving up the stack" (Summer of Office 0-day); rootkits; exploitation of buffer overflows; script kiddies; rise of phishing; users running as Admin.
Security features: BitLocker; PatchGuard; improved ASLR and DEP; full SDL; User Account Control; Internet Explorer SmartScreen Filter; Digital Rights Management; firewall improvements; signed device driver requirements; TPM support; Windows Integrity Levels; secure "by default" configuration (Windows features and IE).
2009: Windows 7
Key threats: organized crime; botnets; identity theft; Conficker (2008); time from patch to exploit: days.
Security features: improved ASLR and DEP; full SDL; improved IPsec stack; Managed Service Accounts; improved User Account Control; enhanced auditing; Internet Explorer SmartScreen Filter; AppLocker; BitLocker To Go; Windows Biometric Service; Windows Action Center; Windows Defender.
2012: Windows 8
Key threats: organized crime and potential state actors; sophisticated targeted attacks; Operation Aurora (2009); Stuxnet (2010).
Security features: UEFI (Secure Boot); firmware-based TPM; Trusted Boot (with ELAM); Measured Boot and Remote Attestation support; significant improvements to ASLR and DEP; AppContainer; Windows Store; Internet Explorer 10 (plugin-less and Enhanced Protected Modes); application reputation moved into the core OS; BitLocker: Encrypted Hard Drive and Used Disk Space Only encryption support; Virtual Smartcard; Picture Password and PIN; Dynamic Access Control; built-in anti-virus.
Slide 5: Windows 8 Investment Areas
Modern Access Control: Securing the Sign-In; Secure Access to Resources
Protect Sensitive Data: Securing Data With Encryption
Malware Resistance: Securing the Boot; Securing the Code and Core; Securing the Desktop
Trustworthy Hardware: Universal Extensible Firmware Interface (UEFI); Trusted Platform Module (TPM)
Slide 6: Challenges
Passwords aren't good enough anymore
Access to resources is based only on authentication, not on device health/integrity
Malware can compromise the PC before Windows starts
Malware can hide from anti-malware software
Vulnerabilities can be minimized but not completely eliminated
Slide 7: Secure Hardware
Slide 8: What is UEFI? (Universal Extensible Firmware Interface)
An interface built on top of, and replacing some aspects of, traditional BIOS
Like BIOS, it hands control of the pre-boot environment to an OS
Key benefits: architecture-independent; enables device initialization and operation (mouse, pre-OS apps, menus)
Key security benefits: Secure Boot, Encrypted Hard Drives, Network Unlock for BitLocker
A Windows Certification requirement (UEFI 2.3.1)
Slide 9: Trusted Platform Module 2.0
TPM value proposition: enables commercial-grade security via physical and virtual key isolation from the OS
TPM 1.2 spec: mature standard, years of deployment and hardening
Improvements in TPM provisioning lower deployment barriers
TCG standard evolution: TPM 2.0*
Algorithm extensibility allows for implementation and deployment in additional countries
Security scenarios are compatible with TPM 1.2 or 2.0
Windows 8: TPM 2.0 support enables implementation choice
Discrete or firmware-based (ARM TrustZone®; Intel Platform Trust Technology (PTT))
Windows Certification requirement for Connected Standby
* Microsoft refers to the TCG TPM.Next as "TPM 2.0".
Slide 10: Hardware Requirement and Feature Usage
Columns: # | Feature | TPM 1.2/2.0 | UEFI 2.3.1 (an X marks the hardware a feature uses; where the extracted row carries a single X, its column is not preserved)
1 | BitLocker: Volume Encryption | X
2 | BitLocker: Volume Network Unlock | X | X
3 | Trusted Boot: Secure Boot | X
4 | Trusted Boot: ELAM | X
5 | Measured Boot | X
6 | Virtual Smart Cards | X
7 | Certificate Storage (Hardware Bound) | X
8 | Address Space Layout Randomization (ASLR) | X
9 | Visual Studio Compiler | X
10 | More…
Slide 11: Securing the Core
Slide 12: Securing the Code and Core
Preventing vulnerabilities before they're written
Security Development Lifecycle (SDL)
Tools: threat models, code analyzers, fuzzers, Visual Studio, …
Impact: Microsoft products not in the Top 10 vulnerabilities list (Kaspersky, Q3 2012 report)
Reduce the ability to exploit vulnerabilities
Many exploit mitigation features vastly improved: ASLR, DEP, Windows Heap
Chris Valasek, a senior security researcher at Coverity, said:
"the security advancements from Windows XP to Windows 7 are leaps and bounds... the advancements from version 7 to 8 are just as great."
"I wouldn't want to be tasked with creating a heap exploit for Windows 8."
Slide 13: Securing the Boot
Slide 14: UEFI Secure Boot: Legacy vs. Modern
Legacy Boot: BIOS starts any OS loader, even malware; malware may start before Windows.
Modern Boot: the firmware enforces policy and only starts signed OS loaders; the OS loader enforces signature verification of Windows components, and if verification fails, Trusted Boot triggers remediation. Result: malware is unable to change boot and OS components.
Slide 15: Securing and Maintaining UEFI
UEFI is secure by design
UEFI firmware, drivers, applications, and loaders must be trusted (i.e. signed)
The UEFI database lists trusted and untrusted keys, CAs, and image hashes
Secured rollback feature prevents rollback to an insecure version
Untrusted (unsigned) option ROMs (containing firmware) cannot run
Maintaining UEFI with Windows Update
Updates to UEFI firmware, drivers, applications, and loaders
Revocation process for signatures and image hashes
UEFI remediation
UEFI is able to execute a UEFI firmware integrity check and self-remediate
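The allow/deny logic the slide describes (trusted and untrusted keys, CAs and image hashes, with revocation delivered by update) is easiest to see as a small policy engine. The following is an added example, not Microsoft or UEFI reference code: the allowed database (db) and forbidden database (dbx) are modeled as Python sets, and a signature is stood in for by an HMAC under a constructed per-signer key. Real firmware verifies X.509/Authenticode signatures, which this simulation does not implement; all names, keys and image bytes are constructed.

```python
"""Decision logic of UEFI Secure Boot's signature databases, as described above.

Added example, not Microsoft or UEFI reference code. The firmware's allowed
database (db) and forbidden database (dbx) are modeled as Python sets that
hold signer identities and image hashes. A signature is stood in for by an
HMAC-SHA256 under a constructed per-signer key; real firmware verifies
X.509/Authenticode signatures, which this simulation does not implement.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed signer keys (stand-in for each CA's private key).
SIGNER_KEYS = {
    "Example OEM CA": b"constructed-oem-key",
    "Revoked Vendor CA": b"constructed-revoked-key",
}


@dataclass
class Image:
    name: str
    data: bytes
    signer: Optional[str] = None      # None models an unsigned image or option ROM
    signature: Optional[bytes] = None

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


def sign(image: Image, signer: str) -> Image:
    """Constructed signing: HMAC over the image bytes with the signer's key."""
    image.signer = signer
    image.signature = hmac.new(SIGNER_KEYS[signer], image.data, "sha256").digest()
    return image


def verify(image: Image) -> bool:
    key = SIGNER_KEYS.get(image.signer)
    if key is None or image.signature is None:
        return False
    expected = hmac.new(key, image.data, "sha256").digest()
    return hmac.compare_digest(expected, image.signature)


@dataclass
class SecureBootPolicy:
    db: Set[str] = field(default_factory=set)   # trusted signers and image hashes
    dbx: Set[str] = field(default_factory=set)  # revoked signers and image hashes

    def revoke(self, entry: str) -> None:
        """A revocation delivered by firmware update appends to dbx."""
        self.dbx.add(entry)

    def decide(self, image: Image) -> Tuple[bool, str]:
        # 1. dbx entries win over db entries: a revoked hash or signer never runs.
        if image.digest in self.dbx:
            return False, "image hash revoked in dbx"
        if image.signer in self.dbx:
            return False, "signer revoked in dbx"
        # 2. A hash listed in db is trusted even without a signature.
        if image.digest in self.db:
            return True, "image hash trusted in db"
        # 3. Otherwise the image needs a valid signature from a db signer.
        if image.signer is None or image.signature is None:
            return False, "unsigned image"
        if image.signer not in self.db:
            return False, "signer not trusted in db"
        if not verify(image):
            return False, "signature invalid"
        return True, "valid signature from db signer"


def demo() -> dict:
    """Runs the policy over constructed images and returns each decision."""
    policy = SecureBootPolicy(db={"Example OEM CA", "Revoked Vendor CA"},
                              dbx={"Revoked Vendor CA"})
    loader = sign(Image("bootmgfw.efi", b"constructed loader bytes"), "Example OEM CA")
    rom = Image("option.rom", b"constructed unsigned option ROM bytes")
    rogue = sign(Image("rogue.efi", b"constructed rogue loader bytes"), "Revoked Vendor CA")
    tampered = sign(Image("tampered.efi", b"constructed loader bytes"), "Example OEM CA")
    tampered.data = b"constructed loader bytes, patched after signing"
    results = {img.name: policy.decide(img) for img in (loader, rom, rogue, tampered)}
    # Revoking the loader's hash (a known-bad build) flips its decision.
    policy.revoke(loader.digest)
    results["bootmgfw.efi after revocation"] = policy.decide(loader)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The ordering in decide is the point: forbidden entries are consulted before allowed ones, so a signer that is still present in db but has been added to dbx can no longer launch anything, and an unsigned option ROM is refused without any lookup beyond the hash check.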
Slide 16: Securing the Remainder of the Boot Process
Windows 7: malware is able to boot before Windows and anti-malware; malware is able to hide and remain undetected; systems can be compromised before AM starts.
Windows 8: Trusted Boot protects the boot process after OS loader startup; secures Windows system files (e.g. kernel) and drivers; starts and protects ELAM-based AM software; automatic remediation/self-healing if compromised.
Slide 17: Securing the Sign-In
Slide 18: New Sign-In Options / Varying Security
Passwords, PIN, and Picture Password
PIN and Picture Password are both easy-to-use sign-in options for touch devices
Picture Password offers a secure (blog) personal sign-in experience that is easy to remember
Combinations by length (columns: Length | PIN | Password (a-z) | Password (complex) | Picture Password)
1 | 10 | 26 | n/a | 2,554
2 | 100 | 676 | n/a | 1,581,773
3 | 1,000 | 17,576 | 81,120 | 1,155,509,083
4 | 10,000 | 456,976 | 4,218,240 |
5 | 100,000 | 11,881,376 | 182,790,400 |
6 | 1,000,000 | 308,915,776 | 7,128,825,600 |
7 | 10,000,000 | 8,031,810,176 | 259,489,251,840 |
8 | 100,000,000 | 208,827,064,576 | 8,995,627,397,120 |
Mitigating attacks:
Account Lockout Policy: "Account lockout threshold" + "Account lockout duration"
Security Option Policy: "Interactive logon: Machine account lockout threshold"
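The table and the lockout policies above fit together: the keyspace says how many guesses exist, the lockout policy says how fast they can be tried through the interactive logon. The following added example (not Microsoft code) recomputes the PIN and Password (a-z) columns as 10^L and 26^L and bounds worst-case online guessing under a lockout policy; the Picture Password and complex-password columns depend on Microsoft's own models and are not reproduced, and the threshold and duration values are constructed.

```python
"""Keyspace and lockout arithmetic behind the sign-in table above.

Added example, not Microsoft code. It recomputes the PIN and Password (a-z)
columns (10^L and 26^L) and then shows how an account lockout policy bounds
online guessing through the interactive logon. The Picture Password and
complex-password columns depend on Microsoft's models and are not
reproduced. The policy values used are constructed for illustration.
"""
from math import ceil
from typing import Dict, List

CHARSET_SIZES = {"PIN": 10, "Password (a-z)": 26}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols."""
    return charset_size ** length


def keyspace_table(max_length: int = 8) -> Dict[str, List[int]]:
    """Rebuilds the PIN and a-z columns for lengths 1..max_length."""
    return {name: [keyspace(size, n) for n in range(1, max_length + 1)]
            for name, size in CHARSET_SIZES.items()}


def worst_case_minutes(space: int, lockout_threshold: int, lockout_minutes: int) -> int:
    """Minutes to try every secret in `space` when each batch of
    `lockout_threshold` failed attempts is followed by a lockout of
    `lockout_minutes`. The time of the guesses themselves is ignored, and a
    threshold of 0 (lockout disabled, as in the Windows policy) returns 0:
    only the keyspace and the logon's own speed then limit the guesser."""
    if lockout_threshold <= 0:
        return 0
    batches = ceil(space / lockout_threshold)
    return (batches - 1) * lockout_minutes     # no lockout after the final batch


def summarize(length: int, lockout_threshold: int = 10,
              lockout_minutes: int = 30) -> Dict[str, Dict[str, float]]:
    """Keyspace and lockout-bounded worst-case days for each secret type."""
    out = {}
    for name, size in CHARSET_SIZES.items():
        space = keyspace(size, length)
        minutes = worst_case_minutes(space, lockout_threshold, lockout_minutes)
        out[name] = {"keyspace": space, "worst_case_days": minutes / (60 * 24)}
    return out


if __name__ == "__main__":
    for n in (4, 6, 8):
        print(n, summarize(n))
```

With the constructed policy (10 attempts, then 30 minutes locked), exhausting a 4-digit PIN takes about 20.8 days of uninterrupted guessing; with the threshold set to 0 the keyspace alone is the limit, which is why the slide pairs the small PIN keyspace with the lockout policies.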
Slide 19: But how secure are these options?
Passwords and 1FA are no longer adequate (Wired, "Kill the Password: Why a String of Characters Can't Protect Us Anymore", Mat Honan)
Email addresses have become universal usernames, making them a single point of failure
Basic personal info is enough to trick customer service agents into revealing more sensitive information
Malicious users use information on one service to gain entry into another
Hacked email accounts enable malicious users to reset your password on other sites (e.g. your investment account)
Need to move to multi-factor authentication (e.g. VSCs)
Easy to deploy and cost-effective way to enable strong multi-factor authentication
Provides a secure, seamless, and always-ready experience for end users
Deployment at scale requires a management solution. Intercede's MyID solution was first to market and was available at launch.
Slide 20: Securing after Sign-In
Slide 21: Securing the System Post Boot
Protecting the system and data with an anti-malware solution
Windows Defender is a comprehensive anti-malware solution (Recent Criticism / Response)
System Center Endpoint Protection (SCEP) provides a manageable Microsoft solution
Reducing the surface area of attacks with Windows Firewall
Provides firewalling and packet filtering functions
Improved to support new technologies
Manageable with System Center Endpoint Protection (SCEP)
Slide 22: Securing the System Post Boot
Trustworthy apps from the Windows Store
ISV onboarding and app screening process
Community-based ratings and reviews
Powerful apps that are inherently more secure
Sandboxed apps (AppContainer) secure the system, apps, and data from malicious apps
Apps run with low privilege and limited system access
Controlled access to other apps: contracts and extensions provide controlled interop
Access to user data with user approval only
Slide 23: Securing the System Post Boot
Internet Explorer 9: SmartScreen
Helps detect phishing sites and malicious downloads
Has blocked >1.5B malware and >150M phishing attacks
Internet Explorer 10: SmartScreen
Application Reputation has been moved into the core OS
Protects users regardless of client (browser, mail, IM, etc.)
Internet Explorer 10: Enhanced Protected Mode
Difficult to exploit due to ASLR
Tab and process isolation
Requires user interaction to gain access to user data
Do Not Track (DNT) capability
Slide 24: Securing Access To Resources
Slide 25: Device Health Based Access Control
Traditional Access Control: access is based on an Access Control List that defines rights and auditing policy; access is granted based entirely on successful authentication of the user.
The challenge: good at making sure the right users get access; unable to prevent compromised devices from getting access to resources.
Modern Access Control: adds vetting of a device's security state to the access decision-making process; leverages Windows 8 Measured Boot, Remote Attestation, Enhanced Access Control, …
Slide 26: Scenarios, Challenges, and Current State
Scenarios: secure access to corporate resources; secure transactions and banking; protection of digital content; more…
Challenges: Remote Attestation components will be delivered by 3rd-party ISVs; current Windows 8 deployments not pervasive enough; mixed Windows environments (Windows XP, 7, and 8)
Current state: Tier 1 ISVs very interested but not yet committed to delivering solutions, waiting…; near-term solutions will need to come from Microsoft Services and solution integrators
Slide 27: Modern Access Control Components
Windows 8's Measured Boot (MB)
Measurements are secured and protected by the system's Trusted Platform Module (TPM)
Automatically enabled when a TPM is present
3rd-party Remote Attestation service and client
The Remote Attestation client communicates with the Remote Attestation service
The service analyzes data on request, comparing it against known-good MB values and other policy requirements
The service issues a security health determination via a Health Claim, which becomes part of the user's Kerberos ticket
Access Control Policy
Windows access control policy doesn't natively support claims; however, Dynamic Access Control and SharePoint do, and claim support can be added through extensibility
Slide 28: BYOD - Unmanaged Device Proof-of-Concept Flow
Device registration and periodic refresh of health data:
Step 1: User registers personal device
Step 2: Portal redirects new device to ADFS
Step 3: User authenticates with domain credentials
Step 4: ADFS extension doesn't find user/device info in Attestation Server
Step 5: Client agent installed on device
Step 6: Agent sends device health data
Step 7: Agent enrolls vSC for logon cert
Periodic refresh of attestation data
Attestation and verified access to secure resources:
Step 1: User tries to access project site
Step 2: Project site needs device claims
Step 3: Device requests claims from extension running on ADFS server
Step 4: ADFS extension verifies device information from Attestation Server
Step 5: ADFS issues claims token
Step 6: Device uses claims token to gain access to documents on project site
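The Measured Boot components on slide 27 and the attestation half of the flow above come down to one check on the service side: is the health data the client sent the same data its TPM measured, and does it match known-good values and policy? The following added example (not Microsoft code or any vendor's attestation product) simulates that check. The Measured Boot log is a constructed list of (component, SHA-256) pairs, the PCR is replayed with the real extend rule (PCR = SHA256(PCR || measurement)), the TPM quote is modeled as an HMAC under a constructed key, and the Health Claim is an HMAC-signed JSON token standing in for the Kerberos/ADFS claim; component names, keys and policy are all constructed.

```python
"""Simulation of the Measured Boot / Remote Attestation flow on the slides above.

Added example, not Microsoft code or any vendor's attestation product. The
client's Measured Boot log is a constructed list of (component, SHA-256)
pairs, the TPM's PCR is replayed with the real extend rule
(PCR = SHA256(PCR || measurement)), the TPM quote is modeled as an HMAC
under a constructed key, and the Health Claim is an HMAC-signed JSON token.
Real deployments use TPM quotes signed by an attestation key and
Kerberos/ADFS claims; the keys, components and policy here are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

PCR_INIT = bytes(32)                          # PCRs start out all-zero
TPM_KEY = b"constructed-tpm-attestation-key"   # stand-in for the TPM's attestation key
SERVICE_KEY = b"constructed-claims-signing-key"

Log = List[Tuple[str, str]]                  # (component name, hex SHA-256)

KNOWN_GOOD = {
    "bootmgfw.efi": hashlib.sha256(b"constructed good loader").hexdigest(),
    "ntoskrnl.exe": hashlib.sha256(b"constructed good kernel").hexdigest(),
    "elam.sys": hashlib.sha256(b"constructed good elam driver").hexdigest(),
}
REQUIRED = {"elam.sys"}   # policy: the ELAM driver must have been measured


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend operation."""
    return hashlib.sha256(pcr + measurement).digest()


def replay(log: Log) -> bytes:
    pcr = PCR_INIT
    for _component, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def tpm_quote(pcr: bytes) -> bytes:
    """Client side: the TPM attests to the PCR value it actually holds."""
    return hmac.new(TPM_KEY, pcr, "sha256").digest()


def evaluate(log: Log, pcr: bytes, quote: bytes) -> Dict:
    """Service side: check the log is the one the TPM saw, then compare it
    against known-good values and policy."""
    reasons = []
    if not hmac.compare_digest(tpm_quote(pcr), quote):
        reasons.append("quote does not verify")
    if replay(log) != pcr:
        reasons.append("log does not replay to quoted PCR")
    for component, digest in log:
        if KNOWN_GOOD.get(component) != digest:
            reasons.append(f"{component}: unknown measurement")
    for component in sorted(REQUIRED - {c for c, _ in log}):
        reasons.append(f"{component}: required component not measured")
    return {"healthy": not reasons, "reasons": reasons}


def issue_claim(device_id: str, verdict: Dict) -> str:
    """Health Claim as a signed token (stand-in for the Kerberos claim)."""
    body = json.dumps({"device": device_id, "healthy": verdict["healthy"]}, sort_keys=True)
    sig = hmac.new(SERVICE_KEY, body.encode(), "sha256").hexdigest()
    return body + "." + sig


def verify_claim(token: str) -> Dict:
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SERVICE_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("claim signature invalid")
    return json.loads(body)


def attest(log: Log) -> Dict:
    """Honest client: the TPM extended exactly what is in the log."""
    pcr = replay(log)
    return evaluate(log, pcr, tpm_quote(pcr))


def good_log() -> Log:
    return [(c, KNOWN_GOOD[c]) for c in ("bootmgfw.efi", "ntoskrnl.exe", "elam.sys")]


def rogue_kernel_log() -> Log:
    """Same boot, but a modified kernel was measured."""
    return [(c, hashlib.sha256(b"constructed rogue kernel").hexdigest())
            if c == "ntoskrnl.exe" else (c, d) for c, d in good_log()]


def forged_log_attempt() -> Dict:
    """Malware rewrites the log to look clean; the TPM still holds the rogue PCR."""
    pcr = replay(rogue_kernel_log())
    return evaluate(good_log(), pcr, tpm_quote(pcr))
```

The replay step is what makes the health data trustworthy: malware running after boot can edit the log it sends, but it cannot rewind the PCR the TPM already extended, so a cleaned-up log no longer replays to the quoted value and the service refuses to issue a healthy claim.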
Slide 29: Vendors who can help
JW Secure Inc. (http://www.jwsecure.com)
General Dynamics C4 Systems (http://www.gdc4s.com)
ID Data/Web (http://www.iddataweb.com)
DMI (http://www.dminc.com)
Slide 30: How did Windows 8 Security do?
Slide 31: Measuring Windows 8 Security Success
The largest investments that we've ever made are producing great results!
Slide 32: Windows 8.1 Security: Getting Better with Blue!
Slide 33: Revolution of Modern Threats
There are two types of enterprises in the U.S.: those who realize they've been hacked, and those who haven't yet realized they've been hacked.
Slide 34: Revolution of Modern Threats
There are threats that are familiar and those that are modern.
Slide 35: Revolution of Modern Threats (Familiar vs. Modern)
Familiar: Script kiddies; cybercrime. Modern: Cyber-espionage; cyber-warfare.
Familiar: Cybercriminals. Modern: State-sponsored actions; unlimited resources.
Familiar: Attacks on Fortune 500. Modern: Organizations in all sectors getting targeted.
Familiar: Software solutions. Modern: Hardware-rooted trust the only way.
Familiar: Secure the perimeter. Modern: Assume breach; protect at all levels.
Familiar: Hoping I don't get hacked. Modern: You will be hacked. How well did you mitigate?
Slide 36: Provable PC Health
The challenge: UEFI and Trusted Boot are very effective, but no promises; malware is still able to hide by turning off defenses; no great way for devices to vet themselves
Opportunities: Remote Attestation APIs available for boot integrity security status
Adoption: ISVs not delivering Remote Attestation services; IS's building for niche, well-funded customers
Our goal in Blue: deliver a Remote Health Analysis service for Windows; provide remediation and notification services
Slide 37: Introducing Provable PC Health
Flow between the Windows client and the Windows cloud service (analysis and response):
1. Client sends a periodic heartbeat with state data (secure data): Measured Boot, Action Center status
2. Cloud service consumes the data and analyzes it
3. If an issue is detected, the cloud sends a message to the client with a remediation recommendation
4. Client responds to the recommendation: 4a machine remediation; 4b account remediation
Slide 38: Enhancements to Windows Defender and Internet Explorer
Windows Defender
Malware is almost always designed to talk to the world; that's its weakness
Adding high-performance behavior monitoring
Identifies malicious patterns of behavior based on file, registry, process, thread, and network activity
Activity log sent to the cloud for analysis; signatures may be issued later
Internet Explorer
Malicious websites attempt to exploit vulnerabilities in binary extensions (e.g. ActiveX)
Binary extensions are executed immediately, bypassing AM
API available that enables AM solutions to scan before execution
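Behavior monitoring of the kind the Windows Defender bullets describe works by correlating file, registry, process, thread and network events per process rather than judging any one event alone. The following added example (not Defender's engine) runs a handful of invented rules over a constructed activity log and alerts only when the combined score of a process crosses a threshold; the log entries, rule weights, threshold and time window are all constructed for illustration.

```python
"""Toy behavior-monitoring correlator for the Windows Defender slide above.

Added example, not Defender's engine. A constructed activity log (file,
registry, process, thread and network events keyed by process id) is
scored against a handful of invented rules that capture the pattern the
slide describes: a process that drops an executable, persists itself and
then talks to the network is far more suspicious than one that only opens a
connection. Weights, threshold and window are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[int, int, str, str]   # (timestamp_s, pid, category, detail)

# Constructed activity log, as the behavior monitor would record it.
ACTIVITY_LOG: List[Event] = [
    (0, 4100, "process", "start C:\\Users\\u\\AppData\\Local\\Temp\\inv0ice.exe"),
    (1, 4100, "file", "write C:\\Users\\u\\AppData\\Roaming\\svchost32.exe"),
    (2, 4100, "registry", "set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32"),
    (3, 4100, "network", "connect 203.0.113.10:443"),
    (5, 4100, "thread", "create-remote target_pid=612"),
    (0, 2200, "process", "start C:\\Program Files\\Editor\\editor.exe"),
    (4, 2200, "file", "write C:\\Users\\u\\Documents\\notes.txt"),
    (9, 2200, "network", "connect 198.51.100.5:443"),
]

# (rule name, weight, predicate over one event's category and detail)
RULES = [
    ("exe-started-from-temp", 2, lambda c, d: c == "process" and "\\temp\\" in d.lower()),
    ("drops-executable", 2, lambda c, d: c == "file" and d.lower().endswith(".exe")),
    ("run-key-persistence", 3, lambda c, d: c == "registry" and "\\run\\" in d.lower()),
    ("remote-thread", 3, lambda c, d: c == "thread" and d.startswith("create-remote")),
    ("outbound-connection", 1, lambda c, d: c == "network"),
]
ALERT_THRESHOLD = 6   # a lone network connection (weight 1) never alerts by itself


def score_processes(log: List[Event], window_s: int = 60) -> Dict[int, Dict]:
    """Group events per pid, fire each rule at most once, and sum the weights of
    rules hit within `window_s` of the process's first event."""
    by_pid: Dict[int, List[Tuple[int, str, str]]] = defaultdict(list)
    for ts, pid, category, detail in sorted(log):
        by_pid[pid].append((ts, category, detail))
    verdicts = {}
    for pid, events in by_pid.items():
        first_ts = events[0][0]
        hits = set()
        for ts, category, detail in events:
            if ts - first_ts > window_s:
                break
            for name, _weight, predicate in RULES:
                if predicate(category, detail):
                    hits.add(name)
        score = sum(weight for name, weight, _ in RULES if name in hits)
        verdicts[pid] = {"score": score, "hits": sorted(hits),
                         "alert": score >= ALERT_THRESHOLD}
    return verdicts


def alerting_pids(log: List[Event] = ACTIVITY_LOG) -> List[int]:
    """Process ids whose correlated behavior crosses the alert threshold."""
    return sorted(pid for pid, v in score_processes(log).items() if v["alert"])


if __name__ == "__main__":
    for pid, verdict in score_processes(ACTIVITY_LOG).items():
        print(pid, verdict)
```

The editor process also makes an outbound connection, but with nothing else correlated it stays well under the threshold, which is the property a behavior monitor needs to avoid flagging every program that talks to the network; the verdicts dictionary is the kind of activity summary the slide says is sent to the cloud for further analysis.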
Slide 39: Mitigation Technologies
Protected Process Hardening
Pass the Hash
Slide 40: Related content
Breakout Sessions:
WCA-B370R - What's New in Blue Security (Repeat Session)
WCA-B210 - Securing Windows 8 Client and Resources from Threats
WCA-B201 - What's new with BitLocker and MBAM 2.0
ATC-B301 - What passwords do when nobody is looking
ATC-B314 - The Inside Man: Surviving the Ultimate Cyber Threat
ATC-B307 - Hackers (Not) Halted
Find me later at the Windows Security Booth: Monday, 6/3: 10:15am - 12:15pm; Tuesday, 6/4: 12:15pm - 2:30pm; Thursday, 6/6: 10:45am - 12:45pm
Slide 41: Windows Track Resources
Windows Enterprise: windows.com/enterprise
Windows Springboard: windows.com/ITpro
Microsoft Desktop Optimization Package (MDOP): microsoft.com/mdop
Desktop Virtualization (DV): microsoft.com/dv
Windows To Go: microsoft.com/windows/wtg
Outlook.com: tryoutlook.com
Slide 42: Resources
msdn, resources for developers: http://microsoft.com/msdn
Learning, Microsoft Certification & Training Resources: www.microsoft.com/learning
TechNet, resources for IT professionals: http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
Slide 43: For More Information
System Center 2012 Configuration Manager: http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
Windows Server 2012: http://www.microsoft.com/en-us/server-cloud/windows-server
Windows Server 2012 VDI and Remote Desktop Services: http://technet.microsoft.com/en-us/evalcenter/hh670538.aspx?ocid=&wt.mc_id=TEC_108_1_33 and http://www.microsoft.com/en-us/server-cloud/windows-server/virtual-desktop-infrastructure.aspx
More resources: microsoft.com/workstyle; microsoft.com/server-cloud/user-device-management
Slide 44: Evaluate this session
Scan this QR code to evaluate this session.
Slide 45: © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.