WCL286: Windows 8 Malware Resistance

This was a REALLY great session on the significant advances Microsoft has made in Windows 8 to increase its security posture. They claim whole classes of attacks have been mitigated by a combination of Windows 8 and hardware features such as UEFI and TPM. Other security features do not depend on the very latest hardware, such as much stronger ASLR and DEP for OS components. Although not specifically mentioned in this session, Windows Server 2012 is built on the same code base, so many of the features mentioned below apply to WS 2012 too.

Note: if you are thinking of virtualizing Windows 8 for VDI, there is no hypervisor that can virtualize a TPM. So you will not get many of the benefits of trusted boot, measured boot, and remote attestation that you get with physical Windows 8 instances on appropriate hardware. If you will be using Windows 8 for VDI, make sure you understand which security features you cannot take advantage of and how the loss of those features will affect your security posture.

One cool scenario that is possible with a physical Windows 8 instance, UEFI, TPM and a Windows Server 2012 file server is the ability of the file server to validate the health claim of the Windows 8 client before it allows access to the file share. The validation utilizes the secure boot process, measured boot, and other features to ensure an extremely high degree of confidence that the OS has not been tampered with and is trusted. But this remote attestation is only available on physical Windows 8 clients with UEFI and a TPM, so VDI implementations will not be able to use this powerful security feature.

The speakers had a lot of jam-packed slides, so I didn’t get all of the information written down. If you have access to the recorded session on Channel 9 or MyTechNet, I strongly urge you to listen, as it will be a well-spent 75 minutes if you value security in the enterprise.

Session Summary:

  • Windows 8 Investments in client security
    • Protect and Manage threats
    • Protect Sensitive data
    • Protect Access to Resources
    • Microsoft spent more on security in Windows 8 than any previous OS
    • “Groundbreaking” malware resistance
    • Pervasive device encryption
    • Modernized Access Control – Virtualized smart cards (no longer need a physical card); Dynamic access control
  • Challenges that we can face in combating malware
    • Vulnerabilities can be minimized but not completely eliminated
    • Malware can compromise a PC before it starts
    • Malware can compromise anti-malware by tampering with it or by starting before it does
    • Malware can hide from anti-malware software
    • Anti-virus is always playing catch-up with latest malware
  • Secure Hardware
    • Why UEFI?
      • What is UEFI? An interface that is built on top of and replaces the legacy BIOS
      • Key benefits: Architecture-independent
      • Key security features: Secure boot, encrypted drive support for BitLocker, Network unlock support for BitLocker
      • Windows certification requirement on Windows 8 certified devices
    • Trusted Platform Module 2.0
      • TPM value proposition – Enables commercial-grade security via physical and virtual key isolation
      • TCG standard evolution: TPM 2.0
        • Algorithm extensibility allows deployment in additional countries (China, Russia)
      • Windows 8 TPM support enables implementation choice
        • Discrete TPM
        • Firmware-based (Intel’s Platform Trust Technology)
    • Feature Usage of TPM in Windows 8
      • BitLocker: volume encryption
      • BitLocker: volume network unlock
      • Measured boot
      • Virtual smart cards
      • …More
  • Securing the Code and Core
    • Preventing vulnerabilities – Software Development Lifecycle
    • Tools: Threat modeling, Static Code Analysis, Fuzzers
    • Reduce the ability to exploit vulnerabilities
      • Analyzed telemetry to determine requirements
      • Add mitigations to reduce the impact of exploits
      • ASLR, DEP, Windows Heap, process integrity levels. ASLR has been VASTLY improved in Windows 8 (higher entropy), applied to a broader memory space and to critical OS components. DEP has been greatly expanded as well, and the OS now has much broader DEP protection.
      • MS says the IQ of an attacker will need to be much higher to overcome these new security enhancements. Quite different from what’s in Windows 7.
  • Securing the Boot
    • Legacy boot: BIOS, OS Loader (Malware), OS Start
    • UEFI Secure Boot: Native UEFI, Verified OS Loader Only, OS Start
      • The firmware enforces policy, only starts signed OS loaders
      • OS loader enforces signature verification of Windows components.
    • Securing and Maintaining UEFI
      • UEFI is secure by design
        • UEFI firmware, drivers, applications and loaders must be signed
        • UEFI database lists trusted and untrusted keys, CAs and image hashes
        • Secured rollback feature prevents rollback to insecure version
        • Untrusted option ROMs can not run
      • Maintaining UEFI with Windows Update
        • Updates to UEFI firmware, drivers, applications and loaders
        • Revocation process for signatures and image hashes
      • UEFI remediation
        • UEFI able to execute UEFI firmware integrity check and self-remediate
        • UEFI able to recover Windows boot manager if integrity checks fail
    • Trusted and Measured Boot
      • Trusted Boot
        • End to end boot process protection
          • Windows operating system loader
          • Windows system files and drivers
          • Anti-malware software
        • Prevents
          • A compromised OS from starting
          • Software from starting before Windows
          • 3rd party software starting before anti-malware
        • Automatic remediation/self healing if compromised
      • Measured Boot
        • Creates a comprehensive set of measurements based on trusted boot execution
        • Can offer measurements to a remote attestation service for analysis
      • Trusted Boot: Early Load anti-malware
        • Windows 7: Legacy BIOS -> OS Loader (malware) -> 3rd party drivers (malware) -> Anti-malware start -> Windows logon
        • Windows 8: Native UEFI -> Windows 8 OS Loader (signed) -> Anti-malware start (signed) -> 3rd party drivers -> Windows Logon
        • Secure boot loads anti-malware early in the boot process
        • Runs WinRE in the background, performs extensive remediation checks and pulls trusted binaries out of the trusted store. No prompts or user interaction; completely automated.
      • Measured Boot
        • Windows 7: BIOS (measured) -> MBR & Boot sector (measured) -> OS Loader (measured) -> Kernel initialization -> 3rd party drivers -> anti-malware software start
          • Measurements of some boot components evaluated as part of boot
          • Only enabled when BitLocker has been provisioned
        • Windows 8: UEFI (measured) -> Windows 8 OS Loader (measured) -> Windows Kernel & Drivers (measured) -> Anti-malware software (measured) -> 3rd party drivers -> Remote attestation
          • Measures all boot components
          • Measurements are stored in a TPM
          • Remote attestation is now available
        • Remote attestation allows a file server (for example) to validate that only trusted computers with a health claim can gain access.
    • Securing After the Boot
      • Protecting the system from known and unknown threats
        • Windows Defender is now a full-fledged product
        • Protects against full range of malware, not just adware or malware
        • Real-time active protection
        • High performance
        • Optimized for the user experience
      • System Center Endpoint Protection (SCEP) adds manageability
        • Shares the same anti-malware engine with Windows Defender
    • Securing the System Post Boot – Metro Apps
      • Windows store contains Trustworthy Apps
        • ISV onboarding and app screening process
        • Community based ratings and reviews
      • Installation
        • Handled completely by the OS
        • Discrete and private location for each app
      • Application capabilities
        • Run with low privilege
        • Access to Resources
        • Contracts – Apps can advertise their service to other apps or OS
    • Internet Explorer 10 – Smart Screen
      • Application reputation has been moved into core
      • Protects users regardless of client (browser, mail, IE, etc.)
    • Internet Explorer 10 – Enhanced protected Mode
      • Difficult to exploit due to ASLR
      • Tabs and Process Isolation
      • Requires user interaction to gain access to user data
      • Do Not Track (DNT) capability
  • Windows Editions and Device Considerations
    • All Windows editions contain the basic new security features (trusted boot, SmartScreen, etc.) but other features like BitLocker are only on Professional and higher
    • Windows RT always uses device encryption powered by BitLocker
    • Windows 8 certified devices will have UEFI, and need TPM 2.3.1 for secure boot
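The "Securing and Maintaining UEFI" bullets above describe the policy the firmware applies before it starts any loader, driver or option ROM: a database of trusted keys, CAs and image hashes (db), a revocation list (dbx), and a secured-rollback feature. The following is an added illustration of that decision logic, not Microsoft's or any firmware vendor's code. Real firmware verifies an Authenticode signature against the certificates in db; here that step is abstracted as a signer fingerprint carried with the image so the policy stays dependency-free. All image bytes, CA fingerprints (MS_UEFI_CA, OEM_CA), the revoked driver and the version floor are constructed sample values.

```python
"""Secure Boot allow/deny decision, modelled on the UEFI db/dbx rules in the notes.

Added illustration, not Microsoft's or any firmware vendor's code. The db/dbx
contents, image bytes, signer fingerprints and version floor are constructed
sample values. Real firmware verifies an Authenticode signature against the
certificates in db; that step is abstracted here as a signer fingerprint
carried with the image, so the policy logic stays dependency-free:
  - anything listed in dbx (image hash or signer) is refused first,
  - a version below the secured-rollback floor is refused even if signed,
  - otherwise the image must be positively trusted by db (hash or signer).
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Image:
    name: str
    content: bytes              # bytes of the loader, driver or option ROM
    signer: Optional[str]       # fingerprint of the signing CA; None if unsigned
    version: int = 1

    @property
    def digest(self) -> str:
        return sha256_hex(self.content)


@dataclass
class SecureBootPolicy:
    db: Set[str] = field(default_factory=set)    # trusted CA fingerprints and image hashes
    dbx: Set[str] = field(default_factory=set)   # revoked CA fingerprints and image hashes
    min_version: Dict[str, int] = field(default_factory=dict)  # secured-rollback floor per image


def secure_boot_decision(image: Image, policy: SecureBootPolicy) -> Tuple[bool, str]:
    """Return (allowed, reason) for one image presented to the firmware."""
    if image.digest in policy.dbx:                 # revocation always wins
        return False, "image hash revoked in dbx"
    if image.signer is not None and image.signer in policy.dbx:
        return False, "signer revoked in dbx"
    if image.version < policy.min_version.get(image.name, 0):
        return False, "version below secured-rollback floor"
    if image.digest in policy.db:                  # positive trust: explicit hash ...
        return True, "image hash trusted in db"
    if image.signer is not None and image.signer in policy.db:   # ... or a trusted signer
        return True, "signer trusted in db"
    return False, "unsigned or unknown signer"


# Constructed stand-ins for CA fingerprints (real ones are certificate hashes)
MS_UEFI_CA = sha256_hex(b"constructed: Microsoft UEFI CA")
OEM_CA = sha256_hex(b"constructed: OEM driver CA")
FLAWED_DRIVER = b"constructed: storage driver v1 with a known flaw"


def build_sample_policy() -> SecureBootPolicy:
    """db trusts two CAs; dbx revokes one specific driver build by hash;
    the boot manager may not roll back below version 2."""
    return SecureBootPolicy(
        db={MS_UEFI_CA, OEM_CA},
        dbx={sha256_hex(FLAWED_DRIVER)},
        min_version={"bootmgfw.efi": 2},
    )


def evaluate_boot_chain(policy: Optional[SecureBootPolicy] = None) -> Dict[str, Tuple[bool, str]]:
    """Run a constructed set of images through the policy; results keyed by 'name vN'."""
    policy = policy or build_sample_policy()
    images = [
        Image("bootmgfw.efi", b"constructed: Windows Boot Manager v2", MS_UEFI_CA, version=2),
        Image("bootmgfw.efi", b"constructed: Windows Boot Manager v1", MS_UEFI_CA, version=1),
        Image("storage.efi", FLAWED_DRIVER, OEM_CA),      # signed by a trusted CA, but revoked by hash
        Image("oprom.efi", b"constructed: unsigned option ROM", None),
        Image("other.efi", b"constructed: loader signed by an unknown CA",
              sha256_hex(b"constructed: unknown CA")),
    ]
    return {f"{img.name} v{img.version}": secure_boot_decision(img, policy) for img in images}


if __name__ == "__main__":
    for label, (allowed, reason) in evaluate_boot_chain().items():
        print(f"{'RUN ' if allowed else 'DENY'} {label}: {reason}")
```

The ordering of the checks is the point worth noticing: dbx is consulted before db, so a driver signed by a perfectly valid CA is still refused once its hash has been pushed to dbx through the revocation process, and the rollback floor refuses a correctly signed but older boot manager.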
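The "Measured Boot" bullets above give the Windows 8 chain (UEFI -> OS loader -> kernel & drivers -> anti-malware -> remote attestation) and state that measurements are stored in a TPM and that a file server can validate a client's health claim. The following is an added illustration of how that validation works, not Windows, TPM or Microsoft code. It models a PCR that can only be extended, an event log of measurements, and an attestation service that replays the log against the TPM's quote before comparing each measurement with a known-good list. The component bytes, the known-good list, the per-device key (QUOTE_KEY) and the HMAC stand-in for the TPM's signed quote are all constructed assumptions for the example.

```python
"""Measured boot and remote attestation, following the Windows 8 chain in the
notes: UEFI -> OS loader -> kernel & drivers -> anti-malware -> attestation.

Added illustration, not Windows, TPM or Microsoft code. Component bytes, the
known-good list, the attestation key and the quote format are constructed for
the example. A TPM PCR cannot be set, only extended: PCR = H(PCR || H(component)).
Each measured component is also written to an event log. The attestation
service replays the log, checks that it reproduces the quoted PCR, and only
then compares each measurement with its known-good list. The TPM's signed quote
is modelled with an HMAC under a key the service already holds for the device.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

Log = List[Tuple[str, bytes]]   # (component name, SHA-256 digest), like a TCG event log


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # TPM 2.0 is algorithm-agile; SHA-256 bank here


class ToyTpm:
    def __init__(self, quote_key: bytes):
        self.pcr = bytes(32)          # PCRs are zero after reset
        self.log: Log = []
        self._key = quote_key         # stands in for the TPM-resident attestation key

    def extend(self, component: str, content: bytes) -> None:
        digest = h(content)
        self.pcr = h(self.pcr + digest)   # one-way: no software can set the PCR to a chosen value
        self.log.append((component, digest))

    def quote(self, nonce: bytes) -> bytes:
        # A real quote is a signature over (nonce, PCR selection); HMAC models it.
        return hmac.new(self._key, nonce + self.pcr, "sha256").digest()


def boot(tpm: ToyTpm, components: List[Tuple[str, bytes]]) -> None:
    for name, content in components:   # each stage measures the next before handing over
        tpm.extend(name, content)


def attest(quote: bytes, nonce: bytes, log: Log,
           known_good: Dict[str, bytes], quote_key: bytes) -> Tuple[bool, str]:
    """Attestation-service side: decide whether the client may be granted access."""
    pcr = bytes(32)
    for _, digest in log:              # 1. replay the log to the PCR value it implies
        pcr = h(pcr + digest)
    expected = hmac.new(quote_key, nonce + pcr, "sha256").digest()
    if not hmac.compare_digest(expected, quote):   # 2. log must match what the TPM vouches for
        return False, "log does not match quoted PCR (log tampered or stale)"
    for name, digest in log:           # 3. every component must be a known-good build
        if known_good.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    return True, "healthy"


GOOD_COMPONENTS = [
    ("UEFI firmware", b"constructed: OEM UEFI build 1.0"),
    ("Windows 8 OS Loader", b"constructed: bootmgfw, signed build"),
    ("Windows Kernel & Drivers", b"constructed: kernel and boot-start drivers"),
    ("Anti-malware", b"constructed: early-launch anti-malware driver"),
]
QUOTE_KEY = b"constructed: per-device attestation key provisioned out of band"
KNOWN_GOOD: Dict[str, bytes] = {name: h(content) for name, content in GOOD_COMPONENTS}


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Three clients asking a file server for access; returns each verdict."""
    results: Dict[str, Tuple[bool, str]] = {}
    nonce = b"constructed: fresh per-request nonce"   # stops an old quote being replayed

    tpm = ToyTpm(QUOTE_KEY)                          # untouched chain
    boot(tpm, GOOD_COMPONENTS)
    results["healthy"] = attest(tpm.quote(nonce), nonce, tpm.log, KNOWN_GOOD, QUOTE_KEY)

    modified = list(GOOD_COMPONENTS)                 # loader altered on disk; honest log shows it
    modified[1] = ("Windows 8 OS Loader", b"constructed: bootmgfw with altered bytes")
    tpm = ToyTpm(QUOTE_KEY)
    boot(tpm, modified)
    results["modified loader"] = attest(tpm.quote(nonce), nonce, tpm.log, KNOWN_GOOD, QUOTE_KEY)

    forged_log = list(tpm.log)                       # same client, log edited to claim the good loader
    forged_log[1] = ("Windows 8 OS Loader", KNOWN_GOOD["Windows 8 OS Loader"])
    results["forged log"] = attest(tpm.quote(nonce), nonce, forged_log, KNOWN_GOOD, QUOTE_KEY)
    return results


if __name__ == "__main__":
    for client, (ok, why) in run_scenarios().items():
        print(f"{'GRANT' if ok else 'DENY '} {client}: {why}")
```

The third scenario is why the measurements live in the TPM rather than only in a log file: software on the client can rewrite the log, but it cannot rewind the PCR, so an edited log no longer replays to the value the TPM quotes and the server refuses access. This is also the capability the notes say a VDI client without a TPM cannot offer.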