TechEd: Windows 8 and 8.1 Security Enhancements (WCA-B210)

This session covered new security features in Windows 8 and, at the end, some of the new features in Windows 8.1. It was an excellent session, with a very well organized presenter. It was a firehose of information, but clearly laid out and easy to take notes from. The bottom line is that Windows 8 is much more secure than Windows 7, with malware infection rates per 1000 machines 3x-8x lower than Windows 7. Windows 8.1 builds on that foundation and adds even more features to catch vulnerabilities such as those presented by the Flame malware. It also greatly extends biometric authentication with native support and, with partner hardware, greatly enhances the biometric experience.

Although not mentioned in this session, the combination of Hyper-V 2012 R2 and Windows 8.1 for VDI could be compelling for organizations concerned with high security. Since Hyper-V supports UEFI native booting and secure boot, you can now (with third-party add-ons designed for the Government/defense industry) provide remote attestation and assured device health for VDI. You could even go as far as BitLocker volumes for Hyper-V VM storage, for full encryption with virtually no overhead. The session notes below provide the names of companies gearing Windows 8 remote attestation solutions for the defense sector.

Introduction

  • Windows XP SP2 was a huge release in terms of security
  • Vista was a new security model, at the sacrifice of app compatibility
  • Windows 8 investment areas: Malware resistance, securing the boot, securing the code and core, and securing the desktop
  • Protect sensitive data – Securing data with encryption
  • Modern access control – Securing the sign-in, secure access to resources
  • Trustworthy hardware – UEFI, TPM
  • Windows 8 started the move away from passwords (virtual smart cards, TPM, multi-factor authentication, etc.)
  • Windows 8 certified hardware is much more secure (required to support UEFI, secure boot)

Challenges in preventing Malware

  • Malware could compromise the PC before Windows even starts
  • Malware can hide from anti-malware software
  • Passwords aren’t good enough

UEFI 2.3.1

  • Replacement for the traditional BIOS
  • Key benefits: Architecture-independent
  • Enables: Secure boot, encrypted HDs, network unlock for BitLocker
  • A Windows 8+ certification requirement
  • UEFI bootloaders are being signed for some Linux distros
  • “Encrypted hard drives” have new firmware that fully supports Windows encryption features. “Self-encrypting HDs” are legacy and not supported by Windows for key management. “Encrypted HD” models are just now starting to show up in the market, so don’t get a “SED” (self-encrypting drive).

Securing and Maintaining UEFI

  • UEFI requires firmware to be signed
  • UEFI firmware updates can come through Windows update
  • Unsigned option ROMs cannot run
  • UEFI can never roll back to a previous version
  • Secure root of trust, knowing that the platform is very secure

TPM 2.0

  • Enables commercial-grade security via physical and virtual key isolation from OS
  • Intel Haswell will support a firmware-based software TPM (lowers costs for OEMs)
  • Intel Atom has built-in TPM-like functionality
  • TPM functionality will now start trickling into consumer devices
  • In 2015 MS will require all certified devices to have TPM functionality

Securing the Core

  • SDL – Secure Development Lifecycle started back in the XP SP2 era to address major security vulnerabilities
  • The Q3 2012 Kaspersky report had no MS products in the top-10 vulnerability list
  • ASLR, DEP, Windows Heap are all much more secure than in Windows 7
  • Entire sections of the Win7 core were NOT covered by DEP and ASLR
  • Windows 8 as a whole uses DEP and ASLR across the code base
  • 8 bits of entropy in Win7, now 32-bit entropy in Windows 8

Securing the Boot

  • Trusted Boot – Hardens the end to end boot process
  • Protects all system boot components and the anti-malware driver (ELAM)
  • Ensures defenses are running before malware gets a chance to start
  • Automatic remediation/self healing if compromised
  • Measured boot – Comprehensive set of integrity measurements

Securing the Sign-In

  • New sign-in options with varying security
  • Passwords, PIN and picture password
  • MS uses an 8 character PIN code (most companies use 6)
  • Picture passwords are not ideal in the enterprise. More a consumer feature.
  • Security Options GPO policy (puts the device into recovery mode, if using BitLocker, when a brute-force password attack is detected)

Securing the System Post Boot

  • Trustworthy apps from the Windows Store
  • ISV onboarding and app screening process
  • Community based ratings and reviews
  • WinRT apps are all sandboxed from the start; apps can talk to each other, but communication between apps is gated
  • DLLs are public and any app can call them, so the WinRT platform gates which features apps can call in other apps, to limit exploits spreading
  • IE10 – SmartScreen, Enhanced Protected Mode

Securing Resources from Unhealthy Clients

  • Traditional access control is based on ACLs and user validation (not device health)
  • Modern method in Win8: Add vetting of a device security state to the access decision making process
  • Leverages Windows 8 measured boot, remote attestation, enhanced access control (server side)
  • MS has a current solution for Government and Defense customers since ISVs have been slow to adopt (solutions out later in 2013)
  • McAfee and Symantec
  • JW Secure, General Dynamics C4 Systems, ID Data/Web, DMI are four companies to offer device attestation solutions
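
The server-side device-health check described above, as an added example (not code from the session or from Microsoft): the server replays the client's measured-boot log, compares it to the TPM-reported PCR, and only then applies the usual user check. It assumes the quoted PCR comes from a TPM quote whose signature has already been verified; the component names and digests are constructed sample data.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # a SHA-256 PCR starts at all zeros on reset

def _digest(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + measurement).digest()

def replay(event_log) -> bytes:
    """Recompute the PCR implied by an ordered (component, digest) log."""
    pcr = PCR_INIT
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

def device_health(event_log, quoted_pcr, known_good):
    """The log must reproduce the quoted PCR and list only known-good digests."""
    if not hmac.compare_digest(replay(event_log), quoted_pcr):
        return False, "event log does not match quoted PCR"
    for name, digest in event_log:
        if known_good.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    return True, "ok"

def grant_access(user_authorized, event_log, quoted_pcr, known_good):
    """Access needs both the traditional user check and a healthy device."""
    if not user_authorized:
        return False, "user not authorized"
    return device_health(event_log, quoted_pcr, known_good)

# Constructed sample data: component names and image contents are made up.
KNOWN_GOOD = {
    "bootmgr": _digest(b"constructed bootmgr image"),
    "winload": _digest(b"constructed winload image"),
    "elam_driver": _digest(b"constructed ELAM driver image"),
}
GOOD_LOG = list(KNOWN_GOOD.items())
TAMPERED_LOG = [(n, _digest(b"patched") if n == "winload" else d)
                for n, d in GOOD_LOG]

if __name__ == "__main__":
    print(grant_access(True, GOOD_LOG, replay(GOOD_LOG), KNOWN_GOOD))
    print(grant_access(True, TAMPERED_LOG, replay(TAMPERED_LOG), KNOWN_GOOD))
    # Forged log: claims clean digests, but the TPM measured the tampered boot.
    print(grant_access(True, GOOD_LOG, replay(TAMPERED_LOG), KNOWN_GOOD))
```

Because each extend hashes over the previous PCR value, a client that booted a modified component cannot produce a clean log that still reproduces the value its TPM reports.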

Win8 Security Success

  • Showed a graph of malware infections
  • Windows 8 is 3x less likely to be infected with malware (no anti-malware solution present). 2.7 per 1000 impacted (Win8 x64)
  • Windows 8 is 6x less likely to be infected when anti-malware software is installed. 0.2 per 1000 (Win8 x64)

Windows 8.1 Threat Background

  • Modern threats: cyber-espionage, cyber-warfare, state sponsored actions (unlimited resources), assume breach (protect at all levels)
  • All sectors, and even suppliers and the supply chain, are now under attack
  • Without UEFI you can’t protect yourself against bootkit threats
  • You are now dealing with the digital equivalent of SEAL Team Six attacking you
  • Lockheed Martin publicly stated they can protect themselves, but attackers are going against sub-contractors

What’s new in Windows 8.1

  • “Provable PC Health”
  • Utilizes free cloud MS services. MS will have a huge database of all known hashes for all MS products, certified drivers, and other products/drivers.
  • Windows client will send hash values for a large amount of system values to the cloud for verification
  • Protects against Flame-like attacks
  • Sent data is completely anonymous – Triggers machine remediation

Windows 8.1 Defender and IE 11

  • Windows Defender – Adding high performance behavior monitoring. Identifies malicious patterns based on behavior (file, registry, process, threads, etc.)
  • IE 11: API available that enables anti-malware solutions to scan before execution

Windows 8.1 Demo

  • Showed a biometric authentication device with a touch-based surface
  • Device injects a current into your finger to detect if the finger is alive or dead
  • Showed instantly signing in with near 100% accuracy. No swiping. Just tap the sensor and instantly get your desktop.
  • Apps can ask for biometric authentication at any time, even after you sign in. A split-second tap is all that is required.
  • Could add biometric authentication for file access to app-specific files (not yet in Explorer…app-specific).