Windows 8.1 Security
TechNet Event, November 25th, 2013, Basel
Martin Weber
Technology Solution Professional
Microsoft Switzerland Ltd.
In the news…
"Microsoft Exposes Scope of Botnet Threat", by Tony Bradley, October 15, 2010
Microsoft's latest Security Intelligence Report focuses on the expanding threat posed by bots and botnets.
"Researchers Discover Link Between TDSS Rootkit and DNSchanger Trojan", by Nick Bilton, May 2, 2011
TDSS rootkit, the hard-to-remove malware behind numerous sophisticated attacks, appears to have helped spread the DNSchanger Trojan.
Windows 8 and 8.1 Security Capabilities
Securing the Sign-In
Secure Access to Resources
Securing the Device with Encryption
Securing the Boot
Securing the Code and Core
Securing the Desktop
First Class Biometric Experience
Multifactor Auth for BYOD
Trustworthy Identities and Devices
Virtual SmartCard
Provable PC Health
Improved Windows Defender
Improved Internet Explorer
Improved System Core Hardening
Pervasive Device Encryption
Selective Wipe of Corp Data
Refresh and Reset
Enhanced BitLocker Drive Encryption Protection
New Secure Boot Options
What’s New in Windows 8.1 Security
Tools for Windows 8.1 Recovery
Windows Tools & Techniques:
• System Restore
• Safe Mode and related
New Windows 8.1 Refresh and Reset capabilities
Windows 8.1 Refresh vs. Reset
Refresh:
• Keeps customizations and data
• Keeps Windows 8.1 Apps
• Does not format before reinstall
Reset:
• Does not keep customizations and data
• Does not keep Windows 8.1 Apps
• Formats the drive before reinstall
Groundbreaking Enterprise Security
Builds on Windows 7 Technologies
Enhanced BitLocker Protection
UEFI Support for Trusted Boot
Windows Defender and Windows Firewall
BitLocker Enhancements in Windows 8.1
Encryption of the full disk, or of "Used Disk Space Only": only the clusters that currently hold data are encrypted and new writes are encrypted as they land. This is fast on a fresh install, but on a drive that held data before BitLocker, previously deleted files in free space stay in the clear, so choose full-disk encryption there.
Encrypt during installation (pre-provisioning before the OS image is applied)
Support for eDrives (self-encrypting drives), iSCSI and Fibre Channel drives
Disk layout (figure): the EFI System Partition (bootmgr.efi), the WinRE partition, the OEM partition and the recovery image partition are not encrypted; the OS partition (Windows runtime, user data) and the data partition (user data) are encrypted.
Key hierarchy (figure): the TPM's Storage Root Key (SRK) seals the Volume Master Key (VMK), and the VMK protects the Full Volume Encryption Key (FVEK) that actually encrypts the volume. Recovery and other protectors are alternative wrappers for the VMK, never for the FVEK.
Trusted Platform Module 2.0 Support
New BitLocker Recovery Options
Several recovery options; escrow of the recovery key to SkyDrive is new to Windows 8.1
Group Policy (GPO) and BitLocker
Numerous Group Policy settings
around the unlock method
Policies for enterprise scenarios
BitLocker Protectors
Numerous protectors:
• Password protector for non-TPM systems
• Active Directory
• Network (Network Unlock)
Network Unlock for OS Volumes
Scenario:
• Enables PCs connected to the corporate network to boot without a PIN
• Simplifies the patch process for servers and desktops, wake on LAN, ease of use for end users
Requirements:
• UEFI 2.3.1 firmware with DHCPv4 and DHCPv6 network drivers
• A TPM+PIN protector on the OS volume, and a Windows Deployment Services server with the BitLocker Network Unlock feature and its certificate on the corporate network
Flow (figure): at boot the client's EFI DHCP driver sends a key request to the Network Key Server over the secure corporate network; the server's reply, combined with the TPM, unlocks the OS volume. Off the corporate network (no reachable key server) the PC falls back to the normal PIN prompt.
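The protector and escrow slides above describe a sequence rather than a command, so here it is as an added PowerShell example (not from the slides or from Microsoft): recovery password protector first, escrow it to AD DS, then turn on used-space-only encryption bound to the TPM. It assumes Windows 8.1 with the BitLocker and TrustedPlatformModule modules, a TPM that is present and ready, and, for the escrow step, the Group Policy setting that allows recovery information to be stored in AD DS. The function name `Enable-OsVolumeBitLocker` is our own.

```powershell
# Added example, not from the slides: BitLocker on the OS volume in the order
# an enterprise rollout needs it (recovery protector -> AD escrow -> encrypt).
# Assumptions: Windows 8.1, BitLocker and TrustedPlatformModule modules present,
# TPM ready, GPO permits storing recovery information in AD DS.
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Enable-OsVolumeBitLocker {
    param(
        [string]$MountPoint = $env:SystemDrive,   # normally "C:"
        [switch]$BackupToAd
    )

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready: use a password protector (non-TPM case) instead."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Recovery password protector. Added before enabling so that a GPO which
    #    requires escrow before encryption does not block the enable step.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # 2. Escrow: writes the recovery password to the computer object in AD DS.
    #    Never echo $rp.RecoveryPassword into a log or transcript.
    if ($BackupToAd) {
        foreach ($p in $rp) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }

    # 3. Encrypt, sealed to the TPM. -UsedSpaceOnly encrypts only allocated
    #    clusters: right for a fresh install, wrong for a drive that held data
    #    before BitLocker (drop the switch there to get full-disk encryption).
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
            -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null
    }

    # Status summary, including which protector types now wrap the VMK.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
            EncryptionPercentage,
            @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

Enable-OsVolumeBitLocker -BackupToAd
```

For a Network Unlock deployment replace `-TpmProtector` with `-TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')`, since Network Unlock only works alongside a TPM+PIN protector; the network protector itself is added on the client once the WDS-side feature is in place. `Get-BitLockerVolume` is also the check to run after a reboot: `ProtectionStatus` must read `On`, otherwise the protectors are suspended and the VMK is stored in the clear.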
Windows RT Device Encryption
Available for Windows RT devices
Optimized for the slate form factor
Microsoft BitLocker Administration and Monitoring (MBAM): Compliance and security
MBAM is the enterprise-level tool for BitLocker:
• Complex PINs and FIPS compliance
• Role-based access control
• Compliance reports
UEFI Support in Windows 8.1
UEFI firmware, which replaces the legacy BIOS on new PCs and on System-on-a-Chip (SoC) devices, helps ensure that the computer loads only a trusted operating system loader.
Legacy vs. Modern, Trusted UEFI Boot Process
Windows 7 (BIOS): BIOS → OS loader (malware can run here) → 3rd-party drivers (malware can run here) → anti-malware software starts → Windows logon
Windows 8 (native UEFI): UEFI → Windows 8 OS loader → anti-malware software starts → 3rd-party drivers → Windows logon
Malware is able to boot before Windows and anti-malware
• Malware able to hide and remain undetected
• Systems can be compromised before anti-malware starts
Trusted Boot loads anti-malware early in the boot process
• Early Launch Anti-Malware (ELAM) driver is specially signed by Microsoft
• Windows starts anti-malware software before any 3rd-party boot drivers
• Malware can no longer bypass AM inspection
• Note: ELAM only classifies boot-start drivers (good, bad, unknown) before they load; protection of the firmware and the boot loader themselves comes from Secure Boot, not from ELAM
Trusting the UEFI Boot Process
Updates to UEFI are secure (firmware, drivers and the OS boot loader all have to be digitally signed)
UEFI performs a self-check (the firmware verifies the signature on its own update images before applying them)
Secure, Trusted and Measured Boot
Secure Boot: the firmware refuses unauthorized boot loaders; only loaders signed by a certificate in the UEFI signature database are executed
Trusted Boot: Windows then verifies the signatures of the kernel, boot-start drivers, system files and the ELAM driver before loading them
Measured Boot: every component in the chain is hashed into the TPM's PCRs and logged, so a remote service can attest the boot state ("Provable PC Health")
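A practitioner auditing a fleet wants to see which of these three layers are actually in effect on a given PC. The following is an added PowerShell example (not from the slides or from Microsoft) that reports Secure Boot state, firmware type, TPM readiness, the Windows Defender ELAM driver and the presence of Measured Boot logs. It assumes Windows 8.1 or later run elevated; the driver name `WdBoot` (Windows Defender's ELAM driver) and the log location `%SystemRoot%\Logs\MeasuredBoot` are stated from practice, not from the slides, and the function name is our own.

```powershell
# Added example, not from the slides: boot-chain posture of the local machine.
# Assumptions: Windows 8.1+, elevated; WdBoot is Windows Defender's ELAM driver;
# Measured Boot writes its TCG logs under %SystemRoot%\Logs\MeasuredBoot.
#Requires -RunAsAdministrator

function Get-BootChainPosture {
    $r = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws when booted via legacy BIOS/CSM,
    # which itself is the finding (no Secure Boot is possible in that mode).
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBoot = 'n/a (legacy BIOS boot)' }

    # Firmware mode as the kernel recorded it: 1 = legacy BIOS, 2 = UEFI.
    $fw = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name PEFirmwareType -ErrorAction SilentlyContinue
    $r.FirmwareType = switch ($fw.PEFirmwareType) { 1 { 'Legacy BIOS' } 2 { 'UEFI' } default { 'unknown' } }

    # TPM: Measured Boot has nowhere to extend PCRs without a present, ready TPM.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $r.TpmPresent = [bool]$tpm.TpmPresent
    $r.TpmReady   = [bool]$tpm.TpmReady
    $r.TpmVersion = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm `
                     -ErrorAction SilentlyContinue).SpecVersion

    # ELAM: the Defender early-launch driver must exist with StartMode=Boot.
    # ELAM drivers unload once boot-start drivers have been evaluated, so a
    # State of "Stopped" after boot is normal; StartMode is what matters.
    $elam = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'" -ErrorAction SilentlyContinue
    $r.ElamDriver = if ($elam) { "$($elam.Name): StartMode=$($elam.StartMode), State=$($elam.State)" } else { 'not found' }

    # Measured Boot: one log per boot when the TPM measured the chain.
    $logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    $logs   = Get-ChildItem $logDir -Filter *.log -ErrorAction SilentlyContinue
    $r.MeasuredBootLogs = if ($logs) { @($logs).Count } else { 0 }

    [pscustomobject]$r
}

Get-BootChainPosture | Format-List
```

A machine that shows `SecureBoot = True`, `TpmReady = True`, an ELAM driver with `StartMode=Boot` and a non-zero log count has all three layers from the slide in place; `FirmwareType = Legacy BIOS` means the Windows 7-style chain on the previous slide is still what runs, whatever the firmware setup screen claims.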
Protect against the Known and the Unknown
Malware resistant by design
Familiar tools updated for Windows 8.1
Windows 8.1 Client Protection
Windows 8.1 Modern App Protection
Strong screening process for Windows Store
Low privilege and capability declaration
Discrete app containers
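"Low privilege and capability declaration" is checkable: every Store app's AppxManifest.xml lists the capabilities it was granted outside its app container. The following added PowerShell example (not from the slides or from Microsoft) enumerates installed packages and flags those declaring capabilities that reach corporate data or networks. It assumes Windows 8.1 with the Appx module; the list of "sensitive" capability names is our own review list, not a Microsoft classification, and the function name is our own.

```powershell
# Added example, not from the slides: audit the capabilities declared by
# installed Windows Store (AppX) packages.
# Assumption: $SensitiveCapabilities is our own review list, not Microsoft's.
Import-Module Appx

$SensitiveCapabilities = @(
    'enterpriseAuthentication',   # can use the signed-in user's domain credentials
    'sharedUserCertificates',     # can use the user's certificates / smart card
    'documentsLibrary',           # broad access to the Documents library
    'removableStorage',           # USB / removable drives
    'privateNetworkClientServer', # intranet, inbound and outbound
    'internetClientServer'        # listening on the internet, not just client
)

function Get-AppxCapabilityReport {
    param([string[]]$Flag = $SensitiveCapabilities)

    foreach ($pkg in Get-AppxPackage) {
        # Get-AppxPackageManifest returns the parsed AppxManifest.xml of the package.
        $m = Get-AppxPackageManifest -Package $pkg.PackageFullName -ErrorAction SilentlyContinue
        if (-not $m) { continue }

        # Both general and device capabilities are declared under <Capabilities>.
        $caps = @()
        $caps += $m.Package.Capabilities.Capability       | ForEach-Object Name
        $caps += $m.Package.Capabilities.DeviceCapability | ForEach-Object Name
        $caps  = @($caps | Where-Object { $_ })

        [pscustomobject]@{
            Name         = $pkg.Name
            Publisher    = $pkg.Publisher
            Capabilities = $caps -join ','
            Flagged      = (@($caps | Where-Object { $Flag -contains $_ }) -join ',')
        }
    }
}

Get-AppxCapabilityReport | Where-Object Flagged | Sort-Object Name | Format-Table -AutoSize
```

The app container still confines the process; the capability list is the set of holes deliberately punched in it, which is why a review of the `Flagged` column is the enterprise-side counterpart to the Store's own screening.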
Summary of Security Enhancements
Familiar tools still used in Windows 8.1
DaRT and MDOP have been updated for Windows 8.1
Trusted boot and post-boot protected
BitLocker includes numerous enhancements