Win7Security sub presentation
Transcript of Win7Security sub presentation
8/7/2019 Win7Security sub presentation
http://slidepdf.com/reader/full/win7security-sub-presentation 1/24
BitLocker™ Drive Encryption: Hardware Enhanced Data Protection
Shon Eizenhoefer, Program Manager, Microsoft Corporation
Agenda
- Security Background
- BitLocker™ Drive Encryption
- TPM Overview
- Building a BitLocker™ Capable System
- Additional Resources
BitLocker™ Drive Encryption
- BitLocker™ Drive Encryption gives you improved data protection on your Windows Vista and Windows Server codenamed "Longhorn" systems
  - Notebooks: often stolen, easily lost in transit
  - Desktops: often stolen, difficult to safely decommission
  - Servers: high value targets, often kept in insecure locations
  - All three can contain very sensitive IP and customer data
- Designed to provide a transparent user experience that requires little to no interaction on a protected system
- Addresses offline attacks against a powered-off or stolen machine:
  - Prevents thieves from using another OS or a software hacking tool to break OS file and system protections
  - Prevents offline viewing of user data and OS files
  - (A running, already-unlocked system is outside this threat model; see the physical memory threat later in the deck)
- Provides enhanced data protection and boot validation through use of a Trusted Platform Module (TPM) v1.2
BitLocker™ And TPM Features
- BitLocker™ Drive Encryption
  - Encrypts entire volume
  - Uses Trusted Platform Module (TPM) v1.2 to validate pre-OS components
  - Customizable protection and authentication methods
- Pre-OS Protection
  - USB startup key, PIN, and TPM-backed authentication
- Single Microsoft TPM Driver
  - Improved stability and security
- TPM Base Services (TBS)
  - Enables third party applications
- Active Directory Backup
  - Automated key backup to AD server
  - Group Policy support
- Scriptable Interfaces
  - TPM management
  - BitLocker™ management
  - Command-line tool
Feature Map: TPM Services Architecture (Simplified)
Layers, top to bottom:
- BitLocker™ and the TPM Admin Tools (slide label: Windows Vista Enterprise and Ultimate), alongside third party applications that use a TSS*
- TPM WMI Provider
- TPM Base Services
- TPM Driver
- Trusted Platform Module (TPM)
The TPM WMI provider, TPM Base Services and TPM driver are labelled "Windows Vista, All SKUs"; third party applications talk to TPM Base Services through their own TSS rather than to the driver directly.
*TCG Software Stack
What Is A Trusted Platform Module (TPM)?
- Smartcard-like module on the motherboard
- Protects secrets
- Performs cryptographic functions
  - RSA, SHA-1, RNG (TPM 1.2 offers SHA-1 only; SHA-256 arrived with TPM 2.0)
  - Meets encryption export requirements
- Can create, store and manage keys
  - Provides a unique Endorsement Key (EK)
  - Provides a unique Storage Root Key (SRK)
- Performs digital signature operations
- Holds Platform Measurements (hashes) in Platform Configuration Registers
- Anchors chain of trust for keys and credentials
- Protects itself against attacks
TPM 1.2 spec: www.trustedcomputinggroup.org
Why Use A TPM?
- Trusted Platforms use Roots-of-Trust
  - A TPM is an implementation of a Root-of-Trust
- A hardware Root-of-Trust has distinct advantages
  - Software can be hacked by software
  - Difficult to root trust in software that has to validate itself
  - Hardware can be made to be robust against attacks
  - Certified to be tamper resistant
  - Hardware and software combined can protect root secrets better than software alone
- A TPM can ensure that keys and secrets are only available for use when the environment is appropriate
  - Keys can be bound to specific hardware and software configurations, as recorded by the platform measurements
BitLocker™ Drive Encryption Architecture
Static Root of Trust Measurement of boot components
Boot sequence (each stage is measured into the TPM before control passes to it):
  TPM Init -> BIOS -> MBR -> Boot Sector -> Boot Block -> Boot Manager -> OS Loader -> Start OS
- PreOS: TPM Init, BIOS, MBR, Boot Sector, Boot Block
- Static OS: Boot Manager, OS Loader
- When the measured pre-OS chain matches the expected values: all boot blobs unlocked, then the volume blob of the target OS unlocked
Disk Layout And Key Storage
OS Volume contains:
- Encrypted OS
- Encrypted page file
- Encrypted temp files
- Encrypted data
- Encrypted hibernation file
System Volume contains:
- MBR, boot manager, boot utilities
- (Unencrypted, small)
Where's the encryption key?
1. SRK (Storage Root Key) contained in TPM
2. SRK encrypts FVEK (Full Volume Encryption Key), protected by TPM / PIN / USB storage device
3. FVEK stored (encrypted by SRK) on hard drive in the OS Volume
The slide collapses one layer: in the shipped product the FVEK is itself wrapped by a Volume Master Key (VMK), and it is the VMK that the TPM, PIN, USB and recovery protectors protect, so protectors can be added or removed without re-encrypting the volume.
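The two slides above describe the mechanism without showing it. The following is an added example, not code from the presentation or from Microsoft: a toy model of the static root of trust measurement chain (TPM 1.2 style SHA-1 PCR extension) and of sealing the FVEK to the resulting PCR value, so that the key is released only when the pre-OS components measure exactly as they did at setup. The boot component images, the use of an HMAC keystream in place of RSA wrapping under the SRK, and the sealing of the FVEK directly (the product seals the VMK) are assumptions made to keep the model self-contained.

```python
import hashlib
import hmac
import os

# TPM 1.2 PCRs are 20-byte SHA-1 registers that start at all zeros at TPM init.
PCR_INIT = b"\x00" * 20

# Constructed stand-ins for the real boot components; the bytes are arbitrary.
# What matters is that each stage is hashed before it is allowed to run.
BOOT_CHAIN = [
    ("BIOS (measured by the CRTM)", b"bios-image-v1"),
    ("MBR", b"mbr-code"),
    ("Boot sector", b"ntfs-boot-sector"),
    ("Boot block", b"boot-block"),
    ("Boot manager", b"bootmgr"),
    ("OS loader", b"winload"),
]


def measure(component: bytes) -> bytes:
    """A 'measurement' is the hash of the component that is about to execute."""
    return hashlib.sha1(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement).
    One-way and order-dependent: a stage cannot un-measure itself or rewrite history."""
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(chain) -> bytes:
    """Static root of trust: every stage is measured into the PCR before control
    passes to it, so the final value summarises the whole pre-OS path."""
    pcr = PCR_INIT
    for _name, image in chain:
        pcr = extend(pcr, measure(image))
    return pcr


class ToyTPM:
    """The part of a TPM BitLocker relies on: a Storage Root Key that never leaves
    the chip, and seal/unseal that only succeeds under matching PCR values.
    Assumption: an HMAC keystream stands in for RSA wrapping under the SRK."""

    def __init__(self):
        self.srk = os.urandom(32)

    def _keystream(self, pcr: bytes, n: int) -> bytes:
        return hmac.new(self.srk, b"seal|" + pcr, hashlib.sha256).digest()[:n]

    def seal(self, secret: bytes, pcr: bytes) -> dict:
        ks = self._keystream(pcr, len(secret))
        return {"wrapped": bytes(a ^ b for a, b in zip(secret, ks)), "pcr": pcr}

    def unseal(self, blob: dict, current_pcr: bytes) -> bytes:
        if not hmac.compare_digest(blob["pcr"], current_pcr):
            raise PermissionError("PCR mismatch: pre-OS environment changed, BitLocker enters recovery")
        ks = self._keystream(current_pcr, len(blob["wrapped"]))
        return bytes(a ^ b for a, b in zip(blob["wrapped"], ks))


def demo() -> dict:
    """Seal the FVEK at setup, then unseal on an intact and on a tampered boot."""
    tpm = ToyTPM()
    fvek = os.urandom(32)                       # constructed Full Volume Encryption Key
    blob = tpm.seal(fvek, measured_boot(BOOT_CHAIN))   # this blob lives on the OS volume

    # Same machine, original firmware and boot code: the key comes back.
    intact = tpm.unseal(blob, measured_boot(BOOT_CHAIN)) == fvek

    # Thief replaces the MBR (bootkit, or another loader). One stage differs,
    # but every PCR value after it changes with it.
    tampered_chain = [(n, b"evil-mbr" if n == "MBR" else img) for n, img in BOOT_CHAIN]
    try:
        tpm.unseal(blob, measured_boot(tampered_chain))
        tampered = True
    except PermissionError:
        tampered = False

    return {
        "intact_unseal_ok": intact,
        "tampered_unseal_ok": tampered,
        "pcr_intact": measured_boot(BOOT_CHAIN).hex(),
        "pcr_tampered": measured_boot(tampered_chain).hex(),
        # Same components in another order give another PCR: extend is not commutative.
        "order_matters": measured_boot(BOOT_CHAIN) != measured_boot(list(reversed(BOOT_CHAIN))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tampered case is exactly the "Deliberate Attack" and "Upgrade to Core Files" recovery scenarios later in the deck: a legitimate BIOS update changes the measurement just as a hacked BIOS does, which is why a recovery key must be escrowed before such updates.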
Information Protection Threats
Internal threats are just as prevalent as external threats.

Intentional: data intentionally compromised
- Insider access to unauthorized data
- Offline attack on lost/stolen laptop

Accidental: loss due to carelessness
- System disposal or repurposing without data wipe
- System physically lost in transit

Targeted: thief steals asset based on value of data
- Theft of branch office server (high value and volume of data)
- Theft of executive or government laptop
- Direct attacks with specialized hardware
Spectrum of Protection
BitLocker™ offers a spectrum of protection, allowing an organization to customize according to its own needs.

Mode      | Factor                        | Protects against | Vulnerable to                       | User must
TPM Only  | "What it is"                  | Most SW attacks  | Hardware attacks                    | N/A (no user impact)
TPM + PIN | "What it is + what you know"  | Many HW attacks  | Hardware attacks                    | Enter PIN to boot
USB Only  | "What you have"               | HW attacks       | Stolen USB key; no boot validation  | Protect USB key
TPM + USB | "What it is + what you have"  | HW attacks       | Stolen USB key                      | Protect USB key

(Slide axis, left to right: Ease of Deployment)
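The table above is easier to reason about as a model of which factors each protector needs at boot. This is an added example, not code from the presentation: it wraps a constructed FVEK under each of the four protector types and then asks, for the theft scenarios the deck lists, which protectors still hand over the key. The TPM is modelled as releasing its secret only when the current boot measurement equals the one recorded at setup; the key derivation, the XOR wrapping and the scenario names are assumptions of the model.

```python
import hashlib
import hmac
import os


def kdf(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over the factors a protector is made of
    (assumed stand-in for the real derivation; prefixing avoids 'a'+'bc' == 'ab'+'c')."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Platform:
    """A machine with a TPM. The TPM releases its secret only when the current
    measurements equal the values recorded when the protector was created."""

    def __init__(self):
        self.tpm_secret = os.urandom(32)    # never leaves the chip in reality
        self.expected_pcr = os.urandom(20)  # stands in for the measured-boot PCR state

    def tpm_release(self, current_pcr: bytes):
        if hmac.compare_digest(self.expected_pcr, current_pcr):
            return self.tpm_secret
        return None


# The four points on the slide's spectrum and the factors each one requires.
PROTECTORS = {
    "TPM only": ("tpm",),
    "TPM + PIN": ("tpm", "pin"),
    "USB only": ("usb",),
    "TPM + USB": ("tpm", "usb"),
}


def create_protector(kind, fvek, platform, pin=None, usb_key=None):
    """Setup time: wrap the volume key under the factors this protector requires."""
    factors = {"tpm": platform.tpm_secret if platform else None,
               "pin": pin.encode() if pin else None,
               "usb": usb_key}
    k = kdf(kind.encode(), *[factors[f] for f in PROTECTORS[kind]])
    return {"kind": kind, "wrapped": xor(fvek, k), "check": kdf(b"check", k)}


def unlock(protector, platform=None, current_pcr=None, pin=None, usb_key=None):
    """Boot time: gather the available factors; any missing one means no key."""
    present = []
    for f in PROTECTORS[protector["kind"]]:
        if f == "tpm":
            v = platform.tpm_release(current_pcr) if platform and current_pcr else None
        elif f == "pin":
            v = pin.encode() if pin else None
        else:
            v = usb_key
        if v is None:
            return None
        present.append(v)
    k = kdf(protector["kind"].encode(), *present)
    if not hmac.compare_digest(protector["check"], kdf(b"check", k)):
        return None
    return xor(protector["wrapped"], k)


def spectrum() -> dict:
    """Which protector still yields the key in each theft scenario from the deck."""
    fvek, pin, usb = os.urandom(32), "2468", os.urandom(32)   # constructed values
    laptop = Platform()
    good, bad = laptop.expected_pcr, os.urandom(20)           # intact vs modified pre-OS
    protectors = {k: create_protector(k, fvek, laptop, pin, usb) for k in PROTECTORS}

    scenarios = {
        "owner boots normally": dict(platform=laptop, current_pcr=good, pin=pin, usb_key=usb),
        "thief boots stolen laptop as-is": dict(platform=laptop, current_pcr=good),
        "thief boots stolen laptop from other OS": dict(platform=laptop, current_pcr=bad),
        "thief has only the USB key, other PC": dict(usb_key=usb),
        "thief has laptop + USB key, modified boot": dict(platform=laptop, current_pcr=bad, usb_key=usb),
    }
    return {s: {k: unlock(p, **args) == fvek for k, p in protectors.items()}
            for s, args in scenarios.items()}


if __name__ == "__main__":
    for scenario, results in spectrum().items():
        print(scenario, {k: "unlocks" if v else "no key" for k, v in results.items()})
```

The "stolen laptop as-is" row is the point of the slide's "TPM Only: vulnerable to hardware attacks" cell: the machine unlocks itself with no secret from the user, so the key reaches RAM where DMA or cold-boot style attacks can reach it. The last row shows what the TPM adds to a USB key: a key found in the laptop bag still opens a USB-only volume from any boot path, but TPM + USB refuses once the pre-OS chain has been modified.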
BitLocker™ Interface (demonstration)
Microsoft System Integrity Team
BitLocker™ Recovery Scenarios
- Lost/Forgotten Authentication Methods
  - Lost USB key, user forgets PIN
- Upgrade to Core Files
  - Unanticipated change to pre-OS files (BIOS upgrade, etc.)
- Broken Hardware
  - Hard drive moved to a new system
- Deliberate Attack
  - Modified or missing pre-OS files (hacked BIOS, MBR, etc.)
BitLocker™ Recovery Methods
- Recommended method for domain-joined machines
  - Automate key backups through BitLocker™ Setup
  - Configure group policy to store keys in Active Directory
  - Provides centralized storage and management of keys
- Recommended methods for non domain-joined machines
  - Back up to a USB flash device
  - Back up to a web-based key storage service
    - "Windows Ultimate Extras" provides a free key storage service for home users or unmanaged environments
    - Potential OEM or 3rd-party service for key storage
  - Back up to a file
  - Print or record to physical media
Platform Threats And Mitigations
- BIOS Modification
  - THREAT: lost Core Root of Trust for Measurement
  - MITIGATION: secure CRTM update
  - MITIGATION: provide extra protection with PIN or USB
- Physical Memory
  - THREAT: key exposure in physical memory
  - MITIGATION: Memory Overwrite on Reset
  - MITIGATION: provide extra protection with PIN or USB
- Dictionary Attack Against PIN
  - THREAT: key exposure
  - MITIGATION: anti-hammering countermeasures
- End Users
  - THREAT: unsafe practices (PIN nearby, USB in laptop case)
  - MITIGATION: user education, corporate security policy
Building BitLocker™ Systems
- Windows Vista Logo Program
  - Performance, quality, and feature metrics that help consumers understand and seek out the best computing experience that Windows Vista has to offer
  - http://www.microsoft.com/whdc/winlogo/hwrequirements.mspx
- Trusted Platform Module (SYSFUND-0030)
  - TPM Main Specification, Version 1.2 (or later)
  - Memory Mapped I/O, Locality 0
  - https://www.trustedcomputinggroup.org/specs/TPM
  - TPM PC Client Interface Specification, Version 1.2 (or later)
  - https://www.trustedcomputinggroup.org/specs/PCClient
- BIOS (SYSFUND-0031)
  - TCG BIOS Specification
  - Physical Presence Interface Specification
  - Memory Overwrite on Reset Specification
  - Immutable CRTM or Secure Update
  - https://www.trustedcomputinggroup.org/specs/PCClient
Building BitLocker™ Systems
- Hard Disk (SYSFUND-0032)
  - BitLocker™ requires at least two partitions
  - System partition ("Active", NTFS, minimum 1.5GB)
  - OS must be installed on a separate partition
  - OS and other partition(s) can be of any size
- USB (SYSFUND-0069-0070)
  - System boot from USB 1.x and 2.x
  - USB read/write in pre-OS environment
  - FAT16, FAT32, or NTFS file system
E-mail bdeinfo @ microsoft.com for the BitLocker™ and TPM Admin BIOS and Platform Requirements and for more information.
Enterprise Customer Needs
- Remote Deployment Considerations
  - Think through large-scale deployment of BitLocker™
  - Provide solutions for remote initialization of TPMs
  - Provide a secure BIOS update mechanism
- Support Encrypted Volumes in Recovery Environment
  - Include WinRE scripting components
- Ship Systems with an Endorsement Key (EK)
  - EK generation in the field is time consuming
  - Industry security best practice
  - TCG Guidelines
Call To Action
- Build BitLocker™-ready Systems
  - TPM v1.2: consider the deployment experience, make it easy
  - BIOS: don't ship systems without secure CRTM/BIOS update!
  - Hard Disk: ship your platforms with two or more partitions
  - USB: verify read/write/boot from USB in pre-OS environment
- Consider Enterprise Customer Needs
  - Provide ability to initialize TPM remotely
  - Ship with Endorsement Key (EK)
- Test Your Platforms!
  - Test with latest Windows Vista releases
  - WDK test suite: http://www.microsoft.com/whdc/driver/WDK/aboutWDK.mspx
  - Work with us to get your reference platforms tested! E-mail bdeinfo @ microsoft.com for more information
Additional Resources
- Web Resources
  - Specs and Whitepapers: http://www.microsoft.com/whdc/system/platform/hwsecurity/default.mspx
  - Windows Logo Program Testing: http://www.microsoft.com/whdc/GetStart/testing.mspx
  - TCG: http://www.trustedcomputinggroup.org
- Related Sessions
  - Enterprise and Server Use of Microsoft BitLocker™ Drive Encryption (CPA027)
  - Windows Vista and Windows Server Longhorn Security Platform Enhancements (CPA127)
- BitLocker™ Questions or Ideas
  - BitLocker™ Blog: http://blogs.msdn.com/si_team/default.aspx
  - bdeinfo @ microsoft.com
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.