
Key Threats and Windows security features by era (timeline slide, regrouped by column)

1995 - Windows 95 and 2001 - Windows XP
Key threats (1995): Internet was just growing; mail was on the verge; attacks mainly leveraging social engineering
Key threats (2001): Melissa (1999), Love Letter (2000); 9/11; mainly exploiting buffer overflows; script kiddies; time from patch to exploit: several days to weeks; user running as Admin
Security features: Logon (Ctrl+Alt+Del); Access Control; User Profiles; Security Policy; Encrypting File System (file based); Smartcard and PKI Support; Windows Update

2004 - Windows XP SP2
Key threats: Code Red and Nimda (2001), Blaster (2003), Slammer (2003); rootkits; exploitation of buffer overflows; script kiddies; rise of phishing
Security features: Address Space Layout Randomization (ASLR); Data Execution Prevention (DEP); Security Development Lifecycle (SDL); Auto Update on by default; Firewall on by default; Windows Security Center; WPA support; secure-by-default configuration (Windows features and IE)

2007 - Windows Vista
Key threats: Zotob (2005); attacks moving up the stack (Summer of Office 0-day); time from patch to exploit: days
Security features: BitLocker; Patchguard; improved ASLR and DEP; full SDL; User Account Control; Internet Explorer SmartScreen Filter; Digital Rights Management; firewall improvements; signed device driver requirements; TPM support; Windows Integrity Levels; Windows Defender moved into core OS

2009 - Windows 7
Key threats: organized crime; botnets; identity theft; Conficker (2008); Operation Aurora (2009); Stuxnet (2010)
Security features: improved ASLR and DEP; full SDL; improved IPsec stack; Managed Service Accounts; improved User Account Control; enhanced auditing; Internet Explorer SmartScreen Filter; AppLocker; BitLocker To Go; Windows Biometric Service; Windows Action Center; application reputation

2012 - Windows 8
Key threats: organized crime, potential state actors; sophisticated targeted attacks
Security features: UEFI (Secure Boot); firmware-based TPM; Trusted Boot (with ELAM); Measured Boot and Remote Attestation support; significant improvements to ASLR and DEP; AppContainer; Windows Store; Internet Explorer 10 (plugin-less and Enhanced Protected Modes); BitLocker: Encrypted Hard Drive and Used Disk Space Only encryption support; virtual smart card; picture password, PIN; Dynamic Access Control; built-in anti-virus
Windows 8 Investment Areas
Challenges
Universal Extensible Firmware Interface (UEFI)

An interface built on top of traditional BIOS that replaces some aspects of it
Like BIOS, it hands control of the pre-boot environment to an OS
Architecture-independent
Enables device initialization and operation (mouse, pre-OS apps, menus)
Enables Secure Boot, Encrypted Hard Drives, and Network Unlock for BitLocker

Trusted Platform Module 2.0
Enables commercial-grade security via physical and virtual key isolation from the OS
TPM 1.2 spec: mature standard, years of deployment and hardening
Improvements in TPM provisioning lower deployment barriers
Algorithm extensibility allows for implementation and deployment in additional countries
Security scenarios are compatible with TPM 1.2 or 2.0
Discrete or firmware-based (ARM TrustZone; Intel's Platform Trust Technology (PTT))

* Microsoft refers to the TCG TPM.Next as TPM 2.0.


# Features TPM 1.2/2.0 UEFI 2.3.1
1 BitLocker: Volume Encryption X
2 BitLocker: Volume Network Unlock X X
3 Trusted Boot: Secure Boot X
4 Trusted Boot: ELAM X
5 Measured Boot X
6 Virtual Smart Cards X
7 Certificate Storage (Hardware Bound) X
8 Address Space Layout Randomization (ASLR) X
9 Visual Studio Compiler X
10 More
SDL phases: Training, Requirements, Design, Implementation, Verification, Release, Response
Legacy Boot (BIOS)
BIOS -> OS Loader (Malware) -> OS Start
BIOS starts any OS loader, even malware
Malware may start before Windows

Modern Boot (Native UEFI only)
UEFI -> Verified OS Loader -> OS Start
The firmware enforces policy and only starts signed OS loaders

The OS loader enforces signature verification of Windows components. If verification fails, Trusted Boot triggers remediation.
Result: malware is unable to change boot and OS components
UEFI firmware, drivers, applications, and loaders must be trusted (i.e. signed)
The UEFI database lists trusted and untrusted keys, CAs, and image hashes
The Secured Rollback feature prevents rollback to an insecure version
Untrusted (unsigned) Option ROMs (containing firmware) cannot run

Updates to UEFI firmware, drivers, applications, and loaders
Revocation process for signatures and image hashes
UEFI is able to execute a UEFI firmware integrity check and self-remediate
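Added example, not Microsoft's or any firmware vendor's code: a model of the Secure Boot image authorization decision described above, where the UEFI database of trusted entries (db) and revoked entries (dbx) decides whether an OS loader or Option ROM may run. Real firmware verifies Authenticode signatures against X.509 certificates; here a signature is abstracted as the name of the signing certificate, the image hashes are real SHA-256, and all images and CA names are constructed.

```python
# Added example, not Microsoft's code: a model of the UEFI Secure Boot image
# authorization decision. Real firmware verifies Authenticode signatures against
# X.509 certificates; here a "signature" is abstracted as the name of the
# certificate that signed the image, and only the image hashes are real.
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class SecureBootDb:
    db_certs: set = field(default_factory=set)    # trusted signing certificates / CAs
    db_hashes: set = field(default_factory=set)   # trusted image hashes
    dbx_certs: set = field(default_factory=set)   # revoked certificates
    dbx_hashes: set = field(default_factory=set)  # revoked image hashes

def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def authorize(policy: SecureBootDb, image: bytes, signer: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). The forbidden database (dbx) is consulted first, so a
    revoked hash or certificate blocks an image even if db would otherwise allow it."""
    h = image_hash(image)
    if h in policy.dbx_hashes:
        return False, "image hash revoked (dbx)"
    if signer is not None and signer in policy.dbx_certs:
        return False, "signing certificate revoked (dbx)"
    if h in policy.db_hashes:
        return True, "image hash trusted (db)"
    if signer is not None and signer in policy.db_certs:
        return True, "signature chains to trusted certificate (db)"
    return False, "unsigned or untrusted image"

def demo() -> dict:
    """Constructed firmware policy and boot-time images (all names are made up)."""
    loader, shim, oprom = b"constructed OS loader", b"constructed hash-listed shim", b"constructed option ROM"
    policy = SecureBootDb(db_certs={"Example OS Loader CA"}, db_hashes={image_hash(shim)})
    results = {
        "signed_loader":  authorize(policy, loader, "Example OS Loader CA"),
        "hash_listed":    authorize(policy, shim, None),
        "unsigned_oprom": authorize(policy, oprom, None),
        "unknown_signer": authorize(policy, b"constructed image", "Unknown CA"),
    }
    # Revocation: the loader's hash is pushed to dbx (e.g. an insecure old version),
    # so the identical image is refused even though its certificate is still in db.
    policy.dbx_hashes.add(image_hash(loader))
    results["revoked_loader"] = authorize(policy, loader, "Example OS Loader CA")
    return results

if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:15} {'BOOT' if allowed else 'REFUSE':6} {reason}")
```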


Windows 7
BIOS -> OS Loader (Malware) -> 3rd Party Drivers (Malware) -> Anti-Malware Software Start -> Windows Logon
Malware able to hide and remain undetected
Systems can be compromised before AM starts

Windows 8
Native UEFI -> Windows 8 OS Loader -> Windows Core, Kernel, Anti-Malware -> 3rd Party Drivers -> Windows Logon
Secures Windows system files (e.g. kernel) and drivers
Starts and protects ELAM-based AM software
Automatic remediation/self-healing if compromised

PIN and Picture Password: both are easy-to-use sign-in options for touch devices
Picture password offers a secure (blog) personal sign-in experience that is easy to remember

Length | PIN         | Password (a-z)  | Password (complex) | Picture Password
1      | 10          | 26              | n/a                | 2,554
2      | 100         | 676             | n/a                | 1,581,773
3      | 1,000       | 17,576          | 81,120             | 1,155,509,083
4      | 10,000      | 456,976         | 4,218,240          |
5      | 100,000     | 11,881,376      | 182,790,400        |
6      | 1,000,000   | 308,915,776     | 7,128,825,600      |
7      | 10,000,000  | 8,031,810,176   | 259,489,251,840    |
8      | 100,000,000 | 208,827,064,576 | 8,995,627,397,120  |

Account Lockout Policy - Account lockout threshold + Account lockout duration


Security Option Policy - Interactive logon: Machine account lockout threshold
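Added example, not from the slide deck: it recomputes the key-space table above and shows what the lockout policies do to online guessing. The PIN and a-z columns are 10^n and 26^n; the "Password (complex)" column is reproduced by the model 26^(n-1) * 20 * n * (n-1), which is my inference rather than anything the slide states; the lockout figures (10 attempts, 30 minutes) are constructed.

```python
# Added example, not from the slide deck: recompute the sign-in key-space table and
# show what an account lockout policy does to an online guessing attack.
DIGITS, LOWER, EXTRA = 10, 26, 20   # EXTRA: assumed pool of uppercase/digit/symbol extras

def pin_space(n):
    """Numeric PIN of n digits."""
    return DIGITS ** n

def lower_space(n):
    """Password of n characters drawn only from a-z."""
    return LOWER ** n

def complex_space(n):
    """Model (my inference, not stated on the slide) that reproduces the
    'Password (complex)' column: n-2 lowercase letters, one uppercase letter (26
    choices) and one character from a 20-symbol pool, the two specials placed in
    any of the n*(n-1) ordered position pairs. Undefined below length 3."""
    if n < 3:
        return None
    return LOWER ** (n - 2) * LOWER * EXTRA * n * (n - 1)

def keyspace_table(max_len=8):
    """Rows of (length, PIN, a-z password, complex password), as on the slide."""
    return [(n, pin_space(n), lower_space(n), complex_space(n))
            for n in range(1, max_len + 1)]

def hours_to_exhaust(space, lockout_threshold, lockout_minutes):
    """Worst-case hours to try every value online when `lockout_threshold` failed
    attempts lock the account for `lockout_minutes` (constructed model: the guesser
    always hits the threshold and then waits out the lockout)."""
    rounds = -(-space // lockout_threshold)        # ceiling division
    return rounds * lockout_minutes / 60

if __name__ == "__main__":
    for n, pin, lower, cplx in keyspace_table():
        print("%d %14d %18d %20s" % (n, pin, lower, cplx if cplx else "n/a"))
    # Without lockout a 4-digit PIN is 10,000 guesses; with threshold 10 and a
    # 30-minute lockout the same exhaustive search takes 500 hours of wall-clock time.
    print("4-digit PIN, lockout 10/30 min: %.0f hours" % hours_to_exhaust(pin_space(4), 10, 30))
```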
Wired - Kill the Password: Why a String of Characters Can't Protect Us Anymore (Mat Honan)
Email addresses have become universal usernames, making them a single point of failure
Basic personal info is enough to trick customer service agents into revealing more sensitive information
Malicious users use information on one service to gain entry into another
Hacked email accounts enable malicious users to reset your password on other sites (e.g. your investment account)

Easy-to-deploy and cost-effective way to enable strong multi-factor auth
Provides a secure, seamless, and always-ready experience for end users
Deployment at scale requires a management solution. Intercede's MyID solution was first to market and was available at launch.
Recent Criticism Response
Access based on an Access Control List that defines rights and auditing policy
Access is granted based entirely on successful authentication of the user
Good at making sure the right users get access
Unable to prevent compromised devices from getting access to resources

Adds vetting of a device's security state to the access decision-making process
Leverages Windows 8 Measured Boot, Remote Attestation, Enhanced Access Control
Scenarios: Secure Access to Corporate Resources; Secure Transactions and Banking; Protection of Digital Content; More

Remote Attestation components will be delivered by 3rd-party ISVs
Current Windows 8 deployments not pervasive enough
Mixed Windows environments (Windows XP, 7, and 8)
Tier 1 ISVs very interested but not yet committed to delivering solutions, waiting
Near-term solutions will need to come from Microsoft Services and Solution Integrators
Measurements are secured and protected by the system's Trusted Platform Module (TPM)
Automatically enabled when a TPM is present

Windows 8 measured boot chain: BIOS/UEFI -> Windows 8 OS Loader -> Windows Kernel & Drivers -> Anti-Malware Software -> 3rd Party Drivers -> Remote Attestation

The Remote Attestation client communicates with the Remote Attestation service
The service analyzes data on request, comparing it against known-good Measured Boot (MB) values and other policy requirements
The service issues a security health determination via a Health Claim, which becomes part of the user's Kerberos ticket
Windows Access Control policy doesn't natively support claims; however, Dynamic Access Control and SharePoint do. Claim support can be added through extensibility.
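Added example, not Microsoft's or any ISV's code: a model of Measured Boot and the Remote Attestation check described above. A TPM extends a PCR as PCR = SHA-256(PCR || SHA-256(component)), so the final value depends on every measured component and its order; the service replays the client's log, checks it against the TPM-quoted PCR, and compares each measurement with known-good values before issuing a health claim. The component names and image bytes are constructed; a real TPM quote would also be signed by the TPM, which this model omits.

```python
# Added example, not Microsoft's code: a model of Measured Boot plus the Remote
# Attestation check. The TPM extends a PCR as PCR = SHA-256(PCR || SHA-256(component));
# the service replays the log, checks it against the quoted PCR, and compares each
# measurement with known-good values. (A real quote is TPM-signed; omitted here.)
import hashlib
from typing import Dict, List, Tuple

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    return sha256(pcr + measurement)

def measured_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Client side: measure each boot component into a PCR (initially 32 zero bytes)
    and keep an event log of (name, digest hex) that the verifier can replay."""
    pcr, log = bytes(32), []
    for name, image in components:
        digest = sha256(image)
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log

def replay(log: List[Tuple[str, str]]) -> bytes:
    pcr = bytes(32)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr

def evaluate(quote: bytes, log: List[Tuple[str, str]], known_good: Dict[str, str]) -> dict:
    """Service side: (1) the log must replay to the TPM-quoted PCR, otherwise the log
    was edited; (2) every component's digest must equal its known-good value."""
    if replay(log) != quote:
        return {"healthy": False, "reason": "log does not match TPM quote"}
    bad = [name for name, d in log if known_good.get(name) != d]
    if bad:
        return {"healthy": False, "reason": "unknown measurement", "components": bad}
    return {"healthy": True, "reason": "all measurements match known-good values"}

def demo() -> dict:
    """Three constructed boots: clean, a tampered 3rd-party driver, and the same
    tampered boot presented with a log edited to look clean."""
    clean = [("UEFI firmware", b"fw-1.0"), ("OS loader", b"bootmgfw"), ("Kernel", b"ntoskrnl"),
             ("ELAM driver", b"elam.sys"), ("3rd party driver", b"vendor.sys")]
    clean_pcr, clean_log = measured_boot(clean)
    known_good = dict(clean_log)                         # golden values from a clean boot
    tampered = [(n, b"vendor.sys+patch") if n == "3rd party driver" else (n, img) for n, img in clean]
    tampered_pcr, tampered_log = measured_boot(tampered)
    return {"clean": evaluate(clean_pcr, clean_log, known_good),
            "tampered": evaluate(tampered_pcr, tampered_log, known_good),
            "forged_log": evaluate(tampered_pcr, clean_log, known_good)}
```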
Device Registration & Periodic Refresh of Health Data (BYOD)
Components: Registration Portal, ADFS with extension, Attestation Server, user's personal device
Step 1: User registers personal device
Step 2: Portal redirects new device to ADFS
Step 3: User authenticates with domain credentials
Step 4: ADFS extension doesn't find user/device info in Attestation Server
Step 5: Client agent installed on device
Step 6: Agent sends device health data
Step 7: Agent enrolls vSC for logon cert

Attestation & Verified Access to Secure Resources
Components: Employee's Win8 Tablet (BYOD - unmanaged device), SharePoint project site, ADFS with extension, Attestation Server
Step 1: User tries to access project site
Step 2: Project site needs device claims
Step 3: Device requests claims from extension running on ADFS server
Step 4: ADFS extension verifies device information from Attestation Server
Step 5: ADFS issues claims token
Step 6: Device uses claims token to gain access to documents on project site

Proof-of-Concept Flow
http://www.jwsecure.com
http://www.gdc4s.com
http://www.iddataweb.com
http://www.dminc.com
There are two types of enterprises in the U.S.

Those who realize they've been hacked.

Those who haven't yet realized they've been hacked.


There are threats that are familiar and those that are modern.

Familiar | Modern
Script kiddies; cybercrime | Cyber-espionage; cyber-warfare
Cybercriminals | State-sponsored actions; unlimited resources
Attacks on Fortune 500 | Organizations in all sectors getting targeted
Software solutions | Hardware-rooted trust the only way
Secure the perimeter | Assume breach. Protect at all levels
Hoping I don't get hacked | You will be hacked. How well did you mitigate?
Provable PC Health
The Challenge
UEFI and Trusted Boot are very effective, but make no promises
Malware is still able to hide by turning off defenses
No great way for devices to vet themselves
Opportunities
Remote Attestation
APIs available for Boot Integrity Security Status
Adoption
ISVs not delivering Remote Attestation services
SIs building for niche, well-funded customers
Our Goal in Blue
Deliver a Remote Health Analysis service for Windows
Provide remediation and notification services
Introducing Provable PC Health
Client state data: Measured Boot, Action Center Status (Secure Data)
1. Client sends periodic heartbeat with state data
2. Cloud service consumes data and analyzes it
3. If an issue is detected, the cloud sends a message to the client with a remediation recommendation
4. Client responds to the recommendation
   a) Machine remediation
   b) Account remediation
Enhancements to Windows Defender and Internet Explorer
Windows Defender
Malware is almost always designed to talk to the world; that's its weakness
Adding high-performance behavior monitoring
Identifies malicious patterns of behavior (file, registry, process, thread, network)
Activity log sent to the cloud for analysis; signatures may be issued later

Internet Explorer
Malicious websites attempt to exploit vulns in binary extensions (e.g. ActiveX)
Binary extensions are executed immediately, bypassing AM
API available that enables AM solutions to scan before execution
Mitigation Technologies
Protected Process Hardening
Pass the Hash
Windows Enterprise: windows.com/enterprise
windows.com/ITpro
microsoft.com/mdop
microsoft.com/dv
microsoft.com/windows/wtg
tryoutlook.com
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn

For More Information
System Center 2012 Configuration Manager
http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33
Windows Intune
http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy
Windows Server 2012
http://www.microsoft.com/en-us/server-cloud/windows-server
Windows Server 2012 VDI and Remote Desktop Services
http://technet.microsoft.com/en-us/evalcenter/hh670538.aspx?ocid=&wt.mc_id=TEC_108_1_33
http://www.microsoft.com/en-us/server-cloud/windows-server/virtual-desktop-infrastructure.aspx

More Resources:
microsoft.com/workstyle
microsoft.com/server-cloud/user-device-management
