WINDOWS 8 SECURITY

PROTECTING THE CLIENT AGAINST THREATS

Microsoft Windows 8 builds on the security features of Windows 7. It enables the enterprise to provide a secure and stable computing platform from which users can accomplish their tasks. Three primary areas are the focus of the Microsoft security approach:
1. Protect the client against threats.
2. Protect sensitive data.
3. Secure access to resources.

To help protect a client against threats, Windows 8 offers several enhancements such as Trusted Boot, Internet Explorer SmartScreen Application Reputation, and app sandboxing. The changes made to BitLocker in Windows 8 highlight the efforts to protect sensitive data. Securing access to resources centers on virtual smart cards and Dynamic Access Control. The Unified Extensible Firmware Interface (UEFI) offers several key advantages over traditional computer BIOS, such as the ability to initialize devices like the mouse prior to handing off control to the operating system. UEFI also provides security enhancements such as network unlock and self-encrypting drive support for BitLocker.

BOOT OPTIONS FOR SECURITY

This section looks at two boot options: Secure Boot and Measured Boot.

Secure Boot

After the normal Power On Self Test (POST) activities, a computer hands the boot process off to a boot loader. With traditional BIOS, the boot process could be handed off to malware just as easily as a legitimate operating system. Secure Boot helps to prevent this attack vector by using databases containing pre-approved signatures and images that can be used for the computer.

NOTE Secure Boot requires UEFI 2.3.1 but does not require a Trusted Platform Module (TPM).

Secure Boot uses three databases. The first database, known as the signature database (db), contains signatures and hashes of images for things like UEFI applications and operating system loaders. The second database, known as the revoked signatures database (dbx), contains images that have been revoked or are otherwise marked as untrusted. The final database used in Secure Boot is the Key Exchange Key database (KEK), which contains keys that can be used to sign updates to the signature and revoked signatures databases. The firmware non-volatile RAM (NVRAM) is populated with these databases when the computer is manufactured. Further changes to the firmware are prevented unless the changes are signed with the correct signature. A platform key, which can be used to turn off Secure Boot, is generated once the firmware has been locked.

The boot sequence for Trusted Boot is as follows. It includes the steps for the UEFI Secure Boot feature as well as the Trusted Boot process in Windows 8.
1. The platform key is queried in the signature databases.
2. If untrusted firmware is encountered, the UEFI firmware initiates recovery (specific to the computer manufacturer) to remediate the issue.
3. At this point, the UEFI Secure Boot process is complete and the Windows Boot Manager takes over. If there is a problem with the Windows Boot Manager, a backup copy of the Windows Boot Manager is used. If the backup copy has problems, recovery is initiated specific to the computer manufacturer.
4. Once the Windows Boot Manager takes over, if a problem is noticed with vital Windows drivers or the kernel, the Windows Recovery Environment (RE) is started.
5. Early Launch Antimalware (ELAM) compliant software is loaded.
6. The remaining drivers and user processes are started.
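The db and dbx databases described above are stored in firmware variables as a sequence of EFI_SIGNATURE_LIST structures, each holding a signature-type GUID, three size fields and a run of entries that pair an owner GUID with a hash or certificate. As an added example (not from the original text or from Microsoft), the following Python parser walks that structure and then models the firmware's allow/revoke decision for an image hash: an entry in dbx rejects the image regardless of db, and only a db entry allows it. The two signature-type GUIDs are the UEFI specification's own; the owner GUID, the fake certificate bytes, the image hashes and the sample db/dbx contents are constructed here. On a Windows 8 machine the real variable contents can be read with Get-SecureBootUEFI -Name db (its Bytes property) and fed to parse_signature_lists.

```python
import hashlib
import struct
import uuid
from dataclasses import dataclass

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HEADER_LEN = 28  # EFI_GUID SignatureType + SignatureListSize + SignatureHeaderSize + SignatureSize


@dataclass(frozen=True)
class Signature:
    sig_type: uuid.UUID   # which EFI_SIGNATURE_LIST the entry came from
    owner: uuid.UUID      # SignatureOwner: the party that enrolled the entry
    data: bytes           # SHA-256 image hash or DER certificate


def parse_signature_lists(blob):
    """Parse a db/dbx variable value: one or more EFI_SIGNATURE_LIST structures back to back."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # Every size field comes from untrusted input; bound-check before slicing.
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize overruns the variable")
        if sig_size <= 16:
            raise ValueError("SignatureSize too small to hold an owner GUID")
        body_off = off + HEADER_LEN + hdr_size
        body_len = list_size - HEADER_LEN - hdr_size
        if body_len % sig_size:
            raise ValueError("signature body is not a whole number of entries")
        for i in range(body_len // sig_size):
            s = body_off + i * sig_size
            entries.append(Signature(sig_type,
                                     uuid.UUID(bytes_le=blob[s:s + 16]),
                                     bytes(blob[s + 16:s + sig_size])))
        off += list_size
    return entries


def build_signature_list(sig_type, owner, items):
    """Inverse of the parser; used here only to construct sample variable contents."""
    sig_size = 16 + len(items[0])
    if any(len(d) != sig_size - 16 for d in items):
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(owner.bytes_le + d for d in items)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body


def image_hash_decision(image_hash, db_blob, dbx_blob):
    """Model the firmware check for a hash-enrolled image: dbx wins, then db, else unknown."""
    def hashes(blob):
        return {e.data for e in parse_signature_lists(blob) if e.sig_type == EFI_CERT_SHA256_GUID}
    if image_hash in hashes(dbx_blob):
        return "revoked"
    if image_hash in hashes(db_blob):
        return "allowed"
    return "unknown"


# Constructed sample data; not the contents of any real firmware.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
GOOD_LOADER = hashlib.sha256(b"sample-good-bootloader").digest()
OLD_LOADER = hashlib.sha256(b"sample-old-bootloader").digest()
FAKE_CERT = b"\x30\x82" + b"\x00" * 30  # stand-in for a DER certificate
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [GOOD_LOADER, OLD_LOADER]))
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [OLD_LOADER])

if __name__ == "__main__":
    for e in parse_signature_lists(SAMPLE_DB):
        print(e.sig_type, e.owner, e.data.hex()[:16])
    for h in (GOOD_LOADER, OLD_LOADER):
        print(h.hex()[:16], image_hash_decision(h, SAMPLE_DB, SAMPLE_DBX))
```

The parser checks every size field before slicing because the variable is input the firmware (or any tool reading it) cannot assume is well formed; a list that claims to extend past the end of the blob is rejected rather than silently truncated.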

Windows 8 can be deployed to devices that support UEFI's Secure Boot capability using the same tools that you already use to deploy Windows.

Measured Boot aims to improve network health by ensuring that clients meet a certain health status before being granted access to resources. The specific scenario protected with Measured Boot surrounds the boot process itself. For example, a file server might ask the client to prove that its boot process was healthy. The client can then pass its health data to the Remote Attestation service from which a Client Health Claim will be obtained and passed to the file server in order to obtain access. Measured Boot works in conjunction with the Trusted Platform Module (TPM) to provide the measurements through Platform Configuration Registers (PCR). Included in the Measured Boot measurements is a log of all kernel components and boot-related drivers that have been loaded.
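Measured Boot works because each component loaded during boot is hashed and the hash is folded into a PCR with the TPM extend operation (new PCR = hash(old PCR || measurement)), while the log records which component produced each measurement. The attestation side replays the log and accepts it only if the replay reproduces the PCR value the TPM reports, then judges the individual measurements against a known-good list. The following Python is an added illustration of that replay, not Microsoft's Remote Attestation service: it uses a single SHA-1 PCR (the TPM 1.2 size), a hypothetical list of boot components, and omits the TPM's signature over the PCR quote, which a real service would verify before trusting the value.

```python
import hashlib

PCR_BYTES = 20  # TPM 1.2 PCRs are SHA-1 sized; the PCR starts at all zeros


def measure(component_bytes):
    """Measurement of one boot component: the hash of its contents."""
    return hashlib.sha1(component_bytes).digest()


def extend(pcr, digest):
    """TPM extend: the PCR only moves forward, it can never be set to a chosen value."""
    return hashlib.sha1(pcr + digest).digest()


def boot_and_log(components):
    """Simulate the client side: measure each component, extend the PCR, append to the log."""
    pcr = bytes(PCR_BYTES)
    log = []
    for name, data in components:
        digest = measure(data)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log):
    """Recompute the PCR from the log alone, exactly as the attestation service does."""
    pcr = bytes(PCR_BYTES)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def evaluate_health_claim(quoted_pcr, log, known_good):
    """Attestation side. Returns (healthy, reasons).
    Integrity: the log must reproduce the PCR the TPM quoted.
    Policy: every logged component must match its known-good measurement."""
    reasons = []
    if replay_log(log) != quoted_pcr:
        reasons.append("log does not reproduce the quoted PCR value")
    for name, digest in log:
        if known_good.get(name) != digest:
            reasons.append(f"unexpected measurement for {name}")
    return (not reasons, reasons)


# Hypothetical boot chain; the names mirror the order in the Trusted Boot sequence above.
BOOT_CHAIN = [
    ("bootmgr", b"sample Windows Boot Manager"),
    ("winload", b"sample Windows OS loader"),
    ("ntoskrnl", b"sample kernel"),
    ("elam_driver", b"sample ELAM driver"),
    ("disk_driver", b"sample boot-start driver"),
]
KNOWN_GOOD = {name: measure(data) for name, data in BOOT_CHAIN}
TAMPERED_CHAIN = [(n, b"sample kernel (modified)" if n == "ntoskrnl" else d) for n, d in BOOT_CHAIN]


def healthy_boot():
    pcr, log = boot_and_log(BOOT_CHAIN)
    return evaluate_health_claim(pcr, log, KNOWN_GOOD)


def tampered_kernel_boot():
    """A modified kernel is measured honestly: the log is consistent but fails policy."""
    pcr, log = boot_and_log(TAMPERED_CHAIN)
    return evaluate_health_claim(pcr, log, KNOWN_GOOD)


def edited_log_boot():
    """A log rewritten after boot to look clean cannot reproduce the TPM's PCR."""
    pcr, log = boot_and_log(TAMPERED_CHAIN)
    clean_looking_log = [(n, KNOWN_GOOD[n]) for n, _ in log]
    return evaluate_health_claim(pcr, clean_looking_log, KNOWN_GOOD)


if __name__ == "__main__":
    for label, result in (("healthy", healthy_boot()),
                          ("tampered kernel", tampered_kernel_boot()),
                          ("edited log", edited_log_boot())):
        print(label, result)
```

The two failure cases show why the PCR and the log are both needed: the log says what was loaded, and the PCR, which only the TPM can advance, proves the log has not been rewritten since.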