| Basel

Windows 8.1 SecurityTechNet Event November 25th, 2013

Martin Weber

Technology Solution Professional

Microsoft Switzerland Ltd.

In the news…Microsoft Exposes

Scope of Botnet ThreatBy Tony Bradley, October 15, 2010

Microsoft's latest Security

Intelligence Report focuses on

the expanding threat posed by

bots and botnets.

Researchers Discover Link

Between TDSS Rootkit and

DNSchanger TrojanBy NICK BILTON , May 2, 2011

TDSS rootkit, the hard-to-remove

malware behind numerous

sophisticated attacks, appears to

have helped spread the

DNSchanger Trojan.

Windows 8 and 8.1 Security Capabilities

Securing the Sign-In

Secure Access to Resources

Securing Device with EncryptionSecuring the Boot

Securing the Code and Core

Securing the Desktop

First Class Biometric Experience

Multifactor Auth for BYOD

Trustworthy Identities and Devices

Virtual SmartCard

Provable PC Health

Improved Windows Defender

Improved Internet Explorer

Improved System Core Hardening

Pervasive Device Encryption

Selective Wipe of Corp Data

Refresh and Reset

Enhanced BitLocker Drive Encryption Protection

New Secure Boot Options

What’s New in Windows 8.1 Security

Tools for Windows 8.1 Recovery

Windows Tools & Techniques:

• System Restore

• Safe Mode and related

New Windows 8.1 Refresh and Reset capabilities

Windows 8.1 Refresh vs. Reset

Refresh: Reset:

Does not keep customizations and data

Keeps customizations and data

Keeps Windows 8.1 Apps

Does not format before reinstall Formats the drive before reinstall

Does not keep Windows 8.1 Apps

Groundbreaking Enterprise Security

Builds on Windows 7 Technologies

Enhanced BitLocker Protection

UEFI Support for Trusted Boot

Windows Defender andWindows Firewall

BitLocker Enhancements in Windows 8.1

Encryption of Full Disk or just the data at rest (aka “used Disk Space”)

Encrypt during installation

Support for eDrives, iSCSI and

Fiber Channel Drives

EFI System

Partition

(bootmgr.efi)

OS Partition

(Windows

Runtime,

User Data)

Data Partition

(User Data)WinRE

Partition

OEM

Partition

= Encrypted = Not Encrypted

Hard Disk

Recovery

Image

Partition

FVEKSRK

VMK

Trusted Platform Module 2.0 Support

New BitLocker Recovery Options

SkyDrive Recovery Key escrow is new to Windows 8.1Several recovery options

Group Policy (GPO) and BitLocker

Numerous Group Policy settings

around the unlock method

Policies for enterprise scenarios

BitLocker Protectors

Numerous protectors:• Password protector for non-TPM

• Active Directory

• Network

Network Unlock for OS Volumes Scenario:

Enables PCs connected to corporate network to boot without PIN

Simplifies patch process for servers and desktops, wake on LAN, ease of use for end users

Requirements:

UEFI 2.3.1 support for DHCPv4 and DHCPv6 Network

Key

ServerEFI DHCP

PROTOCOL

Key Request

Client Key

Secure Network

TPM

Windows RT Device Encryption

Available for Windows RT devices

Optimized for slate form factor

Complex

PINs and

FIPs

MBAM is

enterprise-level

tool for

BitLocker

Role-based

access

control

Compliance

reports

Microsoft BitLocker Administration and Monitoring: Compliance and security

UEFI Support in Windows 8.1

The new UEFI BIOS (System on a Chip – SoC) helps ensure that the computer loads only trusted operating systems.

Legacy vs. Modern, Trusted UEFI Boot Process

Windows 7 BIOSOS Loader

(Malware)

3rd Party

Drivers

(Malware)

Anti-Malware

Software

Start

Windows

Logon

Windows 8Native

UEFI

Windows 8

OS Loader

Anti-Malware

Software

Start

3rd Party

Drivers

Windows

Logon

Malware is able to boot before Windows and Anti-Malware• Malware able to hide and remain undetected

• Systems can be compromised before Anti-Malware starts

Trusted Boot loads Anti-Malware early in the boot process• Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft

• Windows starts Anti-Malware software before any 3rd party boot drivers

• Malware can no longer bypass AM inspection

Trusting the UEFI Boot Process

Updates to UEFI are secure

(Firmware, Drivers, OS Boot Loader have to be all

digitally signed)

UEFI does self-check

Secure, Trusted and Measured Boot

Trusted boot prevents unauthorized boot loaders

Measured boot provides measurements about the boot process

Protect against the Known and the Unknown

Malware resistant by design

Familiar tools updated for Windows 8.1

Windows 8.1 Client Protection

Windows 8.1 Modern App Protection

Strong screening process for Windows Store

Low privilege and capability declaration

Discrete app containers

Summary of Security Enhancements

Familiar tools still used in Windows 8.1

DaRT and MDOP have been updated for Windows 8.1

Trusted boot and post-boot protected

BitLocker includes numerous enhancements