Hello everyone!

Thanks again for Applixure for giving me the opportunity to write a guest blog ☺ I love this topic so I fear it might end up being a long story so try to hang in there and read through!

This time I thought I’d take the opportunity to talk about the importance of choosing correct devices to build strong security.

Many years I saw people listing the requirements for their company PC’s like this:

  • Intel i5 or better
  • 2GB of RAM or more
  • 40 GB HDD or more

Everyone started to assume network connectivity and many more small details so usually the list looked at least something like that. My list has always had PXE and vPro to add as they were not always included especially with tablets. All these lists are still fine from performances (for basic office use) or manageability’s point of view – but definitely NOT security’s.

Everything depends on the OS you are running but if you buy new computers now you should aim for the following to make sure you can run Windows 10 in the future. If you are saying you won’t deploy Windows 10 (and you are not changing to OSX or Linux) you are lying. Windows 10 is to be the last OS so at some point you will go to Windows 10. The below is a list of what to make sure you have for future when you choose a hardware model. After that I’ll go through the security aspect in more detail on why.

Security

  • UEFI (goes for security, manageability and performance)
  • 64-bit hardware only! (this goes for performance as well)
  • SecureBoot
  • TPM (version 2.0 if available but minimum 1.2)
  • Processor with virtualization support + SLAT
  • Devices that don’t have Firewire, ThunderBolt or other busses that support DMA
    • With Windows 7 I’d say this is a must but with Windows 10 on a PC that has an IOMMU these devices can be used
  • Fingerprint reader or RealSense 3D camera if you want to use Windows Hello in Windows 10

Manageability

  • PXE (for IPv6 as well if possible)
  • vPro with graphical KVM ability (my personal preference as I want to be able to KVM into all PC’s without an OS)

Performance

  • SSD 120GB at least for the OS (I believe it’s silly to not buy an SSD as your users will love it)
  • 4 GB of RAM or more (that’s just my opinion)
  • Intel Skylake (6th Generation) processors were built in cooperation with Microsoft to support Windows 10 so they offer the most features for it

 

Let’s start with two basic laws of security in the Windows OS.

To have secure Windows devices you need to have the two most important things in place: Hard disk encryption and principle of Least Privilege.

The basic rule applies: If you are an admin you can disable encryption – if you don’t have encryption you get admin rights. This is why you need both.

If you don’t take my word for it I’m happy to say that both Microsoft and NSA just recently listed these on their most important recommendations as well.

To have proper disk encryption you need two things: TPM and SecureBoot. In short let’s go through these two:

TPM is a chip (or piece of code in the firmware for some 2.0 versions) that can create, manage and secure secrets. Usually it stores keys for some sort of encryption usage. TPM 1.2 is the minimum requirement for everything else except “Server based machine health attestation service” in Windows 10. Also future features are only promised to be supported if you have 2.0 TPM.

One other great thing about 2.0 is the fact that it finally has common rules for locking down. TPMs are usually secured by some authentication method like a PIN. This PIN, if guessed wrong, will lock the TPM for some time.

Now in 1.2 there are no rules on how many times it can stand incorrect guesses and how long it will stay locked – every manufacturer decides this by themselves so it’s really hard to administer. With 2.0 the rules are simple: 32 wrong guesses and it locks for 1 hour.

All the secrets inside of a TPM are protected with a hash value of your boot environment as well. So if someone changes something in your environment it locks down.
Examples would be booting a different OS, changing the UEFI or hacking your Boot Loader, MBR or Boot sector. TPM as itself is enough for most computers to protect you but you can add a PIN-code or a USB-key for extra protection as a second authenticator.

Without a TPM your OS and data in your hard disk are in no way tied to the physical device either so anyone can remove the disk and keep cracking it somewhere else on another machine. In Windows the most important thing for a TPM is to protect your BitLocker encryption. The key that is used to decrypt your hard disk on the fly is stored on the TPM. It can’t be accessed if anything in your boot environment changes.

In Windows 10 it’s also the place for the key needed to open your secrets like the new Windows Passport authentication. Windows 10 suggests you use a PIN code or Biometrics to secure your secrets. If you don’t have a TPM your key is stored in the registry which is far less secure than a TPM.

One of the protectors of a TPM in Windows 8.1 or 10 is also SecureBoot so let’s talk about that next.

SecureBoot requires UEFI and Windows 8.1 or 10. SecureBoot makes sure that only Boot Loaders signed by trusted publishers can be booted up. Mostly this means that only Microsoft signed loaders are trusted but that does include a few Linux distros as well. The most common way to crack BitLocker or other encryptions has been to freeze the computer memory and then boot with a minimal Linux kernel to read the encryption key from the memory. This is also known as the Princeton attack. This is impossible with SecureBoot as are many other forms of offline attacks.

With Windows 10 the whole structure of the OS changes in one important way.
If you have virtualization and SLAT-support you can run a Secure Kernel with an Isolated User Mode on top of it that houses protected processes known as Trustlets. These processes house secrets and keep them protected from Kernel level attacks like attacks using device drivers. It can even protect you against DMA-attacks if you have an IO-MMU (Memory Management Unit for IO-operations) in your PC.

This also blocks Pass-The-Hash attacks against domain users with a feature called Credential Guard. If you hear someone saying that it only protects against domain and not local user pass-the-hash attacks that’s true but local user Pass-The-Hash should not be an issue if you’ve done your security right – the most important thing being that no two computers have admin accounts with the same passwords. If you’ve not taken care of this yet see my blog for options at: http://blog.win-fu.com/2015/10/adminizer-still-beats-laps.html

 

The before mentioned are more just technical features to implement but the most important one, the Principle of Least privilege, is many times harder than just technically implementing it as it often involves politics and changes in the way people are used to work . Every major company working in security has finally admitted the same thing that the Microsoft documentation has stated for 15 years – you can’t keep environments clean without the end users using limited user rights. I’ve worked with hundreds of companies implementing least privilege since 2002. It was possible with Windows XP and it’s way more easier with Windows 7 and 10.

As I take part in Applixure’s operations as a technical advisor for the operating systems and security this has been one of my biggest requests to get Applixure to inventory. I love the way I can now see not only the technical details of TPM but also the way a company takes care of the principle of least privilege.

Although all the major Anti-Malware companies have said their reactive products can’t protect companies anymore in 2015/2016 everyone still agrees that reactive measures are needed on top of proactive measures. Applixure takes also this into account by displaying the current status of Anti-Malware, security updates and local firewall.

Great job guys!

Thanks for reading,
Sami