Thursday, March 2, 2017

Securing hardware

The first layer of protection for a Windows 10 device is the hardware itself. Key security features in Windows 10 (originally introduced in Windows 8.1) take advantage of modern hardware designs. Although you can install and run Windows 10 on older hardware, you’ll get best results when these two capabilities are present:

■ Unified Extensible Firmware Interface (UEFI) After 30 years, the PC BIOS has finally been retired. Its replacement is UEFI, a firmware interface that takes over the functions traditionally performed by the BIOS. UEFI plays a critical role in security with Windows 10, offering the Secure Boot capability and support for self-encrypted drives, for example. (I’ll say more about both of those features later in this chapter.) UEFI has been a requirement for original equipment manufacturers (OEMs) to certify a system or hardware device for Windows 8 or later under the Windows Hardware Certification Program (formerly known as the Windows Logo program).

■ Trusted Platform Module (TPM) A TPM is a hardware chip that supports high-grade encryption and prevents tampering with or unauthorized export of certificates and encryption keys. The TPM might be implemented as a standalone microcontroller or included as part of another component, such as a network module or a system on chip (SoC) integrated circuit. The TPM performs cryptographic operations and stores keys for BitLocker volumes and virtual smartcards. A TPM can also digitally sign data, using a private key that software can’t access. The presence of a TPM enables several key features in Windows 10, including BitLocker drive encryption, Measured Boot, and Device Guard. I discuss all of these features later in this chapter.

In addition, Windows 10 offers support for hardware devices that allow users to identify themselves using biometric information, such as a fingerprint, facial recognition, or an iris scan. Windows has had biometrics support since Windows XP. Windows 10 significantly improves the accuracy and integrity of the identification process; it also allows users to register devices as trusted, so that the biometric information becomes part of easy-to-use multifactor authentication schemes. (I discuss these features in more detail later in this chapter, in “Securing identities.”)

With the appropriate hardware support, Windows 10 can also take advantage of virtualization technologies to isolate core operating system services so that they are protected from attackers even if the Windows 10 kernel is compromised. The Hypervisor Code Integrity service ensures that all code running in kernel mode, including drivers, is working as it was designed. In addition, a new feature called Credential Guard isolates the Local Security Authority (LSA) service to protect domain credentials as well as those stored within Credential Manager.
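As an added example (not from the book), the following PowerShell function reports the hardware prerequisites and virtualization-based security features named above on a Windows 10 machine: firmware type, Secure Boot state, TPM presence and readiness, and whether Hypervisor Code Integrity and Credential Guard are running. It assumes an elevated session, and the numeric codes it decodes are those documented for the Win32_DeviceGuard WMI class.

```powershell
# Added example: report the hardware and VBS security baseline described above.
# Assumes an elevated PowerShell session on Windows 10 (Confirm-SecureBootUEFI
# and Get-Tpm both require administrator rights).
function Get-HardwareSecurityBaseline {
    [CmdletBinding()]
    param()

    # Firmware type: $env:firmware_type is "UEFI" or "Legacy" on Windows 8 and later.
    $firmware = $env:firmware_type

    # Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS systems,
    # so treat that as "not enabled" rather than as a script failure.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }

    # TPM presence and readiness. A chip that is present but not ready
    # (not enabled/owned) cannot protect BitLocker keys or virtual smartcards.
    $tpm = Get-Tpm
    $tpmSpec = (Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                    -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    # Virtualization-based security status from the Win32_DeviceGuard class.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = Hypervisor Code Integrity.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        FirmwareType           = $firmware
        SecureBootEnabled      = [bool]$secureBoot
        TpmPresent             = $tpm.TpmPresent
        TpmReady               = $tpm.TpmReady
        TpmSpecVersion         = $tpmSpec
        VbsStatus              = $vbsStatus
        CredentialGuardRunning = ($running -contains 1)
        HvciRunning            = ($running -contains 2)
    }
}

# Usage: flag a device that misses the UEFI + Secure Boot + ready-TPM baseline.
$baseline = Get-HardwareSecurityBaseline
$baseline | Format-List
if (-not ($baseline.FirmwareType -eq 'UEFI' -and $baseline.SecureBootEnabled -and $baseline.TpmReady)) {
    Write-Warning 'Device does not meet the UEFI + Secure Boot + ready TPM baseline.'
}
```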

Source of information: Microsoft Press, Introducing Windows 10 for IT Professionals
