O SlideShare utiliza cookies para otimizar a funcionalidade e o desempenho do site, assim como para apresentar publicidade mais relevante aos nossos usuários. Se você continuar a navegar o site, você aceita o uso de cookies. Leia nosso Contrato do Usuário e nossa Política de Privacidade.
O SlideShare utiliza cookies para otimizar a funcionalidade e o desempenho do site, assim como para apresentar publicidade mais relevante aos nossos usuários. Se você continuar a utilizar o site, você aceita o uso de cookies. Leia nossa Política de Privacidade e nosso Contrato do Usuário para obter mais detalhes.
Key Messages: Windows 8 enhances security and recovery Three focus areas: protecting devices, protecting data, secure access Many tools are familiar to IT pros
Windows 8 represents a step forward in security. Microsoft’s goals with Windows 8 focus on protecting devices against threats, protecting sensitive data, and securing access to resources.
When it comes to Windows 8 recovery and security, you'll already be familiar with most of the tools and terminology from your experience with Windows 7. There are a few new capabilities surrounding recovery and security, though. For example, Windows 8 uses BitLocker Drive Encryption, which has been improved, and the Diagnostic and Recovery Toolset (DaRT), which carries forward from Windows 7. Many of the advanced recovery tools like Safe Mode are still available, as well. And you can use System Restore, too.
This session looks at those new capabilities and shows how Windows 8 accomplishes its security goals. As you'll see in the coming slides, Windows 8 provides a comprehensive approach to security.
Key Messages: Refresh and Reset make recovery easier BitLocker has been enhanced Client protections have been enhanced New secure boot options support UEFI
Windows 8 includes new features to refresh and reset computers so that recovery is easier and faster. A refresh keeps many user personalizations intact while reinstalling the underlying operating system. This helps lessen the time spent re-creating personalizations that a user has introduced over time to help in their work. A reset completely begins again, providing a fresh copy of the operating system while losing individualized personalizations.
BitLocker has been enhanced for Windows 8. With BitLocker in Windows 8, you can encrypt only the part of the disk that is used; alternatively, you can use full disk encryption. BitLocker in Windows 8 allows for network unlock, and PIN and password changes by a regular user. The provisioning process has also been improved with BitLocker for Windows 8. Windows 8 includes vulnerability mitigating techniques and new device protections such as SmartScreen Application Reputation and sandboxing for Windows 8 apps.
Windows 8 includes two boot options that take advantage of Unified Extensible Firmware Interface (UEFI) Secure Boot and Measured Boot. Secure Boot uses digital signatures to ensure that only trusted firmware is allowed to boot the computer. Measured Boot works in conjunction with anti-malware software and provides a log of the drivers and other items that have loaded prior to the anti-malware software taking over.
Finally, Windows 8 secures access to resources through virtual smart cards and Dynamic Access Control. These features will be addressed throughout this session.
Tools for Recovery
Key Messages: Windows 7 tools still work Boot options are used for providing recovery Refresh and Reset provide a clean installation
You're probably familiar with the tools and techniques for recovering a Windows 7 computer. Many of these tools and techniques still work with Windows 8, but Windows 8 includes new options for recovery, too.
The System Restore tool is available with Windows 8. As in Windows 7, this tool restores the computer to a previous state based on a recovery point that was created at an earlier time. Advanced recovery options are also available, and you can boot into Safe Mode, too.
Getting into Safe Mode or the Boot Options screen is a little different in Windows 8. Windows 8 starts the Boot Options screen after two unsuccessful attempts to boot, as might be the case with a power failure or a driver issue. You can also get into the Boot Options screen by manually choosing to do so from within PC Settings in Windows 8.
Two new recovery features with Windows 8 are Refresh and Reset. These features take advantage of the Windows Recovery Environment (Windows RE).
Refresh and Reset
Key Messages: Refresh keeps personalizations Reset formats and reinstalls
Refresh works to retain items such as personalizations, Windows 8 apps, and many other customizations even while installing a fresh copy of the operating system. It does so by first examining the computer for data and settings, along with Windows 8 apps, and then placing them in a safe location on the computer.
A new version of Windows 8 is installed, and then the data, settings, and apps are restored onto that new version. The great thing about this option is that you don't need to re-create all of the customizations and initial setup steps that you would with a fresh install.
That said, there are times when the computer simply needs to be set back to its original state, and this is what the Reset option is for. When a computer goes through the Reset process, no data or customizations are kept. The Reset process erases the hard drive partitions, thus also erasing both Windows and any data that's there. Once that's done, a fresh copy of Windows is installed.
Refresh and Reset: Compared
Key Message: Comparing the Refresh and Reset options
A quick comparison of the Refresh and Reset options clearly shows the difference between the two options. Refresh keeps personalizations such as the desktop background; Reset does not. Refresh keeps Windows 8 apps; Reset does not. Refresh installs a clean copy of Windows onto the drive without formatting it; Reset formats the drive before installing Windows.
Advanced Diagnostics and Recovery
Key Messages: DaRT provides the next level in recovery DaRT has been updated for Windows 8 DaRT is part of MDOP
DaRT is an advanced environment to facilitate the troubleshooting, repair, and recovery of computers. DaRT helps IT evolve from reactive to proactive in the support of desktop systems. DaRT includes several tools that help determine the root cause of issues and then help to correct those issues. DaRT contains tools such as Crash Analyzer and System Restore and other tools familiar to IT pros.
Some of the things you can do with DaRT include resetting passwords, analyzing crashes, scanning for malware, removing hotfixes, repairing system files, disabling device drivers, and wiping disks.
DaRT has been updated for Windows 8 and Windows Server 2012. DaRT 8 includes support for UEFI boot modes, and GUID partition tables are also supported so that disk-related tools such as Disk Wipe will work with those types of partitions.
DaRT is part of the Microsoft Desktop Optimization Pack (MDOP). For that reason, an organization needs to have Software Assurance in order to use DaRT. DaRT requires that you have the Windows Assessment and Deployment Kit (ADK) before you can install the recovery-related items in DaRT. The Crash Analyzer in DaRT requires the Windows 8 Debugging Tools from the Windows Driver Kit. If you're going to be creating a Windows 8 x64 ISO image, you'll need the Windows RE image from the original Windows 8 media.
A Reimagined Recovery Image Wizard
Key Messages: The Recovery Image Wizard has been reimagined The wizard can generate a PowerShell script The wizard includes advanced tools and settings for image creation
The DaRT 8 Recovery Image Wizard has been reimagined for Windows 8. Images are now built by using PowerShell cmdlets. When an administrator uses Recovery Image Wizard, the end result is a script. This script can then be customized and used from that point forward.
DaRT can also now produce 32-bit and 64-bit images without requiring the use of specific 32-bit or 64-bit computers to produce the images; they can come from the same administrative workstation. All you need is access to the source media.
The DaRT Recovery Image Wizard walks you through each step of the process and gives you the opportunity to customize which tools will be added to the recovery image. You can add advanced options such as drivers, and you can configure Windows Defender to download the latest updates.
When you create the image, you can choose whether to create a standard Windows Image, an ISO image, or a PowerShell script (or all three). DaRT 8 includes the ability to create both Windows Imaging Format (WIM)- and ISO-formatted images. The ISO-formatted images can be placed directly onto USB media, which is a change from previous versions of DaRT, with which you needed to use more than one tool to use USB media.
More Flexible Deployment Options
Key Messages: DaRT has many deployment options DaRT can create USB media
DaRT can create images that are bootable with many types of media, but it's rare to find a floppy disk on a computer these days and it's also becoming rare to see even CD or DVD drives on an information worker's computer. That said, DaRT can create bootable CD or DVD media, as well as native USB media.
Not only can DaRT images be deployed on separate media, such as a USB flash drive, but DaRT images can also be placed directly on the local disk so that the DaRT tools can be accessed through the Boot Options screen whenever they're needed. In fact, DaRT 8 includes transparent UEFI support, so UEFI isn't a concern when using DaRT 8.
Local deployment is accomplished using tools such as MDT 2012 Update 1 or System Center 2012 Configuration Manager with Service Pack 1. You can also use Windows Deployment Services to deploy DaRT as a network service.
You'll see much more about the deployment options for DaRT images shortly.
Groundbreaking Enterprise Security
Key Messages: Windows 8 builds on the tools from Windows 7 BitLocker has been improved Trusted boot works with UEFI Numerous other enhancements and improvements
Now that you’ve seen some of the powerful and flexible features for recovery available in Windows 8, it's time to look at how Windows 8 has enhanced security. Windows 8 builds on the security features in Windows 7. Tools such as BitLocker have been improved for Windows 8, and Windows Defender and Windows Firewall continue to provide security for Windows 8 computers.
Windows 8 provides a comprehensive protection framework built around protecting devices against threats, protecting sensitive data, and securing access to resources.
When it comes to protecting devices against threats, Windows 8 supports the UEFI specification. The Windows 8 boot process, known as Trusted Boot, works with UEFI's Secure Boot to provide a more secure boot process Windows 8 also greatly enhances BitLocker to add new features such as used disk space encryption, network boot, and support for Trusted Platform Module (TPM) 2.0. Windows 8 is malware-resistant by design. Windows Defender provides an in-the-box anti-malware solution.
Windows 8 includes a feature called Smart Screen Application Reputation. Smart Screen Application Reputation uses a reputation-based system to examine websites and files downloaded from the Internet. If the file or site appears to be untrusted or has a bad reputation, the user is alerted to that fact before continuing.
Windows 8 Enhancements
Key Messages: BitLocker provides encryption of data at rest BitLocker has been vastly improved for Windows 8
BitLocker provides disk encryption that helps enterprise customers achieve their goal of securing data at rest. This means preventing unauthorized access to data when a device is lost or stolen.
BitLocker has been improved from Windows 8 to add support for new technology while adding value for enterprise customers.
The next several slides look at the new features in BitLocker.
TPM 2.0 Support
Key Messages: BitLocker supports TPM 2.0 Crypto Agility is now available
BitLocker includes support for TPM 2.0, in addition to the previous support for TPM 1.2. With TPM 2.0 comes Crypto Agility, which essentially means that the encryption algorithm used by TPM can be replaced later. This might be the case if a future encryption algorithm comes out that provides more security. It also enables the choice of encryption algorithm, which means that TPM 2.0 can be used in places where its use might have been prevented before.
This support includes both discrete and firmware-based TPM. When a supported secured execution environment is used, Windows Setup will provision a firmware-based TPM.
Key Messages: Performance is improved with used disk space encryption SAN support is available with BitLocker Support for eDrives
Encrypting an entire drive partition can take quite a long time. When you’re provisioning computers, this process can really add time to the entire deployment. BitLocker in Windows 8 can encrypt only used disk space. This capability is beneficial during installation when the encryption process can take place at the same time as the installation of Windows but only to the parts of the drive being used for the install.
Used disk encryption helps with SAN disks, as well. SAN volumes tend to be big, and used disk encryption cuts down on the time needed to make the SAN volume available. BitLocker supports iSCSI and Fibre Channel storage when the host bus adapter (HBA) or external RAID hardware have met Windows certification requirements.
Another area where BitLocker has improved performance is support for encrypted drives. Microsoft has worked with hardware vendors to add support for self-encrypting eDrive technology to Windows 8. This means that encryption processing can be offloaded to hardware, which both reduces power use and increases battery life. BitLocker still manages the keys, but the initial encryption of volumes is eliminated because the encryption is provided at the hardware level.
BitLocker also supports Cluster Shared Volumes (CSV) and traditional failover disks on Windows Server clusters.
New Recovery Options
Key Messages: Several recovery options SkyDrive is new to Windows 8
BitLocker has several options for recovery, most of which are unchanged from Windows 7. This recovery provides for key backup in several locations. For example, you can store the backup key in Active Directory, store it on a USB drive, print the key, or use the Data Recovery Agent.
New to Windows 8 is the ability to escrow the recovery key on SkyDrive. This feature can be used for computers that aren't joined to the domain. The recovery password for operating system, data, and removable volumes can be escrowed to SkyDrive.
Group Policy and BitLocker
Key Messages: BitLocker works with Group Policy Numerous aspects of BitLocker are available through Group Policy
BitLocker takes advantage of Group Policy. You can set several aspects related to BitLocker and its performance within your enterprise.
There are Group Policy settings for frequently encountered enterprise scenarios. These include settings around the Unlock method and how to recover protected drives. Among the new settings is a Group Policy configuration determining whether used disk space encryption will be used.
You can use Group Policy to deny write access to volumes that aren't protected by BitLocker. The encryption strength and cipher can be set with Group Policy. As already noted, the ability to set the encryption cipher is an important aspect of BitLocker.
Group Policy can also be used to configure policies surrounding custom deployments, such as allowing access to BitLocker-protected volumes from earlier versions of Windows.
Key Messages: Numerous protectors are available for BitLocker, depending on the scenario Password protector, Active Directory protector, and network protector are all available options
There are several methods for protecting data with BitLocker. One is the password protector, which is helpful when the computer doesn't have TPM. The password protector can be used to protect operating system, data, and removable volumes alike. The password protector is used for Windows To Go devices.
Active Directory protector is another method, eligible for data and removable volumes. This protector can be used at the account or group level. The advantage is that the volume is decrypted automatically when a specific user or machine account accesses the volume.
The network protector, eligible for operating system volumes, enables automatic unlocking when a device is connected to the corporate network. This protector is especially helpful for users and IT staff alike.
The network protector simplifies the patching process. Instead of needing to manually unlock each computer , using the network protector means that the computer will be unlocked without manual intervention.
The network protector requires UEFI 2.3.1 with support for DHCPv4 and DHCPv6 within the UEFI firmware.
Windows RT Encryption
Key Messages: BitLocker is available for Windows RT Devices Optimized for slate form factor
Windows RT Devices are encrypted out of the box. BitLocker has been optimized for slate form factors by enabling a TPM-only protector. On Windows RT Devices, data is encrypted on write.
The recovery key is automatically escrowed on SkyDrive for Windows RT Devices.
Finally, Trusted Boot is used with Windows RT to ensure pre-boot integrity.
Compliance and Security
Key Messages: MBAM is an enterprise-level BitLocker tool Provides encryption compliance reporting Role-based access control splits tasks among areas
Microsoft BitLocker Administration and Monitoring (MBAM) is an enterprise-level tool for administering BitLocker deployments. MBAM, part of MDOP, helps reduce costs by simplifying the provisioning process for BitLocker.
MBAM helps with compliance and security. Using MBAM, you can generate compliance reports for encryption and IT can audit access to encryption keys.
MBAM uses role-based access control. There are several predefined roles within MBAM with different privileges. The use of role-based management within MBAM means that individuals don't need to have administrator privileges to run reports and support staff can be assigned the least privilege in order to accomplish their tasks.
MBAM supports complex PINs and supports the management of BitLocker in Federal Information Processing Standards (FIPS) mode. Additionally, BitLocker helps to prevent unauthorized access to data with single-use recovery keys.
Key Messages: Integration with Configuration Manager Automated encryption provisioning Customized reporting with SSRS
MBAM can now be integrated with Configuration Manager. Doing so moves the compliance pieces of MBAM to Configuration Manager. This means that IT staff can use a single environment for compliance reporting through Configuration Manager and don't need to jump between applications to get an enterprise-level picture of compliance.
MBAM enables the automation of encryption provisioning at the enterprise level. Organizations can also target specific encryption policies for specific devices, users, or groups.
MBAM includes several reports that can then be further customized by using SQL Server Reporting Services (SSRS).
Key Messages: Key for enterprises: Users help themselves Self-service portal for key recovery
Self-service is key to an enterprise. When users can help themselves, it means they don't need to call IT, which means more time for IT to add value to the organization. MBAM includes a self-service portal that you can customize.
The Self Service Recovery Console enables users to manage their PIN and initiate volume encryption. Users can also recover encrypted devices through the console.
IT can provide support through the Extensible Recovery Console by accessing recovery data.
Key Messages: Windows 8 supports UEFI Trusted boot is important for end-to-end security
Windows 8 supports the UEFI specification. UEFI replaces some aspects of the traditional computer BIOS but is built on top of the traditional BIOS. Both UEFI and BIOS handle the pre-boot environment of a computer and then pass control over the boot process to the operating system. UEFI offers several key advantages over the traditional boot process, however, and these will be discussed in the next slides.
UEFI is an architecture-independent way to ensure that only trusted operating systems are used after the pre-boot process is complete. UEFI is also more advanced than traditional BIOS. For example, devices such as mice are initialized within the UEFI environment.
UEFI works with BitLocker to provide encrypted drive and network unlock support, along with secure boot capabilities, which we'll describe shortly.
UEFI is a requirement for Windows certification.
Legacy vs. Modern Boot
Key Messages: Legacy boot can hand off control to untrusted boot loaders Trusted boot hands off control to only trusted loaders
Let's talk about the boot process. In the legacy boot process, the BIOS performs hardware checks and then hands execution off to the operating system loader. As we've seen, this operating system loader can be anything, even malware. This enables malware to start before the operating system starts, thus compromising everything thereafter.
With modern boot through UEFI, the firmware enforces policy, and as part of the process will start an operating system only if the OS loader has been signed by a trusted authority. The operating system loader then enforces signature verification and triggers remediation, if necessary.
Once the operating system loader boots, it can activate the Early Launch Anti-Malware (ELAM) driver. The ELAM driver is specially signed by Microsoft and is loaded prior to third-party drivers as part of the boot process.
The end result of the modern boot cycle is that malware is unable to make changes to the boot process or operating system components. UEFI hands the boot process to the trusted OS loader, which activates the ELAM driver, which then monitors the remainder of the boot process.
Key Messages: Updates to UEFI are secure UEFI can perform self-integrity checking
But how do we trust UEFI, and more important, how do we update UEFI securely? The components of UEFI—such as its firmware, drivers, applications, and OS loaders—need to be signed by a trusted authority. UEFI maintains a database of trusted keys and image hashes, along with a revocation database of untrusted keys and image hashes.
UEFI can be updated with Windows Update. Windows Update can provide updates for UEFI firmware, drivers, applications, and OS loaders. Just as important, the revocation database for keys and image hashes can also be updated.
Further, UEFI can check its own firmware by using an integrity check and can self-remediate if there are unknown changes. UEFI is also able to recover the Windows boot manager if its integrity check fails.
What It Means: Trusting Boot
Key Message: A high-level illustration of the boot process shows how all the pieces fit together
Windows 8 has added a lot of value for enterprises around the boot process, helping to make Windows 8 malware-resistant by design. It is helpful to look at the process from a high level now that you've seen its components.
UEFI works to prevent untrusted boot loaders from being loaded. UEFI hands processing directly to the Windows boot loader. This starts up the Windows kernel and drivers and loads anti-malware software. From power-on until the anti-malware software starts, there's simply no vector for untrusted software to be loaded. Once the anti-malware software takes over, it then monitors third-party drivers as part of the boot process.
Protect Against the Known and Unknown
Key Messages: Malware resistant by design Several familiar components are used for protection
Everything we've discussed so far gets us to the point of the Windows logon screen. So what happens post-boot? Windows 8 is malware-resistant by design both during boot and post-boot.
Windows 8 uses several components that are familiar to IT pros, including Windows Defender, System Center 2012 Endpoint Protection, Windows Firewall, and SmartScreen Filter.
The following slides illustrate some of the highlights of post-boot protection for Windows 8. Additionally, since the Windows Store is new for Windows 8, we'll also discuss security considerations specific to Windows 8 apps.
Key Messages: Windows Defender and Windows Firewall play key roles SmartScreen Filter has been enhanced for Windows 8
Windows Defender is central to security in Windows 8, providing a comprehensive anti-malware solution in the box with Windows 8. Windows Defender protects against a full range of malware, well beyond simple adware and spyware protection.
Windows Defender provides real-time active protection that's optimized for the user experience. For enterprises, Endpoint Protection adds manageability. Sharing the same anti-malware engine with Windows Defender, Endpoint Protection adds the Network Inspection System (NIS), which has the ability to block infections before they occur.
Windows Firewall helps reduce the surface area available for an attacker by filtering the ports available to an attacker scanning a computer. Windows Firewall has been improved for Windows 8 and is also manageable with Endpoint Protection and PowerShell.
Internet Explorer 10 has been improved with additional features in SmartScreen Filter. Not only does SmartScreen Filter protect against phishing sites and malicious downloads, but it now includes Application Reputation. Application Reputation protects users regardless of the method in which the application was downloaded.
Internet Explorer 10 also includes Enhanced Protected Mode, which isolates tabs and processes and makes it more difficult to exploit. Do Not Track capabilities are included in Internet Explorer 10, and user interaction is required in order for a web page to gain access to user data.
Windows 8 App Protection
Key Messages: Windows Store provides rigorous certification Windows 8 apps run with low privilege and must declare capabilities Apps are installed into discrete containers
Windows 8 apps offered through the Windows Store need to pass through a rigorous certification and app screening process. Part of the process in making trustworthy apps is a manual screening process by Microsoft for every app available in the Windows Store. Apps also develop their own reputation through community-based ratings and reviews.
Windows 8 apps run with low privilege, and their access to resources is limited. Access to resources, called capabilities, needs to be declared by the developer, so you always know what capabilities a given app will have. The contract aspect of apps also means that they use a standard interface to communicate with one another.
Each app is installed into its own discrete container, and all of the installation steps are handled by the operating system. This means that users can't accidentally install an app into the wrong location or have an old version alongside a new version of an app.
Key Messages: Familiar tools used for Windows 8 DaRT and BitLocker are both updated Boot and post-boot are protected
In this session, we discussed several technologies surrounding recovery and security in Windows 8. Windows 8 improves on many of the recovery and security tools that you're familiar with from Windows 7. There are key recovery features in Windows 8 that are new, including the ability to reset or refresh the computer. Many of the tools such as Safe Mode and System Restore are still there, too.
DaRT has been updated for Windows 8 with the release of DaRT 8. DaRT 8 introduces many new features for Windows 8 including the ability to deploy onto USB media, support for GUID partition tables, UEFI, and full PowerShell capabilities. DaRT offers several ways to deploy images, including manually, through MDT 2012 Update 1, or using Configuration Manager.
Security changes in Windows 8 also build on features in Windows 7. BitLocker has been updated with several new IT-friendly features that also enhance security. Support for TPM 2.0 is included in BitLocker, and the ability to encrypt only used disk space is a time-saver for deployment and usage in SAN environments. BitLocker has new protectors and recovery options, including the ability to escrow keys on SkyDrive.
Windows 8 works with UEFI to provide a trusted boot sequence that's both secure and verifiable. Once booted, the operating system uses technologies such as Windows Defender, Endpoint Protection, Windows Firewall, and SmartScreen Filter to enhance the security of the system at run time.
Windows 8 - Recuperação e Segurança
Recuperação e Segurança
Rodrigo Immaginario, CISSP
MVP: Enterprise Security
Conhecidas e Novas Ferramentas ...
Ferramentas conhecidas - Windows 7
Três áreas :
Windows 8, uma passo a frente em segurança e recuperação
• BitLocker and DaRT
• Safe Mode and System Restore
O que há de novo ?
Refresh e Reset
Enhanced BitLocker protectors
Novas opções de boot seguro
Ferramentas de Recovery
• System Restore
• Safe Mode
New Refresh and Reset
Refresh and Reset
Refreshmantém a personalização
Reset formata e reinstala
Refresh vs. Reset
• Não mantém personalização
e os dados
• Não mantém os apps
• Formata o disco antes
• Mantém personalização e os
• Mantém os apps Windows 8
• Não formata antes de reinstalar
Melhoria de Desempenho no BitLocker
Criptografia do espaço utilizado
Criptografia durante a instalação
Suporte a eDrives
Suporte a Cluster Shared Volumes (CSV)
Novas opções de Recovery no BitLocker
Several recovery options SkyDrive escrow is new to Windows 8
Group Policy e BitLocker
Novo conjunto de Políticas
Opções de Protetores BitLocker
• Password para non-TPM
• Active Directory
Disponível para DispositivosWindows RT
Otimizado (dado é criptografado na
MBAM: Conformidade e Segurança
MBAM: Reducing Costs
Users help themselves Self Service Recovery Console
Windows 8 suporta UEFI
Trusted operating system loading
Legado vs. Moderno
Legado - Boot
Moderno - Boot
Legado pode usar loaders não confiáveis
Modernos usam somente loaders confiáveis
Como confiar no UEFI
Atualização via Windows Update UEFI - self-check
O que significa: Trusting Boot
and Drivers AM Software
AM software is
all 3rd party
Measurements of components
including AM software are
stored in the TPM
Client retrieves TPM
measurements of client
and sends it to Remote
Service issues Client
Health Claim to Client
attempts to access
resource. Server requests
Client Health Claim.
Client provides Client
Health Claim. Server
reviews and grants access
to healthy clients.
Illustrating the boot process
Proteção por Padrão
Malware-resistant by design
Ferramentas conhecidas melhoradas no