UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

Similar documents
TLS Client Certificate and Smart Card Logon

PL-I Assignment Broup B-Ass 5 BIOS & UEFI

Windows Authentication Concepts

WINDOWS 10 ENTERPRISE New Security Features

Ing. Ondrej Sevecek Windows Server Product Manager GOPAS a.s.

Web Application Proxy

Backup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.

Windows 10 Security & Audit

CERTIFICATES AND CRYPTOGRAPHY

Expert Reference Series of White Papers. BitLocker: Is It Really Secure? COURSES.

KEY ARCHIVAL AND OCSP

Deploying Secure Boot: Key Creation and Management

Windows IoT Security. Jackie Chang Sr. Program Manager

DELLEMC. TUESDAY September 19 th 4:00PM (GMT) & 10:00AM (CST) Webinar Series Episode Nine WELCOME TO OUR ONLINE EVENTS ONLINE EVENTS

GSE/Belux Enterprise Systems Security Meeting

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

Big and Bright - Security

ThinkVantage Fingerprint Software

COMPLEX CERTIFICATE POLICIES

HP Manageability Integration Kit HP Client Management Solutions

HP Manageability Integration Kit HP Client Management Solutions

benefits for customers with subscriptions in CSP

CIS 4360 Secure Computer Systems Secured System Boot

HAROLD BAELE MICROSOFT CLOUD TECHNICAL CONSULTANT MICROSOFT CERTIFIED TRAINER. New protection capabilities in Windows Server 2016

Windows 10 and the Enterprise. Craig A. Brown Prepared for: GMIS

Full file at Chapter 2: Securing and Troubleshooting Windows Vista

TPM v.s. Embedded Board. James Y

System Prep Applications A Powerful New Feature in UEFI 2.5

BIOS. Chapter The McGraw-Hill Companies, Inc. All rights reserved. Mike Meyers CompTIA A+ Guide to Managing and Troubleshooting PCs

Encrypting stored data

Forensics Challenges. Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation

Strengthening the Chain of Trust. Kevin Lane HP Jeff Bobzin Insyde Software

MU2b Authentication, Authorization and Accounting Questions Set 2


Pro s and con s Why pins # s, passwords, smart cards and tokens fail

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

McAfee Drive Encryption Interface Reference Guide. (McAfee epolicy Orchestrator)

Boot Process in details for (X86) Computers

Endpoint Protection with DigitalPersona Pro

Reset tpm owner password

Index. Mike Halsey and Andrew Bettany 2015 M. Halsey and A. Bettany, Windows File System Troubleshooting, DOI /

Pass-the-Hash Attacks

MCSM:Directory2012 MCM:Directory2008 MVP:Enterprise Security Certified Ethical Hacker CISA.

IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP

BitLocker: How to enable Network Unlock

Tailoring TrustZone as SMM Equivalent

TPM 1.2 Firmware Update Guidance. for Infineon SLB9655 and SLB9660

Veritas System Recovery 16 Readme

AMD Ryzen Threadripper NVMe RAID Quick Start Guide RC Release Version 1.0

HySecure Quick Start Guide. HySecure 5.0

Securing Active Directory Administration

Pass-the-Hash Attacks. Michael Grafnetter

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

UEFI / Bios was denn das?

AMD RAID Installation Guide

Table of Contents. Table of Figures. 2 Wave Systems Corp. Client User Guide

Consultant since many years. Mainly working with defense and public sector. MCSE on Windows Server 2000 security ;-)

General Firmware Overview of Recommendations for Window OS

User. Applications. Operating System. Hardware

The Early System Start-Up Process. Group Presentation by: Tianyuan Liu, Caiwei He, Krishna Parasuram Srinivasan, Wenbin Xu

BIOS Setup. User s Guide. (For Skylake-W Platform) Rev.1.1

Attacking and Defending the Platform

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Check Point SmartEndpoint Security

IA32 OS START-UP UEFI FIRMWARE. CS124 Operating Systems Fall , Lecture 6

FUNCTIONAL LEVELS AND FSMO

AMD RAID Installation Guide

Installing or booting DSS V6 from a USB flash drive or other writable media starting with the ZIP file

Troubleshooting smart card logon authentication on active directory

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

Cybersecurity in Data Centers. Murat Cudi Erentürk ISACA CISA, ISO Lead Auditor Gandalf Consulting and Software Ltd.

Information protection BitLocker Overview of BitLocker Device Encryption in Windows 10 BitLocker frequently asked questions (FAQ) Prepare your

SIMATIC. Industrial PC Microsoft Windows Embedded Standard 7. Safety instructions 1. Initial startup: Commissioning the operating.

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01

Hardening the Modern Windows Client Let s NOT break it this time

FIDO TECHNICAL OVERVIEW. All Rights Reserved FIDO Alliance Copyright 2018

Extending Security Functions for Windows NT/2000/XP

Windows 8 Uefi Bios Update Step By Step Guide Msi Usa

Free4Torrent. Free and valid exam torrent helps you to pass the exam with high score

Apple Product Security

ThinkVantage Fingerprint Software

DriveClone Workstation. Users Manual

Check Point GO R75. User Guide. 14 November Classification: [Public]

ENTRUST CONNECTOR Installation and Configuration Guide Version April 21, 2017

DigitalPersona Pro Enterprise

About the XenClient Enterprise Solution

How to Clear TPM HW on HP Personal Systems

HP Image Assistant. User Guide

Fujitsu Stylistic ST6000 Series

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

Table of Contents. Frequently Asked Questions (FAQ) 1

ECE 471 Embedded Systems Lecture 16

Software Vulnerability Assessment & Secure Storage

Manufacturing Tools in the UEFI Secure Boot Environment

PKI Enhancements in Windows 7 and Windows Server 2008 R2

Chapter. Chapter. Magnetic and Solid-State Storage Devices

SAML-Based SSO Solution

BitLocker Group Policy Settings

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

This version of the IDGo 800 middleware contains the following components: IDGo 800 Credential Provider build 01

Transcription:

GOLD PARTNER: Hlavní partner: Hlavní odborný partner: UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies Ing. Ondřej Ševeček GOPAS a.s. MCSM:Directory MVP:Security CISA CISM CEH CHFI ondrej@sevecek.com www.sevecek.com relevantní kurzy: GOC163 (Moderní bezpečnost), GOC169 (ISO 27001), GOC165 (CISM), GOC163 (GDPR a ZaKB)

UEFI Secure Boot Device Guard TPM WHB Hardware Virtual Machine

UEFI UEFI, SecureBoot, DeviceGuard, TPM a WHB

Unified Extensible Firmware Interface newer BIOS :-) backward compatible can be x32/x64 BIOS was 16bit better code and "drivers", bigger RAM two APIs boot services runtime services configurable from OS with a runtime service NVRAM non-volatile RAM config + OS variables accessible through runtime services from OS Hyper-V VM generations generation 1 = BIOS generation 2 = UEFI

UEFI knows its boot devices

UEFI boots from MBR and GPT disks old MBR disks (dumb jump to MBR) max 4 partitions, 2 TB sector 0 = MBR 512 bytes of code to jump into the Active partition boot sector 512+ bytes of code to find bootmgr on the partition (NTFS, FAT,...) GPT disks (understands) sector 1+ = GPT max 127 partitions, 68 000 000 000 TB with 4kB sector disks partition GUIDS and types EFI system partition (ESP) = C12A7328-F81F-11D2-BA4B-00A0C93EC93B no active partition

UEFI knows FAT32 and can read EFI system partition EFI partition FAT32 (up to 32 GB) FASTFAT if supported can boot directly bootxxxxx.efi faster and OS configurable can check digital signatures of boot files removable media CD/DVD, USB flash single UDF/CDFS/FAT32 partition up to 32 GB

Firmware variables and UEFI locks NVRAM non-volatile RAM storage accessible read/write over runtime services API locking changes must be written during boot services phase by a trusted UEFI application RunAsPPL, DeviceGuard

UEFI lock on RunAsPPL

SecureBoot UEFI, SecureBoot, DeviceGuard, TPM a WHB

SecureBoot UEFI only GPT + EFI partition checking signatures of boot components UEFI: boot sector + boot loader OS: winload, kernel, drivers, LSASS,...

SecureBoot enabled on HW (msinfo32)

SecureBoot enabled on VM (msinfo32)

SecureBoot requirements GPT + EFI disk supporting OS 8.1/2012 x64 and newer disabled CSM (compatibility support mode) plus disable any "legacy" options password protected "BIOS" OS vendor public signature verification keys (re)loaded

Enabling secure boot within "BIOS"

SecureBoot protection protects against boot code modifications does not prevent booting "rogue OS" in itself

DeviceGuard UEFI, SecureBoot, DeviceGuard, TPM a WHB

LSASS sensitive memory vulnerability NTLM Process Process Process Process Process LSASS password TGT High-Level OS Attacker

Smart card principle public storage memory PC API calls CryptoCPU Attacker PIN master PIN protected private crypt memory OS firmware ROM

LSASS sensitive memory solution NTLM TGT Process Process Process Process LSASS Secure Kernel Isolate User Mode (IUM) High-Level OS Attacker password Hypervisor vmbus trustlet

Requirements SecureBoot => UEFI ensures that the secure kernel and lsass would load untouched the secure kernel ensures that only the first interface user (lsass) can use it

(Non)Protection long-term memory credential protection does not protect BitLocker AES FVEK yet vulnerabilities can be disabled by Admins with restart remotely (without UEFI lock) can be disabled by Admins with restart attended (with UEFI lock) hardware keyloggers software keyloggers RDP + HTTP basic auth loggers SSO injections memory dumping local management

Disabling DeviceGuard with UEFI lock

TPM UEFI, SecureBoot, DeviceGuard, TPM a WHB

Used by BitLocker to store volume decryptor TPM smart cards Windows Hello for Business

Trusted Platform/Policy Module on-board smart-card or plug-in module if supported by motherboard and BIOS or VM emulated unlocked with multiple entry-key-parts UEFI NVRAM hash boot sector hash boot loader hash,... +PIN possibly owner password for privileged operations clear, export,...

VM emulated TPM vs. hardware based

VM TPM emulation does not require physical TPM on the host data stored encrypted in the VM configuration file encrypted with HgsGuardian either local or remote if configured

TPM ownership always some password present maybe not known to us :-) OS can store owner password None Delegated binary blob only (not easily remembered) newer applications support only Full plain-text password any application support reset ownership password always possible must clear the TPM requires physical presence (BIOS instead of UEFI application)

TPM owner information in registry HKLM\System\CurrentControlSet\Service\TPM\WMI\Admin

TPM state and owner authorization in PowerShell Get-TPM

Clearing TPM without owner password

TPM virtual smart-cards smart-card logon Kerberos PKINIT enterprise PKI + client certificates change PIN with CTRL-ALT-DEL PIN length policy binds user identity to the machine

Provisioning TPM virtual smart card tpmvscmgr.exe create /name "useradlogon" /AdminKey PROMPT /PIN prompt /generate /pinpolicy minlen 4 # AdminKey: 48 hexa-digits (0-9,A-F) # PIN: 8 any-characters by default certutil csplist # Microsoft Smart Card Key Storage Provider certutil scinfo tpmvscmgr destroy /instance root\smartcardreader\0000 # if unknown, use Device Manager for lookup

Looking up virtual smart card device in devmgmt.msc

Attestation AD CS can require hardware attestations for issued certificates certificate request is signed by a TPM internal private key public verification key imported into CA manual enrollment by a RA registration authority? autoenrollment into defined device with attestation

Windows Hello for Business UEFI, SecureBoot, DeviceGuard, TPM a WHB

What? Convenience PIN store password on the disk, protected with a simpler PIN Windows Hello store password on the disk, protected with a thumbprint or anything payed within Office365 Windows Hello for Business smart card logon mapped from anything

Multiple-multifactor-biometric authentication maps to Kerberos PKINIT smart-card logon credentials stored locally in TPM or in software better then fingerprint-readers,... AD user, AAD user,... shadow account in Active Directory

Requires Device Registration with ADFS

Enabled with Group Policy

Nice to have UEFI GPT disks NVRAM variable locking SecureBoot signed boot components requires UEFI DeviceGuard isolated credential storage (secure kernel) requires SecureBoot TPM stores BitLocker keys provides virtual smart cards provides WHB UEFI Secure Boot Device Guard TPM WHB Hardware Virtual Machine

GOLD PARTNER: Hlavní partner: Hlavní odborný partner: UEFI, SecureBoot, DeviceGuard, TPM a WHB Ing. Ondřej Ševeček GOPAS a.s. MCSM:Directory MVP:Security CISA CISM CEH CHFI ondrej@sevecek.com www.sevecek.com relevantní kurzy: GOC163 (Moderní bezpečnost), GOC169 (ISO 27001), GOC165 (CISM), GOC163 (GDPR a ZaKB)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback