Microsoft Secured-Core PCs to Protect Financial Services, Government, and Healthcare
In October last year, Microsoft announced that it was working with hardware partners on new device security requirements to protect against targeted firmware attacks. According to David Weston, Directory of Enterprise and OS Security at Microsoft, the last three years has shown a five-fold increase in the number of firmware vulnerabilities.
Firmware vulnerabilities are an appealing target for hackers because traditional security defenses, like antimalware software installed on the operating system, doesn’t get access to firmware-level activity. Hackers can easily avoid detection and go unnoticed for long periods of time and firmware-based exploits can also be hard to remove. Protections built-in to the operating system, like Secure Boot and Virtualization-Based Security (VBS), are also easier to circumvent with access to the firmware.
Secured-Core PCs protect against firmware attacks
To help better protect customers against firmware attacks, Microsoft announced a new initiative called Secured-Core PCs. In partnership with PC and chip makers, the new scheme requires devices to meet new standards that follow isolation best practices and have minimal trust of firmware. Microsoft says that the devices are intended for industries whose workers handle intellectual property, customer or personal data, including Personally Identifiable Information (PII).
Secured-Core PCs are designed to prevent firmware attacks. Using a combination of identity, virtualization, OS, and hardware defenses, Secured-Core PCs have protection at both the hardware and software layers. Along with Windows Defender System Guard, which is built-in to Windows 10, Secured-Core PCs provide organizations with assurances of OS integrity and verifiable measurements to help prevent firmware attacks.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
Windows Defender System Guard Secure Launch
Windows Defender System Guard Secure Launch was first introduced as part of Windows 10 version 1809. It is a key component of Microsoft’s Secured-Core PC program.
Secure Launch is designed to improve on Static Root of Trust for Measurement (SRTM) of early boot UEFI components. Due to the sheer number of device configurations available, SRTM requires maintenance of either a whitelist or blacklist of SRTM measurements.
But there are two main drawbacks to maintaining these lists. Whitelists require each new piece of hardware to be added to the list. And blacklists let hackers change just 1 bit in a component to create a new SRTM hash that needs to be listed.
Secure Launch, or Dynamic Root of Trust for Measurement (DRTM) as it is also known, lets the system boot into untrusted code. But soon after, DRTM launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
Secure Launch makes managing SRTM measurements easier because the launch code isn’t tied to a specific hardware configuration. And because the number of approved code measurements is small, any changes that need to be made in the future can happen easily and quickly.
Hardware requirements for Windows Defender Secure Launch
While Secure Launch is implemented in Windows 10 today, it isn’t enabled by default and it requires certain features on the silicon. All the features required for Windows Defender Device Guard, Credential Guard, and VBS must be met before Secure Launch can be enabled.
For more information on Secure Launch requirements and how to check whether it’s enabled, see Microsoft’s website here.
Other technologies that form part of Secured-Core PC
Along with Secure Launch, there are several other technologies that are part of the Secured-Core PC initiative. All hardware must use the Trusted Platform Module 2.0 (TPM) for measuring components used during launch. Windows Defender System Guard runtime attestation and conditional access policies can help enable zero-trust networks. VBS also plays an important part in Secured-Core PCs.
Zero-trust networks do away with the idea of running devices in a specific network location within a firewalled perimeter. Instead, zero-trust works on the basis of device and user trust claims to control access to data and resources.
How to get a Secured-Core PC?
Secured-Core PCs are not intended for everyone because they require hardware features, management infrastructure, and expertise that isn’t available to everyone. But for organizations that have the necessary resources to deploy Secured-Core PCs, they provide a more robust and secure computing experience.
Secured-Core PCs are already available from Microsoft’s partners. For a complete list of the devices that are currently certified, go to Microsoft’s website here.