RSAC: Microsoft Touts Windows 8 Support for Latest Hardware Security Options

At the RSA Conference I recently sat down for an interview with Microsoft’s Chris Hallum, a senior product manager who deals with client security for Windows 8. During our interview Chris provided some additional details about some of the security features that are exclusive to Windows 8, and explained how Microsoft is adopting a security strategy for Windows 8 that revolves around malware resistance, data protection, and modern access control.

Hallum also suggested that mobile devices running Windows 8 — including Surface RT and Surface Pro tablets, as well as other mobile devices running Windows RT and various editions of Windows — would help increase adoption of Windows 8 in the enterprise. “BYOD is the tip of the spear for Windows 8,” Hallum said. “Administrators also need to have the mentality that it’s not just about one OS [in the enterprise], such as Windows 8, but many of them.” Hallum said that businesses of all sizes are now using multiple OSes and devices, from iOS and Android mobile devices to desktop and laptop clients running Windows 7. Hallum’s comments underscore Microsoft’s current approach of being an amicable corporate citizen and playing well with other OSes and devices.

Microsoft’s “Three Pillars” Approach to Windows 8 Client Security

We then discussed the approach Microsoft is taking with Windows 8 security efforts, and Hallum explained that Microsoft is grouping their Windows 8 client security strategy into three broad areas: Malware resistance, data protection, and modern access control.

[Image: Microsoft Circle of Trust]

Microsoft is all about trust at RSA this year: Root of Trust, Chain of Trust, Trusted Computing. What about a Circle of Trust? (Image: Robert DeNiro from Meet the Fockers)

Malware Resistance

Hallum said that security can’t be solved on the software side of things alone, and mentioned several developments on the hardware security front that Microsoft is embracing with Windows 8 to improve client security. One feature is the adoption of the Unified Extensible Firmware Interface (UEFI), which provides for a secure boot-up process for Windows 8 PCs. Hallum said that adoption of UEFI should help control boot kits (malicious software that starts before Windows can load) and root kits (which load during the normal Windows OS boot process).
Windows 8 also supports remote attestation when a trusted platform module (TPM) is present on the hardware, which allows trusted entities to access and manage the TPM hardware to enhance system security. Hallum said that Windows 8 also supports the latest TPM 2.0 specification, which includes Address Space Layout Randomization (ASLR), measured boot, and virtual smart cards.

Data Protection

In addition to support for the latest TPM specification, Windows 8 also supports the new encrypted hard drive standard. “In the past, drive encryption had two big challenges,” Hallum said. “It was hard to configure, and it took a long time to encrypt large drives.” Hallum recounted how one Microsoft partner had developed creative solutions for encrypting drives using existing methods, with laptops lined up assembly-line fashion as the drive encryption process chugged away.
With Windows 7 BitLocker, the entire drive needed to be encrypted, which led to the time-consuming process and hoop-jumping described above. Windows 8 allows admins to choose a “Used Disk Space only” option that only encrypts the actual data itself — not the drive free space — which can lead to enormous time savings.
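The hardware-backed pieces Hallum describes (UEFI Secure Boot, a TPM, and the Windows 8 “Used Disk Space only” BitLocker option) can be checked and enabled together from PowerShell; the script below is an added example written for this post, not code from Microsoft or the article, and it assumes an elevated PowerShell 3.0 prompt on Windows 8 or later with the volume letter in `$Volume`.

```powershell
# Added example: verify Secure Boot and TPM readiness, then enable BitLocker
# with used-space-only encryption and a TPM key protector.
# Run from an elevated prompt; $Volume is an assumed value for this example.
$Volume = "C:"

# UEFI Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines,
# so treat an exception as "not enabled".
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $false
}
Write-Host "Secure Boot enabled : $secureBoot"

# TPM: it must be present and ready before a TPM key protector can be used.
$tpm = Get-Tpm
Write-Host "TPM present / ready : $($tpm.TpmPresent) / $($tpm.TpmReady)"
if (-not $tpm.TpmReady) {
    throw "TPM is not ready; initialise it (Initialize-Tpm or tpm.msc) first."
}

# Only act on a volume that is not already encrypted or encrypting.
$bl = Get-BitLockerVolume -MountPoint $Volume
if ($bl.VolumeStatus -ne "FullyDecrypted") {
    Write-Host "$Volume is already $($bl.VolumeStatus); nothing to do."
    return
}

# Add a recovery password first, so the volume can still be unlocked if the
# TPM measurements change (firmware update, boot configuration change).
$bl = Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector
$recovery = $bl.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
Write-Host "Recovery password ID: $($recovery.KeyProtectorId)  (escrow this before continuing)"

# Used-space-only encryption: only sectors currently holding data are
# encrypted, not the free space, which is where the time saving comes from.
# Without -SkipHardwareTest, Windows runs a TPM hardware test at the next
# restart before encryption actually starts.
Enable-BitLocker -MountPoint $Volume -EncryptionMethod Aes256 -UsedSpaceOnly -TpmProtector

# Report status; EncryptionPercentage climbs quickly on a mostly empty drive.
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Used-space-only encryption leaves whatever was previously written to the free space unencrypted, so it is the right choice for new or freshly wiped drives rather than for a drive that already held data.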

Modern Access Control

Hallum also pointed out that the new breed of Windows 8 and Windows Phone devices running on ARM processors have a Connected Standby feature that prevents direct memory access on those devices, which provides an additional measure of security for mobile devices. In a blog post on TechNet about Connected Standby, Hallum elaborates on the benefits of the feature. “As part of the Connected Standby certification requirements we’ve added language that prevents the inclusion of Direct Memory Access (DMA) ports and system memory can’t easily be removed,” Hallum said. “These changes eliminate the requirement for implementing pre-boot authentication on Connected Standby certified devices.”

Are you attending the RSA Conference in San Francisco this week? Add a comment to this blog post and let me know what you think of the conference so far.