
Redmond Protocols Plugfest 2016
Windows 10 Device Health Attestation (DHA)
Kam Kouladjie, Microsoft OSG, Enterprise and Security R&D
June 2016

Agenda
- Introduction to Device Health Attestation: attested security assurance
- Overview of Windows 10 & the enterprise security risk management framework
- Device Health Attestation (DHA): implementation options
- Use case scenarios
- Detailed data flows: Office 365 conditional access, VPN conditional access
- hardware monitored &

Attestation is a Windows security feature that was released as part of Windows 8:
- The TPM creates a tamper-resistant audit log as it measures/monitors the boot
- The log can be validated locally and remotely

Windows 10, Device Health Attestation (DHA) is a new Windows 10 feature that was released in June 2015 as part of the initial Windows 10 RTM release:
- Integrates with the Windows 10 Mobile Device Management (MDM) framework
- Designed to work on devices that have a Trusted Platform Module (TPM) in firmware or discrete form (TPM 2.0 and 1.2)
- Enables enterprises to raise the security bar of their organization to hardware-monitored and attested security for on-premise, hybrid and cloud-based scenarios

Before the Windows 10 DHA release, device health was assumed. After the DHA release, device health can be assessed based on hardware-measured state.

Device Health Attestation enables organizations to:
- Define a security compliance baseline for different operational environments
- Monitor and report on device compliance
- Detect violations
- Trigger remote corrective actions on enrolled devices (e.g. disable features, lock devices, initiate remote wipe, ...) or enforce conditional access (e.g. prevent access to online enterprise resources, ...)

Sample use case scenarios:
- Data collection (e.g. anomaly analysis, audit)
- Compliance reporting (e.g. on demand, scheduled)
- Live monitoring (e.g. continuous diagnostics)
- Zero-day incident response (incident response agility)
- Online enforcement (e.g. conditional access)
- Out-of-band enforcement (e.g. alerts, notifications, expiring access tokens, ...)

Device Health Attestation:
- Builds upon existing Windows security technologies: "Secure Boot", "Measured Boot", "Early Launch Anti-Malware" and "TPM Attestation"
- Enables administrators to monitor remotely and make security decisions based on "TPM protected", "tamper resistant" and "tamper evident" data

TPM (Trusted Platform Module) types:
- Discrete (physical) TPM (laptops, desktops, servers)
- Firmware TPM (tablets, phones)
- Virtual TPM (virtual PCs)

TPM specification: ISO/IEC 11889

Supported devices:
- Every PC with a relatively new Intel or AMD processor that runs Windows 10
- Every Windows Phone (WP8+) upgraded to Windows 10, or shipped after the Windows 10 release

DHA-enabled MDM solutions: [vendor logos] and more ………

Sample risk scenario: malware (e.g. a jailbreak) disables UEFI Secure Boot, prevents ELAM from being loaded during boot, and enables kernel debugging.
Mitigation: the Device Health Attestation Service (HAS) reports the findings to the MDM server, even in the face of a malicious OS. The boot measurements are recorded in TPM PCRs before the OS takes control and are quoted by the TPM, so a tampered OS can alter what it says about itself but cannot make the hardware-backed measurements agree.

Questions?

Windows 10 & enterprise security risk management

Addressing the threats requires a new approach:
1. Increase attack cost: reduce attacker return on investment
2. Look for repeated behaviors: detect anomalies, create signatures, clean up impacted devices (example for 1 and 2: Microsoft Digital Crimes Unit)
3. Reduce exposure to risks: harden runtimes, applications, networks, devices (Windows 10: Device Guard, Windows Hello, Credential Guard, BitLocker)
4. Monitor compliance: assume breach, verify compliance (Trusted Platform Module)

Sample risk scenario, mitigation: Device Health Attestation
- Verifies whether a device booted to a factory-trusted state (firmware)
- Assures that the MDM is talking to the same device
- Validates that the device is running a trusted OS and provides a mechanism to monitor compliance. For example it validates: Secure Boot state (on/off), BitLocker state (on/off), firmware patch version, OS security policy/state

Questions?

Implementation options
- Cloud-based device management solutions
- On-premise device management solutions
- AD managed, AAD managed, MDM managed, BYOD

Windows 10 TPM-enabled devices
Device Health Attestation Service (DHA-Service) options:
- Microsoft Cloud: ready now
- On-prem (Windows Server 2016): ready for beta testing in April 2016
Device Management Solution (MDM) options:
- 1st- and 3rd-party, on-prem and cloud MDM solutions

Compliance monitoring examples (screenshots):
- SCCM
- Intune
- Power BI: data collection & compliance monitoring
- Power BI: compliance monitoring

Sample use case scenario: incident response (screenshots)

Questions?

Detailed Data Flows

AIK provisioning flow (manufacturer, device, AIK provisioning service):
1. Fuse EK seed
2. Generate EK key pair (EK_PRIV, EK_PUB) and AIK key pair
3. Send EK_PUB to signing server
4. Sign the EK_PUB, issue an EK_CERT
5. Store the EK_CERT on the device
6. Ship the device
7. User purchases the device, turns the device on
8. Device sends the EK_CERT and EK_PUB to the AIK provisioning service
9. AIK provisioning service issues a challenge:
   - Verifies the EK_CERT
   - Generates a random value
   - Encrypts it with EK_PUB
   - Sends the encrypted challenge to the device
10. Device decrypts the challenge with EK_PRIV and forwards the following to the AIK provisioning service:
   - Challenge data in clear format
   - Hash of AIK_PUB
11. AIK provisioning service gets the data, validates whether the challenge data are correct, and issues a
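The eleven steps above run end to end, as an added example in Go; this is not Microsoft's code and there is no real TPM or provisioning service behind it. EK_CERT is modelled as the manufacturer's RSA signature over the DER-encoded EK_PUB rather than an X.509 certificate, the challenge is RSA-OAEP to EK_PUB, and the device answers with the clear challenge plus SHA-256(AIK_PUB) as the slide describes. The slide truncates what the service issues in step 11, so the example stops at the verified binding between a manufacturer-attested EK and the AIK hash. Real TPM 2.0 provisioning uses TPM2_MakeCredential/TPM2_ActivateCredential, which binds the AIK's name into the encrypted challenge instead of sending the hash back in the clear.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// EKCert stands in for EK_CERT: DER-encoded EK_PUB plus the manufacturer's
// signature over its SHA-256 hash (a real EK_CERT is an X.509 certificate).
type EKCert struct {
	EKPub []byte
	Sig   []byte
}

// manufacture is steps 1-5: create the EK pair, sign EK_PUB, return EK_CERT.
func manufacture(mfrKey *rsa.PrivateKey) (*rsa.PrivateKey, EKCert, error) {
	ek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, EKCert{}, err
	}
	der, err := x509.MarshalPKIXPublicKey(&ek.PublicKey)
	if err != nil {
		return nil, EKCert{}, err
	}
	h := sha256.Sum256(der)
	sig, err := rsa.SignPKCS1v15(rand.Reader, mfrKey, crypto.SHA256, h[:])
	return ek, EKCert{EKPub: der, Sig: sig}, err
}

// verifyEKCert is the first half of step 9: only an EK_PUB vouched for by a
// known manufacturer is worth challenging.
func verifyEKCert(mfrPub *rsa.PublicKey, cert EKCert) (*rsa.PublicKey, error) {
	h := sha256.Sum256(cert.EKPub)
	if err := rsa.VerifyPKCS1v15(mfrPub, crypto.SHA256, h[:], cert.Sig); err != nil {
		return nil, errors.New("EK_CERT is not signed by a trusted manufacturer")
	}
	pub, err := x509.ParsePKIXPublicKey(cert.EKPub)
	if err != nil {
		return nil, err
	}
	ekPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("EK_PUB is not an RSA key")
	}
	return ekPub, nil
}

// issueChallenge is the second half of step 9: a fresh random value that only
// the holder of the matching EK_PRIV can recover.
func issueChallenge(ekPub *rsa.PublicKey) (secret, encrypted []byte, err error) {
	secret = make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, ekPub, secret, nil)
	return secret, encrypted, err
}

// answerChallenge is step 10 on the device: decrypt with EK_PRIV, return the
// clear challenge and the hash of the AIK_PUB being enrolled.
func answerChallenge(ek *rsa.PrivateKey, encrypted, aikPub []byte) ([]byte, [32]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, ek, encrypted, nil)
	if err != nil {
		return nil, [32]byte{}, errors.New("device cannot decrypt: its EK_PRIV does not match the EK_CERT it presented")
	}
	return plain, sha256.Sum256(aikPub), nil
}

// provision runs steps 8-11 and returns the AIK_PUB hash the service has now
// bound to a manufacturer-attested TPM.
func provision(mfrPub *rsa.PublicKey, ek *rsa.PrivateKey, cert EKCert, aikPub []byte) ([32]byte, error) {
	ekPub, err := verifyEKCert(mfrPub, cert)
	if err != nil {
		return [32]byte{}, err
	}
	secret, encrypted, err := issueChallenge(ekPub)
	if err != nil {
		return [32]byte{}, err
	}
	plain, aikHash, err := answerChallenge(ek, encrypted, aikPub)
	if err != nil {
		return [32]byte{}, err
	}
	if !bytes.Equal(plain, secret) {
		return [32]byte{}, errors.New("step 11: challenge data are not correct")
	}
	return aikHash, nil
}

func main() {
	mfr, _ := rsa.GenerateKey(rand.Reader, 2048)
	ek, cert, _ := manufacture(mfr)
	aik, _ := rsa.GenerateKey(rand.Reader, 2048)
	aikDer, _ := x509.MarshalPKIXPublicKey(&aik.PublicKey)
	h, err := provision(&mfr.PublicKey, ek, cert, aikDer)
	fmt.Printf("bound AIK %x, err=%v\n", h[:8], err)
}
```

Two failure cases are worth trying with these functions: an EK_CERT signed by an unknown manufacturer is rejected before any challenge is sent, and a device that presents a genuine EK_CERT but does not hold the matching EK_PRIV cannot decrypt the challenge, so a cloned certificate alone proves nothing.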

Actors: Windows 10 TPM-enabled device (enterprise managed asset), Device Health Attestation Service (DHA-Service), Device Management Solution (MDM)

Step 1: Device measures boot components in the TPM
- BIOS/UEFI, boot loader, kernel, Early Launch Anti-Malware and early drivers are measured into the TPM PCRs and recorded in the TCG boot log (Windows 10 device: phone, tablet, laptop, PC, …)

Step 2: DHA-CSP forwards measurements to HAS, gets an encrypted report
- 2.1 Device Health CSP -> DHA-Service: SSL {DHA_Boot_Report_Data := TCG_Log, Quote(PCR, Counter), Cert}
- 2.2 DHA-Service -> Device Health CSP: SSL {DHA_Boot_Report := Encrypted(Signed(Analyzed Data))}

Step 3: Device Management Solution gets and verifies the Device Health Report
- 3.1 MDM -> Device: SSL {Session Nonce}
- 3.2 Device -> MDM: SSL {DHA_Verification_Claims := DHA_Boot_Report, Quote(Current_State, Nonce), Cert}
- 3.3 MDM -> DHA-Service: SSL {Verify := DHA_Boot_Report, Quote(Current_State, Nonce), Cert + Nonce}
- 3.4 DHA-Service -> MDM: SSL {Device Health Report}

Sample data points that are evaluated/reported by HAS:
- BitlockerStatus
- WinPE
- SecureBootEnabled
- BootDebuggingEnabled
- CodeIntegrityEnabled
- OSKernelDebuggingEnabled
- ELAMDriverLoaded
- TestSigningEnabled
- VSMEnabled
- AIKCertPresent
- CIPolicyHash
- Value of PCR 0
- SBCPPolicyHash
- Reset count (hibernation)
- DEPPolicy state
- Restart count (boot/reboot)
- SafeMode
- And more …
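Steps 1-3 of the data flow above, together with the data-point evaluation and the MDM's "IsCompliant" decision used in the Office 365 and VPN scenarios, as an added example in Go. This is not Microsoft's code and there is no TPM, MDM or HAS behind it: the TPM is reduced to the PCR_Extend rule over an 8-slot SHA-256 bank, the TCG log to (PCR, string) events, Quote(Current_State, Nonce) to an RSA PKCS#1 v1.5 signature by a locally generated AIK, and the HAS data points to four booleans read out of the log. The event strings, PCR numbers and the compliance baseline are constructed for the example. The point is the order of checks in verify: nonce first, then the AIK signature, then replay of the log against the quoted PCRs, and only then reading health facts out of the log. That ordering is what lets HAS report a disabled Secure Boot or a missing ELAM driver even in the face of a malicious OS: the OS can rewrite the log it sends, but not the PCR values the TPM signed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Event is one simplified TCG boot-log entry: the PCR it extended and what was measured.
type Event struct {
	PCR  int
	Data string
}

// Quote models Quote(Current_State, Nonce): the PCR bank and the MDM nonce, signed by the AIK.
type Quote struct {
	PCRs  [8][32]byte
	Nonce []byte
	Sig   []byte
}

// Report holds a few of the HAS data points listed above, derived from the log.
type Report struct {
	SecureBootEnabled, BootDebuggingEnabled, ELAMDriverLoaded, CodeIntegrityEnabled bool
}

// extend applies the PCR_Extend rule: new = SHA-256(old || SHA-256(data)).
func extend(old [32]byte, data string) [32]byte {
	d := sha256.Sum256([]byte(data))
	return sha256.Sum256(append(old[:], d[:]...))
}

// replay recomputes the PCR bank from a boot log (step 1 on the device; HAS repeats it).
func replay(log []Event) [8][32]byte {
	var pcrs [8][32]byte
	for _, e := range log {
		pcrs[e.PCR] = extend(pcrs[e.PCR], e.Data)
	}
	return pcrs
}

// quoteDigest is what the AIK signs: every PCR followed by the nonce.
func quoteDigest(pcrs [8][32]byte, nonce []byte) [32]byte {
	var buf []byte
	for _, p := range pcrs {
		buf = append(buf, p[:]...)
	}
	return sha256.Sum256(append(buf, nonce...))
}

// quote is step 3.2 on the device: sign the current PCRs together with the MDM nonce.
func quote(aik *rsa.PrivateKey, pcrs [8][32]byte, nonce []byte) (Quote, error) {
	d := quoteDigest(pcrs, nonce)
	sig, err := rsa.SignPKCS1v15(rand.Reader, aik, crypto.SHA256, d[:])
	return Quote{PCRs: pcrs, Nonce: nonce, Sig: sig}, err
}

// verify is step 3.3 on HAS: nonce, AIK signature, log-vs-PCR consistency, then health facts.
func verify(aikPub *rsa.PublicKey, nonce []byte, log []Event, q Quote) (Report, error) {
	if !bytes.Equal(q.Nonce, nonce) {
		return Report{}, errors.New("nonce mismatch: stale or replayed quote")
	}
	d := quoteDigest(q.PCRs, q.Nonce)
	if err := rsa.VerifyPKCS1v15(aikPub, crypto.SHA256, d[:], q.Sig); err != nil {
		return Report{}, errors.New("quote is not signed by the enrolled AIK")
	}
	if replay(log) != q.PCRs {
		return Report{}, errors.New("boot log does not replay to the quoted PCRs: log tampered")
	}
	seen := map[string]bool{}
	for _, e := range log {
		seen[e.Data] = true
	}
	return Report{SecureBootEnabled: seen["SecureBoot=on"], BootDebuggingEnabled: seen["BootDebug=on"],
		ELAMDriverLoaded: seen["ELAM=loaded"], CodeIntegrityEnabled: seen["CodeIntegrity=on"]}, nil
}

// isCompliant is a constructed MDM baseline for the "Set IsCompliant" step, not Microsoft's policy.
func isCompliant(r Report) bool {
	return r.SecureBootEnabled && r.ELAMDriverLoaded && r.CodeIntegrityEnabled && !r.BootDebuggingEnabled
}

// Constructed logs: a healthy boot, and the slide's risk scenario (Secure Boot off,
// ELAM not loaded, kernel debugging on). PCR numbers are illustrative.
var HealthyLog = []Event{{0, "Firmware=v1.2"}, {7, "SecureBoot=on"}, {4, "BootLoader=bootmgfw"},
	{4, "Kernel=ntoskrnl"}, {7, "CodeIntegrity=on"}, {7, "BootDebug=off"}, {4, "ELAM=loaded"}}
var AttackedLog = []Event{{0, "Firmware=v1.2"}, {7, "SecureBoot=off"}, {4, "BootLoader=bootmgfw"},
	{4, "Kernel=ntoskrnl"}, {7, "CodeIntegrity=on"}, {7, "BootDebug=on"}}

func main() {
	aik, _ := rsa.GenerateKey(rand.Reader, 2048)
	nonce := []byte("mdm-session-nonce")
	q, _ := quote(aik, replay(AttackedLog), nonce)
	// The compromised OS hands over a clean-looking log, but the TPM quoted the real PCRs.
	_, err := verify(&aik.PublicKey, nonce, HealthyLog, q)
	fmt.Println("forged log:", err)
}
```

The same functions yield a compliant report for HealthyLog, a non-compliant one for AttackedLog (SecureBootEnabled false, BootDebuggingEnabled true, ELAMDriverLoaded false), and a rejection when an old quote is replayed against a new session nonce.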

Sample implementation scenario: Device Health Attestation & Office 365

Components: Windows 10 device (BIOS/UEFI, TPM, boot loader, kernel, Early Launch Antimalware, early drivers; measured boot into the TCG boot log and PCRs; Device Health CSP, other Configuration Service Providers (CSPs), MDM client, AAD Token Broker plugin/ADAL, Office apps), DHA-Service, MDM, AAD, Office 365 resource.

(A) Get Device Health Certificate
- (A1) Device sends TCG log & boot-related data to DHA-Service
- (A2) DHA-Service issues a Device Health Cert
(B) Validate Device Health
- (B1) MDM sends nonce to the device
- (B2) Device forwards health data to MDM
- (B3) MDM forwards health data & nonce to DHA-Service
- (B4) DHA-Service validates device health data
- (B5) DHA-Service issues Device Health Report
(C) Query Device Config-State
- (C1) MDM queries device config-state via the CSPs
- (C2) Device forwards device config-state info
- (C3) MDM validates compliance state data
(D) MDM sets the "IsCompliant" device attribute in AAD
(E) Request Office 365 Access Token
- (E1) Office app triggers token acquisition
- (E2) Token broker requests access token from AAD
- (E3) AAD validates device compliance state
- (E4) AAD issues Office 365 access token (AuthN, AuthZ)
- (E5) Forward token
- (E6) Present token to the Office 365 resource
(F) Access Office 365 protected resources

Sample implementation scenario: Device Health Attestation & VPN

Components: Windows 10 device (BIOS/UEFI, TPM, boot loader, kernel, Early Launch Antimalware, early drivers; measured boot into the TCG boot log and PCRs; Device Health CSP, other Configuration Service Providers (CSPs), MDM client, AAD Token Broker plugin, VPN client, short-lived certificate store), DHA-Service, MDM, AAD, AAD mini CA, VPN server.

(A) Get Device Health Certificate
- (A1) Device sends TCG log & boot-related data to DHA-Service
- (A2) DHA-Service issues a Device Health Cert
(B) Validate Device Health
- (B1) MDM sends nonce to the device
- (B2) Device forwards health data to MDM
- (B3) MDM forwards health data & nonce to DHA-Service
- (B4) DHA-Service validates device health data
- (B5) DHA-Service issues Device Health Report
(C) Query Device Config-State
- (C1) MDM queries device config-state via the CSPs
- (C2) Device forwards device config-state info
- (C3) MDM validates compliance state data
(D) MDM sets the "IsCompliant" device attribute in AAD
(E) Request VPN Certificate
- (E0) Triggered on VPN connection request (if cert not valid)
- (E1) Forward request to AAD
- (E2) AAD validates compliance state [VPN compliance policy configured]
- (E3) AAD mini CA issues a short-lived cert for VPN, stored in the short-lived certificate store
(F) Client connects to VPN server
- (F1) Retrieve VPN short-lived certificate
- (F2) Present short-lived cert (EAP-TLS)
- (F3) VPN client authenticated
(G) Access internal network resources

Upcoming TAP opportunities
- DHA-Service: DHA-OnPrem, DHA-Cloud
- MDM: SCCM, Intune, AirWatch, SOTI, Citrix, MobileIron, Symantec

Questions?

APPENDIX
- https://msdn.microsoft.com/en-us/library/dn920025(v=vs.85).aspx
- https://msdn.microsoft.com/en-us/library/dn934876(v=vs.85).aspx