nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Pesky users! They're always compromising endpoints! Security baked into silicon helps

Intel chippery tech mitigates the most careless of workers

By Stuart Burns, 25 Sep 2017

Sponsored We can all agree that endpoint security is important – and also that it is a pain to enforce. Because of people. Worker carelessness is the most potent threat to endpoint security, according to US IT decision makers.

When defending against malware there are well-established routines including obvious items such as using accounts of least privilege, proactive security, good patching hygiene and updated antivirus software. But is this enough? In a word, no – workers will, if they can, always take shortcuts that may expose their organisations to bad actors. The IT world is, however, moving beyond that somewhat rudimentary stance.

For instance, with Windows 10, Microsoft has doubled down on some of the security concepts and ideas built into previous generations of the software that were not universally used or were difficult to implement.

In addition, Windows 10 security is fortified by a lot of the intensive workloads (eg, Full Disk Encryption) handled in silicon. Indeed, Microsoft and Intel have developed quite the partnership, with features baked into newer CPUs such as the 7th Gen Intel Core vPros to deliver a secure endpoint computing platform for Windows 10. According to Intel, this is achieved "without complicating worker efficiency".

For instance, Microsoft's Device Guard, available for Windows 10 Enterprise and Windows Server 16, changes from a "mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorised by your enterprise. You designate these trusted apps by creating code integrity policies."

Underpinning its defences, Device Guard uses Intel Virtualization Technology (Intel VT) to, says Intel, isolate critical validation in containers that are nearly invisible and less accessible to malware. "At the vulnerable moment of boot, before any security software is even able to turn on, Intel BIOS Guard and Intel Boot Guard also help Unified Extensible Firmware Interface (UEFI) for Secure Boot help ensure the coast is clear before handing control over to the operating system."

TPM: It can be useful!

One example of a much-maligned and misunderstood item is that of the TPM (trusted platform module) built into modern devices.

Many sysadmins either misunderstand or ignore the ease of use that TPM can bring to environments of all sizes. But TPM really is the backbone of secure computing.

Some functionality requires TPM. There are also multiple ways to use it but it really does depend on your environment. In practice, the main aim of TPM is to make computing simple while also being secure.

Windows 10 takes these solid security practices and makes them easier (albeit occasionally taking away the rights from the user, a la Windows update). Unpatched machines are not what anyone wants. All future security in the hardware realm will be reflected in Windows 10.

On the other hand, there are some features that, when pushed, users love. Windows Hello and Bitlocker are a couple examples of software that uses some of the advanced hardware built into PCs and utilising TPM.

Forgot your password? Forget about it

Windows Hello is a key facet of security hardware that makes life easier for bonafide users and more difficult for hackers and malware. A lot of people poo-poo the idea of using a PIN to log into their computer (it can't be secure, can it?) but there is more to it than the simple PIN used for bank cards, etc.

When using a PIN with Windows 10 it is a rudimentary form of two-factor authentication. The PIN is unique to the device it is paired with. This is an example of two-factor authentication at work, something you have and something you know.

The PIN never leaves the device. What makes this more interesting still is that it requires no additional hardware. This simplifies the user experience and keeps the costs low as there is no need to support hardware tokens that are lost, broken or misconfigured.

Intel has even released a new plugin for Edge to allow users to use their Windows Hello PIN to sites that support it. Replacing passwords is no bad thing. Leaky passwords lead to additional compromise.

The same functionality is available to business users but what makes it more powerful is that the PIN can unlock PKI infrastructure and ensure secure cryptographic communications between the user and the AD infrastructure and other providers that are set up to use PKI.

Leverage the power of the silicon

Underlying this simpler, more secure hardware platform is the cryptography built into modern CPUs, which have AES, the currently accepted gold standard, built into them. (There is serious degradation in performance when software has to perform these tasks: silicon wins every time in terms of speed.)

This means that users or administrators can deploy Bitlocker in just a few clicks. Although some may think "whatever", consider the bigger picture. Device theft is a serious issue for business. Having full disk encryption saves the company from having a full-scale security breach on their hands as the attacker would need to know the credentials in order to access the data.

With Windows 10 Enterprise, Microsoft has introduced Windows Defender Credential Guard to combat misused, default or stolen credentials. The software leans on hardware platform security for several features, managing use of Intel VT to isolate credential keys in containers where hackers have less visibility.

Microsoft explains the identity protection technology thus:

Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.

There is no reason to not use full disk encryption. What makes Windows 10 even more secure is that there is no need to have multiple passwords. That one pin can be used to authenticate the user for almost all local requirements.

Talking about bits and registers

Alongside this user authentication, some of the functionality of newer CPUs can be be deployed only using newer versions of Windows. Some protections did work in the world of 32-bit, but 64-bit is where it's at. These protections mitigate common malware practices to prevent execution of code that the processor wasn't meant to run.

These include NX bit (No eXecute), a processor technology that goes hand in hand with DEP (Data Execution Prevention) functionality found in modern versions of Windows. In essence, NX bit allows the CPU to differentiate between application-executable data and normal application data. The CPU can then be prevented from running some executable data in the application data space. This was one of the big ways in which malware got in.

ASLR (Address Space Layout Randomisation) was available in earlier versions of Windows, but Microsoft have gone to town on this feature with Windows 10. ASLR originally existed to randomise the locations used by software and make them difficult to locate – if an application knew ahead of time where it would be located it could overwrite that code with its own instructions and give the attack vector an elevated privilege. ASLR does work on 32-bit systems but nowhere near as effectively as on 64 bit systems. Let me put it simply: anyone running a 32-bit version of Windows is not playing with a full deck.

So you are under attack. Here, Intel touts the benefits of AMT (active management technology) and recommends that organisations install Intel Manageability Commander into their Microsoft System Center Configuration Manager (SCCM) consoles. Subject to certain connectivity limitations, this team-tag enables IT operations managers to remotely take a compromised device off the network so a virus doesn't spread. If the operating system is down or the device is without power, the Intel MC-SCCM combo delivers out-of-band flexibility that means you can be prepared for recovery. Processor-based devices can be reimaged and remotely brought back to a good state. Intel also touts the additional data protection benefits of devices incorporating its solid-state drives such as the Intel SSD Pro 6000p. With Intel MT activated you can remotely delete encryption keys using Intel Remote Secure Erase.


In summary, prevention is better than a cure. The Windows 10 7th Gen Intel Core vPro combination provides several advances in security that, when implemented correctly, can help prevent malware attempts. All these new functions are no substitute for properly managing endpoints and using common sense and user education.

The Register - Independent news and views for the tech community. Part of Situation Publishing