Secure Startup Hardware-Enhanced Security. Stacy Stonich Program Manager Windows Security Microsoft Corporation. Peter Biddle Product Unit Manager Windows Security Microsoft Corporation.

Secure Startup Hardware-Enhanced Security

Stacy Stonich

Program Manager

Windows Security

Microsoft Corporation

Peter Biddle

Product Unit Manager

Windows Security

Microsoft Corporation


A large multi-national company who wishes to remain anonymous told us that they lose an average of one corporate laptop per day in the taxicabs of just one US city…

Session Outline
  • Problem: Easily Stolen Data
    • Current situation
    • Customer pain
  • Solution: Full Volume Encryption (FVE)
    • What it provides
    • The feature in action
      • Demo
    • Architectural Details
    • Value Add
    • Recovery Scenarios
    • Wrap up
    • Q & A
Session Goals
  • Attendees should leave this session with:
    • A better understanding of Secure Startup
    • Knowledge of where to find resources for how to build platforms that support this feature
    • An understanding of how they can add hardware and software support to the feature
Current Situation
  • Password recovery programs are widely available that enable offline attacks which can circumvent Windows XP data security mechanisms
  • Offline attacks expose core system keys that allow for the compromise of secured data
  • Hundreds of thousands of laptops are lost every year
Customer Pain
  • Difficult to protect the data on lost or stolen laptops
  • Corporate networks can be attacked via lost or stolen machines
  • User data stored on hard disk may be tampered with without a user knowing
  • User data from encrypted files may be disclosed to others during runtime
  • Compromise of users’ encrypted data can occur
  • Machine data cannot truly be erased
Industry Data
  • “Dutch public prosecutor … was condemned yesterday for putting his old PC out with the trash. It contained sensitive information about criminal investigations in Amsterdam, and also his email address, credit card number, social security number and personal tax files.” – The Register, Oct 8, 2004
  • “Hurried travelers have left as many as 62,000 mobiles, 2,900 laptops and 1,300 PDAs in London taxis over the past six months.” – BBC, August 2001
  • “An estimated 11,300 laptop computers, 31,400 handheld computers and 200,000 mobile telephones were left in taxis around the world during the last six months … passengers had lost three times more handheld computers in the second half of 2004 than in 2001” – CNN, January 24, 2005
Secure Startup
  • Technology providing higher security through use of Trusted Platform Module (TPM)
  • Addresses the lost or stolen laptop scenarios with TPM-rooted boot integrity and encryption
  • Provides secure system startup, full hard drive encryption, and TPM services
  • Attackers are stopped from using software tools to get at data

Secure Startup gives you stronger security on your Windows codenamed “Longhorn” client systems, even when the system is in unauthorized hands or is running a different or exploiting OS. Secure Startup does this by preventing a thief who boots another OS or runs a hacking tool from breaking Longhorn file and system protections.

Disk Layout
  • Encrypted OS Volume contains:
    • Encrypted OS
    • Encrypted page file
    • Encrypted temp files
    • Encrypted data
    • Encrypted hibernation file
  • System Partition contains:
    • Boot utilities
    • (Unencrypted, ~50MB)

Full Volume Encryption Value Add
  • Encryption of the hibernation file protects against the case where a user lets the laptop hibernate with sensitive docs open and the laptop is then stolen, leaving the docs at the fingertips of thieves
  • Full volume encryption enhances the security value of all registry, config files, paging files and hibernation files stored on the fully encrypted volume
  • Simply destroying the key allows for the safe disposal of corporate hardware/computer assets without fear of residual sensitive data
Recovery Scenarios
  • Broken Hardware Recovery Scenario
    • User swaps the hard drive into a new machine because laptop screen is broken from a drop
  • Attack Detected Recovery Scenario
    • Virus makes modifications to the Boot loader
  • Recovery password (known by the user or retrieved from a repository by an administrator)
    • Recovery can occur ‘in the field’
    • Windows operation continues as normal
  • Automated escrow of the keys and recovery passwords (i.e. to an AD) to allow for centralized storage and management of recovery mechanisms
  • Optionally, recovery keys can be written to media – such as a USB device
  • Hardware requirements to support Secure Startup
    • Trusted Platform Module (TPM) v1.2
      • Provides platform integrity measurement and reporting
      • Requires platform support for TPM Interface (TIS)
      • See
    • Firmware (Conventional or EFI BIOS) – TCG compliant
      • Establishes chain of trust for pre-OS boot
      • Must support TCG specified Static Root Trust Measurement (SRTM)
      • See
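
The chain of trust and the "Attack Detected" recovery scenario above, as an added Python model that is not part of the original presentation: each pre-OS stage is hashed into a TPM 1.2 style SHA-1 register (PCR) by the extend operation, and the volume key is released only when the register matches the value recorded at seal time. The single PCR, the `ToyTpm` class, the stage names and the key bytes are constructed assumptions; a real TPM uses several PCRs and keeps the sealed secret inside the chip.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def extend(pcr, component):
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components):
    """Measure each pre-OS stage in order, starting from the reset value (all zeros)."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class ToyTpm:
    """Hypothetical minimal model of PCR-bound sealing (assumption, not a TPM API)."""

    def __init__(self):
        self._sealed = None

    def seal(self, secret, pcr_at_seal):
        self._sealed = (pcr_at_seal, secret)

    def unseal(self, current_pcr):
        expected, secret = self._sealed
        # Release the secret only if the platform booted the same measured chain.
        return secret if hmac.compare_digest(expected, current_pcr) else None


def startup(tpm, components):
    """Return the outcome of a boot: normal unlock, or fall back to recovery."""
    key = tpm.unseal(measure_boot(components))
    return "unlocked" if key is not None else "recovery required"


# Constructed sample boot chain (placeholder byte strings, not real firmware images).
GOOD_CHAIN = [b"firmware v1", b"master boot record", b"boot sector", b"boot loader"]
TAMPERED_CHAIN = GOOD_CHAIN[:3] + [b"boot loader + injected code"]
REORDERED_CHAIN = [GOOD_CHAIN[1], GOOD_CHAIN[0]] + GOOD_CHAIN[2:]

tpm = ToyTpm()
tpm.seal(b"\x11" * 32, measure_boot(GOOD_CHAIN))  # constructed volume key

if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("tampered", TAMPERED_CHAIN),
                        ("reordered", REORDERED_CHAIN)]:
        print(name, measure_boot(chain).hex(), startup(tpm, chain))
```

Because extend is a running hash, changing any stage or the order of stages changes the final value, so the modified boot loader lands in the recovery path rather than unlocking the volume.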
Call to Action
  • Firmware
    • Make sure INT 1A Subfunction BBh calls behave correctly as documented by TCG (Trusted Computing Group) - even if no TPM
  • Hardware
    • Make sure Secure Startup works with TPM 1.2's
  • Disk utilities
    • TPM not required to test Secure Startup for application compatibility. Work with MS to make encrypted volumes work with low level utilities
Community Resources
  • Windows Hardware & Driver Central (WHDC)
  • Technical Communities
  • Non-Microsoft Community Sites
  • Microsoft Public Newsgroups
  • Technical Chats and Webcasts
  • Microsoft Blogs
Additional Resources
  • Web Resources
    • Whitepapers
  • Related Sessions
    • How to Build Hardware Support for Secure Startup
  • Non-Microsoft Community Sites
  • Questions? Send mail to

© 2005 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.