https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
Tag: Microsoft
Microsoft Surface Enterprise Management Mode (SEMM)
Quoting the Ars Technica story:
[…]To further increase the appeal of the Surface in constrained enterprise environments, today Microsoft is announcing Surface Enterprise Management Mode (SEMM) for Surface Pro 4, Surface Book, and Surface Studio. SEMM enables administrators with physical access to the hardware to lock out integrated peripherals such as webcam, microphone, and USB ports. This locking out is done by the firmware, disabling the devices in question, rendering them wholly inaccessible to the operating system. It’s intended as a much more elegant alternative to supergluing the ports or drilling out the cameras. SEMM is designed to allow not just static configuration, wherein the devices are disabled permanently, but also dynamic configuration that responds to the environment. For example, a SEMM system could be configured so that when it was on a classified network the USB ports and camera were disabled, but when on an open network they were re-enabled. The system uses digital signatures and certificates to manage the configurations, preventing end users from re-enabling devices that they shouldn’t have access to.[…]
https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode
Microsoft updates Device Guard OEM guidance
Microsoft has updated its OEM guidance for using Device Guard and Credential Guard.
There is no changelog, hopefully you have an old copy of this web page cached somewhere for you to manually diff…
Microsoft Updates OEM Device/Credential Guard requirements
Microsoft just updated this page:
No list of what’s changed, it seems that would be a reasonable thing for a large list of requirements… I’ll leave you to figure out what changed.
(If someone knows of a good way to diff this page against the same page a few weeks ago (without archive.org), please leave a Comment on this blog post. Thanks.)
Microsoft updates OEM Device/Credential Guard requirements
This page was just updated:
Sorry, I didn’t do the detective work to see what has changed, I’ll leave that to you.
Microsoft updates ‘Disabling Secure Boot’ document
This page was just updated:
Sorry, I didn’t do the detective work to see what has changed, I’ll leave that to you.
I wish there was some Microsoft Twitter/other feed that announced these changes…. ;-(
Microsoft Surface
https://twitter.com/aionescu/status/815878947200077824
This is an interesting Twitter thread to read, giving a bit of information on Intel ME use by Microsoft — in its capacity as a BIOS vendor, IBV — on its Surface device.
In other Surface news, ARM has a post about the device including an ARM chip:
http://www.theverge.com/2016/11/29/13775320/microsoft-surface-studio-ifixit-teardown
Lenovo UEFI patches and Microsoft Patch Tuesday
InfoWorld has an article about Microsoft changing its patch schedule, along with multiple UEFI patches from Lenovo:
Intel Manageability Commander for Windows: Intel AMT tool
pdxgrlgeek has a new post on the Intel blog, on the topic of Intel Manageability Commander, an Intel AMT-centric, Microsoft Windows-centric tool, which optionally integrates with Microsoft SCCM. Excerpts from the blog post and from the software’s readme PDF:
I am excited to announce the release of Intel® Manageability Commander. Built from the widely used MESHCommander application, Intel® Manageability Commander will make it significantly easier to take advantage of Intel® AMT out of band hardware management features provided on Intel® vPro™ platforms. Intel® Manageability Commander is a lightweight console used to connect with and utilize the features of Intel® Active Management Technology (Intel® AMT). Through this software, users will be able to connect to activated Intel® AMT devices to perform functions such as power control, remote desktop, hardware inventory, remote terminal, and more. Additionally, this software will plug into Microsoft* System Center Configuration Manager (SCCM) version 1511 and later.
Subset of features from blog post:
* View and modify network settings of Intel® AMT. If the PC has a wireless interface, users can add multiple wireless profiles to connect to Intel® AMT using the wireless interface
* Configure Intel® AMT security features such as System Defense, Audit Log, and Access Control List
* Discover, diagnose and manage Intel® AMT configured PCs remotely
* View and solve user PC and Operating System issues via integrated KVM remote control (Keyboard, Video, Mouse)
* Display Intel® AMT events and filter events by keyword
* Enable or disable Intel® AMT features on a configured system directly from Intel® Manageability Commander’s user interface.
* Integrate with Microsoft SCCM current build version 1511 and later
Read the list of errata in the relnotes, too. For example:
“1) Powering off a system using Intel® Manageability Commander uses the Intel® AMT power control feature and is outside of the operating system. This means that an OS-based reboot or power down is not possible. Over time, repeated use of this feature could lead to corruption in the operating system. This is the expected behavior of Intel® AMT power off command for all versions of Intel® AMT”
This is a Windows-centric tool. It appears that if you want to have all the fun tools from Intel, you have to use Windows, not Linux or MacOSX or Android or ChromeOS.
https://communities.intel.com/community/tech/vproexpert/blog/2016/11/05/intel-manageability-commander-with-microsoft-sccm-integration
http://www.intel.com/content/www/us/en/support/software/manageability-products/intel-manageability-commander.html
https://downloadcenter.intel.com/download/26375/Intel-Manageability-Commander
MBRFilter: MBR security for Windows
Lucian Constantin has an article about a new MBR-based Windows-centric tool created by Cisco’s Talos. From his article on CSO Online:
[…]Cisco’s Talos team has developed an open-source tool that can protect the master boot record of Windows computers from modification by ransomware and other malicious attacks. The tool, called MBRFilter, functions as a signed system driver and puts the disk’s sector 0 into a read-only state. It is available for both 32-bit and 64-bit Windows versions and its source code has been published on GitHub. The master boot record (MBR) consists of executable code that’s stored in the first sector (sector 0) of a hard disk drive and launches the operating system’s boot loader. The MBR also contains information about the disk’s partitions and their file systems. Since the MBR code is executed before the OS itself, it can be abused by malware programs to increase their persistence and gain a head start before antivirus programs. Malware programs that infect the MBR to hide from antivirus programs have historically been known as bootkits — boot-level rootkits. […]
From the project’s readme:
[…]This is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers. The goal of this filter is to prevent writing to Sector 0 on disks. This is useful to prevent malware that overwrites the MBR like Petya. This driver will prevent writes to sector 0 on all drives. This can cause an issue when initializing a new disk in the Disk Management application. Hit ‘Cancel’ when it asks you to write to the MBR/GPT and it should work as expected. Alternatively, if OK was clicked, then quitting and restarting the application will allow partitioning/formatting. […]
Windbg updated
Windbg, Microsoft’s Windows system debugger, has been released with new features, one of which is the ability to write debugger scripts in JavaScript.
(WordPress renders the MSDN blog URL strangely; if you can’t click on that, click on the URL in Alex’s twitter.)
https://twitter.com/aionescu/status/792157463076233216
https://blogs.msdn.microsoft.com/windbg/2016/10/27/new-insider-sdk-and-javascript-extensibility/
Microsoft: Keeping Windows Secure documents on Github
https://github.com/Microsoft/windows-itpro-docs/blob/master/windows/keep-secure/TOC.md
This reminds me, the guidance for Linux users from the Linux Foundation is nearly a year old now, no updates:
More info on Microsoft BIOS to UEFI feature
Earlier I saw some brief information about some “BIOS to UEFI” feature that Microsoft was adding to some product of theirs, but had no idea what it was about. Here is a bit more information on the System Center feature:
“Improvements for BIOS to UEFI conversion
You can now customize an operating system deployment task sequence with a new variable, TSUEFIDrive, so that the Restart Computer step will prepare a FAT32 partition on the hard drive for transition to UEFI. The following procedure provides an example of how you can create task sequence steps to prepare the hard drive for the BIOS to UEFI conversion.”
https://technet.microsoft.com/library/mt772349(TechNet.10).aspx#Improvements-for-BIOS-to-UEFI-conversion
Analysis of MSI’s NTIOlib
MSI ntiolib.sys/winio.sys local privilege escalation:
So, it seems that not only ASUS drivers allow unprivileged reading and writing to physical memory. Just a few months ago I was looking at the drivers that are loaded on my machine, and I found a small MSI driver called NTIOLib_X64.sys. Out of curiosity I’ve looked at it in IDA and it turned out that it has almost the same functionality as the ASMMAP/ASMMAP64 ASUS drivers. I’ve tried to contact MSI through various different channels, but I haven’t really gotten past their customer support, so I’m not sure if anyone from the development team is aware of this design flaw. After almost 4 months I decided to publish my findings here. […]
Intel Firmware Engine 2.1.1 for Windows released
Microsoft UEFI unit tests!
Thanks to Microsoft for open sourcing some UEFI unit test harness code!!!
https://github.com/Microsoft/MsUEFI-Test/tree/master/MsUnitTestPkg
Peter Jones on Secure Boot failures and mitigations
I just now came across a blog post written by Peter Jones LAST MONTH on the “Microsoft Secure Boot Golden Key” news reports that is worth reading. Peter owns the Linux shim, so he knows a bit about UEFI’s boot process.
https://blog.uncooperative.org/blog/2016/08/18/secure-boot-failures-and-mitigation/
Especially because I’ve had nearly nothing useful on this blog about this post:
Also note other articles in Peter’s blog: he makes regular canary posts about the state of his Shim code. I wish all of the boot/firmware code required all contributors to have canaries!
SPYRUS secure USB drives in some Microsoft Surface devices
Recently SPYRUS, Inc. announced the integration of their NIST FIPS 140-2 Level 3 secure USB 3.0 drive family with Microsoft Surface Pro devices.
“SPYRUS is currently the only manufacturer of hardware encrypted Windows To Go products that have successfully integrated support with the Microsoft Surface Pro family of tablets. The unique feature set, to include provisioning support to boot the Windows To Go in UEFI Secure Boot mode, in conjunction with FIPS 140-2 Level 3 certification sets a new standard for security features and performance,” said Tom Dickens, SPYRUS COO. “Use cases for these smart drives also dovetail perfectly with the rapidly emerging requirements for collaboration, secure data storage, secure mobile computing, and secure devices with auditable cybersecurity.”
http://www.spyrus.com/windows-to-go-live-drives and http://www.spyrus.com/encrypting-usb-storage/
http://www.spyrus.com/spyrus-announces-integration-of-windows-to-go-and-p-3x-product-lines-with-microsoft-surface-pro-3-and-4/
Microsoft OMI: WMI for Linux
WMI, the Windows-centric API wrapper around the DMTF CIM standard, has an OMI variant that works outside of Windows. I don’t understand why Microsoft didn’t just submit OMI to DMTF, instead of The Open Group…
https://twitter.com/mattifestation/status/768445468925829120
Open Management Infrastructure (OMI) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI CIMOM is also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory constraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most UNIX® systems and Linux. In addition to OMI’s small footprint, it also demonstrates very high performance. RPM and DEB packages are provided for the installation of OMI on most enterprise Linux distributions. To install OMI, download the correct package for your Linux computer. […]
https://github.com/Microsoft/omi
http://www.opengroup.org/software/omi
https://blogs.technet.microsoft.com/windowsserver/2012/06/28/open-management-infrastructure/
Microsoft updates PE/COFF spec
https://twitter.com/mattifestation/status/768111896461398016
Unlike most large specs, this one does not have a revision history/changelog. It sounds like AArch64 support is the main change, but I have not read it yet.
https://www.microsoft.com/en-us/download/details.aspx?id=19509