All the Guards–Part 1

A while back I wrote an article about all the Defender products Microsoft has:

All the Defenders

It turns out that Microsoft also has a range of “Guard” products. In general, you can think of the Guard products as working in combination with the physical device’s hardware (UEFI firmware, TPM, CPU virtualization extensions) to enhance the security of your environment.

You’ll also find that there is plenty of crossover between Defender and Guard products, for example Windows Defender Application Guard (WDAG).

What I’m going to try and do here is look specifically at all the products that have the name ‘Guard’ in them and show how they help improve the security of your environment. I will readily admit that, because of the tight integration of hardware and software here, getting definitive answers to many questions has proved extremely challenging. Thus, I’ll do my best to share what I have learned, but I’m sure there is still more to uncover.

To commence this journey we need to examine the actual Windows 10 boot process, which is nicely covered in this article from Microsoft:

Secure the Windows 10 boot process

and from which I’ll quote:

Secure Boot

When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.


When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader’s digital signature to verify that it hasn’t been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:


– The bootloader was signed using a trusted certificate. In the case of PCs certified for Windows 10, the Microsoft® certificate is trusted.
– The user has manually approved the bootloader’s digital signature. This allows the user to load non-Microsoft operating systems.

The first step you’ll need to take is to ensure that your device boots in UEFI mode (not legacy BIOS/CSM) and that Secure Boot is enabled. You can follow this article:

Enable Secure Boot on your device

To verify you have Secure Boot enabled you can:


Run the System Information utility (Start | msinfo32), which should show you something like:

[screenshot: System Information summary showing BIOS Mode and Secure Boot State]

Here you should find BIOS Mode set to UEFI and Secure Boot State set to On. If Secure Boot State shows Unsupported, the device is booting in legacy BIOS mode and must be converted to UEFI before Secure Boot can be turned on.

[screenshot: Confirm-SecureBootUEFI returning True in an elevated PowerShell window]

You can also run the PowerShell command:

Confirm-SecureBootUEFI

as an administrator as shown above, which should return True. Note that this cmdlet needs an elevated session, and on a machine booting in legacy BIOS mode it does not return False but throws a “Cmdlet not supported on this platform” error, so any script that wraps it should handle that case rather than treat an error as “enabled”.

[screenshot: Windows Security, Device security page, showing Secure boot is on]

Finally, you can also open Windows Security (formerly Windows Defender Security Center) on your device, select Device security and, under the Secure boot option shown above, you should see “Secure boot is on”.

Windows 10 startup process

The diagram above, from the Secure the Windows 10 boot process article, gives you a good idea of how the boot sequence proceeds. To again quote the article:

Trusted Boot

Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows 10 can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.

Measured Boot

Working with the TPM and non-Microsoft software, Measured Boot in Windows 10 allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process:


1. The PC’s UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app.
2. At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted attestation server sends the client a unique key.
3. The TPM uses the unique key to digitally sign the log recorded by the UEFI.
4. The client sends the log to the server, possibly with other security information.


Depending on the implementation and configuration, the server can now determine whether the client is healthy and grant the client access to either a limited quarantine network or to the full network.

Windows 10 includes the application programming interfaces to support Measured Boot, but you’ll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it.
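Putting the verification steps above and the Measured Boot discussion together, here is an added example (my own code, not from the original post or from Microsoft) of a read-only PowerShell check you can run across a fleet before looking at the Guard features. It assumes an elevated Windows 10 PowerShell session; the function name Test-BootChain is invented for this example, while the cmdlets, the firmware_type environment variable and the %SystemRoot%\Logs\MeasuredBoot folder it reads are standard Windows. It treats the Confirm-SecureBootUEFI error on legacy BIOS as “not enabled” rather than silently passing.

```powershell
# Added example: summarise the state of the Windows 10 boot chain on this device.
# Requires an elevated session. Returns an object rather than printing, so results
# from many machines can be collected and compared.
function Test-BootChain {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        FirmwareType     = $env:firmware_type   # 'UEFI' or 'Legacy', set by Windows at boot
        SecureBoot       = $false
        TpmPresent       = $false
        TpmReady         = $false
        MeasuredBootLogs = 0
        Notes            = @()
    }

    # 1. Secure Boot. On a legacy BIOS (or unsupported) platform this cmdlet throws
    #    instead of returning $false, so an error must count as "not enabled".
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.Notes += "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
    }

    # 2. TPM. Measured Boot needs a TPM to hold the measurements (PCRs) and sign the log;
    #    Get-Tpm also requires elevation.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        $result.Notes += "Get-Tpm failed: $($_.Exception.Message)"
    }

    # 3. Measured Boot. Windows writes the TCG event log for each boot into this folder;
    #    it is what a remote attestation client would send to the attestation server.
    #    No log files means nothing was measured for a server to verify.
    $logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    if (Test-Path $logDir) {
        $logs = Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue
        $result.MeasuredBootLogs = @($logs).Count
    } else {
        $result.Notes += "Measured Boot log folder not found: $logDir"
    }

    # Healthy = UEFI + Secure Boot on + TPM ready + at least one measured boot recorded.
    $result.Healthy = ($result.FirmwareType -eq 'UEFI') -and
                      $result.SecureBoot -and
                      $result.TpmReady -and
                      ($result.MeasuredBootLogs -gt 0)

    [pscustomobject]$result
}

# Usage: run elevated on the device being checked.
Test-BootChain | Format-List
```

A device that reports FirmwareType UEFI, SecureBoot True and TpmReady True but zero Measured Boot logs is worth a second look: the TPM may be present but disabled in firmware, or the folder may have been cleared. The check deliberately stops short of remote attestation, because, as the quoted article says, Windows 10 only provides the APIs for that and the client and server come from non-Microsoft tooling.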

Now that the boot chain is verified as far as the operating system, thanks to Secure Boot, Trusted Boot and Measured Boot, we can move on to the next phase of protection with the Windows 10 Guards.

Next – Virtualization Based Security

Need to Know podcast–Episode 271

I speak with a long-time personality in the SMB space, Linus Chang, who is probably best known for his BackupAssist product that provides backup and recovery for your data in the cloud and also on premises. Linus has a wealth of experience in software development and the Microsoft space, so listen in for some fascinating insights.

I also bring all the latest announcements in the Microsoft Cloud, hot off the presses from Microsoft Inspire. Lots of big announcements there as well, so listen in and don’t miss out.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by www.ciaopspatron.com

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-271-linus-chang/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Linus Chang – Linkedin, BackupAssist

Announcing the general availability of Windows 365

Get started with Windows 365 Business

Windows 365 admin setup and management tutorial for Cloud PCs

What’s coming to OneNote

What’s New in Microsoft Teams | July 2021

When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure

When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks

Microsoft rides Azure, cloud commercial revenue in strong Q4

Announcing Public Preview of App Governance

Microsoft 365 Lighthouse is now in public preview

Secwerks–The bug

Registrations still open:

CIAOPS Secwerks

A virtual 16-hour, level 400+ event focused on teaching security best practices for Microsoft 365.

This remote, classroom-style learning event will be conducted over four half-day sessions and cover topics such as email security, device configuration, Windows 10 security features and more.

If you manage an Office 365 or Microsoft 365 environment, this event is for you.

CIAOPS Need to Know Microsoft 365 Webinar – August

laptop-eyes-technology-computer

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at the role SharePoint plays in Microsoft 365 and how it is your repository for shared files.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite! Yeah Teams webinars.

You can register for the regular monthly webinar here:

August Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – August 2021
Friday 27th of August 2021
11.00am – 12.00pm Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Testing for the PrintNightmare vulnerability

Taking inspiration from:

https://github.com/gentilkiwi/mimikatz/tree/master/mimispool#readme

I’ve updated my own security testing script here:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

to check for the PrintNightmare vulnerability.

The video

https://www.youtube.com/watch?v=LvmRlc40WWI

gives you a walk-through of the process when you run my security testing script, and the results on a vulnerable system.
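The mimispool approach linked above tests the vulnerability actively, by attempting to get a printer driver loaded. As an added example (my own code, not the sec-test.ps1 script or anything from mimikatz), the following PowerShell function does the complementary passive check: it reads the Point and Print policy values that Microsoft’s PrintNightmare (CVE-2021-34527) guidance says must not be weakened, and whether the Print Spooler is running at all. The function name Test-PrintNightmareMitigations is invented for this example; the registry path and value names are the documented ones. It does not check whether the July/August 2021 updates are installed, so a clean result here is necessary but not sufficient.

```powershell
# Added example: report Point and Print settings relevant to PrintNightmare and
# whether the spooler is exposed. Read-only; runs as a standard user.
function Test-PrintNightmareMitigations {
    [CmdletBinding()]
    param()

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

    # 1. Spooler state. A stopped (and ideally disabled) spooler removes the attack
    #    surface entirely; a running spooler is only acceptable with safe settings.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

    # 2. Values that, if explicitly set as below, disable the mitigation. An absent
    #    value means the default applies, which is the safe behaviour on a patched
    #    system (RestrictDriverInstallationToAdministrators defaults to 1 after the
    #    August 2021 update).
    $weak = @{
        NoWarningNoElevationOnInstall              = 1   # install drivers silently, no elevation
        UpdatePromptSettings                       = 1   # update drivers silently
        RestrictDriverInstallationToAdministrators = 0   # let standard users install drivers
    }

    $policy   = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    $observed = [ordered]@{}
    $weakened = New-Object System.Collections.Generic.List[string]

    foreach ($name in $weak.Keys) {
        $value = if ($policy) { $policy.$name } else { $null }
        $observed[$name] = if ($null -eq $value) { 'not set (default)' } else { [int]$value }
        if ($null -ne $value -and [int]$value -eq $weak[$name]) {
            $weakened.Add("$name = $value")
        }
    }

    [pscustomobject]@{
        SpoolerRunning     = $spoolerRunning
        PointAndPrint      = [pscustomobject]$observed
        WeakenedSettings   = $weakened.ToArray()
        # Exposed = spooler reachable AND at least one mitigation explicitly turned off.
        MitigationsWeakened = $spoolerRunning -and ($weakened.Count -gt 0)
    }
}

# Usage: run on the device being tested; pipe to Format-List for a readable report.
Test-PrintNightmareMitigations | Format-List
```

If MitigationsWeakened is True, the device is in the configuration Microsoft warned about and is a good candidate for the active test in the video above. If the spooler is running and all three values are “not set (default)”, confirm the patch level separately before calling the machine safe.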


Announcing the CIAOPS Patron Power Platform community

pexels-led-supermarket-577514

I am pleased to announce the new CIAOPS Patron Power Platform Community (3PC). The growing need for applications in modern businesses and the increasing functionality provided by the Microsoft Power Platform have created a need for skilled professionals. The aim of the CIAOPS Patron Power Platform Community is to provide somewhere that people interested in solving business challenges with the Microsoft Power Platform can come together to share, learn and grow their knowledge.

One of the things that makes the CIAOPS Patron Power Platform Community unique is its focus on providing solutions for small businesses. There are lots of resources available for larger businesses, but we wanted to bring a similar set of resources, plus more, to smaller businesses. This community is also not solely focused on technology; it is designed as a place to solve business challenges with technology, specifically with the Microsoft Power Platform. This means you don’t need to be a developer or an IT administrator, or even have any experience with the Microsoft Power Platform, to join. You just need to want to learn more about the Microsoft Power Platform and how it can be harnessed inside a business to improve productivity.

Another major difference with the CIAOPS Patron Power Platform Community is the desire to ensure that it is an active community. This means there is an expectation that members invest at least one hour a week in the community forums, attending events and contributing to group projects. We also encourage all members to obtain at least one Microsoft Power Platform certification (the PL-900 certification being the recommended starting point) within 6 months of joining. The community is full of all the resources you’ll need to pass these exams, and there are members who are more than willing to help mentor you through your certification journey.

We want the CIAOPS Patron Power Platform Community to be a place where people can contribute to group projects that aim to build solutions such as the

Power Automate Drink Ordering System

Projects like these are the best way to learn about the Microsoft Power Platform, as well as to learn from those more experienced. We also love it when people bring a project they wish to develop with the help of the community. The more projects we work on, the more we all learn.

We have big plans for the CIAOPS Patron Power Platform Community and we are just getting started. As such, we are offering a never-to-be-repeated foundation membership of A$15 per month to be part of what we think will become much bigger in the not too distant future. Now is therefore the time to jump on board at this specially discounted rate and enjoy the benefits of membership for life! You’ll find the links to sign up here:

https://www.ciaopspatron.com/

scroll down the page until you see the Power Platform option.

We are super excited to launch this community publicly and we hope that you can join us on this journey with the Microsoft Power Platform.