Windows 10 and Surface hardware are now good enough for government work, even when dealing with classified data. The operating system and the Surface Pro 3 and 4, Surface Book, and Surface Studio have all been added to NSA's Commercial Solutions for Classified Programs (CSfC) list. This means that, when properly configured and used in a properly designed layered deployment, the hardware and software all provide adequate security for classified data.

To further increase the appeal of Surface in constrained enterprise environments, today Microsoft is announcing Surface Enterprise Management Mode (SEMM) for Surface Pro 4, Surface Book, and Surface Studio. SEMM enables administrators with physical access to the hardware to lock out integrated peripherals such as webcam, microphone, and USB ports. This locking out is done by the firmware, disabling the devices in question, rendering them wholly inaccessible to the operating system. It's intended as a much more elegant alternative to supergluing the ports or drilling out the cameras.

SEMM is designed to allow not just static configuration, wherein the devices are disabled permanently, but also dynamic configuration that responds to the environment. For example, a SEMM system could be configured so that when it was on a classified network the USB ports and camera were disabled, but when on an open network they were re-enabled. The system uses digital signatures and certificates to manage the configurations, preventing end users from re-enabling devices that they shouldn't have access to.

When they can, companies might want to leave those webcams enabled, however. Windows Hello biometric authentication currently requires systems to have some element of cloud connectivity. For home users, this means using a Microsoft Account. For enterprise users, this means either pairing the domain account with a Microsoft Account or using Azure Active Directory. Companies that were unwilling to use Microsoft Accounts or unable to federate their local Active Directory with Azure were left out. The Windows 10 Creators Update changes that: it enables Windows Hello for any Active Directory organization, even if it's fully on-premises. This means that facial recognition using suitable webcams, including the ones found in Surface, is available to many more enterprise users.

Later in the year, Microsoft will integrate Windows Hello with Intel Authenticate, a hardware-based authentication system that's part of Intel's vPro platform.

Windows systems currently have two broad sets of management tools: there's the Group Policy system, which remains the most capable, furthest-reaching settings and configuration tool, and there's also a range of settings that can be controlled by Mobile Device Management (MDM) software. The Creators Update is going to expand the number of settings that MDM can configure to include many of those in the Security Baseline Policies, and the MDM Migration Analytics Tool will help replicate policy settings so that they can be applied to MDM-controlled devices.

Microsoft has already described improvements that the Creators Update is bringing to Windows Defender Advanced Threat Protection (WDATP), and one more piece of data is coming soon. WDATP users have told Microsoft that they want to gather all security-related reporting in a single place, and so WDATP is going to include reports from anti-malware software, starting with Windows Defender.

The cloud-based Windows Analytics service is also being enhanced to show uptake rates of Windows 10 security and feature updates.

Article title: No more superglued USB ports: Surface hardware can be locked down in firmware