Securing Virtual Machines in Windows 10


Trusted Platform Module (TPM)

A TPM is a specialized chip soldered on an endpoint device’s motherboard that provides hardware-based device authentication, tamper detection, and encryption key storage.
The TPM generates RSA encryption keys specific to the host system making it impossible to recover data from an encrypted hard drive in a different computer than the one in which it was originally installed.
Further, the TPM generates a unique digital signature from the motherboard in which it was originally embedded, foiling any attempts to move the TPM chip itself to another machine.
This secure cryptographic integrated circuit provides a hardware-based approach to manage user authentication, network access and data protection. The TPM can be used with any major operating system and works best in conjunction with other security technologies such as firewalls, antivirus software, smart cards and biometric verification.

Secure Boot

When you boot a modern Windows PC, the Secure Boot feature in the UEFI firmware checks the operating system loader and its drivers to ensure they’re signed by an approved digital signature. On Windows PCs, the UEFI Secure Boot feature generally checks to see if the low level software is signed by Microsoft or the computer’s manufacturer. This prevents low-level malware like rootkits from interfering with the boot process. Note that the latest versions of popular Linux distributions, including Ubuntu, Mint and Fedora, already install just fine on a Windows PC that has Secure Boot enabled.
Besides, Linux operating systems can now take advantage of secure boot in Generation 2 VMs in Hyper-V on Windows 10. Both Ubuntu 14.04 and SUSE Linux Enterprise Server 12 are currently supported, and this trend will widen over time. These Linux VMs must be configured to use the Microsoft UEFI Certificate Authority (CA) as a Secure Boot template.

Linux VM Secure Boot

Measured Boot

One of the most concerning trends in malware over the last few years is the appearance of increasingly sophisticated rootkits that can hide from detection. In order to detect and resolve these early boot threats, Windows 8 introduced a new feature called Measured Boot, which measures each component, from firmware up through the boot start drivers, stores those measurements in the TPM on the machine, and then makes available a log that can be tested remotely to verify the boot state of a client machine.
The Measured Boot feature provides antimalware software with a reliable (resistant to tampering and spoofing) log of all boot components that started before the antimalware software. Thus, the software can use the log to determine whether components that ran before it are trustworthy or if they are infected with malware.

Virtual TPM on Windows 10 Hyper-V

Windows 10 version 1511 (Fall Update) brought a number of new features to Microsoft’s latest OS, namely the ability to use a virtual TPM inside Generation 2 (link) Virtual Machines. This virtual TPM isn’t emulated in software and therefore a physical TPM is required in the host device. If your machine doesn’t have a TPM (or if the chip is disabled in your BIOS/UEFI), your VM Security settings might be missing the entire Trusted Platform Module section.

Virtual TPM
As you can see in the picture, in order to use the virtual TPM in a VM, you’ll first need to enable the Isolated User Mode on your host computer. This can be easily done by turning on the required Windows feature and rebooting.

Isolated User Mode
The next step is to turn on Virtualization Based Security using the Local Group Policy Editor (gpedit.msc). Set the policy to Enabled and reboot again.

Device Guard
Last but not least, you need to configure Windows Remote Management on your host machine. Just run winrm quickconfig from an elevated command prompt.

Once you complete the above procedures, you can now enable the virtual TPM in your Generation 2 VMs.

Virtual TMP Inside a VM

The Future of Cyber Threats

Cyber threats appear as quickly as new technologies themselves, and with computers now being such a critical part of our infrastructure – from our smartphones and cars to national energy systems and even prisons – the potential for damage is catastrophic. Large global multinationals and small local businesses and startups use the online infrastructure to facilitate economic and technological innovation. Defense and intelligence agencies depend on cyber networks to manage far-flung operations, analyze intelligence data and implement homeland security, military logistics and emergency services.

Global dependence on the Internet grows every day and many nations are now depending on a cyber infrastructure that enables the operation of financial markets, transportation networks, taxation and energy grids, as well as the public agencies protecting the health and security of their citizens. With this growth come ever-greater risks as well as opportunities.Advanced persistent threats reflect the risks posed by adversaries with the sophistication, resources and determination to cause real and permanent damage by exploiting the architecture of networks, and of cyberspace itself.

The biggest threat is state involvement. Where a rogue phisher or malware attack might be the criminal equivalent of a street mugger, state-sponsored attacks come with all the resources and technological sophistication of James Bond. Resistance is extremely hard and these attacks are very difficult to attribute to anyone; they can be routed via any country or written in any language.

Because the Internet is an evolving technology that carries enormous potential and vulnerabilities, cybersecurity problems implicate questions of Internet freedom, network architecture and the economic potential for cyberspace. We are at the beginning of a new and dangerous era of cyberwarfare and governments should be encouraged to cooperate in order to identify and punish the criminals. But let's not be naïve about it, they will also be engaging in cyber espionage against each other.  

Cyberthreats for 2013


Cloud-Based Botnets

The trend to move the computer infrastructure to the cloud can not only jeopardize data, but can also be used to quickly create a “zombie army” – also known as botnet. Over the last years, Africa has become highly connected but many of the operating systems in use are pirated, meaning they are not receiving patches or updates. Therefore, Africa is a huge target for hackers and it is being used as a hub to target other countries – using command and control attacks, denial of service, phishing and spam.

The new undersea fiber optic cable along the east coast of Africa has enabled rapid growth in the number of users obtaining high speed connections to the internet creating a great opportunity for attackers to infect new machines and create new bots. A growing number of users in countries served by the cable had access to broadband links but without awareness about the need for computer protection, opening a new front for botnets.

Now, Africa is not attacking – they are being attacked and used. While businesses in Africa get some security, government and end users are totally exposed due to a of lack of awareness and money to invest in safe and legitimate software.

Cyber Threats History: A New Cold War (Present)

This is the decade of cloud computing, the rise of hacktivism and the birth of real cyberwarfare. Who knows what else is going to happen? Cyber attacks continue to rise at a great pace, increasing 42 percent in 2012 from the previous year and IT security experts have no reason to believe that it'll slow down. On the contrary, most experts believe cyber threats will not only grow in frequency, but will also become more sophisticated. Hackers are now either criminals out to make money, activists out to protest or governments engaged in targeting their own citizens or attacking other governments, whether for espionage or cyberwarfare. This new level of resources and sophistication makes life very difficult for those charged with defending networks from attack.

Historical Landmarks


Dozens of technology companies - most in Silicon Valley - have their computer networks infiltrated by hackers located in China. Google publicly reveals that it has been sustaining a highly sophisticated and targeted attack on their corporate infrastructure also originating from China that resulted in the theft of intellectual property. The attacks are named Operation Aurora and official Chinese media responds stating that the incident is part of a U.S. government conspiracy.

Operation Aurora

Britain announces it will devote $1 billion to building new cyber defenses. Iain Lobban, the director of the Government Communications Headquarters, says the country faces a "real and credible" threat from cyber attacks by hostile states and criminals as government systems are targeted 1,000 times each month, threatening Britain's economy.