Securing Virtual Machines in Windows 10


Trusted Platform Module (TPM)

A TPM is a specialized chip soldered on an endpoint device’s motherboard that provides hardware-based device authentication, tamper detection, and encryption key storage.
The TPM generates RSA encryption keys specific to the host system making it impossible to recover data from an encrypted hard drive in a different computer than the one in which it was originally installed.
Further, the TPM generates a unique digital signature from the motherboard in which it was originally embedded, foiling any attempts to move the TPM chip itself to another machine.
This secure cryptographic integrated circuit provides a hardware-based approach to manage user authentication, network access and data protection. The TPM can be used with any major operating system and works best in conjunction with other security technologies such as firewalls, antivirus software, smart cards and biometric verification.

Secure Boot

When you boot a modern Windows PC, the Secure Boot feature in the UEFI firmware checks the operating system loader and its drivers to ensure they’re signed by an approved digital signature. On Windows PCs, the UEFI Secure Boot feature generally checks to see if the low level software is signed by Microsoft or the computer’s manufacturer. This prevents low-level malware like rootkits from interfering with the boot process. Note that the latest versions of popular Linux distributions, including Ubuntu, Mint and Fedora, already install just fine on a Windows PC that has Secure Boot enabled.
Besides, Linux operating systems can now take advantage of secure boot in Generation 2 VMs in Hyper-V on Windows 10. Both Ubuntu 14.04 and SUSE Linux Enterprise Server 12 are currently supported, and this trend will widen over time. These Linux VMs must be configured to use the Microsoft UEFI Certificate Authority (CA) as a Secure Boot template.

Linux VM Secure Boot

Measured Boot

One of the most concerning trends in malware over the last few years is the appearance of increasingly sophisticated rootkits that can hide from detection. In order to detect and resolve these early boot threats, Windows 8 introduced a new feature called Measured Boot, which measures each component, from firmware up through the boot start drivers, stores those measurements in the TPM on the machine, and then makes available a log that can be tested remotely to verify the boot state of a client machine.
The Measured Boot feature provides antimalware software with a reliable (resistant to tampering and spoofing) log of all boot components that started before the antimalware software. Thus, the software can use the log to determine whether components that ran before it are trustworthy or if they are infected with malware.