CONFIGURING AND MANAGING THE TPM IN AN ENTERPRISE ENVIRONMENT
The TPM MMC provides a familiar interface for Windows system administrators
to manage the TPM on a local machine. However, you cannot use the MMC to
perform remote TPM management, and it does not allow for the batch processing
of management tasks across multiple machines at once. In the enterprise environment,
you’re going to need to deploy numerous systems all at once instead of just
one. Even in the enterprise where you will not be utilizing the TPM and the services
Microsoft has built on it, it is still a good idea to lock users out of being able
to manage the TPM locally. Otherwise, your help desk phones are likely to start
ringing with calls from users who read about the cool new TPM features somewhere,
tried to enable BitLocker Drive Encryption themselves, and in the end lost
all the data on their hard drives when they cleared the TPM. Regardless of
whether you plan to use the TPM right away, it is now a resource in your organization
that needs to be managed.
This presents a whole new slew of challenges, and you know you are not going
to be able to enjoy your weekends if you have to configure and manage
the TPM on all these devices by hand. You absolutely do not want to be using the
TPM MMC to manage all your devices, and you don’t want to be saving the hash of
each owner password to one USB key which you’ll then toss into your bottom desk
drawer. Microsoft has thought of these challenges and has provided some pretty
handy deployment tools. Again, these tools should be old news to any seasoned
Microsoft systems administrator. Windows Management Instrumentation (WMI)
scripting will allow administrators to complete tasks, such as taking ownership of the
TPM, turning on the TPM, or turning off the TPM, on multiple systems at the same
time. GPOs available with Windows Server 2007 (codenamed Longhorn) provide
administrators with a cadre of configuration options that will work with the scripts
they use to deploy TPM-based systems.
Tools & Traps...
TPM Management Best Practices
You should use the following best practices to help ensure a secure and manageable
deployment of TPM hardware and Windows Vista services within your
enterprise:
First, you need to ensure that you are purchasing systems with
TPM chips that comply with the TCG TPM version 1.2 specification.
Second, make sure that any applications you plan to use comply
with version 1.2 of the TCG TSS specification, and have been developed
to work with TBS.
Use WMI scripts to initialize the TPM on multiple systems, if possible,
before you deploy hardware to users.
Use WMI scripts to take ownership of the TPM if you need to do it
remotely, or if you are performing the task on multiple systems.
Store TPM-related data in Active Directory.
Use unique owner passwords on all systems in the enterprise.
Never give TPM owner passwords or authorization information to
system users.
If system users need to perform tasks that require TPM owner credentials,
it is best to delegate permissions to the users to perform
the tasks. This will depend on whether the software supports delegation
of duties.
Maintain the list of blocked TPM commands using restrictive policies.
Do not store the owner password or authorization information on
local system media.
Using GPOs and Active Directory
The next version of Windows Server, codenamed "Longhorn," will include Active
Directory schema extensions that support both TPM management and BitLocker
Drive Encryption management. (The latter is covered in more detail in Chapter 5).
The main thing you need Active Directory to do for you is provide a place to store
the hashes of TPM owner passwords so that each TPM may have a unique owner
password, and you can store the hashes in a central, secure location. The same goes
for the BitLocker Drive Encryption keys. You can store those keys in Active
Directory in the event you need to enact emergency recovery procedures. The
Active Directory attribute where the TPM owner authorization value is stored is
ms-TPM-OwnerInformation. Keep this in mind for when you need to run a script and
need the computer's owner authorization information to call the Win32_Tpm method
you want.
Preparing Your Pre-Longhorn Domain Controllers
These schema extensions come with Windows Server 2007 by default, but if you are
running a domain that utilizes Windows Server 2003 and/or Windows 2000 Server
domain controllers, you do not have the necessary objects and attributes in Active
Directory to take advantage of these central management and key storage features. In
order to extend your Active Directory schema, all of your domain controllers must
be running Windows Server 2003 Service Pack (SP) 1 or later because the Active
Directory schema version in this release contains the ability to set certain attributes
in Active Directory as confidential, which protects them from being read by unauthorized
personnel. The TPM and BitLocker Drive Encryption keys should be stored
in confidential attributes for obvious reasons.
There is a version of the Microsoft schema preparation utility, adprep, which
comes on the Windows Vista and Windows Server 2007 DVDs in sources\adprep. This
is not a new utility, and anyone who has been through the Active Directory upgrade
process should be familiar with it. However, the official word from Microsoft is that
this should not be used. This folder is included for informational purposes only, to
demonstrate what schema changes will take place. The scripts did work for us on a
Windows Server 2003 for Small Business Server SP1 system, but because you are not
supposed to be using them at this time, you’ll have to run them at your own risk.
Once Windows Server 2007 is actually released, official support for using these is
sure to come with it.
It is suggested that you make sure you use the latest version of adprep anytime
you perform an upgrade of Active Directory. You’ll need to be able to access the
entire adprep folder (adprep needs those .ldf files too) from your Windows Server
2003 SP1 flexible single master operations (FSMO) server in order to perform the
required schema upgrade. When the folder is available, execute the following command
from a command prompt (the location of the files is assumed to be C:\adprep
in the following example):
C:\adprep>adprep /forestPrep
After a lengthy warning from the utility, if you choose to continue you should
see something such as the following:
Opened Connection to DC1
SSPI Bind Succeeded
Current Schema Version is 30
Upgrading schema to version 39
Connecting to "DC1"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries . . . . . . . . . . . . . . . . . . . . . . .
139 entries modified successfully.
The command has completed successfully
Connecting to "DC1"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch32.ldf"
Loading entries . . . . . . . . . . . . . . . . . . . . . . .
18 entries modified successfully.
The command has completed successfully
Connecting to "DC1"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch33.ldf"
Loading entries . . . . . . . . . . . . . . . . . . . . . . .
17 entries modified successfully.
This continues until you’ve reached version 39 of the schema. After this, just
run:
C:\adprep>adprep /domainPrep
At this point, you will have an Active Directory schema capable of accommodating
the new features of Windows Vista. The downside is that you will not have
the proper administrative templates installed to see the corresponding Group Policy
settings. However, you can add the following text to your System administrative
template, stored in %systemroot%\SYSVOL\Policies\\Adm\system.adm, in the
section where the policy categories are defined, in order to have the same template
available that Windows Server 2007 users will have:
CATEGORY !!TrustedPlatformModuleServices
#if version >= 4
EXPLAIN !!TrustedPlatformModuleServices_Help
#endif
POLICY !!ActiveDirectoryBackup
#if version >= 4
SUPPORTED !!SUPPORTED_WindowsVista
#endif
EXPLAIN !!ActiveDirectoryBackup_Help
KEYNAME "Software\Policies\Microsoft\TPM"
VALUENAME "ActiveDirectoryBackup"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
PART !!RequireActiveDirectoryBackup_Name CHECKBOX
VALUENAME "RequireActiveDirectoryBackup"
DEFCHECKED
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
END POLICY
POLICY !!BlockedCommandsList
#if version >= 4
SUPPORTED !!SUPPORTED_WindowsVista
#endif
EXPLAIN !!BlockedCommandsList_Help
KEYNAME "SOFTWARE\Policies\Microsoft\Tpm\BlockedCommands"
VALUENAME "Enabled"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
PART !!BlockedCommandsList_Ordinals2 LISTBOX
KEYNAME "SOFTWARE\Policies\Microsoft\Tpm\BlockedCommands\List"
END PART
END POLICY
POLICY !!IgnoreDefaultList
#if version >= 4
SUPPORTED !!SUPPORTED_WindowsVista
#endif
EXPLAIN !!IgnoreDefaultList_Help
KEYNAME "Software\Policies\Microsoft\TPM\BlockedCommands"
VALUENAME "IgnoreDefaultList"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
POLICY !!IgnoreLocalList
#if version >= 4
SUPPORTED !!SUPPORTED_WindowsVista
#endif
EXPLAIN !!IgnoreLocalList_Help
KEYNAME "Software\Policies\Microsoft\TPM\BlockedCommands"
VALUENAME "IgnoreLocalList"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY ; TrustedPlatformModuleServices
In the [strings] section at the bottom of the file, include the following text:
ActiveDirectoryBackup_Help="This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of Trusted Platform Module (TPM) owner information. \n\nTPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can only be run by the TPM owner. This hash authorizes the TPM to run these commands. \n\nIf you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. \n\nIf you select the option to "Require TPM backup to AD DS", a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds. This option is selected by default to help ensure that TPM owner information is available. Otherwise, AD DS backup is attempted but network or other backup failures do not impact TPM management. Backup is not automatically retried and the TPM owner information may not have been stored in AD DS during BitLocker setup. \n\nIf you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS. \n\nNote: You must first set up appropriate schema extensions and access control settings on the domain before AD DS backup can succeed. Consult online documentation for more information about setting up Active Directory Domain Services for TPM. \n\nNote: The TPM cannot be used to provide enhanced security features for BitLocker Drive Encryption and other applications without first setting an owner. To take ownership of the TPM with an owner password, run "tpm.msc" and select the action to "Initialize TPM". \n\nNote: If the TPM owner information is lost or is not available, limited TPM management is possible by running "tpm.msc" on the local computer."
BlockedCommandsList_Help="This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. \n\nIf you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command, run "tpm.msc" and navigate to the "Command Management" section. \n\nIf you disable or do not configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands."
ActiveDirectoryBackup="Turn on TPM backup to Active Directory Domain Services"
BlockedCommandsList_Name="Configure the list of blocked TPM commands"
IgnoreDefaultList_Help="This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. \n\nIf you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. \n\nThe default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of blocked TPM commands. \n\nIf you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Group Policy and local lists of blocked TPM commands."
IgnoreDefaultList="Ignore the default list of blocked TPM commands"
IgnoreLocalList_Help="This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. \n\nIf you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. \n\nThe local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands. \n\nIf you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Group Policy and default lists of blocked TPM commands."
IgnoreLocalList="Ignore the local list of blocked TPM commands"
TrustedPlatformModuleServices="Trusted Platform Module Services"
TrustedPlatformModuleServices_Help="The Trusted Platform Module is a microchip that supports trusted computing services in Windows Vista. These settings control the functioning of the device."
BlockedCommandsList="Configure the list of blocked TPM commands"
BlockedCommandsList_Ordinals2="The list of blocked TPM commands: "
RequireActiveDirectoryBackup_Name="Require TPM backup to AD DS"
SUPPORTED_WindowsVista="At least Microsoft Windows Vista"
Now your Windows Server 2003 SP1 or later domain controller will provide
the same functionality as a Windows Server 2007 domain controller does with
regard to TPM management. It should be noted that you can use the Group Policy
Object Editor (GPOE) or Group Policy Management Console (GPMC) that comes
with Windows Vista and Windows Server codenamed "Longhorn" to manage your
Windows Server 2003 environment.
Preparing Your Longhorn Domain Controllers
The process of preparing your Windows Server 2007 domain controllers in an
all-Longhorn environment is much simpler. There is no need to upgrade the Active
Directory schema. The only things missing from these domain controllers are the
administrative templates that display the relevant Group Policy settings in the Group
Policy Management MMC. Actually, they’re not missing entirely. They are installed in
the %systemroot%\PolicyDefinitions folder on both Windows Vista and Windows
Server 2007 systems where the Local Computer Policy reads them from.
All we need to do is copy them to the central store which is part of SYSVOL so
that they are replicated to all domain controllers and are available for domain GPOs.
We need to make sure we copy both the administrative templates and the
language-specific files. For English, execute the following commands from a
command prompt:
When the files have been copied, you may need to wait for replication to distribute
this change throughout your network. However, on the domain controller on
which you just performed the copy, you can start using the Group Policy Object
Editor to create a GPO right away.
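The copy into the central store, written out as an added PowerShell example rather than the chapter's own commands. It assumes it is run on a domain controller by a domain administrator, that the source is the local %systemroot%\PolicyDefinitions folder the text names, and that the central store is the documented SYSVOL location \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions; the language folder name is a parameter because only the English (en-US) case is discussed above.

```powershell
# Added example (not the chapter's own commands): populate the Group Policy
# central store with the administrative templates installed on this machine.
# Assumptions: run on a domain controller as a domain administrator; source is
# %systemroot%\PolicyDefinitions; the central store is the documented SYSVOL
# path \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions.
param(
    [string]$Language = 'en-US'   # subfolder that holds the language-specific .adml files
)

$domain = $env:USERDNSDOMAIN
if (-not $domain) {
    throw 'USERDNSDOMAIN is not set; run this from a domain-joined session.'
}

$source       = Join-Path $env:SystemRoot 'PolicyDefinitions'
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$langSource   = Join-Path $source $Language
$langStore    = Join-Path $centralStore $Language

if (-not (Test-Path $langSource)) {
    throw "No $Language subfolder under $source; check the language name."
}

# Create the store (and its language subfolder) on first use; -Force makes this idempotent.
New-Item -ItemType Directory -Path $langStore -Force | Out-Null

# Language-neutral templates (*.admx) go in the root of the store ...
Copy-Item -Path (Join-Path $source '*.admx') -Destination $centralStore -Force
# ... and the language-specific display strings (*.adml) go in the language subfolder.
Copy-Item -Path (Join-Path $langSource '*.adml') -Destination $langStore -Force

# Verify: a template without its .adml shows up in the editor with no readable
# setting names, which is easy to miss until someone opens the GPO.
$missing = @(Get-ChildItem $centralStore -Filter '*.admx' |
    Where-Object { -not (Test-Path (Join-Path $langStore ($_.BaseName + '.adml'))) } |
    ForEach-Object { $_.Name })
if ($missing.Count -gt 0) {
    Write-Warning ("Templates without a $Language .adml file: " + ($missing -join ', '))
}

$admxCount = @(Get-ChildItem $centralStore -Filter '*.admx').Count
$admlCount = @(Get-ChildItem $langStore -Filter '*.adml').Count
"Copied $admxCount .admx and $admlCount .adml files to $centralStore"
```

Once the files are in SYSVOL, the Group Policy editor on that domain controller reads the templates from the central store instead of its local PolicyDefinitions folder; other domain controllers pick them up after SYSVOL replication, as the paragraph above notes.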
Blocking Commands
In order to block TPM commands, you don’t actually need to meet the requirements
set forth in the section on preparing Windows Server 2003 domain controllers.
The GPO used to block commands simply pushes changes to the Registry
on domain computers. The schema upgrades we covered are necessary only for
storing the TPM owner authorization hash and other cryptographic keys related to
the TPM (such as BitLocker Drive Encryption keys) in Active Directory. Technically,
you could make the changes to your administrative template that were shown on
any domain controller in an enterprise running Active Directory, and you’d still be
able to utilize the settings related to command blocking. Just be absolutely sure you
don’t enable the Turn on TPM backup to Active Directory Domain Services
setting. If you do this, you will require the computer to back up the TPM owner
authorization values to Active Directory, but there will be no place for the keys to
be stored in Active Directory. The result is that no attempts to set ownership on any
TPM devices in your organization will be able to succeed.
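Because the command-blocking GPO is nothing more than Registry values, you can audit what it has actually delivered to a computer, and then ask the TPM driver which commands it will refuse. The following is an added PowerShell example, not code from the chapter; it assumes the key and value names are exactly those in the administrative template above (SOFTWARE\Policies\Microsoft\Tpm\BlockedCommands with Enabled, IgnoreDefaultList and IgnoreLocalList, plus a List subkey whose value names are the blocked ordinals), and uses the Win32_Tpm IsCommandBlocked method for the effective state. The two ordinals checked by default, 129 and 170, are the ones named in the policy text.

```powershell
# Added example (not from the chapter): audit the TPM command-blocking policy a
# GPO wrote to the Registry, then query the effective block state from Win32_Tpm.
# Assumptions: registry layout as in the ADM template above; Win32_Tpm exposes
# IsCommandBlocked(CommandOrdinal) with an out parameter named Blocked.
param(
    [int[]]$Ordinals = @(129, 170)   # TPM_OwnerReadInternalPub, TPM_FieldUpgrade (from the policy text)
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Tpm\BlockedCommands'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the key or value is absent, i.e. the policy is "not configured".
    if (Test-Path $policyKey) {
        (Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

$gpEnabled     = [bool](Get-PolicyValue 'Enabled')
$ignoreDefault = [bool](Get-PolicyValue 'IgnoreDefaultList')
$ignoreLocal   = [bool](Get-PolicyValue 'IgnoreLocalList')

$gpList = @()
$listKey = Join-Path $policyKey 'List'
if (Test-Path $listKey) {
    # The LISTBOX part stores one value per entry; the value name is the ordinal.
    $gpList = @((Get-Item $listKey).GetValueNames() | ForEach-Object { [int]$_ } | Sort-Object)
}

# The dangerous combination: both built-in lists ignored and no Group Policy list
# enforced means nothing is blocked, including TPM_FieldUpgrade.
if ($ignoreDefault -and $ignoreLocal -and -not $gpEnabled) {
    Write-Warning 'Default and local block lists are ignored and no Group Policy list is enforced: no TPM commands are blocked.'
}

$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
if ($null -eq $tpm) {
    throw 'No Win32_Tpm instance: TPM absent, disabled in the BIOS, or driver not loaded.'
}

$effective = foreach ($ord in $Ordinals) {
    $r = $tpm.IsCommandBlocked($ord)
    New-Object PSObject -Property @{
        Ordinal        = $ord
        InGroupPolicy  = ($gpList -contains $ord)
        BlockedByTpm   = [bool]$r.Blocked   # what the driver will actually enforce
    }
}

New-Object PSObject -Property @{
    GroupPolicyListEnabled = $gpEnabled
    IgnoreDefaultList      = $ignoreDefault
    IgnoreLocalList        = $ignoreLocal
    GroupPolicyList        = $gpList
    EffectiveBlocks        = $effective
}
```

Run it on a domain computer after a Group Policy refresh. A command that is in the Group Policy list but reported as not blocked by the TPM usually means the Enabled value never arrived, which is exactly the failure mode the paragraph above warns about when the template is edited by hand.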
Table 4.2 contains a listing of the settings you can implement in your domain
using GPOs. Table 4.3 contains the suggested settings you should use.
Deploying TPM-Equipped Devices with Scripting
Once you’ve configured GPOs to handle your TPM settings, you can move on to
using scripts to deploy the devices containing version 1.2 TPMs. We strongly suggest
you get everything else in place before moving on to actual device deployment.
Update your Active Directory schema if necessary, build your administrative template
if necessary, and set the Group Policy settings. This will ensure that once you start
taking ownership of TPM chips, the owner authorization values will get backed up
to Active Directory. Finally, refer to the section earlier in the chapter where we covered
the BIOS settings you need to configure.
Your TPM WMI Primer
It wouldn’t be appropriate to simply dive into chunks of script code here without
providing a basic explanation of WMI and how you will be able to interact with the
TPM using scripts. So, let’s start with a WMI primer. We think it will be valuable for
all but advanced programmers/scripters.
Microsoft implemented WMI with Windows 2000 in order to serve as a uniform
and consistent way to monitor and manage Windows platforms. Not only does it standardize
access to components of the systems you need to manage, but it also provides
greater access to those components than were previously supported. In other words,
administrators were tired of having to manually manage their Windows systems
through graphical user interfaces (GUIs) or other kludgy means. There was a strong
outcry to be able to script everything, just like those UNIX guys have been doing for
the past 30 or so years. In previous versions of Windows, we could use a few
command-line interface (CLI) utilities and various scripting languages to hack solutions
together, but scripted system management was limited with these tools. Microsoft
answered with WMI, which administrators generally rely on VBScript to access.
With WMI, every piece of the system is an object, including files, user accounts,
and hardware resources. There is a WMI Class (WMIC) for each type of resource,
and each WMIC has methods and properties. You can use scripts to read or modify
the properties of an object, and to invoke the methods of the object. WMI remains
the consistent interface that exposes those properties and methods to you. The TPM
is no different.
Win32_Tpm is the class representing the TPM hardware in your system. Table
4.4 shows some of the more basic and useful methods available with the
Win32_Tpm class.
NOTE: Although you can accomplish a lot with the methods listed in Table
4.4, you should familiarize yourself with the full list of methods and
properties in the Win32_Tpm class. This will allow you to write more
robust scripts. For example, you may want to check whether the
device is owned before you go ahead and execute the TakeOwnership
method. The Win32_Tpm class is not overly complex, so you should be
able to gain an understanding of the full range of functions fairly
quickly. The full Win32_Tpm class reference is available at
http://msdn2.microsoft.com/en-us/library/aa376484.aspx.
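The "check before you act" advice in the note is easiest to see in an inventory pass over the fleet before any deployment script runs. The following is an added PowerShell example, not the chapter's code, that reads the Win32_Tpm properties and Is* methods from a list of computers and decides, per machine, what the deployment script would have to do. It assumes local administrator rights on the targets, that WMI/DCOM is reachable through the firewall, and that the computer names in the parameter are placeholders to be replaced.

```powershell
# Added example (not from the chapter): pre-deployment TPM inventory over WMI.
# Assumptions: admin rights on the targets, DCOM reachable, computer names are
# placeholders. Uses Win32_Tpm properties (SpecVersion, ManufacturerIdTxt) and
# the IsEnabled/IsActivated/IsOwned/IsOwnershipAllowed methods.
param(
    [string[]]$ComputerName = @('PC-PLACEHOLDER-1', 'PC-PLACEHOLDER-2')
)

foreach ($pc in $ComputerName) {
    try {
        # PacketPrivacy encrypts the DCOM traffic, the same authenticationLevel
        # (pktPrivacy) the chapter's VBScript moniker asks for.
        $tpm = Get-WmiObject -ComputerName $pc -Namespace 'root\cimv2\security\microsofttpm' `
                             -Class Win32_Tpm -Authentication PacketPrivacy -ErrorAction Stop
    } catch {
        New-Object PSObject -Property @{ Computer = $pc; Status = "WMI error: $($_.Exception.Message)" }
        continue
    }
    if ($null -eq $tpm) {
        New-Object PSObject -Property @{ Computer = $pc; Status = 'No TPM instance (absent or disabled in BIOS)' }
        continue
    }

    # SpecVersion reads like "1.2, 2, 3": major.minor, then revision and errata level.
    $specOk = $tpm.SpecVersion -like '1.2*'

    # Each Is* method returns an object whose named out-parameter carries the boolean.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned
    $ownable   = [bool]$tpm.IsOwnershipAllowed().IsOwnershipAllowed

    # Decide what a deployment script would have to do on this machine.
    if (-not $specOk) {
        $next = 'Replace or skip: not a TCG 1.2 TPM'
    } elseif (-not ($enabled -and $activated)) {
        $next = 'Needs SetPhysicalPresenceRequest(10) and a reboot with someone at the console'
    } elseif ($owned) {
        $next = 'Already owned: do NOT call TakeOwnership'
    } elseif ($ownable) {
        $next = 'Ready for ConvertToOwnerAuth + TakeOwnership'
    } else {
        $next = 'Ownership not allowed: check BIOS / physical presence settings'
    }

    New-Object PSObject -Property @{
        Computer     = $pc
        SpecVersion  = $tpm.SpecVersion
        Manufacturer = $tpm.ManufacturerIdTxt
        Enabled      = $enabled
        Activated    = $activated
        Owned        = $owned
        Status       = $next
    }
}
```

The output is one object per computer, so it pipes naturally into Export-Csv for the hardware-compliance record the best-practices sidebar asks for, and the "Already owned" line is the guard the note is talking about: calling TakeOwnership on an owned TPM fails, and clearing it to retry is what destroys BitLocker-protected data.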
Scripting the TPM Deployment
The first task you need to perform when deploying a TPM-equipped platform is to
initialize the TPM. This means enabling, activating, and taking ownership of the
device. The unfortunate thing when working with TPM-equipped devices is that
some tasks require that you be physically present at the machine. This is part of what
makes us trust these trusted platforms. So, when you run a script, you still need to be
present at the system to provide input when the BIOS requires it with interfaces
such as that shown back in Figure 4.8.
In order to initialize the TPM, we suggest that you first use the
SetPhysicalPresenceRequest() method of the Win32_Tpm class.
SetPhysicalPresenceRequest() allows you to perform a lot of different tasks depending
on the numeric value you pass to the method. This method sends a command
request to the TPM which is processed on the next reboot. Table 4.5 shows just a
handful of these.
You probably want to use the SetPhysicalPresenceRequest() method as the lead-off
in your TPM deployment script. Go ahead and call the method using parameter 10.
When the system reboots, you will, as we mentioned, need to be physically present
at the device. You should see the screen shown in Figure 4.8 twice before Windows
will actually start, and you need to select MODIFY for both. Once that is complete,
you only need to set an owner for the device. For this, you want to create an SHA-1
hash for the owner authorization value using the ConvertToOwnerAuth() method, and
then set that value in the device using the TakeOwnership() method:
Option Explicit
Dim num1, num2, pword, oTpmService, oTpm
Dim isactv, isenabled, isownable, isowned, ownerauth

' Generate a random number to use as the owner password.
' Randomize seeds Rnd from the clock; without it every run of this script
' produces the same "random" password on every machine. Rnd is not a
' cryptographic generator, so treat this as a minimal example of the flow.
Randomize
num1 = (100000000 * Rnd())
num2 = (10000000 * Rnd())
pword = CStr(CDbl(num1) * CDbl(num2))   ' ConvertToOwnerAuth expects a string

' Create the Win32_Tpm object (pktPrivacy encrypts the DCOM traffic)
Set oTpmService = GetObject("winmgmts:{impersonationLevel=impersonate," _
    & "authenticationLevel=pktPrivacy}!\\" _
    & "." _
    & "\Root\CIMV2\Security\MicrosoftTpm")
Set oTpm = oTpmService.Get("Win32_Tpm=@")

oTpm.IsActivated isactv            ' Test if the TPM is activated
oTpm.IsEnabled isenabled           ' Test if the TPM is enabled
oTpm.IsOwnershipAllowed isownable  ' Test if ownership of the TPM is allowed
oTpm.IsOwned isowned               ' Test if the TPM is owned

If isowned = False And isenabled = False Then
    ' Request 10: enable, activate, and allow the installation of an owner.
    ' The TPM acts on the request at the next reboot.
    oTpm.SetPhysicalPresenceRequest(10)
    WScript.Echo "The TPM has been initialized. The system will now reboot " _
        & "to complete this operation. When the system reboots a screen will ask if " _
        & "you want to modify the configuration of the TPM. You will need to allow this " _
        & "operation twice, and then Windows will load."
    CreateObject("WScript.Shell").Run "shutdown /r /t 5"   ' Reboot the machine
ElseIf isowned = False And isactv = True And isenabled = True And isownable = True Then
    oTpm.ConvertToOwnerAuth pword, ownerauth   ' Create a SHA-1 hash of the password
    oTpm.TakeOwnership ownerauth               ' Take ownership
End If
Add this command as the logon script for yourself (or a special user account you
use to initialize TPM devices), and then start booting and logging on to machines. If
these commands complete successfully, the first time you boot you’ll get the first set
of logical tests. They should indicate that the system needs to be enabled, or activated,
or set to allow ownership, and the SetPhysicalPresenceRequest call will make it
happen. After you answer the BIOS’ questions and log on again, the first set of logical
tests will fail. The second set will then call the ConvertToOwnerAuth and then the
TakeOwnership methods. After a brief wait, you’ll have a TPM that is ready to perform
all of the functions that other services and applications that rely upon it need.
If your Group Policy is configured as we mentioned earlier, you have all of those
TPM owner authorization values stored in Active Directory as well. You may need
those if you want to perform further management operations on the TPM.
We won’t cover all of the methods of the Win32_Tpm class here. You can head
to the Microsoft Web site to find references on the class, at
http://msdn2.microsoft.com/en-gb/library/aa376484.aspx. In this section, we did
cover the methods you’ll need to deploy TPM systems in your enterprise, however.
Just remember that if you need to call a method that utilizes the owner authorization
information stored in Active Directory, you need to perform a Lightweight
Directory Access Protocol (LDAP) search for ms-TPM-OwnerInformation using its
LDAP display name, msTPM-OwnerInformation. Also, keep in mind that you want to
be sure you set up a secure connection to send this information. Do not pass the
owner authorization value across your network in plain text.
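The LDAP lookup and the "secure connection" requirement, put together as an added PowerShell example (not code from the chapter). It assumes the schema extension described earlier is in place so the computer object carries msTPM-OwnerInformation, that the account running it has been granted read access to that confidential attribute, that the stored value is the same base64 owner-authorization string ConvertToOwnerAuth produces, and that the computer name is a placeholder. The LDAP bind is signed and sealed and the WMI connection uses packet privacy, so the owner authorization is encrypted on both legs of the trip; ResetAuthLockOut is used as a representative Win32_Tpm method that requires owner authorization.

```powershell
# Added example (not from the chapter): fetch a computer's escrowed TPM owner
# authorization from AD over a signed+sealed LDAP bind, then pass it to a
# Win32_Tpm method that needs owner authorization, over an encrypted DCOM session.
# Assumptions: schema extended (msTPM-OwnerInformation present), caller may read
# the confidential attribute, stored value is the base64 string from
# ConvertToOwnerAuth, $ComputerName is a placeholder.
param(
    [string]$ComputerName = 'PC-PLACEHOLDER-1'
)

function Get-TpmOwnerAuthFromAD([string]$Name) {
    # Secure (Kerberos/NTLM) plus Signing and Sealing: the attribute value never
    # crosses the wire in plain text.
    $auth = [System.DirectoryServices.AuthenticationTypes]'Secure, Signing, Sealing'
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE', $null, $null, $auth)
    $base = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$($rootDse.defaultNamingContext)", $null, $null, $auth)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    # Computer accounts are sAMAccountName "<host>$".
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    [void]$searcher.PropertiesToLoad.Add('msTPM-OwnerInformation')

    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No computer object named $Name in Active Directory" }

    # Result property names come back lower-cased.
    $value = $result.Properties['mstpm-ownerinformation']
    if ($null -eq $value -or $value.Count -eq 0) {
        # Either the backup never happened (policy off or backup failed) or the
        # caller lacks read permission: confidential attributes are silently
        # omitted from search results rather than producing an error.
        throw "msTPM-OwnerInformation is empty or not readable for $Name"
    }
    return [string]$value[0]
}

$ownerAuth = Get-TpmOwnerAuthFromAD $ComputerName

# PacketPrivacy encrypts the DCOM traffic carrying the owner authorization.
$tpm = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2\security\microsofttpm' `
                     -Class Win32_Tpm -Authentication PacketPrivacy
if ($null -eq $tpm) { throw "No Win32_Tpm instance on $ComputerName" }

# ResetAuthLockOut takes the owner authorization and clears the TPM's
# dictionary-attack lockout after repeated bad authorization attempts.
$r = $tpm.ResetAuthLockOut($ownerAuth)
if ($r.ReturnValue -ne 0) {
    throw ('ResetAuthLockOut failed with 0x{0:X8}; the escrowed value may not match this TPM' -f $r.ReturnValue)
}
"Owner-authorized operation succeeded on $ComputerName"
```

A non-zero return value with a value that did read fine from AD is worth investigating rather than retrying: it usually means the TPM was cleared and re-owned without the backup policy in force, so the escrowed hash no longer matches the device.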
NOTE: You can rely on the Win32_Tpm class alone to perform all your administrative
functions, but if you like to have options, there’s no need to
feel locked in. A script called manage-bde.wsf is included with
Windows Vista for managing BitLocker Drive Encryption from the
command line, and it includes some basic TPM management functions,
including the ability to set an owner. So, you could use this script to
set an owner by issuing the following command in a command
prompt: cscript manage-bde.wsf -tpm -o owner_password. The
owner_password is any string of at least eight characters which the
script will automatically hash for you.
TPM APPLICATIONS
Now that we have seen how the TPM works and we know what sort of capabilities
it provides to us, it is time to discuss some of the applications that are using that
functionality. Microsoft has made good use of the TPM for some applications in
Windows Vista, and some third-party applications that utilize the TPM are already
on the market. However, as this is an emerging technology, and because the scope of
usefulness of the TPM is so broad, we are likely to see an explosion of applications
implementing TPM-based features in the coming years.
Digital Rights Management
The TPM is a part of what Microsoft is calling its Next-Generation Secure
Computing Base (NGSCB), or System Integrity, which was originally codenamed
Palladium. Many saw the initiative as a way for Microsoft to implement, and to allow
others to implement, very strong Digital Rights Management (DRM) protections.
This has not changed much in the years since it was first announced, and at this
time, there is a great deal of skepticism and an outcry against the NGSCB.
You’ll notice that we have not mentioned DRM in this chapter until now, and
we’ve done that for a reason. The TPM, Windows Vista’s TPM Services, and the
NGSCB overall, provide a great deal of functionality. You can use some of that functionality
to implement DRM techniques that are stronger than anything media
pirates have come up against thus far. That is sure. However, as you have seen
throughout this chapter, the TPM is not about DRM. It is a device centered on
cryptography, providing key storage locations, cryptographic functions, and hashing
functions. Yes, you can use those cryptography features to implement DRM applications,
but you can also use them to implement a great number of security features
and applications.
Therefore, we could have spent the entire chapter participating in the flame war
that rages on the Internet about the TPM and Microsoft’s NGSCB, or we could
have a productive discussion about how the TPM works, what it can be used for, and
how Windows Vista takes advantage of it. If we had taken the first route, you’d end
up with some gross misconceptions about the TPM and everything related to it, and
you wouldn’t be equipped to implement Windows Vista on TPM-equipped devices.
However, it would be just as misleading if we did not mention DRM at all in
the chapter. So, keep in mind that there are DRM applications for the TPM as well.
One TPM feature that will be especially useful to those who want to implement
DRM is the device authentication feature the TPM provides. You may buy a song
via download with a usage right that limits playback of the song to that device
alone. The TPM can seal a key that will be used to encrypt the song, and the song
cannot be decrypted and played back from another system.
Microsoft Applications
Currently, Microsoft has implemented a good base of functionality in Windows Vista
using the TPM. It has built BitLocker Drive Encryption and its secure startup mechanism
around the TPM. It has built a very nice, easy-to-use set of management tools
for the TPM in both the TPM MMC and the Win32_Tpm WMI class. However,
there is a whole set of TPM-based functionality, called Code Integrity, that is available
only in the 64-bit version of Windows Vista.
When we discussed the TCG trusted platform, we mentioned that the TPM
could be used to extend trust to higher-level components that run on the OS. Code
Integrity takes advantage of this by implementing the following protections:
Verifies the integrity of all code that loads into a protected process.
Winload verifies the integrity of all drivers that are critical to the boot process,
including the HAL and the Windows kernel.
Verifies the integrity of all kernel-mode drivers.
Verifies the integrity of all user-mode binaries that implement cryptographic
functions.
Verifies the integrity of all user-mode binaries that load into a protected
process used for the playback of high-definition media.
Verifies the integrity of a specific set of user-mode binaries using page
hashes in nt5ph.cat and ntpe.cat.
Verifies kernel code.
These functions are generally carried out just as we discussed in the beginning
of the chapter: Code integrity measurements are taken, and the TPM can be used to
attest to these measurements. This protects the system from running any of the areas
of code mentioned earlier if intentional or unintentional corruption occurs. If a
rootkit successfully loads into the kernel on your Windows Vista 64-bit system, it
will be detected, and it will be prevented from executing. Obviously, this does not
necessarily protect your system from being compromised by a rootkit, but it does
ensure that the compromise is brought to light when integrity measurements
uncover it.
Third-Party Applications
Some third-party applications that rely on the TPM have already begun to emerge.
Probably the best example of this is Wave Embassy Suites. This software package was
originally developed to take advantage of version 1.1 TPM chips, but it now supports
version 1.2 chips as well. This is a very popular application that OEMs are
deploying with devices they sell that include biometric hardware. The TPM will be
utilized by applications such as this which enable strong biometric authentication
measures by securing the biometric data that the application relies upon. Just as the
TPM assists BitLocker Drive Encryption by sealing the VMK, the TPM can seal the
user’s biometric data that the application is using.
Another important application for TPM-enabled devices that will emerge will be
remote access solutions. Given the strong device authentication possible with the
TPM, you can be sure that remote access will appeal to a segment of the software
market that turns toward implementing TPM support. In this way, you can think of
the user needing an RSA SecurID or smart card to authenticate to the remote
access solution, and the device he or she is connecting from will also need to present
its credentials using the TPM. This can help network administrators eliminate remote
security breaches due solely to compromised user authentication tokens such as passwords,
RSA SecurIDs, or smart cards. Now the attacker will also need to have the
user’s laptop as well.
This is really only the tip of the iceberg as far as TPM-based applications go,
however. Some implementations we are likely to see are as follows:
Users are provided with the ability to wrap the cryptographic keys they use
for secure connections over the Internet, such as logging into their bank
accounts via a Web browser and using secure e-mail applications.
Web servers can use the TPM’s sealing functionality to provide assurance to
connecting nodes that they are trustworthy, including assurance that the
server-side software and settings are the same as when the node connected
previously, when the trust relationship was established.
DRM will likely emerge as a popular way to use the TPM. Media applications
such as iTunes can use the TPM’s sealing functions to lock down
access to media if tampering takes place.
UNDERSTANDING THE SECURITY IMPLICATIONS OF THE TPM
One of the main implications of the TPM is that it will require massive hardware
expenditures in order to take advantage of it. In most cases, when a new version of
Windows is released, every enterprise has some systems that need to be upgraded in
order to run the new version, but many of their existing systems already support it.
So, the rollout does not require sweeping hardware upgrades across the board.
However, the TPM is a new piece of hardware that is still included in only certain
product offerings from OEMs, with market penetration of these devices only really
getting started within the past 12 months, and it is required in order to take advantage
of the TPM services in Windows Vista. This means enterprises that want to take
advantage of the TPM will need to budget for widespread replacements of desktop
and mobile systems, which can be expensive.
Aside from the budgetary implications, the TPM and TPM support in Windows
Vista solve many security problems, and at the same time there is a lot of nonsense
about the TPM being a magic bullet. These issues are worth discussing so that we, as
information security professionals, can make informed decisions about what countermeasures
are worth implementing, and so that we can accurately assess the security
posture of our systems and our enterprise as a whole.
Encryption as a Countermeasure
Let’s start by first mentioning cryptography in a general sense. After all, the TPM
device and TPM services in Windows Vista are obviously focused on encryption.
The TPM is mainly designed to create, store, and protect encryption keys, password
hashes, and digital certificates.
The first thing we should say here is that no single countermeasure will fully
protect digital assets from attack. In fact, there is probably not a combination of
countermeasures that can ensure 100 percent protection from attack. Cryptography
is no exception to that rule. Consider this as you read vendor product claims, white
papers, and other industry articles that tout TPM as the end of your search for a
secure enterprise.
Several sources are currently touting media sanitization as a feature of the TPM.
The argument goes that you can clear the TPM in a matter of seconds, and your
data is gone. No more spending money on and waiting hours for National Security
Agency (NSA) media sanitization procedures to work. Just clear the TPM and your
data is gone forever. There are two important points here:
When you clear the TPM your data is not gone. Only the key that was used
to wrap the key that was used to encrypt that data is gone. The data, in
encrypted form, still exists on the drive.
Encryption can be defeated by brute force attacks.
This is not meant to argue that encryption is insecure. The fact of the matter is
that with current computing power, it would take a state-of-the-art desktop machine
more than 100 trillion years to brute force your data if it is encrypted using the 128-
bit Advanced Encryption Standard (AES)! Obviously, if it takes trillions of years to
crack into your data, it’s safe. We raise this issue only because a lot of talk is circulating
about using the clearing of the TPM as a media sanitization method, when
technically speaking, the data is not destroyed and it can be attacked using brute force.
Now those brute force attacks may very well remain infeasible for the next 2,000
years. However, there is a chance that leaps in the power of computers over the next
two decades or a flaw discovered in the AES algorithm could make brute forcing a
128-bit AES encryption seem as easy as cracking the Data Encryption Standard
(DES) is today.
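The first of the two points above (clearing the TPM destroys only the key that wraps the volume key; the ciphertext stays on the drive) is easy to see with a small simulation. The following is an added example, not code from the book or from Microsoft. It builds a BitLocker-style hierarchy: the data is encrypted under a full-volume encryption key (FVEK), the FVEK is wrapped under the volume master key (VMK), and the VMK is both sealed by a simulated TPM and wrapped under a recovery key (the copy an enterprise backs up to Active Directory). A SHA-256 counter-mode keystream with an HMAC tag stands in for the AES modes BitLocker actually uses, purely so the script runs on the Python standard library; the `Tpm` class, the key names and the sample data are constructed for the example.

```python
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """SHA-256 in counter mode XORed over the data. A stand-in for the AES
    modes BitLocker really uses, chosen so the example runs on the standard
    library; the key hierarchy, not the cipher, is the point."""
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + n.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[n * 32:(n + 1) * 32], block))
    return bytes(out)


def wrap(kek, plaintext):
    """Encrypt-then-MAC under a key-encryption key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = keystream_xor(kek, nonce, plaintext)
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()


def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return keystream_xor(kek, nonce, ct)


class Tpm:
    """Constructed model of the chip; only the Storage Root Key matters here."""

    def __init__(self):
        self.srk = os.urandom(32)

    def seal(self, secret):
        return wrap(self.srk, secret)

    def unseal(self, blob):
        if self.srk is None:
            raise ValueError("TPM has been cleared: the SRK no longer exists")
        return unwrap(self.srk, blob)

    def clear(self):
        # Clearing discards the SRK inside the chip. Nothing on the disk
        # changes: every sealed blob and every ciphertext stays exactly as it was.
        self.srk = None


def build_volume(tpm, data):
    """BitLocker-style hierarchy: data under the FVEK, the FVEK under the VMK,
    the VMK sealed by the TPM and also wrapped under a recovery key (the copy
    an enterprise backs up to Active Directory)."""
    fvek, vmk, recovery_key = os.urandom(32), os.urandom(32), os.urandom(32)
    volume = {
        "ciphertext": wrap(fvek, data),
        "fvek_blob": wrap(vmk, fvek),
        "vmk_sealed": tpm.seal(vmk),
        "vmk_recovery": wrap(recovery_key, vmk),
    }
    return volume, recovery_key


def read_volume(volume, vmk):
    """Walk the hierarchy down from a VMK to the plaintext."""
    return unwrap(unwrap(vmk, volume["fvek_blob"]), volume["ciphertext"])


def demo_clear():
    """What clearing the TPM does, and does not do, to the data on disk."""
    tpm = Tpm()
    secret = b"constructed sample: quarterly financials"
    volume, recovery_key = build_volume(tpm, secret)
    assert read_volume(volume, tpm.unseal(volume["vmk_sealed"])) == secret
    disk_before = dict(volume)
    tpm.clear()
    try:
        tpm.unseal(volume["vmk_sealed"])
        tpm_path = "readable"
    except ValueError:
        tpm_path = "unreadable"
    recovered = read_volume(volume, unwrap(recovery_key, volume["vmk_recovery"]))
    return {
        "tpm_path_after_clear": tpm_path,
        "disk_unchanged": volume == disk_before,
        "recovery_key_still_works": recovered == secret,
    }


if __name__ == "__main__":
    print(demo_clear())
```

Running `demo_clear()` shows the three facts the chapter is making: after the clear, the TPM path to the VMK is gone, every byte on the simulated disk is unchanged, and anyone holding the recovery key (or, in principle, anyone willing to search the VMK or FVEK keyspace) can still read the data. Clearing the chip is key destruction for one key only, not media sanitization.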
Tools & Traps...
Media Sanitization
The most important thing to consider when using encryption is how long the
data you are protecting needs to remain confidential. If you have information
on your hard drive that you expect to remain sensitive for the next six months
(maybe it is a proposal you are working on, and you must turn it in within that
six-month time frame), you can expect the AES algorithm with a 128-bit key to
do the job for you. On the other hand, if you are storing a full portfolio of personal
information which you need to keep confidential for the next 50 years,
you might want to consider how quickly a computer can chug through those
keys 35 years down the road. What is the shelf life of your data?
Even the good folks at the National Institute of Standards and
Technology (NIST) seem to be riding the fence on this media sanitization issue.
In the recently released Special Publication 800-88, "Guidelines for Media
Sanitization," found at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf, NIST added and then removed the following text:
"Encryption is not a generally accepted means of sanitization. The
increasing power of computers decreases the time needed to crack cipher text
and therefore the inability to recover the encrypted data [cannot] be assured."
You’ll also find a lot of good debate on the topic throughout the
Internet. We don’t usually disagree with what comes out of NIST, and we
won’t start here. Just remember that this method of sanitization does not
destroy the data or the media. Encryption is a method of ensuring that it takes
a long time to get to sensitive data, and for most data this method of sanitization
will probably buy us enough time. However, in some applications, this
will not be an adequate sanitization method. The important point is that you
know how sensitive your data is and how long it must remain confidential
before it becomes useless, and that you apply the proper methods given those
facts.
You should also note that NIST did not go so far as to add cryptographic
destruction anywhere in its list of sanitization methods.
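The shelf-life question in the sidebar ("how quickly a computer can chug through those keys 35 years down the road") can be worked through as a planning calculation. The following is an added example, not from the book or from NIST: it estimates the expected time to find one key both at a fixed trial rate and under the pessimistic assumption that the trial rate keeps doubling every `d` years, which is the worst case the sidebar is warning about. The rate of one billion keys per second and the 1.5-year doubling period are constructed planning figures, not measurements, and unbounded doubling cannot actually continue forever, so the doubling estimate is a conservative bound rather than a prediction.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_constant_rate(key_bits, keys_per_second):
    """Expected time to find one key: half the keyspace, 2^(bits-1) trials,
    at a rate that never improves."""
    return 2.0 ** (key_bits - 1) / (keys_per_second * SECONDS_PER_YEAR)


def years_doubling_rate(key_bits, keys_per_second, doubling_years):
    """Same search when the trial rate doubles every d years (an assumption
    in the spirit of Moore's law; it cannot hold forever, so treat the result
    as a pessimistic planning bound). With r0 the rate in keys per year, solve
        integral from 0 to T of r0 * 2^(t/d) dt = 2^(bits-1)
    i.e. r0 * d / ln 2 * (2^(T/d) - 1) = 2^(bits-1), which gives
        T = d * log2(1 + 2^(bits-1) * ln 2 / (r0 * d))."""
    r0 = keys_per_second * SECONDS_PER_YEAR
    work = 2.0 ** (key_bits - 1)
    return doubling_years * math.log2(1 + work * math.log(2) / (r0 * doubling_years))


def shelf_life_ok(key_bits, confidentiality_years, keys_per_second, doubling_years):
    """True when the key size outlasts the period the data must stay
    confidential even under the doubling assumption."""
    return years_doubling_rate(key_bits, keys_per_second, doubling_years) > confidentiality_years


def comparison(keys_per_second=1e9, doubling_years=1.5):
    """Constructed planning table: (years at constant rate, years with doubling)
    for one machine trying keys_per_second today."""
    return {
        name: (years_constant_rate(bits, keys_per_second),
               years_doubling_rate(bits, keys_per_second, doubling_years))
        for name, bits in (("DES-56", 56), ("AES-128", 128), ("AES-256", 256))
    }


if __name__ == "__main__":
    for name, (flat, doubling) in comparison().items():
        print(f"{name:8s} constant rate: {flat:.3g} years   doubling every 1.5 y: {doubling:.3g} years")
```

At a constant billion keys per second, AES-128 takes on the order of 10^21 years, which is the "trillions of years" figure in the text; DES-56 takes about a year. If the rate were to double every 1.5 years without limit, the same AES-128 search completes in roughly a century, which is exactly why the sidebar asks how long the data must stay confidential before choosing a key size and a sanitization method.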
Now that we’ve addressed that caveat, let’s look at the power at our fingertips.
Where the TPM and its capability to give us a more robust encryption platform help
the most is simply in the fact that the data we are protecting is increasingly moving
outside the walls of the enterprise. As we mentioned before, employees are going
ever more mobile, with laptops replacing desktops, and cell phones, PDAs, and even
MP3 players providing more and more storage and remote connectivity features.
Those firewalls, proxies, DMZs, and other layered perimeter protection rings we
designed and built in the past are doing a great job at keeping the bad stuff out.
What we have increasingly less ability to do is keep the assets we protect in.
This is where encryption and the trusted platform come to the rescue.
Encrypting data, especially when we utilize full-disk encryption technologies such as
BitLocker Drive Encryption, allows us to create an environment where employees
are carrying our security perimeter with them wherever they go. That encryption
creates a boundary wherever the device and the data are between the data and the
outside world. There are, of course, already software-only solutions for full-disk
encryption, but the TPM provides better protection of encryption keys because key
recovery techniques that may have worked fairly well against keys held in software
are not likely to work against keys protected by the TPM.
Our protection is strengthened even more by the fact that many normal attacks
which involve subverting the system software will not work. As soon as part of the
system has been modified, the chain of trust will cease to extend to that part of the
system. The platform will not load, and the data will not be able to be recovered by
simply creating a backdoor in some poorly coded software. The only piece of software
we have to rely upon is the tiny bit of code known as the CRTM. Because this
code is small and relatively simple, it is easier to ensure that there are no vulnerabilities
in it. Buffer overflows and backdoors tend to get lost in a program of tens of
thousands of lines of code.
Either brute force cracking methods or attacks on the hardware itself will be
required. As long as the data was encrypted using large keys and a secure algorithm,
brute force attacks will prove to be a fruitless endeavor, and hardware attacks require
a lot more skill and resources than running the canned attack code available on the
Internet which is used against software.
Notes from the Underground...
Mandating Full-Disk Encryption
On June 23, 2006, the Office of Management and Budget (OMB) issued
Memoranda M-06-16, "Protection of Sensitive Agency Information." This was
a direct response to many of the data loss problems that afflicted the federal
government during the first half of 2006. The memoranda requires a blend of
technical, management, and operational controls defined in the NIST Special
Publication (SP) 800-53, "Recommended Security Controls for Federal
Information Systems," to be implemented, but one specific requirement
leading off the memoranda requires that all sensitive data on mobile devices
be encrypted.
In rapid response to the memoranda, the U.S. Air Force posted a request
for a full-disk encryption solution on the Federal Business Opportunity Web
site. The U.S. Department of Agriculture (USDA) also posted a request for
quotes (RFQ) on www.fbo.gov in relation to mobile device encryption. In an
article for Government Computer News found at www.gcn.com/online/vol1_no1/42640-1.html?topic=mobile-wireless, Mary Mosquera wrote
that the USDA’s requirements for the encryption solution include the
following:
It must be Federal Information Processing Standards (FIPS) 140-2
compliant.
It must integrate with a Microsoft Active Directory infrastructure.
It must be invisible to users.
It must be scalable.
It must provide automated deployment tools.
It must provide adequate recovery processes.
As we have seen throughout this chapter, devices containing version 1.2
TPM chips and Windows Vista TPM services fulfill all of these requirements.
They go beyond the requirements by securing encryption keys with TPM hardware
instead of relying on a software-only solution. Whether Windows Vista
becomes the solution of choice for most federal agencies remains to be seen.
This is the leading edge of a widespread change in the way that both the
public and the private sectors protect their digital assets on mobile devices. As
the federal government leads this process of carefully identifying all PII, controlling
which mobile devices that the PII. It is just unfortunate that the compromise
of the PII of millions of people has been the impetus required to
effect this change.
Here are some references for more information on this issue:
You can find OMB Memoranda M-06-16 at
www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf.
You can find information about the U.S. Air Force procurement at
www.fbo.gov/spg/USAF/AFMC/ESC/FA8771-07-R-0001/Attachments.html.
You can find NIST SP 800-53 Revision 1 at http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf.
Can I Really Trust These People?
We must rely on trustworthy BIOSes, TPM drivers, the TBS, and TSS implementations
from myriad sources in order to be sure that our trusted platforms are actually
trustworthy. More important, as we saw in discussing the trusted platform architecture,
the platform builds by evaluating the trustworthiness of each component one at
a time, and then relying on that component to evaluate the next component, and so
on. In this way, trust in one component is derived from the trust we had in each
preceding component. Therefore, if one component in the chain is suspect, all components
that derived their trust from that piece are also suspect.
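The chain of trust described above, and the Code Integrity measurements the TPM can attest to earlier in the chapter, can be made concrete by simulating a single TPM 1.2 PCR. The following is an added example, not code from the book, Microsoft or the TCG: it models TPM_Extend with SHA-1, replays a constructed boot chain into one PCR the way the CRTM measures the BIOS, the BIOS measures the boot manager and so on, and then takes the challenger's side, checking a reported PCR and event log against known-good values and naming the first component whose measurement diverges. The component names, the image bytes and the single-PCR layout are assumptions made for the example.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: new PCR = SHA-1(old PCR || measurement digest).

    A PCR can only be extended, never written, so its final value depends
    on every component measured into it and on the order of measurement.
    """
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(components):
    """Replay a boot chain into one PCR: each stage measures the next one
    before handing control to it. Returns the final PCR and the event log
    of (name, hex digest) that the platform keeps so a challenger can later
    check how the PCR value came about."""
    pcr = bytes(PCR_SIZE)  # PCRs reset to zero at power-on
    log = []
    for name, image in components:
        digest = hashlib.sha1(image).digest()
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def verify_quote(reported_pcr, reported_log, golden_log):
    """Challenger side of attestation. The platform reports its PCR and its
    event log; the challenger first checks that the log really reproduces
    the PCR (otherwise the log is a fabrication) and then compares each
    entry with the known-good log. Returns (trusted, reason): reason is
    None when trusted, else the first suspect component or an error."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in reported_log:
        pcr = extend(pcr, bytes.fromhex(digest))
    if pcr != reported_pcr:
        return False, "event log does not match PCR"
    if len(reported_log) != len(golden_log):
        return False, "extra or missing measurements"
    for (name, digest), (gname, gdigest) in zip(reported_log, golden_log):
        if name != gname or digest != gdigest:
            # Everything measured after this point derived its trust from a
            # suspect component, so the chain is broken here.
            return False, name
    return True, None


# Constructed stand-ins for the real images (BIOS, bootmgr, winload.exe,
# ntoskrnl.exe); the bytes are invented for the example.
GOOD_CHAIN = [
    ("bios", b"constructed BIOS image v1.07"),
    ("bootmgr", b"constructed Windows Boot Manager image"),
    ("winload", b"constructed winload.exe image"),
    ("ntoskrnl", b"constructed ntoskrnl.exe image"),
]


def demo():
    """Golden boot versus the same machine with a patched kernel image."""
    golden_pcr, golden_log = measured_boot(GOOD_CHAIN)
    tampered = [
        (name, image + b" +rootkit" if name == "ntoskrnl" else image)
        for name, image in GOOD_CHAIN
    ]
    pcr, log = measured_boot(tampered)
    trusted, suspect = verify_quote(pcr, log, golden_log)
    return pcr == golden_pcr, trusted, suspect


if __name__ == "__main__":
    print(demo())  # (False, False, 'ntoskrnl')
```

Note what the challenger does and does not learn: it cannot tell whether the patched kernel is malicious, only that the reported measurements stop matching at `ntoskrnl`, which is exactly the "reliable metrics about itself" property the TCG definition asks for. A real quote is also signed by a TPM-resident identity key so the challenger can tell the PCR came from the chip; the example leaves that signature out and keeps only the measurement logic.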
How much can we really trust these platforms, then? We can be sure that there
will be numerous problems with code security in the coming years. BIOSes, drivers,
OSes, and third-party applications will all be susceptible to attack. What we rely
upon is the capability of the trusted platform to provide reliable metrics about
itself—in fact, the TCG has defined trusted platform as "a computing platform that can
be trusted to report its properties," in its glossary of terms at www.trustedcomputinggroup.org/groups/glossary. So, the idea is not that the trusted computing platform
is impervious to attack, nor that it can detect when it has been compromised. As we
discussed at the beginning of this chapter, the trusted platform can enter insecure or
unstable states. However, it must provide reliable measurements of itself. Other parties
then challenge the system to produce these measurements when they need to
decide whether they trust the platform, and in this way, communication with an
untrusted system can be avoided.
The TPM Only Enables Technical Security Controls
Any good information security program relies upon technical, operational, and management
security controls. The TPM and Windows Vista TPM services provide us
with an incredibly powerful and flexible set of technical controls. However, they do
not help us to implement operational or management controls, and therefore they
can never be touted as the end game in information security. So, be wary of any
claims of that nature.
What the TPM and TPM services in Windows Vista do allow us to do is to
implement a range of controls based on encryption and device authentication to
greatly improve enterprise security. However, as with many of the technical controls
we currently have, holes still exist. For the most part, people are either using or
implementing those technical controls, and we have management and operational
controls to which those people are supposed to adhere. Whether they do adhere to
them is the issue.
For example, we read in the sidebar about best practices for TPM management
that the TPM owner password should never be stored to local media. However,
when we initialized the TPM and set the TPM owner password using the automatically
created password, we were required to save the password to local media in an
XML file with a .tpm extension (refer to the section on initializing the TPM, and to
Figure 4.2). From Microsoft’s perspective, this required save is understandable. There
is simply no way that anyone will remember a 48-digit password, so in order to
ensure that the owner authorization information is available when required,
Microsoft requires that automatically created authorization information be saved.
This is exactly where a good operational control is necessary. That file should be
stored in a secured location away from the device on which it was created as soon as
the initialization process completes. This will eliminate the chance that the owner
authorization information is stolen along with the asset to which the owner authorization
information pertains. However, those TPM files will invariably be saved to
USB keys which will then be carried around in the laptop bag or backpack that
contains the laptop on which they were created. So, basically, we have a tool that
allows us to provide a high level of security for a platform if we use it correctly, but
in all likelihood, a simple mistake such as this will invalidate any security that the
TPM can provide.
This is not a weakness of the TPM or of Windows Vista’s TPM services. This
should be considered a weakness of an immature security program that does not
provide a broad range of controls, and instead foolishly counts on a single magic
bullet to provide protection. With an already robust security program, the TPM
could be just what is needed to help the organization implement an even stronger
security posture.
Are You 0wned?
I Wonder How Much My Social Security Number Costs
If you believe that technical security controls are superior to management
and/or operational controls, please revisit the "Are You 0wned?" sidebar that
kicked off this chapter. Note that ChoicePoint sold PII on more than 160,000
people to identity thieves just a few years ago. ChoicePoint was not hacked.
There was no missing laptop. Identity thieves were able to breach very weak
management and operational controls. They portrayed themselves as private
companies that required the information for various credit and background
checks, and ChoicePoint sold them the information despite the fact that policies
and procedures for performing basic checks would have revealed the
fraud. The following quote is from an MSNBC.com article on the data breach,
found at www.msnbc.msn.com/id/11030692:
"The FTC’s complaint against ChoicePoint paints a picture of a firm that
was selling data to all comers, even after obvious signs of trouble. Law
enforcement agencies began to warn ChoicePoint of fraudulent activity back
in 2001, the complaint alleges. ChoicePoint continued to sell data to companies
with expired business licenses, with canceled telephones and after
employees signaled them out as suspicious. The firm even continued to supply
credit reports to the crime ring after the fake accounts it had set up were suspended
by ChoicePoint for non-payment, the complaint says."
Existing Attacks
The main problem people may have with Windows Vista TPM services is incorrect
usage of it. As we discussed, many people see clearing the TPM as a valid method of
wiping your drive if the drive is encrypted using the TPM. The flip side to that is
that it takes only one small mistake to eliminate all of someone’s data. So be careful
with the TPM MMC. Do not run the Clear TPM wizard if you have data that you
need that was encrypted with the TPM and be careful with those scripts. When you
issue a SetPhysicalPresenceRequest(5) call on a machine, you had better mean it, or you
had better be able to get on the machine and prevent the configuration modification
from completing after reboot.
By the same token, this may become a popular form of denial of service (DoS)
attack for the bad guys. If they cannot get to your data, it may simply be enough to
prevent you from getting to it. This means organizations are going to make sure they
enable the backup of recovery keys so that they can enact emergency recovery procedures.
This makes protecting the Active Directory infrastructure more important
than ever, but we already have ways to protect what is inside the perimeter. We need
to have a tool that could help us extend the security perimeter outside the walls of
the office, and that is where we can leverage the TPM to great effect.
What we will see is how effective and easy hardware attacks can become. We
know this is a weakness, now that we are relying on hardware to provide some security
functions. These sorts of attacks generally require more skill and are harder to
implement than software attacks, though, and attackers will always take the path of
least resistance.
SUMMARY
The TPM is the cornerstone of the TCG trusted platform, which is a computing
platform that can provide reliable integrity metrics on itself. The TPM itself does not
prevent virus attacks, theft of equipment, theft of data, or hacking attempts.
However, it does allow software developers to outfit security professionals, administrators,
and even users with a wide range of tools that can protect their systems.
Windows Vista includes some of these tools, including BitLocker Drive Encryption,
a secure startup mechanism within BitLocker, and Code Integrity features. The TPM
and Windows TPM services also support strong device authentication, which gives
network administrators a reliable means for controlling connectivity throughout
their networks.
It is interesting to see that although Microsoft has certainly spent a lot of development
time on implementing TPM services and applications in Windows Vista, it
also has spent a very large amount of time and effort on penetration testing
Windows Vista’s TPM implementation. We included a link to the Doug MacIver
presentation earlier in the chapter. Microsoft used BitLocker penetration testing as a
way to provide feedback to the developers, and apparently this has had an important
impact on the choices of which PCRs are used to seal the VMK.
This is an emerging technology, in terms of both the hardware and the software
that takes advantage of it. At this point, it seems as though Microsoft has built a very
robust and secure platform around the TPM, but given the wide-ranging possibilities
for TPM applications, we have seen only the tip of the iceberg. Although Microsoft
has even taken a whole new approach to system architecture in controlling what
processes may operate in kernel mode, and implementing Code Integrity to provide
integrity monitoring for all of that code, Code Integrity could very well be
extended to provide this integrity checking for other parts of the system. As Tom
Petty once sang, "the future was wide open."
However, it’s good to bring at least a small degree of skepticism anytime you
examine something. As we pointed out throughout this chapter, as old attack surfaces
vanish, attackers will find new ones. Hardware attacks such as those that are currently
possible against smart cards will emerge as a popular target. Although the TPM is just
emerging, some lessons are being incorporated into chip design, such as under- and
over-volting protection mechanisms. Despite any weaknesses, the TPM and Windows
Vista’s TPM services provide security professionals with a very useful tool to secure
their data.
SOLUTIONS FAST TRACK
Understanding the TPM
The Trusted Computing Group is an industry standards organization that is
developing specifications for the trusted platform architecture. The TPM is
at the core of the trusted platform.
Trusted platforms are based on two trusted components: the TPM and
CRTM, which are called the Trusted Building Blocks. Trust in the rest of
the platform is derived from these two basic components. The trust
boundary gradually extends to include other components, such as the OS
and applications.
Configuring and Managing the TPM on a Stand-Alone System
Use the TPM MMC console to configure the TPM on your stand-alone
system. This MMC provides all the functionality you should need in a
familiar interface that is easy to use.
Always back up your TPM owner authorization information to an external
storage device, and make sure you do not keep this device with the system
for which it contains the owner authorization information.
Configuring and Managing the TPM in an Enterprise Environment
Make sure you are requiring that the TPM owner authorization
information is backed up to Active Directory, if at all possible. This backup
functionality requires (1.) that all your domain controllers are running
Windows Server 2003 SP1 or later and (2.) that you have upgraded your
Active Directory schema using the adprep utility that comes with the
Windows Server 2007 and Windows Vista DVDs.
Utilize the Group Policy settings covered earlier in this chapter to lock
down users’ ability to tamper with the TPM command block lists, and to
configure your central block list. If you need to have the Group Policy
settings available with Windows Server 2007 on your Windows Server
2003 domain controllers, you can use the code included in this chapter and
on the CD that comes with this book to modify your administrative
templates.
Use scripting to take advantage of the Win32_Tpm WMI class to ease your
TPM device deployments. You can refer to Microsoft’s reference
documentation on this class at http://msdn2.microsoft.com/engb/library/aa376484.aspx in order to familiarize yourself with the class.
TPM Applications
Microsoft has built several key TPM-related components into Windows
Vista. The TBS has been implemented to serve as an agent that mediates
access to the TPM. The TCG has outlined an architecture whereby a
trusted platform relies on the BIOS and the OS boot manager to
implement a trusted boot process in order to maintain system integrity
through to the OS. BitLocker Drive Encryption implements this trusted
boot process. See the coverage of BitLocker Drive Encryption provided in
Chapter 5.
A small number of applications rely on the TPM, and there should be large
growth in these types of applications once Windows Vista is officially
released and begins to gain a foothold in desktop deployments.
To the dismay of music and movie lovers everywhere, the TPM will enable
content providers to implement more robust DRM techniques.
Understanding the Security Implications of the TPM
The TPM and Windows Vista TPM services are powerful tools for securing
the enterprise. They can provide very strong device authentication,
powerful protection of encryption keys, and assurance that code running on
the system is trustworthy. However, the TPM and services that depend on it
cannot ensure security. In order to provide security, we as security
professionals must implement strong technical, management, and
operational controls. The TPM can help us to implement strong technical
controls, but it does not address the other control areas.
As small devices include ever-increasing storage capacity, information
security professionals have two problems to solve as users become more
mobile. First, we must understand the data we protect so that we know
where any sensitive data is, and we must provide policies and training on
how the data is to be stored and handled. Second, we must implement a
mobile security perimeter to protect that data when it leaves the walls of
the enterprise, and the way to do this is to use cryptography.
FREQUENTLY ASKED QUESTIONS
The following Frequently Asked Questions, answered by the authors of this
book, are designed to both measure your understanding of the concepts presented
in this chapter and to assist you with real-life implementation of these
concepts. To have your questions about this chapter answered by the author,
browse to www.syngress.com/solutions and click on the "Ask the Author"
form.
Q: Can I protect sensitive data by storing it in the TPM in my computer?
A: No, the TPM is used only to create and store the private portions of keys, and
certain platform metrics. Those keys may then be used to encrypt the contents
of a disk or other data storage locations. So, you would use the TPM to protect
your data, but not by directly storing the data in the TPM.
Q: If I want to use Microsoft’s new BitLocker Drive Encryption, do I need to have
a TPM?
A: No, you can take advantage of BitLocker Drive Encryption by storing the
encryption key on a USB storage device. However, using the TPM to store the
key is preferred, and it is strongly recommended that you utilize the TPM if one
is present in your system. For more information on BitLocker Drive Encryption,
see Chapter 5.
Q: Does the TPM mean that Windows Vista is hack-proof?
A: No, nothing can make a computer hack-proof. Even if a system is unplugged
and powered off it is susceptible to physical attacks. However, the TPM and
Windows Vista TPM services have provided coverage against a lot of the most
popular current attack vectors, and using them together will provide better security
than an otherwise identical system that does not take advantage of them can
provide. In the meantime, attackers are going to be looking for new attack surfaces
through which they can gain access to the system and the data stored on it.
Implementing layers of defense across the spectrum of technical, management,
and operational security controls is a necessary supplement to a security program
that leverages the powerful countermeasures that Windows Vista’s TPM services
provide.
Q: Are there any differences between the TPM features included in the 32-bit version
and 64-bit version of Windows Vista?
A: Yes, there are. Only the 64-bit version of Windows Vista includes Code Integrity
features, which include:
Verification of the integrity of all code that loads into a protected process
Winload verification of the integrity of all drivers which are critical to the
boot process, including the HAL and the Windows kernel
Verification of the integrity of all kernel-mode drivers
Verification of the integrity of all user-mode binaries that implement cryptographic
functions
Verification of the integrity of all user-mode binaries that load into a protected
process used for the playback of high-definition media
Verification of the integrity of a specific set of user-mode binaries using
page hashes in nt5ph.cat and ntpe.cat