Core Security

Applies To: Windows Server 2008

Core Security includes system security functionality, such as authentication, authorization, and access control features, built into the Windows operating system. These features include BitLocker Drive Encryption, CryptoAPI 2.0, Code Integrity, Kerberos protocol, Software Restriction Policies, and Windows Initialization.

Hierarchy of Managed Entities

Managed Entities

Authentication Protocols

Authentication protocols are used to authenticate a user or computer by validating its identity against a trusted identity. Kerberos is one example of an authentication protocol.

Kerberos

Kerberos is a network authentication protocol that verifies both the identity of the user requesting authentication and the identity of the server providing the requested service; this two-way check is known as mutual authentication. The Kerberos authentication mechanism issues tickets for accessing network services. These tickets contain encrypted data, including an encrypted password, that confirms the user's identity to the requested service.

Kerberos Client

Kerberos clients are applications acting on behalf of users who need access to a resource, such as opening a file, querying a database, or printing a document. Every Kerberos client requests authentication before the resource is accessed. Once the client is recognized as trusted, a secure session between the client and the service hosting the resource is established.

Kerberos Key Distribution Center

The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services (AD DS).
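The three entities above (the protocol, the client, and the KDC) are easiest to understand as one exchange. The following Python model is an added example, not Microsoft's Kerberos implementation: it walks through the AS exchange (client obtains a ticket-granting ticket), the TGS exchange (client obtains a service ticket), and the AP exchange (client presents the ticket and the service proves itself back, the mutual authentication the page describes). The principal names, passwords, the hash-based string-to-key function, and the SHA-256/HMAC toy cipher are all constructed stand-ins for the real encryption types and the Active Directory key store.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption standing in for Kerberos encryption types (constructed, not Windows code).
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a small JSON record as nonce || ciphertext || tag."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag before decrypting: a wrong key (wrong password, wrong service) fails here."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))

def derive_key(secret: str) -> bytes:
    """Stand-in for the string-to-key function that turns a password into a long-term key."""
    return hashlib.sha256(secret.encode()).digest()

LIFETIME, SKEW = 600, 300   # ticket lifetime and allowed clock skew in seconds (constructed values)

def _check(ticket: dict, auth: dict, now: int) -> None:
    """Reject expired tickets and authenticators that name another client or fall outside the skew."""
    if ticket["expires"] < now:
        raise PermissionError("ticket expired")
    if auth["client"] != ticket["client"] or abs(auth["time"] - now) > SKEW:
        raise PermissionError("authenticator does not match ticket or is outside clock skew")

class KDC:
    """Key Distribution Center: knows every principal's long-term key (on a domain controller in AD DS)."""
    def __init__(self, principal_keys: dict):
        self.keys = principal_keys

    def as_exchange(self, client: str, now: int):
        """AS exchange: session key under the client's key, plus a TGT readable only with krbtgt's key."""
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "expires": now + LIFETIME})
        return seal(self.keys[client], {"key": sk}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS exchange: validate TGT and authenticator, then issue a ticket encrypted to the service's key."""
        t = unseal(self.keys["krbtgt"], tgt)
        sk1 = bytes.fromhex(t["key"])
        _check(t, unseal(sk1, authenticator), now)
        sk2 = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": sk2, "expires": now + LIFETIME})
        return seal(sk1, {"key": sk2}), ticket

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int):
    """AP exchange, server side. Only the holder of the service key can open the ticket and recover sk2."""
    t = unseal(service_key, ticket)
    sk2 = bytes.fromhex(t["key"])
    auth = unseal(sk2, authenticator)
    _check(t, auth, now)
    # Mutual authentication: proving knowledge of sk2 proves the server holds the service's key.
    return t["client"], seal(sk2, {"time": auth["time"]})

def client_login(kdc: KDC, service_key: bytes, user: str, password: str, service: str, now: int) -> str:
    """Client side of all three exchanges; service_key is passed only so this model can reach the service."""
    enc_sk1, tgt = kdc.as_exchange(user, now)
    sk1 = bytes.fromhex(unseal(derive_key(password), enc_sk1)["key"])      # wrong password fails here
    enc_sk2, ticket = kdc.tgs_exchange(tgt, seal(sk1, {"client": user, "time": now}), service, now)
    sk2 = bytes.fromhex(unseal(sk1, enc_sk2)["key"])
    client_name, ap_rep = service_accept(service_key, ticket, seal(sk2, {"client": user, "time": now}), now)
    if unseal(sk2, ap_rep)["time"] != now:                                   # verify the server's reply
        raise PermissionError("server failed mutual authentication")
    return client_name

def demo() -> dict:
    """Constructed realm with one user and one file service; returns the outcome of three logon attempts."""
    svc = "cifs/fs01.example.test"
    keys = {"krbtgt": derive_key("kdc-master-secret"), "alice": derive_key("correct horse"),
            svc: derive_key("fs01-machine-secret")}
    kdc, now = KDC(keys), 1_700_000_000
    attempts = {"correct_password": ("correct horse", keys[svc]),
                "wrong_password": ("wrong", keys[svc]),
                "ticket_shown_to_other_service": ("correct horse", derive_key("other-service-secret"))}
    results = {}
    for label, (password, presented_to) in attempts.items():
        try:
            results[label] = "accepted as " + client_login(kdc, presented_to, "alice", password, svc, now)
        except (ValueError, PermissionError) as exc:
            results[label] = "rejected: " + str(exc)
    return results
```

Two points the model makes visible: the client never sends its password, it only proves it can decrypt the AS reply; and a service ticket is useless to any service other than the one whose key it was encrypted under, which is why the third attempt is rejected.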

BitLocker Drive Encryption

BitLocker Drive Encryption (BitLocker) is a component of Windows Vista Ultimate Edition and Windows Vista Enterprise Edition and is an optional component of Windows Server 2008 that helps to protect data by encrypting the entire volume and checking the integrity of early startup components. For more information, see "BitLocker Drive Encryption Technical Overview" in Windows Server 2008 Help and Support or on the Web at https://go.microsoft.com/fwlink/?LinkId=99542.

BitLocker API

An application programming interface (API) is the gateway between the application programs, including the Windows interface, and the underlying components of the operating system. The BitLocker API is implemented in the dynamic link library (DLL) named fveapi.dll. The Windows interface and the BitLocker Windows Management Instrumentation (WMI) provider use the commands in the API. These API commands control the operation of the BitLocker filter driver. The API and the filter driver together provide the functionality of BitLocker Drive Encryption.

BitLocker Filter Driver

The BitLocker filter driver is the main component that implements live encryption/decryption functionality. It converts the volume from decrypted to encrypted when BitLocker is set up.

TPM Driver

The Microsoft TPM Driver is the software component that allows the Windows operating system to communicate with the Trusted Platform Module (TPM) hardware component. It is called exclusively by the TPM Base Service (TBS).

A TPM is a hardware component of the computer that has security features to perform cryptographic operations, store cryptographic keys, generate random numbers, record measurements of platform components like the BIOS or software components, and so forth. Software applications can use TPM features to provide solutions with enhanced security.

BitLocker Drive Encryption in some configurations uses the TPM to seal a cryptographic key so that it can be accessed only if the computer is configured in the same way as when the key was sealed.

TPM WMI Provider

The Trusted Platform Module (TPM) Windows Management Instrumentation (WMI) provider is a component of Windows that allows access to management and configuration information for the TPM by means of WMI.

A TPM is a hardware component of the computer that has security features to perform cryptographic operations, store cryptographic keys, generate random numbers, record measurements of platform components like the BIOS or software components, and so forth. Software applications can use TPM features to provide solutions with enhanced security. BitLocker Drive Encryption can use the TPM to seal a cryptographic key so that it can be accessed only if platform components have the same measurement as when the key was sealed.

The TPM Management Console, BitLocker Setup Wizard, and the manage-bde.wsf command-line tool use the TPM WMI provider when configuring BitLocker. If Windows is configured by local policy or Group Policy settings to automatically back up the TPM owner password, the TPM Management Console or BitLocker Setup Wizard will use the TPM WMI provider to perform the backup.

TPM Base Services

The Trusted Platform Module (TPM) Base Services (TBS) is a software component that allows the Windows operating system and applications to use services provided by the TPM. Because multiple applications on a computer share a single TPM hardware component and TPM driver, the TBS virtualizes certain limited TPM resources. The TBS uses priorities specified by calling applications to cooperatively schedule TPM access.

A TPM is a hardware component of the computer that has security features to perform cryptographic operations, store cryptographic keys, generate random numbers, record measurements of platform components like the BIOS or software components, and so forth. Software applications can use TPM features to provide solutions with enhanced security. BitLocker Drive Encryption in some configurations uses the TPM to seal a cryptographic key so that it can be accessed only if certain platform components have the same measurement as when the key was first sealed.

The TBS is used by BitLocker, and can also be used by other applications.
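The TPM Driver, TPM WMI Provider, and TPM Base Services entries above all describe the same mechanism: the TPM records measurements of early-boot components and seals a key so it can only be recovered when those measurements are unchanged. The Python model below is an added example, not the TPM driver, TBS, or BitLocker code. The hash-chained PCR extend operation follows the TPM's extend semantics; the storage root key, the HMAC-based wrapping, the boot components, and the volume master key stand-in are all constructed for the example.

```python
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 32   # PCRs start at zero on platform reset

def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = H(old || H(component)). Order matters and the value cannot be rolled back."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_boot(components) -> bytes:
    """Measure each early-boot component into one PCR, in load order."""
    pcr = PCR_INIT
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

class ToyTPM:
    """Holds a storage root key that never leaves the 'chip' (constructed model, not the TPM specification)."""
    def __init__(self):
        self._srk = os.urandom(32)
        self.pcr = PCR_INIT

    def reset_and_boot(self, components):
        """Simulate a reboot: PCRs reset, then the boot chain is measured again."""
        self.pcr = measured_boot(components)

    def seal(self, secret: bytes) -> dict:
        """Bind a 32-byte secret to the current PCR value; only the same PCR value can unwrap it."""
        if len(secret) != 32:
            raise ValueError("this toy seals exactly 32 bytes")
        wrap = hmac.new(self._srk, b"seal" + self.pcr, hashlib.sha256).digest()
        ciphertext = bytes(s ^ w for s, w in zip(secret, wrap))
        tag = hmac.new(self._srk, self.pcr + ciphertext, hashlib.sha256).digest()
        return {"pcr_policy": self.pcr, "ciphertext": ciphertext, "tag": tag}

    def unseal(self, blob: dict):
        """Return the secret only if the current PCR equals the sealed policy and the blob is intact."""
        if not hmac.compare_digest(self.pcr, blob["pcr_policy"]):
            return None   # platform changed since sealing; BitLocker prompts for the recovery key here
        tag = hmac.new(self._srk, self.pcr + blob["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None   # sealed blob was altered
        wrap = hmac.new(self._srk, b"seal" + self.pcr, hashlib.sha256).digest()
        return bytes(c ^ w for c, w in zip(blob["ciphertext"], wrap))

def demo() -> dict:
    """Seal a key at one boot and try to unseal it after several kinds of change to the boot chain."""
    # Constructed stand-ins for the measured early-boot components.
    bios, bootmgr, winload = b"firmware image v1", b"bootmgr image", b"winload.exe image"
    vmk = os.urandom(32)   # stands in for the volume master key BitLocker protects
    tpm = ToyTPM()
    tpm.reset_and_boot([bios, bootmgr, winload])
    sealed = tpm.seal(vmk)
    chains = {"same_boot": [bios, bootmgr, winload],
              "modified_bootmgr": [bios, b"bootmgr image (patched)", winload],
              "reordered_chain": [bios, winload, bootmgr],
              "firmware_update": [b"firmware image v2", bootmgr, winload]}
    outcomes = {}
    for label, chain in chains.items():
        tpm.reset_and_boot(chain)
        outcomes[label] = tpm.unseal(sealed) == vmk
    return outcomes
```

The last three cases are the practical reason BitLocker with a TPM protector needs a recovery key: a firmware update or a changed boot manager legitimately changes the measurements, and the TPM cannot distinguish that from tampering.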

Code Integrity

Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative privileges. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.

CryptoAPI 2.0

CryptoAPI 2.0 is a set of application programming interfaces (APIs) that provide the support for certificate chain validation, certificate store operations, and signature verification in Windows. CryptoAPI 2.0 logs information about these operations, which can be used to help identify the cause of public key infrastructure (PKI) problems.

Software Restriction Policies (SRP)

Software restriction policies provide administrators with a mechanism for identifying software programs running on a computer and controlling the ability of those programs to execute. Software restriction policies are not enabled by default. These policies are enabled and configured using either the Group Policy Management Console or the Local Group Policy Editor.

A software restriction policy consists of a default rule that defines the security level under which programs can run and additional rules that define the exceptions to the default rule. You can set the default security level to either Unrestricted (the program can run if the access rights of the user allow it), Disallowed (the program cannot run), or Basic User (the program runs as a normal user, regardless of the rights of the user who started it). This policy can be enforced on all users, or you can specify that the policy is not enforced on users who are members of the local administrators group.

There are four types of additional rules that can be defined in a software restriction policy to identify software that is an exception to the default rule. Your software restriction policy can identify software using the following methods:

  • Hash. A cryptographic fingerprint of the file.
  • Certificate. A software publisher certificate used to digitally sign a file.
  • Path. The local or universal naming convention (UNC) path to where the file is stored.
  • Network Zone. The network zone.

For more information about software restriction policies, see Using Software Restriction Policies to Protect Against Unauthorized Software (https://go.microsoft.com/fwlink/?LinkID=98671).
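To show how a default rule, the four exception rule types, and the local-administrators option combine, the following Python model evaluates a small policy against constructed programs. It is an added example, not the Windows SRP engine: the precedence it applies (hash, then certificate, then path, then zone, then the default rule, with the most specific path prefix winning among path rules) is the order Microsoft documents for SRP, while the use of SHA-256 for the fingerprint, the publisher-name match, the prefix-only path match, and every file, path and policy value are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNRESTRICTED, DISALLOWED, BASIC_USER = "Unrestricted", "Disallowed", "Basic User"
# Rule precedence as documented for SRP: the most specific identification method wins.
PRECEDENCE = ("hash", "certificate", "path", "zone")

@dataclass
class Program:
    path: str                        # local or UNC path of the file being started
    content: bytes                   # file bytes (constructed; only used by the hash rule)
    publisher: Optional[str] = None  # subject of the code-signing certificate, if the file is signed
    zone: Optional[str] = None       # network zone the file came from, e.g. "Internet"

@dataclass
class Rule:
    kind: str    # one of PRECEDENCE
    match: str   # hex digest, publisher name, path prefix, or zone name
    level: str   # security level applied when the rule matches

@dataclass
class Policy:
    default_level: str
    rules: List[Rule]
    skip_local_admins: bool = False  # "policy is not enforced on local administrators" option

def file_hash(content: bytes) -> str:
    """Fingerprint used by hash rules; SHA-256 is this model's choice, not necessarily SRP's on 2008."""
    return hashlib.sha256(content).hexdigest()

def _norm(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").lower()

def _matches(rule: Rule, prog: Program) -> bool:
    if rule.kind == "hash":
        return file_hash(prog.content) == rule.match.lower()
    if rule.kind == "certificate":
        return prog.publisher is not None and prog.publisher == rule.match
    if rule.kind == "path":
        prefix, target = _norm(rule.match), _norm(prog.path)
        # Boundary-aware prefix match so "C:\Program Files" does not cover "C:\Program Files2".
        return target == prefix or target.startswith(prefix + "\\")
    if rule.kind == "zone":
        return prog.zone is not None and prog.zone == rule.match
    raise ValueError(f"unknown rule kind {rule.kind!r}")

def evaluate(policy: Policy, prog: Program, user_is_local_admin: bool = False) -> Tuple[str, str]:
    """Return (security level, reason) for starting prog under policy."""
    if policy.skip_local_admins and user_is_local_admin:
        return UNRESTRICTED, "policy not enforced for local administrators"
    for kind in PRECEDENCE:
        hits = [r for r in policy.rules if r.kind == kind and _matches(r, prog)]
        if hits:
            if kind == "path":  # among path rules the most specific (longest) prefix wins
                hits.sort(key=lambda r: len(_norm(r.match)), reverse=True)
            return hits[0].level, f"{kind} rule {hits[0].match!r}"
    return policy.default_level, "default rule"

def demo() -> dict:
    """Constructed policy: deny by default, allow Program Files, but always block one known-bad hash."""
    known_bad = b"constructed bytes of a blocked binary"
    policy = Policy(DISALLOWED, [
        Rule("path", r"C:\Program Files", UNRESTRICTED),
        Rule("path", r"C:\Program Files\Legacy", BASIC_USER),
        Rule("hash", file_hash(known_bad), DISALLOWED),
        Rule("certificate", "Contoso Ltd", UNRESTRICTED),
        Rule("zone", "Internet", DISALLOWED),
    ])
    cases = {
        "installed_tool": Program(r"C:\Program Files\Tool\tool.exe", b"tool bytes"),
        "legacy_tool": Program(r"C:\Program Files\Legacy\old.exe", b"old bytes"),
        "bad_in_trusted_dir": Program(r"C:\Program Files\Tool\bad.exe", known_bad),
        "signed_download": Program(r"D:\Downloads\setup.exe", b"setup bytes", publisher="Contoso Ltd"),
        "unsigned_download": Program(r"D:\Downloads\setup.exe", b"setup bytes"),
        "lookalike_dir": Program(r"C:\Program Files2\evil.exe", b"evil bytes"),
    }
    return {name: evaluate(policy, prog)[0] for name, prog in cases.items()}
```

The "bad_in_trusted_dir" case is the one to note when designing a policy: a hash rule outranks a path rule, so a single known-bad file can be blocked even inside a directory the policy otherwise trusts, and conversely a broad Unrestricted path rule is only as safe as the write permissions on that directory.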


Windows Logon and Initialization

Windows logon and initialization is the startup routine that reads boot information from the drive, starts processes, and calls services so that the computer is properly configured for an operational state and is ready for a user account to log on.

Windows Logon

Windows logon is the set of interfaces that controls the management of credentials and user profiles when a user first attempts to log on to a computer, when a user logs off from a computer, or when the active user account is switched. These processes control the acquisition and release of system resources for a particular user, process, or service.

Windows logon also includes interfaces that perform Windows license verification when the operating system is first loaded to ensure that the operating system has been activated and that the use license is valid.

Windows Initialization

Windows initialization is the startup routine that reads boot information from the drive, starts processes, and calls services so that the computer is properly configured for an operational state.