No more superglued USB ports: Surface hardware can be locked down in firmware

Enlarge / No longer do these ports need to be defiled with glue. (credit: Casey Johnston)

Windows 10 and Surface hardware are now good enough for government work, even when dealing with classified data. The operating system and the Surface Pro 3 and 4, Surface Book, and Surface Studio have all been added to NSA’s Commercial Solutions for Classified Programs (CSfC) list. This means that, when properly configured and used in a properly designed layered deployment, the hardware and software all provide adequate security for classified data.

To further increase the appeal of Surface in constrained enterprise environments, today Microsoft is announcing Surface Enterprise Management Mode (SEMM) for Surface Pro 4, Surface Book, and Surface Studio. SEMM enables administrators with physical access to the hardware to lock out integrated peripherals such as webcam, microphone, and USB ports. This locking out is done by the firmware, disabling the devices in question, rendering them wholly inaccessible to the operating system. It’s intended as a much more elegant alternative to supergluing the ports or drilling out the cameras.

SEMM is designed to allow not just static configuration, wherein the devices are disabled permanently, but also dynamic configuration that responds to the environment. For example, a SEMM system could be configured so that when it was on a classified network the USB ports and camera were disabled, but when on an open network they were re-enabled. The system uses digital signatures and certificates to manage the configurations, preventing end users from re-enabling devices that they shouldn’t have access to.

Read 5 remaining paragraphs | Comments

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s