Windows 10 and Surface hardware are now good enough for government work, even when dealing with classified data. The operating system and the Surface Pro 3 and 4, Surface Book, and Surface Studio have all been added to NSA’s Commercial Solutions for Classified Programs (CSfC) list. This means that, when properly configured and used in a properly designed layered deployment, the hardware and software all provide adequate security for classified data.
To further increase the appeal of Surface in constrained enterprise environments, today Microsoft is announcing Surface Enterprise Management Mode (SEMM) for Surface Pro 4, Surface Book, and Surface Studio. SEMM enables administrators with physical access to the hardware to lock out integrated peripherals such as webcam, microphone, and USB ports. This locking out is done by the firmware, disabling the devices in question, rendering them wholly inaccessible to the operating system. It’s intended as a much more elegant alternative to supergluing the ports or drilling out the cameras.
SEMM is designed to allow not just static configuration, wherein the devices are disabled permanently, but also dynamic configuration that responds to the environment. For example, a SEMM system could be configured so that when it was on a classified network the USB ports and camera were disabled, but when on an open network they were re-enabled. The system uses digital signatures and certificates to manage the configurations, preventing end users from re-enabling devices that they shouldn’t have access to.
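As an added illustration of the signed-configuration idea described above (this is a constructed model, not Microsoft's SEMM format, tooling, or API, and it does not touch real firmware), the following Go program shows the two halves of such a scheme: an administrator signs a peripheral policy that says which integrated devices stay enabled on which class of network, and the "firmware" side refuses any configuration whose signature does not verify under the enrolled administrator key. Ed25519, the JSON layout, and the `PeripheralPolicy`, `SignConfig`, `ApplyConfig` and `DeviceEnabled` names are all assumptions of this example. It also shows the two things the article says the signatures are there to prevent: an end user editing a stored policy to re-enable USB, and an end user signing a policy of their own with a key the device does not trust.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// ErrUntrustedConfig is returned when a configuration's signature does not
// verify under the enrolled administrator key.
var ErrUntrustedConfig = errors.New("configuration is not signed by the enrolled administrator key")

// PeripheralPolicy maps a network class (e.g. "classified", "open") to the
// integrated devices that remain enabled there. Constructed model of a
// SEMM-style policy; Microsoft's actual configuration format is not reproduced.
type PeripheralPolicy struct {
	Version int                        `json:"version"`
	Rules   map[string]map[string]bool `json:"rules"` // network -> device -> enabled
}

// SignedConfig carries the serialised policy and the administrator's signature over it.
type SignedConfig struct {
	Payload   []byte
	Signature []byte
}

// SignConfig is the administrator side: serialise the policy and sign the exact bytes.
func SignConfig(adminKey ed25519.PrivateKey, p PeripheralPolicy) (SignedConfig, error) {
	payload, err := json.Marshal(p)
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Payload: payload, Signature: ed25519.Sign(adminKey, payload)}, nil
}

// ApplyConfig is the firmware side: accept a policy only if its signature
// verifies under the enrolled public key. A tampered payload, or one signed
// by any other key (for example an end user's), is rejected before parsing.
func ApplyConfig(enrolled ed25519.PublicKey, c SignedConfig) (PeripheralPolicy, error) {
	if !ed25519.Verify(enrolled, c.Payload, c.Signature) {
		return PeripheralPolicy{}, ErrUntrustedConfig
	}
	var p PeripheralPolicy
	if err := json.Unmarshal(c.Payload, &p); err != nil {
		return PeripheralPolicy{}, err
	}
	return p, nil
}

// DeviceEnabled evaluates the dynamic rule for the network the device is
// currently on. A network with no rule fails closed: every device is disabled.
func DeviceEnabled(p PeripheralPolicy, network, device string) bool {
	rules, ok := p.Rules[network]
	if !ok {
		return false
	}
	return rules[device]
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample policy: everything off on the classified network, on elsewhere.
	policy := PeripheralPolicy{
		Version: 1,
		Rules: map[string]map[string]bool{
			"classified": {"usb": false, "camera": false, "microphone": false},
			"open":       {"usb": true, "camera": true, "microphone": true},
		},
	}
	cfg, err := SignConfig(priv, policy)
	if err != nil {
		panic(err)
	}
	applied, err := ApplyConfig(pub, cfg)
	if err != nil {
		panic(err)
	}
	fmt.Println("camera on classified network:", DeviceEnabled(applied, "classified", "camera"))
	fmt.Println("camera on open network:      ", DeviceEnabled(applied, "open", "camera"))

	// An end user editing the stored payload to re-enable USB invalidates the signature.
	tampered := cfg
	tampered.Payload = bytes.ReplaceAll(cfg.Payload, []byte(`"usb":false`), []byte(`"usb":true`))
	_, err = ApplyConfig(pub, tampered)
	fmt.Println("tampered config accepted:", err == nil)
}
```

The fail-closed default in `DeviceEnabled` is a deliberate choice: a network the policy does not mention is treated like the most restrictive one, so a misclassified or unrecognised network cannot silently turn the camera and USB ports back on.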