Windows 8 Remote Attestation Service

Q: What's the goal of a remote attestation service in the context of Windows 8.1 and Windows 8? How can such a service benefit the security of Windows platforms?

A: Remote attestation is linked to the notion of measured boot that Microsoft introduced in Windows 8.1 and Windows 8. Measured boot can take measurements of different software components used in the Windows boot process (e.g., the BIOS, OS loader, Windows kernel, drivers) and sign and securely store these measurements in a Trusted Platform Module (TPM—a security chip that's embedded on today's computers' motherboards).

These measurements can be used by a security service to check the integrity of a given Windows platform and show that the platform hasn't been infected by malware. Such security service is a trusted third party that's typically referred to as a remote attestation service. It compares the measurements with known good values. In doing so, it can attest that the Windows boot process of a particular machine is secure and/or that the anti-malware software on that machine is functioning properly.

When organizations use Dynamic Access Control (DAC) to control access to their resources, a remote attestation service can also issue a secured device claim to the computer, which can be used for different access-control scenarios. For example, it can grant network or file access if the device claim indicates that the computer is secure, or it can deny access if the claim states the computer is not secure.

A software option that organizations can leverage today to secure their Windows 8 platforms through a remote attestation service is Wave's Endpoint Monitor. Organizations can also follow Microsoft guidance, such as that provided in the TPM Platform Crypto-Provider Toolkit, to develop a custom remote attestation service.