Saturday, March 4, 2017

Locking down enterprise PCs with Device Guard

Device Guard is a set of Windows 10 features that lets IT pros lock down a device so tightly that it cannot run untrusted software, neutralizing any attacker or exploit whose payload is a malicious program the user is persuaded to run. In this configuration only explicitly trusted programs can run, so an attacker who gets past other security layers by exploiting a zero-day vulnerability still cannot launch a new executable. Note the scope of the protection: Device Guard decides which code may be loaded and executed; it does not by itself stop an exploit that keeps its payload inside the memory of an already-trusted process, which is why it is deployed alongside, not instead of, exploit mitigations and patching.

Even an attacker who takes over the Windows kernel still cannot run malicious or unknown executable code, thanks to a key architectural feature of Device Guard: the trust decision for any code is made by the Windows Code Integrity service running in Virtual Secure Mode, a Hyper-V protected environment that runs alongside Windows and that the normal kernel cannot read or write. Before a binary is allowed to execute, the service checks its signature against the Code Integrity policy. Secure Boot ensures the platform starts in this configuration, and the virtualization-based security settings and the policy can be locked with UEFI variables, so that even a compromised administrator account cannot simply switch them off.

To deploy Device Guard, your hardware and software must meet the following requirements:
■ The device must be running Windows 10 Enterprise.

■ The UEFI firmware must be version 2.3.1 or higher, with Secure Boot enabled and a secure firmware update process. For additional security against physical attacks, Microsoft recommends locking firmware setup to prevent changes in UEFI settings and to block startup using other operating systems.

■ Virtualization-based security features require Hyper-V, which runs only on 64-bit PCs that support Intel VT-x or AMD-V virtualization extensions and Second Level Address Translation.

■ An input/output memory management unit (Intel VT-d or AMD-Vi) is required to protect the hypervisor and Virtual Secure Mode against direct memory access (DMA) attacks from peripherals.

■ A Trusted Platform Module is optional, but highly recommended.

Group Policy is the usual way to turn these features on across a fleet; you can also configure them manually on a single device using Windows PowerShell cmdlets, registry settings, or Deployment Image Servicing and Management (DISM).
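The following PowerShell, added here as an example and not taken from the book, checks a PC against the prerequisites listed above using the Win32_DeviceGuard WMI class, and then enables virtualization-based security with hypervisor-enforced code integrity (HVCI) through the documented DeviceGuard registry values. The function names and the choice to derive RequirePlatformSecurityFeatures from the DMA-protection check are my own; run it from an elevated session and reboot afterwards.

```powershell
# Added example (not from the book): readiness check plus manual VBS/HVCI
# enablement for Windows 10 Enterprise. Run as administrator; reboot required.

function Get-DeviceGuardReadiness {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    # AvailableSecurityProperties codes: 1 = hypervisor support (VT-x/AMD-V + SLAT),
    # 2 = Secure Boot, 3 = DMA protection (IOMMU).
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # *PolicyEnforcementStatus: 0 = none, 1 = audit, 2 = enforced.
    [pscustomobject]@{
        HypervisorSupported = $dg.AvailableSecurityProperties -contains 1
        SecureBootEnabled   = $dg.AvailableSecurityProperties -contains 2
        DmaProtection       = $dg.AvailableSecurityProperties -contains 3
        VbsRunning          = $dg.VirtualizationBasedSecurityStatus -eq 2
        HvciRunning         = $dg.SecurityServicesRunning -contains 2
        KernelCIPolicy      = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCIPolicy    = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        TpmPresent          = (Get-Tpm).TpmPresent   # optional, but recommended
    }
}

function Enable-VbsWithHvci {
    param([switch]$UefiLock)   # hypothetical switch name, chosen for this example

    $ready = Get-DeviceGuardReadiness
    if (-not ($ready.HypervisorSupported -and $ready.SecureBootEnabled)) {
        throw 'Hypervisor support and Secure Boot are both required for Device Guard.'
    }

    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item -Path $hvciKey -Force | Out-Null

    # Turn VBS on. RequirePlatformSecurityFeatures: 1 = Secure Boot only,
    # 3 = Secure Boot plus DMA protection (only if the IOMMU is available).
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    $platform = if ($ready.DmaProtection) { 3 } else { 1 }
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Type DWord -Value $platform

    # Turn HVCI on. Locked = 1 stores the setting in a UEFI variable, so an
    # attacker with admin rights cannot disable it just by deleting the registry value.
    Set-ItemProperty -Path $hvciKey -Name Enabled -Type DWord -Value 1
    Set-ItemProperty -Path $hvciKey -Name Locked  -Type DWord -Value ([int]$UefiLock.IsPresent)
}

Get-DeviceGuardReadiness | Format-List
Enable-VbsWithHvci -UefiLock
Restart-Computer -Confirm
```

After the reboot, rerun Get-DeviceGuardReadiness and confirm VbsRunning and HvciRunning are both True; if HVCI refuses to start, the usual cause is a driver that is incompatible with the stricter memory rules, which the Code Integrity event log will name.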

When configuring Device Guard, you can specify both Universal Windows Platform (UWP) apps and classic Windows desktop programs as trusted. This trust relationship requires that the apps or classic programs be signed with a digital certificate that your organization defines as trustworthy. For UWP apps, the Windows Store publishing process produces compatible signatures that can be verified against Microsoft's certificate authority (CA) or your organization's CA. Independent software vendors can sign Windows desktop apps with certificates from their own public key infrastructure or from a non-Microsoft signing authority, which is then added to the policy's list of trusted signers.

Microsoft has also announced its intention to introduce a secure Web service that software developers and enterprises can use to sign classic Windows apps.

The final step is to create a Code Integrity policy. The policy is authored as an XML document and then compiled into a binary file that Windows loads at boot. It covers both user mode and kernel mode on Windows 10 Enterprise, and when it is enforced the Windows script hosts are restricted as well: PowerShell runs in Constrained Language Mode and the other script hosts accept only scripts that the policy trusts. The policy restricts what code can run on a device; deploy it first in audit mode, in which violations are logged rather than blocked, and switch to enforcement only once the audit log is clean.
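An end-to-end policy workflow, added here as an example and not taken from the book: scan a clean reference machine, deploy the resulting policy in audit mode, fold the audited events back into the policy, and enforce it. The working folder C:\CIPolicy and the file names are assumptions; the cmdlets, rule option numbers, event IDs and the SIPolicy.p7b deployment path are the documented ones.

```powershell
# Added example (not from the book): author, audit, merge and enforce a
# Device Guard code integrity policy. Run as administrator on the reference image.

$work     = 'C:\CIPolicy'                      # assumed working folder
$initial  = Join-Path $work 'InitialScan.xml'
$auditXml = Join-Path $work 'AuditEvents.xml'
$merged   = Join-Path $work 'Merged.xml'
$binary   = Join-Path $work 'SIPolicy.p7b'
$deployTo = Join-Path $env:windir 'System32\CodeIntegrity\SIPolicy.p7b'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Scan the installed software. -Level Publisher trusts anything signed by the
#    same publisher certificate as the files found; -Fallback Hash pins unsigned
#    files by hash instead of failing on them. -UserPEs brings user-mode binaries
#    under the policy (without it only kernel-mode code is governed).
New-CIPolicy -FilePath $initial -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Start in audit mode (rule option 3): anything the policy would block still
#    runs, but is logged to Microsoft-Windows-CodeIntegrity/Operational as event 3076.
Set-RuleOption -FilePath $initial -Option 3

# 3. Compile the XML into the binary form Windows consumes and install it.
ConvertFrom-CIPolicy -XmlFilePath $initial -BinaryFilePath $binary
Copy-Item -Path $binary -Destination $deployTo -Force
# Reboot here and run the normal workload for a representative period.

# 4. Turn the audited events into rules, merge them into the base policy,
#    drop audit mode, and redeploy. Review $auditXml before merging: every
#    entry is software the scan missed, and some of it may not belong on the list.
New-CIPolicy -FilePath $auditXml -Audit -Level Publisher -Fallback Hash -UserPEs
Merge-CIPolicy -OutputFilePath $merged -PolicyPaths $initial, $auditXml
Set-RuleOption -FilePath $merged -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $binary
Copy-Item -Path $binary -Destination $deployTo -Force

# After the next reboot, blocked executions appear as event 3077 and the script-host
# restriction is visible from any PowerShell prompt:
#   $ExecutionContext.SessionState.LanguageMode   (reports ConstrainedLanguage)
```

Two practical notes: keep the XML sources under version control, because the binary cannot be decompiled back into an editable policy; and sign the final policy with an organizational certificate before enabling a UEFI lock, otherwise an administrator can replace the unsigned SIPolicy.p7b with an empty one.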

With those configurations and policies enabled, you’re ready to deploy Device Guard. For a comprehensive deployment guide, see the detailed write-up at

Source of Information : Microsoft Introducing Windows 10 For IT Professionals
