Microsoft Edge Application Guard Takes Center Stage
Microsoft's biggest security announcement this week during its Ignite event for IT pros may have concerned Edge, the company's consumer-oriented Web browser.
The newly announced "Windows Defender Application Guard for Microsoft Edge" technology, which works with the Windows 10 Enterprise edition, could turn Edge into "the most secure browser in the enterprise," suggested Yusuf Mehdi, corporate vice president of the Windows and Devices Group, in an announcement this week.
Microsoft Edge, released with Windows 10, has tended to be a work in progress so far. It's maybe not the first choice of enterprises, as they may still be using Internet Explorer 11 to support their older Web applications. August Net Applications browser-use data generally showed Chrome as the leading browser at 53.9 percent, followed by Internet Explorer (27.3 percent) and Firefox (7.6 percent). The Microsoft Edge browser had a 5.1 percent market share.
Windows Defender Application Guard adds security to the Edge browser using Microsoft's Hyper-V virtualization solution. It leverages the device's hardware to run untrusted sites in a virtual machine. Any malicious actions that might get executed by malware located on the untrusted site are isolated from an organization's network resources in this way.
This hardware-based virtual machine approach for the Microsoft Edge browser seems somewhat like the Google Chrome OS approach that's used to protect Chromebook computers. However, by tapping the hardware, Windows Defender Application Guard for Microsoft Edge differs from the software-based sandbox technologies that are used by other browsers, according to Mehdi:
Unlike other browsers that use software-based sandboxes, which still provide a pathway for malware and vulnerability exploits, Microsoft Edge's use of Application Guard isolates the browser and employee activity using a hardware-based container to prevent malicious code from impacting the device and moving across the enterprise network. This robust security service helps protect enterprises from malware, viruses, vulnerabilities, and even zero-day attacks.
Edge gets protected by a "hardware-based container." The container runs a separate copy of the browser that has no access to the underlying operating system. The temporary container gets discarded at the end of the session, and any injected malware is deleted along with it. This virtualization security approach is used by other Windows 10 features, according to a blog post by Rob Lefferts, director of program management for Windows Enterprise and Security:
Hardware based isolation, with Virtualization Based Security (VBS), is one of the key ways we've hardened against attacks with Windows 10. VBS uses the processors' virtualization extensions to create a hardware-based security boundary between sensitive Windows components and data and the rest of the operating system. With Windows 10, this secure execution environment powered some of our most impactful security features, including Virtual TPM, Device Guard and Credential Guard.
Application Guard blocks access to "memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker," Microsoft explained in an Edge team blog post. The idea is to prevent credential theft, which attackers use to escalate privileges beyond a single PC, as in so-called "pass-the-hash" attacks.
Under the Application Guard protection scheme, IT pros create a list of trusted sites for employees to use. Application Guard will kick in for the sites that aren't recognized as trusted. Those browser sessions are "visually different" for end users, according to a Microsoft video, which showed a red shield-like icon appearing in the upper left corner of an Edge browser.
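The trusted-site decision described above, as an added illustration (not Microsoft's code, and not the format Application Guard actually uses for its trusted-site list): an IT-defined allowlist of enterprise domains is consulted, and any site whose host is not on the list (or a subdomain of one) is sent to the isolated container. The sample allowlist and URLs are constructed, and the matching rule (exact domain or subdomain match on the parsed host) is an assumption chosen to show why a naive substring check on the URL string is unsafe.

```python
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed sample allowlist of enterprise domains (assumption; not the
# real Application Guard policy format).
TRUSTED_DOMAINS: Set[str] = {"contoso.com", "sharepoint.com"}


def host_of(url: str) -> Optional[str]:
    """Return the lowercased host from a URL, or None if it cannot be trusted
    structurally (non-web scheme, missing host). urlsplit().hostname drops
    userinfo ('user@') and the port, which is exactly what we want here."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")  # 'contoso.com.' and 'contoso.com' are the same zone


def is_trusted_host(host: str, trusted: Set[str]) -> bool:
    """True if host equals a trusted domain or is a subdomain of one.
    Walks the label suffixes: hr.intranet.contoso.com -> intranet.contoso.com
    -> contoso.com -> com, and accepts only an exact allowlist hit."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in trusted for i in range(len(labels)))


def should_isolate(url: str, trusted: Set[str] = TRUSTED_DOMAINS) -> bool:
    """Policy decision: open in the isolated container unless the host is on
    the enterprise allowlist. Anything unparsable defaults to isolation."""
    host = host_of(url)
    if host is None:
        return True
    return not is_trusted_host(host, trusted)


def naive_is_trusted(url: str, trusted: Set[str] = TRUSTED_DOMAINS) -> bool:
    """The bug this example warns against: a substring match on the raw URL.
    Kept only to show how decoy hosts slip past it."""
    return any(domain in url for domain in trusted)


if __name__ == "__main__":
    samples = [
        "https://intranet.contoso.com/timesheet",      # trusted subdomain
        "https://hr.contoso.com:8443/",                # port does not matter
        "https://contoso.com.evil.example/login",      # decoy suffix
        "https://contoso.com@evil.example/",           # userinfo trick
        "https://evil.example/?next=contoso.com",      # domain in query only
        "file:///C:/payroll.xlsx",                     # non-web scheme
    ]
    for u in samples:
        print(f"{u:45} isolate={should_isolate(u)!s:5} naive_trusted={naive_is_trusted(u)}")
```

Running the block prints one line per sample; the three decoy URLs are isolated by the host-based rule but would be treated as trusted by the substring check, which is the point a reviewer of any allowlist implementation should look for.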
Windows Defender Application Guard will be available for testing by Windows Insider program participants "in the coming months," according to Mehdi. It'll get rolled out "more broadly next year." So far, Microsoft has described it as just a Windows 10 Enterprise edition offering. The feature isn't shown yet in Microsoft's Windows 10 edition comparison page.
On another security note, Mehdi also announced this week that Microsoft is now enhancing the "threat intelligence sharing" between its Windows Defender Advanced Threat Protection service, which helps organizations investigate system logs after security breaches, and its Office 365 Advanced Threat Protection service. The enhancement will permit organizations to "follow the complete chain of an attack from an email." It will reduce investigation time from "days or weeks to mere hours," Mehdi claimed.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.