The Schwartz Report


Device Guard Joins Windows Hello and Passport To Lockdown Windows 10

Microsoft's effort to displace passwords with its forthcoming biometrics-based Windows Hello and Passport technology has received a fair amount of attention over the past few weeks. But Microsoft has another new technology slated for Windows 10, called Device Guard, which aims to further protect Windows from malware and from both known and new advanced persistent threats.

Device Guard, announced at last month's RSA Conference in San Francisco, will be an option for those who want deeper protection against APTs and malware in instances where intruders get in. Device Guard uses hardware-based virtualization to block the ability to execute unsigned code. It does so by creating a virtual machine that's isolated from the rest of the operating system. Device Guard can protect data and applications from attackers and malware that have already managed to gain access, according to Chris Hallum, a senior product manager for commercial Windows client security at Microsoft.

"This gives it a significant advantage over traditional antivirus and app control technologies like AppLocker, Bit9, and others which are subject to tampering by an administrator or malware," Hallum explained in an April 21 blog post. "In practice, Device Guard will frequently be used in combination with traditional AV and app control technologies. Traditional AV solutions and app control technologies will be able to depend on Device Guard to help block executable and script-based malware while AV will continue to cover areas that Device Guard doesn't such as JIT based apps (e.g.: Java) and macros within documents. App control technologies can be used to define which trustworthy apps should be allowed to run on a device. In this case IT uses app control as a means to govern productivity and compliance rather than malware prevention."

Device Guard blocks malware and zero-day attacks targeting Windows 10 by allowing only trusted apps to run: those signed by software vendors, by the Windows Store, or by the organization for its internally developed software, according to Hallum. "You're in control of what sources Device Guard considers trustworthy and it comes with tools that can make it easy to sign Universal or even Win32 apps that may not have been originally signed by the software vendor," he explained.

When I met with Hallum and Dustin Ingalls, group program manager for OS security, at the RSA Conference in San Francisco last month, we primarily discussed Windows Hello and Passport, which Microsoft is hoping will replace passwords by enabling biometric authentication. Device Guard is not quite as sexy since it'll be invisible to individual end users but will allow enterprise IT administrators to make it impossible for attackers to execute code not recognized by Device Guard, Ingalls explained.

The VM that Device Guard creates forms what Ingalls called a "tiny OS," where the operating system's decision-making components are isolated. "We take the actual critical integrity components and move those out of the main OS," Ingalls explained. "Now we have an operating system that's much more difficult to compromise. On top of that we make use of a feature called user mode integrity, which they know is vetted in the Windows Store."
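The article describes three pieces that have to be in place for this protection to hold: the virtualization-based isolation, kernel-mode code integrity, and user-mode code integrity. As an added example (not code from the article or from Microsoft), the following script reads the status Windows reports for each through the Win32_DeviceGuard CIM class and warns when any piece is missing; it assumes an elevated PowerShell session on a Windows 10 or later machine.

```powershell
# Added example: report whether Device Guard's isolation and code integrity
# policies are actually running on this machine. Assumes an elevated session.
function Get-DeviceGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Status encodings documented for the Win32_DeviceGuard class
    $vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ciStates  = @{ 0 = 'Off'; 1 = 'Audit mode'; 2 = 'Enforced' }
    $services  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity' }

    $running = @($dg.SecurityServicesRunning | ForEach-Object { $services[[int]$_] })
    if ($running.Count -eq 0) { $running = @('None') }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning             = $running -join ', '
        KernelModeCodeIntegrity     = $ciStates[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrity       = $ciStates[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

$state = Get-DeviceGuardState
$state | Format-List

# Each gap below means part of the protection described in the article is absent.
if ($state.VirtualizationBasedSecurity -ne 'Running') {
    Write-Warning 'VBS is not running: the isolated "tiny OS" is not active.'
}
if ($state.KernelModeCodeIntegrity -ne 'Enforced') {
    Write-Warning 'Kernel-mode code integrity is not enforced (off or audit only).'
}
if ($state.UserModeCodeIntegrity -ne 'Enforced') {
    Write-Warning 'User-mode code integrity is not enforced: unsigned apps can still run.'
}
```

Audit mode is worth calling out separately because the policy then only logs what it would have blocked, which is the expected state during a rollout but not the protection the article describes.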

Stella Chernysak, a senior director for Windows Commercial at Microsoft, described Device Guard as similar to Bitlocker in concept. "Device Guard will be on business systems, where IT has an opportunity to turn it on," Chernysak explained in an interview last week at Microsoft's Ignite conference in Chicago. "It will be an option for IT to take advantage of that feature or IT may make the decision to ask an OEM or partner to turn it on."

Posted by Jeffrey Schwartz on 05/11/2015 at 12:48 PM
