
Does Windows 10 virtualization-based security defend the OS?

With Windows 10, Microsoft emphasized virtualization-based security, such as Device Guard and Credential Guard, to keep corporate information off users' devices.

Most people lock their doors when they leave the house. Some people take an extra step and hide extremely valuable items away in a safe, essentially adding a second line of defense.

The idea behind virtualization-based security is similar. Yes, IT puts up a firewall and takes other security precautions, but hackers can circumvent these measures and enter the network anyway. In those cases, IT needs a safe-like protection method to keep valuable corporate data and user credentials out of harm's way.

Microsoft added new Windows 10 virtualization-based security features, such as Isolated User Mode, Credential Guard and Device Guard, to fortify the defenses of the OS.

Take a closer look at Windows 10 virtualization-based security

Isolated User Mode delivers a secure kernel that allows IT to isolate data or processes from the OS itself, which adds an extra layer of protection from attackers. It works in conjunction with the other two virtualization-based security tools in Windows 10 -- Device Guard and Credential Guard -- to keep data out of harm's way.

Device Guard uses Virtual Secure Mode (VSM) -- a VM directly on the Microsoft Hyper-V hypervisor that is completely isolated from the OS -- to separate itself from the rest of the OS. What makes this unique compared to other setups is that the hypervisor connects directly with the hardware, rather than the host OS. Device Guard aims to make application whitelisting more feasible by preventing attackers from gaining administrator rights and changing policies that would allow malicious apps to run on users' devices. It does so by allowing IT to create a code integrity policy, which limits the software that can run on Windows 10. The policy also allows IT to set a list of trusted users who are the only people who can alter the policy. Device Guard also regularly performs code integrity checks to make sure users do not work with any software that they shouldn't. Even if malicious code gets on the device, it does not affect anything protected by Device Guard.

Credential Guard protects users' login information against theft by storing it within VSM. Credential Guard is particularly effective against pass-the-hash attacks, in which a hacker starts an authenticated user session by reusing a stolen password hash instead of the password itself. Within VSM, only the logon service responsible for authentication brokering runs, which keeps user credentials out of reach of the normal OS.


Credential Guard also fights brute-force attacks by storing access tokens in randomized full-length hashes. The randomization and length make a brute-force attack, which is essentially a trial-and-error method of stealing a user's credentials, less effective because it is much harder to land on the right password.

Like Device Guard, Credential Guard keeps credentials safe even if a hacker gets onto a device. It's important to note, however, that Credential Guard does nothing to protect against keyloggers, which are particularly dangerous for credentials because they allow hackers to record a user's every keystroke, including at logon.

To take advantage of Windows 10 virtualization-based security with Device Guard and Credential Guard, IT pros should create a new domain with both tools turned on. They can then build their code integrity policy by installing only the apps they want to allow users to work with on the domain and having Windows identify that list of apps.
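The steps above, as an added PowerShell example that is not part of the original article: it reads the VBS state Windows reports, sets the registry values that turn on virtualization-based security and Credential Guard, then builds an initial code integrity policy from the apps installed on a reference machine. It assumes an administrator session with the built-in ConfigCI module, and the C:\CIPolicy paths are placeholders.

```powershell
# Added example: audit and configure Windows 10 virtualization-based security.
# Run in an elevated PowerShell session on the reference machine.

# 1. Query the VBS state that Windows itself reports (Win32_DeviceGuard).
#    SecurityServicesRunning contains 1 when Credential Guard is running
#    and 2 when hypervisor-enforced code integrity (HVCI) is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

$vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'not enabled' }
    1 { 'enabled but not running' }
    2 { 'running' }
}
Write-Host "VBS: $vbsState"
Write-Host ("Credential Guard running: {0}" -f ($dg.SecurityServicesRunning -contains 1))
Write-Host ("HVCI running:             {0}" -f ($dg.SecurityServicesRunning -contains 2))

# 2. Registry values that turn on VBS and Credential Guard (effective after
#    a reboot; the device needs UEFI, Secure Boot and CPU virtualization
#    extensions for VSM to start).
$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -PropertyType DWord -Force | Out-Null   # 1 = require Secure Boot
New-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value 1 -PropertyType DWord -Force | Out-Null                      # 1 = Credential Guard with UEFI lock

# 3. Build the code integrity policy from the reference machine: scan the
#    installed software and allow it by publisher certificate, falling back
#    to file hashes for unsigned binaries.
$policyDir = 'C:\CIPolicy'                                        # assumed path
New-Item -ItemType Directory -Path $policyDir -Force | Out-Null
$xml = Join-Path $policyDir 'InitialPolicy.xml'
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $xml

# Start in audit mode (rule option 3): binaries outside the policy are only
# logged in the CodeIntegrity event log until the policy has been validated.
Set-RuleOption -FilePath $xml -Option 3
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath (Join-Path $policyDir 'SIPolicy.p7b')
```

Review the CodeIntegrity audit events for a few weeks before removing option 3, since any legitimate app missing from the scan would otherwise be blocked once the policy is enforced.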
