
Microsoft Device Guard tackles Windows 10 malware

A new Microsoft security feature takes aim at Windows 10 malware. Expert Michael Cobb explains what enterprises should know about Device Guard.

The endpoint is once again at the center of the information security war. Malware infections are a daily occurrence and tie up vital resources as security teams battle to keep networks safe from malicious code. Windows 10 Enterprise introduces various security innovations, such as Windows Hello biometric authentication and Microsoft Passport, which now fully supports the FIDO (Fast Identity Online) Alliance standards. The key security control for preventing malicious code from permanently compromising Windows 10 devices, however, is Microsoft Device Guard, which enforces code integrity from the kernel outward so that only trusted code can run. Windows security professionals should understand how this technology works and where enterprises can best deploy it to defend against Windows 10 malware and today's cyberattacks.

Application whitelisting follows a trust-centric model, only permitting applications that have been explicitly allowed to execute. On single-use devices, which only need to run a limited number of known programs, it's an effective security control against malware and poor user behavior, providing protection against zero-day attacks, polymorphic viruses and unknown malware variants. However, it's never been easy to apply application whitelisting on an enterprise scale due to the number of applications, versions and patches that need to be managed. Microsoft aims to change that with Device Guard by making enterprise-wide whitelists easier to administer and enforce, and by locking users' devices down so they can only run trusted applications.

Microsoft Device Guard combines hardware and software security features to restrict the Windows 10 Enterprise operating system to running only code signed by trusted parties, as defined in the enterprise's code integrity policy. In-house and third-party applications that were never signed by their developer can be covered without repackaging: the enterprise generates a signed catalog file for them, using its own PKI or Microsoft's signing service, so the files chain up to a signer the policy trusts. Only an updated policy signed by a trusted signer can change a device's application control policy, a big improvement over AppLocker, whose rules can be altered or disabled by anyone with administrative privileges.

Device Guard relies on the processor's virtualization extensions, with the IOMMU (input/output memory management unit) in the chipset guarding against direct memory access (DMA) attacks, to isolate itself from the rest of Windows. This virtualization-based security (VBS) runs in a Hyper-V component called Virtual Secure Mode (VSM), a protected environment that sits directly on the hypervisor and is separated from the Windows 10 kernel. When a device starts, Unified Extensible Firmware Interface (UEFI) Secure Boot verifies the signature of each boot component before running it, so an unsigned boot kit is never loaded. Next, the hypervisor and the VBS services start, isolating core Windows services that are critical to the security and integrity of the operating system. This isolation protects the kernel, privileged drivers and system defenses such as antimalware programs by preventing unsigned code from running early in the boot process or in the kernel after startup. The trusted platform module (TPM), an isolated hardware component that protects sensitive data such as keys, credentials and certificates, records measurements of each stage of the boot chain. That measured-boot evidence can be used to validate the integrity of a device before allowing it to connect to a network, which Windows 10 exposes as device health attestation.

With VBS enabled, Device Guard's code integrity checks run inside VSM, a minimal environment isolated from the Windows kernel and the rest of the operating system, so they cannot be tampered with by software running in the normal kernel. Device Guard is more than an updated version of kernel-mode code signing: it also provides user-mode code integrity (UMCI), which requires anything that runs in user mode, whether a service, a Universal Windows Platform app or a classic Win32 application, to be signed and trusted. Even malware that gains full system privileges cannot reach the VSM container or switch off the code-signing checks to execute a further unsigned payload, which makes it far harder for an attacker to run malware or install code that persists across a reboot and permanently compromises a device as part of an advanced persistent threat.

Microsoft Device Guard doesn't mean the end of Windows 10 malware, but it raises the competency barrier for hackers looking to install malicious code. Although digitally signed applications have been around for a long time, this is the first time administrators can easily manage them to ensure the integrity of enterprise devices and enforce their own comprehensive trust model. Only applications authorized by the enterprise will be trusted, as opposed to those that an antivirus program passes as clean, though both controls will still need to be deployed: Device Guard to block unsigned executables and, because an enforced UMCI policy also drops Windows PowerShell into Constrained Language mode, much script-based malware; and AV to cover attack vectors that Device Guard can't, such as code generated at run time by JIT compilers, macros within Office documents and other content interpreted by an already-trusted application.

Credential Guard

According to Microsoft, about 80% to 90% of data breaches involve credential theft, with attackers using stolen domain and user credentials to move around a network and access other computers. A big problem with NT LAN Manager (NTLM) authentication, the challenge-response protocol still present in most Windows environments, is that an attacker doesn't need a user's plaintext password to authenticate to a remote server or service; the NT hash of the password will do. Malware running with sufficient privileges can read hashes and Kerberos tickets from the memory of the Local Security Authority Subsystem Service (lsass.exe) after a user logs in and reuse them to impersonate that user. These are the "pass the hash" and "pass the ticket" attacks, depending on which credentials are targeted. Kerberos, the preferred protocol in a domain, addresses some of NTLM's weaknesses, but Kerberos tickets cached in memory can be stolen and replayed in the same way, so switching protocols is no defense on its own.

To prevent these types of attack, which have featured in many high-profile data breaches including the Office of Personnel Management breach, Windows 10 Enterprise uses a new feature called Credential Guard to move the credential store into VSM. The part of the Local Security Authority that holds secrets runs as a separate isolated process (LsaIso.exe) with only enough capability to broker authentication; the ordinary LSA process asks it to perform operations with the credentials rather than holding them itself, so NTLM hashes, Kerberos ticket-granting tickets and domain credentials saved by applications never sit in lsass.exe memory. Microsoft also states that the stored secrets are kept as fully randomized, full-length hashes to avoid brute-force attacks. Because it uses the same hardware and virtualization-based security as Device Guard, even malicious code that gains full system privileges cannot read the data held by Credential Guard. The caveat is that an attacker who already has SYSTEM on the machine can still ask the isolated LSA to authenticate on the logged-in user's behalf for as long as the session lasts; what Credential Guard stops is the secrets being copied off the device and reused elsewhere.
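As an added example, not from the article: enabling VBS and Credential Guard on a single machine through the registry values that the corresponding Group Policy setting ("Turn On Virtualization Based Security") writes, followed by a function to confirm after the reboot that the isolated LSA is actually running. The key paths and values are Microsoft's documented ones; the function name Test-CredentialGuard and the choice of the UEFI-lock setting are this example's own.

```powershell
# Added example (not from the article): enable VBS + Credential Guard via the registry and verify.
# Run in an elevated PowerShell session on a domain-joined Windows 10 Enterprise device.

$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

New-Item -Path $dgKey -Force | Out-Null
Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
# RequirePlatformSecurityFeatures: 1 = require Secure Boot, 3 = require Secure Boot and DMA (IOMMU) protection
Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 3 -Type DWord

# LsaCfgFlags: 1 = Credential Guard on with UEFI lock, 2 = on without lock, 0 = off.
# Assumption for this example: the pilot has finished, so the lock is acceptable.
Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value 1 -Type DWord

Write-Output 'Settings written; a reboot is required before Credential Guard starts.'

function Test-CredentialGuard {
    # Win32_DeviceGuard reports what VBS actually started, not what the registry asked for.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = hypervisor-enforced code integrity
    $credGuardRunning = $dg.SecurityServicesRunning -contains 1

    # The isolated LSA lives in LsaIso.exe, separate from lsass.exe; its absence means the
    # secrets are still being handled the old way even if the registry values are set.
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsRunning             = ([int]$dg.VirtualizationBasedSecurityStatus -eq 2)   # 0 off, 1 enabled not running, 2 running
        CredentialGuardRunning = $credGuardRunning
        LsaIsoProcessPresent   = [bool]$lsaIso
    }
}

# After the reboot:
Test-CredentialGuard
```

Choose the UEFI lock (LsaCfgFlags = 1) only after piloting: it also writes a UEFI variable, so the setting cannot be reverted by a remote registry change and clearing it needs a physical-presence confirmation at the console. If Test-CredentialGuard shows VbsRunning true but CredentialGuardRunning false, the usual causes are an unmet platform requirement (Secure Boot or IOMMU, when RequirePlatformSecurityFeatures demands them) or a reboot that has not happened yet.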

Enterprises will have to invest in hardware and software to take advantage of many of Windows 10 Enterprise's new security features. Microsoft Device Guard and Credential Guard, for example, have the following requirements:

• UEFI 2.3.1 or greater, booting in native UEFI mode rather than legacy BIOS or compatibility mode

• Processor virtualization extensions (Intel VT-x or AMD-V) with second-level address translation, to run the Hyper-V hypervisor

• 64-bit version of Windows 10 Enterprise

• IOMMU (Intel VT-d or AMD-Vi), for protection against DMA attacks

• TPM chip version 2.0

• Secure Boot
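The boot chain described earlier and the requirements above can be verified on a candidate device before a rollout. The readiness check below is an added example, not code from the article or from Microsoft; it uses the Secure Boot, TPM and DeviceGuard WMI interfaces that ship with Windows 10, and the numeric codes in its lookup tables are the documented values for the Win32_DeviceGuard class. The function name Get-DeviceGuardReadiness is this example's own.

```powershell
# Added example (not from the article): Device Guard / Credential Guard readiness report.
# Run in an elevated PowerShell session on the device being assessed.

function Get-DeviceGuardReadiness {
    $report = [ordered]@{}

    # 64-bit Windows 10 Enterprise
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $report['64-bit OS']          = ($os.OSArchitecture -eq '64-bit')
    $report['Enterprise edition'] = ($os.Caption -match 'Enterprise')

    # Native UEFI boot; Windows sets $env:firmware_type to 'UEFI' or 'Legacy'
    $report['UEFI firmware'] = ($env:firmware_type -eq 'UEFI')

    # Secure Boot state. The cmdlet throws on legacy BIOS machines, so treat that as "off".
    try   { $report['Secure Boot on'] = [bool](Confirm-SecureBootUEFI) }
    catch { $report['Secure Boot on'] = $false }

    # TPM presence, readiness and spec version (Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16")
    $tpm = Get-Tpm
    $report['TPM present and ready'] = ($tpm.TpmPresent -and $tpm.TpmReady)
    $tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $report['TPM 2.0'] = ($null -ne $tpmInfo -and $tpmInfo.SpecVersion -like '2.0*')

    # Platform features the firmware and CPU expose, per the DeviceGuard WMI class.
    # AvailableSecurityProperties codes (documented): 1 hypervisor support, 2 Secure Boot,
    # 3 DMA protection (IOMMU), 4 secure memory overwrite, 5 UEFI NX protection, 6 SMM mitigations
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $propNames = [ordered]@{
        1 = 'Hypervisor support (VT-x/AMD-V with SLAT)'
        2 = 'Secure Boot reported to VBS'
        3 = 'DMA protection (IOMMU: VT-d/AMD-Vi)'
        4 = 'Secure memory overwrite'
        5 = 'UEFI NX protection'
        6 = 'SMM mitigations'
    }
    foreach ($code in $propNames.Keys) {
        $report[$propNames[$code]] = ($dg.AvailableSecurityProperties -contains $code)
    }

    # What is configured and running right now
    $vbsState = @{ 0 = 'disabled'; 1 = 'enabled, not running'; 2 = 'enabled and running' }
    $report['VBS status']               = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    $report['Credential Guard running'] = ($dg.SecurityServicesRunning -contains 1)
    $report['HVCI running']             = ($dg.SecurityServicesRunning -contains 2)

    $report
}

Get-DeviceGuardReadiness | Format-Table -AutoSize
```

A device is "Device Guard-ready" in the sense used below only when every prerequisite row is true; a false in the DMA protection row on otherwise capable hardware usually means VT-d/AMD-Vi is present but switched off in firmware setup.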

Hardware vendors already producing Device Guard-capable or Device Guard-ready devices include HP, Acer, Lenovo and Toshiba, but they are not the lightweight, low-cost consumer models. Device Guard-ready means the device ships with the required IOMMU hardware, kernel drivers that are compatible with hypervisor-enforced code integrity (a driver that allocates memory that is both writable and executable will fail to load once HVCI is on) and the feature enabled; a Device Guard-capable device has only the IOMMU hardware present and leaves driver updates and configuration to the system administrator. Another requirement is that domain controllers run Windows Server 2016.

Deploying Microsoft Device Guard

The best approach for enterprises wanting to take advantage of Windows 10 Enterprise's new security controls is to create a new domain with Device Guard, Credential Guard and the other features turned on for those users whose devices meet the hardware requirements. Microsoft provides various options for creating a code integrity policy, including scanning a clean reference system to build a list of all installed applications. By default, policies are created with audit mode enabled, which means the policy isn't enforced; instead, every file that would have been blocked is recorded in the Microsoft-Windows-CodeIntegrity/Operational event log. This lets administrators find and fix gaps in the policy, such as an unsigned line-of-business tool, before enforcing it. Machines and legacy systems that can't be upgraded can be left in the existing domain, where the security team can focus on protecting privileged accounts and deploying malware detection and containment solutions.
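As an added example of the audit-then-enforce workflow just described, not code from the article: building a code integrity policy from a reference machine with the ConfigCI cmdlets, reviewing what audit mode logged, folding those findings in, and then enforcing and signing the policy. The C:\CIPolicy working directory, the "CI Policy Signer" certificate, the function name Get-CIAuditFindings and the PcaCertificate rule level are assumptions made for the example.

```powershell
# Added example (not from the article): code integrity policy lifecycle with the ConfigCI cmdlets.
# Run elevated on a clean, fully patched reference build of the standard corporate image.

$work = 'C:\CIPolicy'                      # assumed working directory
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Scan the reference system. -Level PcaCertificate trusts files by the CA that issued the
#    signing certificate; unsigned files fall back to per-file hashes (-Fallback Hash).
#    -UserPEs is what extends the policy from kernel drivers to user-mode binaries.
New-CIPolicy -FilePath "$work\InitialScan.xml" -Level PcaCertificate -Fallback Hash `
             -UserPEs -ScanPath 'C:\' -Verbose

# New-CIPolicy leaves rule option 3 ("Enabled:Audit Mode") set, so nothing is blocked yet.
ConvertFrom-CIPolicy -XmlFilePath "$work\InitialScan.xml" -BinaryFilePath "$work\SIPolicy.bin"
Copy-Item "$work\SIPolicy.bin" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
# Reboot, run the normal workload for a representative period, then continue below.

# 2. Review the audit log. Event 3076 is logged in audit mode for each file the policy would
#    have blocked; 3077 is the enforced-mode block. Pull the \Device\... paths out of the messages.
function Get-CIAuditFindings {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        foreach ($m in [regex]::Matches($e.Message, '\\Device\\\S+')) { $m.Value.TrimEnd('.,') }
    }
}
Get-CIAuditFindings | Sort-Object -Unique

# 3. Generate rules for the audited files, merge them in, then switch to enforcement.
New-CIPolicy -FilePath "$work\AuditFindings.xml" -Level PcaCertificate -Fallback Hash -UserPEs -Audit
Merge-CIPolicy -PolicyPaths "$work\InitialScan.xml", "$work\AuditFindings.xml" -OutputFilePath "$work\Merged.xml"
Set-RuleOption -FilePath "$work\Merged.xml" -Option 3 -Delete     # remove "Enabled:Audit Mode"

# 4. Sign the policy so that only a policy signed by this certificate can replace it
#    (the gap an administrator could exploit with AppLocker). The signer must be added to
#    the policy first; signtool.exe comes from the Windows SDK.
Add-SignerRule -FilePath "$work\Merged.xml" -CertificatePath "$work\CIPolicySigner.cer" -Update -User -Kernel
ConvertFrom-CIPolicy -XmlFilePath "$work\Merged.xml" -BinaryFilePath "$work\SIPolicy.bin"
& signtool.exe sign /v /n 'CI Policy Signer' /p7 $work /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 "$work\SIPolicy.bin"

# signtool writes SIPolicy.bin.p7; that is the file Windows loads on the next boot.
Copy-Item "$work\SIPolicy.bin.p7" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
```

Deploy the unsigned, enforced policy to a pilot group before signing it: once a signed policy is active, Windows accepts only a replacement signed by one of the signers listed in the policy, so a mistake cannot be undone by simply deleting SIPolicy.p7b. Keep the signing certificate's private key off the endpoints and off the build machine, since whoever holds it can rewrite the trust model of every device.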

The combination of Device Guard and Credential Guard, along with Microsoft Passport and Windows Hello, will certainly reduce the success rate of many common attack techniques and will go a long way toward locking down a Windows environment, but to use them effectively requires not only the right hardware, but staff training as well. SANS has long maintained that one of the primary causes of computer security vulnerabilities is "assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job." Windows 10 security features are different, so build in time for IT teams to learn how best to use and deploy them.

The success of Device Guard in stopping malware infections will depend on the robustness of hypervisor-based security, which is still somewhat unknown. Device Guard may run in its own tightly controlled secure execution environment, but "secure execution environments" have been defeated in the past, and despite blocking pass-the-hash attacks, Credential Guard doesn't provide protection against key loggers. Also, enterprises will be reliant on the quality of the vetting process for applications submitted to the Windows Store, while enterprises and software vendors alike will need to heavily guard signing certificates, otherwise the entire trust model breaks down.

This level of security does come at a price and the cost of upgrading legacy hardware and older operating systems is likely to slow down widespread adoption. However, with new European rules on data protection introducing fines of up to 4% of global annual turnover, enterprises may well decide it's a price worth paying to ensure the integrity of their systems.
