Microsoft added two significant security features for enterprise users in Windows 10, but until recently the company has said relatively little about them.
So far the buzz has mainly been about Windows Hello, which supports face and fingerprint recognition. But Device Guard and Credential Guard are the two standout security features of Windows 10: Device Guard keeps untrusted code from running, including in the kernel, and Credential Guard keeps the domain credentials an attacker needs to move from one compromised machine to the rest of the network out of reach. Both are intended for business systems and are available only in Windows 10 Enterprise and Windows 10 Education.
“Clearly, Microsoft thought a lot about the kind of attacks taking place against enterprise customers and is moving security forward by leaps and bounds,” said Ian Trump, a security lead at LogicNow.
Device Guard relies on Windows 10's virtualization-based security (VBS) to allow only trusted applications to run on devices. Credential Guard protects corporate identities by isolating them in a hardware-backed virtual environment: the secrets that the Local Security Authority derives from a domain logon (NTLM password hashes and Kerberos ticket-granting tickets) are held by an isolated LSA process running in Virtual Secure Mode, where neither user-mode malware nor a compromised kernel in the normal Windows instance can read them. That is what blunts pass-the-hash and pass-the-ticket attacks, which depend on lifting those secrets from LSASS memory; it does not protect local accounts or a password typed into a keylogger, so it narrows, rather than removes, the value of a compromised endpoint. Device Guard's kernel-mode code integrity checks run in the same isolated environment (hypervisor-enforced code integrity), so an attacker who gains kernel privileges in the normal Windows instance still cannot override the rules about which drivers and code may load. The new features rely on the same hypervisor technology already used by Hyper-V, and therefore on 64-bit hardware with virtualization extensions, second-level address translation and UEFI Secure Boot.
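An administrator's first question is whether virtualization-based security and Credential Guard are actually running on a given machine, not just configured. The following script is an added example (not code from the article or from Microsoft) that reads the Win32_DeviceGuard WMI class Windows 10 exposes for exactly that purpose, decodes its numeric status codes, and shows the registry values that Group Policy sets to turn Credential Guard on. The decoded names follow Microsoft's documentation of that class; the helper function names are this example's own.

```powershell
# Added example (not from the article or from Microsoft): query the
# Win32_DeviceGuard WMI class to see whether virtualization-based security
# and Credential Guard are configured and actually running on this host.
# Run from an elevated PowerShell prompt on Windows 10 Enterprise/Education.

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Service codes used by SecurityServicesConfigured / SecurityServicesRunning
    # (per the documented class): 1 = Credential Guard, 2 = hypervisor-enforced code integrity
    $serviceName = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }
    # Platform property codes used by AvailableSecurityProperties / RequiredSecurityProperties
    $propertyName = @{
        1 = 'HypervisorSupport'; 2 = 'SecureBoot'; 3 = 'DmaProtection'
        4 = 'SecureMemoryOverwrite'; 5 = 'UefiCodeReadOnly'; 6 = 'SmmSecurityMitigations'
    }

    [pscustomobject]@{
        VbsStatus          = switch ($dg.VirtualizationBasedSecurityStatus) {
                                 0 { 'Off' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
                             }
        Available          = @($dg.AvailableSecurityProperties | ForEach-Object { $propertyName[[int]$_] })
        Required           = @($dg.RequiredSecurityProperties  | ForEach-Object { $propertyName[[int]$_] })
        ServicesConfigured = @($dg.SecurityServicesConfigured  | ForEach-Object { $serviceName[[int]$_] })
        ServicesRunning    = @($dg.SecurityServicesRunning     | ForEach-Object { $serviceName[[int]$_] })
    }
}

function Enable-CredentialGuard {
    # Writes the same registry values the "Turn On Virtualization Based Security"
    # Group Policy sets. A reboot is required, and the hardware must offer
    # Secure Boot and a hypervisor-capable 64-bit CPU or VBS will not start.
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey | Out-Null }

    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    # 1 = require Secure Boot only; 3 = require Secure Boot and DMA protection (IOMMU)
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock.
    # Use the lock in production: an attacker with remote admin rights
    # should not be able to switch Credential Guard off with a registry write.
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value 1 -Type DWord
}

$status = Get-VbsStatus
$status | Format-List
if ($status.ServicesRunning -notcontains 'CredentialGuard') {
    Write-Warning 'Credential Guard is not running on this host; VBS status: ' + $status.VbsStatus
}
```

The distinction between ServicesConfigured and ServicesRunning is the one to watch: a policy can be applied while the machine lacks Secure Boot or SLAT, in which case the credentials still sit in ordinary LSASS memory and the configuration gives a false sense of safety.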
Using hardware-based virtualization to extend whitelisting and protect credentials was a “brilliant move” by Microsoft, said Chester Wisniewski, senior security strategist for Sophos Canada, an antivirus company.
Apps on lockdown
Device Guard relies on both hardware and software to lock down the machine so that it can run only trusted applications. An application runs only if its code carries a valid cryptographic signature that the organization's code integrity policy trusts: one chained to a specific software vendor's certificate, or Microsoft's if the application comes from the Windows Store.
Although there have been reports of malware writers stealing certificates to sign malware, the significant majority of malware is unsigned. Because Device Guard refuses to run code without a signature it trusts, it blocks that unsigned majority outright. The caveat is the flip side of the same rule: malware signed with a stolen or mis-issued certificate from a trusted signer will pass, so the set of trusted signers should be kept as narrow as the business allows, and a certificate known to be compromised should be explicitly denied in the policy rather than left to rely on revocation checks the kernel does not perform.
“It is a great way to protect against zero-day attacks that make it by antimalware defenses,” Trump said.
While this approach is similar to what Apple does with its App Store, there's a twist: Microsoft recognizes that enterprises need a wide array of applications. A business can sign its own software, and software it already trusts (custom applications it bought, for example), without having to change the code: the organization's own code-signing certificate is added to the policy as a trusted signer, and for binaries nobody signed, a signed catalog file listing their hashes stands in for a signature. In this way, organizations maintain a list of trusted applications that does not depend on whether the developer obtained a signature from Microsoft.
This puts organizations in control of which sources Device Guard considers trustworthy. Microsoft provides tools (the ConfigCI PowerShell cmdlets and Package Inspector) that make it straightforward to catalog-sign Universal or even classic Win32 apps that the software vendor never signed. Clearly, Microsoft is looking for middle ground between a total lockdown and keeping everything open, enabling organizations to “have their cake and eat it, too,” Wisniewski said.
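The workflow the preceding paragraphs describe, as an added example that is not code from the article or from Microsoft: scan a clean reference machine to build a code integrity policy, trust the organization's own code-signing certificate, catalog-sign an unsigned line-of-business application with Package Inspector, and deploy the policy in audit mode before enforcing it. The cmdlets, tools, rule option number, event ID and catroot path are Microsoft's; every file name, directory and the certificate name "Contoso Code Signing" are assumptions made for illustration.

```powershell
# Added example (not from the article or from Microsoft): build and deploy a
# Device Guard code integrity policy. Run in an elevated PowerShell prompt on
# a clean Windows 10 Enterprise reference machine. Paths below are assumed.

$PolicyXml = 'C:\CIPolicy\DeviceGuardPolicy.xml'
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'
$OrgSigner = 'C:\CIPolicy\ContosoCodeSigning.cer'   # assumed: public cert of the org's code-signing CA
$LobAppDir = 'C:\Program Files\LobApp'              # assumed: an app the vendor never signed
$CatRoot   = 'C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'

New-Item -ItemType Directory -Path 'C:\CIPolicy' -Force | Out-Null

# 1. Scan the reference machine. -Level Publisher trusts binaries by the
#    signer's publisher certificate rather than by per-file hash, so vendor
#    updates keep running; -Fallback Hash covers anything unsigned it finds.
#    -UserPEs includes user-mode applications, not only drivers.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $PolicyXml -ScanPath 'C:\' -UserPEs

# 2. Trust the organization's own code-signing certificate for user-mode code,
#    so apps the business signs itself (and catalogs it signs) are allowed.
Add-SignerRule -FilePath $PolicyXml -CertificatePath $OrgSigner -User

# 3. Catalog-sign an app nobody signed. Package Inspector records every file
#    the app writes while it is installed and run, then emits a catalog of
#    their hashes; signing that catalog stands in for signing the binaries.
& PackageInspector.exe Start C:
Start-Process -FilePath "$LobAppDir\setup.exe" -Wait
& PackageInspector.exe Stop C: -Name 'C:\CIPolicy\LobApp.cat' -cdfPath 'C:\CIPolicy\LobApp.cdf'
& signtool.exe sign /n 'Contoso Code Signing' /fd sha256 /v 'C:\CIPolicy\LobApp.cat'   # signtool from the Windows SDK
Copy-Item 'C:\CIPolicy\LobApp.cat' $CatRoot

# 4. Audit first: rule option 3 is "Enabled:Audit Mode". Code the policy would
#    block is logged (event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational)
#    instead of denied, so gaps show up before anyone is locked out.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 5. Compile to the binary form the kernel loads, place it, and reboot to apply.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# After a period in audit mode, review what would have been blocked. When the
# log is clean, remove option 3 (Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete),
# recompile, redeploy, and the same events appear as ID 3077 (enforced block).
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message
```

Scanning the whole system drive takes a long time on a full build; the payoff is a policy that already knows the OS and the standard image, so the audit log afterwards shows only the applications the scan missed, which is the list the business actually needs to decide about.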