Under the hood, Device Guard is more than another whitelisting mechanism. It handles whitelisting in a way that is actually effective because the information is protected by the virtual machine. That is, malware or an attacker with administrator privileges cannot tamper with the policy checks.
Device Guard isolates Windows services that verify whether drivers and kernel-level code are legitimate in a virtual container. Even if malware infects the machine, it cannot access that container to bypass the checks and execute a malicious payload. Device Guard goes beyond the older AppLocker feature, which could be accessed by attackers with administrative privileges. Only an updated policy signed by a trusted signer can change the app control policy that has been set on the device.
“It’s exciting for Windows to put this right in the box,” said Trump. “It may become a corporate standard.”
Credential Guard may not be as exciting as Device Guard, but it addresses an important facet of enterprise security: It stores domain credentials within a virtual container, away from the kernel and user mode operating system. This way, even if the machine is compromised, the credentials are not available to the attacker.
Advanced persistent attacks rely on the ability to steal domain and user credentials to move around the network and access other computers. Typically, when users log into a computer, their hashed credentials are stored in the operating system’s memory. Previous versions of Windows stored credentials in the Local Security Authority, and the operating system accessed the information using remote procedure calls. Malware or attackers lurking on the network were able to steal these hashed credentials and use them in pass-the-hash attacks.
By isolating those credentials in a virtual container, Credential Guard prevents attackers from stealing the hash, restricting their ability to move around the network. The combination of Device Guard and Credential Guard could go a long way toward locking down an environment and stopping APT attacks.
“Microsoft’s Implementation may not be as easy as some vendors, and Microsoft may not have a fancy dashboard, but to include security features like these [Credential Guard, Device Guard, Microsoft Hello two-factor authentication, and BitLocker] you have an operating system worthy of the title ‘Enterprise’ and a very hard target to hack," Trump said.
Not for everyone
Exciting features aren’t enough to spur adoption. While Windows 10 will make inroads in the enterprise, the hardware requirements and infrastructure changes will delay widespread adoption of Device Guard and Credential Guard for at least four or five years, Wisniewski predicted.
The hardware requirements are hefty. To enable Device Guard and Credential Guard, the machines need Secure Boot, support for 64-bit virtualization, Unified Extensible Firmware Interface (UEFI) firmware, and the Trusted Platform Module (TPM) chip. Only enterprise hardware, not consumer PCs, includes such features. For example, business laptops such as Lenovo ThinkPad and Dell Latitude models typically have these specs, but consumer models such as the Lenovo Yoga 3 Pro do not. The hypervisor-level protections are available only if the machine has a processor with virtualization extensions, such as Intel VT-x and AMD-V.
Sign up for Computerworld eNewsletters.