A Fast Track into Device Guard

Presentation transcript:

A Fast Track into Device Guard
Microsoft 2016, THR1062
Raymond Comvalius – @NEXTXPERT, IT Infrastructure Architect/MVP
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

About Me
Raymond Comvalius - www.nextxpert.com
- Independent trainer/architect since 1998
- Most Valued Professional (MVP)
- Microsoft Certified Trainer (MCT)
- Author of “Windows 7 for XP Professionals”

Introducing Device Guard
- Combination of hardware and software security features to lock a device down and only run trusted applications by creating code integrity policies.
- Requires Windows 10 Enterprise, Windows 10 Education, Windows Server 2016 or Windows IoT Enterprise.

Device Guard Overview
- Code Integrity
- Virtualization-based Security
- Secure Boot

Code Integrity
- Protects against unsigned code and new malware
- Two primary components:
  - Kernel Mode Code Integrity (KMCI): as in previous versions of Windows
  - User Mode Code Integrity (UMCI): new in Windows 10 v1607 and Windows Server 2016
- No security related hardware required
- Catalog Files
  - Use Catalog Files when you have unsigned applications
  - Sign your own applications with the Catalog File

Virtualization Based Security
- Protects against malware with kernel access
- Code Integrity Service in hypervisor-protected container
- Strengthens KMCI and Code Integrity Policy
- Hypervisor enforces R/W/X permissions on system memory
- Hardware requirements
  - 64-bit CPU
  - CPU virtualization extensions
  - SLAT (Second Level Address Translation)
  - Add I/O Memory Management Units (IOMMUs) for DMA attack mitigation

Device Guard with VBS
[Diagram labels: Windows Operating System (Kernel, Windows Platform Services, Apps); System Container (DEVICE GUARD, Trustlet #2, Trustlet #3); Hypervisor (Hyper-V); Device Hardware]

UEFI Secure Boot
- Protects against boot kits and boot time attacks
- Protects the boot process and firmware from tampering
- UEFI is locked down
- Hardware requirements: only firmware requirements as defined in System.Fundamentals.Firmware.UEFISecureBoot

Planning for Device Guard
- Configurable CI works on any Windows 10 PC
- Choose the right policy options based on scenarios/machine configurations and maturity of IT
- Policy management can be complicated by the diversity of hardware and software
- VBS and HVCI have specific hardware requirements
  - Virtualization and IOMMU
  - Microsoft Hyper-V hypervisor
  - Driver compatibility!
- New or existing systems?
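
An added example, not part of the presentation: the hardware-backed features named in the slides (hypervisor support, Secure Boot, IOMMU-based DMA protection) and the current VBS and code integrity state can be read from the Win32_DeviceGuard CIM class. The function name Get-DeviceGuardReadiness and the sample object are constructed for illustration.

```powershell
# Added example: summarize Device Guard state from the Win32_DeviceGuard CIM class.
# Get-DeviceGuardReadiness is a hypothetical helper name, not a built-in cmdlet.
function Get-DeviceGuardReadiness {
    param(
        # Defaults to the local machine; pass a constructed object to test offline.
        $DeviceGuard = (Get-CimInstance -ClassName Win32_DeviceGuard `
                -Namespace 'root\Microsoft\Windows\DeviceGuard')
    )
    $vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $ciStates  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    # CIM returns UInt32 values; cast to [int] so the hashtable keys match.
    $lookup = {
        param($table, $value)
        if ($null -eq $value) { 'Not reported' } else { $table[[int]$value] }
    }
    $available = @($DeviceGuard.AvailableSecurityProperties)
    $running   = @($DeviceGuard.SecurityServicesRunning)

    [pscustomobject]@{
        HypervisorSupport = $available -contains 1   # needed for VBS
        SecureBoot        = $available -contains 2
        DmaProtection     = $available -contains 3   # IOMMU, mitigates DMA attacks
        VbsStatus         = & $lookup $vbsStates $DeviceGuard.VirtualizationBasedSecurityStatus
        HvciRunning       = $running -contains 2     # VBS protection of KMCI
        CodeIntegrity     = & $lookup $ciStates $DeviceGuard.CodeIntegrityPolicyEnforcementStatus
        UserModeCI        = & $lookup $ciStates $DeviceGuard.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

# Constructed sample: capable hardware, VBS running, policy still in audit mode.
$sample = [pscustomobject]@{
    AvailableSecurityProperties                  = @(1, 2, 3)
    SecurityServicesRunning                      = @(2)
    VirtualizationBasedSecurityStatus            = 2
    CodeIntegrityPolicyEnforcementStatus         = 1
    UsermodeCodeIntegrityPolicyEnforcementStatus = 1
}
Get-DeviceGuardReadiness -DeviceGuard $sample
```

Called without arguments on a Windows 10 or Windows Server 2016 machine, the function reports the local device instead of the sample.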

Device Guard Scenarios and Recommendations: Fixed workloads
- Tightly managed
- Very well-defined software and hardware configurations
- Low churn
- No user or standard user only
- Turn on VBS protection of Kernel Mode Code Integrity
- Deploy configurable code integrity policy with both kernel and user mode generated from “golden” system(s)

Device Guard Scenarios and Recommendations: Fully managed
- Tightly managed
- Well-defined hardware configurations
- Managed software only
- Ideally standard user only
- Turn on VBS protection of Kernel Mode Code Integrity
- Deploy configurable code integrity policy with both kernel and user mode created from “golden” system(s) or based on DGSP default policy
- Optionally, use Managed Installer to simplify policy management

Device Guard Scenarios and Recommendations: Lightly managed
- Multiple and varied hardware configurations
- User can install “unmanaged” software
- Standard or Admin users
- Turn on VBS protection of Kernel Mode Code Integrity
- Deploy configurable code integrity in audit mode OR KMCI enforced only
- Optionally, use Managed Installer to simplify policy management
- Optionally, use AppLocker to increase assurance of “unmanaged” software

Device Guard Scenarios and Recommendations: BYOD
- Personally owned devices
- Highly-variable hardware and software
- Device Guard not appropriate

Deploying Device Guard
- Buy Device Guard “ready” machines from OEMs -- OR -- use Device Guard and Credential Guard Readiness tool to identify Device Guard “capable” devices
- Use Windows Store for Business to create default code integrity policy and catalog sign LOB apps
- Create policy from “golden” systems and sign apps with Windows Store for Business or internal PKI
- Optionally, use Managed Installer and AppLocker to balance security and manageability
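
An added example, not part of the presentation: one way to create a policy from a “golden” system and stage it in audit mode before enforcing, using the ConfigCI cmdlets that ship with Windows 10 Enterprise. The function names and the C:\DGPolicy working folder are assumptions for illustration.

```powershell
# Added example: build a code integrity policy from a "golden" system and stage it
# in audit mode. Run elevated on the reference machine; paths are assumptions.
function New-GoldenAuditPolicy {
    param(
        [string]$ScanPath = 'C:\',
        [string]$WorkDir  = 'C:\DGPolicy'   # hypothetical working folder
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $xml = Join-Path $WorkDir 'GoldenPolicy.xml'
    $bin = Join-Path $WorkDir 'SIPolicy.p7b'

    # Trust by issuing CA certificate, fall back to file hash for unsigned binaries.
    # -UserPEs includes user mode code (UMCI) in the scan, not only kernel drivers.
    New-CIPolicy -Level PcaCertificate -Fallback Hash -UserPEs `
        -ScanPath $ScanPath -FilePath $xml

    # Rule option 3 = "Enabled:Audit Mode": violations are logged, nothing is blocked.
    Set-RuleOption -FilePath $xml -Option 3

    # Convert to the binary form that Windows loads, then deploy it, for example to
    # C:\Windows\System32\CodeIntegrity\SIPolicy.p7b or through Group Policy.
    ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin | Out-Null
    $bin
}

# After a pilot period, list what enforcement would have blocked (event ID 3076).
function Get-AuditBlockEvent {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# When the audit log is clean, remove audit mode and redeploy to enforce:
# Set-RuleOption -FilePath C:\DGPolicy\GoldenPolicy.xml -Option 3 -Delete
```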

Summary
- Device Guard can run on standard hardware
- Hardware features can significantly improve security
- Only enforce on highly locked down devices
- What’s the strategy in case of compromise?
- More information: Device Guard Deployment Guide
