Device Guard: AppLocker on steroids

Presentation transcript:

Device Guard: AppLocker on steroids (9/21/2018)
Raymond Comvalius, IT Infrastructure Architect
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Raymond Comvalius - www.nextxpert.com
- Independent trainer/architect since 1998
- Most Valued Professional (MVP)
- Microsoft Certified Trainer (MCT)
- Author of "Windows 7 for XP Professionals"

Introducing Device Guard
- A combination of hardware and software security features that locks a device down so it only runs trusted applications, by creating code integrity policies.
- Requires Windows 10 Enterprise, Windows 10 Education, Windows Server 2016 or Windows IoT Enterprise.

Device Guard in the Windows Security Stack
Boot and execution layers, from the bottom up, with the feature that protects each layer:
- ROM/Fuses and Bootloaders: Platform Secure Boot (Secure Boot includes Secure Firmware Updates and Platform Secure Boot)
- Native UEFI and Windows OS Loader: UEFI Secure Boot
- Windows Kernel and Drivers, 3rd party drivers: Kernel Mode Code Integrity (KMCI)
- User mode code (apps, etc.): User Mode Code Integrity (UMCI) and AppLocker

Device Guard vs AppLocker
Functionally they look alike, a little bit:

| Device Guard                  | AppLocker                      |
|-------------------------------|--------------------------------|
| User Mode & Kernel Mode       | User Mode                      |
| System-wide                   | User/Group addressable         |
| Admin cannot circumvent       | Admin can circumvent           |
| Admin cannot always disable   | Admin can always disable       |
| Requires specific hardware    | Runs on all Windows hardware   |

UEFI Secure Boot
- Protects against boot kits and boot time attacks
- Protects the boot process and firmware from tampering
- UEFI is locked down
- Hardware requirements: only the firmware requirements as defined in System.Fundamentals.Firmware.UEFISecureBoot

Code Integrity
- Protects against unsigned code and new malware
- Two primary components:
  - Kernel Mode Code Integrity (KMCI): as in previous versions of Windows
  - User Mode Code Integrity (UMCI): new in Windows 10 v1607 and Windows Server 2016
- No security related hardware required
- Catalog Files: use Catalog Files when you have unsigned applications; sign your own applications with the Catalog File

Virtualization Based Security
- Protects against malware with kernel access
- Code Integrity Service runs in a hypervisor-protected container
- Strengthens KMCI and the Code Integrity Policy
- Hypervisor enforces R/W/X permissions on system memory
- Hardware requirements:
  - 64-bit CPU
  - CPU virtualization extensions
  - SLAT (Second Level Address Translation)
  - Add I/O Memory Management Units (IOMMUs) for DMA attack mitigation

Device Guard with Virtualization Based Security
Diagram: Device Hardware at the bottom, the Hyper-V hypervisor above it, and two environments side by side on top of the hypervisor: the Windows Operating System (Kernel, Windows Platform Services, Apps) and the System Container (Device Guard, Trustlet #2, Trustlet #3).

Planning for Device Guard
- Kernel Mode CI is the default
- Code Integrity in User Mode?
- Virtualization Based Security: virtualization and IOMMU, Microsoft Hyper-V hypervisor
- Driver compatibility
- Signing the CI Policy

Deploying Device Guard
- Use the Device Guard and Credential Guard Readiness tool to identify Device Guard "capable" devices
- Use Windows Store for Business to create a default code integrity policy and catalog sign LOB apps
  -- OR --
  Create a policy from "golden" systems and sign apps with Windows Store for Business or an internal PKI
- Optionally, use Managed Installer and AppLocker to balance security and manageability

Recommended blocklist
Some applications and PowerShell files should not run on a Device Guarded system:
- bash.exe
- bginfo.exe (< version 4.22)
- cbd.exe
- csi.exe
- dbghost.exe
- dbgsvc.exe
- dnx.exe
- fsi.exe
- fsianycpu.exe
- kd.exe
- lsxxmanager.dll
- msbuild.exe
- mshta.exe
- ntkd.exe
- ntsd.exe
- rcsi.exe
- system.management.automation.dll
- windbg.exe
Download the CI Policy here

Deploying Device Guard
- Audit Mode: Event Logs provide status information
- Enforce Mode: sign the CI Policy
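The audit-mode status information lives in the CodeIntegrity operational event log. As an added example (not part of the slides), this PowerShell summarises which files would have been blocked (event ID 3076, audit) or were blocked (event ID 3077, enforced); the regex that pulls the file and process path out of the event message is an assumption about the message wording, so the raw message is kept as a fallback.

```powershell
# Added example: summarise Code Integrity policy violations per file.
# Run in an elevated PowerShell on the device under test.
function Get-CIPolicyViolationSummary {
    param([int]$MaxEvents = 5000)

    $filter = @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077   # 3076 = audit (would be blocked), 3077 = enforced block
    }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: message reads "...process (<proc>) attempted to load <file> that did not meet..."
            $file = if ($_.Message -match 'attempted to load (\S+) that') { $Matches[1] } else { $_.Message }
            $proc = if ($_.Message -match 'process \((\S+?)\) attempted')  { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 3076) { 'Audit' } else { 'Enforced' }
                File    = $file
                Process = $proc
            }
        } |
        Group-Object File |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'File';      Expression = { $_.Name } },
            @{ Name = 'Processes'; Expression = { ($_.Group.Process | Sort-Object -Unique) -join ', ' } },
            @{ Name = 'LastSeen';  Expression = { ($_.Group | Measure-Object Time -Maximum).Maximum } }
}

Get-CIPolicyViolationSummary | Format-Table -AutoSize
```

A file that shows up here while in audit mode is either a candidate for the policy (merge it in via the audit scan) or a candidate for the blocklist; a 3077 event after enforcement is the alert a SOC should watch for.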

Deployment Steps
Create initial policy:
1. Run New-CIPolicy to create the initial policy XML
2. Merge with the recommended policy
3. Convert XML to binary
4. Apply the CI Policy
Evaluate policy:
5. Scan the Audit Log to create a new policy
6. Merge with the existing policy

Deployment Steps
Prepare for accidents:
9. Enable option 9 - Advanced Boot Options Menu
10. Enable option 10 - Boot Audit on Failure
Disable Audit Mode:
11. Delete option 3 - Audit Mode Enabled
Finalize:
12. Convert XML to binary format
13. Apply Policy
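The deployment steps above, carried through end to end as an added example (not the presenter's script). It uses the cmdlets of the built-in ConfigCI module; the working folder, the scan root of the "golden" system and the path of the downloaded recommended blocklist XML are assumptions, and the binary policy path is where Windows loads the policy from. Run from an elevated PowerShell; each apply step needs a reboot before the next scan.

```powershell
# Added example: build, audit and enforce a Device Guard code integrity policy.
$work      = 'C:\CIPolicy'                         # assumed working folder
$initial   = "$work\Initial.xml"
$merged    = "$work\Merged.xml"
$auditScan = "$work\AuditScan.xml"
$final     = "$work\Final.xml"
$blocklist = "$work\RecommendedBlocklist.xml"      # assumed: the downloaded recommended blocklist policy
$binary    = "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"   # path Windows loads the binary policy from
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Initial policy from the golden system. FilePublisher is a certificate-based rule level,
#    Hash is the fallback for unsigned binaries, -UserPEs adds user mode (UMCI) rules.
New-CIPolicy -FilePath $initial -Level FilePublisher -Fallback Hash -ScanPath 'C:\' -UserPEs

# 2. Merge with the recommended blocklist; deny rules take precedence over allow rules.
Merge-CIPolicy -PolicyPaths $initial, $blocklist -OutputFilePath $merged

# Keep audit mode (option 3) for the first rollout and prepare for accidents:
# option 9 = Advanced Boot Options Menu, option 10 = Boot Audit on Failure.
Set-RuleOption -FilePath $merged -Option 3
Set-RuleOption -FilePath $merged -Option 9
Set-RuleOption -FilePath $merged -Option 10

# 3-4. Convert to binary and apply (reboot, then run the normal workload for a while).
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $binary

# 5-6. Build a policy from the audit events (ID 3076) and merge it with the existing one.
New-CIPolicy -FilePath $auditScan -Level FilePublisher -Fallback Hash -Audit -UserPEs
Merge-CIPolicy -PolicyPaths $merged, $auditScan -OutputFilePath $final

# 11. Disable audit mode by deleting option 3. Options 9 and 10 are carried over by the merge.
Set-RuleOption -FilePath $final -Option 3 -Delete

# 12-13. Convert the enforced policy to binary and apply it (reboot required).
ConvertFrom-CIPolicy -XmlFilePath $final -BinaryFilePath $binary
```

Signing the final policy (the enforce-mode step on the previous slide) is done on the binary file after the last conversion; once a signed policy is applied, only the holder of the signing key can replace it, so test the unsigned enforced policy first.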

Deployment Steps - Signed Policy
- An applied signed CI policy can only be changed by the owner of the private key of the signing certificate.
- It's like Device Guard on Steroids

AppLocker
- A CI Policy is certificate based: it allows all apps that comply
- Example: allow all apps from the Windows Store, then use AppLocker to filter that

Deploying Device Guard: Demo

Summary
- Device Guard can run on standard hardware
- Hardware features can significantly improve security
- Device Guard is only for highly locked down devices
- What's your strategy in case of compromise?
- AppLocker is way easier to deploy, but covers less
- More information: Device Guard Deployment Guide
