Drop the hammer down on malware threats with Windows 10’s Device Guard

Presentation transcript:

Drop the hammer down on malware threats with Windows 10's Device Guard
Microsoft Ignite 2016, session BRK2129
Scott Anderson, Program Manager – OS Security
11/11/2018 4:22 PM © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

The malware threat
- Median number of days attackers are present on a victim's network before detection: 200+
- Days after detection to full recovery: 80
- Impact of lost productivity and growth: $3 trillion
- Average cost of a data breach (15% YoY increase): $3.5 million
"There are two kinds of companies, those who've been hacked, and those who don't know they've been hacked." – James Comey, FBI Director

Device Guard: achieving PC lockdown for enterprise
- Enterprise-grade application whitelisting
- Virtualization-based security protections
- Hardware and UEFI BIOS lockdown
- Device Guard "ready" and Device Guard "capable" options from OEMs

Code Integrity

Whitelisting is a top security recommendation
Australian Signals Directorate top 4 Strategies to Mitigate Targeted Cyber Intrusions:
1. Application whitelisting
2. Application patching
3. Operating system patching
4. Minimise administrative privileges
"ASD TOP 4 PREVENTS OVER 85% OF INTRUSIONS"
"Application Whitelisting is the most effective strategy in the Australian Signals Directorate's (ASD) Strategies to Mitigate Targeted Cyber Intrusions"

Ensuring the integrity of Windows
Secure Boot includes Secure Firmware Updates and Platform Secure Boot. The boot chain, with the integrity mechanism that covers each layer:
- ROM/Fuses: Platform Secure Boot
- Bootloaders, native UEFI: UEFI Secure Boot
- Windows OS Loader, Windows kernel and drivers, 3rd-party drivers: Kernel Mode Code Integrity (KMCI)
- User mode code (apps, etc.): User Mode Code Integrity (UMCI) and AppLocker
Device Guard's configurable code integrity spans both KMCI and UMCI.

But whitelisting is hard...
- IT code signing is not pervasive, although it is the best option for strong app identity and integrity validation
  - Decentralized LOB app development
  - Lack of code signing expertise
- Enterprises don't want to (and shouldn't) blindly trust all software from an ISV, even if signed
- Too darned many existing LOB apps

Getting apps into the circle of trust: adopting code signing
- Make code signing part of the LOB app development process, or of the app deployment workflows
- Create catalogs for "legacy" and ISV apps with Windows 10's Package Inspector tool
  - No need to repackage/rebuild apps
  - Easily deployed with SCCM
- Device Guard signing in the Windows Store for Business
  - Download the default Device Guard configurable CI policy
  - Catalog signing with enterprise-specific, unique keys
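The workflow behind this slide, as an added PowerShell example (it is not code from the session or from Microsoft): scan a "golden" reference machine into a configurable CI policy that starts in audit mode, then catalog an unsigned legacy LOB app with Package Inspector so it can be trusted without a rebuild. The directory C:\DGPolicy, the installer path, the certificate subject "Contoso Code Signing" and the catalog names are assumptions; the cmdlets, PackageInspector.exe switches, rule option number and system folders are the documented ones.

```powershell
# Added example, not the session's own code. Run elevated on the golden machine.
# Assumed: C:\DGPolicy as working folder, an installer at C:\Installers\ContosoLOB-Setup.exe,
# and a code-signing certificate with subject "Contoso Code Signing" installed for signtool.
$PolicyDir = 'C:\DGPolicy'
$PolicyXml = Join-Path $PolicyDir 'InitialScan.xml'
$PolicyBin = Join-Path $PolicyDir 'SIPolicy.p7b'
$WarnLog   = Join-Path $PolicyDir 'ScanWarnings.txt'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# 1. Scan the golden system. -Level Publisher trusts binaries by signing publisher,
#    -Fallback Hash covers unsigned files, -UserPEs includes user-mode code (UMCI).
#    Files the scan could not process land in the warning stream (3>).
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath $PolicyXml 3> $WarnLog

# 2. Rule option 3 = Enabled:Audit Mode. Executions the policy would block are only
#    logged (CodeIntegrity/Operational event 3076) while the policy is being tuned.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Convert the XML to the binary Windows loads and place it in the CodeIntegrity folder.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force

# 4. Catalog an unsigned legacy app. Package Inspector records every file written or
#    executed on the volume between Start and Stop, so install and exercise the app in between.
$CatPath = Join-Path $PolicyDir 'ContosoLOB.cat'
$CdfPath = Join-Path $PolicyDir 'ContosoLOB.cdf'
PackageInspector.exe Start C:
Start-Process -FilePath 'C:\Installers\ContosoLOB-Setup.exe' -Wait   # assumed installer
PackageInspector.exe Stop C: -Name $CatPath -cdfpath $CdfPath

# 5. Sign the catalog with the enterprise certificate. The policy must contain a
#    signer rule for this certificate (or its issuing CA), otherwise the catalog is ignored.
signtool.exe sign /n 'Contoso Code Signing' /fd sha256 /v $CatPath

# 6. Install the catalog into the system catalog store (SCCM can distribute the same file).
Copy-Item $CatPath 'C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\' -Force
```

Keep the policy in audit mode until the 3076 events from representative machines are clean, and keep the XML under source control: it is the artifact you will edit, merge and re-sign for every later change.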

Demo: Deploying Policies and Applications

Secured scripts with configurable CI
- Windows Script Host will be limited: signed scripts are required for full functionality
  - WSH is the scripting host for VBScript (.vbs), JScript (.js), Windows script file (.wsf) and Windows script component (.wsc) scripts
  - Beware unenlightened 3rd-party script hosts
- MSIs must be signed
- PowerShell runs in "ConstrainedLanguage" mode; only signed PowerShell scripts run in full language mode
- .bat and .cmd scripts are not restricted
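Two helpers, added here as an example rather than taken from the session: a probe that shows what ConstrainedLanguage mode refuses on a machine under a UMCI policy (core types keep working, non-core .NET members and Add-Type do not), and a function that Authenticode-signs a script so that, once its signer is trusted by the CI policy, it runs in FullLanguage mode. The certificate subject and the script path are assumptions; the cmdlets and the language-mode behaviour are standard PowerShell.

```powershell
# Added example, not from the session. Part (a): run on a Device Guard machine to see
# which operations ConstrainedLanguage mode permits. Every probe is wrapped so the
# function returns a report instead of terminating on the first refusal.
function Test-LanguageModeRestrictions {
    $report = [ordered]@{ LanguageMode = "$($ExecutionContext.SessionState.LanguageMode)" }

    # Core .NET types such as [math] remain usable in ConstrainedLanguage mode.
    try   { $report['CoreType'] = [math]::Sqrt(144) }
    catch { $report['CoreType'] = "blocked: $($_.Exception.Message)" }

    # Members of non-core types (the usual route to Win32 APIs) are refused.
    try   { $report['NonCoreType'] = [System.Runtime.InteropServices.Marshal]::SystemDefaultCharSize }
    catch { $report['NonCoreType'] = "blocked: $($_.Exception.Message)" }

    # Compiling new types with Add-Type is refused as well.
    try {
        Add-Type -TypeDefinition 'public static class DgProbe { public static int One() { return 1; } }'
        $report['AddType'] = [DgProbe]::One()
    } catch { $report['AddType'] = "blocked: $($_.Exception.Message)" }

    [pscustomobject]$report
}

# Part (b): sign a script on the admin workstation. The signing certificate must be
# covered by a signer rule in the CI policy for the script to get FullLanguage mode.
function Set-ScriptSignature {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][string]$CertSubject,   # assumed, e.g. 'CN=Contoso Code Signing'
        [string]$TimestampServer                       # optional RFC 3161 timestamp URL
    )
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object { $_.Subject -eq $CertSubject } | Select-Object -First 1
    if (-not $cert) { throw "No code-signing certificate with subject '$CertSubject' in CurrentUser\My" }

    $signParams = @{ FilePath = $ScriptPath; Certificate = $cert; HashAlgorithm = 'SHA256' }
    if ($TimestampServer) { $signParams['TimestampServer'] = $TimestampServer }   # keeps the signature valid after cert expiry
    $sig = Set-AuthenticodeSignature @signParams
    if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

    # Re-read the file so the caller sees the signer and status actually embedded in it.
    Get-AuthenticodeSignature -FilePath $ScriptPath
}

Test-LanguageModeRestrictions | Format-List
Set-ScriptSignature -ScriptPath 'C:\Scripts\Deploy-App.ps1' -CertSubject 'CN=Contoso Code Signing'
```

Any edit to a signed script, including a changed comment, invalidates the signature and drops it back to ConstrainedLanguage mode, so signing belongs at the end of the release pipeline, not on the author's desk.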

Configurable Code Integrity and AppLocker
- Complementary features to whitelist application/code execution on Windows
  - Configurable Code Integrity (CCI) sets machine policy
  - AppLocker for user role-specific policies, managing UWP apps, and managing .bat/.cmd
- A signed Device Guard CI policy protects from local admin
  - Signed policy stored in a pre-OS secure variable
  - Requires a newer signed policy to update; cannot be deleted by an admin
  - Becomes a "machine" level policy, which means boot from media must be compliant
  - Measured into the TPM and part of device health attestation
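How an audit-mode policy becomes the signed, enforced policy this slide describes, as an added PowerShell example (not from the session). The steps that matter for the "protects from local admin" property are adding the update signer before removing the unsigned-policy option: once a signed policy is loaded, only a policy signed by a certificate in its Update signers list will replace it, so a policy signed without that rule cannot be updated in place. Paths, the certificate file and the subject "Contoso DG Signing" are assumptions; the cmdlets, rule option numbers and the signtool switches are the documented ones.

```powershell
# Added example, not the session's own code. Assumed: an audit-mode policy from an
# earlier golden-system scan, the signing certificate exported (public part) to
# C:\DGPolicy\ContosoDGSigning.cer and installed with its private key for signtool.
$PolicyXml = 'C:\DGPolicy\InitialScan.xml'
$SignedXml = 'C:\DGPolicy\SignedPolicy.xml'
$PolicyBin = 'C:\DGPolicy\SignedPolicy.bin'
$CertPath  = 'C:\DGPolicy\ContosoDGSigning.cer'

Copy-Item $PolicyXml $SignedXml -Force

# The policy must trust the certificate that signs it (-Update) and, here, the same
# certificate for user-mode code and catalogs (-User). Do this BEFORE removing option 6:
# a signed policy without an Update signer can never be replaced by a newer policy.
Add-SignerRule -FilePath $SignedXml -CertificatePath $CertPath -Update -User

# Option 6 = Enabled:Unsigned System Integrity Policy; deleting it makes the loader
# accept only signed policies. Option 3 = Audit Mode; deleting it switches to enforcement.
Set-RuleOption -FilePath $SignedXml -Option 6 -Delete
Set-RuleOption -FilePath $SignedXml -Option 3 -Delete

ConvertFrom-CIPolicy -XmlFilePath $SignedXml -BinaryFilePath $PolicyBin

# Detached PKCS#7 signature with the code integrity policy signing EKU 1.3.6.1.4.1.311.79.1.
# signtool writes SignedPolicy.bin.p7 into the folder given to -p7.
signtool.exe sign -v /n 'Contoso DG Signing' -p7 'C:\DGPolicy' -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $PolicyBin

# Deploy the signed blob under the name Windows loads. After the next boot the policy
# is held in a UEFI variable, so removing this file no longer removes the policy.
Copy-Item 'C:\DGPolicy\SignedPolicy.bin.p7' 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
Write-Host 'Reboot to activate. Validate on lab hardware with a tested recovery path first.'
```

Because the signed policy is measured into the TPM, the same certificate and policy hash become inputs to device health attestation, which is how a management system can prove a device is running the intended policy rather than merely configured for it.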

"That all sounds great. But... whitelisting is still too hard!" – Every IT Pro in the World

Demo: Introducing Trusted Managed Installers

Simplifying whitelist management: Managed Installer
- Automatically trust software installed by your IT app deployment solution (e.g. SCCM)
- Available in RS1 as a custom AppLocker policy, with configurable CI support coming soon
- Enables enterprises to better balance security and manageability

Virtualization Based Protection of Code Integrity

Virtualization based security (VBS): a new trust boundary for Windows
- Secure execution environment isolated from the high-level OS
- Enhanced OS protection against attacks (including attacks from kernel mode)
- Protection of secrets (e.g. derived user credentials)
- Protection of guest VM secrets from the host OS

KMCI protected by VBS
- Code integrity (CI) rules are enforced even if a vulnerability allows unauthorized kernel mode memory access
- Memory pages are only marked executable when CI validation succeeds
- Kernel memory cannot be marked both writable and executable
- BUT... not all drivers will be compatible

[Diagram: KMCI in Windows 8.1. Stack from bottom: hardware (TPM, virtualization extensions, IOMMU), firmware (UEFI), host OS with user and kernel in one "Normal World". KMCI and malware share the same kernel address space ("Howdy Peer!").]

[Diagram: secure trustlets and KMCI with Windows 10 VBS. Stack from bottom: hardware (TPM, virtualization extensions, IOMMU), firmware (UEFI), hypervisor, measured host OS. A hardened boundary separates the Normal World (kernel, LSASS, normal apps, malware) from the Secure World (KMCI, LSAIso, secure apps). Malware, now on the wrong side of the boundary: "I thought we could be friends".]

Introducing the Device Guard and Credential Guard Readiness Tool
- Verify device compatibility with Device Guard and Credential Guard
  - Hardware and virtualization support
  - Driver compatibility with HVCI
- Audit the status of DG/CG on systems
- Use SCCM or other management solutions to automate end-to-end deployment of DG/CG; the tool can also automate enablement of DG/CG
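The status side of what the readiness tool reports can be read directly from the Win32_DeviceGuard WMI class; the function below is an added example written for this page, not the Microsoft tool, and it covers only VBS, HVCI and policy enforcement state, not the HVCI driver-compatibility check. The numeric codes it decodes are the documented values of that class.

```powershell
# Added example, not the Microsoft readiness tool. Decodes Win32_DeviceGuard so that
# "is VBS actually running and is the CI policy enforced?" is answered per machine.
function Get-DeviceGuardStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $dg = Get-CimInstance -ComputerName $ComputerName -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    if (-not $dg) { throw "Win32_DeviceGuard not available on $ComputerName (Windows 10 Enterprise required)" }

    # Documented code tables for the class properties.
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ciState  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $hwProps  = @{ 1 = 'Base VBS'; 2 = 'Secure Boot'; 3 = 'DMA protection (IOMMU)';
                   4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only'; 6 = 'SMM security' }

    [pscustomobject]@{
        ComputerName                = $ComputerName
        VirtualizationBasedSecurity = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured          = @($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] }) -join ', '
        ServicesRunning             = @($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] }) -join ', '
        HardwareCapabilities        = @($dg.AvailableSecurityProperties | ForEach-Object { $hwProps[[int]$_] }) -join ', '
        KernelModeCIPolicy          = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCIPolicy            = $ciState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

# Fleet view: the gap between "configured" and "running" is where driver or firmware
# problems show up, and an empty HardwareCapabilities list marks a non-capable device.
'PC-01', 'PC-02' | ForEach-Object { Get-DeviceGuardStatus -ComputerName $_ } | Format-Table -AutoSize
```

The same class is what a compliance query in SCCM or a health-attestation consumer would inspect, so the values above are the ones to baseline before and after enabling VBS on a hardware model.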

Demo: Readiness Tool

Preparing for Device Guard

Planning for Device Guard: considerations
- Configurable CI works on any Windows 10 PC
  - Choose the right policy options based on scenarios/machine configurations and the maturity of IT
  - Policy management can be complicated by the diversity of hardware and software
- VBS and HVCI have specific hardware requirements
  - Virtualization and IOMMU
  - Microsoft Hyper-V hypervisor
  - Driver compatibility!
- New or existing systems?

Device Guard scenarios and recommendations (the slides build up one column at a time: fixed workloads, fully managed, lightly managed, BYOD)

Fixed workloads (tightly managed)
- Very well-defined software and hardware configurations; low churn
- No user, or standard user only
- Turn on VBS protection of Kernel Mode Code Integrity
- Deploy a configurable code integrity policy with both kernel and user mode, generated from "golden" system(s)

Fully managed (tightly managed)
- Well-defined hardware configurations; managed software only
- Ideally standard user only
- Turn on VBS protection of Kernel Mode Code Integrity
- Deploy a configurable code integrity policy with both kernel and user mode, created from "golden" system(s) or based on the DGSP default policy
- Optionally, use Managed Installer to simplify policy management

Lightly managed
- Multiple and varied hardware configurations
- Users can install "unmanaged" software
- Standard or admin users
- Turn on VBS protection of Kernel Mode Code Integrity
- Deploy configurable code integrity in audit mode, or KMCI enforced only
- Optionally, use Managed Installer to simplify policy management

BYOD
- Personally owned devices; highly variable hardware and software
- Device Guard not appropriate
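The "audit mode" recommendation for lightly managed devices only pays off if someone reads the audit log. The function below is an added example (not from the session) that summarises the code integrity events an audit-mode policy produces so the policy can be grown before enforcement. It assumes event ID 3076 (audit: would have been blocked) and 3077 (blocked) in the Microsoft-Windows-CodeIntegrity/Operational log, and that the event data carries the file and process paths in the FileNameBuffer and ProcessNameBuffer fields; if a build names those fields differently, adjust the two lookups.

```powershell
# Added example, not the session's own code. Pulls code integrity audit/block events
# and returns one record per event so they can be grouped by file or by process.
function Get-CodeIntegrityAuditSummary {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077                 # 3076 = audit only, 3077 = enforced block
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when no events match; treat that as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The rendered message varies by build; the EventData fields do not.
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Computer = $ComputerName
            Time     = $e.TimeCreated
            Action   = if ($e.Id -eq 3076) { 'AuditOnly' } else { 'Blocked' }
            File     = ($data | Where-Object { $_.Name -eq 'FileNameBuffer' }).'#text'     # assumed field name
            Process  = ($data | Where-Object { $_.Name -eq 'ProcessNameBuffer' }).'#text'  # assumed field name
        }
    }
}

# Triage view: files that many machines or processes need are candidates for a catalog
# or a Managed Installer path; a lone unsigned binary launched from a user profile is
# the kind of hit that should stay blocked once enforcement is turned on.
Get-CodeIntegrityAuditSummary -Days 30 |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Processes'; e = { ($_.Group.Process | Select-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Script and MSI decisions are logged separately by AppLocker (the "MSI and Script" log), so a complete audit review reads both logs, not only the CodeIntegrity one.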

Deploying Device Guard
- Buy Device Guard "ready" machines from OEMs, or use the Device Guard and Credential Guard Readiness tool to identify Device Guard "capable" devices
- Use Windows Store for Business to create the default code integrity policy and catalog-sign LOB apps
- Create policy from "golden" systems and sign apps with Windows Store for Business or an internal PKI
- Use Managed Installer to simplify manageability

Resources
- Device Guard and Credential Guard Readiness Tool: https://www.microsoft.com/en-us/download/details.aspx?id=53337
- Device Guard signing in Business Store Portal: https://businessstore.microsoft.com/en-us/DeviceGuard/
- Managing Device Guard with SCCM blog: https://blogs.technet.microsoft.com/configmgrteam/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/
- SCCM as a Managed Installer blog: https://blogs.technet.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/
- Device Guard deployment guide: https://technet.microsoft.com/en-us/library/mt463091.aspx
- Ignite 2015 Device Guard session: https://channel9.msdn.com/Events/Ignite/2015/BRK2336
- Windows 10 Device Guard Overview en Français: https://channel9.msdn.com/Blogs/Concretement/Episode-5-Windows-10-Device-Guard
