
7/1/2018 5:07 PM BRK2080 Deploying and Managing Windows Defender Application Control in the Real World Nazmus Sakib Jeffrey Sutherland Dune Desormeaux.


1 BRK2080 Deploying and Managing Windows Defender Application Control in the Real World. Speakers: Nazmus Sakib, Jeffrey Sutherland, Dune Desormeaux. © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 WE ARE UNDER ATTACK…

3 “There are two kinds of companies, those who’ve been hacked, and those who don’t know they’ve been hacked.” – James Comey, Former FBI Director
- Median number of days attackers are present on a victim’s network before detection: 200+
- Days after detection to full recovery: 80
- Impact of lost productivity and growth: $3 Trillion
- Average cost of a data breach (15% YoY increase): $3.5 Million

4 “Application Whitelisting is the most effective strategy” – Australian Signals Directorate

5 Whitelisting is Hard… IT codesigning is not pervasive
- Code signing is the best option for strong app identity and integrity validation, but:
- LOB app development is decentralized
- Code signing expertise is lacking
- Enterprises don’t want to (and shouldn’t) blindly trust all software from an ISV, even if signed
- There are too darned many existing LOB apps

6 Windows Defender Application Control: (Re-)Introducing Whitelisting in Windows 10
- Enterprise-grade application and software whitelist capabilities leveraging Windows code integrity
- Sets a single, machine-wide policy for the enterprise
- Continue to use AppLocker for user/role-specific policies and for managing .bat/.cmd, Windows Script Host and MSIs
- PowerShell operates in constrained language mode
- Formerly “configurable code integrity”

7 Device Guard Overview: A Combination of Security Technologies in Windows 10
Device Guard primarily consists of two security technologies:
- Application control – application whitelisting with an enterprise-defined policy
- Virtualization-based security for the Windows kernel – enforces code integrity protections even if a vulnerability allows unauthorized kernel-mode memory access
Each of the above can be deployed independently.

8 Windows 10 Whitelisting: The Road So Far…
Threshold – Initial Release
- Scenario focus: tightly managed/restricted devices (e.g. ATMs, medical devices, PoS, secure admin workstations)
- New: Virtualization-based security; PowerShell-based policy authoring; PackageInspector; DG signing service (TH2); GP native management; support for MDM
- Challenges: confused messaging; high manageability cost plus lack of management tool support
Anniversary Update (RS1) – Reduce/Remove Deployment Blockers
- Scenario focus: same as Threshold
- New: DG/CG HW Readiness Tool; HVCI compatibility now required for all RS certified drivers; Managed Installer preview feature with SCCM
Creators Update (RS2) – Cloud-driven Application Execution Control
- Scenario focus: lightly-managed enterprise
- New: new configurable CI option enables automatic authorization powered by ISG; WDATP Shields-up
Fall Creators Update (RS3) – Simplified Whitelist Management
- Scenario focus: managed environments
- New: Managed Installer official feature release; SCCM 1706 native management for configurable CI; per-app allow/deny rules (aka EMET ASR-style rules); Windows 10 S

9 Simplified Whitelisting: Cloud-powered whitelists – Coming in Fall Creators Update!
- Allow “known good” code as identified by the Microsoft Intelligent Security Graph
- Automatically authorize app executables based on positive reputation
- Complements explicit allow/deny rules in the policy and managed installer
- Automatically re-validate reputation on reboots
- Ideal for SMB, “lightly-managed” environments, or environments with less mature codesigning/IT app control processes
- Intune/SCCM integration coming soon

10 Simplified Whitelisting in Intune

11 Simplified Whitelisting in Intune (continued)

12 Cloud-Powered Whitelisting
Nazmus Sakib

13 Auto-authorize “Managed” apps: Managed Installer – Available in Creators Update (1703)
- Automatically allow software installed by your IT app deployment solution (e.g. SCCM)
- “Windows Works” starter policy included in Windows
- Managed installer = AppLocker rule + configurable CI policy option
- Ideal for SMB and Enterprise; “fully-managed” environments with mature IT app lifecycle management
- SCCM integration available since the 1706 release

14 SCCM as a Managed Installer
Dune Desormeaux

15 Explicit Policy – Most Secure Approach: Adopting Code Signing
- Integrate codesigning with LOB app development – OR – with app deployment workflows
- Create catalogs for “legacy” and ISV apps with Windows 10’s Package Inspector tool: no need to repackage/rebuild apps; easily deployed with SCCM
- Device Guard signing in the Windows Store for Business: download the default Device Guard configurable CI policy; catalog signing with enterprise-specific, unique keys

16 Managing Custom App Control Policies
- PowerShell cmdlets simplify policy creation
- Windows example policies: c:\Windows\schemas\CodeIntegrity\ExamplePolicies
- Recommended block list
- Deploy via SCCM or GP
- Signed policy to protect against admin tampering
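As an added example (not code from the deck or from Microsoft), the following PowerShell session walks the workflow slides 9, 13 and 16 describe: start from a Windows example policy, turn on audit mode, the managed installer option and ISG authorization, and compile the XML to the binary the deployment tooling delivers. It assumes an elevated session on Windows 10 1709 or later and that DefaultWindows_Audit.xml is present in the ExamplePolicies folder named on the slide; C:\WDAC and the signing-certificate path are placeholders.

```powershell
# Added example: author a WDAC policy from the example policy shipped in Windows.
# Assumption: DefaultWindows_Audit.xml exists under the ExamplePolicies folder.
$ExamplePolicy = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml'
$WorkDir       = 'C:\WDAC'                          # placeholder working folder
$PolicyXml     = Join-Path $WorkDir 'LOBPolicy.xml'
$PolicyBin     = Join-Path $WorkDir 'SIPolicy.p7b'  # file name the CI engine expects

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Copy-Item -Path $ExamplePolicy -Destination $PolicyXml -Force

# Rule options (numbers are the documented Set-RuleOption indexes):
#  0  Enabled:UMCI                              - cover user-mode binaries, not only drivers
#  3  Enabled:Audit Mode                        - log what would be blocked, block nothing yet
#  6  Enabled:Unsigned System Integrity Policy  - stay unsigned while iterating; sign before
#                                                 enforcement to protect against admin tampering
# 13  Enabled:Managed Installer                 - trust files written by the managed installer
#                                                 (requires the matching AppLocker rule, slide 13)
# 14  Enabled:Intelligent Security Graph Authorization - ISG "known good" reputation (slide 9)
foreach ($opt in 0, 3, 6, 13, 14) {
    Set-RuleOption -FilePath $PolicyXml -Option $opt
}

# Optional: trust catalogs produced with Package Inspector by adding the enterprise
# catalog-signing certificate as a user-mode signer (placeholder certificate path).
# Add-SignerRule -FilePath $PolicyXml -CertificatePath 'C:\WDAC\CatalogSigner.cer' -User

# Compile the XML into the binary form that GP, SCCM or MDM deliver to devices.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Inspect the result before handing it to the deployment tooling.
Get-CIPolicyInfo -FilePath $PolicyXml

# When the audit log is clean, remove option 3 and recompile to move to enforcement:
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
```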

17 Make whitelisting work for you
Jeffrey Sutherland

18 Where is WDAC Applicable
There are different types of device workloads in an enterprise. Workloads vary on:
- Security stance – what security requirements need to be met given how the device is used?
- Manageability – how much time/expertise can be spent on managing a device?
- Application variability – how much churn is there in the set of applications that need to run on a device?
Depending on how these three constraints need to be balanced, different combinations of the WDAC policy capabilities can be used.

19 Where is WDAC Applicable: Fixed workloads
- Security stance: tightly managed
- Manageability: very well-defined software and hardware configurations
- Application variability: low churn; no user or standard user only
- Policy capabilities shown (OFF/ON): Explicit rules, Managed Installer, ISG integration, Signed policy

20 Where is WDAC Applicable: Corporate fully managed
- Security stance: tightly managed
- Manageability: well-defined hardware configurations; managed software only
- Application variability: ideally standard user only
- Policy capabilities shown (OFF/ON): Explicit rules, Managed Installer, ISG integration, Signed policy

21 Where is WDAC Applicable: Corporate lightly managed
- Manageability: multiple and varied hardware configurations
- Application variability: user can install “unmanaged” software; standard or admin users
- Policy capabilities shown (OFF/ON): Explicit rules, Managed Installer, ISG integration, Signed policy

22 Where is WDAC Applicable: BYOD
- Personally owned devices
- Highly variable hardware and software
- Consider “Audit” mode deployment
- Policy capabilities shown (OFF/ON): Explicit rules, Managed Installer, ISG integration, Signed policy

23 Windows 10 S
- Compositionally identical to Windows 10 Pro, which enables a seamless “Switch to Pro” experience
- Code integrity enforces a SKU “lockdown” policy identical to “Windows Works” plus additional explicit blocks:
  - Components that interpret/execute arbitrary code or otherwise enable bypass of the code integrity policy
  - Components that enable automation/weaponization of bypasses and are not required for MDM management
- Store app recommendations and a curated driver store help deliver safer, more reliable user experiences

24 Where is WDAC Applicable
- Security stance: tightly managed
- Manageability: well-defined software and hardware configurations
- Application variability: low churn with only Store app support
- Policy capabilities shown (OFF/ON): Explicit rules, Managed Installer, ISG integration, Signed policy

25 Device Guard Overview: A Combination of Security Technologies in Windows 10 (content identical to slide 7)

26 Hypervisor Protected Code Integrity: Virtualization-based security for the Windows kernel
- Code integrity (CI) is enforced even if a vulnerability allows unauthorized kernel-mode memory access
- Memory pages are only marked executable when CI validation succeeds
- Kernel memory cannot be marked both writable and executable
- HVCI compatibility required for all kernel drivers since Anniversary Update
- New required OEM system test for HVCI with Fall Creators Update
- Additional hardware and UEFI BIOS lockdown features deliver the most defensible security posture (Device Guard “ready” vs. Device Guard “capable”)

27 Traditional platform stack (diagram): Device Hardware, Kernel, Windows Platform Services, Apps, layered bottom to top

28 Virtualization Based Security in Windows 10 (diagram): the Hyper-V hypervisor sits on the Device Hardware and separates the Windows Operating System (Kernel, Windows Platform Services, Apps) from the SystemContainer, which hosts Trustlet #1, Trustlet #2 and Trustlet #3

29 Device Guard Readiness Tool
- Verify device compatibility with HVCI: hardware and virtualization support; driver compatibility
- Audit status of DG/CG on systems
- Use SCCM or other management solutions to automate end-to-end deployment of DG/CG
- The tool can also be used to automate enablement of DG/CG
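As an added example (not the Device Guard Readiness Tool itself, and not code from the deck), this PowerShell snippet performs the status audit the slide describes: it reads the Win32_DeviceGuard WMI class to report whether VBS, HVCI and the CI policy are active, then summarises the last week of CodeIntegrity audit/block events by file so policy gaps can be reviewed before moving from audit to enforcement. It assumes an elevated session on Windows 10 1709 or later.

```powershell
# Added example: report VBS/HVCI/CI policy state and the noisiest CodeIntegrity events.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
# *PolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
# AvailableSecurityProperties: 1 = VBS, 2 = Secure Boot, 3 = DMA protection, 4 = secure
# memory overwrite, 5 = NX, 6 = SMM mitigations, 7 = MBEC ("ready" vs "capable" hardware).
[pscustomobject]@{
    VbsStatus            = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 enabled, 2 running
    CredentialGuardOn    = $dg.SecurityServicesRunning -contains 1
    HvciOn               = $dg.SecurityServicesRunning -contains 2
    KernelCiPolicyStatus = $dg.CodeIntegrityPolicyEnforcementStatus
    UserCiPolicyStatus   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    AvailableHwFeatures  = ($dg.AvailableSecurityProperties -join ',')
} | Format-List

# Event 3076 = would have been blocked (audit mode); 3077 = blocked (enforced mode).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue   # no error when the log is empty

# Group by the offending file so the largest gaps in the policy surface first.
# FileNameBuffer is the EventData field carrying the file path in these events.
$events |
    ForEach-Object {
        [pscustomobject]@{
            Id   = $_.Id
            File = ([xml]$_.ToXml()).Event.EventData.Data |
                   Where-Object Name -eq 'FileNameBuffer' |
                   Select-Object -ExpandProperty '#text'
        }
    } |
    Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

A device reporting HvciOn = True with UserCiPolicyStatus = 1 and an empty 3076 list after a representative usage window is the state to reach before switching the policy to enforcement.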

30 Links & Resources
- Microsoft Virtual Academy session on Device Guard - hammer-on-malware-with-windows-10-device-guard-16926
- Managing Device Guard with SCCM blog - windows-10-device-guard-with-configuration-manager/
- SCCM as a Managed Installer blog - managed-installer-with-win10/
- Device Guard Discussion
- Device Guard deployment guide
- Device Guard and Credential Guard Readiness Tool
- Device Guard signing in Business Store Portal
- Ignite 2016 Device Guard session
- Windows 10 Device Guard Overview en Français - Windows-10-Device-Guard

31 Please evaluate this session
- PC or tablet: visit MyIgnite
- Phone: download and use the Microsoft Ignite mobile app
Your input is important!
