A Fast Track into Device Guard
Microsoft Ignite 2016, session THR1062: A Fast Track into Device Guard. Raymond Comvalius, IT Infrastructure Architect/MVP. © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Raymond Comvalius - www.nextxpert.com
About Me: independent trainer/architect since 1998, Most Valued Professional (MVP), Microsoft Certified Trainer (MCT), author of "Windows 7 for XP Professionals".
Introducing Device Guard
Device Guard is a combination of hardware and software security features that lock a device down so that it runs only trusted applications, as defined by code integrity policies. It requires Windows 10 Enterprise, Windows 10 Education, Windows Server 2016 or Windows IoT Enterprise.
Device Guard Overview
Three building blocks:
- Code Integrity (configurable code integrity policies)
- Virtualization-based Security (VBS)
- UEFI Secure Boot
Code Integrity
Protects against unsigned code and new malware.
Two primary components:
- Kernel Mode Code Integrity (KMCI): as in previous versions of Windows
- User Mode Code Integrity (UMCI): new in Windows 10 v1607 and Windows Server 2016
No security-related hardware is required for code integrity policies on their own.
Catalog files:
- Use catalog files when you have unsigned applications: the catalog holds the hashes of the application's files, so the binaries themselves do not need to be re-signed.
- Sign the catalog with a certificate that your code integrity policy trusts; the policy then treats every file listed in the catalog as trusted.
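As an added example that is not part of the session's slides, these are the PowerShell steps for producing a signed catalog for an unsigned application with Package Inspector and SignTool from the Windows SDK. The installer name, the output file names and the certificate subject "ContosoDGSigningCert" are assumptions for illustration.

```powershell
# Added example, not from the presentation: produce a signed catalog for an
# unsigned line-of-business application so that a code integrity policy can
# trust it without re-signing the application's own binaries.
# Assumptions for illustration: installer .\ContosoApp-Setup.exe, output names
# ContosoApp.cat/.cdf, a code-signing certificate with subject
# "ContosoDGSigningCert" in the current user's personal store, and
# PackageInspector.exe and signtool.exe (Windows SDK) on PATH. Run elevated on a
# clean reference machine.

$Installer   = '.\ContosoApp-Setup.exe'
$CatFileName = 'ContosoApp.cat'
$CatDefName  = 'ContosoApp.cdf'
$CertSubject = 'ContosoDGSigningCert'

# 1. Start recording. Package Inspector hashes every binary written to or run
#    from the monitored drive until it is stopped, so install to the same drive.
PackageInspector.exe Start C:

# 2. Install and fully exercise the application. Components that are only
#    loaded at run time (plug-ins, updaters) must be run now, or they will be
#    missing from the catalog and blocked (or audited) later.
Start-Process -FilePath $Installer -Wait

# 3. Stop recording. This writes the catalog and its definition file; the
#    catalog contains only file hashes, so it works for unsigned binaries.
PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName

# 4. Sign the catalog with SHA-256. The code integrity policy on the target
#    machines must contain a signer rule for this certificate; otherwise the
#    catalog installs fine but nothing it lists becomes trusted.
signtool.exe sign /n $CertSubject /fd sha256 /v $CatFileName

# 5. Install the signed catalog on each target machine (the GUID folder is the
#    fixed catalog-store location Windows uses). Distribute it with Group Policy,
#    SCCM or any file-copy mechanism.
$CatRoot = Join-Path $env:SystemRoot 'System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'
Copy-Item -Path $CatFileName -Destination $CatRoot -Force

# Quick check that the signature is valid and the certificate chains.
signtool.exe verify /pa /v (Join-Path $CatRoot $CatFileName)
```

The policy side of this is a signer rule for the catalog-signing certificate, added with Add-SignerRule -FilePath <policy.xml> -CertificatePath <cert.cer> -User before the policy is compiled; without it the catalog is installed but ignored. Anything the application loads that was not exercised while Package Inspector was running is absent from the catalog and will be blocked once the policy is enforced.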
Virtualization Based Security
Protects against malware that already has kernel access:
- Runs the Code Integrity service in a hypervisor-protected container, isolated from the normal kernel
- Strengthens KMCI and the code integrity policy (this is HVCI, hypervisor-enforced code integrity)
- The hypervisor enforces read/write/execute permissions on system memory, so kernel-mode code cannot make a page both writable and executable behind the policy's back
Hardware requirements:
- 64-bit CPU
- CPU virtualization extensions
- SLAT (Second Level Address Translation)
- Add I/O Memory Management Units (IOMMUs) for DMA attack mitigation
Device Guard with VBS (architecture diagram): the Hyper-V hypervisor sits directly on the device hardware. Above it run two isolated environments side by side: the Windows operating system (kernel, Windows platform services, apps) and the SystemContainer, which hosts Device Guard's code integrity service and further trustlets (shown as Trustlet #2 and Trustlet #3).
UEFI Secure Boot
Protects against bootkits and boot-time attacks:
- Protects the boot process and firmware from tampering
- UEFI is locked down
Hardware requirements: only the firmware requirements defined in the Windows hardware compatibility requirement System.Fundamentals.Firmware.UEFISecureBoot
Planning for Device Guard
- Configurable CI works on any Windows 10 PC
- Choose the right policy options based on scenarios, machine configurations and the maturity of IT
- Policy management can be complicated by the diversity of hardware and software
- VBS and HVCI have specific hardware requirements: virtualization extensions and an IOMMU, plus the Microsoft Hyper-V hypervisor
- Driver compatibility! A driver that violates HVCI's memory rules fails to load once HVCI is on
- New or existing systems?
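To check the hardware requirements listed under Virtualization Based Security and UEFI Secure Boot before deciding how far to enforce, the Win32_DeviceGuard WMI class reports what the platform offers and what is already running. The script below is an added example, not from the presentation: the readiness rule it applies (hypervisor support plus Secure Boot required, IOMMU recommended) and the choice to leave HVCI unlocked are its own, and the registry values are the documented keys for enabling VBS and HVCI without Group Policy.

```powershell
# Added example, not part of the session deck: a readiness check for VBS/HVCI
# using the Win32_DeviceGuard WMI class, followed by the registry values that
# turn VBS and HVCI on. Property codes are the documented ones; what counts as
# "ready" is this example's own policy. Run elevated; the change needs a reboot.

function Get-VbsReadiness {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Codes used by AvailableSecurityProperties / RequiredSecurityProperties.
    $propNames = @{
        1 = 'Hypervisor support'
        2 = 'Secure Boot'
        3 = 'DMA protection (IOMMU)'
        4 = 'Secure Memory Overwrite'
        5 = 'UEFI code read-only'
        6 = 'SMM security mitigations'
        7 = 'Mode-based execution control'
    }
    $available = @($dg.AvailableSecurityProperties | ForEach-Object { $propNames[[int]$_] })
    $running   = @($dg.SecurityServicesRunning)     # 1 = Credential Guard, 2 = HVCI

    [pscustomobject]@{
        VbsStatus       = $(switch ([int]$dg.VirtualizationBasedSecurityStatus) {
                              0 { 'not enabled' } 1 { 'enabled, not running' } 2 { 'running' } })
        HvciRunning     = $running -contains 2
        CredentialGuard = $running -contains 1
        KmciPolicy      = $dg.CodeIntegrityPolicyEnforcementStatus          # 0 off, 1 audit, 2 enforced
        UmciPolicy      = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus  # same encoding
        Available       = $available
        # VBS needs a hypervisor-capable CPU (virtualization extensions + SLAT) and Secure Boot.
        ReadyForHvci    = ($available -contains 'Hypervisor support') -and ($available -contains 'Secure Boot')
        # Without an IOMMU, VBS still runs but DMA attacks on VBS memory are not mitigated.
        DmaProtected    = $available -contains 'DMA protection (IOMMU)'
    }
}

$r = Get-VbsReadiness
$r | Format-List

if (-not $r.ReadyForHvci) {
    Write-Warning 'Hypervisor support or Secure Boot not available; VBS/HVCI will not start on this device.'
    return
}
if (-not $r.DmaProtected) {
    Write-Warning 'No IOMMU reported: enabling VBS without DMA protection.'
}

# Enable VBS. RequirePlatformSecurityFeatures: 1 = Secure Boot only,
# 3 = Secure Boot + DMA protection.
$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item -Path $dgKey -Force | Out-Null
Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Type DWord `
                 -Value $(if ($r.DmaProtected) { 3 } else { 1 })

# Enable HVCI (VBS protection of kernel-mode code integrity). Leave "Locked" at 0
# until the drivers on this hardware are known to be HVCI-compatible: a UEFI-locked
# HVCI cannot be turned back off remotely if an incompatible driver stops loading.
$hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
New-Item -Path $hvciKey -Force | Out-Null
Set-ItemProperty -Path $hvciKey -Name Enabled -Type DWord -Value 1
Set-ItemProperty -Path $hvciKey -Name Locked  -Type DWord -Value 0
```

Run Get-VbsReadiness again after the reboot: VbsStatus should read "running" and HvciRunning should be true. If VBS is enabled but not running, the usual causes are Secure Boot being off in firmware or the Hyper-V hypervisor not being present.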
Device Guard Scenarios and Recommendations
The four scenarios below run from most to least controlled: fixed workloads, fully managed, lightly managed, BYOD.

Fixed workloads
- Very well-defined software and hardware configurations
- Low churn
- No user, or standard user only
- Turn on VBS protection of Kernel Mode Code Integrity
- Deploy a configurable code integrity policy covering both kernel and user mode, generated from "golden" system(s)
Fully managed
- Well-defined hardware configurations
- Managed software only
- Ideally standard user only
- Turn on VBS protection of Kernel Mode Code Integrity
- Deploy a configurable code integrity policy covering both kernel and user mode, created from "golden" system(s) or based on the DGSP default policy
- Optionally, use Managed Installer to simplify policy management
Lightly managed
- Multiple and varied hardware configurations
- Users can install "unmanaged" software
- Standard or admin users
- Turn on VBS protection of Kernel Mode Code Integrity
- Deploy configurable code integrity in audit mode, OR enforce KMCI only
- Optionally, use Managed Installer to simplify policy management
- Optionally, use AppLocker to increase assurance of "unmanaged" software
BYOD
- Personally owned devices
- Highly variable hardware and software
- Device Guard is not appropriate here
Deploying Device Guard
- Buy Device Guard "ready" machines from OEMs, OR use the Device Guard and Credential Guard Readiness tool to identify Device Guard "capable" devices
- Use Windows Store for Business (the Device Guard Signing Portal, DGSP) to create a default code integrity policy and to catalog-sign LOB apps
- Create the policy from "golden" systems and sign apps with Windows Store for Business or an internal PKI
- Optionally, use Managed Installer and AppLocker to balance security and manageability
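The golden-system policy flow from this slide, written out as an added example (not the deck's own script) with the ConfigCI cmdlets that ship in Windows 10 Enterprise. It assumes a working folder C:\CIPolicy, an unsigned policy, and local deployment by copying the compiled policy into System32\CodeIntegrity; Group Policy or MDM can distribute the same binary instead.

```powershell
# Added example (not the session's own script): build a configurable code integrity
# policy from a "golden" reference machine, roll it out in audit mode, review the
# audit events, then switch to enforcement.
# Assumptions for illustration: working folder C:\CIPolicy; an unsigned policy
# deployed locally by copying SIPolicy.p7b into System32\CodeIntegrity (Group
# Policy or MDM can distribute the same binary instead). Run elevated on the
# golden machine; each deployment step needs a reboot to take effect.

$WorkDir = 'C:\CIPolicy'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$Xml      = Join-Path $WorkDir 'GoldenPolicy.xml'
$Bin      = Join-Path $WorkDir 'SIPolicy.p7b'
$Deployed = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SIPolicy.p7b'

# 1. Scan the golden system. -Level FilePublisher trusts each file by signer plus
#    file name and minimum version; -Fallback Hash pins unsigned binaries by hash;
#    -UserPEs includes user-mode code so the policy covers UMCI as well as KMCI.
#    A full-drive scan takes a while; narrow -ScanPath for a quicker first pass.
New-CIPolicy -Level FilePublisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath $Xml

# 2. Keep audit mode on for the first rollout (rule option 3, "Enabled:Audit Mode").
#    New-CIPolicy sets it by default; setting it explicitly makes the intent visible.
#    In audit mode a file the policy would block is logged as event 3076 in
#    Microsoft-Windows-CodeIntegrity/Operational but still runs.
Set-RuleOption -FilePath $Xml -Option 3

# 3. Compile the XML into the binary form the kernel loads, and deploy it locally.
ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath $Bin
Copy-Item -Path $Bin -Destination $Deployed -Force
# Reboot here, then run the real workload for long enough to exercise everything.

# 4. See what enforcement would have blocked.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3076 |
    Select-Object -First 20 TimeCreated, Message

# 5. Fold the audited files into the policy (New-CIPolicy -Audit builds rules from
#    the 3076 events), drop audit mode and redeploy. Review the additions first:
#    anything malicious that ran during the audit window would be allowed too.
$AuditXml = Join-Path $WorkDir 'AuditAdditions.xml'
New-CIPolicy -Audit -Level FilePublisher -Fallback Hash -UserPEs -FilePath $AuditXml
$Merged = Join-Path $WorkDir 'MergedPolicy.xml'
Merge-CIPolicy -PolicyPaths $Xml, $AuditXml -OutputFilePath $Merged
Set-RuleOption -FilePath $Merged -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Bin
Copy-Item -Path $Bin -Destination $Deployed -Force
# Reboot again; from now on a block is logged as event 3077 and the file does not run.
```

Event 3076 is the audit-mode "would have blocked" record and 3077 the enforced block, which is what the lightly managed scenario's "audit mode OR KMCI enforced only" advice is about. Reviewing the step 4 output before step 5 matters because -Audit trusts everything that ran during the window, not just what you intended to allow.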
Summary
- Device Guard can run on standard hardware
- Hardware features (VBS, HVCI, IOMMU, Secure Boot) can significantly improve security
- Only enforce on highly locked-down devices
- What's the strategy in case of compromise?
More information: Device Guard Deployment Guide
Please evaluate this session: your feedback is important. From a PC or tablet visit MyIgnite; from a phone use the Ignite Mobile App.