1
Device Guard: AppLocker on steroids
Raymond Comvalius, IT Infrastructure Architect
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Raymond Comvalius - www.nextxpert.com
Independent trainer/architect since 1998
Most Valued Professional (MVP)
Microsoft Certified Trainer (MCT)
Author of “Windows 7 for XP Professionals”
3
Introducing Device Guard
A combination of hardware and software security features that locks a device down so it only runs trusted applications, enforced through code integrity policies.
Requires Windows 10 Enterprise, Windows 10 Education, Windows Server 2016 or Windows IoT Enterprise.
4
Device Guard in the Windows Security Stack
[Diagram: the Windows security stack, bottom to top]
Secure Boot (Platform Secure Boot and UEFI Secure Boot; includes Secure Firmware Updates): ROM/Fuses, Bootloaders, Native UEFI
Code Integrity, Kernel Mode (KMCI): Windows OS Loader, Windows Kernel and Drivers, 3rd Party Drivers
Code Integrity, User Mode (UMCI) and AppLocker: User mode code (apps, etc.)
5
Device Guard vs AppLocker
Functionally they look alike, a little bit:

| Device Guard                | AppLocker                     |
|-----------------------------|-------------------------------|
| User Mode & Kernel Mode     | User Mode                     |
| System-wide                 | User/Group addressable        |
| Admin cannot circumvent     | Admin can circumvent          |
| Admin cannot always disable | Admin can always disable      |
| Requires specific hardware  | Runs on all Windows hardware  |
6
UEFI Secure Boot: protects against bootkits and boot-time attacks
Protects the boot process and firmware from tampering; UEFI is locked down.
Hardware requirements: only the firmware requirements defined in System.Fundamentals.Firmware.UEFISecureBoot
7
Code Integrity: protects against unsigned code and new malware
Two primary components:
Kernel Mode Code Integrity (KMCI): as in previous versions of Windows
User Mode Code Integrity (UMCI): new in Windows 10 v1607 and Windows Server 2016
No security-related hardware required.
Catalog Files: use catalog files when you have unsigned applications; sign your own applications with the catalog file.
8
Virtualization Based Security
Protects against malware with kernel access.
Code Integrity service runs in a hypervisor-protected container, which strengthens KMCI and the Code Integrity Policy.
The hypervisor enforces R/W/X permissions on system memory.
Hardware requirements: 64-bit CPU, CPU virtualization extensions, SLAT (Second Level Address Translation). Add I/O Memory Management Units (IOMMUs) for DMA attack mitigation.
9
Device Guard with Virtualization Based Security
[Diagram: Device Guard with Virtualization Based Security. Device hardware runs the Hyper-V hypervisor; above it sit the Windows operating system (Kernel, Windows Platform Services, Apps) and, separately, the System Container holding Device Guard, Trustlet #2 and Trustlet #3.]
10
Planning for Device Guard
Kernel Mode CI is the default
Code Integrity in User Mode?
Virtualization Based Security: virtualization and IOMMU, Microsoft Hyper-V hypervisor, driver compatibility
Signing the CI Policy
11
Deploying Device Guard
Use the Device Guard and Credential Guard Readiness tool to identify Device Guard “capable” devices.
Use Windows Store for Business to create a default code integrity policy and catalog-sign LOB apps
-- OR --
Create a policy from “golden” systems and sign apps with Windows Store for Business or an internal PKI.
Optionally, use Managed Installer and AppLocker to balance security and manageability.
12
Recommended blocklist
Some applications and PowerShell files should not run on a Device Guarded system:
bash.exe
bginfo.exe (< version 4.22)
cbd.exe
csi.exe
dbghost.exe
dbgsvc.exe
dnx.exe
fsi.exe
fsianycpu.exe
kd.exe
lsxxmanager.dll
msbuild.exe
mshta.exe
ntkd.exe
ntsd.exe
rcsi.exe
system.management.automation.dll
windbg.exe
Download the CI Policy here
13
Deploying Device Guard
Audit Mode: event logs provide status information
Enforce Mode: sign the CI Policy
14
Deployment Steps: create initial policy
Run New-CIPolicy to create the initial policy XML
Merge with the recommended policy
Convert XML to binary
Apply the CI Policy
Evaluate the policy
Scan the audit log to create a new policy
Merge with the existing policy
15
Deployment Steps: prepare for accidents
9. Enable option 9 – Advanced Boot Options Menu
10. Enable option 10 – Boot Audit on Failure
Disable Audit Mode:
11. Delete option 3 – Audit Mode Enabled
Finalize:
12. Convert XML to binary format
13. Apply Policy
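The deployment steps on the last two slides, worked through as one script. This is an added example, not code from the slides or from Microsoft; it uses the ConfigCI cmdlets that ship with Windows 10 Enterprise (New-CIPolicy, Merge-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy) and the CodeIntegrity operational event log that the Audit Mode slide refers to. The working directory C:\CIPolicy, the file name RecommendedBlockList.xml, the Publisher/Hash rule levels and the function names are assumptions made for this example.

```powershell
# Added example (not from the slides): create -> merge -> audit -> enforce.
# Run elevated on the "golden" system. All paths below are assumptions.

$Work        = 'C:\CIPolicy'
$Initial     = Join-Path $Work 'InitialScan.xml'
$Recommended = Join-Path $Work 'RecommendedBlockList.xml'   # assumed name of the recommended policy
$Merged      = Join-Path $Work 'MergedPolicy.xml'
$AuditScan   = Join-Path $Work 'AuditScan.xml'
$Final       = Join-Path $Work 'FinalPolicy.xml'
$Binary      = Join-Path $Work 'SIPolicy.p7b'
$Target      = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Phase 1: initial policy from the golden system, deployed in audit mode.
function New-InitialAuditPolicy {
    # Publisher rules keep the policy small; Hash is the fallback for unsigned
    # binaries. -UserPEs adds user-mode (UMCI) rules instead of KMCI only.
    New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' `
                 -UserPEs -FilePath $Initial

    # Merge with the recommended (blocklist) policy from the slides.
    Merge-CIPolicy -PolicyPaths $Initial, $Recommended -OutputFilePath $Merged

    # Rule options: 3 = Audit Mode Enabled, 9 = Advanced Boot Options Menu,
    # 10 = Boot Audit on Failure, 6 = Unsigned System Integrity Policy
    # (6 must stay until the policy is actually signed).
    foreach ($opt in 3, 6, 9, 10) { Set-RuleOption -FilePath $Merged -Option $opt }

    ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary
    Copy-Item -Path $Binary -Destination $Target -Force
    # Reboot to load the audit-mode policy.
}

# Phase 2: after running the normal workload in audit mode, list what the
# policy would have blocked. Event 3076 in the CodeIntegrity log is the
# audit-mode "allowed, but violates policy" event; 3077 is the enforced block.
function Get-AuditedViolations {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
}

# Phase 3: fold the audit findings into the policy, leave audit mode, enforce.
function Publish-EnforcedPolicy {
    # -Audit builds rules from the audit-log events rather than a file scan.
    New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath $AuditScan

    Merge-CIPolicy -PolicyPaths $Merged, $AuditScan -OutputFilePath $Final

    # Step 11: delete option 3 (Audit Mode Enabled) so the policy enforces.
    Set-RuleOption -FilePath $Final -Option 3 -Delete

    # Steps 12 and 13: convert to binary and apply. Options 9 and 10 stay so a
    # policy that blocks too much can still be bypassed from the boot menu.
    ConvertFrom-CIPolicy -XmlFilePath $Final -BinaryFilePath $Binary
    Copy-Item -Path $Binary -Destination $Target -Force
    # Reboot to load the enforced policy.
}

# Usage, in order, with a reboot after phase 1 and after phase 3:
# New-InitialAuditPolicy
# Get-AuditedViolations -Days 7 | Format-Table -AutoSize -Wrap
# Publish-EnforcedPolicy
```

Review the phase 2 output before running phase 3: anything on the recommended blocklist that shows up as a 3076 event is a sign that the workload depends on a tool the policy is meant to deny, and that is a decision to make deliberately rather than something the audit-to-allow merge should quietly paper over.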
16
Deployment Steps – Signed Policy
An applied signed CI policy can only be changed by the owner of the private key of the signing certificate. It’s like Device Guard on Steroids
17
AppLocker
A CI Policy is certificate based: it allows all apps that comply.
Example: allow all apps from the Windows Store, then use AppLocker to filter that.
18
Deploying Device Guard
Demo
19
Summary
Device Guard can run on standard hardware; hardware features can significantly improve security.
Device Guard is only for highly locked down devices.
What’s your strategy in case of compromise?
AppLocker is way easier to deploy, but covers less.
More information: Device Guard Deployment Guide
20