Drop the hammer down on malware threats with Windows 10's Device Guard
Microsoft Ignite 2016, session BRK2129
Scott Anderson, Program Manager, OS Security
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

The Malware threat
Median number of days attackers are present on a victim's network before detection: 200+
Days after detection to full recovery: 80
Impact of lost productivity and growth: $3 Trillion
Average cost of a data breach (15% YoY increase): $3.5 Million
"There are two kinds of companies, those who've been hacked, and those who don't know they've been hacked." - James Comey, FBI Director

Device Guard: Achieving PC lockdown for enterprise
Enterprise-grade application whitelisting
Virtualization-based security protections
Hardware and UEFI BIOS lockdown
Device Guard "ready" and Device Guard "capable" options from OEMs

Code Integrity

Whitelisting is a top security recommendation
Australian Signals Directorate top 4 Strategies to Mitigate Targeted Cyber Intrusions:
Application whitelisting
Application patching
Operating system patching
Minimise administrative privileges
"ASD TOP 4 PREVENTS OVER 85% OF INTRUSIONS"
"Application Whitelisting is the most effective strategy in the Australian Signals Directorate's (ASD) Strategies to Mitigate Targeted Cyber Intrusions"

Ensuring the Integrity of Windows
Secure Boot (includes Secure Firmware Updates and Platform Secure Boot)
Kernel Mode Code Integrity (KMCI)
User Mode Code Integrity (UMCI)
AppLocker
Device Guard's configurable code integrity
Diagram: the boot and execution chain from the bottom up (ROM/Fuses, Bootloaders, Native UEFI, Windows OS Loader, Windows Kernel and Drivers, 3rd Party Drivers, User mode code such as apps), with the protection that covers each stage shown alongside in the same order: Platform Secure Boot, UEFI Secure Boot, KMCI, UMCI and AppLocker, and Device Guard's configurable code integrity spanning the kernel and user mode stages.

But Whitelisting is Hard...
IT code signing is not pervasive, even though it is the best option for strong app identity and integrity validation
Decentralized LOB app development
Lack of code signing expertise
Enterprises don't want to (and shouldn't) blindly trust all software from an ISV, even if signed
Too darned many existing LOB apps

Getting Apps into the Circle of Trust: Adopting Code Signing
Make code signing part of the LOB app development process, or of the app deployment workflows
Create catalogs for "legacy" and ISV apps with Windows 10's Package Inspector tool: no need to repackage or rebuild apps; easily deployed with SCCM
Device Guard signing in the Windows Store for Business: download the default Device Guard configurable CI policy; catalog signing with enterprise-specific, unique keys

Demo: Deploying Policies and Applications

Secured Scripts with Config CI
Windows Script Host will be limited: signed scripts are required for full functionality. WSH is the scripting host for VBScript (.vbs), JScript (.js), Windows script file (.wsf) and Windows script component (.wsc) scripts.
Beware unenlightened 3rd party script hosts
MSIs must be signed
PowerShell runs in "ConstrainedLanguage" mode; only signed PowerShell scripts run in full language mode
.bat and .cmd scripts are not restricted

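An added example, not from the session, that inventories a script share before Config CI is enforced and reports which scripts will lose full functionality under UMCI; the share path is an assumption.

```powershell
# Added example, not from the Ignite deck: report which deployed scripts
# will lose functionality once a configurable CI policy enforces UMCI.
# Unsigned .ps1 files drop to ConstrainedLanguage mode; unsigned WSH scripts
# (.vbs/.js/.wsf) are limited. .bat/.cmd are not restricted by configurable
# CI, so they are listed only as a reminder to cover them with AppLocker.
# The folder path below is an assumption; point it at your own script share.

function Get-ScriptSigningReadiness {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    $restricted   = '.ps1', '.psm1', '.vbs', '.js', '.wsf'
    $unrestricted = '.bat', '.cmd'
    $inScope      = $restricted + $unrestricted

    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $inScope -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $ext    = $_.Extension.ToLower()
            $status = 'NotApplicable (AppLocker scope)'
            $signer = $null
            if ($restricted -contains $ext) {
                # Authenticode check: 'Valid' means a trusted signer and an intact hash.
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                File      = $_.FullName
                Extension = $ext
                Signature = $status
                Signer    = $signer
                # Under Config CI only a valid signature keeps full functionality;
                # .bat/.cmd keep it because configurable CI does not restrict them.
                FullFunctionalityUnderCI = ($status -eq 'Valid') -or ($unrestricted -contains $ext)
            }
        }
}

# FullLanguage on an unlocked machine; ConstrainedLanguage once UMCI is
# enforced and the running script is unsigned.
"PowerShell language mode of this session: $($ExecutionContext.SessionState.LanguageMode)"

Get-ScriptSigningReadiness -Path 'C:\LOBScripts' |
    Sort-Object FullFunctionalityUnderCI, Signature |
    Format-Table -AutoSize
```

Run it once on an unlocked machine and once under an enforced policy: the scripts flagged with FullFunctionalityUnderCI = False are the ones to sign or catalog before moving out of audit mode.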
Configurable Code Integrity and AppLocker
Complementary features to whitelist application/code execution on Windows
Configurable Code Integrity (CCI) sets machine policy
AppLocker for user role-specific policies, managing UWP apps, and managing .bat/.cmd
Signed Device Guard CI policy protects from local admin:
Signed policy stored in pre-OS secure variable
Requires a newer signed policy to update; cannot be deleted by an admin
Becomes a "machine" level policy, which means boot from media must be compliant
Measured into the TPM and part of device health attestation

"That all sounds great. But... whitelisting is still too hard!"
- Every IT Pro in the World

Demo: Introducing Trusted Managed Installers

Simplifying Whitelist Management
Managed Installer: automatically trust software installed by your IT app deployment solution (e.g. SCCM)
Available in RS1 as a custom AppLocker policy, with configurable CI support coming soon
Enables enterprises to better balance security and manageability

Virtualization Based Protection of Code Integrity

Virtualization based security (VBS): A new trust boundary for Windows
Secure execution environment isolated from the high-level OS
Enhanced OS protection against attacks (including attacks from kernel mode)
Protection of secrets (e.g. derived user credentials)
Protection of guest VM secrets from the host OS

KMCI protected by VBS
Code integrity (CI) rules enforced even if a vulnerability allows unauthorized kernel mode memory access
Memory pages are only marked executable when CI validation succeeds
Kernel memory cannot be marked both writable and executable
BUT... not all drivers will be compatible

Diagram: KMCI in Windows 8.1. The host OS has user mode and kernel mode in a single "Normal World"; KMCI lives in the same kernel as malware ("Howdy Peer!"), above the firmware (UEFI) and hardware (TPM, virtualization extensions, IOMMU).
Diagram: Secure trustlets and KMCI with Windows 10 VBS. The hypervisor divides the measured host OS into a Normal World (normal apps, LSASS, the kernel and any malware in it) and a Secure World (LSAIso, secure apps, KMCI) separated by a hardened boundary; malware in the normal kernel can no longer reach KMCI ("I thought we could be friends"). Below them sit the hypervisor, firmware (UEFI) and hardware (TPM, virtualization extensions, IOMMU).

20
INTRODUCING Device Guard and Credential Guard Readiness Tool
11/11/2018 4:22 PM INTRODUCING Device Guard and Credential Guard Readiness Tool Verify device compatibility with Device Guard and Credential Guard Hardware and virtualization support Driver compatibility with HVCI Audit status of DG/CG on systems Use SCCM or other management solutions to automate end-to-end deployment of DG/CG Can use the tool to automate enablement of DG/CG © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Demo: Readiness Tool

Preparing for Device Guard

Planning for Device Guard: Considerations
Configurable CI works on any Windows 10 PC
Choose the right policy options based on scenarios/machine configurations and maturity of IT
Policy management can be complicated by the diversity of hardware and software
VBS and HVCI have specific hardware requirements: virtualization and IOMMU; Microsoft Hyper-V hypervisor; driver compatibility!
New or existing systems?

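For the compatibility and status checks covered by the Readiness Tool slide and the hardware requirements on the planning slide, an added example (not the Readiness Tool and not from the session) that reads the Win32_DeviceGuard WMI class Windows 10 exposes and decodes it into a triage record; the HVCI readiness test follows the deck's own requirement list (virtualization plus IOMMU).

```powershell
# Added example, not the Readiness Tool: decode Win32_DeviceGuard so a fleet can
# be triaged before VBS/HVCI or a CI policy is turned on. Run as administrator.
function Get-DeviceGuardReadiness {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Numeric codes as documented for the Win32_DeviceGuard class.
    $properties = @{ 0 = 'None'; 1 = 'Hypervisor support'; 2 = 'Secure Boot'
                     3 = 'DMA protection (IOMMU)'; 4 = 'Secure Memory Overwrite'
                     5 = 'NX protections'; 6 = 'SMM mitigations'
                     7 = 'Mode Based Execution Control' }
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $vbsState = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ciState  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    # Translate a list of codes through a map, keeping unknown codes visible.
    $decode = {
        param($map, $codes)
        @($codes | ForEach-Object {
            if ($map.ContainsKey([int]$_)) { $map[[int]$_] } else { "code $_" }
        })
    }

    $available = & $decode $properties $dg.AvailableSecurityProperties
    $required  = & $decode $properties $dg.RequiredSecurityProperties
    # Anything policy requires but the platform lacks blocks VBS from starting.
    $missing   = @($required | Where-Object { $available -notcontains $_ })

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        VBSStatus           = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties = $available -join ', '
        MissingRequired     = $missing -join ', '
        ServicesConfigured  = (& $decode $services $dg.SecurityServicesConfigured) -join ', '
        ServicesRunning     = (& $decode $services $dg.SecurityServicesRunning) -join ', '
        KernelModeCIPolicy  = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCIPolicy    = $ciState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        # The deck's hardware preconditions for VBS/HVCI: virtualization and IOMMU.
        MeetsDeckHardwareReqs = ($available -contains 'Hypervisor support') -and
                                ($available -contains 'DMA protection (IOMMU)')
    }
}

Get-DeviceGuardReadiness | Format-List
```

Collected across a fleet (for example through a configuration baseline), MissingRequired and MeetsDeckHardwareReqs separate Device Guard "capable" devices from those that can only run configurable CI without VBS.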
Device Guard Scenarios and Recommendations
Fixed workloads (tightly managed): very well-defined software and hardware configurations; low churn; no user or standard user only. Recommendation: turn on VBS protection of Kernel Mode Code Integrity; deploy a configurable code integrity policy with both kernel and user mode rules generated from "golden" system(s).
Fully managed (tightly managed): well-defined hardware configurations; managed software only; ideally standard user only. Recommendation: turn on VBS protection of Kernel Mode Code Integrity; deploy a configurable code integrity policy with both kernel and user mode rules created from "golden" system(s) or based on the DGSP default policy; optionally, use Managed Installer to simplify policy management.
Lightly managed: multiple and varied hardware configurations; users can install "unmanaged" software; standard or admin users. Recommendation: turn on VBS protection of Kernel Mode Code Integrity; deploy configurable code integrity in audit mode, or KMCI enforced only; optionally, use Managed Installer to simplify policy management.
BYOD: personally owned devices; highly variable hardware and software. Device Guard is not appropriate.

Deploying Device Guard
Buy Device Guard "ready" machines from OEMs, or use the Device Guard and Credential Guard Readiness tool to identify Device Guard "capable" devices
Use Windows Store for Business to create the default code integrity policy and catalog sign LOB apps
Create policy from "golden" systems and sign apps with Windows Store for Business or internal PKI
Use Managed Installer to simplify manageability

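An added example, not the session's demo, walking the policy lifecycle described on the code-signing, signed-policy and deployment slides with the ConfigCI cmdlets in Windows 10: scan a golden system, soak in audit mode, fold audited binaries in, then move to a signed, enforced policy. Working paths, the signer certificate and the signtool invocation are assumptions.

```powershell
# Added example, not the deck's own demo: configurable CI policy lifecycle
# using the ConfigCI module. Run as administrator on a clean "golden" machine.
# $work, the certificate and the signtool command are placeholders.
$work = 'C:\CIPolicy'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Scan the golden system. -UserPEs adds user-mode binaries (UMCI);
#    Publisher-level rules survive app updates, hash rules cover unsigned files.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -FilePath "$work\Golden.xml"

# 2. Start in audit mode (rule option 3): violations are logged, not blocked.
Set-RuleOption -FilePath "$work\Golden.xml" -Option 3
ConvertFrom-CIPolicy -XmlFilePath "$work\Golden.xml" -BinaryFilePath "$work\SIPolicy.bin"
# Deploy by copying the binary to the documented single-policy location and rebooting:
# Copy-Item "$work\SIPolicy.bin" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# 3. After a soak period, see what would have been blocked: CodeIntegrity event 3076.
$audit = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
} -ErrorAction SilentlyContinue
"{0} audit events recorded since the policy was deployed" -f @($audit).Count

# 4. Build rules from the audit log for the binaries you decide to trust,
#    then merge them with the golden-system policy.
New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath "$work\AuditRules.xml"
Merge-CIPolicy -PolicyPaths "$work\Golden.xml", "$work\AuditRules.xml" `
               -OutputFilePath "$work\Merged.xml"

# 5. Move to enforcement: drop audit mode, register the enterprise signer as the
#    only allowed policy updater, and remove option 6 (unsigned policy allowed)
#    so an admin cannot replace the policy without a newer signed one.
Set-RuleOption -FilePath "$work\Merged.xml" -Option 3 -Delete
Add-SignerRule -FilePath "$work\Merged.xml" -CertificatePath "$work\PolicySigner.cer" -Update
Set-RuleOption -FilePath "$work\Merged.xml" -Option 6 -Delete
ConvertFrom-CIPolicy -XmlFilePath "$work\Merged.xml" -BinaryFilePath "$work\SIPolicy.bin"

# 6. Sign the binary with the Windows SDK signtool (certificate name is a
#    placeholder) and deploy it the same way as in step 2.
# signtool sign /v /n "PolicySigningCert" /p7 $work /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 "$work\SIPolicy.bin"
```

Keep the audit-mode soak long enough to cover normal business cycles (month-end tooling, patch days) before step 5, since anything missed is blocked, not logged, once enforcement is on.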
Resources
Device Guard and Credential Guard Readiness Tool
Device Guard signing in Business Store Portal
Managing Device Guard with SCCM blog
SCCM as a Managed Installer blog
Device Guard deployment guide
Ignite 2015 Device Guard session
Windows 10 Device Guard Overview en Français