Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Windows Microsoft Security

Microsoft Announces Device Guard For Windows 10 190

jones_supa writes: Microsoft has announced a new feature for Windows 10 called Device Guard, which aims to give administrators full control over what software can or cannot be installed on a device. "It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. ... To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege." It's intended to be used in conjunction with traditional anti-virus, not as a replacement.
This discussion has been archived. No new comments can be posted.

Microsoft Announces Device Guard For Windows 10

Comments Filter:
  • by ZorinLynx ( 31751 ) on Wednesday April 22, 2015 @08:44AM (#49527205) Homepage

    This actually sounds like a great idea. Whitelist all the executables on your system. Then, if something tries to execute that's not whitelisted, throw up a dialog explaining what's going on. This would catch sneaky attempts to execute trojans in a lot of cases.

    One downside is it probably wouldn't work with interpreted languages, and those can be fairly powerful. But it's a start.

    • It also wont block Malware from "Trusted Malware suppliers".

      I think it is safe to presume the signing process will be hacked in a matter of hours.

      • by Greyfox ( 87712 ) on Wednesday April 22, 2015 @09:26AM (#49527653) Homepage Journal
        "Trusted Malware Suppliers"

        You mean, like SONY?

        • by ron_ivi ( 607351 )
          Not just Sony.

          McAfee, Norton, Oracle (that damn Ask toolbar), HP Support Assistant, Razer mice [boingboing.net], Skype [dogtownmedia.com].

          Heck, it seems most Windows software has a "malware" buisness model these days.

      • I think it is safe to presume the signing process will be hacked in a matter of hours.

        Code signing uses the same cryptographic technology as SSL-TLS, and is used by many operating systems already (the notable exception being Linux). The only real way for this system to be subverted is the same as for the web - for a trusted certificate authority to either lose or misuse their private keys, which would allow a certificate to be spoofed.

        So, no, the signing system isn't going to be hacked. Code signing isn't a new feature. It's already been a part of Windows for many years. This is just an

        • Code signing uses the same cryptographic technology as SSL-TLS, and is used by many operating systems already (the notable exception being Linux). The only real way for this system to be subverted is the same as for the web - for a trusted certificate authority to either lose or misuse their private keys, which would allow a certificate to be spoofed.

          So, no, the signing system isn't going to be hacked. Code signing isn't a new feature. It's already been a part of Windows for many years. This is just an additional enterprise feature that happens to use it.

          What's the best way to wash sand out of your hair?
          Where'd you get those wraparound granny sunglasses?
          Do you prefer Icy Hot or Bengay for severe stiffness and cramps?
          Etc.

          Maybe you had your head in the sand, were stuck in a cave, or were living under a rock for the past eon, so I'll just point out that the "trusted" certificate "authorities" have repeatedly proven themselves to be untrustworthy and unauthoritative.

          • I'll just point out that the "trusted" certificate "authorities" have repeatedly proven themselves to be untrustworthy and unauthoritative.

            No shit, which is why I mentioned that this could be circumvented if the private keys are compromised. Compromised certificate authorities are definitely the Achilles heel of the system, and my concern is that we trust far too many of them at this point, and there's little to prevent one root from impersonating another.

            Even so, code-signing still generally does it's job reasonably well, as most hackers don't have the resources or skills to acquire private root certificate keys. No system is completely foo

    • This actually sounds like a great idea. Whitelist all the executables on your system.

      If this were done well, it could be useful (if occasionally annoying).

      That said, I suspect the definition of "executables" is what's going to cause the biggest headache. Sure, an EXE file is an executable. Sure, so is an SCR. But these days there's so much interpreted code that it's not clear what is a .NET app or Java app and what isn't. How about Flash content? It's sort of executable in that a runtime will process it and DO something. But wait, there's more. PDFs have macros, as do most document

    • You've been able to do exactly this for ages via group policy.
      I believe there's even a mechanism to whitelist via certificate (so you don't have to whitelist each time there's an update), though I've never used it.

      I'm not sure what's "new" about this feature. Perhaps moving this piece to a separate virtualized ring and relying on hardware virtualization features?

    • Couldn't you already create this "executable whitelist" if you setup software restriction policies ? (https://technet.microsoft.com/en-us/library/hh994620.aspx)
  • by Anonymous Coward on Wednesday April 22, 2015 @08:49AM (#49527245)

    This does almost nothing. Just more window dressing.

    Most applications DO come from "trusted vendords" (such as Microsoft itself). Yet the virus attacks continue, and the security failures continue.

    • Unless I'm misunderstanding this, it's what your IT department trusts by applying its own signature; Microsoft is providing its own list of "trusted" sources, but your organization would still have to whitelist them along with whatever else it wants. This should hypothetically give administrators an easy way to grant limited software installation privileges to users, making it easier to allow/disallow certain software by request. While it doesn't address deeper problems like signature spoofing, it should re
    • by Jawnn ( 445279 )

      This does almost nothing. Just more window dressing.

      Most applications DO come from "trusted vendords" (such as Microsoft itself). Yet the virus attacks continue, and the security failures continue.

      You don't understand. This isn't an "antivirus" solution. It works in completely different manner, one designed specifically to be effective even in the presence of porous and buggy operating systems like Windows. That approach is already being used, effectively.

  • by PPH ( 736903 )

    Everyone is a Windows Administrator. So how well will this really work?

    Most non IT people will just see the popup saying "Blah, blah blah blah. Blah blah, blah, unsigned blah blah." And click the button that says, "Make the nasty popup go away and run the neat app I just downloaded."

    • by Trepidity ( 597 )

      Not always in corporate settings, which is probably what this is aimed at. It's admittedly super-annoying to have to use a machine where you don't have administrator access, but it happens.

    • This is true for home users, but anyone connected to an enterprise domain who doesn't work for the help desk probably knows the pain of not having an administrator account. Even people who fall under the auspices of "IT" often don't have administrator accounts, if they aren't part of the team that holds the keys to the castle.

      I know many software engineers who don't have admin rights on their PCs. It'll be interesting to see the tug of war over this, between paranoid IT guys and the rest of the people who a

      • As a developer, it's always fun when I have to submit a ticket to get a simple Visual Studio plugin installed, wait a month, get signoffs from my manager, IT, the desktop testing lab, and finally get it installed by someone in India that doesn't know how to install it. He then proceeds to close the ticket even though it's not configured right and I can't configure it without admin rights. We need a better system.
      • by PPH ( 736903 )

        This is true for home users,

        And the BYOD crowd. And the telecommuters, who's systems could be configured who knows how when they aren't connected to the company VPN. Or the CEO who can't figure out why he can't take his company laptop to Starbucks and download whatever the hell he wants.

    • The idea is that there are different levels of control: "All good, Warning, Deny".

      Application control already exists through group policies. What this does is make it easier for the administrators to manage but it also brings another level of flexibly which is virtualization. Windows 10 comes with built-in virtualization which will allow isolation of the instance being run. This will further protect the system. I believe some antivirus are already doing this but obviously MS is trying to make the OS provide

    • If you set up the permissions in your organization correctly that doesn't happen, however on home pc yes very much so.

      I'm considering making my next pc Ubuntu LTS with KDE. I built one for my brother... he saw the price tag on win7 and said let try Ubuntu, I can always buy windows later if I don't like it. It's been about three months and him and his wife love it.

  • by Anonymous Coward

    Remember that Stuxnet used drivers signed with "stolen" Realtek and JMicron certificates. Lots of malware is signed with fake, stolen, or weak certs. Hell, some manufacturers like Lenovo even included malware like Superfish on new laptops. Will Deviceguard prevent that from happening?

  • by xxxJonBoyxxx ( 565205 ) on Wednesday April 22, 2015 @09:03AM (#49527407)

    Unless Microsoft's changed something, you can still change the code in (non-device driver) SIGNED executables. (Try it today by flipping a few junk bits in a signed app and see if Microsoft notices the difference.) If that remains true, this isn't much of a deterrent to malware at all.

    Furthermore, some of the biggest recent hacks (e.g., Sony) used a SIGNED commercial device driver (running in trial mode) to circumvent NTFS permissions; a default scheme that allows only signed executables wouldn't stop that down either.

    • I think anybody with enough of a system background knows you can fool a certificate system locally but how does the external malware know what certificates your organization allow? As for apps from the app store, you cannot fool it into providing a different certificate than it's authentic one.

      Considering most apps will eventually be app store downloads/purchases, I suspect their strategy is pretty sound.

      • >> how does the external malware know what certificates your organization allow

        The same way hackers with malicious HTTPS sites do today. They look at the ungodly-long list of default Microsoft CA certs, find a "broken" CA in that list that can be corrupted or whose issuer doesn't really care, and get a signed certificate that looks legit to 99.9% of all corporate users today.

        (So far the signing system for Microsoft has also used the Microsoft Certificate Store; the certificates used to allow signed e

        • The point is that it makes it a lot harder for malware to target masses. The malware creator needs to fake the right certificate and hope the users make the mistake of running their malware AND it most not be known to AV. That's increased the difficulty significantly.

  • by Ed Tice ( 3732157 ) on Wednesday April 22, 2015 @09:05AM (#49527415)
    Most of the posts on here are of the variety that this is taking away a fundamental human right or that everybody is an administrator so it's a meaningless feature. In the corporate IT world, this is hugely valuable. Most non-programmers *don't* have administrator privileges. But, even if they do, you don't want to allow untrusted binaries. Windows has local administrators and domain administrators. Nobody is a domain administrator. Even local admin privileges won't let you override a group policy. This really is as near perfect solution as you can get. As far as interpreted languages... uh, non-programmers don't need to have interpreters on their machines. Some "interpreted" languages (like the .Net CLR) will honor this and not interpret things that aren't properly signed. So I see this as a big win. Although it's hugely helpful for the large organizations who spend billions of dollars on IT, I do agree that it's a bit of an inconvenience for people who live in their parent's basement and run pirated copies of Windows while claiming to live and die by Linux.
    • I do agree that it's a bit of an inconvenience for people who live in their parent's basement and run pirated copies of Windows while claiming to live and die by Linux

      Lol!! That was me 10 years ago.

    • by Nemyst ( 1383049 )
      I think the only potential weaknesses would be Java, Flash and browsers which now run a bunch of apps of their own. Java still only ever shows up as a single executable and is easily the biggest security risk in that context. Mind you, you might be able to get away with not having Java installed in a corporate environment, depending on your in-house platform of choice.
    • First, let me say that I totally agree that "regular" users -- those who are not programmers or testers or system administrators -- do not typically need administrative rights, nor do they, in the ideal case, need the ability to run unauthorized third-party programs.

      HOWEVER, my concern is that there will be many inappropriate and heavy-handed uses of this technology called "Device Guard" by IT departments that are not effectively satisfying the needs of their users.

      Firstly, every IT department would, in an

      • And for heaven's sake, if you're an IT administrator and reading this, please, please, PLEASE stop forcing users to run IE 6/7/8 and nothing else. At a bare minimum, install and support Firefox ESR. It is not in your job description to take pleasure in your users' suffering. ;)

      • One client I worked for, software developers were issued 2 PCs. One for email, Word and Excel documents, and other office stuff. The other for SW development. There was also a separate LAN for the SW dev PCs. The only support IT provided for the SW dev PCs was (1) an install DVD so we could re-install Windows and (2) hardware repairs (for example, replace a failed hard drive). Otherwise, IT treated us like an outside vendor.

  • by david.emery ( 127135 ) on Wednesday April 22, 2015 @09:05AM (#49527425)

    If you look at Windows NT and beyond, it was all about removing capabilities from untrusted users, and placing them in the hands of IT staff/CIOs. That was a huge success for Microsoft, CIOs -control the budget- and decide what gets purchased. So they stuck with what empowered them, regardless of whether this was good for the user community, and whether the Microsoft monoculture created more problems -and more costs- than it solved. (After all, the measure of 'power' in many organizations is the size of the budget and staff, growing the CIO budget and hiring more IT workers equated to more CIO power.

    So now, with the growth of non-PCs (phones, tablets, even IoT) in companies, Microsoft once again plays to (you could say 'panders to') the CIO and ability to control the device.

    This could be quite a battle, with Apple/IBM (and presumably Google/Android soon) providing business services to the user community, versus Microsoft providing control (and familiarity) to the CIO community.

    • by Nemyst ( 1383049 )
      You're severely misrepresenting things here: the notion of putting IT staff in control and removing privileges from users is a fundamental part of how corporate IT is supposed to work. Linux does the exact same thing in that context. You are using and working your employer's hardware: they, not you, get to decide how it's run and what happens on it. You're free to ask them about something, but you don't get to install your own shit because you wanted to. A dumb user installing a cat screensaver trojan doesn
      • I documented the change of control, and noted Microsoft profited from enabling that change. If that's characterized as "misrepresenting" things, so be it.

        When Corporate IT provides all employees with a charge number, from the CIO's budget, to use when the IT keeps the employee from being productive, then maybe I'll have more sympathy for corporate IT. How many times, for example, has your computer been forced to reboot in the middle of the day because IT decided to roll out some change? How many times ha

  • a lot of the malware out there is "trusted" crap from "partners"

    So now we will have Microsoft certified SAFE malware....

  • This sounds like new lipstick on the Windows UAC [microsoft.com] pig. From the UAC page:

    User Account Control (UAC) helps defend your PC against hackers and malicious software. Any time a program wants to make a major change to your computer, UAC lets you know and asks for permission.

    This new "feature" looks like yet another security prompt that the user is going to click through.

  • by mccalli ( 323026 ) on Wednesday April 22, 2015 @09:19AM (#49527595) Homepage
    This sounds a lot like Gatekeeper on the Mac, which works really well. It allows the user several levels of trust - "trust store apps only", "trust store apps plus recognised developers" (certificate signed), "allow everything".

    I have mine set to "store apps plus recognised developers" and ask for the rest. If I run something else, I can right click and select Open..., it asks me if I'm sure and I say yes. This is a five second operation which gives me control over my options, whilst preventing unknown apps from running without my knowledge and explicit say so. This Windows one sounds pretty much the same, with the addition of your classic enterprise lock down features - it it's a corporately-owned machine, then yes the corporate should get say over what's running on it.

    Imagine the kind of download-happy, click-on-everything user that we've all seen around. They would download cunningly-disguised-malware.exe and try to run it, and the OS would simply prevent them. Now true if they had admin rights they could go into preferences, set to allow everything etc. but it's all more effort and a quick realisation that something's unusual here.

    Nope, I regard this as a good move. It already exists in OS X and works well - putting a similar system into Windows seems like a good idea to me.
  • by Da w00t ( 1789 ) on Wednesday April 22, 2015 @09:21AM (#49527617) Homepage
    Bit9's application whitelisting product was leveraged to attack customers using it.

    http://krebsonsecurity.com/201... [krebsonsecurity.com]
    • by Nemyst ( 1383049 )
      By that logic, SSL is also broken, and so is any form of encryption: if you have the key, you're shit out of luck. Thankfully, getting the key(s) is a lot more complicated than you make it sound.
  • Ok, so this will prevent a modified "acrobat.exe" from running without a prompt. But running a properly-signed "acrobat.exe" to open evil.pdf still pwns the machine. You can also completely pwn a system by interacting with PowerShell. Wanna bet that in a corporate environment (which this is intended to help) powershell.exe will be allowed to run? (and thirdly, this functionality already exists since XP, in the form of "Parental Controls" and/or AppLocker.) --Joe
  • by jd142 ( 129673 ) on Wednesday April 22, 2015 @09:37AM (#49527751) Homepage
    So this feature has been around in some form or another since at least 2003. See https://technet.microsoft.com/... [microsoft.com] for how to implement it 12 years ago. It included the ability to make generate a hash for an executable, so if you needed people to run foobar.exe version 1.1.1.1, you generated the hash and then people could not run 1.1.1.0 or 1.1.1.2. You could also do certificates from trusted publishers, etc. It looks like there are a few new features, including virtualization options, but this is really just a rebranding of an existing feature to make it more prominent for the end user. Something all corporations do.
  • one more reason to get a new computer WITHOUT A OS
    That way i can install MY OWN NON Microsoft OS

  • Device Guard; the proven security model of ActiveX.

  • I could see this being useful for my desktop. I think all of my games are signed, I would need to check. But if it became common practice, this could be useful. I could create a whitelist.
  • Looks like MS is going to kill McAfee's application control(used to be solidcore) product.

Genius is ten percent inspiration and fifty percent capital gains.

Working...