Information Technology News.

There's a new security feature in Windows 10 called Device Guard


April 24, 2015

This week at the RSA conference in San Francisco, Microsoft vice president Scott Charney outlined a new security system in Windows 10 called Device Guard. Here's a closer look at how it works and what it can do for the average user.

The details are still a bit sketchy for now, but more information should emerge at Microsoft's Build conference next week.

From what we can tell so far, Device Guard wraps an extra layer of enforcement around the operating system to prevent malware from gaining a persistent foothold on a PC or laptop.

When enabled by an administrator, Device Guard checks that each and every application is cryptographically signed by a signer the administrator's code integrity policy trusts, whether that is Microsoft, the Windows Store, or the enterprise's own signing key, before it is allowed to run.

The new system goes a step further than Microsoft's previous code-signing checks. The Device Guard enforcement component runs in its own isolated region of memory, inside a minimal instance of Windows, and is kept separate from the rest of the operating system by the hypervisor together with the IOMMU features of the PC's processor and motherboard chipset.

The IOMMU walls Device Guard off at the hardware level, so that devices and other software cannot reach its memory through DMA, no matter how low-level that software is, according to the software behemoth.

If the Windows 10 kernel is ever compromised, Device Guard remains firewalled off and cannot be subverted into allowing unauthorized code to run.

A hypervisor running beneath both the kernel and Device Guard enforces this separation at all times.

On paper it looks clever. In practice, similar "secure execution environments" have been defeated in the past, so the isolation is only as strong as the hypervisor and firmware beneath it.

The goal is to stop miscreants from installing persistent malware on a machine, limiting the long-term damage an attacker can do.

"If you want to create a persistent threat on Windows you have to get code running in the kernel, because then you can get under apps, under a lot of safeguards, and change the behavior of the system," said Dustin Ingalls, Microsoft's group program manager for operating system security.

"With MS' Device Guard, we take at least a similar-sized step forward as the change for Windows 8 by making a bet on hypervisor-based security. With Windows 10, what will happen is that the hypervisor will be on all the time. You'll have your main OS, but what you'll also have is this very tiny, constrained version of Windows with no network or display stack. It's designed to be a very tiny, tightly controlled secure execution environment."

Ingalls added that Device Guard will approve trusted universal apps on Windows 10 desktops, tablets and phones.

Applications from the Windows Store will already be signed and ready to run under Device Guard. Enterprises with legacy apps can submit hashes of the executables to Microsoft's signing service and get them signed within minutes, we're told.

"When apps are submitted to the Store, those apps go through vetting and all kinds of security checks," Ingalls said.

"But if an enterprise is saying 'Hey, sign this for me,' it will be done with a key that only works for that company. If that enterprise wants to sign bad code, they are entitled to do that – we're not trying to say we'll only sign this or that. All we're doing is trying to make it easy for you to get an app signed so the new defenses will allow this piece of software to run," he added.
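The signing story above only works if the administrator's code integrity policy actually trusts the signers involved. The following is an added example, not Microsoft's code or anything shown at RSA, of how an administrator would author such a policy on a shipped Windows 10 build using the ConfigCI PowerShell module: a baseline built from a clean reference machine, plus a rule for a line-of-business app signed with the enterprise's own key, deployed in audit mode first. The paths `C:\LOBApps` and `C:\CIPolicy` are placeholders.

```powershell
# Added example (not from the article): build a Device Guard code integrity
# policy that trusts the signers found on a clean reference machine plus a
# line-of-business app signed with the enterprise's own certificate, and stage
# it in audit mode. Assumes Windows 10 with the ConfigCI module, run elevated.
# C:\LOBApps and C:\CIPolicy are placeholder paths.

$work = 'C:\CIPolicy'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Baseline: scan the reference image. -Level Publisher trusts the signing
#    certificate (issuing CA + publisher) rather than individual file hashes,
#    so updates from the same signer keep running. -Fallback Hash covers any
#    unsigned files found; -UserPEs includes user-mode executables, not only
#    kernel drivers.
New-CIPolicy -FilePath "$work\Baseline.xml" -Level Publisher -Fallback Hash `
    -ScanPath 'C:\' -UserPEs

# 2. Enterprise-signed app: scan only the LOB folder so the resulting rule
#    trusts that company's signing certificate (the per-enterprise key the
#    article describes) rather than whatever else is on disk.
$lob = Get-SystemDriver -ScanPath 'C:\LOBApps' -UserPEs -NoShadowCopy
New-CIPolicy -FilePath "$work\LOB.xml" -Level Publisher -DriverFiles $lob

# 3. Merge the two, then make sure option 3 (Enabled:Audit Mode) is set so
#    violations are only logged to Microsoft-Windows-CodeIntegrity/Operational,
#    and option 0 (Enabled:UMCI) so the policy applies to apps, not only drivers.
Merge-CIPolicy -PolicyPaths "$work\Baseline.xml","$work\LOB.xml" `
    -OutputFilePath "$work\Merged.xml" | Out-Null
Set-RuleOption -FilePath "$work\Merged.xml" -Option 3
Set-RuleOption -FilePath "$work\Merged.xml" -Option 0

# 4. Compile to the binary form the kernel loads, and stage it where the
#    code integrity engine picks it up at the next boot.
ConvertFrom-CIPolicy -XmlFilePath "$work\Merged.xml" -BinaryFilePath "$work\SIPolicy.p7b"
Copy-Item "$work\SIPolicy.p7b" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# Only after reviewing the audit events over a test period: remove option 3
# (Set-RuleOption -FilePath ... -Option 3 -Delete), rebuild, and redeploy to enforce.
```

If the enterprise app is catalog-signed (which is what Microsoft's hash-based signing service produces) rather than carrying an embedded signature, pass `-PathToCatroot` to `New-CIPolicy` so the catalog's signer is captured in the rule. Skipping the audit phase is the usual mistake: a policy that omits one signer used by a boot-critical driver will block that driver at the next boot.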

There is, of course, a catch. To get Device Guard working, a supported IOMMU must be present in the PC or device. Intel and AMD processors, and even certain ARM and MIPS cores, have had IOMMU protection built in for a while already.

Intel calls its IOMMU technology VT-d and AMD calls its AMD-Vi, but both work in a very similar manner: they let the system restrict which physical memory each device is allowed to reach by DMA.

When Windows 10 comes out this summer, computer giants such as HP, Dell, Lenovo, Acer, and Toshiba, will tout their hardware as Device Guard-capable or Device Guard-ready.

Device Guard-ready systems will have the required IOMMU hardware present, kernel drivers optimized for Device Guard installed, and the security feature enabled.

Device Guard-capable devices will have just the IOMMU hardware present, leaving the driver installation and configuration up to the user.

There may be an extra cost for Device Guard-ready systems over Device Guard-capable products, but that's up to the manufacturers, Microsoft said.
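The capable-versus-ready distinction above is something an administrator will want to check on the machines they already own rather than trust the sticker on the box. The script below is an added example, not from the article or from Microsoft, that reads the `Win32_DeviceGuard` WMI class shipped in Windows 10 and reports whether the hardware prerequisites the article names (hypervisor support and an IOMMU) are present and whether hypervisor-enforced code integrity is actually running. The numeric codes decoded in the script follow Microsoft's documentation for that class; the "capable" and "ready" labels are this example's own mapping of the article's terms onto those fields.

```powershell
# Added example (not from the article): report whether this machine is Device
# Guard-capable (hypervisor + IOMMU present) and Device Guard-ready (HVCI
# running), using the Win32_DeviceGuard WMI class exposed by Windows 10.
# Assumes Windows 10; the decode tables follow Microsoft's documentation.

function Get-DeviceGuardReadiness {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Platform security properties the firmware and hardware report.
    $props = @{
        1 = 'Virtualization-based security (hypervisor)'
        2 = 'Secure Boot'
        3 = 'DMA protection (IOMMU: VT-d / AMD-Vi)'
        4 = 'Secure memory overwrite'
        5 = 'UEFI code read-only'
        6 = 'SMM security mitigations'
    }
    $services = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity (HVCI)' }
    $vbsState = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'running' }
    $ciState  = @{ 0 = 'off'; 1 = 'audit mode'; 2 = 'enforced' }

    $available = @($dg.AvailableSecurityProperties)
    $required  = @($dg.RequiredSecurityProperties)
    $running   = @($dg.SecurityServicesRunning)

    # "Capable": the two hardware prerequisites the article names are present.
    # "Ready": capable, and HVCI is actually running on top of them.
    $capable = (1 -in $available) -and (3 -in $available)
    $ready   = $capable -and (2 -in $running)

    [pscustomobject]@{
        Capable             = $capable
        Ready               = $ready
        # Properties the configured policy demands but the platform lacks;
        # a non-empty list here is why VBS is "enabled but not running".
        MissingProperties   = @($required | Where-Object { $_ -notin $available } |
                                  ForEach-Object { $props[[int]$_] })
        AvailableProperties = @($available | ForEach-Object { $props[[int]$_] })
        VBS                 = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning     = @($running | ForEach-Object { $services[[int]$_] })
        KernelCIPolicy      = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCIPolicy    = $ciState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

Get-DeviceGuardReadiness | Format-List
```

Run it from an elevated PowerShell prompt. A machine the vendor sells as Device Guard-capable should show property 3 (DMA protection) under AvailableProperties even when VBS reads "not enabled"; if the IOMMU is missing from that list, no amount of driver installation or configuration will turn the box into a Device Guard-ready one, which is the distinction the article draws.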

In the longer term, it's hoped that cost will disappear. "Device Guard has to be one of the most compelling security innovations we've shipped in Windows," Ingalls said. "But it doesn't signal an end to malware. It makes it much more difficult, especially in the world where you're dealing with cybercriminals."

Source: Microsoft.


All logos, trade marks or service marks on this site are the property of their respective owners.


       © IT Direction. All rights reserved.