Why Windows 10 is the most secure Windows ever

With Device Guard and Credential Guard, Windows enjoys unprecedented protection from malware and advanced persistent threats

Microsoft added two game-changing security features for enterprise users in Windows 10, but until recently, the company has been relatively quiet about them.

So far the buzz has mainly been about Windows Hello, which supports face and fingerprint recognition. But Device Guard and Credential Guard are the two standout security features of Windows 10 -- they protect the core kernel from malware and prevent attackers from remotely taking control of the machine. Device Guard and Credential Guard are intended for business systems and are available only in Windows 10 Enterprise and Windows 10 Education.

Device Guard relies on Windows 10’s virtualization-based security to allow only trusted applications to run on devices. Credential Guard protects corporate identities by isolating them in a hardware-based virtual environment. Microsoft isolates critical Windows services in the virtual machine to block attackers from tampering with the kernel and other sensitive processes. The new features rely on the same hypervisor technology already used by Hyper-V.

Using hardware-based virtualization to extend whitelisting and protecting credentials was a “brilliant move” by Microsoft, said Chester Wisniewski, senior security strategist for Sophos Canada, an antivirus company.

Microsoft published tehnical guides for Device Guard and Credential Guard on TechNet last week.

Apps on lockdown

Device Guard relies on both hardware and software to lock down the machine so that it can run only trusted applications. Applications must have a valid cryptographic signature from specific software vendors -- or from Microsoft if the application comes from the Windows Store.

Although there have been reports of malware code writers stealing certificates to sign malware, a significant majority of malware is unsigned code. The reliance of Device Guard on signed policies will block most malware attacks.

“It is a great way to protect against zero-day attacks that make it by antimalware defenses,” Trump said.

While this approach is similar to what Apple does with its App Store, there's a twist: Microsoft recognizes that enterprises need a wide array of applications. Businesses can sign their own software without having to make changes to the code, and for applications they know and trust (custom software they bought, for example), they can sign those applications, too. In this way, organizations can create a list of trusted applications independent of whether the developer obtained a valid signature from Microsoft.

This puts organizations in control of which sources Device Guard considers trustworthy. Device Guard comes with tools that can make it easy to sign Universal or even Win32 apps that may not have been originally signed by the software vendor. Clearly, Microsoft is looking for middle ground between a total lockdown and keeping everything open, enabling organizations to “have their cake and eat it, too,” Wisniewski said.

Under the hood, Device Guard is more than another whitelisting mechanism. It handles whitelisting in a way that is actually effective because the information is protected by the virtual machine. That is, malware or an attacker with administrator privileges cannot tamper with the policy checks.

Device Guard isolates Windows services that verify whether drivers and kernel-level code are legitimate in a virtual container. Even if malware infects the machine, it cannot access that container to bypass the checks and execute a malicious payload. Device Guard goes beyond the older AppLocker feature, which could be accessed by attackers with administrative privileges. Only an updated policy signed by a trusted signer can change the app control policy that has been set on the device.

“It’s exciting for Windows to put this right in the box,” said Trump. “It may become a corporate standard.”

Isolating secrets

Credential Guard may not be as exciting as Device Guard, but it addresses an important facet of enterprise security: It stores domain credentials within a virtual container, away from the kernel and user mode operating system. This way, even if the machine is compromised, the credentials are not available to the attacker.

Advanced persistent attacks rely on the ability to steal domain and user credentials to move around the network and access other computers. Typically, when users log into a computer, their hashed credentials are stored in the operating system’s memory. Previous versions of Windows stored credentials in the Local Security Authority, and the operating system accessed the information using remote procedure calls. Malware or attackers lurking on the network were able to steal these hashed credentials and use them in pass-the-hash attacks.

By isolating those credentials in a virtual container, Credential Guard prevents attackers from stealing the hash, restricting their ability to move around the network. The combination of Device Guard and Credential Guard could go a long way toward locking down an environment and stopping APT attacks.

“Microsoft’s Implementation may not be as easy as some vendors, and Microsoft may not have a fancy dashboard, but to include security features like these [Credential Guard, Device Guard, Microsoft Hello two-factor authentication, and BitLocker] you have an operating system worthy of the title ‘Enterprise’ and a very hard target to hack," Trump said.

Not for everyone

Exciting features aren’t enough to spur adoption. While Windows 10 will make inroads in the enterprise, the hardware requirements and infrastructure changes will delay widespread adoption of Device Guard and Credential Guard for at least four or five years, Wisniewski predicted.

The hardware requirements are hefty. To enable Device Guard and Credential Guard, the machines need Secure Boot, support for 64-bit virtualization, Unified Extensible Firmware Interface (UEFI) firmware, and the Trusted Platform Module (TPM) chip. Only enterprise hardware, not consumer PCs, includes such features. For example, business laptops such as Lenovo ThinkPad and Dell Latitude models typically have these specs, but consumer models such as the Lenovo Yoga 3 Pro do not. The hypervisor-level protections are available only if the machine has a processor with virtualization extensions, such as Intel VT-x and AMD-V.

Employees regularly working in the field or traveling extensively throughout the year are more likely to opt for a lighter laptop -- and most Ultrabooks do not have TPM inside. “The executives are the ones I worry about,” Wisniewski said, as they're the ones most at risk of attack and more likely to be using consumer models.

The hardware isn’t the only barrier to getting started; most organizations will also need to make changes to infrastructure and processes. Many IT teams don’t currently use UEFI or Secure Boot because they impact existing workflows. IT may be concerned about getting locked out of computers with Secure Boot; it’s easier to wipe a machine and load a stock corporate image when setting it up. Likewise, some machines may run critical applications with specific requirements that cannot be upgraded.

Fortunately, Device Guard and Credential Guard don't require an all-or-nothing decision. IT can build a new domain with Device Guard and Credential Guard protections turned on and move users who meet the hardware requirements. The machines that can’t be upgraded can be left in the existing domain. This lets IT maintain a “clean” network with signed policy and protected credentials and focus their attention on the older, “dirty” domains. “Don’t hold the entire network back for just one thing,” Wisniewski said.

Few enterprises believe the current state of enterprise Windows security is acceptable. Device Guard and Credential Guard actually offer a way forward, albeit one that demands a substantial investment. With Windows 10, “Microsoft is telling enterprises, ‘If you want good technology you need to do security [our way],’” Wisniewski said. Time will tell whether enterprises are willing to follow that path.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftWindows 10

More about AdvancedAMDAppleAPTDellIntelLenovoLogicNowMicrosoftSophosTechNet

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Fahmida Y. Rashid

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts