Microsoft Announces Device Guard For Windows 10
jones_supa writes: Microsoft has announced a new feature for Windows 10 called Device Guard, which aims to give administrators full control over what software can or cannot be installed on a device. "It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. ... To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege." It's intended to be used in conjunction with traditional anti-virus, not as a replacement.
This actually sounds like a great idea. Whitelist all the executables on your system. Then, if something tries to execute that's not whitelisted, throw up a dialog explaining what's going on. This would catch sneaky attempts to execute trojans in a lot of cases.
One downside is it probably wouldn't work with interpreted languages, and those can be fairly powerful. But it's a start.
This does almost nothing. Just more window dressing.
Most applications DO come from "trusted vendors" (such as Microsoft itself). Yet the virus attacks continue, and the security failures continue.
"which are apps that are signed by specific software vendors, the Windows Store, or even your own organization"
When Corporate America IT organizations start deploying this with Windows 10 rollouts in, oh, 2020 or so, a whole slew of things that are necessary to keep companies operational are just going to stop working.
IT "administrators" will be unable to resist the temptation to enable this "feature", surmising that any user running an .exe that wasn't signed by a shortlist of vendors must be doing something illegal.
So that business process automation workflow that saves thousands of hours every year? It depends on, say, Ruby, or 7-zip .exes. Poof; gone.
How about that little Office add-in that the CFO really likes because he can rubber stamp all the incoming requests in one batch? Well, it'll probably block .dlls too, so that's gone.
That customer deliverable that people have been pulling 16 hour shifts to get done, which is due tomorrow? It depends on a complicated .NET app written in C# using heavy Excel automation. Now they have to rewrite it in VBA, or maybe your deliverable just won't get delivered.
This is bad, bad news for the skunkworks that keep the world spinning. Better start rewriting everything in Java (make sure it's compatible with the ancient version of Java that comes preinstalled on every system) and calling into native land via JNA. Uhh, provided that Windows will let you dynamically load the JNA .dll into the Java process, that is...
Actually, that probably won't work because of the aforementioned JNA .dll. Let's just rewrite everything in VBA forever and ship our "applications" as Word documents. Who needs proper threading or actually good performance, anyway?
This is a good idea but it will be broken (and fixed), repeatedly.
However, it will make malware writers work harder/spend more money and reduce their reach, which should knock many bad actors out of the game.
Unlike Apple, this will be something most users will have to turn on manually or at least be something they can turn off if the manufacturer has it turned on "out of the box".
I'm more worried about Windows 10+1 - by that time people may be so used to the "safety" of walled-garden "app stores" that a computer you actually own (that is, control) will be a niche market.
Steam and Steam games as well + user mods + user maps + and more.
Also opens the door to all apps must come from MS with them taking $99 a year (even for free apps) + 20%-30% cut of sales.
Later, say goodbye to hardware that did not pay MS a fee to get their drivers trusted, and if MS wants to be evil, keyboards and mice as well.
No, but that's not a surprising thing to see someone post at this conspiracy nutjob site.
Everyone is a Windows Administrator. So how well will this really work?
Most non IT people will just see the popup saying "Blah, blah blah blah. Blah blah, blah, unsigned blah blah." And click the button that says, "Make the nasty popup go away and run the neat app I just downloaded."
Doesn't Windows have this already? If the installer isn't signed with a "trusted" certificate, you get a scary warning message. Or is the "hardware technology and virtualization" the new bit?
As long as the user has the option to override the warning and install anyway, you'll still get malware being installed.
This feature however seems more aimed at IT departments so they can lock down their users' machines to only run their definition of trusted software. How will it apply to standalone or home users?
This announcement sounds vaguely familiar. Did they just rename UAC?
Wouldn't surprise me. First time I heard of UAC I thought it was the company that blew up the world in the DOOM games.
This is an optional feature, mainly targeted for enterprise use. The system administrator chooses what to whitelist. Also, any app can be self-signed.
Quite nice feature if you want to prevent random executables from conquering the computer. Of course this does not protect from vulnerabilities contained inside any of the trusted apps.
With OS X, you (as an administrator) can decide whether you want to allow apps downloaded from 1) Mac App Store, 2) Mac App Store and identified developers, 3) Anywhere. I don't use Windows but I could imagine MS taking a similar approach.
Do you trust MS? Do you feel lucky, punk?
Remember that Stuxnet used drivers signed with "stolen" Realtek and JMicron certificates. Lots of malware is signed with fake, stolen, or weak certs. Hell, some manufacturers like Lenovo even included malware like Superfish on new laptops. Will Device Guard prevent that from happening?
We have this already but it's Windows Enterprise which needed Software-Assurance...
No imbecile, it's talking about checking the code signing certificate.
If you've trusted the particular vendor or cert chain, then the app is allowed to be installed, if you don't trust the cert, it warns or blocks installation or execution.
Unless Microsoft's changed something, you can still change the code in (non-device driver) SIGNED executables. (Try it today by flipping a few junk bits in a signed app and see if Microsoft notices the difference.) If that remains true, this isn't much of a deterrent to malware at all.
Furthermore, some of the biggest recent hacks (e.g., Sony) used a SIGNED commercial device driver (running in trial mode) to circumvent NTFS permissions; a default scheme that allows only signed executables wouldn't stop that either.
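The bit-flipping test the post above proposes, as an added example that is not the poster's own code: copy a signed binary, flip one bit inside the image, and ask Windows what it thinks of the signature now. For a file with an embedded Authenticode signature the status goes from Valid to HashMismatch; for a file that was only catalog-signed (most Windows system files) the tampered copy simply no longer matches any catalog and reports NotSigned. The default path is an assumption and any signed executable can be substituted. The loader itself does not refuse either result; that only happens when a policy (AppLocker publisher rules, Device Guard) demands a valid signature, which is the poster's point.

```powershell
# Added example, not from the thread: what Authenticode reports for a
# bit-flipped copy of a signed executable. The default -Path is an assumption;
# pass any signed .exe.
function Test-TamperedCopy {
    param(
        [string]$Path = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    )
    $copy = Join-Path $env:TEMP ('tampered-' + (Split-Path $Path -Leaf))
    Copy-Item -Path $Path -Destination $copy -Force

    # Baseline on the untouched copy; warn if the input was never signed.
    $before = Get-AuthenticodeSignature -FilePath $copy
    if ($before.Status -ne 'Valid') {
        Write-Warning "Baseline status is $($before.Status); pick a signed binary"
    }

    # Flip one bit in the middle of the file. That lands in code or data, which
    # is hashed; the only bytes Authenticode excludes are the PE checksum field,
    # the security-directory entry and the certificate table at the end.
    $bytes  = [System.IO.File]::ReadAllBytes($copy)
    $offset = [int]($bytes.Length / 2)
    $bytes[$offset] = $bytes[$offset] -bxor 0x01
    [System.IO.File]::WriteAllBytes($copy, $bytes)

    $after = Get-AuthenticodeSignature -FilePath $copy
    Remove-Item -Path $copy -Force

    [pscustomobject]@{
        File         = $Path
        Signer       = $before.SignerCertificate.Subject
        StatusBefore = $before.Status
        StatusAfter  = $after.Status
    }
}

Test-TamperedCopy
```

Run it against a third-party installer to see the HashMismatch case, and against a copy of a catalog-signed system file to see the NotSigned case; in both, Windows knows the file has changed, it just does not act on that knowledge without a policy.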
It's for organizations... You know, so you don't install stupid shit on your company laptop. It's not "microsoft says what you can install"... But you would actually have to read the article before commenting...
Most of the posts on here are of the variety that this is taking away a fundamental human right or that everybody is an administrator so it's a meaningless feature. In the corporate IT world, this is hugely valuable. Most non-programmers *don't* have administrator privileges. But, even if they do, you don't want to allow untrusted binaries. Windows has local administrators and domain administrators. Nobody is a domain administrator. Even local admin privileges won't let you override a group policy. This really is as near perfect solution as you can get. As far as interpreted languages... uh, non-programmers don't need to have interpreters on their machines. Some "interpreted" languages (like the .Net CLR) will honor this and not interpret things that aren't properly signed. So I see this as a big win. Although it's hugely helpful for the large organizations who spend billions of dollars on IT, I do agree that it's a bit of an inconvenience for people who live in their parents' basement and run pirated copies of Windows while claiming to live and die by Linux.
If you look at Windows NT and beyond, it was all about removing capabilities from untrusted users, and placing them in the hands of IT staff/CIOs. That was a huge success for Microsoft, CIOs -control the budget- and decide what gets purchased. So they stuck with what empowered them, regardless of whether this was good for the user community, and whether the Microsoft monoculture created more problems -and more costs- than it solved. (After all, the measure of 'power' in many organizations is the size of the budget and staff; growing the CIO budget and hiring more IT workers equated to more CIO power.)
So now, with the growth of non-PCs (phones, tablets, even IoT) in companies, Microsoft once again plays to (you could say 'panders to') the CIO and ability to control the device.
This could be quite a battle, with Apple/IBM (and presumably Google/Android soon) providing business services to the user community, versus Microsoft providing control (and familiarity) to the CIO community.
a lot of the malware out there is "trusted" crap from "partners"
So now we will have Microsoft certified SAFE malware....
Android has the same functionality, and it can be disabled there as well. No reason to believe it would be any different in Windows, at this point.
Now, there is the question of whether some malicious software could reactivate it, railroad it, use it for evil. But that's true of any beneficial functionality in the OS.
I had to turn off UAC in Windows 8 to compile and automatically copy my plugin project to its proper directory because that directory is under Program Files. This was necessary because I had set the host program to start immediately afterwards in order to debug my plugin as it ran. This worked, but in doing so, I lost access to my Windows 8 apps. I only use a few, but it was annoying enough that I eventually moved the project to a Windows 7 machine (and you don't have to turn UAC off completely, it's just as far as Windows 8 is concerned, if that one registry entry concerning protected directories is toggled off the whole thing is compromised).
So, while any rebuttals here to the effect that "undoubtedly you can turn this off" are probably accurate, I wouldn't be surprised if there were things like this built into the system to encourage the user to keep it on. "Want to develop software on your PC? Well, either apply for a personal certificate or stop using Metro apps." It won't really stop developers, but it could shut down new user interest outside of closed markets.
I believe this feature is more for corporate IT (the real administrators) rather than for individual administrators of the system. Although corporate IT has some control, it basically centers around limiting the installation and not the execution of applications. For home use, I'm sure this is going to be disabled quickly - just like the firewall.
why is it that people can't read?
This is a feature for corporate IT, not for home users. Basically, this is to enforce company IT rules more and prevent malware.
User Account Control (UAC) helps defend your PC against hackers and malicious software. Any time a program wants to make a major change to your computer, UAC lets you know and asks for permission.
This new "feature" looks like yet another security prompt that the user is going to click through.
Why would I want MS have control of my device? No thanks, it's just another ploy to let them own your hardware.
You're kind of an ass. Not that there's anything wrong with that.
Some things need to be said...
For home use, I'm sure this is going to be disabled quickly - just like the firewall.
Really? Do home users disable allowed app verification in OSX? No? Thought so!
Windows (like iOS and OSX) is no longer just an operating system, it's a platform. The new paradigm is to download from the app store ecosystem where it's vetted. Even Android has this process. The days of downloading programs from dubious vendors and websites zipping up files via shareware/freeware is over. In OSX, it can be overridden to run programs like Onyx which is real easy with a few mouse clicks; but most people don't do that, let alone download Onyx either.
How about you just change the folder permissions on the destination folder rather than compromise/screw your whole system?
I'm going to turn this on in a heartbeat for my wife's Mom and Grandma's PCs.
And I'm sure the sys admins here at work will deploy with it enabled and completely locked down. It sounds way easier than dealing with this Power Broker crap.
This sounds a lot like Gatekeeper on the Mac, which works really well. It allows the user several levels of trust - "trust store apps only", "trust store apps plus recognised developers" (certificate signed), "allow everything".
I have mine set to "store apps plus recognised developers" and ask for the rest. If I run something else, I can right click and select Open..., it asks me if I'm sure and I say yes. This is a five second operation which gives me control over my options, whilst preventing unknown apps from running without my knowledge and explicit say so. This Windows one sounds pretty much the same, with the addition of your classic enterprise lock down features - if it's a corporately-owned machine, then yes the corporate should get say over what's running on it.
Imagine the kind of download-happy, click-on-everything user that we've all seen around. They would download cunningly-disguised-malware.exe and try to run it, and the OS would simply prevent them. Now true if they had admin rights they could go into preferences, set to allow everything etc. but it's all more effort and a quick realisation that something's unusual here.
Nope, I regard this as a good move. It already exists in OS X and works well - putting a similar system into Windows seems like a good idea to me.
Just saying this looks like another layer of software that will only raise the barrier of entry for malware a little bit...
Nothing wrong with that. No security feature is perfect. A nice mix of different mechanisms is what you want anyway.
Bit9's application whitelisting product was leveraged to attack customers using it.
http://krebsonsecurity.com/201...
MS has the bucks to buy H1B hacks to make "a device" that *nix users have come to consider normal in an O/S. I give some bored 14-year-old about a month to publish the simple workaround for MS's "solution?"
Poor A/C, you did.
Meph, it gives bored 14-year-olds something new to play with.
Ok, so this will prevent a modified "acrobat.exe" from running without a prompt. But running a properly-signed "acrobat.exe" to open evil.pdf still pwns the machine. You can also completely pwn a system by interacting with PowerShell. Wanna bet that in a corporate environment (which this is intended to help) powershell.exe will be allowed to run? (and thirdly, this functionality already exists since XP, in the form of "Parental Controls" and/or AppLocker.) --Joe
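What a Device Guard user-mode code-integrity policy actually does to the powershell.exe case raised above, as an added example that is not the poster's code: PowerShell 5 on a machine with an enforced policy starts in ConstrainedLanguage mode, which leaves the shell and its cmdlets in place but removes the arbitrary .NET, COM and Add-Type surface that most PowerShell tradecraft relies on. The script below probes that surface and reports what the current mode allows. To preview the effect without a policy, run it once for the FullLanguage baseline, then lower the session's language mode and dot-source it again (the mode can be lowered within a session but not raised). The file name is an assumption.

```powershell
# Added example, not from the thread: probe what the current PowerShell language
# mode lets a script reach. Run as-is for the FullLanguage baseline, then:
#   $ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
#   . .\Probe-LanguageMode.ps1      (file name is an assumption)
$mode   = $ExecutionContext.SessionState.LanguageMode
$result = [ordered]@{ LanguageMode = "$mode" }

# Arbitrary .NET types: in ConstrainedLanguage only a short list of core types
# (string, int, hashtable, PSObject and a few others) may have methods invoked.
try {
    [System.Net.WebClient]::new() | Out-Null
    $result.DotNetTypes = 'allowed'
} catch { $result.DotNetTypes = 'blocked' }

# In-process C# compilation, the usual route from a script to raw Win32 APIs.
# A random type name so a repeated FullLanguage run does not trip over itself.
try {
    $typeName = 'Probe' + (Get-Random)
    Add-Type -TypeDefinition "public static class $typeName { public static int One() { return 1; } }" -ErrorAction Stop
    $result.AddType = 'allowed'
} catch { $result.AddType = 'blocked' }

# COM automation (WScript.Shell, Office) is also off the table.
try {
    New-Object -ComObject WScript.Shell -ErrorAction Stop | Out-Null
    $result.ComObject = 'allowed'
} catch { $result.ComObject = 'blocked' }

# Cmdlets keep working, which is why this is containment rather than a kill
# switch: what goes away is the ability to step outside the cmdlet surface.
$result.Cmdlets = if (Get-Process -Id $PID) { 'allowed' } else { 'blocked' }

[pscustomobject]$result
```

The second run is the interesting one: powershell.exe is still "allowed to run", exactly as the poster expects, but the download-and-inject style of script that needs WebClient, Add-Type or COM now fails at the first such call.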
1. It's from an AC. Any attitude goes.
2. You really should have been asking the questions, not making a baseless statement.
However, in a manner of speaking, you may be correct. If the cert has become compromised, it could quickly be revoked. Not sure what that technically means for apps already installed and running on an existing workstation/server however.
Stop with the Transformer quotes.
there needs to be free certificates at least for testing / dev stuff.
Stop with the Transformer quotes.
It's not Transformers, It's Dirty Harry.
What's the default? If it's like OS X's Gatekeeper BS, then it's not really optional. Most Mac users are honestly too stupid to know that Gatekeeper exists or where to change the default so that they can install non-App-store software.
"which are apps that are signed by specific software vendors, the Windows Store, or even your own organization"
This is no solution. I'd have to sign every piece of software that gets in through the door for the users, every new version?
Because microsoft is not going to give free signatures to open source projects like libreoffice or preinstalling the public key of some open source project or organization...
Slashdot needs a "+1 Hey everybody, look at this idiot!" moderation.
So this feature has been around in some form or another since at least 2003. See https://technet.microsoft.com/... for how to implement it 12 years ago. It included the ability to generate a hash for an executable, so if you needed people to run foobar.exe version 1.1.1.1, you generated the hash and then people could not run 1.1.1.0 or 1.1.1.2. You could also do certificates from trusted publishers, etc. It looks like there are a few new features, including virtualization options, but this is really just a rebranding of an existing feature to make it more prominent for the end user. Something all corporations do.
Are you an idiot?
Stop with the Transformer quotes.
It's not Transformers, It's Dirty Harry.
Yoots today have no appreciation for classic movie quotes. Hell they think "Toy Soldier" by Martika was written by Eminem because they heard it in Grand Theft Auto.
there needs to be free certificates at least for testing / dev stuff.
You can do it yourself by setting up your own internal CA and trusting the root certificate on your test machines. It's totally free and included in Windows Server.
The days of downloading programs from dubious vendors and websites zipping up files via shareware/freeware is over.
Darn, there goes my home software business that I've run on the side for the last 15 years under the old "shareware" model. And I always thought the biggest threat to extinction that I faced came from pimply-faced teenage hackers posting cracks for my registration keying system. (Nobody but teenagers would spend the time to crack such low-volume software. I ain't exactly selling Photoshop.)
Device Guard allows using a local certificate as well, so it shouldn't be a problem.
I'm a software developer. I am constantly recompiling new versions of the code I'm working on.
It's bad enough that I have to keep reconfiguring my firewall (yes, all link-local addresses should be whitelisted; yes, all addresses given out by my own DHCP server should be whitelisted; yes, our server in the "cloud" should be whitelisted; yes, all addresses in a VM should be whitelisted; etc.).
Will I now have to include some sort of signing step in my build process? What about when I download and install a new tool? Currently, I do get asked to verify this, which is okay, because I don't install new tools every day, so having to occasionally click "ok" is worth the benefit of knowing that something won't get installed without my knowledge.
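The "sign it yourself" route from the certificate replies above, worked through as an added example that is not any poster's code: a self-signed code-signing certificate stands in for one issued by the internal CA the earlier reply mentions, and the two trust imports are what make it count as "your own organization" on a test machine. The script then signs a build artifact and ends with the check a build script should run, since, as the post above worries, every rebuild needs re-signing. Names and paths are assumptions; the -Type CodeSigningCert parameter of New-SelfSignedCertificate needs the Windows 10 PKI module, and the LocalMachine store imports need an elevated prompt.

```powershell
# Added example, not from the thread: a self-signed code-signing certificate as a
# stand-in for an internal-CA-issued one, trusted on a test box, used to sign a
# build output, then verified. Subject name and paths are assumptions. Run elevated.
$subject = 'CN=Example Lab Code Signing'
$cerPath = Join-Path $env:TEMP 'lab-codesign.cer'

# 1. Create the signing certificate once; reuse it on later runs.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Subject -eq $subject | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
        -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy NonExportable `
        -NotAfter (Get-Date).AddYears(2)
}

# 2. Publish the public half and trust it on the test machine. Root makes the
#    chain validate; TrustedPublisher suppresses the "run software from this
#    untrusted publisher?" prompt under the AllSigned execution policy.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 3. The signing step a build script would run. A constructed script stands in
#    for the real build output.
$artifact = Join-Path $env:TEMP 'build-output.ps1'
Set-Content -Path $artifact -Value 'Write-Output "hello from a signed build"'
$sig = Set-AuthenticodeSignature -FilePath $artifact -Certificate $cert -HashAlgorithm SHA256
"Signed {0}: {1}" -f $artifact, $sig.Status

# 4. Verification, and the failure mode to guard against: any edit after signing,
#    including a rebuild nobody re-signed, invalidates the hash.
Add-Content -Path $artifact -Value '# rebuilt after signing'
$check = Get-AuthenticodeSignature -FilePath $artifact
if ($check.Status -ne 'Valid') {
    Write-Warning ("{0}: signature is {1}; re-run the signing step" -f $artifact, $check.Status)
}
```

Step 4 is the part worth wiring into CI: run Get-AuthenticodeSignature over the outputs as the last build step and fail the build on anything other than Valid, so a forgotten re-sign surfaces before the artifact reaches a locked-down machine.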
You know this is why the CD function exists right? You're not supposed to use program files this way. Use AppData folder or user-space folder.
Aren't there projects that deal with distributions of open source software? I think they're called "distributions", or "distros" or such.
They maintain "repositories", which contain software packages. Sometimes the packages are signed!
Which is quoted in Transformers.
To address that scenario, we would probably need signed documents as well.
I would like to think if I installed Win10 Enterprise on my systems at home and use workgroups, I could deploy this and manage my kids' ability to allow/disallow various applications as well...
In the mind of an Administrator, domain employees are not any different than children after all.
We've reached a time where the general consensus seems to be that automated installations are a required thing, but their existence wreaks havoc on defense in depth strategies. The security implications of automated installations clearly were not considered well, or considered and sacrificed on the altar of expedience. Just look at Ubuntu (I'm picking on you Ubuntu, but pick nearly any other OS too), with PolicyKit with permissions that provide for automated privilege elevation to allow completely unattended and automated background software download and installation. That's like having a nice castle with 4 concentric walls, then putting a giant door in each wall, with all the doors lined up, and a single key used to unlock each one.
Maybe a geek Benjamin Franklin born in this generation would have said something about those desiring convenience at the expense of security deserve neither.
Like most people here, if you don't know how to use Windows, the problem is you, not the OS.
It is understandable to be worried... but similar functionality has been in Windows for a while.
Secure Device is basically AppLocker, except on a driver level. AppLocker is a function that can be turned on since Windows 7 that can allow applications by signature or by their hash.
For the enterprise, this is a useful tool. One use case would be on servers, as a way to prevent an attacker from trying to install a driver for keylogging or to hook into disk I/O in efforts to try to grab a key or a password. Another use case would be in groups of locked down desktops (finance and point of sale systems come to mind.)
What Device Guard adds is that the business can choose which companies to trust. That way, if someone wants to install a product not on the list, even though the code may be signed, the install would be stopped.
All in all, this is a useful feature to have, especially on machines which should be locked down thoroughly (edge webservers, for example.)
Slashdot needs a "+1 Hey everybody, look at this idiot!" moderation.
No we don't - it's just assumed.
You should probably point out that that's the joke to the GP. Something tells me it'll sail over his head otherwise.
And Gatekeeper is fine (for individual use, it's not an Enterprise solution). If you don't understand the concept of walled garden or malware, then the DEFAULT secure position is to protect you from your lack of computer sophistication.
If you pass computer kindergarten and can now walk along the road unchaperoned, then you are one simple click away from freedom.
A perfectly sensible approach. I suspect that anyone posting here using OS X has unclicked Gatekeeper, but we are not its target audience. Remember, it is still Eternal September out there.
By that logic, SSL is also broken, and so is any form of encryption: if you have the key, you're shit out of luck. Thankfully, getting the key(s) is a lot more complicated than you make it sound.
Children tend to complain to HR a little more often about complicated login processes and restrictive password policies.
Doesn't the host program have a configuration somewhere allowing you to set up locations for plugins?
This won't fix Java running with more privileges than the user. Additionally, if you allow the java executable, do you allow every jar ever made?
TFA is a little vague; but if it is implemented the way that Software Restriction Policies currently are, I'd be all for it (and I say that as a smirking, linux using, tinfoil-hatted paranoiac.)
Cryptographic verification and whitelisting are enormously powerful techniques, and (aside from being able to take advantage of them), they are simply too useful to forbid successfully. What matters, and makes the difference between a fortress and a prison, is who gets to put something on the whitelist.
If you can whitelist something (either by signing it yourself, adding the cert of the person who signed it to the trusted list or both), it's a fortress. If the whitelist is what the vendor says it is, it's a prison. Same deal with 'secure boot'. If I can re-key it, it's a valuable tool. If I can't, it's a device that I'll never be more than a peon on.
Wait... I'm confused...
Whenever I hear anything by Enema it's basically just fart noises in an angry little adolescent voice....
Well, yes. I don't want my kids installing stuff on any of the other computers in the house. I was going to qualify that statement, but maybe it should stand as is. I don't want them installing anything at all without my knowledge.
I guess it's okay as long as it is sufficiently configurable. I know what I'm doing, and I need to do things that I don't expect my wife or kids to need to do. I'm also pretty careful about protecting myself, but they are more interested in their forums or Facebook or Tumblr or YouTube or whatever, and they wouldn't even notice a restriction on what can be installed.
We had an issue like this at work a few years ago. Various protections, which were ABSOLUTELY necessary to protect the marketing people from themselves, were very inconvenient for developers, who were very frequently running builds that opened and read hundreds if not thousands of files. I KNOW that my header file is a text file and is NOT infected with a virus and doesn't need to be scanned each time it is opened (or ever), and especially not if it was just read a fraction of a second ago when it was #included from a different file than the one that is #including it now.
I can only comment on SRPs as they currently exist; but as of now the only real pain is vendors who don't sign anything. Self-signed or untrusted roots throw up scary warning by default; but you can add those to the trusted list if you wish. Legacy software is a giant pain in the ass, since most of it predates the custom of signing much of anything by default; but newer stuff generally isn't so bad. If necessary, you bless the vendor's cert and that takes care of it. You can also (again, with the present implementation of SRPs) bless binaries by hash, rather than by signature, which is frequently easier if you need to do once-offs.
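The publisher-or-hash whitelisting this reply and the earlier AppLocker/SRP replies describe, as an added example that is not any poster's code: inventory a directory of line-of-business binaries, emit publisher rules for the signed ones and hash rules for the rest, dry-run the result against those files plus a stand-in "download", then apply it in audit mode. The directory and file paths are assumptions, and the AppLocker module plus an elevated prompt are needed to apply anything. One caveat the cmdlets do not shout about: New-AppLockerPolicy emits rules only for the files you hand it, so a policy you actually enforce must also carry the default allow rules for the Windows and Program Files directories, or the OS itself is denied.

```powershell
# Added example, not from the thread: an AppLocker whitelist built the way the
# SRP/AppLocker replies describe (publisher rule if signed, hash rule otherwise),
# dry-run, then applied in audit mode. $lobDir and $candidate are assumptions.
Import-Module AppLocker
$lobDir     = 'C:\LineOfBusinessApps'
$policyFile = Join-Path $env:TEMP 'lob-applocker-audit.xml'

# 1. Inventory every exe/dll: publisher name/product/version where signed,
#    SHA256 hash in every case.
$info = Get-AppLockerFileInformation -Directory $lobDir -Recurse -FileType Exe, Dll

# 2. Rules from the inventory. -RuleType is a preference order: a signed file gets
#    a publisher rule (the vendor's next signed build still runs), an unsigned one
#    falls back to a hash rule (it must be re-added after every rebuild).
#    -Optimize folds files from one publisher into a single rule.
$policyXml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'LoB' -Optimize -Xml

# 3. Audit first: flip every rule collection to AuditOnly before saving. Event ID
#    8003 in the "Microsoft-Windows-AppLocker/EXE and DLL" log then records what
#    would have been blocked without breaking anyone's workflow; switch to
#    'Enabled' once that log has stayed quiet.
$xml = [xml]$policyXml
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$xml.Save($policyFile)

# 4. Dry run. A copy of a Microsoft-signed binary dropped into TEMP stands in for
#    a download: with only LoB rules in the policy it comes back DeniedByDefault,
#    while the inventoried files match their publisher or hash rule.
$candidate = Join-Path $env:TEMP 'unknown-download.exe'
Copy-Item -Path "$env:SystemRoot\System32\calc.exe" -Destination $candidate -Force
$paths = @(Get-ChildItem -Path $lobDir -Recurse -Include *.exe, *.dll | ForEach-Object FullName) + $candidate
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $paths -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally (the AppIDSvc service must be running for enforcement).
#    Omitted here, as noted above: the default rules for %WINDIR% and
#    %PROGRAMFILES% that a deployable policy also needs.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

The MatchingRule column in the dry run is the thing to read: every signed binary should point at a publisher rule named after its vendor, and each hash rule that shows up is one more file someone will have to re-whitelist after its next update, which is the maintenance cost the reply above describes for unsigned legacy software.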
So let me see. I assume all Microsoft apps will be signed as trusted from day 1. But of course, the bugs that make them malware don't turn up till months or even years down the road. Same applies to, say, Firefox or Chrome, but new versions of those won't be automatically signed - or maybe they're big enough players that they will, but you get the point. Other than allowing some administrators to force a Microsoft-only 'standard' desktop on users, what does this accomplish?
What is damned annoying is that 'Gatekeeper' can be turned off; but as of 10.10, it will turn itself back on after a period of time. iOSX seems likely in the near future.
one more reason to get a new computer WITHOUT AN OS
That way i can install MY OWN NON Microsoft OS
Actually, I keep Gatekeeper on. When installing software, I two-finger-click (equivalent of right-click) the installer and option-click "open," which prompts for an administrator password to bypass Gatekeeper just this once. That way there are no accidents: installation of new software is a highly intentional act, equivalent to using sudo on the command line.
And that's exactly how it should be. That's why sudo works. That's why users should not run with administrator privileges.
Whining about Gatekeeper? You might as well be whining about not running everything as root on Linux.
I only want two things out of windows 10:
1) hololens, so I can have simulated acid trips without any drugs involved...
2) a mod for Cortana to make her speak and behave like a virtual girlfriend (forever stuck in the "giddy over new relationship" phase).
The way that OS X solves the issue is that unsigned apps can still be run, but they require a more explicit first-time-only execution (right-click -> open which then displays a confirmation dialog indicating the app name and the website it was downloaded from) as opposed to signed apps that just run like normal. Its very unobtrusive, never even happens for most people, and works very well in the "least amount of tech to solve the problem" sense.
How often do you install new un-signed software that you didn't compile locally yourself that right-clicking only on the first time that an app is executed is a problem?
Um, this is how I get all my PC software. Some of which I pay good money for. Store, indeed.
Gatekeeper was never really designed for corporate style use, but to be honest, neither was the mac itself. For that matter, Windows PCs aren't really designed for corporate use, either.
My worry is that it works like Gatekeeper, though. The Windows Store is a hideous mess, especially on the free side - a lot of programs that should be free come up as low voted "lite" versions that do nothing without you paying for the real program. A prime example of this is .7z - the default programs (and there are about 20) are all view only unless you pay their fee and all you get is a touch interface 7zip, a program which you can download and use free on non-touch devices. I got so frustrated finding one that I just gave up and installed 7zip (this was a touch supporting laptop). Uninstalling one of these crapware programs is completely unintuitive to a desktop user, as well (supports the touch paradigm only). I actually had no idea how until my wife got a Windows Nokia phone.
And yes, I think the Windows Store is far worse than the Android store in this respect - way too many "lite" programs or trialware that does little or nothing without you paying for them. With android you usually get advertisement injection with this sort of free program. I'd rather have that than shakedown-ware. For reference, on android I had no problems finding a free .7z extractor (and it compresses, too!). It was the first hit I got and had 4.2 stars (first I got on Windows was 2 stars).
No, I don't mind paying for software, but when the program is free on the same platform just with a different interface I draw the line. Set up a paypal account and ask for donations if you are a poor college student. Be sure to state that you are a poor college student on the download page - I'm a sucker for pity pay donations. My worst fear is a Gatekeeper-like app locking the vast majority of users to some money grubbing bottom feeder developers like people that make money this way. This is capitalism at its worst, profiting off of someone else's creation.
Windows (like iOS and OSX) is no longer just an operating system, it's a platform. The new paradigm is to download from the app store ecosystem where it's vetted. Even Android has this process. The days of downloading programs from dubious vendors and websites zipping up files via shareware/freeware is over.
You're kidding, right? The "vetted" Android apps are (in general) a collection of shit, a sizeable portion of which is unsafe or downright toxic.
Transformers has dialogue?
Device Guard; the proven security model of ActiveX.
one more step so that MS can control what you can run on your computer...
You already have Boot loader signing, now you may block the non-whitelisted apps... (for sure MS signed apps are automatically allows)
next is to require all apps to be signed to be executed (if not enabled with this)...
Finally require all apps to be delivered by the MS store (with the excuse to automatically sign all apps), or if you are big enough, set up your public store with expensive MS software and some CA-like key from a CA
I'm so glad I have stopped using Windows
Higuita
2 to 3 lines.
I could see this being useful for my desktop. I think all of my games are signed, I would need to check. But if it became common practice, this could be useful. I could create a whitelist.
I would be happier if the Microsoft store contained a section that allowed you to install and update desktop apps. Pretty much everything on there at the moment looks as if it was designed for a touchscreen
Yeah, normally it's "why can't my password be '12345'" or "pressing Ctrl+Alt+Delete is too complicated to log in"
I think right-clicking on an icon and selecting uninstall is intuitive to desktop users; it certainly was for me. And there's always PowerShell :-)
It also has butts and boobs.. and a dumbass protagonist who needs a girl to teach him about cars. Yay for feminism.
Looks like MS is going to kill McAfee's Application Control (used to be Solidcore) product.
Uhhhh... it's the same thing Google does with ChromeOS, only unlike ChromeOS it's OPTIONAL and can be turned off. I seriously doubt it will even be on by default for any SKU other than Windows Enterprise, as it would mean a ton of headaches for any OEM that sold a PC with this on, thanks to the increased support calls.
Don't you just love how whatever MSFT does it's automatically evil, even when it's just copying Slashdot darling Google? It doesn't matter that Nadella is nothing like Gates or Ballmer, that one of the first things he did was open up .NET (as many devs had asked for) and bring their open source back into the fold so it wouldn't be treated like an afterthought, got rid of Metro for everything other than phones/tablets (again just like so many of us asked for) and then to top it all off have Windows 10 be free for a year to make up for Windows Mist8ke... what happened to letting the new guy have a chance before tarring and feathering?
This CEO change so far looks to be as big a direction shift for MSFT as bringing Jobs back was for Apple, as he doesn't seem to give a shit about planting Winflags on everything (like Ballmer) or treating FOSS like the plague and fucking users in favor of getting snuggly with the OEMs (a la Gates) but actually seems to be LISTENING TO THE USERS and giving us what we ask for... shouldn't we at least give the guy one OS launch to see what he's gonna do?
ACs don't waste your time replying, your posts are never seen by me.
Let's see what we have here....
Really? Do home users disable allowed app verification in OSX? No? Thought so!
Comparison to another operating system. Tsk, tsk, tsk.
"Paradigm", "Platform", "Ecosystem" Three marketing-speak terms. My my.
A sentence with the phrase "The days of X are over". This is looking very bleak.
I'm afraid you have a case of elite-ism
Please consult with a physician about an inter-glutial-cranial-ectomy as soon as possible.
No, I don't. Windows will already routinely install all sorts of crap merely because it's been signed, without ever asking the user for permission. Including drivers from USB devices and smart phones. I would personally prefer an option to turn this feature off so that it must ask me always before it installs anything.
What is a "yoot"?
So in the past our government has actually compromised Windows Update to distribute Flame/Duqu. How does this prevent that from happening? You know if the government can do it that's a fairly low bar.
I presume that this is policies being dumbed down for use on all versions of Windows 10, not just Pro or Enterprise. I'm happy with the policies we set that only allow installations from specific mapped locations. Our workstation that is running the Windows 10 preview to see how useful it is, updated directly from Windows 7 Pro, imported all the policies perfectly. I hope that doesn't change...
I wasn't saying it was Microsoft being evil. I just thought stupid admins - or corporate policy makers - might set a policy that only allows Microsoft apps, and this feature was giving them a way to enforce that. Imagine if this had been in place during the heyday of IE6. Firefox would've been severely hindered in getting acceptance, and IE6 would've ruled (and messed up) the web longer than it did. As it was, lots of corporate IT disallowed you from installing it. So yeah, at this point maybe it's the "nobody got fired for restricting you to MS products" crowd that's evil - but that doesn't mean it's not potentially problematic...
Posted from my Android phone. Oh, I can change this? There, that's better...
That was the first thing I did. It didn't work.
Tell that to Autodesk's Navisworks division. I'm just a guy making a plugin.
Nope.
Fairly often if I'm running alpha or beta tests on someone else's software.
Yeah, I have given up on Apple as a workstation. My 2011 Mac mini is slowly turning from a Unix-alike workstation into a very fancy iPad.
Good-bye
This is why I refuse to use/buy the Windows 8 apps. They are like weird alien programs on a machine I'm used to executing anything I want on. IF I have the exe, it should run, logins be damned.
Good-bye
For home use, I'm sure this is going to be disabled quickly - just like the firewall.
Yes, but it requires a deliberate action from the user, who shouldn't be surprised if problems then happen...
...trusted.
Wasn't there a report of how the Windows/Metro app store was infested with malware?
It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization.
Basically all they're doing is trying to kill open source. This won't do a thing to stop malware.
Stupid admins can set policies that don't allow some useful software. GIFs at 11.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
What about software that is just run uninstalled?
How does Microsoft Device Guard protect against that?
So have them sign the software as part of the build (self-signed is fine, you'd only have to add the cert once). Still not an issue for the vast majority of users out there.
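What this reply describes, as an added example that is not from the thread or from Microsoft: a self-signed code-signing certificate created once, a build artifact signed with it as a build step, the certificate trusted once on the machines that need it, and the signature verified. The subject name, file paths and timestamp server are placeholders.

```powershell
# Added example (not Microsoft's guidance): self-sign an in-house build so that an
# allow-list keyed on publisher can trust it. Subject, paths and server are placeholders.
$subject = "CN=Example Build Signing"            # placeholder subject
$artifact = "C:\build\out\MyPlugin.dll"          # placeholder build output
$cerPath = "C:\build\build-signing.cer"          # placeholder export path

# 1. Create the code-signing certificate once per build machine or organisation.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(2)

# 2. Export only the public certificate so it can be distributed and trusted.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 3. On each machine that must trust the build, import it once (needs admin rights).
#    Root is required because the certificate is self-signed; TrustedPublisher
#    marks the signer as an accepted publisher.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 4. Sign the artifact as part of the build. A timestamp keeps the signature
#    verifiable after the certificate itself expires.
Set-AuthenticodeSignature -FilePath $artifact -Certificate $cert -HashAlgorithm SHA256 `
    -TimestampServer "http://timestamp.example.invalid" | Out-Null   # placeholder server

# 5. Verify. Status 'Valid' means the chain is trusted here; 'UnknownError' on a
#    self-signed certificate normally means step 3 was skipped on this machine.
$sig = Get-AuthenticodeSignature -FilePath $artifact
"{0} : {1}" -f $sig.Status, $sig.SignerCertificate.Subject
```

Whether Device Guard then runs the binary still depends on the code integrity policy the administrator deploys; trusting the certificate only makes the signer recognisable.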
You're special forces then? That's great! I just love your olympics!