Microsoft Announces Device Guard For Windows 10
jones_supa writes: Microsoft has announced a new feature for Windows 10 called Device Guard, which aims to give administrators full control over what software can or cannot be installed on a device. "It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. ... To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege." It's intended to be used in conjunction with traditional anti-virus, not as a replacement.
This actually sounds like a great idea. Whitelist all the executables on your system. Then, if something tries to execute that's not whitelisted, throw up a dialog explaining what's going on. This would catch sneaky attempts to execute trojans in a lot of cases.
One downside is it probably wouldn't work with interpreted languages, and those can be fairly powerful. But it's a start.
This does almost nothing. Just more window dressing.
Most applications DO come from "trusted vendors" (such as Microsoft itself). Yet the virus attacks continue, and the security failures continue.
When Corporate America IT organizations start deploying this with Windows 10 rollouts in, oh, 2020 or so, a whole slew of things that are necessary to keep companies operational are just going to stop working.
IT "administrators" will be unable to resist the temptation to enable this "feature", surmising that any user running an .exe that wasn't signed by a shortlist of vendors must be doing something illegal.
So that business process automation workflow that saves thousands of hours every year? It depends on, say, Ruby, or 7-zip .exes. Poof; gone.
How about that little Office add-in that the CFO really likes because he can rubber stamp all the incoming requests in one batch? Well, it'll probably block .dlls too, so that's gone.
That customer deliverable that people have been pulling 16 hour shifts to get done, which is due tomorrow? It depends on a complicated .NET app written in C# using heavy Excel automation. Now they have to rewrite it in VBA, or maybe your deliverable just won't get delivered.
This is bad, bad news for the skunkworks that keep the world spinning. Better start rewriting everything in Java (make sure it's compatible with the ancient version of Java that comes preinstalled on every system) and calling into native land via JNA. Uhh, provided that Windows will let you dynamically load the JNA .dll into the Java process, that is...
Actually, that probably won't work because of the aforementioned JNA .dll. Let's just rewrite everything in VBA forever and ship our "applications" as Word documents. Who needs proper threading or actually good performance, anyway?
Everyone is a Windows Administrator. So how well will this really work?
Most non IT people will just see the popup saying "Blah, blah blah blah. Blah blah, blah, unsigned blah blah." And click the button that says, "Make the nasty popup go away and run the neat app I just downloaded."
Have gnu, will travel.
Do you trust MS? Do you feel lucky, punk?
No imbecile, it's talking about checking the code signing certificate.
If you've trusted the particular vendor or cert chain, then the app is allowed to be installed, if you don't trust the cert, it warns or blocks installation or execution.
Unless Microsoft's changed something, you can still change the code in (non-device driver) SIGNED executables. (Try it today by flipping a few junk bits in a signed app and see if Microsoft notices the difference.) If that remains true, this isn't much of a deterrent to malware at all.
Furthermore, some of the biggest recent hacks (e.g., Sony) used a SIGNED commercial device driver (running in trial mode) to circumvent NTFS permissions; a default scheme that allows only signed executables wouldn't stop that either.
It's for organizations... You know, so you don't install stupid shit on your company laptop. It's not "microsoft says what you can install"... But you would actually have to read the article before commenting...
Most of the posts on here are of the variety that this is taking away a fundamental human right or that everybody is an administrator so it's a meaningless feature. In the corporate IT world, this is hugely valuable. Most non-programmers *don't* have administrator privileges. But, even if they do, you don't want to allow untrusted binaries. Windows has local administrators and domain administrators. Nobody is a domain administrator. Even local admin privileges won't let you override a group policy. This really is as near a perfect solution as you can get. As far as interpreted languages... uh, non-programmers don't need to have interpreters on their machines. Some "interpreted" languages (like the .Net CLR) will honor this and not interpret things that aren't properly signed. So I see this as a big win. Although it's hugely helpful for the large organizations who spend billions of dollars on IT, I do agree that it's a bit of an inconvenience for people who live in their parents' basement and run pirated copies of Windows while claiming to live and die by Linux.
For home use, I'm sure this is going to be disabled quickly - just like the firewall.
Really? Do home users disable allowed app verification in OSX? No? Thought so!
Windows (like iOS and OSX) is no longer just an operating system, it's a platform. The new paradigm is to download from the app store ecosystem where it's vetted. Even Android has this process. The days of downloading programs from dubious vendors and websites zipping up files via shareware/freeware is over. In OSX, it can be overridden to run programs like Onyx, which is real easy with a few mouse clicks; but most people don't do that, let alone download Onyx either.
Life is not for the lazy.
How about you just change the folder permissions on the destination folder rather than compromise/screw your whole system?
So this feature has been around in some form or another since at least 2003. See https://technet.microsoft.com/... for how to implement it 12 years ago. It included the ability to generate a hash for an executable, so if you needed people to run foobar.exe version 1.1.1.1, you generated the hash and then people could not run 1.1.1.0 or 1.1.1.2. You could also do certificates from trusted publishers, etc. It looks like there are a few new features, including virtualization options, but this is really just a rebranding of an existing feature to make it more prominent for the end user. Something all corporations do.
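As an added example (not from this thread, Microsoft, or the linked TechNet article), a PowerShell snippet that gathers what an administrator looks at when choosing between the two rule types the post describes, a publisher (certificate) rule and a per-build hash rule; the file path passed in is an assumption, and the example only reports, it changes no policy.

```powershell
# Added example: inspect an executable the way an administrator would before
# writing a publisher rule or a hash rule for it. Windows PowerShell only.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # assumption: path to the .exe or .dll being evaluated
)

# Authenticode check: Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
$sig = Get-AuthenticodeSignature -FilePath $Path

# SHA256 of the file as it is on disk; this is what a hash rule pins, so a
# different build (1.1.1.0 vs 1.1.1.1 in the post's example) stops matching.
$sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

$signer     = '<none>'
$thumbprint = '<none>'
if ($sig.SignerCertificate) {
    $signer     = $sig.SignerCertificate.Subject
    $thumbprint = $sig.SignerCertificate.Thumbprint
}

# A publisher rule only helps when the signature is intact and the signer is
# one the organization has decided to trust; everything else needs a hash
# rule or should be blocked outright.
switch ($sig.Status) {
    'Valid'        { $ruleType = 'publisher rule (trusted cert chain) or hash rule' }
    'NotSigned'    { $ruleType = 'hash rule only (no publisher to trust)' }
    'HashMismatch' { $ruleType = 'block: file content changed after it was signed' }
    'NotTrusted'   { $ruleType = 'review: signed, but the chain is not trusted here' }
    default        { $ruleType = "review: signature status $($sig.Status)" }
}

[pscustomobject]@{
    File            = $Path
    SignatureStatus = $sig.Status
    Signer          = $signer
    Thumbprint      = $thumbprint
    Sha256          = $sha256
    SuggestedRule   = $ruleType
} | Format-List
```

Run it against a known-good copy of the binary and keep the reported thumbprint or hash as the value for the rule; a HashMismatch result means the file on disk is no longer what the signer signed.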
What is damned annoying is that 'Gatekeeper' can be turned off; but as of 10.10, it will turn itself back on after a period of time. iOSX seems likely in the near future.