Microsoft Announces Device Guard For Windows 10
jones_supa writes: Microsoft has announced a new feature for Windows 10 called Device Guard, which aims to give administrators full control over what software can or cannot be installed on a device. "It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. ... To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege." It's intended to be used in conjunction with traditional anti-virus, not as a replacement.
"It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps."
Say goodbye to open source, pirate, or non-Microsoft software.
Yay Windows 10.
"Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not."
So, basically, everything you install will be logged and checked by Microsoft servers. I turn these features off in my browsers, I wonder if I can turn them off in Windows 10 (without being constantly annoyed by the Security Center).
Some things need to be said...
This actually sounds like a great idea. Whitelist all the executables on your system. Then, if something tries to execute that's not whitelisted, throw up a dialog explaining what's going on. This would catch sneaky attempts to execute trojans in a lot of cases.
One downside is it probably wouldn't work with interpreted languages, and those can be fairly powerful. But it's a start.
This does almost nothing. Just more window dressing.
Most applications DO come from "trusted vendors" (such as Microsoft itself). Yet the virus attacks continue, and the security failures continue.
When Corporate America IT organizations start deploying this with Windows 10 rollouts in, oh, 2020 or so, a whole slew of things that are necessary to keep companies operational are just going to stop working.
IT "administrators" will be unable to resist the temptation to enable this "feature", surmising that any user running an .exe that wasn't signed by a shortlist of vendors must be doing something illegal.
So that business process automation workflow that saves thousands of hours every year? It depends on, say, Ruby, or 7-zip .exes. Poof; gone.
How about that little Office add-in that the CFO really likes because he can rubber stamp all the incoming requests in one batch? Well, it'll probably block .dlls too, so that's gone.
That customer deliverable that people have been pulling 16 hour shifts to get done, which is due tomorrow? It depends on a complicated .NET app written in C# using heavy Excel automation. Now they have to rewrite it in VBA, or maybe your deliverable just won't get delivered.
This is bad, bad news for the skunkworks that keep the world spinning. Better start rewriting everything in Java (make sure it's compatible with the ancient version of Java that comes preinstalled on every system) and calling into native land via JNA. Uhh, provided that Windows will let you dynamically load the JNA .dll into the Java process, that is...
Actually, that probably won't work because of the aforementioned JNA .dll. Let's just rewrite everything in VBA forever and ship our "applications" as Word documents. Who needs proper threading or actually good performance, anyway?
This is a good idea but it will be broken (and fixed), repeatedly.
However, it will make malware writers work harder/spend more money and reduce their reach, which should knock many bad actors out of the game.
Unlike Apple, this will be something most users will have to turn on manually or at least be something they can turn off if the manufacturer has it turned on "out of the box".
I'm more worried about Windows 10+1 - by that time people may be so used to the "safety" of walled-garden "app stores" that a computer you actually own (that is, control) will be a niche market.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Steam and Steam games as well + user mods + user maps + and more.
Also opens the door to all apps must come from MS with them taking $99 a year (even for free apps) + 20%-30% cut of sales.
Later, say goodbye to hardware whose makers did not pay MS a fee to get their drivers trusted, and if MS wants to be evil, keyboards and mice as well.
Everyone is a Windows Administrator. So how well will this really work?
Most non IT people will just see the popup saying "Blah, blah blah blah. Blah blah, blah, unsigned blah blah." And click the button that says, "Make the nasty popup go away and run the neat app I just downloaded."
Have gnu, will travel.
Doesn't Windows have this already? If the installer isn't signed with a "trusted" certificate, you get a scary warning message. Or is the "hardware technology and virtualization" the new bit?
As long as the user has the option to override the warning and install anyway, you'll still get malware being installed.
This feature however seems more aimed at IT departments so they can lock down their users' machines to only run their definition of trusted software. How will it apply to standalone or home users?
RR
This announcement sounds vaguely familiar. Did they just rename UAC?
Wouldn't surprise me. First time I heard of UAC I thought it was the company that blew up the world in the DOOM games.
Remember that Stuxnet used drivers signed with "stolen" Realtek and JMicron certificates. Lots of malware is signed with fake, stolen, or weak certs. Hell, some manufacturers like Lenovo even included malware like Superfish on new laptops. Will Device Guard prevent that from happening?
We have this already but it's Windows Enterprise which needed Software-Assurance...
Unless Microsoft's changed something, you can still change the code in (non-device driver) SIGNED executables. (Try it today by flipping a few junk bits in a signed app and see if Microsoft notices the difference.) If that remains true, this isn't much of a deterrent to malware at all.
Furthermore, some of the biggest recent hacks (e.g., Sony) used a SIGNED commercial device driver (running in trial mode) to circumvent NTFS permissions; a default scheme that allows only signed executables wouldn't stop that either.
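The claim above, that a signed executable can be patched without anyone noticing, is something an administrator can check directly: Windows keeps the Authenticode result per file, and a signed binary whose bytes were changed after signing reports HashMismatch rather than Valid. The following is an added example, not code from the article or from any commenter; it inventories the signature state of a directory tree (the scan root is an assumption) and separates "tampered or unsigned" from "signed, but by whom":

```powershell
# Added example (not from the article or any commenter): report the Authenticode
# state of executables under a directory. Status values come from Get-AuthenticodeSignature:
#   Valid        - signature present and chains to a trusted root
#   HashMismatch - signed, but the file's bytes no longer match the signed hash (modified after signing)
#   NotSigned    - no signature at all
# Code integrity enforcement treats anything other than Valid as untrusted.
function Get-SignatureReport {
    param([string]$Path = 'C:\Program Files')   # assumed scan root

    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status
                # A Valid status says who signed the file, not that it is benign:
                # a leaked or stolen vendor certificate (the Stuxnet case) still shows as Valid.
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            }
        }
}

# Everything that is not Valid is what an allowlist policy would refuse to run.
Get-SignatureReport | Where-Object Status -ne 'Valid' |
    Group-Object Status | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# For the signed files, list distinct signers and certificate thumbprints so they can be
# compared against vendor advisories and revocation data for known-compromised certificates.
Get-SignatureReport | Where-Object Status -eq 'Valid' |
    Group-Object Signer, Thumb | Select-Object Count, Name | Sort-Object Count -Descending
```

The second listing is the part that matters for the Sony and Stuxnet examples in this thread: a signature check answers "was this file altered since it was signed?", and the signer inventory is what lets you answer "is this signer one we actually meant to trust?".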
Most of the posts on here are of the variety that this is taking away a fundamental human right or that everybody is an administrator so it's a meaningless feature. In the corporate IT world, this is hugely valuable. Most non-programmers *don't* have administrator privileges. But, even if they do, you don't want to allow untrusted binaries. Windows has local administrators and domain administrators. Nobody is a domain administrator. Even local admin privileges won't let you override a group policy. This really is as near a perfect solution as you can get. As far as interpreted languages... uh, non-programmers don't need to have interpreters on their machines. Some "interpreted" languages (like the .Net CLR) will honor this and not interpret things that aren't properly signed. So I see this as a big win. Although it's hugely helpful for the large organizations who spend billions of dollars on IT, I do agree that it's a bit of an inconvenience for people who live in their parents' basement and run pirated copies of Windows while claiming to live and die by Linux.
If you look at Windows NT and beyond, it was all about removing capabilities from untrusted users, and placing them in the hands of IT staff/CIOs. That was a huge success for Microsoft: CIOs control the budget and decide what gets purchased. So they stuck with what empowered them, regardless of whether this was good for the user community, and whether the Microsoft monoculture created more problems (and more costs) than it solved. (After all, the measure of 'power' in many organizations is the size of the budget and staff; growing the CIO budget and hiring more IT workers equated to more CIO power.)
So now, with the growth of non-PCs (phones, tablets, even IoT) in companies, Microsoft once again plays to (you could say 'panders to') the CIO and ability to control the device.
This could be quite a battle, with Apple/IBM (and presumably Google/Android soon) providing business services to the user community, versus Microsoft providing control (and familiarity) to the CIO community.
a lot of the malware out there is "trusted" crap from "partners"
So now we will have Microsoft certified SAFE malware....
Do not look at laser with remaining good eye.
User Account Control (UAC) helps defend your PC against hackers and malicious software. Any time a program wants to make a major change to your computer, UAC lets you know and asks for permission.
This new "feature" looks like yet another security prompt that the user is going to click through.
Why would I want MS have control of my device? No thanks, it's just another ploy to let them own your hardware.
This sounds a lot like Gatekeeper on the Mac, which works really well. It allows the user several levels of trust - "trust store apps only", "trust store apps plus recognised developers" (certificate signed), "allow everything".
I have mine set to "store apps plus recognised developers" and ask for the rest. If I run something else, I can right click and select Open..., it asks me if I'm sure and I say yes. This is a five second operation which gives me control over my options, whilst preventing unknown apps from running without my knowledge and explicit say so. This Windows one sounds pretty much the same, with the addition of your classic enterprise lock down features: if it's a corporately-owned machine, then yes, the corporation should get a say over what's running on it.
Imagine the kind of download-happy, click-on-everything user that we've all seen around. They would download cunningly-disguised-malware.exe and try to run it, and the OS would simply prevent them. Now true if they had admin rights they could go into preferences, set to allow everything etc. but it's all more effort and a quick realisation that something's unusual here.
Nope, I regard this as a good move. It already exists in OS X and works well - putting a similar system into Windows seems like a good idea to me.
Bit9's application whitelisting product was leveraged to attack customers using it.
http://krebsonsecurity.com/201...
da w00t. mtfnpy?
Ok, so this will prevent a modified "acrobat.exe" from running without a prompt. But running a properly-signed "acrobat.exe" to open evil.pdf still pwns the machine. You can also completely pwn a system by interacting with PowerShell. Wanna bet that in a corporate environment (which this is intended to help) powershell.exe will be allowed to run? (and thirdly, this functionality already exists since XP, in the form of "Parental Controls" and/or AppLocker.) --Joe
there needs to be free certificates at least for testing / dev stuff.
So this feature has been around in some form or another since at least 2003. See https://technet.microsoft.com/... for how to implement it 12 years ago. It included the ability to generate a hash for an executable, so if you needed people to run foobar.exe version 1.1.1.1, you generated the hash and then people could not run 1.1.1.0 or 1.1.1.2. You could also do certificates from trusted publishers, etc. It looks like there are a few new features, including virtualization options, but this is really just a rebranding of an existing feature to make it more prominent for the end user. Something all corporations do.
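Two comments in this thread describe the same mechanism from different ends: the earlier one ("whitelist all the executables on your system, then throw up a dialog when something else tries to run") and this one (hash rules that pin one exact version versus publisher rules that trust a signer). The following is an added example, not code from the article or from any commenter, showing how that looks with the Windows 10 code integrity policy cmdlets from the ConfigCI module: a scan of a clean reference machine produces the allowlist, audit mode gives you the "report, don't block" behaviour before anything is enforced, and the audit log is where the breakage the skunkworks comments worry about shows up first. The directory C:\CIPolicy and the scan paths are assumptions.

```powershell
# Added example (not from the article or any commenter). Requires the ConfigCI module
# (Windows 10 Enterprise) and an elevated prompt. All paths are assumed.
$PolicyDir = 'C:\CIPolicy'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# 1. Publisher-level rules: trust whatever is signed by the signers found on the reference
#    image, so a vendor update keeps working. -UserPEs includes user-mode binaries (without it
#    only kernel-mode code is covered). -Fallback Hash pins anything that is unsigned.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\' -FilePath "$PolicyDir\Publisher.xml"

# 2. Hash-level rules: the 2003-style pin of one exact build. A newer or older build of the
#    same tool hashes differently and will not match.
New-CIPolicy -Level Hash -UserPEs `
    -ScanPath 'C:\Tools\Approved' -FilePath "$PolicyDir\Hash.xml"

# 3. Start in audit mode (rule option 3): violations are logged, not blocked. Remove the
#    option later with -Delete to enforce.
Set-RuleOption -FilePath "$PolicyDir\Publisher.xml" -Option 3

# 4. Convert to the binary form the kernel reads and stage it in the code integrity folder.
ConvertFrom-CIPolicy -XmlFilePath "$PolicyDir\Publisher.xml" `
    -BinaryFilePath "$PolicyDir\SIPolicy.p7b"
Copy-Item "$PolicyDir\SIPolicy.p7b" "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"

# 5. After a test period, list what audit mode would have blocked (event 3076 is the
#    audit-mode "did not meet policy" event in the CodeIntegrity operational log).
function Get-AuditedBlocks {
    param([int]$Count = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
        -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
Get-AuditedBlocks | Format-List
```

The audit listing is the check worth running before enforcing anything: every Ruby interpreter, 7-Zip binary, in-house .NET tool and Office add-in DLL that the policy does not cover appears there while users can still work. Adding the missing signer or hash to the XML and rebuilding the .p7b is the fix; deleting rule option 3 is the switch from "report" to "block".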
there needs to be free certificates at least for testing / dev stuff.
You can do it yourself by setting up your own internal CA and trusting the root certificate on your test machines. It's totally free and included in Windows Server.
Device Guard allows using a local certificate as well, so it shouldn't be a problem.
I'm a software developer. I am constantly recompiling new versions of the code I'm working on.
It's bad enough that I have to keep reconfiguring my firewall (yes, all link-local addresses should be whitelisted; yes, all addresses given out by my own DHCP server should be whitelisted; yes, our server in the "cloud" should be whitelisted; yes, all addresses in a VM should be whitelisted; etc.).
Will I now have to include some sort of signing step in my build process? What about when I download and install a new tool? Currently, I do get asked to verify this, which is okay, because I don't install new tools every day, so having to occasionally click "ok" is worth the benefit of knowing that something won't get installed without my knowledge.
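The two replies above about free certificates (run your own internal CA; Device Guard accepts a local certificate) and the developer's question here about a signing step in the build are the same problem from both sides. The following is an added example, not code from the article or from any commenter, of what that step looks like. It uses a self-signed code-signing certificate as a stand-in for one issued by an internal CA; the build output directory, the policy path and the certificate subject are assumptions.

```powershell
# Added example (not from the article or any commenter). Paths and the subject name are assumed.

# Once per developer machine: create a code-signing key in the user's certificate store.
# With an internal CA you would request this certificate from the CA instead of self-signing.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Dev Build Signing (assumed)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(1)

# Export only the public certificate. Test machines import it so signatures chain to a
# trusted root; the private key stays in this user's store.
Export-Certificate -Cert $cert -FilePath 'C:\Build\devsign.cer' | Out-Null
# On each test machine, elevated:
#   Import-Certificate -FilePath C:\Build\devsign.cer -CertStoreLocation Cert:\LocalMachine\Root
#   Import-Certificate -FilePath C:\Build\devsign.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher

# Per build: sign every PE the build produced. A file that comes back without a signer
# certificate was not signed, and the build should fail rather than ship it unsigned.
function Invoke-BuildSigning {
    param([string]$OutputDir = 'C:\Build\bin')   # assumed build output directory
    $failed = @()
    Get-ChildItem -Path $OutputDir -Recurse -Include *.exe, *.dll -File | ForEach-Object {
        $result = Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert -HashAlgorithm SHA256
        if ($null -eq $result.SignerCertificate) { $failed += $_.FullName }
    }
    if ($failed.Count -gt 0) { throw "Signing failed for: $($failed -join ', ')" }
    # Status is 'Valid' only on machines that trust devsign.cer; on an untrusting machine
    # the signature is still present but reports UnknownError (untrusted root).
}
Invoke-BuildSigning

# Once: allow this signer in the Device Guard policy for user-mode code, so each new
# build runs without re-hashing every binary. The policy XML is the one you already deploy.
Add-SignerRule -FilePath 'C:\CIPolicy\Publisher.xml' -CertificatePath 'C:\Build\devsign.cer' -User
```

The point of the publisher rule at the end is exactly the developer's complaint: with a hash rule every recompile would need a policy update, whereas a signer rule means the policy only changes when the signing certificate does. The cost moved from "click OK occasionally" to "keep a signing key, and keep it off the build output share".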
To address that scenario, we would probably need signed documents as well.
We've reached a time where the general consensus seems to be that automated installations are a required thing, but their existence wreaks havoc on defense in depth strategies. The security implications of automated installations clearly were not considered well, or considered and sacrificed on the altar of expedience. Just look at Ubuntu (I'm picking on you Ubuntu, but pick nearly any other OS too), with PolicyKit with permissions that provide for automated privilege elevation to allow completely unattended and automated background software download and installation. That's like having a nice castle with 4 concentric walls, then putting a giant door in each wall, with all the doors lined up, and a single key used to unlock each one.
Maybe a geek Benjamin Franklin born in this generation would have said something about those desiring convenience at the expense of security deserve neither.
By that logic, SSL is also broken, and so is any form of encryption: if you have the key, you're shit out of luck. Thankfully, getting the key(s) is a lot more complicated than you make it sound.
So let me see. I assume all Microsoft apps will be signed as trusted from day 1. But of course, the bugs that make them malware don't turn up till months or even years down the road. Same applies to, say, Firefox or Chrome, but new versions of those won't be automatically signed - or maybe they're big enough players that they will, but you get the point. Other than allowing some administrators to force a Microsoft-only 'standard' desktop on users, what does this accomplish?
Posted from my Android phone. Oh, I can change this? There, that's better...
one more reason to get a new computer WITHOUT AN OS
That way i can install MY OWN NON Microsoft OS
"I don't pitch OpenSUSE Linux to my friends, I let Microsoft do it for me"
I only want two things out of windows 10:
1) hololens, so I can have simulated acid trips without any drugs involved...
2) a mod for Cortana to make her speak and behave like a virtual girlfriend (forever stuck in the "giddy over new relationship" phase).
Device Guard; the proven security model of ActiveX.
one more step so that MS can control what you can run on your computer...
You already have boot loader signing, now you may block the non-whitelisted apps... (for sure MS signed apps are automatically allowed)
next is to require all apps to be signed to be executed (if not enabled with this)...
Finally require all apps to be delivered by the MS store (with the excuse to automatically sign all apps), or if you are big enough, set up your public store with expensive MS software and some CA-like key from a CA
I'm so glad i have stopped using windows
Higuita
I could see this being useful for my desktop. I think all of my games are signed, I would need to check. But if it became common practice, this could be useful. I could create a whitelist.
Looks like MS is going to kill McAfee's application control (used to be Solidcore) product.
Uhhhh....it's the same thing Google does with ChromeOS, only unlike ChromeOS it's OPTIONAL and can be turned off. I seriously doubt it will even be on by default for any SKU other than Windows Enterprise as it would mean a ton of headaches for any OEM that sold a PC with this on thanks to the increased support calls.
Don't you just love how whatever MSFT does it's automatically evil, even when it's just copying Slashdot darling Google? It doesn't matter that Nadella is nothing like Gates or Ballmer, that one of the first things he did was open up .NET (as many devs had asked for) and bring their open source back into the fold so it wouldn't be treated like an afterthought, got rid of Metro for everything other than phones/tablets (again just like so many of us asked for) and then to top it all off have Windows 10 be free for a year to make up for Windows Mist8ke...what happened to letting the new guy have a chance before tarring and feathering?
This CEO change so far looks to be as big a direction shift for MSFT as bringing Jobs back was for Apple, as he doesn't seem to give a shit about planting Winflags on everything (like Ballmer) or treating FOSS like the plague and fucking users in favor of getting snugly with the OEMs (ala Gates) but actually seems to be LISTENING TO THE USERS and giving us what we ask for...shouldn't we at least give the guy one OS launch to see what he's gonna do?
ACs don't waste your time replying, your posts are never seen by me.
So in the past our government has actually compromised Windows Update to distribute Flame/Duqu. How does this prevent that from happening? You know if the government can do it that's a fairly low bar.
I presume that this is policies being dumbed down for use on all versions of Windows 10, not just Pro or Enterprise. I'm happy with the policies we set that only allow installations from specific mapped locations. Our workstation that is running the Windows 10 preview to see how useful it is, updated directly from Windows 7 Pro, imported all the policies perfectly. I hope that doesn't change..
I wasn't saying it was Microsoft being evil. I just thought stupid admins - or corporate policy makers might set a policy that only allows Microsoft apps - and this feature was giving them a way to enforce that. Imagine if this had been in place during the heyday of IE6. Firefox would've been severely hindered in getting acceptance, and IE6 would've ruled (and messed up) the web longer than it did. As it was, lots of corporate IT disallowed you to install it. So yeah, at this point maybe it's the "nobody got fired for restricting you to MS products" crowd that's evil - but that doesn't mean it's not potentially problematic...
Posted from my Android phone. Oh, I can change this? There, that's better...
...trusted.
Wasn't there a report of how the Windows/Metro app store was infested with malware?
It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization.
Basically all they're doing is trying to kill open source. This won't do a thing to stop malware.
Stupid admins can set policies that don't allow some useful software. GIFs at 11.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
What about software that is just run uninstalled?
How does Microsoft Device Guard protect against that?