Slashdot Mirror


Microsoft Announces Device Guard For Windows 10

jones_supa writes: Microsoft has announced a new feature for Windows 10 called Device Guard, which aims to give administrators full control over what software can or cannot be installed on a device. "It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. ... To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege." It's intended to be used in conjunction with traditional anti-virus, not as a replacement.

31 of 190 comments

  1. Whitelisting executables... by ZorinLynx · · Score: 4, Insightful

    This actually sounds like a great idea. Whitelist all the executables on your system. Then, if something tries to execute that's not whitelisted, throw up a dialog explaining what's going on. This would catch sneaky attempts to execute trojans in a lot of cases.

    One downside is it probably wouldn't work with interpreted languages, and those can be fairly powerful. But it's a start.

    1. Re:Whitelisting executables... by oh_my_080980980 · · Score: 2

      Yo douche bag: "To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. "

      So it makes a check against a list of some sort. How hard would it be to get some malicious software signed? More importantly, what about devices that are from a trusted source but are not signed? Can an admin put such devices on a whitelist, or does Microsoft control a master list?

      FTA: "This gives it a significant advantage over traditional anti-virus and app control technologies like AppLocker, Bit9, and others which are subject to tampering by an administrator or malware"

      So it sounds like the admin is taken out of the loop. Need more details, which are lacking in the article. But I would not trust Microsoft to make those decisions for me.

    2. Re:Whitelisting executables... by Greyfox · · Score: 4, Informative
      "Trusted Malware Suppliers"

      You mean, like SONY?

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    3. Re:Whitelisting executables... by Minwee · · Score: 2

      "It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or Lenovo."

      There. Fixed that for you.

    4. Re:Whitelisting executables... by goarilla · · Score: 2

      Couldn't you already create this "executable whitelist" if you set up software restriction policies? (https://technet.microsoft.com/en-us/library/hh994620.aspx)

  2. So Microsoft is still papering over failures. by Anonymous Coward · · Score: 3, Insightful

    This does almost nothing. Just more window dressing.

    Most applications DO come from "trusted vendors" (such as Microsoft itself). Yet the virus attacks continue, and the security failures continue.

  3. Re:FTFY by BradleyUffner · · Score: 2

    "which are apps that are signed by specific software vendors, the Windows Store, or even your own organization"

  4. Re:FTFY by Anonymous Coward · · Score: 5, Informative

    This is an optional feature, mainly targeted for enterprise use. The system administrator chooses what to whitelist. Also, any app can be self-signed.

    Quite a nice feature if you want to prevent random executables from conquering the computer. Of course this does not protect from vulnerabilities contained inside any of the trusted apps.

  5. Won't guard against signed malware by Anonymous Coward · · Score: 2, Informative

    Remember that Stuxnet used drivers signed with "stolen" Realtek and JMicron certificates. Lots of malware is signed with fake, stolen, or weak certs. Hell, some manufacturers like Lenovo even included malware like Superfish on new laptops. Will Device Guard prevent that from happening?

  6. Re:privacy :{ by Anonymous Coward · · Score: 5, Insightful

    No imbecile, it's talking about checking the code signing certificate.
    If you've trusted the particular vendor or cert chain, then the app is allowed to be installed, if you don't trust the cert, it warns or blocks installation or execution.

  7. Not sure this helps... by xxxJonBoyxxx · · Score: 3, Insightful

    Unless Microsoft's changed something, you can still change the code in (non-device driver) SIGNED executables. (Try it today by flipping a few junk bits in a signed app and see if Microsoft notices the difference.) If that remains true, this isn't much of a deterrent to malware at all.

    Furthermore, some of the biggest recent hacks (e.g., Sony) used a SIGNED commercial device driver (running in trial mode) to circumvent NTFS permissions; a default scheme that allows only signed executables wouldn't stop that either.

  8. Re:FTFY by cinky · · Score: 3, Insightful

    It's for organizations... You know, so you don't install stupid shit on your company laptop. It's not "microsoft says what you can install"... But you would actually have to read the article before commenting...

  9. Corporate IT salvation by edtice1559 · · Score: 5, Insightful

    Most of the posts on here are of the variety that this is taking away a fundamental human right or that everybody is an administrator so it's a meaningless feature. In the corporate IT world, this is hugely valuable. Most non-programmers *don't* have administrator privileges. But, even if they do, you don't want to allow untrusted binaries. Windows has local administrators and domain administrators. Nobody is a domain administrator. Even local admin privileges won't let you override a group policy. This really is as near a perfect solution as you can get. As far as interpreted languages... uh, non-programmers don't need to have interpreters on their machines. Some "interpreted" languages (like the .Net CLR) will honor this and not interpret things that aren't properly signed. So I see this as a big win. Although it's hugely helpful for the large organizations who spend billions of dollars on IT, I do agree that it's a bit of an inconvenience for people who live in their parents' basement and run pirated copies of Windows while claiming to live and die by Linux.

    1. Re:Corporate IT salvation by allquixotic · · Score: 2

      First, let me say that I totally agree that "regular" users -- those who are not programmers or testers or system administrators -- do not typically need administrative rights, nor do they, in the ideal case, need the ability to run unauthorized third-party programs.

      HOWEVER, my concern is that there will be many inappropriate and heavy-handed uses of this technology called "Device Guard" by IT departments that are not effectively satisfying the needs of their users.

      Firstly, every IT department would, in an ideal world, be willing to get over themselves and accept the fact that software development can, and should, happen in departments other than the official IT department. The larger and more diverse your organization is, the truer this statement is. An employee shouldn't have to be within the reporting chain of the CIO or IT Director in order to be able to develop software as part of their official responsibilities. And yes, if an employee's management chain officially assigns them software development duties, and these responsibilities are accepted as legitimate by a corporate officer who isn't in IT, then this software development *is* official, even if IT isn't aware of it.

      The next thing is, IT organizations need to assign appropriate permissions and trust (e.g. local admin rights) to these external development organizations. Trust them to do their job correctly, and only crack down if there is an actual violation. If you're worried about compliance, give them your security policies and make them provide a compliance report before deploying the software. Come up with some *minimally-invasive* hoops they'd have to jump through to get approval to deploy their finished software. *Don't* try to take ownership of their product lifecycle.

      In an IT shop meeting these simple minimal criteria, I think this Device Guard feature would be mostly harmless. Jane the Executive Assistant tries to run an .exe screensaver with cat pictures and is blocked; too bad. Tom the software developer who doesn't work for IT submits a ticket and gets local admin rights within 48 hours so he can get his job done. Before deployment, he gets IT to roll out a patch to all their workstations whitelisting his codesigning cert, which was purchased on his (non-IT) department's dime. Everybody is happy (except Jane, but she'll live).

      My concern is that there are hundreds of IT shops out there in the wild which do NOT have the political or social intelligence to enact policies like these, and would rather bury their heads in the sand and pretend there's not a problem. They are so averse to risk and change that they would rather see their company stagnate due to the unavailability of necessary tools and technologies, instead of working through the growing pains of becoming an organization that can accommodate the realities of the fast-paced 21st century business culture, such as the necessity of software development done locally to the people who will be using the software (advantages: reduced cost, shorter lifecycle, more relevant and accessible to the end-users, faster response to change requests, etc.)

      These same shops without the above will be all too happy to turn on Device Guard for its security benefits, without making the required accommodations for the many existing Shadow IT organizations in their company, half of whom are afraid of IT's potential overreaction to their project and have thus never come forward and told IT what they're doing.

      Mark my words: the day that IT departments roll out Windows 10 and turn on Device Guard, the shit is going to hit the fan. You'd better have already worked out the proper preparations with *all* the software developers in your user base -- not just the IT department -- to support their production software, or random pieces of your mission-critical software are just going to stop working one day, and an angry CxO is going to want to know why IT broke their systems.

  10. This is how Microsoft grew before by david.emery · · Score: 2

    If you look at Windows NT and beyond, it was all about removing capabilities from untrusted users, and placing them in the hands of IT staff/CIOs. That was a huge success for Microsoft, CIOs -control the budget- and decide what gets purchased. So they stuck with what empowered them, regardless of whether this was good for the user community, and whether the Microsoft monoculture created more problems -and more costs- than it solved. (After all, the measure of 'power' in many organizations is the size of the budget and staff; growing the CIO budget and hiring more IT workers equated to more CIO power.)

    So now, with the growth of non-PCs (phones, tablets, even IoT) in companies, Microsoft once again plays to (you could say 'panders to') the CIO and ability to control the device.

    This could be quite a battle, with Apple/IBM (and presumably Google/Android soon) providing business services to the user community, versus Microsoft providing control (and familiarity) to the CIO community.

  11. Re:Administrators control by Trepidity · · Score: 2

    Not always in corporate settings, which is probably what this is aimed at. It's admittedly super-annoying to have to use a machine where you don't have administrator access, but it happens.

  12. Re:privacy :{ by Howitzer86 · · Score: 5, Informative

    I had to turn off UAC in Windows 8 to compile and automatically copy my plugin project to its proper directory because that directory is under Program Files. This was necessary because I had set the host program to start immediately afterwards in order to debug my plugin as it ran. This worked, but in doing so, I lost access to my Windows 8 apps. I only use a few, but it was annoying enough that I eventually moved the project to a Windows 7 machine (and you don't have to turn UAC off completely, it's just as far as Windows 8 is concerned, if that one registry entry concerning protected directories is toggled off the whole thing is compromised).

    So, while any rebuttals here to the effect that "undoubtedly you can turn this off" are probably accurate, I wouldn't be surprised if there were things like this built into the system to encourage the user to keep it on. "Want to develop software on your PC? Well, either apply for a personal certificate or stop using Metro apps." It won't really stop developers, but it could shut down new user interest outside of closed markets.

  13. Re:FTFY by dimeglio · · Score: 2

    I believe this feature is more for corporate IT (the real administrators) rather than for individual administrators of the system. Although corporate IT has some control, it basically centers around limiting the installation and not the execution of applications. For home use, I'm sure this is going to be disabled quickly - just like the firewall.

    --
    Views expressed do not necessarily reflect those of the author.

  14. Re:FTFY by DigiShaman · · Score: 4, Insightful

    "For home use, I'm sure this is going to be disabled quickly - just like the firewall."

    Really? Do home users disable allowed app verification in OSX? No? Thought so!

    Windows (like iOS and OSX) is no longer just an operating system, it's a platform. The new paradigm is to download from the app store ecosystem where it's vetted. Even Android has this process. The days of downloading programs from dubious vendors and websites zipping up files via shareware/freeware is over. In OSX, it can be overridden to run programs like Onyx which is real easy with a few mouse clicks; but most people don't do that, let alone download Onyx either.

    --
    Life is not for the lazy.

  15. Re:privacy :{ by Anonymous Coward · · Score: 2, Insightful

    How about you just change the folder permissions on the destination folder rather than compromise/screw your whole system?

  16. This is good - think OS X Gatekeeper by mccalli · · Score: 2

    This sounds a lot like Gatekeeper on the Mac, which works really well. It allows the user several levels of trust - "trust store apps only", "trust store apps plus recognised developers" (certificate signed), "allow everything".

    I have mine set to "store apps plus recognised developers" and ask for the rest. If I run something else, I can right click and select Open..., it asks me if I'm sure and I say yes. This is a five second operation which gives me control over my options, whilst preventing unknown apps from running without my knowledge and explicit say so. This Windows one sounds pretty much the same, with the addition of your classic enterprise lock down features - if it's a corporately-owned machine, then yes the corporate should get say over what's running on it.

    Imagine the kind of download-happy, click-on-everything user that we've all seen around. They would download cunningly-disguised-malware.exe and try to run it, and the OS would simply prevent them. Now true if they had admin rights they could go into preferences, set to allow everything etc. but it's all more effort and a quick realisation that something's unusual here.

    Nope, I regard this as a good move. It already exists in OS X and works well - putting a similar system into Windows seems like a good idea to me.

  17. This is not a new concept, and it's already broken by Da+w00t · · Score: 3, Interesting

    Bit9's application whitelisting product was leveraged to attack customers using it.

    http://krebsonsecurity.com/201...

    --

    da w00t. mtfnpy?

  18. Re:FTFY by Wolfsbruder · · Score: 2

    Stop with the Transformer quotes.

    It's not Transformers, It's Dirty Harry.

  19. Re:Administrators control by Ravaldy · · Score: 2

    The idea is that there are different levels of control: "All good, Warning, Deny".

    Application control already exists through group policies. What this does is make it easier for the administrators to manage, but it also brings another level of flexibility, which is virtualization. Windows 10 comes with built-in virtualization which will allow isolation of the instance being run. This will further protect the system. I believe some antivirus products are already doing this, but obviously MS is trying to make the OS provide this functionality built-in. After all, MS best understands their own OS and the API that runs on it.

  20. It was a nice feature in 2003 by jd142 · · Score: 4, Insightful

    So this feature has been around in some form or another since at least 2003. See https://technet.microsoft.com/... for how to implement it 12 years ago. It included the ability to generate a hash for an executable, so if you needed people to run foobar.exe version 1.1.1.1, you generated the hash and then people could not run 1.1.1.0 or 1.1.1.2. You could also do certificates from trusted publishers, etc. It looks like there are a few new features, including virtualization options, but this is really just a rebranding of an existing feature to make it more prominent for the end user. Something all corporations do.
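    As an added illustration of the hash, certificate and path rules that comments 4 and 20 refer to (example code written for this page, not code from the thread, from Microsoft or from the linked TechNet articles), a small Python model of how software restriction policy evaluation resolves overlapping rules: a hash rule overrides a certificate rule, which overrides a path rule, the longest path prefix wins among path rules, and anything not matched by an allow rule falls back to the default level. The file bytes, the signer name and the use of SHA-256 are constructed assumptions for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

ALLOW, DENY = "Unrestricted", "Disallowed"

# SRP rule types in order of precedence: a hash rule overrides a certificate
# (publisher) rule, which overrides a path rule.
PRECEDENCE = {"hash": 0, "publisher": 1, "path": 2}


@dataclass
class Rule:
    kind: str    # "hash", "publisher" or "path"
    match: str   # hex digest, signer name or path prefix
    action: str  # ALLOW or DENY


@dataclass
class Executable:
    path: str
    content: bytes
    publisher: Optional[str] = None  # signer name; None means unsigned


def file_hash(content: bytes) -> str:
    # Assumption for this model: SHA-256 stands in for the digest a real hash rule stores.
    return hashlib.sha256(content).hexdigest()


def evaluate(exe: Executable, rules: List[Rule], default: str = DENY) -> str:
    """Return the action SRP-style precedence applies to `exe`."""
    digest = file_hash(exe.content)
    matches = []
    for r in rules:
        if r.kind == "hash" and r.match == digest:
            matches.append(r)
        elif r.kind == "publisher" and exe.publisher == r.match:
            matches.append(r)
        elif r.kind == "path" and exe.path.lower().startswith(r.match.lower()):
            matches.append(r)
    if not matches:
        return default  # default security level: unlisted code is blocked
    # Most specific rule wins: by type precedence, then by the longest path
    # prefix, and on a remaining tie the more restrictive action.
    def rank(r: Rule):
        return (PRECEDENCE[r.kind], -len(r.match) if r.kind == "path" else 0, r.action != DENY)
    return min(matches, key=rank).action


# Constructed stand-ins for two builds of foobar.exe (not real binaries).
FOOBAR_1111 = b"MZ\x90\x00 foobar.exe build 1.1.1.1"
FOOBAR_1110 = b"MZ\x90\x00 foobar.exe build 1.1.1.0"
SIGNER = "Contoso Ltd (hypothetical signer)"

# Constructed policy: approve exactly build 1.1.1.1 by hash, trust one signer,
# allow the Program Files tree but carve out a Disallowed subfolder.
RULES = [
    Rule("hash", file_hash(FOOBAR_1111), ALLOW),
    Rule("publisher", SIGNER, ALLOW),
    Rule("path", "C:\\Program Files\\", ALLOW),
    Rule("path", "C:\\Program Files\\Untrusted\\", DENY),
]


def demo() -> dict:
    downloads = "C:\\Users\\jane\\Downloads\\foobar.exe"
    untrusted = "C:\\Program Files\\Untrusted\\foobar.exe"
    cases = {
        "1.1.1.1 from Downloads": Executable(downloads, FOOBAR_1111),
        "1.1.1.0 from Downloads": Executable(downloads, FOOBAR_1110),
        "1.1.1.0 in Program Files": Executable("C:\\Program Files\\Foo\\foobar.exe", FOOBAR_1110),
        "1.1.1.0 in Untrusted, unsigned": Executable(untrusted, FOOBAR_1110),
        "1.1.1.0 in Untrusted, signed": Executable(untrusted, FOOBAR_1110, SIGNER),
    }
    return {name: evaluate(exe, RULES) for name, exe in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```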

  21. Re:FTFY by kolbe · · Score: 2

    I would like to think if I installed Win10 Enterprise on my systems at home and used workgroups, I could deploy this and manage my kid's ability to allow/disallow various applications as well...

    In the mind of an Administrator, domain employees are not any different than children after all.

  22. Re:What about software developers? by DigiShaman · · Score: 2

    I'm not a dev, but work with them. As I understand it, they work in OSX or Windows with full access to the resources they need. They test, then publish. If that means obtaining a method of certification, so be it. Otherwise, home-brew apps will just have to include instructions on temporarily allowing access to the program.

    In OSX at least, I can run Onyx for the first time, then go back and re-enable "Mac Store and Identified Developers". My preference for that one application is retained as the rule to the exception.

    --
    Life is not for the lazy.

  23. Re:There goes most of Shadow IT by allquixotic · · Score: 2

    If some of the IT departments I've had to tangle with in the past were doing their jobs correctly, anyone doing software development -- whether an "official" part of the IT department or not -- would be able to easily obtain local admin rights on their workstation.

    If they were doing their jobs correctly, it wouldn't take 2-3 years to develop, test and deploy a simple productivity enhancement or workflow automation solution that might take 40-80 hours to actually code, and maybe another 100 hours to design, test and document. Not to mention, anyone who's actually gone through the whole 2-3 year lifecycle often ends up paying way more than they wanted to, for a way over-engineered solution that tries to solve every problem anyone's ever had, instead of just solving the problem at hand.

    Also, IT departments never have any free bandwidth for new requests, which is why it takes at least a year for them to even start looking at a problem someone comes to them with. This is not entirely their fault: the CFO will often demand the IT director to keep all of their staff 100% utilized on required projects, so if the IT director tried to keep some staff semi-available for new requests that come in, the CFO would just reduce their head count until they had just enough people to work the projects that are already in development.

    I'm not saying *all* IT Administrators do their jobs poorly or take too long to get things done. I'm saying that the processes and bureaucracy in place -- which, let's face it, most of the IT folks hate just as much as their "customers" -- make the IT organization very inefficient for handling anything that needs a quick turnaround. They are good for managing general use computer rollout with bog standard Office software and Internet access. Beyond that, if a manager or director wants something different, and they want it done *this* year, they are probably going to have to hire their own software folks, interns, or tap internal talent of people who happen to know software development (whether or not it's in their job description). At that point, they've just created a Shadow IT organization.

    My point is that Shadow IT isn't a bad thing if the people working it know what they're doing, and can avoid pitfalls like downloading malware, pirating commercial software, etc. One good way to go about it is to develop your solution in an open source environment (e.g. Java, a GCC language, Ruby, etc.) and to only pull in third-party libraries that are MIT-licensed. It's very, very hard to run afoul of the three-clause BSD license or MIT license; you just create a LICENSE.txt that fulfills the attribution obligations, and off you go.

    This "Device Guard" feature, as I understand it, will actively block non-administrators from being able to compile and run their own executable code, or to install third-party software or runtimes that might enable the same. They then have one of two options: either talk to IT, or try to get around it by using runtimes that already exist on the computer.

    If they try to talk to IT, chances are good that IT will ask that the entire shadow IT project be canceled, and that they be allowed to develop (or buy, COTS) the solution themselves. Once you're in that trap, you automatically know it's going to take 2 years at a minimum. The project you're working on may not even be relevant that far down the road. If you don't agree to letting them work it into their pipeline, then they likely won't agree to give you admin rights. These talks very rarely go over well, unless you're in a very progressive company; but if you were, you'd probably have admin rights in the first place, or at least a separate computer or VM with a sandboxed subnet without access to any sensitive stuff on the LAN, where you have full admin rights.

    This is why shadow IT organizations often just choose to write their stuff in VBA or VBScript. Java is usually a viable option too, but if you need native libraries or any third-party components that need native libraries, you're probably o

  24. Re:FTFY by rjstanford · · Score: 2

    How often do you install new un-signed software that you didn't compile locally yourself that right-clicking only on the first time that an app is executed is a problem?

    --
    You're special forces then? That's great! I just love your olympics!

  25. Re: FTFY by Ravaldy · · Score: 2

    2 to 3 lines.

  26. Re:Can they revoke an app's approval retroactively by hairyfeet · · Score: 2

    Uhhhh... it's the same thing Google does with ChromeOS, only unlike ChromeOS it's OPTIONAL and can be turned off. I seriously doubt it will even be on by default for any SKU other than Windows Enterprise as it would mean a ton of headaches for any OEM that sold a PC with this on thanks to the increased support calls.

    Don't you just love how whatever MSFT does it's automatically evil, even when it's just copying Slashdot darling Google? It doesn't matter that Nadella is nothing like Gates or Ballmer, that one of the first things he did was open up .NET (as many devs had asked for) and bring their open source back into the fold so it wouldn't be treated like an afterthought, got rid of Metro for everything other than phones/tablets (again just like so many of us asked for) and then to top it all off have Windows 10 be free for a year to make up for Windows Mist8ke...what happened to letting the new guy have a chance before tarring and feathering?

    This CEO change so far looks to be as big a direction shift for MSFT as bringing Jobs back was for Apple, as he doesn't seem to give a shit about planting Winflags on everything (like Ballmer) or treating FOSS like the plague and fucking users in favor of getting snuggly with the OEMs (ala Gates) but actually seems to be LISTENING TO THE USERS and giving us what we ask for...shouldn't we at least give the guy one OS launch to see what he's gonna do?

    --
    ACs don't waste your time replying, your posts are never seen by me.