Slashdot Mirror


Microsoft Announces Device Guard For Windows 10

jones_supa writes: Microsoft has announced a new feature for Windows 10 called Device Guard, which aims to give administrators full control over what software can or cannot be installed on a device. "It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. ... To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege." It's intended to be used in conjunction with traditional anti-virus, not as a replacement.

8 of 190 comments

  1. Whitelisting executables... by ZorinLynx · · Score: 4, Insightful

    This actually sounds like a great idea. Whitelist all the executables on your system. Then, if something tries to execute that's not whitelisted, throw up a dialog explaining what's going on. This would catch sneaky attempts to execute trojans in a lot of cases.

    One downside is it probably wouldn't work with interpreted languages, and those can be fairly powerful. But it's a start.

    1. Re:Whitelisting executables... by Greyfox · · Score: 4, Informative
      "Trusted Malware Suppliers"

      You mean, like SONY?

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  2. Re:FTFY by Anonymous Coward · · Score: 5, Informative

    This is an optional feature, mainly targeted for enterprise use. The system administrator chooses what to whitelist. Also, any app can be self-signed.

    Quite a nice feature if you want to prevent random executables from conquering the computer. Of course this does not protect from vulnerabilities contained inside any of the trusted apps.

  3. Re:privacy :{ by Anonymous Coward · · Score: 5, Insightful

    No, imbecile, it's talking about checking the code signing certificate.
    If you've trusted the particular vendor or cert chain, then the app is allowed to be installed; if you don't trust the cert, it warns or blocks installation or execution.

  4. Corporate IT salvation by edtice1559 · · Score: 5, Insightful

    Most of the posts on here are of the variety that this is taking away a fundamental human right or that everybody is an administrator so it's a meaningless feature. In the corporate IT world, this is hugely valuable. Most non-programmers *don't* have administrator privileges. But, even if they do, you don't want to allow untrusted binaries. Windows has local administrators and domain administrators. Nobody is a domain administrator. Even local admin privileges won't let you override a group policy. This really is as near-perfect a solution as you can get. As far as interpreted languages... uh, non-programmers don't need to have interpreters on their machines. Some "interpreted" languages (like the .Net CLR) will honor this and not interpret things that aren't properly signed. So I see this as a big win. Although it's hugely helpful for the large organizations who spend billions of dollars on IT, I do agree that it's a bit of an inconvenience for people who live in their parents' basement and run pirated copies of Windows while claiming to live and die by Linux.

  5. Re:privacy :{ by Howitzer86 · · Score: 5, Informative

    I had to turn off UAC in Windows 8 to compile and automatically copy my plugin project to its proper directory because that directory is under Program Files. This was necessary because I had set the host program to start immediately afterwards in order to debug my plugin as it ran. This worked, but in doing so, I lost access to my Windows 8 apps. I only use a few, but it was annoying enough that I eventually moved the project to a Windows 7 machine (and you don't have to turn UAC off completely; it's just that, as far as Windows 8 is concerned, if that one registry entry concerning protected directories is toggled off, the whole thing is compromised).

    So, while any rebuttals here to the effect that "undoubtedly you can turn this off" are probably accurate, I wouldn't be surprised if there were things like this built into the system to encourage the user to keep it on. "Want to develop software on your PC? Well, either apply for a personal certificate or stop using Metro apps." It won't really stop developers, but it could shut down new user interest outside of closed markets.

  6. Re:FTFY by DigiShaman · · Score: 4, Insightful

    For home use, I'm sure this is going to be disabled quickly - just like the firewall.

    Really? Do home users disable allowed app verification in OSX? No? Thought so!

    Windows (like iOS and OSX) is no longer just an operating system, it's a platform. The new paradigm is to download from the app store ecosystem where it's vetted. Even Android has this process. The days of downloading programs from dubious vendors and websites zipping up files via shareware/freeware are over. In OSX, it can be overridden to run programs like Onyx which is real easy with a few mouse clicks; but most people don't do that, let alone download Onyx either.

    --
    Life is not for the lazy.

  7. It was a nice feature in 2003 by jd142 · · Score: 4, Insightful

    So this feature has been around in some form or another since at least 2003. See https://technet.microsoft.com/... for how to implement it 12 years ago. It included the ability to generate a hash for an executable, so if you needed people to run foobar.exe version 1.1.1.1, you generated the hash and then people could not run 1.1.1.0 or 1.1.1.2. You could also do certificates from trusted publishers, etc. It looks like there are a few new features, including virtualization options, but this is really just a rebranding of an existing feature to make it more prominent for the end user. Something all corporations do.