Slashdot Mirror
Microsoft Announces Device Guard For Windows 10
jones_supa writes: Microsoft has announced a new feature for Windows 10 called Device Guard, which aims to give administrators full control over what software can or cannot be installed on a device. "It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. ... To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege." It's intended to be used in conjunction with traditional anti-virus, not as a replacement.
This is an optional feature, mainly targeted for enterprise use. The system administrator chooses what to whitelist. Also, any app can be self-signed.
Quite nice feature if you want to prevent random executables from conquering the computer. Of course this does not protect from vulnerabilities contained inside any of the trusted apps.
No imbecile, it's talking about checking the code signing certificate.
If you've trusted the particular vendor or cert chain, then the app is allowed to be installed, if you don't trust the cert, it warns or blocks installation or execution.
Most of the posts on here are of the variety that this is taking away a fundamental human right or that everybody is an administrator so it's a meaningless feature. In the corporate IT world, this is hugely valuable. Most non-programmers *don't* have administrator privileges. But, even if they do, you don't want to allow untrusted binaries. Windows has local administrators and domain administrators. Nobody is a domain administrator. Even local admin privileges won't let you override a group policy. This really is as near perfect solution as you can get. As far as interpreted languages... uh, non-programmers don't need to have interpreters on their machines. Some "interpreted" languages (like the .Net CLR) will honor this and not interpret things that aren't properly signed. So I see this as a big win. Although it's hugely helpful for the large organizations who spend billions of dollars on IT, I do agree that it's a bit of an inconvenience for people who live in their parent's basement and run pirated copies of Windows while claiming to live and die by Linux.
I had to turn off UAC in Windows 8 to compile and automatically copy my plugin project to its proper directory because that directory is under Programs Files. This was necessary because I had set the host program to start immediately afterwards in order to debug my plugin as it ran. This worked, but in doing so, I lost access to my Windows 8 apps. I only use a few, but it was annoying enough that I eventually moved the project to a Windows 7 machine (and you don't have to turn UAC off completely, it's just as far as Windows 8 is concerned, if that one registry entry concerning protected directories is toggled off the whole thing is compromised).
So, while any rebuttals here to the effect that "undoubtedly you can turn this off" are probably accurate, I wouldn't be surprised if there were things like this built into the system to encourage the user to keep it on. "Want to develop software on your PC? Well, either apply for a personal certificate or stop using Metro apps." It won't really stop developers, but it could shut down new user interest outside of closed markets.