Uncategorized

Microsoft Updates OEM Device/Credential Guard requirements

Microsoft just updated this page:

https://msdn.microsoft.com/en-us/windows/hardware/commercialize/design/minimum/device-guard-and-credential-guard

No list of what’s changed, it seems that would be a reasonable thing for a large list of requirements…  I’ll leave you to figure out what changed. 🙂

(If someone knows of a good way to diff this page against the same page a few weeks ago (without archive.org), please leave a Comment on this blog post. Thanks.)

 

Standard
Uncategorized

Device Guard: undocumented policies

“Interesting undocumented Device Guard code integrity policy rules. Obtained via the SIPolicy XML schema.”

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules

WordPress mangles Github Gist urls, click on the above Twitter URLs to get the Gist URL.

Standard
Uncategorized

Troy Martin’s Windows Device Guard trilogy

Troy Martin of 1E has written the final of this 3-part blog posts on Device Guard, a new feature of Windows 10, targetting enterprise sysadmins.

[…]
Welcome to the third and final blog in the series on Device Guard!!
Device Guard hardens various attack surfaces on an endpoint creating a “chain of trust” from the hardware through to the Windows OS kernel and to software running in Windows.
Device Guard components run in isolation from the Windows kernel and is secured by a Windows Hyper-V container called Virtual Secure Mode (VSM).
It is evident that Device Guard provides revolutionary endpoint security in Windows 10; a formidable opponent and offense against viruses, malware, bad actors and other modern day threats. Time to start taking advantage of it and securing the enterprise!!
[…]

Standard
Uncategorized

Windows Device Guard information

Ash de Zylva of Microsoft has a blog post on Windows 10’s Device Guard and Credential Guard:
Windows 10 Device Guard and Credential Guard Demystified
While helping Windows Enterprise customers deploy and realize the benefits of Windows 10, I’ve observed there’s still a lot of confusion regarding the security features of the operating system. This is a shame since some of the key benefits of Windows 10 involve these deep security features. This post serves to detail the Device Guard and Credential Guard feature sets, and their relationship to each other. […]
http://blogs.technet.com/b/ash/archive/2016/03/02/windows-10-device-guard-and-credential-guard-demystified.aspx

 

Standard
Uncategorized

MalwareTech on Microsoft Device Guard

The MalwareTech blog has a good article on Microsoft Device Guard for Windows:

Excerpt:

Everyone is probably already familiar with x64 driver signature enforcement (64-bit Windows systems can only load signed drivers); Well, now Microsoft has introduced a similar feature for user mode code, which is a huge deal when it comes to malware (Currently the feature is only present on Windows 10 Enterprise, but I’m fairly certain as it matures it will make it’s way to home systems). Device Guard not only adds customizable user mode code integrity checks (UMCI), but re-works a lot of the kernel mode code integrity (KMCI) allowing far more flexibility than just allowing all signed drivers. The policy can either be deployed locally by and administrator or from a domain controller, making it scalable for enterprise networks. Something I was actually quite surprised by is the fact that the user mode code integrity is not simply limited to executable (I was expecting Device Guard to be just another throw away pseudo-security feature like UAC, but it’s clear some real thought has gone into this).

Full post:
http://www.malwaretech.com/2015/09/device-guard-beginning-of-end-for.html

Standard