Sony Hacked White House Hacked Anthem Hacked Lockheed Hacked Aramco Hacked Bushehr nuclear reactor Hacked NSA Hacked Microsoft, Google, Apple, Facebook Hacked.
Sony Hacked
White House Hacked
Anthem Hacked
Lockheed Hacked
Aramco Hacked
Bushehr nuclear reactor Hacked
NSA Hacked
Microsoft, Google, Apple, Facebook Hacked
Secure Identities
Threat Resistance
Device Guard
Information Protection
What is Device Guard?
Combination of hardware + software security features
Enables businesses to strongly control what is allowed to run
Brings mobile-like security protections to desktop OS with support for existing line of business apps
The Parts to the Solution
Hardware security
Configurable code integrity
Virtualization based security
Protects critical parts of the OS against admin/kernel level malware
Manageability via GP, MDM, or PowerShell
Secure Boot
Includes Secure Firmware Updates and Platform Secure Boot
Kernel Mode Code Integrity (KMCI)
User Mode Code Integrity (UMCI)
AppLocker
Boot and execution chain, earliest stage first (reconstructed from the slide diagram):
Platform Secure Boot: ROM/Fuses, Bootloaders
UEFI Secure Boot: Native UEFI, Windows OS Loader
KMCI: Windows Kernel and Drivers, 3rd Party Drivers
UMCI / AppLocker: User mode code (apps, etc.)
Device profiles, most to least controlled (reconstructed from the slide matrix; the column labels were partly lost in extraction):

Tightly managed
  Very well-defined software and hardware configurations
  Secure Boot restricted to only boot Windows
  Virtualization-based security (VBS) enabled
  Low churn
  No user or standard user only
  Kernel mode code integrity protected by VBS
  User mode code integrity enforced

Tightly managed (corporate, managed software only)
  Well-defined hardware configurations
  Managed software only
  Ideally standard user only
  Secure Boot restricted to only boot Windows
  Virtualization-based security (VBS) enabled
  Kernel mode code integrity protected by VBS
  User mode code integrity enforced

Corporate lightly managed
  Multiple and varied hardware configurations
  Secure Boot may be restricted to only boot Windows
  User can install “unmanaged” software
  VBS enabled
  KMCI may be protected by VBS
  Code Integrity in audit mode
  Standard or Admin users

Personally owned devices
  Secure Boot not required
  Highly-variable hardware and software
  No VBS
  No enterprise code integrity policy
1. Know your target(s)
2. Use PowerShell cmdlets to create policy from “golden” system(s)
   Defaults to Audit Mode
   Merge multiple policies OR deploy differentiated policies
3. Deploy policy in audit mode and test
4. Use PowerShell cmdlets to create policy from audit log and merge
5. Enable enforcement
New-CIPolicy
Merge-CIPolicy
Set-RuleOption
#Create a ShadowCopy to avoid file locks while scanning the live system
$s1 = (Get-WmiObject -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
$s2 = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $s1.ShadowID }
$d = $s2.DeviceObject + "\"
#Expose the snapshot through a directory symlink so New-CIPolicy can scan it
cmd /c mklink /d C:\scpy "$d"
#Create policy from the current ("golden") system: publisher-level rules, user-mode PEs included
New-CIPolicy -Level PcaCertificate -FilePath C:\IgnitePolicy.xml -ScanPath C:\scpy -UserPEs
#Remove ShadowCopy and the symlink (doubled quotes are PowerShell string escapes; the string is run through Invoke-Expression)
"vssadmin delete shadows /Shadow=""$($s2.ID.ToLower())"" /Quiet" | Invoke-Expression
cmd /c rmdir C:\scpy
#Create policy from audit log events (Code Integrity log entries for files the audit-mode policy would have blocked)
New-CIPolicy -Level PcaCertificate -FilePath C:\AuditPolicy.xml -Audit -UserPEs
#Merge audit policy with other policy/policies
Merge-CIPolicy -OutputFilePath C:\MergedPolicy.xml -PolicyPaths C:\AuditPolicy.xml,C:\IgnitePolicy.xml
#Set policy options, e.g. Audit Mode (option 3); remove it with -Delete when ready to enforce
Set-RuleOption -Option 3 -FilePath C:\MergedPolicy.xml
#Compile policy as binary
ConvertFrom-CIPolicy -XmlFilePath C:\MergedPolicy.xml -BinaryFilePath C:\MergedPolicy.bin
#Install compiled policy
Copy-Item C:\MergedPolicy.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
#Policy takes effect after reboot
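Step 3 of the process is to run the policy in audit mode and look at what it would have blocked before turning on enforcement. The script below is an added example, not part of the Ignite session, that summarises the Code Integrity operational log for that review. It assumes the log name Microsoft-Windows-CodeIntegrity/Operational and event IDs 3076 (audit mode: load allowed but logged) and 3077 (enforced: load blocked); the regex used to pull the file name out of the event message is an assumption about the message wording, so the raw message is kept as a fallback.

```powershell
# Added example (not from the Ignite session): review what an audit-mode
# Device Guard policy would have blocked before enabling enforcement.
# Assumptions: log name and event IDs 3076/3077 as documented for CI policy events.
function Get-CIPolicyAuditSummary {
    param([int]$MaxEvents = 5000)

    $log = 'Microsoft-Windows-CodeIntegrity/Operational'
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3076, 3077 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Host "No CI policy audit/enforcement events found in $log"
        return
    }

    # The message names the file that was loaded (audit) or blocked (enforced).
    # The pattern is an assumption about the wording; fall back to the raw message.
    $rows = foreach ($e in $events) {
        $file = if ($e.Message -match 'attempted to load (\S+)') { $Matches[1] } else { $e.Message }
        [pscustomobject]@{
            Time = $e.TimeCreated
            Mode = if ($e.Id -eq 3076) { 'Audit' } else { 'Enforced' }
            File = $file
        }
    }

    # Group by file: each distinct entry is a binary the golden-system policy
    # does not cover and that step 4 (New-CIPolicy -Audit) would turn into a rule.
    $rows | Group-Object File | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Mode'; e = { ($_.Group.Mode | Select-Object -Unique) -join ',' } }
}

Get-CIPolicyAuditSummary | Format-Table -AutoSize
```

Run it on a test machine after the policy has been in audit mode long enough to see normal workloads; a file that appears here because it is unsigned or from an unexpected publisher is a decision point (sign it, add a rule, or leave it blocked), not something to merge in blindly.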
Just as most malware is unsigned, so too are the vast majority of LOB apps
“Codesigning is hard”
Decentralized LOB app development
Lack of codesigning expertise
Enterprises don’t want to (and shouldn’t) blindly trust all software from an ISV even if signed
Windows 10 includes tools to enable IT to address codesigning for existing apps
Embedded Signature
Catalog Signing
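Before choosing between embedded signing and catalog signing for an existing LOB app, it helps to know which of its binaries are signed at all and by whom. The following is an added example, not from the session, that builds that inventory with Get-AuthenticodeSignature; the folder C:\Apps\Contoso is a placeholder.

```powershell
# Added example (not from the Ignite session): inventory signing state of the
# binaries in a line-of-business application folder. The path is a placeholder.
function Get-LobSigningInventory {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File |
        ForEach-Object {
            # Checks embedded Authenticode signatures and, for catalog-signed
            # files, the installed catalogs.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$inventory = Get-LobSigningInventory -Path 'C:\Apps\Contoso'

# Totals per status. Anything other than Valid will not pass an enforced UMCI
# policy built on publisher rules; HashMismatch means the file no longer matches
# its own signature and is treated as unsigned.
$inventory | Group-Object Status | Select-Object Count, Name

# The files that need an embedded signature or a signed catalog.
$inventory | Where-Object Status -ne 'Valid' | Select-Object File, Status | Format-Table -AutoSize

# Valid signatures grouped by signer: each distinct signer is a candidate
# publisher rule, and each one is a trust decision rather than an automatic allow.
$inventory | Where-Object Status -eq 'Valid' | Group-Object Signer | Select-Object Count, Name
```

The last grouping is the practical counterpart to the point above: a valid signature tells you who published the code, not whether the enterprise wants to trust that publisher, so each signer in that list should be an explicit rule.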
Adopting Code Signing
Raising the bar for what runs in the kernel
Windows 10 drivers must be signed by Microsoft
Strong driver publisher identity verification via Extended Validation (EV) certificates
Enterprises can enforce Windows 10 driver requirements via Device Guard policy
Signed Device Guard CI policy protects from local admin
Signed policy stored in pre-OS secure variable
Requires a newer signed policy to update – cannot be deleted by admin
Becomes a “machine” level policy which means boot from media must be compliant
Measured into the TPM and part of device health attestation
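The steps below turn the merged policy into a signed policy so that a local admin can no longer delete or replace it. This is an added example and not the session's own script; it assumes the policy paths from the earlier script, a code-signing certificate already installed for the signing user (the subject name ContosoDGSigningCert and the public-certificate path are placeholders), signtool.exe on the PATH, and the documented Windows CI policy object identifier 1.3.6.1.4.1.311.79.1.

```powershell
# Added example (not from the Ignite session): produce a signed Device Guard
# CI policy. Certificate name and paths are placeholders.
$PolicyXml   = 'C:\MergedPolicy.xml'
$PolicyBin   = 'C:\MergedPolicy.bin'
$CertPath    = 'C:\Certs\DGPolicySigner.cer'   # public cert of the policy signer (placeholder)
$CertSubject = 'ContosoDGSigningCert'           # subject of the signing cert in the user store (placeholder)

# 1. Add the signer with -Update so a newer policy signed by the same
#    certificate can replace this one later; -Kernel and -User also allow
#    code signed by it, so use a certificate dedicated to policy signing.
Add-SignerRule -FilePath $PolicyXml -CertificatePath $CertPath -Kernel -User -Update

# 2. Remove option 6 ("Enabled:Unsigned System Integrity Policy") so the OS
#    rejects unsigned policies from now on.
Set-RuleOption -FilePath $PolicyXml -Option 6 -Delete

# 3. Compile, then sign. signtool writes a detached PKCS#7 next to the input
#    (MergedPolicy.bin.p7); the OID marks it as a Windows CI policy.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
& signtool.exe sign -v /n $CertSubject -p7 'C:\' -p7co '1.3.6.1.4.1.311.79.1' -fd sha256 $PolicyBin

# 4. Install the signed blob as SIPolicy.p7b; it takes effect after reboot.
#    Keep the XML and the signing certificate safe: once a signed policy is in
#    place, only a newer policy signed by an allowed update signer can change it,
#    and boot media must satisfy the same policy.
Copy-Item "$PolicyBin.p7" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
```

Test the signed policy on a machine you can recover (the policy is stored in a pre-OS secure variable and an admin cannot remove it), and only then roll it out, since a mistake in the update-signer rule locks the fleet to whatever is in that policy.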
Together, AppLocker and code integrity are the basis for enforcing code and application rules on Windows
Think of code integrity as the bouncer at the door, and AppLocker as the bartender
Code integrity best expresses high level expression of trust
AppLocker allows for granular rules
Managed through common management tools in Windows 10
Service whitelisting for managing non-interactive processes
AppLocker management now available via MDM and WMI
Provides a new trust boundary for system software
Leverage platform virtualization to enhance platform security
Limit access to high-value security assets from supervisor mode (CPL0) code
Provides a secure execution environment to enable:
Protected storage and management of platform security assets
Enhanced OS protection against attacks (including attacks from kernel-mode)
A basis for strengthening protections of guest VM secrets from the host OS
Windows 10 services protected with virtualization based security
LSA Credential Isolation
vTPM (server only)
Kernel Mode Code Integrity
Diagram: kernel without VBS (reconstructed from the slide)
  Host OS / Normal World: User; Kernel, where Malware sits alongside KMCI (speech bubble: “Howdy Peer! I thought we could be friends”)
  Firmware (UEFI)
  Hardware (TPM 2.0, Vt-x2, IOMMU)

Diagram: kernel with VBS (reconstructed from the slide)
  Host OS / Normal World: User; Kernel (Malware)
  Secure World (Measured): KMCI, separated from the Normal World kernel by a Hardened Boundary
  Hypervisor
  Firmware (UEFI)
  Hardware (TPM 2.0, Vt-x2, IOMMU)
CI rules are still enforced even if a vulnerability allows unauthorized kernel mode memory access
Memory pages are only marked executable if CI validation succeeds
Kernel memory cannot be marked both writable and executable
BUT… not all drivers will be compatible initially
Device Guard “capable”
Device Guard “ready” PCs
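To tell a Device Guard “capable” PC (the hardware features are present but nothing is turned on) from one where VBS, VBS-protected KMCI and a CI policy are actually running, Windows exposes the state through WMI. The script below is an added example, not from the session; it reads the Win32_DeviceGuard class in root\Microsoft\Windows\DeviceGuard and decodes its numeric fields using the documented meanings, which are stated as assumptions in the code.

```powershell
# Added example (not from the Ignite session): report Device Guard / VBS state.
# Numeric encodings below follow the Win32_DeviceGuard documentation (assumption).
function Get-DeviceGuardState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ciStatus  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $services  = @{ 1 = 'Credential Guard (LSA isolation)'; 2 = 'Hypervisor enforced Code Integrity (KMCI in VBS)' }

    [pscustomobject]@{
        VBS                    = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured     = ($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] }) -join '; '
        ServicesRunning        = ($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] }) -join '; '
        KernelModeCIPolicy     = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCIPolicy       = $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        # Platform properties reported as codes (assumed: 1 = hypervisor support,
        # 2 = Secure Boot, 3 = DMA protection); Available vs Required shows what
        # the hardware offers against what the configured policy insists on.
        AvailableHardwareProps = ($dg.AvailableSecurityProperties -join ',')
        RequiredHardwareProps  = ($dg.RequiredSecurityProperties -join ',')
    }
}

$state = Get-DeviceGuardState
$state | Format-List

# Map the result back to the device profiles: a policy in Audit with HVCI not
# running is the "lightly managed" shape; Enforced with HVCI running is the
# tightly managed one. Flag the case where KMCI is still inside the normal kernel.
if ($state.ServicesRunning -notmatch 'Hypervisor') {
    'KMCI is not protected by VBS: kernel-mode code can still tamper with code integrity'
}
```

Run it before and after changing the policy or the VBS settings; a device that reports VBS Running but no services running usually points at a driver or firmware incompatibility of the kind noted above, which is why the rollout starts in audit mode.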
http://myignite.microsoft.com