Microsoft's 'anti-malware Device Guard' in Windows 10: How it works, what you need
Redmond unbuttons shirt to reveal more detail on hypervisor-based tech
Microsoft has published a technical guide to its new Device Guard features in Windows 10 – including how to configure the anti-malware technology, and what hardware you'll need to use it.
We first learned of Device Guard in April at the RSA 2015 conference in San Francisco, and then a month later a little more info was teased out. Back then, it appeared the tech involved sticking critical parts of the operating system into a hardware-protected zone that is fenced off from applications and the rest of the Windows OS.
That zone is guarded by the IOMMU and other mechanisms in the computer's processor that ensures kernel-level drivers and other privileged code, as well as devices plugged into the machine, cannot interfere with these vital parts of the OS – the parts that verify an app is legit before it is run, for instance. The IOMMU works by locking down what hardware can touch in the system memory, preventing malicious drivers and devices from meddling with the OS and apps. Ultimately, it shuts down a route into the lowest levels of the operating system by malware and its masters.
Microsoft has confirmed, or rather, gone into length about how Device Guard is supposed to work. "The same type-1 hypervisor technology that is used to run virtual machines in Microsoft Hyper-V is used to isolate core Windows services into a virtualization-based, protected container," the TechNet article, quietly published at the end of last week, explained.
"This isolation removes the vulnerability of these services from both the user and kernel modes and acts as an impenetrable barrier for most malware used today."
In other words, Microsoft has moved the bits of Windows that check whether or not drivers and kernel-level code are legit into a container that malware (in theory) cannot reach. That means even if (or when) a software nasty manages to get into the Windows operating system, it shouldn't be able to crack this final layer of protection. With that in mind, all the other features of Device Guard can be built on this foundation, we're told.
Device Guard is aimed at enterprises and other large organizations, and parts of it looks like the protection mechanisms in Windows RT and Windows Phone with the serial numbers filed off. Tablets and smartphones running Windows RT and Phone are locked down in that only code cryptographically signed by Microsoft or your IT department is allowed to run. Now that's been popped into Windows 10.
"Historically, UMCI [user mode code integrity] has been available only in Windows RT and on Windows Phone devices, which has made it difficult for these devices to be infected with viruses and malware," the TechNet piece claims.
"In Windows 10, these same successful UMCI standards are available. Historically, most malware has been unsigned. By simply deploying code integrity policies, organizations will immediately protect themselves against unsigned malware, which is estimated to be responsible for more than 95 percent of current attacks."
Crucially, it optionally turns your work PC into an Apple-like mobile phone, which can only run vetted software:
By using code integrity policies, an enterprise can select exactly which binaries are allowed to run in both user mode and kernel mode, from the signer to the hash level. When completely enforced, it makes user mode in Windows function like a mobile phone, by allowing only specific applications or specific signatures to be trusted and run.
This code integrity stuff is configurable, we're told: businesses can sign their own software without having to change it, and sign outside trusted apps. The code integrity can run separate from Device Guard, but Microsoft hopes you'll use them together.
There's also a mechanism called Credential Guard that stores domain credentials "within the virtualized container, away from both the kernel and user mode operating system. This makes it difficult for even a compromised system to obtain access to the credentials."
To use the hypervisor-level protections, you'll need a processor with virtualization extensions – such as Intel VT-x and AMD-V – and SLAT support, and ideally a processor that has an IOMMU, such as Intel VT-d and AMD-IOV.
Screenshots showing how to configure Device Guard, and plenty of other reading material, can be found on TechNet. ®
It's worth mentioning that Device Guard, especially its hypervisor approach, reminds this humble hack of Qubes OS – a project that uses the Xen hypervisor to split a system into lots of lightweight virtual machines – one for your internet banking, one for playing games, etc – and then separate VMs to control the network, storage, GUI and so on. If one container is compromised, the rest of the machine should be protected, in theory. It's not quite the same as Windows 10's Device Guard, but it's interesting to see where virtualization is going for personal computers – not just for carving up servers.