This week Microsoft apparently dragged Windows into the era of Advanced persistent Threats (APTs) with a newly-announced technology called Device Guard that will form a fundamental security layer in Windows 10.
Microsoft’s description is pretty vague in places but so far we know this. Device Guard is intended to stop any application that has not been digitally signed by a software vendor, the organisation in question (i.e. an enterprise) or the Windows App Store from running on a Windows 10 system.
The next bit in its blog announcement is interesting.
“Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege.”
Limitations? Microsoft admits it won’t cover just-in-time (JiT) compiled programs such as Java which is a pretty big blind spot but let’s assume the cup is still more than half full. A more significant question is what happens to legacy apps (i.e. almost everything currently running) that have not been signed or to apps that are not approved.
According to Microsoft, a tool will be provided to make it possible to sign Win32 apps that weren’t signed (presumably by stamping them with the organisation’s own certificate) without elaborating on how onerous this will be for IT departments. Certainly, working out which apps are worth signing and which aren’t is going present a headache.
When the user tries to run some sort of non-approved app will the fact that it doesn’t run consume helpdesk time? Probably.
There’s always the issue of leeway. If they need the app to run and it isn’t signed presumably there will be a dialogue choice to get around that which at first sounds suspiciously like User Account Control (UAC), the Vista technology that was supposed to present users with a rational choice as to whether to elevate an application’s privilege level.
It worked a for a bit but a few months after introduction it was a paper-thin layer of security against the malware of the time which could simply socially engineer its way around the user thought process.
It’s unlikely that Microsoft will fall into that trap again – expect Device Guard to tie into Active Directory policies in some way so that the user can’t simply do something stupid.
Meanwhile, in Microsoft’s description, installed anti-virus software will lean on Device Guard as part of its protection. How this will work with consumer PCs, if at all, is not clear but don’t get your hopes up.
Device Guard isn’t the only new security technology Windows 10 will debut with the rather twee-sounding Microsoft Hello biometric authentication (integrated with Passport) also part of the next version. But these new security layers hold out the promise that Windows 10 will be a lot more than a cosmetic fix for the Windows 8 mix-up.