Managing Windows Defender Device Guard in Windows desktops
IT pros must understand how Windows Defender Device Guard uses a locked-down approach to desktop security and how this method could cause compatibility issues and headaches for IT.
Desktop security is a major concern for enterprise IT, but traditional antivirus and antimalware tools can't always keep pace with thousands of new and untested files or applications that can reach a system each day.
With Windows Defender Device Guard's approach to desktop security, desktops function as closed systems that run only preapproved code, effectively an application whitelist. The native Windows Defender Device Guard in Windows 10 helps IT accomplish this goal and other critical security tasks.
What is Windows Defender Device Guard?
Device Guard in Windows 10 starts at the hardware level, using virtualization-based security (VBS) and hypervisor-enforced code integrity (HVCI) together with firmware, hardware security and Secure Boot features. For example, Device Guard relies on Unified Extensible Firmware Interface (UEFI) firmware -- today's successor to the BIOS -- which can lock down a computer through features such as boot order, boot entries, Secure Boot, control over virtualization extensions and other firmware settings.
In addition, Device Guard uses Trusted Platform Module (TPM) 2.0 technology, which authenticates the specific hardware system. IT pros must ensure their desktops have suitable UEFI firmware, a TPM and HVCI-compliant drivers, whose memory is protected so that malicious actors can't alter it.
Once IT pros enable the capabilities of Device Guard in Windows 10, they can set code integrity policies, enforced by the Windows kernel, that restrict systems to running only authorized applications. The policy itself is protected by digital signing, making it almost impossible for an attacker to change the policy and successfully open a system to attack.
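As an added example (not code from the article or from Microsoft), the following PowerShell builds such a code integrity policy from a reference machine, starts it in audit mode so nothing is blocked yet, and stages the binary form where the kernel reads it. It assumes an elevated session on Windows 10 with the ConfigCI module; the C:\CIPolicy paths are hypothetical.

```powershell
# Added example: build a code integrity policy from a reference image,
# start it in audit mode, and stage the binary for the kernel.
# Assumes elevated PowerShell on Windows 10 with the ConfigCI module.
$PolicyXml = 'C:\CIPolicy\ReferencePolicy.xml'   # hypothetical path
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'          # hypothetical path
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# Scan the reference image. -Level Publisher trusts code by its signing
# publisher; -Fallback Hash covers unsigned binaries found during the scan;
# -UserPEs includes user-mode executables, not only kernel drivers.
New-CIPolicy -ScanPath 'C:\' -Level Publisher -Fallback Hash `
    -UserPEs -FilePath $PolicyXml

# Rule options are set by number. Option 3 (Enabled:Audit Mode) logs
# violations instead of blocking them; option 0 (Enabled:UMCI) makes the
# policy cover applications as well as drivers.
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 0

# Option 6 (Enabled:Unsigned System Integrity Policy) is for testing only.
# Before production, remove it with -Delete and sign the .p7b with the
# organization's code-signing certificate so the policy cannot be replaced.
Set-RuleOption -FilePath $PolicyXml -Option 6

# Convert the XML to the binary form the kernel's code integrity engine reads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Stage it where Windows looks for a single code integrity policy; a reboot
# activates it. Group Policy or MDM can distribute the same file fleet-wide.
Copy-Item -Path $PolicyBin `
    -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" -Force
```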
With the release of Windows 10 version 1709, Windows Defender Device Guard has been divided into two tools called Windows Defender Exploit Guard and Windows Defender Application Control. Windows Defender Exploit Guard is largely responsible for the low-level hardware protections including the use of UEFI, Secure Boot and TPM. Windows Defender Application Control sets the policy that controls what code can run on the system in kernel and user mode. For the purposes of this article, both tools will be referred to as Windows Defender Device Guard.
What does Device Guard in Windows 10 protect against?
Windows Defender Device Guard uses a combination of hardware and software policies to lock down desktops so they can only run trusted applications, defined by an organization's code integrity policy. When IT limits the desktop to only run known and trusted software, it doesn't have to rely on antimalware tools as much.
A secondary benefit of Device Guard in Windows desktops is to enhance an organization's compliance and business continuity posture. With Device Guard in place, organizations can ensure that all the code allowed on any given desktop meets their standards. This management practice can complement an organization's change control mechanisms and alert administrators if anyone attempts to run disallowed code, whether a user or an outside malicious actor.
Like most policies, however, a code integrity policy is not a one-time effort. Organizations are always testing, developing and deploying new applications, and existing application developers are constantly patching, updating and upgrading their apps. An organization that implements Device Guard in Windows desktops must revisit the code integrity policy on a frequent basis to ensure that users can access the latest and best versions of applications.
What are the best practices for using Windows Defender Device Guard?
Employing Windows Defender Device Guard features is not as easy as it might seem. Establishing application permissions through a suitable code integrity policy requires some validation and regular updating of the policy, which can take a massive amount of effort.
When organizations rely on code-locked desktops to police their own security, any desktop that is not locked down leaves a significant gap in the organization's overall desktop security. This makes Device Guard an all-or-nothing proposition, and that can be difficult to enforce with legacy systems that don't meet the requirements for Device Guard or with BYOD devices that IT can't directly control. Therefore, the Device Guard system lockdown approach won't be as effective for organizations that rely on BYOD, mobile devices accessing corporate resources, and legacy or otherwise unsupported systems that Device Guard can't manage.
Windows Defender Device Guard features impose a set of system hardware requirements on the processor, the firmware type and its minimum version. They also require a TPM. While the requirements are not particularly exotic or expensive, they are not necessarily available on every computer -- especially endpoints such as PCs -- so IT may have trouble providing Device Guard support.
Tools such as Microsoft's Device Guard and Credential Guard hardware readiness tool can help by running a PowerShell script to check for hardware compatibility and enable Device Guard in Windows desktops. Organizations that adopt a uniform system lockdown policy, however, are usually better served by standardized computer hardware that supports Device Guard from the start. Under a standardized hardware policy, every employee receives the same PC or laptop model, which supports Device Guard.
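For a quick inventory before running the readiness tool, the following added example (not Microsoft's script) reads the same platform signals from the Win32_DeviceGuard WMI class, Confirm-SecureBootUEFI and Get-Tpm. It assumes an elevated PowerShell session on Windows 10; the function name is the author's own.

```powershell
# Added example: report whether a desktop meets the Device Guard baseline
# (UEFI Secure Boot, a ready TPM, and whether VBS/HVCI and the code
# integrity policy are running). Assumes elevated PowerShell on Windows 10.
function Get-DeviceGuardReadiness {
    # The DeviceGuard WMI class lists the VBS/HVCI features the platform
    # offers and which ones are actually running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM boot; treat that as "no".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    $tpm = Get-Tpm

    [pscustomobject]@{
        UefiSecureBoot      = [bool]$secureBoot
        TpmPresentAndReady  = ($tpm.TpmPresent -and $tpm.TpmReady)
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
        VbsRunning          = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        HvciRunning         = ($dg.SecurityServicesRunning -contains 2)
        # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
        CodeIntegrityMode   = @('Off', 'Audit', 'Enforced')[$dg.CodeIntegrityPolicyEnforcementStatus]
        # Raw list of platform capabilities (hypervisor, Secure Boot, DMA
        # protection, ...) for comparison against the readiness tool's output.
        AvailableProperties = $dg.AvailableSecurityProperties
    }
}

$readiness = Get-DeviceGuardReadiness
$readiness | Format-List
if (-not ($readiness.UefiSecureBoot -and $readiness.TpmPresentAndReady)) {
    Write-Warning 'This machine does not meet the firmware/TPM baseline for Device Guard.'
}
```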
IT must also understand the desktop applications its users need; IT must determine which applications are permitted on a business device before pursuing a system lockdown strategy. For example, some applications could cause trouble for IT's lockdown strategy if they load DLLs, run automatic updates or install other software. IT professionals must come up with a clear policy and process to update the code integrity policy on a regular basis and ensure that users can access the latest and most effective applications in a timely manner.
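One way to run that update process, as an added example (not code from the article or from Microsoft): review what audit mode would have blocked, fold the legitimate additions into the existing policy with Merge-CIPolicy, then switch the merged policy to enforcement. It assumes elevated PowerShell, a base policy XML from an earlier build, and hypothetical C:\CIPolicy paths.

```powershell
# Added example: update an existing code integrity policy from audit-mode
# events and redeploy it in enforcement mode. Assumes elevated PowerShell;
# the base policy and all paths below are hypothetical.
$BasePolicy   = 'C:\CIPolicy\ReferencePolicy.xml'
$AuditPolicy  = 'C:\CIPolicy\AuditAdditions.xml'
$MergedPolicy = 'C:\CIPolicy\MergedPolicy.xml'
$PolicyBin    = 'C:\CIPolicy\SIPolicy.p7b'

# Event 3076 is logged in audit mode for each file the policy would have
# denied. Review the list before trusting it: an unexpected entry may be
# unwanted code probing the desktop, not a missing business application.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
} -MaxEvents 50 | Select-Object TimeCreated, Message | Format-Table -Wrap

# -Audit builds a policy from those audit events instead of a disk scan,
# so only the files actually observed on this desktop are added.
New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath $AuditPolicy

# Merge the additions into the base policy. Rules are combined; the rule
# options are taken from the first policy listed.
Merge-CIPolicy -PolicyPaths $BasePolicy, $AuditPolicy -OutputFilePath $MergedPolicy

# Once the merged policy has been validated, remove audit mode (option 3)
# so it enforces. Option 10 (Enabled:Boot Audit On Failure) falls back to
# audit if the policy would block a boot-critical driver, which protects
# against locking a machine out with a bad update.
Set-RuleOption -FilePath $MergedPolicy -Option 3 -Delete
Set-RuleOption -FilePath $MergedPolicy -Option 10

ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin `
    -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" -Force
```

In production the refreshed .p7b should be signed before deployment, and a move from audit to enforcement is best piloted on a small group of desktops first.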