MICROSOFT_PRESS_EBOOK_INTRODUCING_WINDOWS_10
Locking down enterprise PCs with Device Guard

Device Guard is a new feature that allows IT pros to lock down a device so tightly that it is incapable of running untrusted software, effectively neutering any attacker or exploit that works by convincing users to run a malicious program. In this configuration, the only programs allowed to run are those that are trusted, and even programs that bypass other security layers by exploiting a zero-day vulnerability are thwarted.

Even if an attacker manages to take over the Windows kernel, that person still won't be able to run malicious or unknown executable code, thanks to a key architectural feature of Device Guard. The trust decision for any application is performed using Windows Code Integrity services, which run in Virtual Secure Mode, a Hyper-V protected container that runs alongside Windows. This service makes trust decisions based on signatures that are protected by the UEFI firmware and by antitampering features.
To deploy Device Guard, your hardware and software must meet the following requirements:

■ The device must be running Windows 10 Enterprise.
■ The UEFI firmware must be version 2.3.1 or higher, with Secure Boot enabled and a secure firmware update process. For additional security against physical attacks, Microsoft recommends locking firmware setup to prevent changes in UEFI settings and to block startup using other operating systems.
■ Virtualization-based security features require Hyper-V, which runs only on 64-bit PCs that support Intel VT-x or AMD-V virtualization extensions and Second Level Address Translation.
■ A VT-d or AMD-Vi input/output memory management unit is required to provide additional protection against memory attacks.
■ A Trusted Platform Module is optional, but highly recommended.
In addition to enabling Hyper-V, you must also enable the Isolated User Mode feature, as shown in Figure 5-3.

FIGURE 5-3 Enabling the Isolated User Mode feature is a prerequisite to configuring Device Guard mode.
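As an added readiness check (not part of the book), the following PowerShell function reports each prerequisite listed above, plus the Isolated User Mode feature from Figure 5-3, as True/False. It assumes an elevated session on the candidate PC and the Windows 10 feature and WMI class names of that era; the "IsolatedUserMode" feature name is taken from Figure 5-3 and may not exist on later builds.

```powershell
# Added readiness check, not from the book. Reports each Device Guard prerequisite
# listed above as True/False. Run in an elevated PowerShell session on the PC.
# Assumption: the optional-feature name "IsolatedUserMode" is the one shown in
# Figure 5-3 (early Windows 10 builds); later builds fold it into the core OS.
function Test-DeviceGuardReadiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # TPM is optional but recommended; Get-Tpm fails when no TPM is present.
    $tpmReady = $false
    try { $tpmReady = (Get-Tpm).TpmReady } catch { }

    # Windows features that virtualization-based security depends on.
    $hyperV = (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State -eq 'Enabled'
    $ium = $false
    try {
        $ium = (Get-WindowsOptionalFeature -Online -FeatureName IsolatedUserMode `
                    -ErrorAction Stop).State -eq 'Enabled'
    } catch { }

    # Win32_DeviceGuard reports what the platform offers. In AvailableSecurityProperties,
    # 3 = DMA protection (an IOMMU such as VT-d or AMD-Vi). VirtualizationBasedSecurityStatus
    # 2 = VBS running. The UEFI spec version (2.3.1 requirement) is not exposed here;
    # check it against the firmware vendor's documentation.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    [PSCustomObject]@{
        EnterpriseEdition  = [bool]($os.Caption -match 'Enterprise')
        Is64Bit            = [bool]($os.OSArchitecture -like '64*')
        VirtualizationInFw = [bool]$cpu.VirtualizationFirmwareEnabled   # VT-x / AMD-V enabled
        SLAT               = [bool]$cpu.SecondLevelAddressTranslationExtensions
        SecureBootEnabled  = [bool]$secureBoot
        IommuDmaProtection = [bool]($dg.AvailableSecurityProperties -contains 3)
        HyperVEnabled      = [bool]$hyperV
        IsolatedUserMode   = [bool]$ium
        TpmReady           = [bool]$tpmReady                               # optional
        VbsRunning         = [bool]($dg.VirtualizationBasedSecurityStatus -eq 2)
    }
}

Test-DeviceGuardReadiness | Format-List
```

Any False line other than TpmReady names a prerequisite from the list above that still needs attention before Device Guard can be configured.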
62 CHAPTER 5 Security and privacy in Windows 10