The Windows 10 roadmap provides in-depth details on Device Guard and Credential Guard
Microsoft’s recently published Windows 10 roadmap describes business-oriented features that have just been made available or that will arrive in the near future. Although this roadmap contains information about some features that will be brand new, if you dig a little deeper you’ll find lots of valuable details on existing Windows features you may not know much about. For instance, I found some detailed information—including deployment guides—on two Windows security technologies I wasn’t all that familiar with: Device Guard and Credential Guard. The level of expertise and detail that I found on these two technologies is just too good to leave alone. I had to spread the word to TechRepublic readers. Let’s take a closer look.
Before we get started, it’s important to point out that both Device Guard and Credential Guard require the Enterprise edition of Windows 10, which of course implies that these features are intended for large organizations.
The Device Guard feature allows you to lock down Windows 10 Enterprise so it will run only the software your organization deems as trusted. This includes traditional desktop applications and Windows apps, either from the Windows Store or those developed in-house. Microsoft describes Device Guard this way:
“Device Guard on Windows 10 puts you in control of your environment—and a step ahead of malware—with rigorous access controls that help protect the Windows system core and prevent untrusted apps and executables from starting. With it, you can lock down devices, granting access only to apps from trusted sources. Device Guard uses hardware-based isolation and virtualization to protect itself and the Windows system core from vulnerability and zero-day exploits. Its Hyper-V Code Integrity Service feature enforces best practices for running drivers and other software at the highest level of privilege.”
If you follow the Learn More link, you’ll find a brief article titled Device Guard overview, written by Brian Lich, who is a senior content developer at Microsoft. In this overview article, he provides general information about why you would want to use Device Guard, outlines how it works, and includes details on the hardware and software requirements. This information is presented in a series of brief paragraphs and bullet points that will give you a good idea of what Device Guard is all about.
Follow the link to the Device Guard deployment guide, and you’ll find an article that covers Device Guard in great detail. It offers a much more in-depth introduction to Device Guard, along with planning guides, deployment scenarios, hardware considerations, and step-by-step instructions on enabling UEFI Secure Boot, configuring Group Policy, and much more.
The Credential Guard feature is designed to provide a secure method of protecting your Windows credentials. Microsoft describes Credential Guard this way:
“While Microsoft Passport and Windows Hello strengthen and protect user credentials, Credential Guard takes the next step and protects the user access tokens that are generated once your users have been authenticated. With these tokens, an attacker could access your resources by effectively impersonating a user’s identity. Credential Guard stores user access tokens within a virtualization-based security environment running on Hyper-V, away from the Windows 10 kernel. So even if a device is compromised, the credentials are not available to the attacker. This helps safeguard you from Pass-the-Hash and other advanced persistent attacks. Isolating security credentials from malware also helps prevent one infected machine from damaging others running in the same datacenter. Credential Guard can be enabled using Group Policy, making it easy to administer using your existing management tools.”
The Learn More link will take you to an outline titled What’s new in Credential Guard? (also written by Brian Lich). This overview briefly explains that credentials that are stored with Credential Manager, including domain credentials, are protected by Credential Guard’s virtualization-based security. This isolates your credentials so that only privileged system software can access them. Again, there’s a link to a detailed article, titled Protect derived domain credentials with Credential Guard. This article covers considerations you should take into account and offers step-by-step instructions on Group Policy settings and deploying machine certificates and authentication policies. You’ll even find a couple of PowerShell scripts that will assist you with issuance policies.
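Once the Group Policy settings for either feature are in place, it is worth confirming on each machine that virtualization-based security actually started. The following PowerShell is an added example, not taken from this article or from Microsoft's guides: it reads the Win32_DeviceGuard CIM class and reports whether Credential Guard and hypervisor-enforced code integrity are running. The helper name Get-GuardStatus and the sample object are constructed for illustration.

```powershell
# Added example. Value meanings follow the Win32_DeviceGuard CIM class.
$VbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
$CiText  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
$Service = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity' }

function Get-GuardStatus {
    # Hypothetical helper: turns one Win32_DeviceGuard instance into a readable report.
    param([Parameter(Mandatory)] $DeviceGuard)

    $configured = @($DeviceGuard.SecurityServicesConfigured)
    $running    = @($DeviceGuard.SecurityServicesRunning)

    # A service that policy configured but that is not running is the case to chase.
    $gaps = foreach ($id in $Service.Keys) {
        if (($configured -contains $id) -and ($running -notcontains $id)) { $Service[$id] }
    }

    $ci = $DeviceGuard.CodeIntegrityPolicyEnforcementStatus
    [pscustomobject]@{
        VirtualizationBasedSecurity = $VbsText[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning      = $running -contains 1
        HvciRunning                 = $running -contains 2
        CodeIntegrityPolicy         = if ($null -eq $ci) { 'Not reported' } else { $CiText[[int]$ci] }
        ConfiguredButNotRunning     = @($gaps)
    }
}

# Constructed sample: policy asks for both services, but VBS has not started.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus    = 1
    SecurityServicesConfigured           = @(1, 2)
    SecurityServicesRunning              = @(0)
    CodeIntegrityPolicyEnforcementStatus = 1
}

# Query the local machine; fall back to the sample where the class is unavailable.
$live = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($live) { Get-GuardStatus -DeviceGuard $live } else { Get-GuardStatus -DeviceGuard $sample }
```

For the sample object the report shows "Enabled, not running" with both services listed under ConfiguredButNotRunning, which is the state to look for across a fleet after a policy rollout.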
What’s your take?
Device Guard and Credential Guard are powerful security features that come with the Enterprise edition of Windows 10. If you check out the Microsoft articles discussed here, you’ll have a leg up should you decide to employ these features in your organization.
Are you thinking about taking advantage of either Device Guard or Credential Guard? Share your thoughts and experiences with fellow TechRepublic members.