Device Guard Internet of Things Security & Identification Security Blog

Enterprise Security – Plan For & Get Started With Device Guard

Windows Device Guard

We received a lot of feedback from small and medium sized enterprise (SME) customers who are looking for ways to protect company-owned PCs, laptops and other machines against the increasing number of threats in the interconnected security landscape. Therefore we recently published an article on Windows Device Guard and the powerful features of Microsoft’s security tool. In this post we will take a look at the effort required to implement and make use of Device Guard.

Modern attacks are an increasing concern for SMEs: they are often highly sophisticated and focused on revenue generation, intellectual property theft and targeted system degradation, all of which result in financial loss.
The basic concept of Device Guard offers a huge advantage over other security solutions, as it works much like the model used on mobile devices rather than the one used on PCs. Conventional anti-malware is “reactive”: such tools first need to detect an infection in order to react and alert the user. In this model the malicious application is already running, and damage can be done before the user is able to intervene.

In the Device Guard model an app must be signed and trusted, or it is not allowed to run at all; this is what makes the model “preventive”.

The drawback of this concept is that it is only suited for certain categories of devices. Therefore companies that want to examine if Device Guard is a good solution for their business should start by grouping devices in those categories.

Device Guard will work best on fixed-workload devices which run a list of approved applications that rarely change. Examples are kiosks, point-of-sale systems and call centre PCs. On those devices all features of Device Guard can be deployed with low device-management effort required from the IT department.

Devices like locked-down, company-owned desktops and laptops can be categorised as fully-managed devices. On those the IT department restricts the software that is installed and run, but allows users to request installation of additional software or provides a list of approved software in an application catalog. For this category Device Guard needs more management effort; however, it is a highly effective and cost-efficient solution, and all features of the tool can be used (depending on the hardware).

On lightly-managed devices users retain full control, which restricts the benefits of Device Guard to Kernel-Mode Code Integrity (KMCI) protected by virtualisation-based security (VBS) and a User-Mode Code Integrity (UMCI) policy in audit mode.

For “bring your own devices” Device Guard is not a good fit as using Device Guard features would restrict the users from using all features of their PCs outside of work.

If you are able to assign most or all of the devices within your company to the first two categories and are considering integrating Device Guard into your enterprise security strategy, you will need to create a plan for how to get started and how to manage applications in the future.

Device Guard should not be introduced overnight but instead be carefully implemented into the business step by step. This process should involve all affected employees on the user and IT side in order to help them take full advantage of the solution.

By categorising your devices you have already tackled the first step. Next you will need to set up a code integrity policy. To accomplish this, think about which software and applications are needed by your departments and how many devices you will need to protect. In this process you need to outline which users only need a fixed set of software and who needs additional privileges.

After you have grouped the devices you will need to set up a code integrity policy for each group (similar to the way you would manage corporate images). This is achieved through “golden PCs”, which you set up for every group and which mimic the software and hardware those individual groups require. You create your policies based on these PCs and can either merge them into one master policy or manage them separately.

The best way to test your code integrity policy prior to enforcement is in audit mode. This allows administrators to run the code integrity policy on a system without actually blocking anything. Instead of preventing apps from running, an event is logged for each exception to the policy, which enables you to identify issues that were not discovered during the initial scan. The audit events can be merged directly into your existing code integrity policy.

As soon as your code integrity policy is established you will need to assess which currently unsigned applications need to be signed in order to run on your devices. By using catalogue files you are able to sign applications that do not currently possess digitally signed binaries, or applications to which a customer wants to add a secondary signature (editor’s note: we will follow up on how apps can be signed in a separate post in order to keep this one short and simple).

As soon as all required applications are signed you are all set to roll out and deploy your code integrity policies and catalog files. It is recommended that you introduce them in phases by starting with test groups in order to be able to make final adjustments if required.
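The policy lifecycle described in the steps above (golden PC scan, audit mode, reviewing and merging audit events, then enforcement), as an added PowerShell example that is not part of the original post. It uses the ConfigCI module cmdlets shipped with Windows 10 Enterprise; the group name and all file paths are assumptions.

```powershell
# Added example (not from the original post): Device Guard code integrity
# policy lifecycle for one device group, run on that group's "golden PC".
# The group name and the working directory are assumed values.
$Group = 'POS-Terminals'
$Work  = "C:\CIPolicy\$Group"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Initial scan of the golden PC. -Level Publisher trusts the signer of each
#    binary, -Fallback Hash covers unsigned files, and -UserPEs includes
#    user-mode binaries so the policy covers UMCI as well as kernel-mode code.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\' -FilePath "$Work\InitialScan.xml"

# 2. Enable audit mode (rule option 3): nothing is blocked, exceptions are
#    only logged. Convert to the binary form Windows loads.
Set-RuleOption -FilePath "$Work\InitialScan.xml" -Option 3
ConvertFrom-CIPolicy -XmlFilePath "$Work\InitialScan.xml" `
    -BinaryFilePath "$Work\SIPolicy.p7b"
# Copy SIPolicy.p7b to C:\Windows\System32\CodeIntegrity\ on the test group
# and let the group run its normal workload before continuing.

# 3. Review what would have been blocked. Event ID 3076 in the CodeIntegrity
#    operational log is the audit-mode "would have been blocked" event.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' |
    Where-Object { $_.Id -eq 3076 } |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap

# 4. Build a policy from the audit events and merge it into the initial scan,
#    so legitimate software the scan missed becomes allowed.
New-CIPolicy -Audit -Level Hash -UserPEs -FilePath "$Work\AuditEvents.xml"
Merge-CIPolicy -PolicyPaths "$Work\InitialScan.xml", "$Work\AuditEvents.xml" `
    -OutputFilePath "$Work\Merged.xml"

# 5. Only once the audit log stays clean for the group: remove audit mode so
#    the policy is enforced, convert again, and roll out in phases.
Set-RuleOption -FilePath "$Work\Merged.xml" -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath "$Work\Merged.xml" `
    -BinaryFilePath "$Work\SIPolicy.p7b"
```

Repeat step 3 on the enforced policy with event ID 3077 (the enforced-mode block event) to catch anything still being blocked after rollout.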

Besides preparing the software features you will further need to consider the hardware of your devices in order to use the full potential of Device Guard. Hardware-based security features can significantly increase protection and provide complementary functionality. You should align your requirements with your hardware life cycle and determine the best-suited hardware replacements for your organisation prior to your next upgrade.

Fixed-workload devices which protect highly sensitive data, like ATMs, should be upgraded with suitable hardware immediately in order to leverage advanced hardware features such as CPU virtualization extensions, input/output memory management units (IOMMUs), a Trusted Platform Module (TPM) and second-level address translation (SLAT), which together offer comprehensive modern security.

In conclusion, Windows Device Guard is a great tool to improve system integrity and security using both hardware and software features. Considering the high impact of this solution and its preventive approach, the expenses are definitely acceptable and will help to protect your business very effectively.

We will take a look at the hardware components and their benefits in another article on the matter. In order to get detailed instructions for the development of code integrity policies, the creation of catalogue files and how to manage applications refer to the Device Guard deployment guide here.

For hardware support and help with the development of secure applications feel free to get in touch with EBV here.