
Windows Device Guard – Putting Hard- & Software Security Technology To Use

Windows Device Guard & TPM

Security hardware and software go hand in hand these days. Sure, for some less important things, ensuring privacy by using software alone will be sufficient, but when it comes to enterprise-level sensitive information you really need to throw some physical components into the mix to get a good result.

One of the main challenges for IT departments is to keep the devices and computers of employees and within the company safe and in order. To do so, control over which applications can run and which can’t is essential. With Windows Device Guard and TPM hardware you can now lock out malicious files more efficiently and more easily than ever before. It’s even good enough to be applied in devices that need advanced security solutions, such as ATMs.

In order to provide you with a comprehensive overview of the technologies behind this powerful tool, we will take a closer look at Device Guard itself in this blog and follow up with detailed articles on the role of the TPM hardware as well as some use cases and examples.

Basically, Device Guard combines software and hardware security features which can be configured in order to lock down a device so that it can only run trusted applications. Protection goes even further, as even if an attacker manages to get control of the Windows kernel, it is unlikely that malicious executable code will run after the computer restarts.

Let’s dive into how Device Guard restricts the Windows 10 Enterprise operating system to only run code that is signed by trusted signers. Device Guard is made up of three major ingredients: hardware security, configurable code integrity and virtualisation-based security.

On the hardware side, the optional TPM chip is the most effective feature, as it represents an isolated component which can protect sensitive information (e.g. certificates and user credentials). During the start of the device, Unified Extensible Firmware Interface (UEFI) Secure Boot ensures that bootkits can’t run and that Windows 10 Enterprise starts before anything else.

Configurable code integrity lets you control which code is actually allowed to run. There are two distinct components: “User Mode Code Integrity” (UMCI) and “Kernel Mode Code Integrity” (KMCI). The latter is capable of using the Hyper-V virtualisation-based security services. Hyper-V based code integrity (HVCI) helps to protect the system core (kernel), privileged drivers, and system defences, like anti-malware solutions, by preventing malware from running early in the boot process, or in the kernel after startup.

Device Guard deploys the UMCI in order to ensure that anything that runs in user mode, such as a service, a Universal Windows Platform (UWP) app, or a Classic Windows application is trusted, allowing only trusted binaries to run.

Now that we have established how Device Guard protects a system, let’s talk about what you need to do to set it up. First of all, you need to sign your apps. Trust between Device Guard and your apps is established when your apps are signed using a signature that you determine to be trustworthy. There are different methods to achieve this. The first one is to publish an app through the Windows Store, as all apps that come out of the Microsoft Store are automatically signed with special signatures. However, you can restrict such UWP apps using AppLocker.

The second method would be to use your own digital certificate or public key infrastructure (PKI). Independent software vendors (ISVs) and enterprises can add themselves to the trusted list of signers in order to sign their own Classic Windows applications.
Another way is to use a trusted non-Microsoft signing authority to sign your own Classic Windows applications.
Fourthly, enterprises can use the Device Guard signing portal. This option is available through the Windows Store for Business.

In addition, before using Device Guard it is required that you set up your Code Integrity policy using tools provided by Microsoft. This policy defines what code can run on a device.
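As an added illustration (not part of the original article), the following PowerShell sketch builds a code integrity policy from a reference machine with Microsoft's ConfigCI cmdlets and deploys it in audit mode, so that violations are logged rather than blocked. The working folder `C:\CIPolicy` and the file names are assumptions; run it in an elevated session on Windows 10 Enterprise.

```powershell
# Added example: create a code integrity policy from a known-clean reference
# machine and deploy it in audit mode. Folder and file names are assumptions.
$work      = 'C:\CIPolicy'
$policyXml = Join-Path $work 'InitialScan.xml'
$policyBin = Join-Path $work 'SIPolicy.bin'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Scan the system drive and generate allow rules at the PCA certificate level,
# falling back to file hashes for unsigned binaries. -UserPEs includes user-mode
# executables, so the policy covers UMCI as well as kernel-mode drivers.
# Scan warnings (stream 3) are written to a log file for later review.
New-CIPolicy -Level PcaCertificate -Fallback Hash -ScanPath 'C:\' -UserPEs `
    -FilePath $policyXml 3> (Join-Path $work 'ScanWarnings.txt')

# Rule option 3 is "Enabled:Audit Mode": nothing is blocked, violations are logged.
Set-RuleOption -FilePath $policyXml -Option 3

# Convert the XML policy to the binary form that Windows loads at boot.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# Deploy locally; the policy takes effect after the next restart.
Copy-Item -Path $policyBin -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"

# After a restart and a period of normal use, list what enforcement would have
# blocked. Event ID 3076 is the audit-mode "would have been blocked" event.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 3076 } |
    Select-Object -First 50 TimeCreated, Message |
    Format-List

# Once the audit log is clean, switch to enforcement by removing option 3,
# converting again and redeploying:
#   Set-RuleOption -FilePath $policyXml -Option 3 -Delete
```

Reviewing the audit events before enforcing is what keeps a line-of-business application that was missed by the scan from being blocked in production.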

OK, now why would you want to use Device Guard? As the operating system trusts only apps authorised by your enterprise instead of everything which isn’t blocked by an antivirus or other security solution, you gain a significant amount of security. In addition, features like the possibility to sign several apps at once make Device Guard easily manageable for enterprises.

Device Guard is especially interesting for devices with fixed software inventory and fully-managed devices. Examples are ATMs, computers in call centres and laptops of employees.

In order to use Device Guard, Windows 10 Enterprise, UEFI firmware version 2.3.1 or higher with Secure Boot, virtualisation extensions, firmware lock, x64 architecture, a VT-d or AMD-Vi IOMMU (input/output memory management unit) as well as a secure firmware update process are required.
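The requirements above can be checked on a running machine. The following PowerShell report is an added example, not part of the original article; it reads the `Win32_DeviceGuard` WMI class together with `Confirm-SecureBootUEFI` and `Get-Tpm`, and assumes an elevated session on a Windows 10 build that exposes the code integrity status properties.

```powershell
# Added example: report Device Guard prerequisites and current state (run elevated).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Value meanings as documented for the Win32_DeviceGuard class.
$hwFeatures = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection (IOMMU)' }
$services   = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity' }
$vbsState   = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$ciState    = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

# Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not enabled".
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }

# The TPM is optional for Device Guard, so its absence must not stop the report.
$tpm = Get-Tpm -ErrorAction SilentlyContinue

# WMI returns UInt32 values; cast to Int32 so they match the hashtable keys.
$available = @($dg.AvailableSecurityProperties | ForEach-Object { [int]$_ })
$running   = @($dg.SecurityServicesRunning     | ForEach-Object { [int]$_ })

$missing = $hwFeatures.Keys | Sort-Object |
    Where-Object { $_ -notin $available } |
    ForEach-Object { $hwFeatures[$_] }
$active  = $running | Where-Object { $services.ContainsKey($_) } |
    ForEach-Object { $services[$_] }

[pscustomobject]@{
    Edition                 = $os.Caption
    Architecture            = $os.OSArchitecture
    SecureBootEnabled       = $secureBoot
    TpmPresent              = [bool]$tpm.TpmPresent
    MissingHardwareFeatures = ($missing -join ', ')
    VbsStatus               = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesRunning         = ($active -join ', ')
    # On older builds that lack these two properties the value falls back to 'Off'.
    KernelModeCodeIntegrity = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    UserModeCodeIntegrity   = $ciState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
}
```

An empty `MissingHardwareFeatures` together with `SecureBootEnabled : True` indicates that the firmware and virtualisation prerequisites are in place; firmware lock and the secure firmware update process are not visible through these interfaces and have to be confirmed with the hardware vendor.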

Windows developed a highly powerful security tool with Device Guard, which offers extensive functionality and makes use of software and hardware technology to protect devices. In order to get a deeper understanding of how you can profit from this solution, feel free to contact our EBV security experts here.

Stay tuned for our next blogs on the role of TPM for Windows Device Guard, how to use and set up Device Guard as well as use cases for Device Guard.