Windows 10 will support biometric authentication and hardware-based application whitelisting to help IT pros lock down devices – both positive steps for data security.
However, those Windows 10 security features would require hardware upgrades for many companies and the application whitelisting feature may also involve a significant amount of work for IT.
Device Guard in Windows 10 protects devices from malware variants and advanced persistent threats (APTs) by blocking untrusted apps. Trusted apps are signed by specific software vendors, the Windows Store, or the IT department. It comes with tools to sign Universal Apps (or Win32 apps) that weren't signed by the software vendor.
With this approach to application whitelisting, Windows determines whether an app is trustworthy and notifies the user if it isn't. Device Guard uses hardware technology and virtualization to isolate that decision-making function from the rest of the OS, to protect it from attackers or malware that may have gained access to the system, according to Microsoft.
"Hardened, locked down platforms like Microsoft previously delivered with Windows Phone and Windows RT, and Apple delivers with iOS, are a great defense against many types of exploits," said Wes Miller, a Windows analyst with Directions on Microsoft, an independent analysis firm in Kirkland, Wash.
IT pros are optimistic that Device Guard will make the next version of Windows more secure, given the shortcomings of antivirus (AV) software and similar signature-based defenses that systems managers are relegated to, said David Reynolds, systems manager with the Rhode Island Blood Center in Providence and a certified ethical hacker.
However, digital signing can be challenging, so it must be easy to implement and be tied to Active Directory, Reynolds said.
Is Device Guard the answer to malware and APTs?
Microsoft claims Device Guard gives it an advantage over traditional AV and app control technologies such as AppLocker and Bit9, which can be "tampered" with by administrators or malware. Microsoft declined to explain how much, or how little, control administrators will have over Device Guard, which concerns IT pros who fear the feature may be a bit too tamper-proof and take flexibility away from IT.
"I have seen AV solutions misclassify legitimate processes like remote control software VNC as 'malware' before," said Matt Kosht, an IT manager with an energy company in Michigan. "Flipping on Device Guard and breaking critical enterprise applications would be an issue."
Having tools to digitally sign or otherwise trust unsigned executables helps, but it could also mean a lot of work for enterprise IT, Kosht said.
"If you had 100 legacy applications you had to pass through this process it could take significant investment to get this implemented effectively," he said.
Still, putting security at the core of the OS and hardware to combat APTs is a good move, especially since AV software is "horribly inadequate" at dealing with APT threats, Kosht said. But he's skeptical Device Guard will effectively stop APTs.
Intel has had the XD (Execute Disable) feature in its processors and Microsoft has had Data Execution Prevention support since Windows XP SP2/Windows Server 2003, he said.
"We all know how ineffective these technologies were with stopping APTs."
Device Guard appears to be an evolution of those approaches, adding virtualization to the technology stack. It isn't novel, however; other products, such as Bromium vSentry, also offer protection through hardware isolation.
Microsoft was careful not to cut its AV software partners out of the equation, and claims Device Guard won't replace traditional AV and app control technologies. Those can work with Device Guard to help block executable and script-based malware and cover areas that Device Guard doesn't. For example, traditional AV software can detect attacks against interpreted platforms that are exploited with payloads, such as Java, Flash, Office, and Acrobat, Miller said.
So far, OEMs that support Device Guard on their hardware include Lenovo, HP, Acer, Fujitsu and Toshiba.
Windows 10 biometrics requires hardware upgrades
Device Guard follows a biometric authentication tool Microsoft introduced last month called Windows Hello that requires specialized hardware.
With Windows Hello, users can show their face, iris, or touch a finger to gain access to apps and enterprise content without a password or being hooked into a network server.
Facial recognition is the evolution of the logon that's embraced by users such as Reynolds, who enjoy biometric capabilities already available in Xbox. But it is a technology that is in its early phases.
"While sometimes commands have to be repeated in a militant fashion for effectiveness, it will continue to mature as most technologies often do," he said. "Facial recognition has also been plagued by pitfalls such as users having tans, facial hair, and eyewear. I've also seen many a user wrestle with fingerprint recognition forcing the vast majority of the current user base to rely on the username and password methodology."
Windows Hello requires hardware with a fingerprint reader or other biometric sensors. Fingerprint-based sensors are already on some devices and will work with Hello. Though the facial recognition feature won't be limited to Intel RealSense 3D Camera, that's the technology Microsoft touts.
So far there are three laptops with Intel RealSense: the Dell Inspiron 15 5000 Series Touch (starting at $749.99 on Dell.com), the HP ENVY - 15t Touch RealSense Laptop (starting at $649.99 on HP.com) and the Lenovo B50 Touch (starting at $849.99 on Lenovo.com).
About the author:
Bridget Botelho is senior news director of TechTarget's Data Center and Virtualization and End-User Computing media groups. Follow her on Twitter: @bridgetbotelho.