The document discusses Windows security features like Device Guard, Credential Guard, and virtualization-based security. It provides information on how these features help protect systems from malware, zero-days, and advanced persistent threats. It also discusses some challenges with implementing these features and provides links for further reading on deploying and managing Windows security.

1. Protecting your critical systems from
new and unknown malware, 0-days,
and APT

2. WE DRIVE BUSINESS EVOLUTION FORWARD
The ONE solution
https://en.wikipedia.org/wiki/Snake_oil

3. WE DRIVE BUSINESS EVOLUTION FORWARD
Modern Users

4. WE DRIVE BUSINESS EVOLUTION FORWARD
Last Weeks Customer Incident

5. WE DRIVE BUSINESS EVOLUTION FORWARD
Luck vs Solution
Luck
- Honesty
- No Judgment
- Response time
Bad Luck
- (Just about)Only local Admin user
- User permission
Mitigation
- Monitoring (ATA)
- User Training
- Procedures, monitoring and alerts (ATP/ATA)

6. WE DRIVE BUSINESS EVOLUTION FORWARD
Affected Client
Bad Luck
• USB Backup Disk
• Local Admin (Exception)
Mitigation
• Azure Backup
• LAPS
• Local Administrator Password Solution
• Device Guard
https://www.microsoft.com/en-us/download/details.aspx?id=46899

7. WE DRIVE BUSINESS EVOLUTION FORWARD
WHY!!!

8. WE DRIVE BUSINESS EVOLUTION FORWARD
Man vs Machine

9. WE DRIVE BUSINESS EVOLUTION FORWARD
Old School Security
o User Education
o Traditional best practices
o Avoid Exceptions
o Etc.
Think!!!

10. WE DRIVE BUSINESS EVOLUTION FORWARD
Windows Security History
November 2006August 2004
https://en.wikipedia.org/wiki/Timeline_of_Microsoft_Windows

11. WE DRIVE BUSINESS EVOLUTION FORWARD
Windows Vista
UAC:
• Stopped more than 50% of 2000
backdoors, keyloggers, rootkits, mass
mailers, trojan horses, spyware, adware, and
various others directly
• Less then 5% survived UAV during reboot
http://us.norton.com/support/premium_services/malware_removal_guide.pdf

12. WE DRIVE BUSINESS EVOLUTION FORWARD
The Windows 10 Defense Stack
PROTECT, DETECT & RESPOND
PRE-BREACH POST-BREACH
Windows Defender
ATP
Breach detection
investigation &
response
Device
protection
Device Health
attestation
Device Guard
Device Control
Security policies
Information
protection
Device protection /
Drive encryption
Enterprise Data
Protection
Conditional access
Threat
resistance
SmartScreen
AppLocker
Device Guard
Windows Defender
Network/Firewall
Built-in 2FA
Account lockdown
Credential Guard
Microsoft Passport
Windows Hello ;)
Identity
protection
Breach detection
investigation &
response
Device
protection
Information
protection
Threat
resistance
Conditional Access
Windows Defender
ATP
Device integrity
Device control
BitLocker and
BitLocker to Go
Windows
Information
Protection
SmartScreen
Windows Firewall
Microsoft Edge
Device Guard
Windows Defender
Windows Hello ;)
Credential Guard
Identity
protection

13. WE DRIVE BUSINESS EVOLUTION FORWARD
POST-BREACHPRE-BREACH
Breach detection
investigation &
response
Device
protection
Identity
protection
Information
protection
Threat
resistance
Windows 10 Security on Legacy or Modern Devices
(Upgraded from Windows 7 or 32-bit Windows 8)

14. WE DRIVE BUSINESS EVOLUTION FORWARD
Dynamic Lock / Goodbye

15. WE DRIVE BUSINESS EVOLUTION FORWARD
Hello (Word) For business
10 Print «Hello World!»
20 Goto 10
Run

16. WE DRIVE BUSINESS EVOLUTION FORWARD
Hello For Business
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification

17. WE DRIVE BUSINESS EVOLUTION FORWARD
Secure Boot / Bitlocker / BIOS -> UEFI
https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview

18. Show & Tell

19. WE DRIVE BUSINESS EVOLUTION FORWARD

26. The Guards

27. WE DRIVE BUSINESS EVOLUTION FORWARD
VIRTUALIZATION BASED SECURITY
Kernel
Windows Platform
Services
Apps
Kernel
SystemContainer
Trustlet#1
Trustlet#2
Trustlet#3
Hypervisor
Device Hardware
Windows Operating System
Hyper-VHyper-V

28. WE DRIVE BUSINESS EVOLUTION FORWARD
Device guard in vbs environment
decisive mitigation
Kernel
Windows Platform
Services
Apps
Kernel
SystemContainer
DEVICE
GUARD
Trustlet#2
Trustlet#3
Hypervisor
Device Hardware
Windows Operating System
Hyper-VHyper-V

29. WE DRIVE BUSINESS EVOLUTION FORWARD
Credential Guard
Not currently supported on Windows Server2016

30. WE DRIVE BUSINESS EVOLUTION FORWARD

31. WE DRIVE BUSINESS EVOLUTION FORWARD

32. WE DRIVE BUSINESS EVOLUTION FORWARD
Device Guard
KMCI – Kernel Mode Code Integrity
UMCI – User Mode Code Integrity
Whitelist
◦ Applications / Apps
◦ Utilities
◦ Drivers
Audit / Enforce
Lock Policy
https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide

33. WE DRIVE BUSINESS EVOLUTION FORWARD
Drivers
https://msdn.microsoft.com/en-us/windows/hardware/drivers/dashboard/windows-certified-products-listv

34. WE DRIVE BUSINESS EVOLUTION FORWARD
Certificates and Views
2 314 831 bytes
888 068 bytes

35. WE DRIVE BUSINESS EVOLUTION FORWARD
Exceptions (Known Threats)
• Narrator
• Wifi
• Blacklist whitelisted
• Exploit Monday
•https://github.com/mattifestation/DeviceGuardBypassMitigationRules

36. WE DRIVE BUSINESS EVOLUTION FORWARD
Device Guard Getting started
• Golden Image
• Audit Mode
• Failed
• Drivers
• Policy files
• Trial and error
• Maintaine
NB! Sign the policy
https://technet.microsoft.com/itpro/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-
device-guard

37. WE DRIVE BUSINESS EVOLUTION FORWARD
Group Policy

38. WE DRIVE BUSINESS EVOLUTION FORWARD
Config Manager
https://blogs.technet.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-
configuration-manager/

39. WE DRIVE BUSINESS EVOLUTION FORWARD
CMD:
Powershell Get-ExecutionPolicy
Powershell Set-ExecutionPolicy unrestricted -scope process; ./DG_Readiness_Tool_v2.1.ps1 –ready
Powershell Get-ExecutionPolicy
Powershell:
Get-ExecutionPolicy
Set-ExecutionPolicy unrestricted -scope process; ./DG_Readiness_Tool_v2.1.ps1 –ready
Get-ExecutionPolicy
Script
-Capable
-Enable –CG
-Enable -HVCI

40. WE DRIVE BUSINESS EVOLUTION FORWARD
Management
• Group Policy
• Intune (Comming)
• System Center

41. WE DRIVE BUSINESS EVOLUTION FORWARD
New-CIPolicy -FilePath c:MyRulesMyRule.xml -Level PcaCertificate -ScanPath
Set-RuleOption -FilePath c:MyRulesMyRule.xml -Option X
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-
rules#code-integrity-policy-rules

42. WE DRIVE BUSINESS EVOLUTION FORWARD
Device Guard Links
Basic:
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-
based-security-and-code-integrity-policies#how-device-guard-features-help-protect-against-threats
https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide
https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard
http://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html
Advanced:
https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-
guard-in-windows-10/
https://technet.microsoft.com/en-us/library/mt634481.aspx
https://www.youtube.com/watch?v=n_fq1WnoQbI
https://github.com/mattifestation/DeviceGuardBypassMitigationRules

43. WE DRIVE BUSINESS EVOLUTION FORWARD
Conclusion

44. WE DRIVE BUSINESS EVOLUTION FORWARD
Machine vs Man

45. Olav Tvedt
Senior Principal Architect
Lumagate A/S
Blog: olavtvedt.blogspot.com
Twitter: OlavTwitt
Epost: Olav.Tvedt@Lumagate.com
Cloud and Datacenter Management
Windows and Devices for IT
31. Mai – www.mvpdagen.no