Posted on 04/22/2015 5:53:04 PM PDT by SeekAndFind
Microsoft is making big efforts to increase the security of Windows 10 and turn the new operating system into a fully secure working environment, so several new features will be available in this regard when it comes out.
In addition to Microsoft Passport and Windows Hello, both of which were announced a few months ago, Redmond will also introduce a feature called Device Guard that would give organizations full control over the apps that are allowed to be launched on a device running Windows 10.
According to Microsoft, the new feature should provide advanced malware protection against new and even unknown malware variants and block all zero-day threats for Windows 10. Basically, no apps other than the ones you allow can be launched on a Windows 10 device. You can configure the feature to work with apps signed by defined vendors, apps from the store, or those developed by your company, Microsoft said.
You're in control of what sources Device Guard considers trustworthy, and it comes with tools that make it easy to sign Universal or even Win32 apps that may not have been originally signed by the software vendor.
However, Device Guard is not supposed to replace your antivirus but to work together with it. For example, antivirus solutions can still continue to block macros or other forms of malware, while Device Guard would be in charge of restricting access to apps that aren't allowed in your organization.
Microsoft explains how the duo would work:
Traditional AV solutions and app control technologies will be able to depend on Device Guard to help block executable and script based malware, while AV will continue to cover areas that Device Guard doesn't, such as JIT based apps (e.g.: Java) and macros within documents. App control technologies can be used to define which trustworthy apps should be allowed to run on a device.
Windows 10 is projected to launch this summer, with RTM expected to be reached in June, while general availability should be announced in August. Windows 10 will be offered as a free upgrade for Windows 8.1 and Windows 7 users, but enterprises would still have to pay for it.
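As an added illustration (not from the article and not Microsoft's documentation), here is how an administrator would express the "only apps signed by defined vendors" idea above with the ConfigCI cmdlets that shipped with Windows 10: build an initial code integrity policy from a reference machine at the Publisher level, deploy it in audit mode first, and read back what it would have blocked before enforcing it. The folder and file names are assumptions for this example.

```powershell
# Added example: build a Device Guard code integrity policy from a reference
# machine at the Publisher level (allow anything signed by the same publishers
# as the software already installed), falling back to file hashes for
# unsigned binaries. The paths below are assumptions for this example.
$policyXml = 'C:\CIPolicy\InitialPolicy.xml'
$policyBin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# Which publisher would a given app be trusted under? Inspect its Authenticode
# signature (vendor path and file name are placeholders).
Get-AuthenticodeSignature 'C:\Program Files\SomeVendor\app.exe' |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# Scan the reference system. -UserPEs includes user-mode binaries, not only
# drivers, which is what "apps" in the article means.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs `
    -FilePath $policyXml

# Rule option 3 = Enabled:Audit Mode. Start here: violations are logged, not
# blocked, so line-of-business apps the scan missed show up before enforcement.
Set-RuleOption -FilePath $policyXml -Option 3

# Convert to the binary form the kernel consumes, then place it where the
# code integrity engine reads it at boot.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
Copy-Item $policyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# After a reboot, audit-mode events (ID 3076) list every binary the policy
# would have blocked once enforced.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message -First 20

# To enforce later: drop the audit option, regenerate the binary, redeploy.
# Set-RuleOption -FilePath $policyXml -Option 3 -Delete
```

The audit-then-enforce sequence is the part that matters in practice: a publisher-level policy built from one reference image will miss internally built or oddly signed tools, and the 3076 events are the cheapest way to find them before users start getting blocked.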
This seems to be offering a way to implement the same kind of protection to applications that Secure Boot does for the OS Kernel.
Well... in MSDOS days the file extension meant something about how to execute it, but not so much under Windows. Any file with an executable extension (exe/com/bat/scr/msc/...) is executed based on what the first few bytes look like, and no significance is placed on the extension with regard to HOW it is executed. You can rename FOO.EXE to FOO.BAT or FOO.SCR or any other executable extension and as long as it's got a given signature in the first few bytes, it'll get executed correctly.
Microsoft borrowed this feature from Unix/Linux, where executables have the 'x' perm set but typically do not have any extension, so the system figures out how to execute it using a variety of tricks including "magic" (/usr/share/misc/magic) values at the front of the file data. In Windows if you name a plain text file with one of the executable extensions, it generally won't execute (the system might try to read it as a script, depending).
But the real shame is that NTFS has plenty of execute permission control, and it's finer resolution than Unix/Linux. But the default for backward compatibility is to let any damn thing execute, so the control feature is usually wasted, at least on typical user systems.
*sigh*
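The post above turns on what the first few bytes of a file say versus what its extension claims. As an added example (not part of the thread), here is a small PowerShell check that classifies a file by its content: every Windows PE executable starts with the 'MZ' DOS header and carries a 'PE\0\0' signature at the offset stored at 0x3C. Scanning a folder for files whose content says "executable" while the extension says otherwise is a simple masquerading check for a defender; the scanned folder is an assumption.

```powershell
# Added example: detect PE executables by header bytes, independent of extension.
function Test-PeHeader {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40) { return $false }
    # DOS header magic 'MZ'
    if ($bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }
    # e_lfanew at 0x3C points at the PE signature
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or ($peOffset + 4) -gt $bytes.Length) { return $false }
    # 'P' 'E' 0 0
    return ($bytes[$peOffset]     -eq 0x50 -and
            $bytes[$peOffset + 1] -eq 0x45 -and
            $bytes[$peOffset + 2] -eq 0x00 -and
            $bytes[$peOffset + 3] -eq 0x00)
}

# Extensions Windows treats as PE images; anything else carrying PE content is suspect.
$peExtensions = '.exe', '.dll', '.scr', '.sys', '.cpl', '.ocx'

# Folder to scan is an assumption for this example.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -File -Recurse |
    ForEach-Object {
        if ((Test-PeHeader $_.FullName) -and ($_.Extension.ToLower() -notin $peExtensions)) {
            [PSCustomObject]@{ File = $_.FullName; Note = 'PE content, non-PE extension' }
        }
    }
```

The check reports only mismatches, so on a clean folder it prints nothing; a renamed executable shows up regardless of what the file is called.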
Except it won’t. As long as you let users install software you’ll never get rid of malware. Users are the unclosable security hole and are the primary vector malware uses.
If used properly it will prevent them from being able to run a program that claims to be from a know, trusted source (Microsoft, Adobe, etc.) but really isn’t.
If used properly. Which is always the problem with users. Eventually they’re always going to install those damn emoticons.
One question and they’ll hang up -
“what IP are you seeing these from?”
I understand the sentiment. Sometimes I think “This would be a great job if we could just get rid of the users.”
It was on my landline that I’ve had since 1989. Near as I can tell it was just regular telemarketer robo-dialing.
The first time I got one of those calls was in the early 1990s. It was before Algore invented the Internet. I had a 1200 baud modem that I only used to connect directly to other PCs.
That's what I am thinking too. A cgroup, zone, container, etc. UNIX and Linux have been at this for quite some time now. Java does it now (under the hood).
I told them “I’m glad you called. I got a virus and someone got in my accounts and took all my money. How can you help?”
No words from them .......
AppLocker was available starting with Server 2008 R2, IIRC. It’s domain-controlled, so it’s not something a retail/home user can just turn on.
Ah, so. Didn't have occasion to use it with my Server installations, at least until now, so I didn't realize that. Thanks.