Free Republic
General/Chat

To: Alas Babylon!

Pretty much all those things you name are nearly useless for the average business customer or are unlikely to work in the case of the so-called “security” improvements. I’ve yet to see a “security” feature that can’t be bypassed on a Microsoft OS, because Windows is inherently insecure, always has been and always will be.


29 posted on 10/08/2015 8:09:31 AM PDT by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)


To: catnipman
That's simply preposterous!!!

Do you even KNOW what Device Guard is?

So what exactly is Device Guard?

  Well, it’s a device configuration for Windows that literally locks the device down, just like we do on Windows Phone, such that it can only run trusted applications. If the app isn’t trusted, Windows won’t allow it to run. (By trust, Microsoft means digital signatures using AES 256-bit encryption.)

  Platform or app vulnerability related bypasses can be mitigated using virtualization technology, meaning that even if an attacker manages to gain control of the kernel, they still couldn’t run malicious executable code.

  The decision making on what can run vs. not is performed in the Hypervisor Windows Code Integrity service, which has been moved out of Windows and runs alongside it in a Hyper-V protected container that we call Virtual Secure Mode (VSM). The service determines what’s trustworthy vs. not based on signatures that are configured using Windows policy.

As mentioned before, Device Guard mode is supported for both Universal and Win32 apps. Trust is established when apps are signed using either the Windows Store publishing process or a web service that ISVs and Enterprises can use to sign their own applications.

  The signatures that Microsoft uses to sign apps aren’t any old signatures. They’re special and either roll up to Microsoft's certificate authority, one you trust, or your own. In other words, the apps need to be more than signed. They need to be signed using a signature that Microsoft or you believe is trustworthy.

  The app signing process is automatic for apps that are published through the Windows Store, and for ISVs and Enterprises that want to sign their own apps, Microsoft provides them with access to a secure web service. The web service can sign actual binaries, or it can sign what they call a catalog file, which is basically a hash table for the app's binaries. The catalog file can easily be generated using a tool that simulates the app setup process and generates the file as its output.

This is part of my course on Windows 10. I then go on to turn on Device Guard, and then everyone does in the lab.

If you send me your personal info in a PM I'll get you in the next class for free, but you have to pay your own T&E!

31 posted on 10/08/2015 8:32:04 AM PDT by Alas Babylon! (As we say in the Air Force, "You know you're over the target when you start getting flak!")
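The trust decision the post describes (signed, and signed by a publisher whose chain rolls up to a CA you trust, otherwise the binary needs a catalog or hash rule) can be previewed before a policy is enforced. The script below is an added example, not code from the post or from Microsoft; the file paths, the Contoso publisher name and the allow-list of trusted signer subjects are constructed assumptions for the demo.

```powershell
# Added example: for each candidate binary, report whether it would satisfy a
# Device Guard publisher-style rule (valid Authenticode or catalog signature
# whose chain builds to a trusted root, and a signer subject on our allow-list)
# or whether it would instead need a signed catalog / hash rule.
# Assumptions: the second path and the Contoso subject are hypothetical.

$Candidates = @(
    "$env:SystemRoot\System32\notepad.exe",   # catalog-signed by Microsoft
    'C:\Apps\Contoso\LobApp.exe'              # hypothetical line-of-business app
)

# Constructed allow-list: the signer subjects your policy would trust.
# (Microsoft's Windows signer plus your own enterprise code-signing cert.)
$TrustedPublishers = @(
    'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US',
    'CN=Contoso Code Signing, O=Contoso Ltd, C=US'   # hypothetical
)

function Test-CIPublisherTrust {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Missing'; Reason = 'file not found' }
    }

    # Get-AuthenticodeSignature checks both embedded signatures and catalog entries;
    # SignatureType tells you which one matched.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Unsigned or tampered: no publisher rule can ever allow this. Only a hash rule
    # or a catalog you sign yourself (PackageInspector/makecat/signtool) could.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Verdict = 'NeedsCatalogOrHash'
            Reason = "signature status: $($sig.Status)"
        }
    }

    # Build the chain from the leaf signer to a root. RevocationMode NoCheck keeps
    # the demo offline; a real policy check would leave revocation enabled.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    if (-not $chainOk) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        return [pscustomobject]@{
            Path = $Path; Verdict = 'NeedsCatalogOrHash'
            Reason = "chain does not build to a trusted root ($status)"
        }
    }

    # "More than signed": the leaf subject must be one we have chosen to trust.
    $subject = $sig.SignerCertificate.Subject
    if ($TrustedPublishers -contains $subject) {
        $verdict = 'AllowedByPublisherRule'
        $reason  = "$($sig.SignatureType) signature; root: $($root.Subject)"
    } else {
        $verdict = 'NeedsPublisherRule'
        $reason  = "valid signature but signer not on allow-list: $subject"
    }

    [pscustomobject]@{ Path = $Path; Verdict = $verdict; Reason = $reason }
}

$Candidates | ForEach-Object { Test-CIPublisherTrust -Path $_ } | Format-Table -AutoSize
```

Run it on a reference machine before authoring the real policy; anything that comes back NeedsCatalogOrHash is a binary you will have to catalog-sign or hash-allow, since the signing service route the post describes only helps files you can get a trusted signature onto. The enforced policy itself is produced separately with the ConfigCI cmdlets (New-CIPolicy to scan the reference system, then ConvertFrom-CIPolicy to emit the binary policy), which this preview does not replace.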

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson