#Build2016
Device Guard Compatible Application Development
Getting Your Apps Into the Circle of Trust
Scott Anderson
Klaudia Leja

Device Guard - What is Device Guard?
• Combination of hardware + software security
• Enables businesses to strongly control what is allowed to run
• Brings appliance or mobile-like security protections to desktop OS with support for existing line of business apps

Kernel Development for Device Guard
• Windows 10 drivers must be signed by Microsoft
• Strong driver publisher identity verification via Extended Validation (EV) certificates
• Sign drivers with Sysdev portal – cross-signing not good enough anymore
Virtualization Based Security Compatibility
• Make drivers HVCI compatible by using NX APIs, etc.; test with Driver Verifier
• No unsafe drivers (no peek/poke); also include filename, version, etc. in resources
• Enterprises can control driver requirements via Device Guard policy

User Mode Code Integrity
• Enterprises can require everything that runs to be trusted
• Allow an enterprise to specify trusted signers either internal or external
• Enterprise CI configuration may be signed for further protection
• If signed, the configuration is stored in the pre-OS and it can only be modified by a new signed update
• Protects against admin level attacks/malware which seek to delete, modify, or weaken CI configuration

User Mode Application Development
• Sign your applications
• Include filename, version, company name resources

Catalog Signing
• A signed file that identifies one or more binaries
• Has been required for driver packages (install-time check)
• Can also be used for any application signing
• Published to the Windows catalog database
• Each machine has its own catalog database of trusted binaries
• Can be managed and deployed independently of the packaged binaries
• Preserves any existing signatures
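
A way to check the two slides above (signed binaries with version resources, and embedded versus catalog signatures) against an existing install folder, as an added PowerShell example that is not from the original deck. The folder path is hypothetical, and mapping the slide's "filename" to the OriginalFilename resource is an assumption.

```powershell
# Added example: audit binaries for signature status and the version
# resources the deck asks developers to include.
param(
    # Hypothetical install folder; point this at the app under review.
    [string]$Path = 'C:\Program Files\ContosoApp'
)

$extensions = '*.exe', '*.dll', '*.sys'

Get-ChildItem -Path $Path -Recurse -File -Include $extensions | ForEach-Object {
    # Reports embedded signatures and, on Windows 10, catalog signatures too.
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $vi  = $_.VersionInfo

    # Collect the resource fields that are empty or absent.
    # Assumption: "filename" on the slide means the OriginalFilename resource.
    $missing = @()
    if ([string]::IsNullOrWhiteSpace($vi.OriginalFilename)) { $missing += 'OriginalFilename' }
    if ([string]::IsNullOrWhiteSpace($vi.FileVersion))      { $missing += 'FileVersion' }
    if ([string]::IsNullOrWhiteSpace($vi.CompanyName))      { $missing += 'CompanyName' }

    [pscustomobject]@{
        File             = $_.FullName
        SignatureStatus  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SignatureType    = $sig.SignatureType   # Authenticode (embedded) or Catalog
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        MissingResources = $missing -join ', '
        Ready            = ($sig.Status -eq 'Valid') -and ($missing.Count -eq 0)
    }
} | Sort-Object Ready, File | Format-Table -AutoSize -Wrap
```

Files listed with `Ready` = False sort first; unsigned ones are candidates for catalog signing, and ones with missing resources need a rebuild with the version resource filled in.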

The Elephant in the Room – IT Code-signing
• Code-signing is hard
• Just as most malware is unsigned, so too are the vast majority of LOB apps
• Enterprises shouldn’t blindly trust all software from an ISV even if signed
• Windows 10 includes tools to enable IT to address code-signing for existing apps

Getting Apps Into the Circle of Trust
• Microsoft Store signed and distributed apps
• Developers can sign using their own certs
• Enterprise signing via internally managed Public Key Infrastructure (PKI)
• Microsoft Device Guard Signing Service

PKI-as-a-service
• Device Guard Signing can be used by enterprises to sign catalogs and CI policies
• Either using the GUI in the Windows Store for Business or the PowerShell cmdlets
• It will expose the public certificates that are used for signing
• Signing certificates and keys will be unique for each enterprise
• All private keys will be locked in Hardware Security Modules (HSMs) and never exposed

Call to Action – Sign your apps!
• Windows Store for Business
• Device Guard White Paper
• Making drivers HVCI compatible
• Driver Signing Requirements
• Managing Device Guard with Configuration Manager
• Continue your education at Microsoft Virtual Academy online.