
Monday, September 4, 2017

Windows Defender Application Guard (updated)

With the new release of Windows 10 (1709) there is a great new feature out called "Windows Defender Application Guard".

The idea is to limit access to the system by isolating the browsing experience, so that attackers who try to use the browser as an entry point stay locked out of the host.
 
This feature lets your Edge browser run in a VM for unknown (untrusted) websites. You will not notice a VM starting up; it just feels like a "different private mode" in your browser.

A good overview of how it works behind the scenes can be found in this video:

 
End users can tell the difference by a visual indicator in the browser.




You can manage it through GPOs that define which trusted websites (e.g. organizational websites) should open in the normal Edge, with the full set of Win32 APIs available.

All other websites are opened in the sandboxed version of Edge. The sandboxing is realized with Hyper-V virtualization: the container includes a kernel with a limited set of Win32 APIs, which makes it even harder to break in. And even if an attacker does break in, they are locked inside the virtualization layer. When you close the browser the threat is gone too, because the environment is non-persistent.

Additionally, this is tied into Windows Defender Advanced Threat Protection, so you even get notified if someone tried to compromise your environment.



To get more information on this, check out this site:
https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge


And to get the FULL CURRENT (1709) holistic Microsoft security view, please check out this recent video. It covers more than just Application Guard, which is one brick in a bigger wall.


 
Enabling it is relatively simple (depending on the hardware requirements).

But you need to fulfill the requirements:

  • Windows 10 Enterprise SKU only
  • The PC must support Hyper-V (some older PCs may not support Hyper-V or have the feature disabled in the BIOS)
  • Windows Defender Application Guard is off by default; it must be enabled manually or by policy
  • Hardware limits:
    • Min. 4 (!) logical processors (e.g. dual core + Hyper-Threading)
    • Min. 8 GB RAM
    • Min. 5 GB HDD disk space
    • When you meet these limits and enable nested virtualization (GuestVirtualization) in Hyper-V (only possible via PowerShell), it also works inside a VM.
Otherwise the feature is greyed out!
 
Currently WDAG reacts a bit tricky to updates. It worked in 16299.19 in the English-US version of Windows. Update KB4043961 broke the feature, so you need to dismiss this update. Other languages may also not work right away, but from later builds (17035) onwards it starts working in German again.
 
1. You need to enable Windows Defender Application Guard in "Windows Features".

[Screenshot: WDAG Turn on and off features.png]

2. You need to set up the policies for WDAG (very important!)
  • Network Isolation Policies (defining what counts as the enterprise network)
    Computer Configuration\Administrative Templates\Network\Network Isolation
  • Application Guard Policies (defining WDAG behaviour)
    Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard
More about the policies you can find here:
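As an added example (not from the original post), here is a PowerShell script that checks the prerequisites listed above and, if they all pass, enables the optional feature from step 1 instead of ticking it in "Windows Features". It must run elevated; the VM name `WDAG-Test` in the commented nested-virtualization line is a placeholder for your own Hyper-V VM.

```powershell
# Added example: verify WDAG prerequisites, then enable the feature. Run as Administrator.
function Test-WdagPrerequisites {
    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpu  = Get-CimInstance Win32_Processor
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    $checks = [ordered]@{
        'Enterprise SKU'                 = $os.Caption -match 'Enterprise'
        'Build >= 16299 (1709)'          = [int]$os.BuildNumber -ge 16299
        '>= 4 logical processors'        = ($cpu | Measure-Object NumberOfLogicalProcessors -Sum).Sum -ge 4
        # Firmware reserves some RAM, so round instead of comparing raw bytes against 8GB.
        '>= 8 GB RAM'                    = [math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 8
        '>= 5 GB free on system drive'   = $disk.FreeSpace -ge 5GB
        # False when VT-x/AMD-V is disabled in the BIOS, or inside a VM without nested virtualization.
        'Virtualization enabled in firmware' = [bool]($cpu | Where-Object VirtualizationFirmwareEnabled)
        'SLAT supported'                 = [bool]($cpu | Where-Object SecondLevelAddressTranslationExtensions)
    }

    foreach ($name in $checks.Keys) {
        '{0,-38} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'FAIL' })
    }
    return -not ($checks.Values -contains $false)
}

if (Test-WdagPrerequisites) {
    # Same as ticking "Windows Defender Application Guard" in Windows Features.
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard |
        Select-Object FeatureName, State
}
else {
    Write-Warning 'Prerequisites not met; the WDAG feature would stay greyed out.'
}

# Only if the machine you are preparing is itself a Hyper-V VM: run this on the
# Hyper-V host while the VM is off to expose the virtualization extensions to it
# (the "GuestVirtualization" step mentioned above). 'WDAG-Test' is a placeholder.
# Set-VMProcessor -VMName 'WDAG-Test' -ExposeVirtualizationExtensions $true
```

After the feature is enabled, a reboot is still required before the Application Guard window appears in Edge, and the policies from step 2 still need to be set.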
