As we improve network security, attackers are having to find new ways around our firewalls and other security tools. Where a blanket attack on your network might have allowed them in, now they’re resorting to targeted attacks to insert malware and to phish key members of staff. They’re going to where your users go — to email and to the web — to find ways around protected networks.
One of the main targets for this new generation of attacks is the browser. Faked domains and fast-flux DNS systems make it hard to use traditional methods to block malicious websites, and specialized targeted attacks often make them indistinguishable from trusted sites and services — even down to using convincing site certificates and well-crafted fake DNS addresses. How can we protect businesses when an attacking site might be targeted at one specific individual?
One option is Microsoft’s Windows Defender Application Guard (WDAG). Originally rolled out only for Enterprise Windows 10 SKUs, but now available to Professional as well, it’s a tool that uses a highly custom virtualization layer to protect Windows 10’s Edge browser when browsing untrusted sites. Based on Hyper-V, it’s only available on PCs that have the appropriate hardware, and virtualization enabled in their BIOS settings.
WDAG operates in a similar manner to the hypervisor-protected code integrity features of Windows Defender System Guard (WDSG). However, where WDSG uses the hypervisor to protect low-level Windows processes from code-insertion attacks, WDAG goes further and uses a hypervisor and a dedicated kernel to support Edge, and only Edge. There’s some commonality here with the Drawbridge research OS that Microsoft developed as part of its Midori project, which used dedicated kernel modules to support specific applications — a concept referred to as a Library OS.
With WDAG, untrusted websites are handed over to a copy of Edge that’s running in a secure container hosted on its own hypervisor and with its own kernel. If a site contains targeted malicious code, it can’t affect the rest of your system as it’s isolated in the secure container. There’s no access to system memory, so no access to stored credentials, or to internal network resources. All a WDAG-protected Edge can do is browse the web, blocking most browser-based attack paths.
Microsoft describes this approach as “breaking the attacker playbook”, as it removes a well-known route into PCs, forcing attackers to find new and more complex routes into your network. WDAG operates in two distinct modes: a standalone mode for users to investigate sites that might be untrustworthy, and a managed mode that allows Edge to operate normally on known internal sites, using WDAG’s isolation on any site that’s not been whitelisted by system administrators.
Getting started with WDAG
It’s easy to get started with WDAG. If you’re setting it up on your own PC, you’ll need to turn it on from the Windows Features control panel. Select Windows Defender Application Guard and then, once the OS components have loaded, reboot your PC. Alternatively you can use Windows MDM tools like Intune to push WDAG to the users you want to protect, and configure the domains where it will and will not operate. There’s also the option of using PowerShell to enable the feature, running the appropriate cmdlet as administrator.
Once set up, you can start to use Application Guard in standalone mode using the tools built into Windows 10 to manage it. You’ll find a new menu item in Edge, New Application Guard Window, which launches a new instance of the secure Edge container, ready for use. You’ll be able to browse as normal, but with some restrictions around using bookmarks and saving downloaded files. You also won’t be able to use any extensions. Windows 10’s Security Center’s App & Browser Control option has tools to open up some of the security boundary around WDAG. Under Isolated Browsing, click to open Change Application Guard Settings. Here you can choose to save data, copy and paste between WDAG-secured Edge and the rest of Windows, print files, and even take advantage of hardware graphics resources to improve performance.
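As an added example (not code from the original article or from Microsoft), the following PowerShell script checks the virtualization prerequisites the article mentions and then enables the WDAG optional feature; it assumes an elevated session on Windows 10 Pro or Enterprise, and the feature name Windows-Defender-ApplicationGuard is the one Windows uses for the optional component.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: check the Hyper-V/firmware
# prerequisites WDAG depends on, then enable the optional feature without an
# immediate reboot so the restart can be scheduled.

function Test-WdagPrerequisites {
    $ci = Get-ComputerInfo
    # When a hypervisor is already running (e.g. Hyper-V is installed) the
    # HyperVRequirement* properties come back empty, so short-circuit on it.
    if ($ci.HyperVisorPresent) {
        Write-Host 'A hypervisor is already present; virtualization requirements are met.'
        return $true
    }
    $checks = [ordered]@{
        'Virtualization enabled in firmware (BIOS/UEFI)' = $ci.HyperVRequirementVirtualizationFirmwareEnabled
        'Second Level Address Translation (SLAT)'        = $ci.HyperVRequirementSecondLevelAddressTranslation
        'VM Monitor Mode Extensions'                     = $ci.HyperVRequirementVMMonitorModeExtensions
        'Data Execution Prevention available'            = $ci.HyperVRequirementDataExecutionPreventionAvailable
    }
    $ok = $true
    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'OK' } else { 'MISSING'; $ok = $false }
        Write-Host ('{0,-48} {1}' -f $name, $state)
    }
    return $ok
}

function Enable-Wdag {
    $featureName = 'Windows-Defender-ApplicationGuard'
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName
    if ($feature.State -eq 'Enabled') {
        Write-Host "$featureName is already enabled."
        return
    }
    # -NoRestart lets you schedule the reboot the article says is required.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart
    if ($result.RestartNeeded) {
        Write-Warning 'Reboot required before Application Guard can be used.'
    }
}

if (Test-WdagPrerequisites) {
    Enable-Wdag
} else {
    Write-Warning 'Enable virtualization in firmware before installing WDAG.'
}
```

After the reboot, the New Application Guard Window item appears in Edge for standalone use.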
WDAG for the enterprise
Using WDAG in standalone mode isn’t really an effective way of protecting your network. It can help reduce risks, but users have to enable WDAG and explicitly open a protected instance of Edge. You can train users to work this way, but they will have to add extra steps into workflows and it’s often more convenient to carry on using the usual, unprotected Edge. If you’re willing to train users to use it when accessing unknown sites, or when accessing corporate resources, then you’ll see some benefit. However, it’s more practical to use WDAG on managed hardware, where you can control access to resources more effectively.
Enterprise-managed mode does require your users to be logged in to an Active Directory instance, as it uses policy to deliver lists of allowed sites. Users accessing whitelisted, trusted content will be allowed to use Edge as normal. If they go to a URL outside your whitelist, they’ll be redirected to a WDAG container instance of Edge automatically. Each time a user types an address, Edge checks whether the URL is trusted or untrusted and automatically switches to the appropriate context, the protected or the unprotected instance of Edge.
Using WDAG doesn’t force you to create a complete set of new Group Policy settings to approve sites; it works with your existing network isolation settings to define the boundaries of your network. If you’re using Windows’ low-level network security tooling, you’ll already be using these, and Edge running with WDAG will automatically treat them as its own security boundary. Network isolation has settings for private network IP ranges, for enterprise resources that are cloud hosted, and for domains that may be used for both corporate and personal purposes. The first two are automatically treated as safe, while the third can be accessed in both insecure and secure modes.
Group policies can also be used to control how WDAG interacts with the rest of Windows. You can use them to block access to the clipboard, to enable printing, to allow downloaded files to be saved, to use favorites, and to enable persistent cookies. You’ll need a separate policy to allow files to be saved outside the WDAG container.
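The context switch described in the two passages above (trusted URLs stay in normal Edge, everything else is redirected into the container), modelled as an added PowerShell illustration that is not the article’s or Microsoft’s code. The four lists are constructed sample values standing in for the three network-isolation settings plus the “both work and personal” domains; Edge’s real matching rules (wildcards, proxy handling) are its own and should be confirmed against the policy documentation.

```powershell
# Added illustration, not from the original article: which Edge context a URL
# lands in under enterprise-managed WDAG, given constructed network-isolation
# lists. Private ranges, enterprise domains and cloud resources -> normal Edge;
# neutral domains -> either; anything else -> WDAG container.
$PrivateRanges     = @('10.0.0.0-10.255.255.255', '192.168.0.0-192.168.255.255')
$EnterpriseDomains = @('corp.contoso.com')
$CloudResources    = @('contoso.sharepoint.com', 'contoso-my.sharepoint.com')
$NeutralDomains    = @('login.microsoftonline.com')

function ConvertTo-IPv4UInt32 {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> host order for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InPrivateRange {
    param([string]$HostName, [string[]]$Ranges)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($HostName, [ref]$ip) -or
        $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $value = ConvertTo-IPv4UInt32 $HostName
    foreach ($range in $Ranges) {
        $low, $high = $range.Split('-')
        if ($value -ge (ConvertTo-IPv4UInt32 $low) -and $value -le (ConvertTo-IPv4UInt32 $high)) { return $true }
    }
    return $false
}

function Test-DomainMatch {
    # Exact match, or a subdomain of a listed domain.
    param([string]$HostName, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($HostName -eq $d -or $HostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Get-EdgeContext {
    param([string]$Url)
    $hostName = ([System.Uri]$Url).Host.ToLowerInvariant()
    if (Test-InPrivateRange $hostName $PrivateRanges)                       { return 'Host (normal Edge)' }
    if (Test-DomainMatch $hostName ($EnterpriseDomains + $CloudResources))   { return 'Host (normal Edge)' }
    if (Test-DomainMatch $hostName $NeutralDomains)                          { return 'Either' }
    return 'WDAG container'
}

foreach ($u in 'http://10.1.2.3/app', 'https://intranet.corp.contoso.com/',
               'https://contoso.sharepoint.com/sites/hr', 'https://login.microsoftonline.com/',
               'https://example.org/') {
    '{0,-42} {1}' -f $u, (Get-EdgeContext $u)
}
```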
Windows Defender Application Guard is a powerful tool that’s also a pointer to how future operating systems and applications will interact. By isolating applications in secure containers, it’s possible to protect users’ data and the rest of the network. Isolation doesn’t need to be complete, as users can still save and share files, after the overall risk has been evaluated.
If you’re running a Windows 10 enterprise network, WDAG is an essential security tool: expect other applications to join Edge in their own secure containers in the future.