Microsoft seems to have embarked on a mission on making Windows 10, the most secure operating system. As such, it has decided to add a slew of security enhancements across a range of its products. Windows Defender Application Guard happens to be one of those enhancements that found a mention in yesterday’s keynote.
The new capability that would come as the next major update to Windows 10 will be in the form of Windows Defender Application Guard. The feature would enable Edge browser to run in a lightweight virtual machine. Running the update in a virtual machine would reduce even remote possibility of a system getting infected, thereby ensuring safety and protection of the enterprise’s devices and its corporate network.
Windows Defender Application Guard
Application Guard has been created to target 3 types of enterprise systems:
Enterprise mobile laptops
Bring your own device (BYOD) mobile laptops.
This feature uses virtualization technology to open links clicked while browsing the Internet or checking the email in a sandboxed environment (an isolated environment to test or analyze software in a protected environment) to keep malicious script out of user’s network and devices.
In its very first avatar, Application Guard will only be available for Edge browser, since the majority of the attacks start in the browser. As such, this level of protection assumes much importance. This feature will become a part of Microsoft Edge and will be available on Windows 10 somewhere in 2017, and until then, it is will be tried and tested with members of the Windows Insiders program.
Th older systems may not be able to keep up with this development, and so possibly this is one of the reasons why Microsoft insists that the Silicon support policy for Windows 10 should back virtualization support in Windows Defender Application Guard.
From the above, it is clear that Edge browser might not necessarily be the most feature-rich browser, but that doesn’t dampen the spirit of its developers to make it the most secure browser.
Let us take a look at Windows Defender Application Guard and uncover some of its prominent features.
Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can’t get to your enterprise data.
Keeping in view the latest developments where many business establishments worldwide have come under direct security threat, this new layer of defense-in-depth protection offered by Windows Defender Application Guard is welcome.
It is an established fact that over 90% of attacks are initiated via a hyperlink, designed specifically to:
So, initially, a corrupt email often under the guise of legitimate authority in the company, may request the employee to click a link to read a supposedly important document.
The link is specially crafted to install malware on the user’s machine. Once a connection is established on that computer, the attackers can easily steal credentials and look for vulnerabilities in other computers on the same network.
With virtualization technology supported in Windows Defender Application Guard, such potential threats are not only identified and segregated from the network and the system but also removed completely when the container is closed.
Secondly, when an employee browses to a site that is not trusted by the network administrator, Application Guard jumps into action and silently removes the potential threat. As shown in the image below outlined in red, Application Guard creates a new instance of Windows at the hardware layer, with a completely different copy of the kernel. The underlying hardware (Windows Defender Application Guard) enforces that this separate copy of Windows has no access to the user’s normal operating environment which includes access to memory, local storage, other installed applications and corporate network endpoints.
In-depth defense for Enterprise
Windows Defender Application Guard is capable of offering its customers a trouble-free browsing experience by protecting enterprise systems from advanced attacks that try to seek an entry to the network and devices via the Internet. It even has a definite plan of action when malicious code manages to enter the network. The ingenious tool silently coordinates with Microsoft Edge to open that site in a temporary and isolated copy of Windows. In this case, even if the attacker’s code is successful in attempting to exploit the browser, the attacker finds their code running in a clean environment with no interesting data, no access to any user credentials, and no access to other endpoints on the corporate network. The attack thus loses its prominence and invariably gets disrupted.
Soon after the browsing session is complete, the temporary container is thrown away, alongside the malware. All this happens in a quick succession and the user does not even get a hint of attack having taken place. After deletion, a fresh new container is created for future browsing sessions.
Web developers and Application Guard
The news that brings much joy for the web developers is that they do not need to do anything different or new with their site code – Microsoft Edge renders sites in Application Guard fundamentally the same way it does in the host version of Windows. There is no essential requirement of detecting malicious code when Microsoft Edge is running in this mode, nor any need to account for behavior differences. Since this temporary container is destroyed when the user is done, there is no existence of cookies or local storage when the user is finished.
In addition to this, Microsoft made other security announcements like Windows Defender Advanced Threat Protection (WDATP) and Office 365 ATP now having the capacity to mutually share intelligence and assist IT professionals in investigating and responding to security threats across both Windows 10 and Office 365 in a timely manner.
Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP since then. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.