With Device Guard, Credential Guard, and Application Guard, Windows uses virtualization to provide unprecedented protection from malware and advanced persistent threats.

Three years after its debut, Windows 10 is poised to overtake Windows 7 as the most popular version of the Windows operating system. Microsoft introduced virtualization-based security features – namely Device Guard and Credential Guard – in Windows 10, and in subsequent updates, has added other virtualization-based protections to the operating system.

Microsoft tackled the two biggest challenges enterprises face with Windows 10: protecting credentials and protecting the operating system itself from attackers. The Windows Defender Security Center, introduced in 2017, is now called Windows Security and brings anti-malware and threat detection, firewall and network security, application and browser controls, device and account security, and device health under one console. Windows Security shares status information with Microsoft 365 services and interoperates with Windows Defender Advanced Threat Protection, Microsoft’s cloud-based endpoint detection and response service.

Device Guard and Credential Guard remain the two standout security features of Windows 10. Device Guard keeps untrusted code from running at all, including in the kernel, and Credential Guard keeps credentials lifted from one compromised machine from being replayed against the rest of the network. Microsoft has also grouped other virtualization-based protections, such as Windows Defender Application Guard, under the Windows Security umbrella, and Windows Defender Advanced Threat Protection rounds out the analytics available to Windows 10 Enterprise customers. “Clearly, Microsoft thought a lot about the kind of attacks taking place against enterprise customers and is moving security forward by leaps and bounds,” said Ian Trump, a security lead at LogicNow.

Device Guard relies on Windows 10’s virtualization-based security to allow only trusted applications to run on devices. Credential Guard protects corporate identities by isolating them in a hardware-backed virtual environment. Both depend on Virtual Secure Mode, in which the hypervisor runs a small, isolated set of critical Windows services alongside the normal kernel; even an attacker who has compromised the kernel cannot read or tamper with that isolated memory. With Application Guard, Microsoft Edge opens untrusted websites in an isolated Hyper-V container, keeping the host operating system protected from potentially malicious sites. All three features rely on the same hypervisor already used by Hyper-V.

Using hardware-based virtualization to extend whitelisting and protecting credentials was a “brilliant move” by Microsoft, said Chester Wisniewski, senior security strategist for Sophos Canada, an antivirus company.

Apps on lockdown

Device Guard relies on both hardware and software to lock down the machine so that it can run only trusted applications. An application must carry a valid cryptographic signature from a publisher the enterprise has chosen to trust, or from Microsoft if it comes from the Windows Store; anything else is refused. Device Guard assumes that all software is suspicious and relies on the enterprise to decide which is trusted.

Although there have been reports of malware authors stealing certificates to sign malware, the significant majority of malware is unsigned code. Because Device Guard runs only code that matches its code-integrity policy, which normally means code signed by an approved publisher, it refuses unsigned malware outright and so blocks most attacks before any anti-malware scan is needed. The residual risk is signed code that is itself abusable, which is why publisher rules should be kept as narrow as the environment allows.

“It is a great way to protect against zero-day attacks that make it by anti-malware defenses,” Trump said.
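The procedure an administrator follows to build such a policy, as an added PowerShell example that is not from the article or from Microsoft's documentation: it first lists the binaries under a reference path that would fail a signature-based rule, then uses the ConfigCI cmdlets that ship with Windows 10 Enterprise to generate a Device Guard (Windows Defender Application Control) policy from that path, puts it in audit mode, and compiles it to the binary the kernel loads. The scan path, file names and the choice of Publisher level with hash fallback are assumptions for this example; run it elevated.

```powershell
# Added example (not from the article): inventory binary signatures on a
# reference machine, then build a Device Guard / WDAC code-integrity policy
# from it in audit mode. Requires the ConfigCI module (Windows 10 Enterprise)
# and an elevated prompt. $ScanPath and output names are assumptions.

$ScanPath  = 'C:\Program Files'
$PolicyXml = "$env:TEMP\DeviceGuardPolicy.xml"
$PolicyBin = "$env:TEMP\SIPolicy.p7b"

# 1. Show which executables would fail a signature-based policy.
#    Status NotSigned is exactly what Device Guard refuses to run.
Get-ChildItem -Path $ScanPath -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Status    = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
        }
    } |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -AutoSize

# 2. Create the policy from the reference install. -Level Publisher trusts the
#    signing publisher rather than each file; -Fallback Hash pins any unsigned
#    file found during the scan by its hash instead of aborting on it;
#    -UserPEs includes user-mode binaries, not only drivers.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs -ScanPath $ScanPath

# 3. Start in audit mode (rule option 3): code that violates the policy is
#    logged to Microsoft-Windows-CodeIntegrity/Operational, not blocked.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 4. Compile the XML into the binary form the kernel loads, then deploy it.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
# Copy-Item $PolicyBin "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"   # then reboot

# 5. Review what audit mode would have blocked (event 3076 = audit,
#    3077 = enforced block). When the list is clean, delete option 3,
#    recompile and redeploy to switch to enforcement.
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 20 |
    Where-Object Id -in 3076, 3077 |
    Select-Object TimeCreated, Id, Message
```

Audit mode is the step most often skipped: deploying an enforced policy built from one reference machine will block line-of-business tools present only on other machines, and since the policy governs kernel as well as user-mode code, a bad rule can leave a device unbootable. The event log from audit mode is the evidence that the publisher list is complete before the policy is enforced.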

Isolating secrets

Credential Guard may not be as exciting as Device Guard, but it addresses an important facet of enterprise security: it keeps domain credentials in an isolated process inside Virtual Secure Mode, a region of memory the hypervisor walls off from both the kernel and user-mode Windows. Even if the machine is compromised, an attacker with full administrative rights cannot read the hashes and Kerberos tickets needed to reuse those credentials elsewhere. The attacker can still act as the logged-on user on that machine while the session lasts, and local accounts are not covered, so Credential Guard limits the blast radius of a compromise rather than preventing it.
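Whether Credential Guard is actually running, as opposed to merely configured, is something the platform reports, and the check is worth scripting because a missing prerequisite (UEFI, Secure Boot, virtualization extensions with SLAT) silently leaves it configured but inactive. The following PowerShell is an added example, not from the article: it reads the DeviceGuard WMI class and looks for the isolated LSA process, and a second function writes the registry values that the "Turn On Virtualization Based Security" Group Policy sets. The function names are this example's own; run it elevated on Windows 10 Enterprise.

```powershell
# Added example (not from the article): report whether virtualization-based
# security and Credential Guard are really running, and show the registry
# settings that turn Credential Guard on. Run elevated; a reboot is needed
# before any change takes effect. Function names are this example's own.

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports what VBS is configured to do and what it is
    # actually doing after boot; the two differ when hardware prerequisites
    # (UEFI, Secure Boot, VT-x/AMD-V with SLAT, ideally a TPM) are missing.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Disabled' }
        1 { 'Enabled, not running' }
        2 { 'Running' }
    }

    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI (memory integrity)
    [pscustomobject]@{
        VbsStatus              = $vbs
        CredentialGuardRunning = $dg.SecurityServicesRunning -contains 1
        HvciRunning            = $dg.SecurityServicesRunning -contains 2
        # LsaIso.exe is the isolated LSA trustlet that holds the secrets inside
        # VSM; when Credential Guard is running it exists next to lsass.exe.
        LsaIsoProcess          = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

function Enable-CredentialGuardViaRegistry {
    # Same values the Group Policy "Turn On Virtualization Based Security" writes.
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null

    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA protection
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock.
    # Prefer 1: with the lock, malware running as admin cannot switch it off
    # remotely; removing it later requires physical presence at the console.
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value 1 -Type DWord
}

Get-CredentialGuardState | Format-List
```

If the report shows VBS running but CredentialGuardRunning false, the usual cause is that the machine is not domain-joined or LsaCfgFlags was never set; if VBS itself is not running, check the firmware settings before touching the registry again.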

Advanced persistent attacks rely on the ability to steal domain and user credentials to move laterally across the network and access other computers. Typically, when a user logs into a computer, the derived credentials (password hashes and Kerberos tickets) are held in the memory of the Local Security Authority process, where anyone who gains administrative rights on that machine can read them. Previous ve