Making Microsoft Edge the most secure browser with Windows Defender Application Guard

Discussion in 'Microsoft' started by MalwareTips Bot, Oct 23, 2017.

  1. MalwareTips Bot (MT Robot, Staff Member, Content Creator)

    Innovation in the attack space is constant as adversaries increase in both determination and sophistication. In response to increased investments in defense, attackers are adapting and improving tactics at breakneck speed. The good news is that defenders are also innovating and disrupting long reliable attack methods with new technologies. In Windows 10 we’re not just delivering tit for tat point solutions for the latest attacks; instead we’re looking closely at the root causes and are transforming the platform such that we can eradicate entire classes of attacks. Some of the most impactful improvements will come by way of attack surface area reduction and architectural change. One example of these kinds of disruptive approaches can be found in Windows Defender Application Guard (WDAG).


    WDAG introduces a slimmed down version of the Hyper-V virtualization technology to bring Azure cloud-grade isolation and security segmentation to Windows applications with Microsoft Edge. WDAG for Microsoft Edge is the strongest form of isolation today, and now with the recently released Windows 10 version 1709, also known as the Fall Creators Update, users of Windows 10 Enterprise can run the Microsoft Edge browser in a fully isolated hardware environment. Doing so provides the highest level of protection against zero-day exploits, unpatched vulnerabilities, and web-based malware. The WDAG container provides a temporary, contained environment for users to experience the Internet. The ability to refresh the container when a user logs off means malware does not have a place to persist.

    Threat landscape


    In recent years, software isolation of commonly attacked applications such as browsers and document readers have become ubiquitous. Software isolation seeks to contain the damage in the event an application is successfully compromised by an exploit. When sandboxes are in place, malicious code delivered by a successful application exploit is restricted from accessing data and resources on the host operating system, which prevents attacks from performing lateral movement or exfiltrating sensitive information.

    Attackers have adapted their tactics rapidly in response to widespread sandboxing by shifting their attention to kernel attacks. In most software sandboxes, the kernel attack surface is left unrestricted, providing attackers who have achieved code execution within a sandboxed app the opportunity to "escape" and escalate the attack. This growing trend is evidenced by the data collected by Microsoft threat analysts on the number of known kernel exploits for Windows.

    [Figure: Number of kernel exploits by year collected by Microsoft]

    The sharp increase in recent years is attributed to attackers leveraging kernel exploits to escape software sandboxes. Security-conscious enterprises can augment Microsoft Edge's top-level exploit mitigation and isolation features with an additional layer of kernel protection provided by Windows Defender Application Guard for Microsoft Edge.

    Virtualization-based isolation


    Microsoft has moved to counter the increase in kernel attacks through a major technological breakthrough in sandbox technology. Leveraging the power of hardware-supported virtualization technology, Windows Defender Application Guard creates what can be thought of as a "miniature" version of the parent Windows OS to host Microsoft Edge when browsing the untrusted internet. In the event that a user clicks a link or visits a site containing a full exploit chain, the container "guest" kernel is fully isolated from the host machine that contains the sensitive or enterprise data and enterprise credentials. This means even a zero-day kernel exploit will only result in a container compromise, which means that user data, apps, the organization's network, and the rest of the OS can remain secure. The container will be disposed of, removing all traces of the attack when the user logs off.

    This isolation breakthrough was achieved by creating a new form of container technology that safely shares resources between a guest container and the parent OS. Unlike a standard virtual machine, the WDAG container technology securely shares DLLs, executables, and other operating system resources between the guest and host, minimizing the resources needed to create a WDAG VM. As a result, the unique disk footprint of the WDAG container image is an incredible 18 megabytes! In addition, the Windows operating system has been "enlightened" with full support for WDAG container apps, which includes the ability to suspend or deprioritize the container when not in use, helping to preserve battery life and make the experience of using a container app comparable to a native app. Core operating system functions like language settings, accessibility, and many other features all work across the container, making the advanced security provided by WDAG nearly transparent to the user.


    Security is paramount to the value proposition for the WDAG container technology, so the Microsoft Offensive Security Research (OSR) and Windows Security Assurance (SA) teams partnered with the WDAG engineering team to build the technology securely from the ground up. The benefits of this partnership had a dramatic impact on WDAG and the security promise we were ultimately able to make with it. The process we used will be detailed at the upcoming Microsoft BlueHat Conference, as we think it represents a powerful model for future security-related research and development here at Microsoft. With WDAG now shipping, the effort to better secure it will continue; WDAG is continuously reviewed with a standing WDAG security bug bounty with payouts of up to $250K for discovery of issues affecting the hypervisor that it is built upon.

    So in a nutshell, WDAG offers VM-grade isolation at significantly lower system resources and user experience cost.

    WDAG management and Windows Defender ATP integration


    User experience and isolation customizations are some of the most commonly discussed topics when we talk about isolation based security solutions. Windows Defender Application Guard offers several policies to let organizations customize the user experience and security policies based on the enterprise risk profile and security posture.

    The most critical policy from a trust decision perspective is the network isolation policy that defines which URLs or network locations are not managed or explicitly trusted by an enterprise and thus will open in the isolated container environment, versus those that will open in the native host browser. WDAG makes this simple to manage with options for IP- and host-based policy definitions. This policy is also shared across security features such as Windows Information Protection, where it is used to protect against enterprise data leakage.

    Clipboard and print policies control user-initiated data exchange between the Windows 10 host and the WDAG container. The persistence policy determines whether WDAG should discard all user-generated session data (cookies, downloaded files, temporary Internet files, etc.) on container recycle or preserve it for later use in the container.

    For more details on the WDAG policies, please refer to product documentation.

    [Figure: Windows Defender Application Guard Management Options]

    For customers of Windows Defender ATP and Microsoft 365, WDAG offers deep integration with WDATP's post-breach and EDR capabilities. This is an important integration point, as it gives WDAG customers a view into any malicious attacks that have been prevented and isolated within the container and enables further remediation and defensive actions across Windows' multiple layers of security.

    The WDATP team has developed a full range of container-specific indicators of attack (IOAs) that are capable of detecting browser and kernel compromises. We recently demonstrated some of these capabilities in a Microsoft Mechanics session that highlights the power of WDAG + WDATP as the pre- and post-breach solutions in a synthetic zero-day attack scenario:

    [Figure: Windows Defender ATP console showing WDAG container events]

    Windows Defender ATP users benefit from an investigation experience that combines events from the container and host into a unified timeline while still allowing container-specific investigation through visual cues and event filtering.

    The combination of the pre-breach isolation capability of WDAG and the deep investigation and analytics provided by Windows Defender ATP can provide customers with a robust defense even against the most sophisticated apex attackers.

    Conclusion


    Windows Defender Application Guard provides an additional hardware isolation-level capability on top of Microsoft Edge’s formidable exploit mitigation and sandbox features. This was enabled by engineering hardware container-based isolation capabilities into the Windows core. WDAG provides a near-native user experience with low resource consumption, deep OS enlightenment, and moderate hardware requirements. Enterprises deploying the Fall Creators Update can immediately deploy WDAG and enjoy the benefits of world-class hardware-rooted security that has enabled Microsoft Edge to become the most secure browser for enterprises.



    David Weston (@dwizzzleMSFT)

    Principal Group Manager, Windows & Devices Group, Security & Enterprise



    Learn more about Windows 10 Fall Creators Update


    Microsoft 365 Security and Management Features Available in Fall Creators Update

    Windows Defender Exploit Guard: Reducing the attack surface with next-generation host intrusion prevention

    Stopping ransomware where it counts: Protecting your data with Controlled folder access

    Making Microsoft Edge the most secure browser with Windows Defender Application Guard

    Introducing Windows Defender Application Control

    Hardening the system and maintaining integrity with Windows Defender System Guard

    Move away from passwords, deploy Windows Hello. Today!

    What’s new in Windows Defender ATP Fall Creators Update

    Antivirus evolved





    Talk to us


    Questions, concerns, or insights on this story? Join discussions at the Microsoft community.

    Follow us on Twitter @MMPC and Facebook Microsoft Malware Protection Center

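The network isolation policy described in the post above decides, per navigation, whether a URL is explicitly trusted by the enterprise (host- or IP-based definitions, opened in the host browser) or untrusted (opened in the container). The following is an added example that models that trust decision as a small function; it is not Microsoft's code or the product's actual matching logic. The policy field names, the leading-dot suffix convention, the handling of "neutral" resources that stay on whichever side started the navigation, and every sample domain, address and URL are constructed assumptions for illustration.

```python
"""Model of a WDAG-style network isolation decision.

Added example, not Microsoft's implementation. The policy fields, the
leading-dot suffix rule and the sample inputs below are constructed
assumptions that mirror the documented idea: explicitly trusted enterprise
locations open on the host, everything else opens in the container.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List
from urllib.parse import urlsplit


@dataclass
class IsolationPolicy:
    # Hostnames the enterprise manages. A leading dot ("." + domain) matches the
    # domain itself and every subdomain; a bare name matches exactly.
    enterprise_domains: List[str] = field(default_factory=list)
    # Enterprise IP ranges in CIDR notation; IP-literal URLs inside them are trusted.
    enterprise_ip_ranges: List[str] = field(default_factory=list)
    # Resources used by both work and personal sites (e.g. a shared sign-in
    # service); they stay on whichever side the navigation started from.
    neutral_domains: List[str] = field(default_factory=list)


def _host_matches(host: str, patterns: List[str]) -> bool:
    """Exact or dot-suffix match, so 'evilcorp.example' never matches '.corp.example'."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def _ip_matches(host: str, ranges: List[str]) -> bool:
    """True if host is an IP literal that falls inside one of the CIDR ranges."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # not an IP literal, so IP ranges do not apply
    return any(addr in ip_network(cidr, strict=False) for cidr in ranges)


def decide(url: str, policy: IsolationPolicy, current: str = "host") -> str:
    """Return "host" or "container": where the navigation to `url` should run.

    `current` is the side the navigation originates from; only neutral
    resources inherit it. Anything not explicitly trusted is untrusted.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    if _host_matches(host, policy.enterprise_domains) or _ip_matches(host, policy.enterprise_ip_ranges):
        return "host"
    if _host_matches(host, policy.neutral_domains):
        return current
    return "container"


# Constructed sample policy (not real enterprise values).
SAMPLE_POLICY = IsolationPolicy(
    enterprise_domains=[".corp.example", "intranet"],
    enterprise_ip_ranges=["10.0.0.0/8", "fd00::/8"],
    neutral_domains=[".login.example"],
)

# Constructed navigations: (url, side the navigation originates from).
SAMPLE_NAVIGATIONS = [
    ("https://hr.corp.example/payroll", "host"),
    ("http://intranet/", "host"),
    ("http://10.4.5.6:8080/app", "host"),
    ("http://[fd00::1]/", "host"),
    ("https://evilcorp.example/", "host"),
    ("https://news.example.org/", "host"),
    ("https://sso.login.example/", "host"),
    ("https://sso.login.example/", "container"),
]


def route_all(policy: IsolationPolicy = SAMPLE_POLICY, navigations=SAMPLE_NAVIGATIONS):
    """Apply the policy to every sample navigation; return (url, origin, target) rows."""
    return [(url, origin, decide(url, policy, origin)) for url, origin in navigations]


if __name__ == "__main__":
    for url, origin, target in route_all():
        print(f"{target:9s} <- {url} (from {origin})")
```

The design point worth noticing is the default: a location is trusted only when it matches an explicit enterprise entry, so a typo or a look-alike domain such as evilcorp.example falls through to the container rather than onto the host, and a suffix rule that required only `endswith("corp.example")` would silently widen the trusted set.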
  2. frogboy (Level 61, Trusted)

    I just cannot see myself using this in the near future. :cool:
     
  3. Deletedmessiah (Level 15)

    Me too. And now with Firefox back in the game, Edge needs to have a lot more improvements for me to consider it.
    I wish they'd open source the Edge engine.
     
  4. Opcode (Level 18, Content Creator)

    In case anyone is wondering, Microsoft Edge is better at preventing WebInject/form-grabber attacks (common technique in banking malware such as Carberp, Kronos, Zeus, SpyEye too if I recall, and other recent banking malware) compared to browsers like Internet Explorer, Google Chrome, Firefox, Opera and Safari (if it is even around anymore).

    Google Chrome has decent Anti-RCE (RCE stands for Remote Code Execution - attacks such as DLL injection); however, they don't seem to verify the loaded DLLs at start-up, thus making it more vulnerable. Microsoft Edge doesn't have this limitation with their Anti-RCE protection.

    I cannot see myself using Microsoft Edge anytime soon because I am a fan of Google Chrome/Firefox due to the speed differences.
  5. kev216 (Level 18, Content Creator, Trusted)

    Nice addition to the browser in terms of security. However, the functionality of Edge is so behind other browsers. I mean still no decent extension catalog and customisation is almost not available... Although this is nice for the security fans, this update is again disappointing.
     
  6. XhenEd (Level 27, Content Creator, Trusted)

    The feature is very tempting, but just like @frogboy and @Deletedmessiah, I don't see myself owning this Enterprise version of Windows 10 in the near future. ;)

    I have AppGuard's MemoryGuard, though, which is like that of Edge's isolation feature. AppGuard is system-wide and covers more applications, too! :cool::cool::cool:
     
  7. Opcode (Level 18, Content Creator)

    Yeah, AppGuard is sufficient enough and it is stable/reliable. You are also a wise user anyway making you a harder target in the first place :)

    This stuff is only for large businesses I'd say, and even then the use probably won't be that prevalent IMO because it will require knowledge and experience to use all of these Enterprise security features... Resulting in people just using third-party software so they can make tweaks more easily, understand what is going on more and diagnose/resolve issues which may arise due to the protection configuration. That is just my opinion.
     
  8. valvaris (Level 2)

    The thing is that Windows Defender Advanced features are only available with a Windows 10 Ent. E5 License. -.-

    Would love to use it but Microsoft just thinks of business customers...

    With AppLocker - Windows Defender ATP - Windows Defender Application Guard - life would be much easier for the normal user. ^^

    Integrated Software with no extra install it is all there. :D

    Windows 10 Licensing | Microsoft Volume Licensing

    Best regards
    Val.
     
  9. Opcode (Level 18, Content Creator)

    I think you'll find that is not the case. A normal user wouldn't know where to start with using the features properly... And even if they did happen to manage to set it up alone, if they run into a problem caused by the configuration, they won't know how to diagnose/fix properly.

    It wasn't designed for normal users.
     
  10. Lockdown (From AppGuard, Developer)

    Tell that to the Admins that have to manage it. The honest ones will tell you it is an obnoxious, undocumented, atrocious mess.

    Ask @Opcode about Microsoft's "undocumented" stuff and what that means to anyone that needs the info.
     
  11. Lockdown (From AppGuard, Developer)

    All Microsoft really wants out of home users is for them to buy stuff through the Windows Store and Xbox.

    That's the whole point of Windows 10. It's a conduit to software sales.
     
  12. Opcode (Level 18, Content Creator), Oct 28, 2017 (last edited Oct 28, 2017)

    Sandboxie and AppContainer do not rely on virtualisation. That doesn't make them insufficient though, they're perfectly fine IMO.

    Windows Defender Application Guard utilises technology built into the hardware on systems which support it (most systems using an Intel processor developed after 2006-2008 are likely to have some form of virtualisation support, and more or less the same boat for AMD) as leverage to create an "isolated" environment which cannot be accessed from within the Host OS. Think of it like running a Virtual Machine without having to install an entirely new Operating System or move into an entirely different environment with a brand new OS installation over the top; you just have the program running within WDAG "isolated" via real virtualisation.

    Since the programs running within WDAG are "isolated" via virtualisation (basically within a Guest environment, inaccessible to software running on the Host environment), external software running from within the main Host environment will be unable to perform data theft on programs protected under the isolated environment - the isolated programs will be inaccessible entirely.
     