Preventing browser-based attacks with Windows Defender Application Guard


Coming up: We take a look at Windows Defender Application Guard, a new capability coming to Windows 10 Creators Update this fall to prevent browser-based attacks. I'll show you the user experience in Microsoft Edge when navigating to untrusted and trusted sites, how Windows Defender Application Guard leverages virtualization and Hyper-V to isolate the running processes from Windows, and how you can deploy and configure Application Guard in your organization.

With Windows 10, we've considered the most common attacks against enterprises that we see today in the wild, from pre-breach defenses to post-breach containment. 90% of typical attacks come through phishing via links or malicious attachments in email, as well as watering hole attacks from sites that drop malicious payloads onto your machine. Attackers are moving down the stack. Historically they focused on application-based attacks, so as Microsoft has invested in built-in defenses such as application containers to make user mode attacks more difficult, attackers are now focusing more on the kernel. Kernel-level exploits aim to gain system-level access, and we want to stop those attacks in their tracks.

Windows Application Guard is a pre-breach defense that is part of the Windows security stack's threat resistance. It's designed to stop these attacks and prevent data theft, espionage and ransomware from affecting your organization.

Let me walk you through a scenario of a typical attack where Application Guard is not present. Here a user receives an email. Because it looks legitimate, they click on it. Even though it's from an untrusted source, it's still loaded and looks fine to the user. The goal of the attacker is to exploit the PC before the user realizes they are attacked. They are redirected to a legitimate website, but in reality it contained a dangerous exploit. You might not have noticed what happened, but if we play the page load back in slow motion and focus on the address bar, you'll notice the URL redirecting from the attacker website.

Now let me show you the same attack with Application Guard protecting the PC. Here the site opens with Microsoft Edge, and you can see that Application Guard is enabled here on the left. Same as before, the exploit runs, but it's isolated in a container and the host machine is protected. That's because Edge is running in a Hyper-V based container that is isolated from the host kernel and user mode in the PC, which neutralizes the exploit. All the processes executing in Edge are located in a container that is not connected to the host. Anything that runs in the container stays in the container. The container is also blocked from accessing internal network resources, adding an additional layer of defense. Because we use container technology, we can leverage a much smaller footprint than a full virtual machine.

There are two ways that Application Guard can be launched. The first way is for the user to launch Application Guard from the Edge menu, like you would do for InPrivate browsing. Once you see the orange Application Guard label in the upper left corner of the Edge browser, you know that you're browsing in isolation. Users can access Edge features such as printing and clipboard in Application Guard just like you can do on the host, all of which can be controlled using Group Policy. The second way is what we call enterprise mode, like we just saw. This mode is where the administrator has configured management policy to automatically open untrusted sites in Application Guard. As we can see here, the administrator has enabled Application Guard in enterprise mode. Enterprise mode is available in Windows 10 Enterprise, and with this enabled, untrusted sites will always open with Edge and Application Guard.

In the enterprise you can enable enterprise mode via Group Policy, Configuration Manager or Intune. Each can configure the settings required to enable Application Guard for your managed PCs. Here I have Group Policy Editor open, and you can see the policies I need to configure under Administrative Templates, Windows Components. Here I can enable Application Guard and configure clipboard and print settings. To configure what sites are allowed to open in Edge on the host OS, you add them in Administrative Templates under Network Isolation policy. From here you'll configure the following policies: trusted sites, private network ranges for apps, domains categorized as both work and personal, and enterprise resource domains hosted in the cloud.

Application Guard is a hardware-based endpoint defense. It's the last and most powerful line of defense to protect your business. It complements technologies like Office 365 or Windows Advanced Threat Protection, and detected exploits are passed to those services. In addition, Application Guard has integration with Windows Defender ATP, which allows the container to send ATP events to Windows Defender Security Center to help detect current attacks as well as contain future attacks on other systems. If an attack is detected, the details will be reported in the Windows Defender Security Center console, as shown here.

So that was a quick tour of Windows Defender Application Guard, a new capability coming to Windows 10 Creators Update this fall. You can try it for yourself by enrolling in Windows Insiders. Thanks for watching Microsoft Mechanics, www.microsoft.com/mechanics.
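The deployment steps described in the video (enable the Application Guard feature, turn on enterprise mode, set the clipboard and print policies, and populate the Network Isolation lists that decide which sites may open in Edge on the host) leave an administrator wanting a quick way to audit a PC after Group Policy, Configuration Manager or Intune has applied them. The script below is an added example written for this page, not code from the video or from Microsoft. It assumes the Windows optional feature name Windows-Defender-ApplicationGuard and the registry locations under HKLM:\SOFTWARE\Policies where the Application Guard and Network Isolation administrative templates write their values; verify both against the ADMX files shipped with your build before relying on the result.

```powershell
# Added example (not from the Microsoft Mechanics video): audit the Application Guard
# deployment state of a Windows 10 PC from an elevated PowerShell session.
# Assumptions to verify against the ADMX templates in your build:
#   - optional feature name:     Windows-Defender-ApplicationGuard
#   - Application Guard policy:  HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI
#   - Network Isolation policy:  HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation
#Requires -RunAsAdministrator

$WdagPolicyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
$NetIsoPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'

function Get-PolicyValue {
    # Return $null instead of throwing when a policy has never been configured,
    # so a missing value shows up as a finding rather than a script error.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-AppGuardStatus {
    # Feature state comes from the servicing stack; policy values come from the
    # registry keys that Group Policy / MDM write. Both are needed for enterprise mode.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'

    [pscustomobject]@{
        FeatureState     = $feature.State                                        # Enabled / Disabled
        AppGuardEnabled  = Get-PolicyValue $WdagPolicyPath 'AllowAppHVSI_ProviderSet' # 1 = on for Edge
        ClipboardSetting = Get-PolicyValue $WdagPolicyPath 'AppHVSIClipboardSettings'
        PrintingSetting  = Get-PolicyValue $WdagPolicyPath 'AppHVSIPrintingSettings'
        # Network Isolation lists: sites on these lists open in Edge on the host,
        # everything else opens in the Application Guard container.
        CloudResources   = Get-PolicyValue $NetIsoPolicyPath 'EnterpriseCloudResources'
        NeutralResources = Get-PolicyValue $NetIsoPolicyPath 'NeutralResources'
        PrivateIPRanges  = Get-PolicyValue $NetIsoPolicyPath 'EnterpriseIPRange'
    }
}

function Test-AppGuardEnterpriseMode {
    # Produce a list of findings; an empty list means enterprise mode is fully configured.
    param([pscustomobject]$Status = (Get-AppGuardStatus))
    $findings = @()

    if ($Status.FeatureState -ne 'Enabled') {
        $findings += 'Windows-Defender-ApplicationGuard feature is not enabled (Hyper-V container cannot start).'
    }
    if ($Status.AppGuardEnabled -ne 1) {
        $findings += 'Application Guard is not turned on by policy; users may still launch it manually from the Edge menu only if the feature is enabled.'
    }
    # Without trusted-site lists there is no definition of "trusted", so every site,
    # including internal ones, would be treated as untrusted.
    if (-not $Status.CloudResources -and -not $Status.NeutralResources -and -not $Status.PrivateIPRanges) {
        $findings += 'No Network Isolation lists configured; Edge has no way to tell trusted sites from untrusted ones.'
    }
    # Clipboard and print are allowed by default once Application Guard is on; an unset
    # value means data can leave the container unless the policy is set explicitly.
    if ($null -eq $Status.ClipboardSetting) { $findings += 'Clipboard policy not set; review whether copy/paste out of the container should be restricted.' }
    if ($null -eq $Status.PrintingSetting)  { $findings += 'Printing policy not set; review whether printing from the container should be restricted.' }

    return $findings
}

# Usage: show the raw state, then any gaps that need attention.
$status = Get-AppGuardStatus
$status | Format-List
$gaps = Test-AppGuardEnterpriseMode -Status $status
if ($gaps.Count -eq 0) { 'Application Guard enterprise mode is configured.' } else { $gaps }
```

Run this in the same elevated session you would use for `gpresult`, after a `gpupdate /force`, so the registry reflects the policy you just pushed. The checks intentionally stop at configuration: whether the container actually launches for an untrusted URL is something to confirm by opening a site that is not on any of the Network Isolation lists and watching for the orange Application Guard label the video describes.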