All the Guards–Part 9

This article is a part of a series. The previous article can be found here:

All the Guards – Part 8 DMA Guard

In this article I’m going to focus on the next component, which is:

Control Flow Guard

Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows.

An administrator or user cannot configure Control Flow Guard. It is something that a developer must do inside their code. It is however something they can take advantage of in Windows 10:

Control Flow Guard

Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG.

That bring us to the end of all the ‘Guards’ that I can find out there from Microsoft. I’ll provide a summary of all of this information in the final part of the series::

Summary of all the Guards

All the Guards–Part 8

This article is a part of a series. The previous article can be found here:

All the Guards – Part 7 Exploit Guard

In this article I’m going to focus on the next component, which is:

DMA Guard

In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (e.g., Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (e.g., M.2 slots)


Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.


This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.

Kernel DMA Protection requires UEFI firmware support, however, it does not require Virtualization Based Security (VBS). Systems running Windows 10 version 1803 or above that do support Kernel DMA protection do have this security feature enabled automatically without the need for any configuration.

image

To verify DMA Guard is running on your system, look at the Windows System information. Locate the setting for Kernel DMA Protection as shown above.

In host cases, with a modern Windows 10 device DMA guard should be automatically enabled. You can use policies to further control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. However, this won;t be covered here.

Next up:

Control Flow Guard

Reflecting on crossing the 3,000 posts mark

image

I thought I’d take a moment and reflect on the fact that this blog, in its current incarnation, has just crossed a milestone of 3,000 posts.

First and foremost I’d like to thank those who do subscribe and follow this blog on a regular basis. It is always very satisfying to know that others see value in the work that you provide.

That said, I will say that the major reason I invest time writing this blog is for myself. For me it serves two major purposes. Firstly, it is a way for me to document things that I have done and reinforce my learning. Secondly, it is a communications practice. I consider that to be a:

Core Professional Skill

Another side benefit I believe of investing time in writing a blog is that it becomes a:

Living resume

That you can point to as your commitment to your profession.

Blogging for business

I have always admired the consistency of content that Seth Godin creates on his blog and I really like this recommendation he makes about blogging:

Seth Godin and Tom Peters on blogging

and I totally agree with the analysis of the value of blogging professionally and personally.

Although the earliest post here is from July 2007, in truth, this blog has been going for longer. If my memory serves me correctly, I started it back in the 2005 timeframe on a dedicated server box using dedicated software that published my musing to an internal web server that I made available to the world. Back then the whole blogging process was very complex to manage and maintain but I kept at it.

A little while down the track I shift the blog to an internal SharePoint server, which I again published to the world. After a while that too became hard to maintain and began to fill up with blog spam comments. Who’d though eh? At that point I shift the platform to Google Blogger where it remained for many years. That was until about 2 years ago when Google changed their API for Blogger and I could no longer post images on my blogs using Open Live Writer. I therefore migrated the blog to its current home here on WordPress and have been very happy with the platform.

Over the years I have experimented with monetising my content using ads but found that it largely distracted from the content I was creating. It also made the site look and feel ‘cheap’ to me. Thus, I no longer publish ads to the blog, although with more than 3,000 posts there might be some handy income available. The only ‘monetization’ I do have on my blog are crypto tip jars:

bitcoin:bc1qwgcr296c7rtjvlpkv9yy5033qjgwwrvttxhtm7

ethereum:0xD7cc991E1f84B625C3723D2965C9948238F5DFe8

and to my knowledge, I’ve never received a payment. That isn’t an issue because, as I said, I write this blog mainly for myself, however the tip jars are there as an experiment to see whether they in fact will get used. As yet, they haven’t, but they’ll stay there in the hope that one day they might because I like the concept of being able to quickly and easily ‘tip’ people for the content they create on the web via micropayments. Trying to monetise blog content is far to hard using traditional means, so that is why the crypto tip jars exist. However, I fully appreciate that until cryptocurrency becomes more wide spread that I’ll probably never see anything. That is fine, because everything you see here is an on going ‘experiment’.

I’ve always tried to be consistent with my blog and create content regularly. Of course, that has varied over time as work and life gets in the way. Sometime too, I will readily admit, that blogging can be a chore. Luckily, those situation haven’t lasted long and I feel I’ve been disciplined to continue to create content regularly, and as I said earlier, be able to create a growing body of work that demonstrates a commitment to my profession.

Apart from consistency, another important aspect of blogging is personality. I am not a fan of blogs that ‘re-purpose’ content to re-brand and claim as their own. As Seth’s video illustrates, you don’t have to be ‘good’ at it, you just keep doing it and you’ll get better at it. However, as with most things on the Internet, too many see it as a ‘short cut’ to fame fortune and getting rich quick. To me, your blog needs to come from you. It should be things that you learned, observed and desire to share with others. I cannot tell you the number of times I have read other blogs that have helped me trying to solve some curly challenge. If what I have worked out can help another, that is the way that I pay it forward. To me, that was the promise of the Internet that has unfortunately largely been lost in its drive to commercialism. Nostalgic? Maybe. Luckily, blogging is still going strong and one mechanism that anyone can use to express themselves to a world wide audience.

I have shared many of my thoughts and opinions on business and technology via this blog. The process of actually writing these makes you stop and think about them It makes you craft better arguments, given the audience could be anyone, anywhere. It is also fun to look back at such post, through the lens time and reflect on how they actually turned out as well whether the situation today is different. History can teach us many things, and having your own can be humbling as well as it can be uplifting.

I’ll finish off where I started, thanking those who make the time to read what I write here. I’m always keen to hear from those who do so and I’d encourage you to reach out and if nothing else, just say hi. Knowing that others are finding value from what you create always helps when sometimes you wonder why you bother doing what you do.

The plan is continue doing what I do here. The more I learn, the more I write and as you can see, over the past 3,000 posts, I have learned a lot thanks largely to the technology profession I am engage in. However, no matter who you are or what you do, I encourage you to start a blog and stick with it. I’m confident, that like me, if you stick with it, you too will see benefits like I have.

Power Platform Community Monthly Webinar – September 2021

image

Join us for our first Power Platform Community webinar. The idea behind these is to share the latest news and event about the Microsoft Power Platform as well as share some of the things that we have learned recently in the hope that it can help others.

There’ll be 3 major presenters:

Andrew Gallagher

Bill Mallet

Yeoman Yu

who’ll share their knowledge, answer any questions you may have and then provide a tutorial into using Microsoft Forms as a trigger for Power Automate.

Come and join us by registering here:

https://bit.ly/ppc0921

If you wish to join our community and be part of the regular discussion and participation on the Microsoft Power Platform you can join via:

CIAOPS Patron

(look for the Power Platform option here to join us).

We look forward to seeing you on the webinar.

All the Guards–Part 7

This article is a part of a series. The previous article can be found here:

All the Guards – Part 6 (Application Guard)

In this article I’m going to focus on the next component, which is:

Exploit Guard

The four components of Windows Defender Exploit Guard are designed to lock down the device against a wide variety of attack vectors and block behaviours commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements.

These four components are:

The four components of Windows Defender Exploit Guard are:

  • Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
  • Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
  • Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
  • Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

More details can be found here:

Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware

Typically you use Microsoft Endpoint Manager to:

Create and deploy Exploit Guard policy

but there are other methods as I have detailed here for

Attack Surface Reduction (ASR)

Windows Defender Exploit Guard is one of the best ways that you can minimise the risk of malware infection on Windows 10 devices and as such, should be enabled across all such devices in your fleet.

The next article will look at:

DMA Guard

All the Guards–Part 6

This article is a part of a series. The previous article can be found here:

All the Guards – Part 5 (Credential Guard)

In this article I’m going to focus on the next component, which is:

Application Guard

For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container.


For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can’t get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can’t get to your employee’s enterprise credentials.

Hardware isolation diagram

In essence, Application Guard provides an sandbox to use with your browser and Office. Untrusted web sites and documents are open in this sandbox to provide isolation from the rest of the system for security. You can implement Application Guard on both Windows 10 Pro and Enterprise out of the box as well as with Edge and other common browsers.

You can read about the specific:

System Requirements for Microsoft Defender Application Guard

but in essence you’ll need the

Virtualization Based Security (VBS)

configured prior.

There are various ways to enable Application Guard and you’ll find these here:

Prepare to install Microsoft Defender Application Guard

Windows Features, turning on Microsoft Defender Application Guard

However, the easiest way is to enable Application Guard is by adding the Microsoft Defender Application Guard feature to Windows from the Control Panel as shown above.

If you are an administrator then you will also want to take a look at:

Application Guard for admins

Remember there is Application Guard for Edge and for Office:

Application Guard for Office

However, to use the Office version you’ll currently need Microsoft 365 E5.

Getting Application Guard to work as expected can be a tricky endeavour because it relies on things like Network Boundaries to define trusted and untrusted sites, which are determined by policy configurations. For all this, I suggest you take a look at my earlier article:

Getting Windows Defender Application Guard (WDAG) working

That article will also show you how to use the:

Windows Defender Application Guard Companion

which is really handy if you want to run Application Guard manually, which you’ll typically have to do unless you are using Windows 10 Enterprise.

Another handy resource is:

Frequently asked questions – Microsoft Defender Application Guard

To test your environment see:

Application Guard testing scenarios

Finally, here is a nice overall summary guide:

Windows 10 – All things about Application Guard

which importantly, provides the following troubleshooting tips:

  • To reset (clean up) a container and clear persistent data inside the container:
    • 1.  Open a command-line program and navigate to Windows/System32.
      2. Type wdagtool.exe cleanup. The container environment is reset, retaining only the employee-generated data.
      3. Type wdagtool.exe cleanup RESET_PERSISTENCE_LAYER. The container environment is reset, including discarding all employee-generated data.

Window Defender Application Guard is a great way to provide a sandbox for your browser as well as Office documents. The main limitation is that many of the automated features are only available if you are using Windows 10 Enterprise but that doesn’t stop you adopting Application Guard for your environment I would suggest, as any impact can easily be minimised for Windows 10 Pro environments.

Next up will be:

Exploit Guard

Need to Know podcast–Episode 272

In this episode MVP Kirsty McGrath shares her best practices and tips and tricks around delivering successful online learning. Note, we did have some technical issues with this episode, so it might sound a little different from what it normally does but don’t let that stop you from listening along to all the great material. I also give a quick update at head of the show, for everything happening with the Microsoft Cloud.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by www.ciaopspatron.com

ake a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-272-kirsty-mcgrath/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Kirsty McGrath – MVP, Twitter, Linkedin, Web, Sydney UG, Melbourne UG, Instagram

New pricing for Microsoft 365

Securing your Windows 365 Cloud PCs

Get started with Universal Print and Windows 365 Cloud PC

Welcome to the brand new Windows 365 Community!

Get Ready to Do More with Teams Meeting Recordings in Microsoft 365!

Microsoft Security Technical Content Library

Super Duper Secure Mode

Whitepaper-Transitioning-Asia-to-a-New-Normal-of-Work.pdf (microsoft.com)

Adapting workplace learning in the time of coronavirus (mckinsey.com)

https://www.howspace.com/resources/hybrid-learning-model

https://news.griffith.edu.au/2020/10/28/hybrid-remote-learning-models-still-needed-post-pandemic/

Richard E. Mayer – Wikipedia

https://www.youtube.com/watch?v=VD4oJGAgoMQ

https://www.wgu.edu/blog/what-is-cognitive-learning2003.html#close

Why Webinar Attendees Leave Early – a 1080 Group, LLC survey brief (thevirtualpresenter.com)

Hybrid Learning Transition Approaches | Microsoft Education

Live Online Learning Facilitator – The LPI