The author of the article is Andrey Kaptelin, a member of the IT community.
Device Guard is a set of software and hardware protection technologies available on devices running Windows 10. This article is devoted to one of its components, the Code Integrity (CI) policy. Details of configuring and applying CI can be found here.
Purpose of Device Guard
In the modern world, cyber threats evolve very quickly. Protection technologies no longer keep pace with malware, either in the number of samples or in the widening range of attacks.
Malware has grown from a pastime for lone enthusiasts into organized cybercrime. Automation and the low cost of complex attacks leave even small companies no chance of going unnoticed.

The classic solution rests on three basic conditions: installed updates, an up-to-date antivirus, and the absence of administrative privileges. This is a long-established approach. However, a program that an antivirus considers completely legitimate can perform undesirable actions without exploiting any software vulnerability. From this point of view, every program is a suspect. One can no longer rely on the antivirus signature list, and analyzing the behaviour of every program is rather difficult.
New threats require new security solutions, and Windows 10 already has them. One such solution is to run only approved software. This approach has proved itself on the Windows and Apple mobile platforms: absolutely all software there is checked and carries a digital signature, on the basis of which the device allows it to run. On Windows, this capability is provided by the code integrity checking mechanism, Code Integrity (CI).

Already at computer startup, you can control which software signed with trusted certificates is allowed to run. Then, having a list of your software, you can prevent anything else from starting, and the security problem is solved. The list of trusted certificates that sign your executables is kept in a policy file that the operating system enforces.
But the world of Windows software is very diverse: not every program has a digital signature, and many never will. For these, the Code Integrity mechanism can use catalog files signed with your own certificate: lists of program files and their hashes.
So, to use the new mechanism, you need to create a policy containing the list of trusted certificates and the hashes of unsigned files and, where necessary, supplement it with catalog files for the allowed software.
Device Guard is easiest to use on new or existing workstations with a fixed set of software. It is enough to build a code integrity policy and enable it; after that, nothing else can run on those computers.
It is also possible to create policies for several workstation profiles and merge them into a single policy, which is then assigned to all workstations.
For advanced users who choose and install programs themselves, audit mode is sufficient. The log of launched applications will later help to decide which programs are needed and which are not.
Note that Device Guard with Code Integrity and Virtualization Based Security (VBS) mechanisms is available only in the Windows 10 Enterprise edition.
Configure Code Integrity Policy
Configuring Device Guard with User Mode Code Integrity is the closest to the familiar task of restricting which software may be launched.
To create a Code Integrity policy on a reference computer, you need to take a shadow copy of the disk and then run the scanning cmdlet against it. The shadow copy lets the scan read every file, including those that are open or locked at the time of the scan.
# Create a shadow copy of C: so that the scan can read files that are open or locked
$s1 = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
$s2 = gwmi Win32_ShadowCopy | ? { $_.ID -eq $s1.ShadowID }
# The snapshot device path needs a trailing backslash to be usable as a link target
$d = $s2.DeviceObject + "\"
# Expose the snapshot as the folder C:\scpy
cmd /c mklink /d C:\scpy "$d"
You can scan the resulting disk snapshot, mounted at the C:\scpy folder, with the following cmdlet:
New-CIPolicy -Level PcaCertificate -Fallback Hash -FilePath C:\BasePolicy.xml -ScanPath C:\scpy -UserPEs
This command builds a list of the signers (certificates) found on the reference computer and computes the hashes of the executable files that are not signed. The result is an XML file containing elements such as the following:
<Rule><Option>Enabled:Audit Mode</Option></Rule>
This rule option puts the Code Integrity module into audit mode: launches of executables that do not comply with the policy are only recorded in the audit log (Microsoft-Windows-CodeIntegrity/Operational, event 3076) and are not blocked.
<Signer Name="Microsoft Code Signing PCA" ID="ID_SIGNER_S_231"><CertRoot Value="4E80BE107C860DE896384B3EFF50504DC2D76AC7151DF3102A4450637A032146" Type="TBS"/></Signer>
An example of a detected signing certificate. All executable files signed under it are allowed to run without further checks.
<Allow Hash="88A87238099A3B4BB392C82589CA099DC70629D6EA32CF79F9071011C5994CA2" FriendlyName="\\?\GLOBALROOT\Device\HarddiskVolume4\Distr\npp.6.8.3.Installer.exe Hash Page Sha256" ID="ID_ALLOW_A_8_1"/>
An example of a detected file without a digital signature. The file is allowed to run only if its hash matches; note that any update to such a file changes its hash, so hash rules have to be regenerated whenever unsigned software is updated.
The resulting XML file must be compiled into binary form and placed in the system folder C:\Windows\System32\CodeIntegrity\ under the name SIPolicy.p7b.
ConvertFrom-CIPolicy C:\BasePolicy.xml C:\SIPolicy.bin
cp C:\SIPolicy.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
After the computer restarts, the Code Integrity mechanism starts working in audit mode. Once you have checked that all necessary programs launch and work, you can supplement the policy with the data collected by the audit by running the following command.
New-CIPolicy -Level PcaCertificate -Fallback Hash -FilePath C:\AuditPolicy.xml -Audit
The -Audit switch indicates that the policy should be built from the entries in the audit log.
The AuditPolicy.xml file has the same structure as the BasePolicy.xml file created earlier.
To combine the results of the initial scan with the information gathered in audit mode, there is a cmdlet that merges policies.
Merge-CIPolicy -OutputFilePath C:\Final.xml -PolicyPaths C:\BasePolicy.xml,C:\AuditPolicy.xml
To switch the policy to enforcement, remove audit mode (rule option 3) from the resulting file.
Set-RuleOption -Option 3 -FilePath C:\Final.xml -Delete
As a result, the Enabled:Audit Mode entry is removed from the XML file, and such a policy blocks all software not listed in it.
Next, we compile the XML file into a binary format by running the command again.
ConvertFrom-CIPolicy C:\Final.xml C:\SIPolicy.bin
You can roll the policy out to target computers either by copying the compiled file to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b in any convenient way, or by using the Windows 10 group policy setting under
Computer Configuration\Administrative Templates\System\Device Guard (Deploy Code Integrity Policy), which takes the path to the compiled policy file.

Creating a catalog file
A Code Integrity policy is a monolithic list of permitted software, which is not always convenient. To allow new or updated programs that cannot be verified by a digital signature, you can create a catalog file.
As an example, take the 7zip program, for which we will create a catalog file covering both the distribution package and all executable files present after it is installed.
To do this, run the PackageInspector monitoring utility (included in Windows 10 Enterprise) on a station without an active Device Guard policy, passing the drive letter to monitor and the program's installer as parameters.
.\PackageInspector.exe start C: -path c:\Distr\7z1508-x64.exe
After the installation of 7zip is complete, we check its launch and operation and stop monitoring with the command
.\PackageInspector.exe stop c: -name C:\Distr\7zip.cat -cdfpath c:\Distr\7zip.cdf
The 7zip.cdf file (catalog definition) lists all the executables that were observed.
The 7zip.cat file is the compiled catalog that Device Guard consumes.
To make the catalog file trusted by Device Guard, we sign it with our own code-signing certificate.
If the administrator already has an imported certificate with the Code Signing purpose, it can be used to sign directly from PowerShell, specifying the SHA256 hash algorithm required by Device Guard.
# Pick the first code-signing certificate in the user's personal store and sign the catalog with it
$cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
Set-AuthenticodeSignature -FilePath C:\Distr\7zip.cat -Certificate $cert -HashAlgorithm SHA256
The certificate must be issued by a certificate authority that the policy trusts: its root or issuing certificate should have been imported on the reference computer before the policy was created, so that the scan produced a Signer rule for it. Otherwise the signed catalog will be ignored.
Next, place the generated and signed catalog file on the computers that need it by copying it into the catalog store at
C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
Unlike a policy, catalog files take effect immediately, without a reboot. Now the installation and use of 7zip on that computer is allowed.
More detailed documentation is available on TechNet at:
https://technet.microsoft.com/ru-ru/library/mt463091(v=vs.85).aspx