Join Pete Zerger for an in-depth discussion in this video What is virtualization-based security?, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] Windows 10 and Windows Server 2016 include a feature called Virtualization Based Security, or VBS. The idea behind VBS is simple: if a process or data is virtualized, then it's isolated from the rest of the operating system and therefore it's more difficult to tamper with. Isolated user mode allows for a secure kernel and secure applications. There are two critical security enhancements made possible by VBS: Device Guard and Credential Guard.
Device Guard is a group of features designed to harden a computer system against malware. Its focus is preventing malicious code from running by ensuring only known good code can run. Credential Guard is a specific feature, not part of Device Guard, that aims to isolate and harden key system and user secrets against compromise, such as your Kerberos tickets and NTLM password hashes. Credential Guard encrypts the secrets in memory, which blocks a threat from moving laterally from system to system with credentials it captured from memory, as would be common in pass-the-hash or pass-the-ticket attacks.
The first technology you'll need to understand before we can really dig into either Device Guard or Credential Guard is Virtual Secure Mode, or VSM. VSM is a feature that leverages the virtualization extensions of the CPU to provide added security for data in memory. We call this class of technology VBS, and any time we're using virtualization extensions to provide security, we're essentially talking about a VBS feature. VSM leverages the on-chip virtualization extensions of the CPU to sequester critical processes and their memory against tampering from malicious entities.
The way this works is the Hyper-V hypervisor is installed the same way it gets added when you install the Hyper-V role. Only the hypervisor itself is required. The Hyper-V services and the management tools aren't actually required, but are optional if you're using the machine for real Hyper-V duties. As part of the boot, the hypervisor loads and later calls the real guest OS loaders. Now this diagram illustrates the relationship of the hypervisor with the host operating system.
The difference between this and a traditional architecture is that the hypervisor sits directly on top of the hardware, rather than the host OS directly interacting with the hardware layer. The hypervisor serves to abstract the host OS from the underlying hardware, providing control and scheduling functions that allow the hardware to be shared. In VSM, specific processes and their associated memory are tagged as actually belonging to a separate operating system, creating a container of sorts sitting on top of the hypervisor where security-sensitive operations can occur completely independent of the host OS.
In this way, the VSM instance is segregated from the normal operating system functions and is protected from attempts to read information in that mode. The protections are hardware assisted, since the hypervisor is requesting that the hardware treat those memory pages differently. This is the same way two virtual machines on the same host cannot interact with each other. Their memory is independent and hardware regulated to ensure each VM can only access its own data. From here we now have a protected mode where we can run security-sensitive operations.
Currently Microsoft supports the following capabilities that can reside here: the Local Security Authority, in the case of Credential Guard, which spawns an isolated LSA process called LSAISO.exe; and code integrity control functions in the form of kernel mode code integrity, or KMCI. This was actually available prior to Windows 10, and it protects kernel mode from running unsigned drivers. In Windows 10 and Windows Server 2016, user mode code integrity, KMCI's cousin, is also available to help protect against viruses and malware.
And finally, hypervisor code integrity moves KMCI and HVCI components into Virtual Secure Mode, which hardens them from attack. Finally, UEFI Secure Boot ensures the boot binaries and the UEFI firmware are signed and have not been tampered with.
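As an added example (not part of the course or Microsoft's own tooling), the following PowerShell reports whether the pieces the video describes, VBS, Credential Guard, HVCI, the isolated LSA process and UEFI Secure Boot, are actually running on a machine. It reads the Win32_DeviceGuard CIM class, whose numeric codes are the values Microsoft documents for that class, and assumes an elevated session on Windows 10 / Server 2016 or later.

```powershell
# Added example, not from the course: report the VBS / Credential Guard / HVCI /
# Secure Boot state of the local machine. Requires an elevated PowerShell session.

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Code values documented by Microsoft for the Win32_DeviceGuard class
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $svcName  = @{ 1 = 'Credential Guard'; 2 = 'HVCI';
                   3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    $propName = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                   4 = 'Secure Memory Overwrite'; 5 = 'UEFI Code Readonly';
                   6 = 'SMM Security Mitigations 1.0'; 7 = 'Mode-based execution control' }

    # Services configured by policy vs. services the hypervisor actually started.
    # A service that is Configured but not Running usually means a hardware
    # prerequisite listed under RequiredSecurityProperties is missing.
    $configured = @($dg.SecurityServicesConfigured | ForEach-Object { $svcName[[int]$_] } | Where-Object { $_ })
    $running    = @($dg.SecurityServicesRunning    | ForEach-Object { $svcName[[int]$_] } | Where-Object { $_ })
    $available  = @($dg.AvailableSecurityProperties | ForEach-Object { $propName[[int]$_] } | Where-Object { $_ })
    $required   = @($dg.RequiredSecurityProperties  | ForEach-Object { $propName[[int]$_] } | Where-Object { $_ })

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not enabled"
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # Credential Guard runs the isolated LSA process (LsaIso.exe) described in the video
    $lsaIso = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        VbsState               = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured     = $configured -join ', '
        ServicesRunning        = $running -join ', '
        AvailableHwProperties  = $available -join ', '
        RequiredHwProperties   = $required -join ', '
        SecureBootEnabled      = $secureBoot
        LsaIsoProcessPresent   = $lsaIso
        CredentialGuardRunning = ($running -contains 'Credential Guard') -and $lsaIso
        HvciRunning            = $running -contains 'HVCI'
    }
}

Get-VbsStatus | Format-List
```

A machine where CredentialGuardRunning is false while ServicesConfigured lists Credential Guard is the case to investigate: compare RequiredHwProperties against AvailableHwProperties to find the missing prerequisite.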