Windows Defender Application Guard for Microsoft Edge is Microsoft’s latest attempt to improve the security of its browser and, by extension, Windows 10. The new addition will run Edge in a lightweight virtual machine. In short, the application is powered by virtualization-based security technology, and it employs isolated containers built directly into the hardware. This is done to prevent malicious code from running on employee devices and the corporate network. This would indeed be the next major update to Windows 10 Enterprise.
Windows 10’s Virtualization Based Security (VBS) employs small virtual machines and the Hyper-V hypervisor to isolate specific critical data and processes from the rest of the system. Credential Guard is the most important such element. It is designed to store network credentials and password hashes in an isolated virtual machine. The isolation protects against the Mimikatz tool, which was part of an attack in Mr. Robot’s second season.
Mimikatz is a post-exploitation tool written by Benjamin Delpy. The tool is used by attackers who want further and deeper access to the computer or network. Doing so would otherwise require many separate tools, and Mimikatz tries to combine them.
Microsoft Edge Application Guard’s Virtual Machine
The virtual machine of Credential Guard is small and lightweight. The process it runs to manage credentials is fairly simple. Application Guard will make things more complex by running major parts of Edge in a virtual machine. However, the latter won’t need a full operating system – only a small portion of Windows features would be needed for the browser to run.
In addition, because it runs in a virtual machine, Edge under Application Guard will be fenced off from the host platform. It won’t be able to see other processes, access local storage, or reach any other installed apps. Most importantly, code running inside Application Guard can’t attack the host system’s kernel.
The first iteration of the application is only available for Edge. Application Guard will only serve users of Windows 10 Enterprise, and administrative control through group policies will be provided. Administrators will be allowed to mark some sites as trusted, and those sites won’t use the virtual machine. Admins will also control whether untrusted sites can use the clipboard or print, Ars Technica explains.
Application Guard was announced during Microsoft’s annual Ignite conference, along with other new products and services for IT pros. It will be available in preview to Windows Insiders in early 2017.