Introduction
Since the 2015 release of Windows 10 there has been a feature called Device Guard. With it, only the applications the administrator has explicitly allowed are able to run.
So an ordinary user can no longer launch apps that haven't been approved, and malware that hasn't been approved can't execute either, I suppose.
There are, however, a number of conditions that have to be met before it works:
- Windows 10 Enterprise or Windows 10 Education (this is what Credential Guard needs; HVCI on its own also runs on the other editions)
- 64-bit Windows 10 only
- Windows 10 version 1607 or later
- UEFI firmware, version 2.3.1 or later
- A TPM, 1.2 or 2.0 (recommended rather than strictly required; it is what binds the VBS keys to the hardware)
- BIOS lockdown (a firmware password, so that Secure Boot cannot simply be switched off again)
- Secure Boot
- A CPU with virtualization extensions (Intel VT-x / AMD-V) and SLAT, as the tool's own banner points out; an IOMMU (VT-d / AMD-Vi) is optional but gives DMA protection on top
These are the requirements of Virtualization-Based Security (VBS), the security framework that Credential Guard is built on. Device Guard's hypervisor-protected code integrity (HVCI) sits on the same VBS, which is why the two are usually rolled out together and why the readiness tool treats them as one package.
Credential Guard uses Microsoft's Hyper-V hypervisor to split off an isolated copy of the Local Security Authority (LSAIso) into a separate, hypervisor-protected world (Virtual Secure Mode) rather than a full virtual machine. The NTLM hashes and Kerberos keys live there, and the normal OS, even with kernel privileges, can only talk to it over RPC instead of reading its memory. That is what stops Mimikatz-style credential dumping from lsass.
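Before reaching for Microsoft's readiness tool, it is useful to check the list above by hand, so here is an added PowerShell pre-flight check (my own example, not code from the original post or from the tool). The function name Test-VbsPrerequisites and the check labels are mine; the CIM classes, Confirm-SecureBootUEFI and $env:firmware_type are standard Windows. Run it from an elevated PowerShell.

```powershell
# Added example: local pre-flight check of the Device Guard / Credential Guard
# prerequisites. Function name and labels are my own; the classes queried are
# standard Windows CIM/WMI classes. Needs an elevated PowerShell (Win32_Tpm and
# Confirm-SecureBootUEFI refuse to answer otherwise).
function Test-VbsPrerequisites {
    [CmdletBinding()]
    param()

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem

    # Secure Boot can only be queried on UEFI firmware; on legacy BIOS the cmdlet throws.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # SpecVersion looks like "2.0, 0, 1.38"; the query fails when there is no TPM.
    $tpmSpec = $null
    try {
        $tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                    -ClassName Win32_Tpm -ErrorAction Stop).SpecVersion
    } catch { }

    $checks = [ordered]@{
        'Enterprise/Education edition (for CG)' = ($os.Caption -match 'Enterprise|Education')
        '64-bit OS'                             = ($os.OSArchitecture -like '64*')
        'Build 14393 (1607) or later'           = ([int]$os.BuildNumber -ge 14393)
        'UEFI firmware'                         = ($env:firmware_type -eq 'UEFI')
        'Secure Boot enabled'                   = $secureBoot
        'TPM present'                           = ($null -ne $tpmSpec)
        'TPM 2.0'                               = ($tpmSpec -like '2.0*')
        'VT-x/AMD-V enabled in firmware'        = [bool]$cpu.VirtualizationFirmwareEnabled
        'SLAT (EPT/NPT)'                        = [bool]$cpu.SecondLevelAddressTranslationExtensions
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }

    # Caveat: when a hypervisor is already underneath Windows (Hyper-V/VBS already on,
    # or this is a VM guest) the two CPU flags above read False even on capable
    # hardware, because the guest view of the CPU no longer exposes them.
    if ($cs.HypervisorPresent) {
        Write-Warning ('A hypervisor is already present: the CPU virtualization/SLAT rows are ' +
                       'unreliable. In a VM guest, the host must expose nested virtualization.')
    }
}

Test-VbsPrerequisites | Format-Table -AutoSize
```

Anything that comes back False here is what the tool would print as a red error; the hypervisor warning is exactly the situation in the runs below, where the tool itself reports that it is running inside a virtual machine.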
This time I'm going to use a tool called the Device Guard and Credential Guard hardware readiness tool to try to enable Device Guard (DG) and Credential Guard (CG).
Download
Download it from the following URL.
Device Guard and Credential Guard hardware readiness tool https://www.microsoft.com/en-us/download/details.aspx?id=53337
Extracting the archive gives the following directory and file layout.
You can see the tool is written in PowerShell.
Check the usage
Start PowerShell. Running the downloaded DG_Readiness_Tool with no arguments gives the following.
```text
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
How to read the output:
 1. Red Errors: Basic things are missing that will prevent enabling and using DG/CG
 2. Yellow Warnings: This device can be used to enable and use DG/CG, but additional security benefits will be absent. To learn more please go through: https://aka.ms/dgwhcr
 3. Green Messages: This device is fully compliant with DG/CG requirements
###########################################################################
Hardware requirements for enabling Device Guard and Credential Guard
 1. Hardware: Recent hardware that supports virtualization extension with SLAT
###########################################################################
Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable/Clear] -[DG/CG/HVCI] -[AutoReboot] -Path
Log file with details is found here: C:\DGLogs

To Enable DG/CG.
If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used
Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path <full path to the SIPolicy.p7b>

To Enable only HVCI
Usage: DG_Readiness.ps1 -Enable -HVCI

To Enable only CG
Usage: DG_Readiness.ps1 -Enable -CG

To Verify if DG/CG is enabled
Usage: DG_Readiness.ps1 -Ready

To Disable DG/CG.
Usage: DG_Readiness.ps1 -Disable

To Verify if DG/CG is disabled
Usage: DG_Readiness.ps1 -Ready

To Verify if this device is DG/CG Capable
Usage: DG_Readiness.ps1 -Capable

To Verify if this device is HVCI Capable
Usage: DG_Readiness.ps1 -Capable -HVCI

To Auto reboot with each option
Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot
###########################################################################
Readiness Tool with '-capable' is run the following RegKey values are set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities
 CG_Capable
 DG_Capable
 HVCI_Capable
Value 0 = not possible to enable DG/CG/HVCI on this device
Value 1 = not fully compatible but has sufficient firmware/hardware/software features to enable DG/CG/HVCI
Value 2 = fully compatible for DG/CG/HVCI
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
```
Two things in this banner are worth noticing. The script file is v3.6 but the banner still says "Version 3.4" (the version string inside the script was never updated). More importantly, the last line shows the tool has detected that it is running inside a virtual machine, and that matters for everything that follows: VBS needs a hypervisor of its own, so a guest only gets it if the host exposes nested virtualization. Also note the -Path parameter: a plain -Enable deploys the tool's hard-coded default code integrity policy, so on a real machine you would pass your own SIPolicy.p7b.
Enable HVCI
Enable hypervisor-protected code integrity (HVCI) on Windows 10.
HVCI runs the kernel-mode code integrity checks inside VBS, so kernel memory can only be made executable once the hypervisor-protected checker has validated the code's signature; a compromised kernel cannot switch that check off. Among other things, HVCI:
- protects the Control Flow Guard (CFG) bitmap from being modified
- ensures that other trustlets, such as Credential Guard, have a valid certificate
- ensures that modern device drivers carry the EV (Extended Validation) certificate that HVCI-compatible drivers require
```text
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Enable -HVCI
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################
Enabling Device Guard and Credential Guard
Setting RegKeys to enable DG/CG
Enabling Hyper-V and IOMMU
Enabling Hyper-V failed please check the log file
Please reboot the machine, for settings to be applied.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
```
It looks like Device Guard and Credential Guard have been enabled. A reboot is needed.
Check the state
HVCI has been enabled, so let's check the current state.
```text
PS C:\Users\ujpadmin> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Not an Admin user, pls execute this script as an Admin user exiting...
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
```
Running it as a user without admin rights gives an error. Start PowerShell as an administrator and run the command again.
```text
PS C:\WINDOWS\system32> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################
Credential-Guard is not running.
HVCI is not running.
Config-CI is not running. (Not Enabled)
Not all services are running.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
```
It doesn't seem to have been running...
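The three "is not running" lines the tool prints for -Ready come from the Win32_DeviceGuard CIM class that Windows ships, and reading that class directly gives a more detailed picture than the tool (which services are merely configured versus actually running, and why VBS is not coming up). Here is an added PowerShell decoder for it (my own example, not the original post's or the tool's code). The function name and the label wording are mine; the numeric codes are the documented ones for Win32_DeviceGuard, and the Capabilities registry values it also reads are the ones the tool describes in its usage text.

```powershell
# Added example: decode the state behind "DG_Readiness_Tool -Ready" straight from
# Win32_DeviceGuard, plus the *_Capable registry values the tool writes for -Capable.
# Function name and label wording are mine; the numeric codes are the documented ones.
function Get-VbsStatus {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $vbsState = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'running' }
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    $ciState  = @{ 0 = 'off'; 1 = 'audit'; 2 = 'enforced' }
    $props    = @{ 1 = 'hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure Memory Overwrite';
                   5 = 'NX protections'; 6 = 'SMM mitigations'; 7 = 'Mode Based Execution Control' }

    # The service/property fields are arrays of codes; an empty array means "none".
    function ConvertTo-Names($codes, [hashtable]$table) {
        $names = foreach ($c in @($codes)) {
            if ($null -eq $c) { continue }
            if ($table.ContainsKey([int]$c)) { $table[[int]$c] } else { "unknown($c)" }
        }
        if ($names) { $names -join ', ' } else { '(none)' }
    }

    # Left behind by "DG_Readiness_Tool -Capable": 0 = impossible, 1 = sufficient, 2 = fully compatible.
    $cap = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities' `
                            -ErrorAction SilentlyContinue
    $capText = if ($cap) { 'CG={0} DG={1} HVCI={2}' -f $cap.CG_Capable, $cap.DG_Capable, $cap.HVCI_Capable }
               else      { '(not set; run the tool with -Capable first)' }

    [pscustomobject]@{
        VbsStatus              = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured     = ConvertTo-Names $dg.SecurityServicesConfigured $services
        ServicesRunning        = ConvertTo-Names $dg.SecurityServicesRunning $services
        KernelCiPolicy         = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCiPolicy       = $ciState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        AvailableProperties    = ConvertTo-Names $dg.AvailableSecurityProperties $props
        RequiredProperties     = ConvertTo-Names $dg.RequiredSecurityProperties $props
        ToolCapabilityRegistry = $capText
    }
}

Get-VbsStatus | Format-List
```

The diagnostic value is in the gap between the fields: ServicesConfigured lists what the registry asks for (what "Setting RegKeys to enable DG/CG" wrote), ServicesRunning what the hypervisor actually brought up after the reboot, and RequiredProperties versus AvailableProperties shows which platform feature (typically "hypervisor support" or "Secure Boot") is the one blocking VBS from starting. KernelCiPolicy is the field behind the tool's "Config-CI" line.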
Enable -CG
Use -Enable -CG to enable only Credential Guard.
```text
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Enable -CG
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################
Enabling Device Guard and Credential Guard
Setting RegKeys to enable DG/CG
Enabling Hyper-V and IOMMU
Enabling Hyper-V failed please check the log file
Please reboot the machine, for settings to be applied.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
```
It takes effect after a reboot.
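What -Enable -HVCI and -Enable -CG actually do in their "Setting RegKeys to enable DG/CG" step is flip a handful of registry values, and it is worth knowing them so the change can be audited (or pushed by GPO/Intune instead of a script). The following is an added PowerShell equivalent covering both the HVCI section and the Credential Guard section above; it is my own example, not the tool's code. The function name and parameters are mine; the key paths and values are the ones Microsoft documents for enabling VBS, HVCI and Credential Guard manually. Run it elevated; nothing takes effect until the next reboot.

```powershell
# Added example: the registry switches behind "-Enable -HVCI" and "-Enable -CG",
# done by hand. Function name and parameters are mine; key paths and values are
# the documented manual-enable settings. Elevated PowerShell; reboot to apply.
function Enable-VbsFeature {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Hvci,
        [switch]$CredentialGuard,
        # UEFI lock: the setting is also stored in the UEFI variable store, so a remote
        # registry or GPO change cannot undo it; turning it off later needs a physically
        # present admin to confirm at boot. Leave off while you are still experimenting.
        [switch]$UefiLock,
        # 1 = require Secure Boot, 3 = require Secure Boot and DMA protection (IOMMU)
        [ValidateSet(1, 3)][int]$PlatformSecurityLevel = 1
    )

    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lock    = if ($UefiLock) { 1 } else { 0 }

    # VBS itself has to be on before either service can run on top of it.
    if ($PSCmdlet.ShouldProcess($dgKey, 'enable virtualization-based security')) {
        New-Item -Path $dgKey -Force | Out-Null
        Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
        Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value $PlatformSecurityLevel -Type DWord
    }

    if ($Hvci -and $PSCmdlet.ShouldProcess($hvciKey, 'enable HVCI')) {
        New-Item -Path $hvciKey -Force | Out-Null
        Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
        Set-ItemProperty -Path $hvciKey -Name Locked  -Value $lock -Type DWord
    }

    if ($CredentialGuard -and $PSCmdlet.ShouldProcess($lsaKey, 'enable Credential Guard')) {
        # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
        $flags = if ($UefiLock) { 1 } else { 2 }
        Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $flags -Type DWord
    }

    Write-Output 'Settings written; reboot, then verify with DG_Readiness_Tool -Ready.'
}

# Dry run first (shows every key that would change), then the real thing, which is
# the same as running the tool with -Enable -HVCI followed by -Enable -CG.
Enable-VbsFeature -Hvci -CredentialGuard -WhatIf
# Enable-VbsFeature -Hvci -CredentialGuard
```

Two caveats that the runs on this page illustrate. First, the tool's "Enabling Hyper-V and IOMMU" step, the one that failed above, is the part this function does not replicate: inside a VM guest that failure usually means the host is not exposing virtualization extensions to the guest (on a Hyper-V host, with the VM shut down, `Set-VMProcessor -VMName <name> -ExposeVirtualizationExtensions $true`), and no amount of registry work will start VBS until that is fixed. Second, a plain -Enable with no sub-option additionally copies the tool's hard-coded default SIPolicy.p7b into C:\Windows\System32\CodeIntegrity\ in enforced mode, which is a Device Guard code integrity policy written by Microsoft, not by you; on a real machine generate your own policy (New-CIPolicy and ConvertFrom-CIPolicy from the ConfigCI module) and run it in audit mode first, otherwise unsigned line-of-business software stops launching after the reboot. Deleting that file and rebooting backs the policy out.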
Run -Enable
Enable both DG and CG.
```text
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -enable
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################
Enabling Device Guard and Credential Guard
Setting RegKeys to enable DG/CG
Enabling Hyper-V and IOMMU
Enabling Hyper-V failed please check the log file
Please reboot the machine, for settings to be applied.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
```
Let's check.
```text
PS C:\WINDOWS\system32> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################
Credential-Guard is not running.
HVCI is not running.
Config-CI is enabled and running. (Enforced mode)
Not all services are running.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
```
It finally works.