Will Windows 10 mean the end of malware?

Signing in with one of these next-generation credentials "unlocks the Windows container" because Windows 10 is made up of multiple containers. Windows is in one container, but the security token from Active Directory that lets you access resources on your company network and the LSA authentication service that issues it are in another, running on top of Hyper-V virtualisation in what Microsoft calls a Virtual Secure Mode.

Those tokens are what many attackers have been targeting when they break into companies using a technique known as Pass the Hash. "Once attackers have that token they have your identity, it's as good as having your username and password. They gain admin privileges and run a tool to extract the token and take it, and then they can move around the network and access all these servers without ever being asked for a password," explains Hallum.

"We've taken these tokens which were being protected by Windows in a software store which was susceptible to malware or to applications with a high level of privilege and we're putting them inside a container. Even the kernel doesn't have access to take information out of that container if it's compromised."

That container is the VSM. "The VSM is basically a mini OS. Think of it as a Windows core OS – it's a very small OS that will require about 1GB of memory and has just enough capability to run the LSA service that's used for all our authentication brokering."

It won't affect the performance of your PC, he says, but you will need to have Windows 10 on your PC, a CPU that supports hardware virtualisation and the next version of Windows Server on your Active Directory domain controller.

That means even if you are infected by a rootkit or bootkit that takes over the Windows kernel, your tokens would still be safe.

No cast-iron guarantee

However, Hallum warns: "We can't promise Pass the Hash is not possible, there could be bugs in our implementation. But it is an architectural solution designed to prevent [this threat] rather than what we've done in the past which was just a defence that made it a little bit harder. It is one of the strongest mitigations we can do.

"We think this will be very decisive in dealing with that threat. I don't want to say we've solved identity but this is so substantial compared to anything we've done in the past. Virtual smartcards in 8 were incremental; this is virtual smart cards for the entire world."

VSMs can be used for other security features – if you run Windows 10 in a virtual machine, it can use a VSM as a virtual TPM. And if PC makers adopt the Windows 10 Enterprise Lockdown idea, the Windows code integrity service will live in another container, so even a compromised kernel can't turn off checks on the code that's allowed to run. And that code will be limited to Windows and applications that have been signed by Microsoft, apps from the Windows Store and software signed by either software vendors vetted by Microsoft or your own business (using certificates from a Certificate Authority Microsoft will run itself).
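A check a defender would want after reading about the two containers described above (the isolated LSA service, and the code integrity service in its own container): whether they are actually running on a given PC. This PowerShell snippet is an added example, not part of the article; it assumes the shipped Windows 10 release, where the VSM surfaces as "virtualization-based security" and reports through the Win32_DeviceGuard WMI class (the isolated LSA shipped as Credential Guard, the isolated code integrity as HVCI).

```powershell
# Added example, not from the article. Reads the Win32_DeviceGuard WMI class that
# Windows 10 exposes for virtualization-based security (VBS), the shipped name for
# what the article calls the VSM. Values below follow the class documentation:
#   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
#   SecurityServicesRunning:           1 = Credential Guard (isolated LSA),
#                                      2 = HVCI (isolated code integrity)
#   AvailableSecurityProperties:       1 = hypervisor support, 2 = Secure Boot,
#                                      3 = DMA protection
function Get-VsmStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    $running   = @($dg.SecurityServicesRunning)
    $available = @($dg.AvailableSecurityProperties)

    [pscustomobject]@{
        VbsRunning            = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # The two containers the article describes, as Windows itself reports them
        IsolatedLsaRunning    = ($running -contains 1)
        IsolatedCodeIntegrity = ($running -contains 2)
        # The hardware prerequisites the article lists (virtualisation-capable CPU,
        # locked-down UEFI boot) as the firmware and hypervisor report them
        HypervisorAvailable   = ($available -contains 1)
        SecureBootAvailable   = ($available -contains 2)
        DmaProtection         = ($available -contains 3)
    }
}

$status = Get-VsmStatus
$status | Format-List

# Without the isolated LSA, domain tokens sit in memory the kernel can read,
# which is the exposure the article's Pass the Hash discussion describes.
if (-not $status.IsolatedLsaRunning) {
    Write-Warning 'LSA is not running inside the VSM; tokens are not isolated from the kernel.'
}
```

Run it in an elevated PowerShell session on a domain-joined Windows 10 PC; a `VbsRunning` of `$true` with `IsolatedLsaRunning` of `$false` means the hypervisor is up but the LSA container the article describes has not been enabled.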

Those signed applications can be distributed through the Windows Store and there will be a way for businesses to sign apps they trust but didn't write (so you can sign software if the vendor has gone out of business and you can't be forced to upgrade to a new, signed version if you're happy with the version you have).

Trusted app ecosystem

Hallum calls it an attempt to "create a trusted app ecosystem" for PCs that protects them the way the App Store protects iOS devices, but is more suited to the way enterprises work.

Enterprise lockdown will only work with Windows Enterprise and with PCs preconfigured to support it by locking their UEFI boot systems "because if you can configure Windows for signed only [software], malware can configure it to not require signing." Microsoft is recommending that OEMs make this an option for all their business PCs and suggesting the premium they charge for it should be low, but it remains to be seen how well they'll support it.

Hallum certainly believes it can be extremely effective: "Assuming the person who owns signing applications in your business is trustworthy, we think we can all but eliminate malware." He also suggests it would have stopped the kind of PoS breaches that have happened in the last year.

Contributor

Mary started her career at Future Publishing, saw the AOL meltdown first hand the first time around when she ran the AOL UK computing channel, and she's been a freelance tech writer for over a decade. She's used every version of Windows and Office released, and every smartphone too, but she's still looking for the perfect tablet. Yes, she really does have USB earrings.