Browser Isolation with Microsoft Windows Defender Application Guard (WDAG): What It Does, How It Works and What It Means
- Microsoft brings hardware isolation to the web browser
- Bromium and Microsoft have similar approaches to browser isolation using virtualization
- Microsoft protects only their own OS and proprietary Microsoft applications
- Bromium works with all Microsoft VBS technologies, and together we secure far more of the Windows attack surface than Microsoft does on its own
Creating momentum around virtualization-based security.
With the October release of Windows 10 Fall Creators Update, Microsoft brings its own hardware isolation to web browsing with Microsoft Edge. Application Guard for Edge now joins Device Guard and Credential Guard in virtualizing additional aspects of the overall enterprise security experience.
Windows 10 Enterprise edition is now supplementing detection with isolation on the endpoint in three specific areas:
- Around operating system components with Device Guard
- Around network credentials with Credential Guard
- Around their flagship web browser with Application Guard for Edge
How Edge Browser isolation works.
At a high level, Bromium and Microsoft have similar approaches to browser isolation using virtualization. That’s not surprising given our longstanding security partnership and frequent technical consultation between our development teams. But it’s important to note that the Windows purveyor has patented its own precise implementation methodology using its own internal hypervisor.
- Users must invoke a separate Application Guard window to initiate isolated browsing
- Hardware-enforced isolation uses Microsoft’s native Hyper-V hypervisor, leveraging the CPU chipset
- Untrusted websites are all virtualized inside a single disposable container holding a separate copy of Windows and just the minimum Windows Platform Services needed to run Microsoft Edge
- All untrusted websites share the same virtual machine, which persists until all untrusted browsing concludes
- Trusted sites run natively on the “host” Windows OS
- Visual distinction is evident between native/trusted browsing on the host and isolated/untrusted browsing in the VM
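Because everything not on the trusted-site list lands in the container, the trusted list is the isolation boundary an administrator needs to audit. The following PowerShell script is an added example (not from the original post or from Microsoft): it reports whether the Application Guard feature is enabled and lists the sites the network-isolation policy renders natively on the host. It assumes the policy is delivered by Group Policy under the NetworkIsolation policy key; the exact key path and value names are assumptions to verify against your build.

```powershell
# Added audit example (not from the original post). Assumptions: Group Policy
# delivery of the network isolation policy under the key below; value names
# EnterpriseCloudResources / NeutralResources / DomainSubnets / EnterpriseIPRange.
#Requires -RunAsAdministrator

function Get-WdagFeatureState {
    # Windows-Defender-ApplicationGuard is the optional-feature name for WDAG.
    try {
        $feature = Get-WindowsOptionalFeature -Online `
            -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction Stop
    } catch { return 'NotAvailable' }   # e.g. non-Enterprise SKU
    if ($null -eq $feature) { return 'NotAvailable' }
    return $feature.State.ToString()    # 'Enabled' or 'Disabled'
}

function Get-WdagTrustedSites {
    # Assumed policy location (Group Policy). MDM-delivered policy may differ.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    # Each value is a comma-separated list; split and drop empty entries.
    [pscustomobject]@{
        EnterpriseCloudResources = @($p.EnterpriseCloudResources -split ',' | Where-Object { $_ })
        NeutralResources         = @($p.NeutralResources -split ',' | Where-Object { $_ })
        DomainSubnets            = @($p.DomainSubnets -split ',' | Where-Object { $_ })
        EnterpriseIPRange        = @($p.EnterpriseIPRange -split ',' | Where-Object { $_ })
    }
}

$state = Get-WdagFeatureState
Write-Host "Application Guard feature state: $state"
if ($state -ne 'Enabled') {
    Write-Warning 'Untrusted web browsing is NOT hardware-isolated on this host.'
}

$trusted = Get-WdagTrustedSites
if ($null -eq $trusted) {
    Write-Warning 'No NetworkIsolation policy found: no trusted/untrusted split is defined.'
} else {
    $trusted | Format-List
    # Review point: every entry here runs natively on the host, outside the VM.
    # Assumption: a leading '.' marks an entry as covering all subdomains.
    @($trusted.EnterpriseCloudResources) + @($trusted.NeutralResources) |
        Where-Object { $_.Trim().StartsWith('.') } |
        ForEach-Object { Write-Warning "Broad trusted entry (all subdomains): $_" }
}
```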
Edge Browser isolation is only a start.
Microsoft has done a lot of things right. But now let’s review some of the limitations:
- Browser isolation in WDAG for Microsoft Edge protects only against web-borne malware running within the browser itself. It does not protect against or isolate malicious file downloads that come through the browser.
- Microsoft does not permit any file downloads during isolated Edge browsing. Users can use the Print as PDF function to save sterile versions of web-rendered documents to the host device. This is a sub-optimal user experience that lies outside of the normal workflow for most users and makes document collaboration impossible.
- Microsoft is quite rightly focused on protecting their own OS and proprietary Microsoft applications. They are starting with Edge, which they hope will one day become the dominant enterprise browser. For now, the exclusive focus on protecting Microsoft content limits the number of vulnerable application attack surfaces that WDAG can protect.
- Microsoft VBS applies only to enterprise versions of Windows 10. If your organization has not yet made the leap to Windows 10—or continues to support mixed Microsoft OS environments and web browsers other than Edge—WDAG may not yet provide you with the coverage you need.
Empowering employee productivity.
Today, Chrome and Firefox hold nearly a 75% share of the desktop browser market, and Adobe Acrobat dominates the PDF rendering market. Such wildly popular applications are also frequent attack vectors. Criminals know that employees are easy targets because they are committed to getting their jobs done and they can’t tell what’s safe and what’s not until they click on it.
The Bromium Secure Platform removes the burden from employees with fully-isolated downloads for a variety of business productivity files and documents through Internet Explorer, Chrome, and Firefox—all in their native file formats. And the isolation protection stays with the files every time they are opened, allowing for normal user workflows and full-featured document collaboration.
Additionally, Bromium supports all versions of Windows 7, 8.1, and 10, providing application isolation where Microsoft has no financial incentive to retrofit functionality.
Isolation backstops detection.
Microsoft is increasing its focus on security, steadily incorporating features directly into the Windows OS rather than relying on detection alone to protect endpoints. But Microsoft is still heavily invested in a detect-to-protect approach, as evidenced by its ubiquitous Windows Defender desktop anti-malware tool and its new moves into detection, monitoring, and response solutions at the network level.
Finally, while Microsoft is just getting its feet wet with endpoint security isolation as a supplement to its primary detection-based tools, Bromium has gone “all in” with an isolation-first approach since the beginning.
We invented application isolation using micro-virtualization. We are the industry’s leading innovator and promoter, and we’ve never had a customer report a single confirmed malware escape from a Bromium micro-VM!
Bromium + Microsoft = Better Together
Security administrators: Go ahead and enable Device Guard, Credential Guard, and Application Guard for Edge. Bromium works with all Microsoft VBS technologies, and together we secure far more of the Windows attack surface than Microsoft does on its own.
If you’re concerned about running two hypervisors on the same endpoint, don’t worry … we’ve figured that out too! Learn how to isolate Edge browser downloads using Bromium in this blog, with sustained protection that persists whether on or off the network.
If you’re not yet a Bromium customer, reach out and we’ll show you more about security isolation through virtualization across all your Windows attack surfaces.