Microsoft has steadily improved security in Windows in recent years and ransomware has been one of the key threats addressed via built-in features such as User Account Control (UAC), Windows Defender Application Control, and Attack Surface Reduction (ASR) rules.
This blog explores whether the protection against ransomware built-in to Windows 10 is enough to keep you protected.
The State of Ransomware
Ransomware was big business in 2020. Organizations scrambled to extend remote access solutions as more employees than ever needed to work from home because of the global pandemic. Criminal gangs predictably exploited the proliferation of poorly secured endpoints and ill-prepared users.
According to various reports, there was a 62-150% increase in cyberattacks in 2020 compared to 2019, with some reports putting the increase in ransomware as high as 485%. While recent data puts the average ransom payout at $312,000, some cybercrime syndicates have achieved payouts from larger enterprises of well into the millions in U.S. dollars. 2020 also saw an increase in double extortion, where hackers not only demand a financial ransom, but they also threaten to leak or sell confidential data if the ransom is not met.
Attacks continue to increase in 2021. There has been a steep rise in zero-day attacks, where hackers exploit previously unknown vulnerabilities in software. Attackers are also increasing their focus on mobile devices, while they continue to exploit poorly secured remote access pathways and unpatched endpoints.
3 Windows Security Protections against Ransomware
Let’s now evaluate three protections built into Windows 10 that you can use to help bolster your defenses against ransomware and other malware.
1. User Account Control: UAC is a collection of Windows features that helps users run without needing administrative privileges to the operating system. Protected Administrator Accounts let users run with standard user rights most of the time, but elevate to admin privileges when required.
UAC is a security control and not a security boundary. As such, it can be bypassed. Microsoft recommends that users should log into Windows with a standard user account whenever possible. UAC Protected Administrator Accounts are designed for use on consumer devices. And while they have helped to significantly improve security in Windows, they aren't intended to provide enterprise-level security.
2. Windows Defender Application Control: Using a technology called Continuous Integrity that was borrowed from Windows Mobile, Windows Defender Application Control (WDAC) is the latest application control technology in Windows. It is designed to let organizations create whitelists of applications, scripts, and other binaries that are permitted to run. Everything else, including ransomware, is blocked.
WDAC can be configured using Microsoft Endpoint Manager (MEM) or using Group Policy. Group Policy doesn't support the multiple-policy format of WDAC. The WDAC policy files are created using PowerShell cmdlets. The cmdlets generate one or more policy files, containing application whitelists and other rules, which you can deploy to clients to block unapproved binaries. For the highest level of security, WDAC policy files should be signed to prevent administrators from deleting or changing application control rules.
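The cmdlet workflow described above, as an added example that is not from the original post: scan a reference machine to build an allow list, start the policy in audit mode so gaps surface before anything is blocked, and compile it to the binary format Windows loads. The file paths and the scan root are assumptions for illustration.

```powershell
# Added example (not from the original post). Paths below are assumptions.
$PolicyXml = "C:\WDAC\AllowedApps.xml"   # assumed: editable policy source
$PolicyBin = "C:\WDAC\SIPolicy.p7b"      # assumed: compiled policy for deployment

# Scan the reference system and generate allow rules at Publisher level, so updates
# signed by the same publisher stay allowed. -Fallback Hash covers unsigned files,
# -UserPEs includes user-mode binaries. A full-disk scan takes a while.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs -ScanPath "C:\"

# Option 3 = Enabled:Audit Mode. Nothing is blocked yet; anything the policy would
# have blocked is logged to Microsoft-Windows-CodeIntegrity/Operational as event 3076
# (3077 is the block event once enforcement is on), so you can fix gaps first.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Compile the XML to the binary policy that clients consume.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# After reviewing the audit events, drop option 3 to switch to enforcement, recompile,
# sign the binary (the post's recommendation, done with your code-signing tooling),
# and deploy via MEM or Group Policy:
#   Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Review the 3076 audit events for legitimate line-of-business software before removing audit mode; an enforced policy with a missing rule breaks those applications for every user.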
3. Attack Surface Reduction Rules: Attack Surface Reduction (ASR) rules are part of Windows Defender Exploit Guard. The rules can be used to disable features that are often used by hackers to take over Windows and deploy malware. But ASR rules can also disable functionality that users rely on in your organization, so they should always be set up in audit mode initially so you can monitor whether a 'block' configuration might impact users.
ASR rules work in Windows 10 Pro and Enterprise SKUs, version 1709 and later. The rules can be configured using MEM, which is the preferred method, or using Intune, PowerShell, and Group Policy.
To get the full feature set, including advanced monitoring and analytics, you'll need a Windows 10 Enterprise E5 license. Otherwise, you'll be limited to monitoring the following events in the Windows Event Log:
- Audit – Windows Event ID 1122
- Block – Windows Event ID 1121
- Settings changed – Windows Event ID 5007
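An added example, not from the original post, of the audit-first rollout the post recommends: enable one ASR rule in audit mode, confirm the setting, and then query the three event IDs listed above from the Defender operational log to see what a block configuration would have hit. The rule GUID is the documented ID for "Block all Office applications from creating child processes"; the seven-day window is an assumption.

```powershell
# Added example (not from the original post).
# ASR rule: Block all Office applications from creating child processes. Office macros
# spawning cmd/PowerShell is a common ransomware delivery step, so it is a useful
# first rule to audit.
$RuleId = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"

# AuditMode records what the rule would block without blocking it.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Confirm the rule and its action are registered.
# Actions: 0 = Disabled, 1 = Block, 2 = AuditMode.
$Prefs = Get-MpPreference
$Prefs.AttackSurfaceReductionRules_Ids
$Prefs.AttackSurfaceReductionRules_Actions

# ASR events are written to the Defender operational log. Filter to the IDs from the
# post: 1122 = audit hit, 1121 = block, 5007 = settings changed (worth watching,
# because a 5007 you did not cause may mean someone turned a rule off).
$Filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 5007
    StartTime = (Get-Date).AddDays(-7)   # assumed review window
}
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Once the 1122 audit hits are only the activity you expect to stop, change the action to Block with the same Add-MpPreference call and keep watching 1121 for user impact.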
Built-In Windows Protections a Start, but Not Enough
While User Account Control, Application Control features, and Attack Surface Reduction rules provide some basic enhancements in protection when correctly configured, they simply aren't enough to protect users and devices against ransomware. More complete ransomware and malware protection demands that organizations adhere to best practices, like enforcing least privilege and using standard user accounts in place of administrators. Ideally, blended ransomware protections are also orchestrated through a single pane of glass.
Managing Windows security can be complex with the native tools. While built-in controls can help, you still need to ensure users are not logging onto endpoints with domain administrator credentials and users do not have standing admin rights on their devices. Once an attacker has admin privileges, most of the security controls in Windows can be sidestepped.
For complete ransomware protection, look at an Endpoint Privilege Management solution that includes both application control and privilege management capabilities. Managing security from a central console, and having deep insight into your infrastructure, enables IT to stop ransomware before it takes hold of a network, while also helping to mitigate any breach by impeding lateral movement.
If you’d like a deeper dive on this topic, check out my on-demand webinar here.
Russell Smith, IT Consultant & Security MVP
Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.
Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.