Last year’s WannaCry and Petya malware outbreaks couldn’t breach Windows 10’s latest security defenses, but companies still running outdated and unpatched versions of Windows were vulnerable. In this blog post, I’ll look at the key new security features in Windows 10. For an even more in-depth overview, check out my webinar on the subject here.
Windows 10 uses hardware virtualization to isolate critical parts of the operating system. Virtualization-based security (VBS) runs a secure kernel at a higher trust level (VTL-1) than the NT kernel (VTL-0). When Windows executes code and stores data at the higher trust level (VTL-1), the normal NT kernel and user-mode processes cannot directly access the protected code and data. Data is transferred between the two trust levels using a set of APIs.
The isolation VBS provides protects critical parts of the operating system even if the NT kernel is compromised. For example, Windows Defender Device Guard can continue to operate with integrity after an NT kernel compromise because it uses VBS to protect the processes that apply code integrity policies to the system. Windows 7 cannot provide the same security guarantee.
Windows Defender System Guard in the Windows 10 Fall Creators Update (version 1709) and later reorganizes critical system components to protect them using a hardware-based isolation container at boot time, and continues to provide protection when Windows is running.
Windows Defender Device Guard and Credential Guard
Two new security features in Windows 10 use VBS. Windows Defender Device Guard is a new application control feature that uses configurable code integrity policies to allow-list both kernel-mode and user-mode code. It is more secure than AppLocker because its policy enforcement can be protected by VBS and cannot be easily disabled by local administrators.
Similarly, Credential Guard uses VBS to protect domain, NTLM, and Kerberos credentials from attack. If an attacker gets administrative access in Windows 7, it is easy to harvest credentials and credential derivatives from memory.
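Because Credential Guard and Device Guard only deliver their guarantee when VBS is actually running, it is worth checking the reported state rather than trusting the policy setting. The following PowerShell is an added example (not from the original post) that reads the Win32_DeviceGuard WMI class; the status and service codes in the lookup tables follow that class's documented values, and any code the table does not know is shown raw.

```powershell
# Added example: confirm VBS, Credential Guard and HVCI are running, not just configured.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Documented codes for Win32_DeviceGuard (other codes fall through as "service code N")
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity (HVCI)' }

function Describe-Services([uint32[]]$codes) {
    ($codes | ForEach-Object {
        if ($services.ContainsKey([int]$_)) { $services[[int]$_] } else { "service code $_" }
    }) -join ', '
}

[pscustomobject]@{
    VbsStatus  = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    Configured = Describe-Services $dg.SecurityServicesConfigured
    Running    = Describe-Services $dg.SecurityServicesRunning
}

# The gap that matters for credential theft: Credential Guard configured by policy
# but not running (typically a missing Secure Boot, UEFI or virtualization prerequisite).
if (($dg.SecurityServicesConfigured -contains 1) -and -not ($dg.SecurityServicesRunning -contains 1)) {
    Write-Warning 'Credential Guard is configured but NOT running; LSASS secrets are not isolated on this host.'
}
```

Run it in an elevated PowerShell session on the Windows 10 client; an empty Running column with a non-empty Configured column is the finding to chase.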
Windows Defender Exploit Guard
Exploit Guard replaces the Enhanced Mitigation Experience Toolkit (EMET) that was available for Windows 7. Exploit Guard is built into Windows 10, provides the mitigations that EMET offered, and adds many new security features. It consists of four main features.
- Exploit protection contains OS mitigation features, many of which were available in previous versions of Windows, such as Data Execution Prevention (DEP) and Control Flow Guard, which was first available in Windows 8.1.
- Attack Surface Reduction Rules are available to Windows 10 Enterprise customers. These rules provide extra mitigation techniques for attack vectors in Office, scripts, and email.
- Network protection expands Windows SmartScreen and blocks all outbound HTTP(S) traffic to low-reputation domains from any process. Previously, SmartScreen only blocked such traffic from Microsoft browsers.
- Finally, Controlled Folder Access is designed to stop ransomware from encrypting files in common folders, such as Documents. You can add folders to the default protected list and allow trusted applications to modify them.
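The four Exploit Guard features above are all driven by the Windows Defender PowerShell cmdlets, and the safe rollout pattern is to enable them in audit mode, read the audit events, and only then switch to block. The script below is an added example (not from the original post) showing that pattern; the protected folder and allowed application paths are placeholders, and the ASR rule GUID is Microsoft's rule for blocking Office applications from creating child processes.

```powershell
# Added example: stage Exploit Guard in audit mode, then verify configuration and audit events.
# Requires an elevated session on Windows 10 1709 or later. Paths below are placeholders.

# 1. Exploit protection: system-wide DEP and bottom-up ASLR (replaces the EMET defaults).
Set-ProcessMitigation -System -Enable DEP, BottomUp

# 2. Attack Surface Reduction: one rule in AuditMode; change to Enabled once the events look clean.
$officeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # Block Office apps creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids $officeChildProcessRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 3. Network protection: audit low-reputation outbound HTTP(S) from every process.
Set-MpPreference -EnableNetworkProtection AuditMode

# 4. Controlled Folder Access: audit, extend the default folder list, allow a trusted app.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'                          # placeholder
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\backup.exe'  # placeholder

# Verification: read the effective Defender preferences back.
$p = Get-MpPreference
[pscustomobject]@{
    NetworkProtection     = $p.EnableNetworkProtection        # 0 = Disabled, 1 = Enabled, 2 = AuditMode
    ControlledFolderAccess = $p.EnableControlledFolderAccess  # same encoding
    AsrRules              = ($p.AttackSurfaceReductionRules_Ids | ForEach-Object -Begin { $i = 0 } -Process {
                                "$_ -> $($p.AttackSurfaceReductionRules_Actions[$i])"; $i++ }) -join '; '
    ProtectedFolders      = $p.ControlledFolderAccessProtectedFolders -join '; '
}

# Detection: pull the audit-mode events so you see what would have been blocked.
# 1122 = ASR audit, 1124 = Controlled Folder Access audit, 1125 = network protection audit.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 1122, 1124, 1125 } |
    Select-Object TimeCreated, Id, Message -First 20
```

After the audit window, switch the rule action and the two mode settings from AuditMode to Enabled; the block-mode events have the neighbouring IDs 1121, 1123 and 1126.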
Windows Defender Advanced Threat Protection
Available to customers using Windows Enterprise E5, or purchased as a separate product, Advanced Threat Protection is built into Windows 10 and uses the Intelligent Security Graph to collect information from Windows Defender, providing an overview of your clients’ security posture. Next-generation protection technologies provide holistic preventative and post-breach protection, and can respond automatically to security incidents using machine learning and security analytics.
Microsoft Edge replaces Internet Explorer in Windows 10 as the default inbox browser. Edge runs in an app sandbox and includes other security mitigations, such as running as a 64-bit process and Address Space Layout Randomization (ASLR).
If you need an especially secure environment, Windows Defender Application Guard starts Edge in a container that uses hardware virtualization to isolate the browser from the OS.
Windows Hello aims to rid the world of passwords. Windows Hello and Windows Hello for Business allow users to log in to Windows and other applications using a gesture, which might be something as simple as a PIN code or a biometric, like face recognition or a fingerprint. Microsoft Edge integrates with Windows Hello, allowing users to sign in to websites and applications using a gesture.
Microsoft Store and MSIX Installer Technology
Finally, the Microsoft Store is a curated app store that includes touch-friendly UWP apps and legacy Win32 applications. The Microsoft Store for Business lets organizations create their own private stores, which can be used to manage the full lifecycle of applications.
In the next version of Windows 10, Microsoft is introducing an installer technology that promises to allow organizations to package any kind of application using a simple wizard. The new MSIX installer uses containers to make it easier to port legacy apps to the Microsoft Store, even in cases where you don’t have access to the source code.
If you’d like to find out more about the new security features in Windows 10, check out my on-demand webinar, What’s New in Windows 10 Security, where I go into more technical detail about the new security technologies in Windows 10.
Russell Smith, IT Consultant & Security MVP
Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.
Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.