New Windows 10 features are getting ink in the tech press, but it’s Windows 10 security that’s top of mind for most system administrators.
When we conducted a webcast called Under the Hood with Windows 10 Security, more than 2,300 sysadmins, IT managers and network administrators registered. We saw we had a live one, so we decided to distill the highlights of the webcast into this series of three blog posts on the main enhancements to Windows 10 security, focusing on what’s new for the enterprise.
In this first post, I’ll describe Windows 10 enhancements for endpoint security – preventing your desktops and servers from being infected by malware.
It’s a good sign that Microsoft is taking aim at malware because the endpoints are where the bad guys are winning the most. Windows 10 fights back through new hardware components and drivers because that’s what it takes to keep malicious code from running on your endpoints.
Untrusted font blocking (6:10 into the on-demand webcast)
Fonts are known as “complex data structures,” which translates to “big, juicy targets just waiting to be exploited.” Fonts are notorious for buffer overflows that allow privileges to be elevated and arbitrary code to run.
The biggest danger is that fonts can be embedded in documents and sent all over the place. That is an ideal way for bad guys to deliver malware to an endpoint, then get the endpoint to run it.
Untrusted font blocking, an option under Group Policy, is a new Windows 10 security feature. Once it is turned on, Windows refuses to load any font that is not already installed on the device. That limits the damage from anything that handles fonts, such as email, Web content and document files.
Device Guard (7:40)
Device Guard is more than any single feature. It’s a comprehensive way to lock down the code that executes in the kernel. The more you’ve standardized on specific configurations of hardware and drivers in your company, the more you can take advantage of Device Guard, which is oriented toward enterprise devices and Windows versions rather than toward consumer and BYOD. Device Guard runs much deeper inside the OS than AppLocker does.
Secure Boot is the part of Device Guard that depends on UEFI, the hardware replacement for BIOS; UEFI checks the firmware and your boot files.
Windows 10 features a highly controlled boot process, integrated with the Trusted Platform Module (TPM) chip on the motherboard (if present). Before turning control over to the boot loader, Windows hands the boot files to the TPM, which validates them to ensure that your system has not been compromised. After verification, Secure Boot allows the OS to boot.
That defends against rootkits and makes sure that Windows starts from trusted, un-tampered code. Secure Boot was supported in Windows 8 and Windows Server 2012; the biggest changes for Windows 10 are the new requirements for hardware manufacturers, like UEFI and TPM.
Code Integrity (17:50)
Code Integrity is part hardware, part software. In mobile terms, you can say that it makes Windows more like an un-jailbroken iOS system or an unrooted Android system, but with more freedom and control from the enterprise point of view.
Whereas AppLocker starts late in the boot process and runs in user mode, Code Integrity takes control as soon as the OS begins to boot and runs in kernel mode deep within the OS. You can customize the Code Integrity Policy for every OS and specify only the code that has been signed by someone you trust. Not even a local administrator can override it.
Code Integrity looks at the way every executable on your device has been signed and compares it to a golden system. For unsigned programs like line-of-business apps you’ve built, there is a Package Inspector. Code Integrity is a big step toward endpoint security for point-of-sale systems because you can implement it in kernel mode if administrators have control over the hardware, or user mode if they control only the installed apps. Even if you don’t have complete control, you can still use Code Integrity’s audit mode.
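The audit-then-enforce workflow described above, as an added PowerShell example that is not part of the original post or webcast. It uses the ConfigCI module's cmdlets; the file paths under C:\CIPolicy and the seven-day review window are assumptions, and it must be run elevated on the golden reference system.

```powershell
# Build a Code Integrity policy from a golden system, deploy it in audit
# mode, review what it would have blocked, then switch to enforcement.
Import-Module ConfigCI

$xml    = 'C:\CIPolicy\GoldenScan.xml'      # assumed working paths
$audit  = 'C:\CIPolicy\AuditAdditions.xml'
$merged = 'C:\CIPolicy\Merged.xml'
$bin    = 'C:\CIPolicy\SIPolicy.p7b'
$deploy = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# 1. Scan the golden system. PcaCertificate trusts code by its signing
#    certificate chain; -Fallback Hash covers unsigned binaries such as
#    in-house line-of-business apps; -UserPEs includes user-mode code,
#    not only kernel-mode drivers.
New-CIPolicy -Level PcaCertificate -Fallback Hash -UserPEs -FilePath $xml

# 2. Rule option 3 = audit mode: violations are logged, nothing is blocked.
Set-RuleOption -FilePath $xml -Option 3

# 3. Convert to the binary form the kernel reads at boot, then deploy.
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item -Path $bin -Destination $deploy
# Reboot here; the policy takes effect on the next boot.

# 4. After normal workloads have run for a while, list everything the
#    policy would have blocked. Event 3076 = audit-mode "would block";
#    3077 = actually blocked once enforcement is on.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap

# 5. Fold the audited binaries you actually trust into the policy,
#    remove audit mode (-Delete on option 3) and redeploy to enforce.
New-CIPolicy -Audit -Level PcaCertificate -Fallback Hash -UserPEs -FilePath $audit
Merge-CIPolicy -OutputFilePath $merged -PolicyPaths $xml, $audit
Set-RuleOption -FilePath $merged -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $bin
Copy-Item -Path $bin -Destination $deploy
# Reboot again; from now on unlisted code is blocked, even for local admins.
```

Review the 3076 events before step 5: anything unexpected there is exactly the kind of code the enforced policy is meant to stop, so it should not be merged in blindly.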
Virtualization-based security (29:30)
Virtualization-based security (VBS) enlists Hyper-V to protect sensitive parts of Windows even on endpoints. It inserts a hypervisor between the metal and the Windows 10 kernel, then moves local security authority (LSA) and kernel mode code integrity (KMCI) to quasi-virtual machines, or the secure world.
Before virtualization-based security, both LSA and KMCI ran in kernel mode. Normally, that’s a safe place to run, but device drivers run there too, and they come from all over and are not always secure. Once they’re in the secure world, LSA and KMCI are inaccessible to everything else including the kernel, the apps and any kernel mode malware.
To prevent code injection exploits, KMCI keeps memory pages in the kernel from being maliciously changed to execute mode. That means that even if an attack manages to inject malware into the kernel, KMCI will prevent it from running.
With Windows 10, Microsoft has acted to slow down attacks. Consider that the OS now has three different, overlapping technologies to let you control application usage:
- Software Restriction Policies go back a long way in Windows.
- AppLocker saw its debut in Windows Server 2008 R2 and Windows 7 as a way to help administrators control how users access executable files. Windows 10 enhances AppLocker with service white-listing, mobile device management and Windows Management Instrumentation (WMI).
- Code Integrity now ties application control to both software and hardware.
If you’re really serious about taking advantage of Device Guard and the full spectrum of malware-defeating technologies built into Windows 10, you’ll discover that the hardware you buy really matters. You’ll want TPM and UEFI built into your endpoints.
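A way to check an endpoint for the prerequisites this post calls out (UEFI, Secure Boot, TPM, and whether VBS, HVCI and Code Integrity are actually running), as an added PowerShell example that is not part of the original post. It relies on the built-in Confirm-SecureBootUEFI and Get-Tpm cmdlets and the Win32_DeviceGuard CIM class; the function name and the enum decoding tables are assumptions drawn from that class's documented values. Run it elevated on Windows 10.

```powershell
# Report whether this endpoint can make full use of Device Guard and VBS.
function Get-DeviceGuardReadiness {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and
    # throws on legacy BIOS, so a caught error means no UEFI at all.
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }
    $firmware = if ($null -eq $secureBoot) { 'BIOS/Legacy' } else { 'UEFI' }

    # TPM presence and readiness (Get-Tpm fails if no TPM driver is loaded).
    try { $tpm = Get-Tpm } catch { $tpm = $null }

    # Device Guard / VBS state as reported by the OS.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Decode the documented enums:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running
    #   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (KMCI inside VBS)
    #   *CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $vbsNames = @('Off', 'Configured', 'Running')
    $ciNames  = @('Off', 'Audit', 'Enforced')

    [PSCustomObject]@{
        Firmware            = $firmware
        SecureBoot          = [bool]$secureBoot
        TpmPresent          = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady            = [bool]($tpm -and $tpm.TpmReady)
        VBS                 = $vbsNames[$dg.VirtualizationBasedSecurityStatus]
        HVCIRunning         = [bool]($dg.SecurityServicesRunning -contains 2)
        CredentialGuard     = [bool]($dg.SecurityServicesRunning -contains 1)
        KernelModeCI        = $ciNames[$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCI          = $ciNames[$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

$r = Get-DeviceGuardReadiness
$r | Format-List

# Summarise the gaps that matter for Device Guard on this hardware.
$gaps = @()
if (-not $r.SecureBoot)   { $gaps += 'Secure Boot is off or firmware is legacy BIOS' }
if (-not $r.TpmReady)     { $gaps += 'TPM is missing or not ready' }
if ($r.VBS -ne 'Running') { $gaps += 'virtualization-based security is not running' }
if ($gaps) { Write-Warning ('Not Device Guard ready: ' + ($gaps -join '; ')) }
else       { Write-Host 'Device Guard prerequisites are present on this endpoint.' }
```

Running this across a fleet (for example through a remoting session) quickly shows which hardware models can be moved to enforced Code Integrity and which will need replacing first.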
Under the Hood with Windows 10 Security – On-demand webcast
Take a few minutes to listen to Randy Franklin Smith’s webcast, Under the Hood with Windows 10 Security. I’ve included the time stamps so you can fast-forward to the topics of most interest to you.