Windows is not known for its security protection; attackers mostly target Windows devices because of the large install base and lenient security practices. Most IT admins know the pain of trying to clean an infected Windows machine from a multitude of toolbars, ad programs, malware and viruses. In a large organization, this problem is compounded since a successful attack could give access to sensitive information that could compromise the company’s existence.
The average attack has access to an internal network for over 200 days — before it’s discovered. Attackers seek out these vulnerabilities to gain access to the internal network, gathering information and looking for weak spots to cause the most amount of damage. How can you protect from these types of attacks — especially now that your users and data are more mobile than ever? Windows 10 Enterprise has many new features that add many more layers of security besides traditional anti-virus.
One example is virtualization-based security (VBS), which isolates potential security threats and prevents them from accessing or infecting other parts of your computer. One of the downfalls of most security protections is that they are too intrusive. That isn’t the case with VBS; in most circumstances the user is unaware of the extra security.
Baked-In Security Features
Windows 10 has three VBS features that target specific potential vulnerabilities.
Device Guard locks down a device so it can only execute applications that are allowed using a combination of hardware and software features. The previous feature that was used to restrict applications, AppLocker, was limited in how it identified applications and required much more administration to make it work effectively. Device Guard is much more intelligent, since it uses the code signing of an application to determine the validity of the publisher and the executable. It is also easier to manage since entire publishers can be trusted, such as Microsoft, Adobe, etc.
Credential Guard goes a step deeper in protecting sensitive system processes so they can access credentials when needed. Common attacks look to gather credentials from machines in processes that are not protected. Credential Guard protects NTLM password hashes, Kerberos Ticket Granting Tickets and stored credentials so they can’t be used in attacks such as Pass-the-Hash or Pass-the-Ticket.
Application Guard, an upcoming feature scheduled for 2017, adds additional security for applications or files that are downloaded through Microsoft Edge. This is a valuable add-on since most viruses and malware are downloaded from the internet. Application Guard will download a file and run it within a virtual machine to determine if it is safe before allowing the user to access the file. If the file attempts to infect the machine, access will be denied, preventing the machine from being infected.
Supporting Windows 10 Security
These features using VBS rely on Hyper-V to isolate processes and files from the operating system and mass destruction. Hyper-V is not just for running virtual machines, it can be used for a variety of purposes. Though to get the most from these features the hardware should support UEFI, TPM, SLAT, AMD-V/VT-x and a 64-bit CPU. Most current hardware already has these features, but many users haven’t converted to using UEFI or a 6-bit OS, which may prevent adopting any of these features. If you are replacing hardware and upgrading to Windows 10, then make the switch now to use UEFI and enabled the required features in the system firmware.
Windows 10 is taking steps to provide the next generation of security protections. Utilizing Credential Guard, Device Guard and Application Guard provide extra layers of security beyond traditional legacy anti-virus and firewall. Virtualization-based security leverages the latest hardware to allow deep protection to system processes, applications and user data. Most of the features are easy to enable if you have the right hardware and security features enabled.