Introduction

Windows 10 security is arranged in an interesting way and is divided into 3 big parameters:

  • Identity and access management
  • Threat protection
  • Information security

It would take a book to fully describe the entire set of rules, settings, and security features of Windows 10. There are many key points in configuring both Windows Defender and all of its components. Therefore, we will limit ourselves to specific cases of targeted attacks and show the options and features that the developers of Windows 10 provided to help save time, money and nerves in such cases.

Windows 7 and Windows 10 security

At the time of the release of Windows 7, in 2009, security was built the way the circumstances of the time and the attacks of the time required. At the time of writing, it still receives servicing updates, which include vulnerability patches and bug fixes, but it no longer changes significantly and no new features are added. On January 14, 2020, Microsoft ends support for the operating system altogether. As hard as it is for many to accept, Windows 7 is an obsolete product. For Windows 10, the update approach has changed: new releases come out every year, and with each of them, every six months, not only code fixes and patches are installed but security features are also updated and added.

If you compare the security of Windows 7 and Windows 10, the built-in antivirus in “10” is far from the whole picture. Let’s take, for example, how each of these operating systems stores credentials in memory, and compare.

In practice this is checked very simply: there are many programs that can read process memory, for example Mimikatz.

Open it at the command line as administrator on both operating systems and type the sequence of commands:

mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords full

Figure 1: How the Mimikatz program works

With this utility we target the process lsass.exe, which stores user credentials. On Windows 7 we get the user’s password in clear text, while on Windows 10 we get only the NTLM hash of the password. In other words, the newer operating system no longer keeps passwords in plaintext. It follows that the newer the software, the better its resistance to attacks, and the faster an organization updates its software fleet, the less vulnerable its information infrastructure is.

Defending against a fileless attack

Hackers often use spam campaigns to launch an attack. These are based on sending emails with malicious attachments which, once opened, give the attackers a way into the network.

The files can be of different types and exploit different vulnerabilities of operating systems. If the system is protected by antivirus, the malicious actions are likely to be blocked and the file deleted. But there are attacks that antivirus is unable to block, for example MS Office documents with malicious macros. The document itself may be harmless in form, with no suspicious signatures or strange behavior, but the macro can be written so that it downloads the payload from a remote server and executes it on the system. Neither Windows 10 nor any third-party antivirus reacts to such an attack, since the file was checked before launch and it merely runs the macro; nobody looks at what exactly the code does, and there is not much left to fight against, since all that remains is code in memory. These are called fileless or objectless attacks (there is no executable file on disk) and they are the most dangerous type of spam.

For those who do not use macros, the easiest protection is simply to disable them. But what measures should be taken when macros are necessary? After all, it is hard to distinguish between macros that are needed and those used by attackers. For this purpose, Windows 10 includes Windows Defender Exploit Guard, a set of features that comprises:

  • exploit protection;
  • attack surface reduction;
  • network protection;
  • controlled folder access.

You can find a more detailed description of all the features in Microsoft’s documentation. An important point: almost all components depend on the built-in antivirus in Windows 10. That is, if a third-party antivirus is installed, Windows Defender Exploit Guard will only be able to provide exploit protection. The rest of the listed functions only work when Windows Defender is enabled!

To protect against fileless attacks, you need the attack surface reduction feature. It contains about 14 rules. On this page you can find descriptions of the rules and their GUIDs. In this case you should enable the “Blocking creation of executable content by Office applications” rule with the GUID “3B576869-A4EC-4529-8536-B80A7769E899”. This rule blocks third-party applications from being launched directly by the macro.

To enable this rule, open the Local Group Policy Editor and, under Computer Configuration, go to: Administrative Templates → Windows Components → Windows Defender → Windows Defender Exploit Guard → Attack Surface Reduction. Next, open “Configure Attack Surface Reduction rules”.

Enable the function by selecting the “Enabled” radio button and clicking the “Show” button. In the window that opens, enter the GUID of the rule and its value. The values take the form:

  • 0 – disabled (the rule does nothing)
  • 1 – block
  • 2 – audit (does not block, only logs).

Let’s turn the feature on, add a rule and try to execute the file with the malicious macro.

Figure 2: Malicious action blocking alert

At this point you will get a notification that the macro actions are blocked. But if you run a macro which, for example, calculates the price of a discount on an item inside a table, the Defender will not block it.
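The same rule can be managed without the Local Group Policy Editor, through the Windows Defender PowerShell cmdlets. The following is an added example (not code from the original article); it assumes an elevated PowerShell session on Windows 10 with Windows Defender Antivirus active, and the helper function names are ours.

```powershell
# GUID of the "Block Office applications from creating executable content" rule (from the article)
$OfficeExecRule = '3B576869-A4EC-4529-8536-B80A7769E899'

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        # Same meaning as the Group Policy values: Disabled = 0, Enabled = 1 (block), AuditMode = 2 (log only)
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode')][string]$Mode
    )
    # Add-MpPreference merges this rule into the existing list; other ASR rules are left untouched
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Mode
}

function Get-AsrRuleMode {
    # Returns the numeric action currently configured for the rule (0 if it is not configured at all)
    param([Parameter(Mandatory)][string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) { return [int]$pref.AttackSurfaceReductionRules_Actions[$i] }
    }
    return 0
}

function Get-AsrRuleEvents {
    # Defender writes event 1121 when a rule blocks and 1122 when it only audits; this is where
    # you see which macro-launched documents would have been stopped before switching to block mode
    param([Parameter(Mandatory)][string]$RuleId, [int]$Last = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RuleId } |
        Select-Object TimeCreated, Id, Message
}

# Roll out in audit mode first, review the events, then switch to blocking
Set-AsrRuleMode -RuleId $OfficeExecRule -Mode AuditMode
Get-AsrRuleMode -RuleId $OfficeExecRule      # 2 = audit
Get-AsrRuleEvents -RuleId $OfficeExecRule
Set-AsrRuleMode -RuleId $OfficeExecRule -Mode Enabled
Get-AsrRuleMode -RuleId $OfficeExecRule      # 1 = block
```

A rule that is also set through Group Policy takes the policy value, so check the effective mode with Get-AsrRuleMode after a policy refresh.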

Windows 10 virtualization

Ideally, an organization’s information security policy requires that users have no local administrator privileges on any workstation, but in practice this is hard to enforce; one or two workstations usually have such rights anyway. The Mimikatz example showed how the NTLM hash of a user’s password can be retrieved from the memory of the lsass.exe process. That hash can still be used by an attacker: it is harder than a plaintext password, but it is usable.

This reveals a problem in the Windows operating system architecture. If a user has local administrator privileges, they can do everything on that machine, and this paradigm cannot be broken because most Windows applications rely on it. So the question arises: how do you protect some data so that nobody can access it, whatever their privileges, while still keeping the local administrator? In Windows 10 the answer is the Virtualization-Based Security feature.

This feature allows you to run a virtual environment outside of the operating system, and inside that virtualization run data containers. And since the hypervisor is closer to the computer hardware than the operating system itself, the virtual environment itself determines the level of trust in the virtual containers.

Figure 3: Windows 10 Virtualization-Based Security Architecture

The bottom line is that even if you have a local administrator working on the system, they can’t access the data in the virtual containers. And only some system requests can be sent to the container.

But you cannot store everything in virtual containers. They hold specially designed components, so-called trustlets. One of them is Credential Guard. With it, you can no longer dump the lsass.exe process together with all the credentials it holds. To be more precise: you can dump it, but the LSA process is split, and the part that stores the credentials lives in a virtual container.

The disadvantages of this technology:

  • So far, only domain credentials can be protected this way (if other credentials have been entered, they will remain in memory).
  • Requires modern hardware, preferably with a TPM 1.2 or 2.0 crypto chip.
  • This technology can only be run on Windows Enterprise, which requires separate licensing and is quite expensive.

It is not reasonable to switch the entire infrastructure to this technology, but on two or three workstations, where local administrator credentials are used, it would not be superfluous.

You can download the Device Guard and Credential Guard hardware readiness tool from Microsoft’s official site to check whether the workstation is ready for this feature to be enabled, and to enable it. The tool is a PowerShell script. Run without switches, it checks the machine’s readiness; the “-Enable -CG” switches turn on Windows Credential Guard together with Windows 10 Virtualization-Based Security.

After enabling it and rebooting, another process will appear in Task Manager (if the computer is in the domain): LsaIso.exe, the second part of lsass.exe, which runs in the container together with the credentials. This process cannot be dumped, and lsass itself now contains only an encrypted NTLM hash, which is unrealistic to use in practice.

To make sure that virtualization is running, you have to go to “System Information”, and the item “Virtualization-based security: configured services” should have a Credential Guard value next to it.
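The System Information check above can also be scripted, which is handy when you want to verify the two or three workstations the article mentions from a central place. This is an added example, not code from the original article; it assumes a domain-joined Windows 10 Enterprise machine, and the function name is ours. The Win32_DeviceGuard class, the LsaCfgFlags registry value and the LsaIso.exe process name are Microsoft’s.

```powershell
function Get-CredentialGuardState {
    # Win32_DeviceGuard is the same data that "System Information" shows under
    # "Virtualization-based security"; 1 in the service lists means Credential Guard, 2 means HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $cgConfigured = @($dg.SecurityServicesConfigured) -contains 1
    $cgRunning    = @($dg.SecurityServicesRunning)    -contains 1

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # LsaCfgFlags: 1 = Credential Guard enabled with UEFI lock, 2 = enabled without lock, 0/absent = off
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags

    # The isolated LSA process the article describes as the "second part of lsass.exe"
    $lsaIso = Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue

    # TPM presence, since the article recommends TPM 1.2/2.0 hardware for this feature
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsRunning                = $vbsRunning
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        LsaCfgFlags               = $lsaCfg
        LsaIsoProcessPresent      = ($null -ne $lsaIso)
        TpmPresent                = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady                  = [bool]($tpm -and $tpm.TpmReady)
    }
}

# A machine is protected only when all three are true: VBS running, Credential Guard running, LsaIso present
$state = Get-CredentialGuardState
$state
if (-not ($state.VbsRunning -and $state.CredentialGuardRunning -and $state.LsaIsoProcessPresent)) {
    Write-Warning "Credential Guard is not fully active on $($state.ComputerName)"
}
```

“Configured but not running” after a reboot usually points to missing hardware prerequisites (virtualization extensions, UEFI/Secure Boot or TPM), which is exactly what the readiness tool reports.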

Protecting data from leakage

In a certain scenario, there is an assumption that a user may inadvertently (or not) share information with third parties. This data can be very valuable, and the reputation or work of a company may depend on it.

It is also possible that the data carrier has been lost or the device has been accessed without authorization. In such cases, obtaining data from devices is only a matter of time, and a very short one at that.

For example, take the situation when an intruder gains access to a workstation. It is enough to boot from the rescue media, and with the command line (Shift+F10) we have full access to the data on the hard drive: we can copy and delete them.

To avoid this situation and to protect the information on the disk from attackers, Windows 10 provides the BitLocker disk encryption feature, although it is only available in the Windows 10 Pro, Enterprise and Education editions.

To enable disk encryption, go to Computer Configuration > Administrative Templates > Windows Components in Group Policy and select “Operating System Disks”. Next, select “This policy setting allows you to configure the requirement for additional authentication at startup.”

In the new window, select the Enabled check box, select the Allow BitLocker without a compatible trusted platform module check box, and click OK.

Now open “Control Panel”, go to “BitLocker Drive Encryption”, click “Turn on BitLocker” and follow the instructions on the screen. Once the disk is encrypted, at every boot you must enter the password you set when you enabled the feature.

Figure 8: BitLocker prompts you to enter the password to boot the OS

If you do not enter the password within one minute, the computer will automatically shut down.

There are a couple of things to keep in mind when encrypting a disk:

  • You need to get hold of recovery keys – just in case you can’t access the encrypted drive. And within the company, you will want to keep these keys in the Active Directory.
  • You must have a copy of the data that is on the encrypted disk. If, for example, the disk was physically damaged and the data needs to be extracted from it, there is no guarantee that it will be possible to decrypt the data.
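The two points above, having a recovery key and keeping it in Active Directory, can be checked and enforced with the BitLocker PowerShell module. The following is an added example, not code from the original article; it assumes a domain-joined Windows 10 Pro/Enterprise machine, an elevated session, and that the Group Policy setting for storing BitLocker recovery information in AD DS is already in place (an assumption). The function names are ours; the cmdlets are Microsoft’s.

```powershell
function Get-OsDriveBitLockerStatus {
    # Summarises the state of the operating system drive and which protectors it has
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint         = $os.MountPoint
        ProtectionStatus   = $os.ProtectionStatus      # On / Off
        VolumeStatus       = $os.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
        EncryptionPercent  = $os.EncryptionPercentage
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        # Password-only protection (no compatible TPM) is what the article's policy allows
        HasTpmProtector    = [bool]($types | Where-Object { $_ -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
    }
}

function Backup-OsDriveRecoveryPasswordToAd {
    # Makes sure a 48-digit recovery password exists and escrows it to the computer object in AD,
    # so the help desk can recover the drive if the user forgets the startup password
    $drive = $env:SystemDrive
    $rp = @((Get-BitLockerVolume -MountPoint $drive).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $drive).KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    foreach ($p in $rp) {
        # Backup-BitLockerKeyProtector writes the recovery password to AD DS for this computer object
        Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $p.KeyProtectorId | Out-Null
        $p.KeyProtectorId
    }
}

$status = Get-OsDriveBitLockerStatus
$status
if ($status.ProtectionStatus -eq 'On' -and -not $status.HasRecoveryPassword) {
    Write-Warning "No recovery password on $($status.MountPoint); adding one and backing it up to AD"
}
if ($status.ProtectionStatus -eq 'On') { Backup-OsDriveRecoveryPasswordToAd }
```

Confirm the escrow on a domain controller by looking at the msFVE-RecoveryInformation objects under the computer account, which is where the “keep these keys in the Active Directory” advice above ends up.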

Conclusions

Microsoft developers have done a tremendous job in protecting Windows 10. This operating system responds well not only to a malicious exe-file (the built-in antivirus handles malware just as well as big-name third-party antiviruses; the only pity is that its signature updates arrive much less frequently) but also repels many other sneaky attacks by hackers.

As implicitly mentioned, software updates are an essential link in an organization’s information security chain. Unfortunately, it is often a weak link, along with the lax vigilance of administrators and the negligence of users.

Based on all of the above, upgrading the operating system fleet to Windows 10 is not merely a desirable but a necessary action that should be part of any organization’s information security strategy for the near future. But, as with any other software, the protection of Windows 10 should be configured by competent professionals who know their business.
