Best new Windows 10 security features: Biometric authentication, Edge browser

Here's what you need to know about each security update to Windows 10 as they roll out from Microsoft. Now updated for the 20H2 feature release.

Page 4 of 5

Microsoft Edge will open the site in an isolated Hyper-V-enabled container that is separate from the host operating system. If the untrusted site is malicious, the host PC is protected, and because the isolated container is anonymous, an attacker can't get to your employee's enterprise credentials. Enabling Application Guard requires hardware that supports virtualization. Then go into Control Panel > Programs and Features > Turn Windows features on or off and select the Windows Defender Application Guard feature to install it. As of 1803 this major protection is included in the Pro SKU and is no longer limited to the Enterprise edition.

Ransomware protection

First introduced in 1709, Controlled Folder Access, which protects the local folders most often attacked by ransomware, has been moved to its own location in the Windows Security section. If you subscribe to Office 365, additional ransomware protections and detections have been included. If you are a Personal or Home subscriber, Ransomware Detection now notifies you when your OneDrive files have been encrypted.

Kiosk mode

Often in enterprises, you want to deploy what is termed “kiosk mode”: a locked-down browser with a minimal amount of application support. With the release of 1803, Intune is now the preferred method to deploy a Windows 10 system in kiosk mode. As noted by Microsoft, the Kiosk Browser can be deployed from the Microsoft Store. Once deployed, you can configure a start URL, allowed URLs, and enable or disable navigation buttons through the deployment.

Windows S mode

The biggest change, and largest potential security gain, is the introduction of Windows S mode. It enables a locked-down deployment model similar to how mobile phones can only install apps from the mobile phone vendor’s store. Applications are Microsoft-verified for security and performance and can only be deployed from the Microsoft Store.

Security baseline draft released

Finally, Microsoft has released a draft of the recommended security baseline for 1803. The differences between the draft for 1803 and the released baseline for 1709 include:

  1. Two scripts to apply settings to local policy: one for domain-joined systems and one that removes the prohibitions on remote access for local accounts, which is particularly helpful for non-domain-joined systems, and for remote administration using Local Administrator Password Solution (LAPS)-managed accounts.
  2. Increased alignment with the Advanced Auditing recommendations in the Windows 10 and Windows Server 2016 security auditing and monitoring reference document.
  3. Updated Windows Defender Exploit Guard Exploit Protection settings (a separate EP.xml file).
  4. New Windows Defender Exploit Guard Attack Surface Reduction (ASR) mitigations.
  5. Removal of numerous settings that no longer provide mitigations against contemporary security threats. The GPO differences are listed in a spreadsheet in the package’s Documentation folder.

Again, your organization should upgrade to the 1803 release once it has tested and verified compatibility and checked with its vendors. The release is expected to be declared semi-annual channel, and thus ready for business, in three to four months.

Windows 10 1709

The Windows 10 Fall Creators Edition release is, in my opinion, the first release where Microsoft is vastly increasing and acknowledging the impact of ransomware. Key security features included in the 1709 release give IT professionals additional means to prevent and defend against ransomware. Here are the edition’s key features:

Windows Defender Exploit Guard

Windows Defender Exploit Guard is the name for four different feature sets that help block and defend against attacks: Exploit Protection, Attack Surface Reduction, Network Protection, and Controlled Folder Access. Exploit Protection is the only feature that works if you use a third-party antivirus tool; the other three require Windows Defender and will not work with third-party antivirus software. This prerequisite is unlikely to change, because the features rely on Windows Defender to provide the needed API and infrastructure.

Exploit Protection

This is the only one of the four Exploit Guard technologies that does not require Windows Defender to be your primary antivirus. Exploit Protection can be controlled via Group Policy or PowerShell. An additional cloud-based logging service, Windows Defender Advanced Threat Protection, provides forensic evidence of threats and attacks that can be used to better track and investigate Exploit Guard events; enabling it is not mandatory.

To enable Exploit Protection, begin by deploying the technology on test machines before deploying widely. Open Settings, go to Update and Security, open the Windows Defender app, and then open the Windows Defender Security Center. Then go into App and Browser Control and scroll down to Exploit Protection. Open Exploit Protection Settings.

By default, Windows 10 has the following settings:

  • Control Flow Guard (CFG) (on by default) is a mitigation that prevents redirecting control flow to an unexpected
  • Data Execution Prevention (DEP) (on by default) is a security feature that was introduced in Vista and later platforms. The feature helps to prevent damage to your computer from viruses and other security threats. DEP protects your computer by monitoring programs to make sure they use system memory safely. When DEP senses malware, it might trigger a blue screen of death to protect the operating system.
  • Force Randomization for Images (Mandatory ASLR) (off by default) is a technique to defeat attackers by randomizing where processes are positioned in memory. Address space layout randomization (ASLR) places address space targets in unpredictable locations, so if an attacker attempts to launch an exploit, the target application crashes (blue screen) and the attack is stopped.
  • Randomize Memory Allocations (Bottom-up ASLR) (on by default) randomizes bottom-up allocations (VirtualAlloc() and VirtualAllocEx()). Attacks that bypass ASLR and DEP on Adobe Reader are prevented with this setting.
  • Validate Exception Chains (SEHOP) (on by default) prevents an attacker from using the Structured Exception Handler (SEH) overwrite exploitation technique. Since it was first published in September 2003, this technique has been a staple of many attackers’ arsenals.
  • Validate Heap Integrity (on by default) protects against memory corruption attacks.

You can set both system settings and program settings and then export them in an XML file to then deploy them to other computers via PowerShell.
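The staged workflow above in PowerShell, as an added example that is not code from the article or from Microsoft: enable Mandatory ASLR system-wide on a test machine, add program settings for one application, export the result to XML and import that file on another machine. The application name, the XML path and the Dep/Cfg property names read back from Get-ProcessMitigation are assumptions for illustration.

```powershell
# Added example: stage Exploit Protection on a test machine, export the
# settings to XML, and import the same XML on other machines.
# Run from an elevated PowerShell session on Windows 10 1709 or later.

# Show the current system-wide mitigations to compare with the defaults above.
Get-ProcessMitigation -System

# Mandatory ASLR (ForceRelocateImages) is off by default. Forcing it on
# system-wide can break older programs not built with /DYNAMICBASE, so do it
# on a test machine first and watch for application crashes.
Set-ProcessMitigation -System -Enable ForceRelocateImages

# Program settings override system settings for one executable. Here DEP
# and CFG are forced on for a test application (placeholder name).
Set-ProcessMitigation -Name 'notepad.exe' -Enable DEP,CFG

function Test-ProgramMitigation {
    # Read back one program's settings and report whether DEP and CFG are on
    # (Dep/Cfg property names assumed from Get-ProcessMitigation's output).
    param([string]$Name)
    $m = Get-ProcessMitigation -Name $Name
    [pscustomobject]@{
        Program = $Name
        DEP     = $m.Dep.Enable
        CFG     = $m.Cfg.Enable
    }
}
Test-ProgramMitigation -Name 'notepad.exe'

# Export everything (system and per-program settings) to an XML file ...
$xml = Join-Path $env:TEMP 'ExploitProtection.xml'
Get-ProcessMitigation -RegistryConfigFilePath $xml

# ... and on the next machine import it, or point the "Use a common set of
# exploit protection settings" group policy at the same file.
Set-ProcessMitigation -PolicyFilePath $xml
```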

Attack Surface Reduction

Attack Surface Reduction is a new set of rules that primarily block Office, Java, and other zero-day-type attacks. With the addition of a Windows E5 license and Windows Defender Advanced Threat Protection, you receive cloud-based alerts when these rules are triggered; however, the E5 license is not mandatory to manage and defend systems. This is one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.

To enable these protections, you can use group policy, registry keys, or mobile device management. To enable via group policy, go to Computer Configuration in the Group Policy Management Editor, then Policies, then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction. Double-click the Configure Attack surface reduction rules setting and set the option to Enabled. To enable Attack Surface Reduction using PowerShell, enter Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled.

Now you need to determine what you plan on blocking. It is recommended to begin in audit mode to evaluate the impact on your network and devices. The values you can set to enable Attack Surface Reduction are:

  • Disabled = 0
  • Block mode = 1
  • Audit mode = 2

Once you have determined that the protection will not impact productivity, set the value to 1 (block mode) to fully enable the protections. Enter each rule on a new line as a name-value pair: the rule’s GUID, then 1 to enforce blocking, 0 to disable the rule, or 2 to audit. When beginning to evaluate rules, set the value to 2 and monitor the results in the event log.

  • Name column: Enter a valid ASR rule ID or GUID
  • Value column: Enter the status ID that corresponds to the state you want for the associated rule

The following rules can be enabled to better protect your computer and your network.

Rule: Block executable content from email client and webmail. ASR Rule ID or GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550

  • Blocks executable files (such as .exe, .dll, or .scr)
  • Blocks script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
  • Blocks script archive files

Rule: Block Office applications from creating child processes. ASR Rule ID or GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A

This rule blocks Microsoft Office applications from creating child processes. This is typical malware behavior, especially with macro-based attacks.

Rule: Block Office applications from creating executable content. ASR Rule ID or GUID: 3B576869-A4EC-4529-8536-B80A7769E899

This rule blocks Office applications from creating executable content. This is typical malware behavior. Attacks often use Windows Scripting Host (.wsh files) to run scripts.

Rule: Block Office applications from injecting code into other processes. ASR Rule ID or GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84

Office applications such as Word, Excel, and PowerPoint will not be able to inject code into other processes. Malware typically uses this to avoid antivirus detection.

Rule: Block JavaScript or VBScript from launching downloaded executable content. ASR Rule ID or GUID: D3E037E1-3EB8-44C8-A917-57927947596D

This rule blocks the use of JavaScript and VBScript to launch applications, thus preventing malicious use of scripts to launch malware.

Rule: Block execution of potentially obfuscated scripts. ASR Rule ID or GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC

This rule prevents scripts that appear to be obfuscated from running. It uses the Antimalware Scan Interface (AMSI) to determine if a script is malicious.

Rule: Block Win32 API calls from Office macro. ASR Rule ID or GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

Malware often uses macro code in Office files to import and load Win32 DLLs, which then use API calls to further infect the system.
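The audit-first rollout the section recommends, written out as an added PowerShell example (not the article's or Microsoft's code): the seven rule GUIDs listed above are applied in audit mode, the Defender operational log is reviewed for rule hits, and only then are the rules switched to block mode. The Set-AsrRuleMode and Get-AsrEvents function names are this example's own, and the EventData fields are read without assuming their names.

```powershell
# Added example: roll out the ASR rules listed above in audit mode, review
# what they would have blocked, then switch them to block mode. Run elevated.
if (-not (Get-MpComputerStatus).AntivirusEnabled) {
    throw 'Windows Defender Antivirus is not active; ASR rules will not apply.'
}
# Rule GUIDs exactly as listed in the article, keyed to a short label.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Executable content from email/webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Office injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JS/VBScript launching downloaded executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Win32 API calls from Office macros'
}
function Set-AsrRuleMode {
    # Apply one mode to every rule; Ids and Actions are matched by position.
    # Add-MpPreference merges with existing rules; Set-MpPreference would replace the list.
    param([string[]]$Ids, [ValidateSet('Disabled','AuditMode','Enabled')][string]$Mode)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                     -AttackSurfaceReductionRules_Actions (@($Mode) * $Ids.Count)
}
function Get-AsrEvents {
    # 1122 = rule fired in audit mode, 1121 = rule fired in block mode.
    param([int]$Days = 7)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 1121, 1122; StartTime = (Get-Date).AddDays(-$Days)
    } | ForEach-Object {
        # Collect EventData fields; map whichever one holds a rule GUID back to its label.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $guid = $data.Values | Where-Object { $AsrRules.ContainsKey("$_".Trim('{}')) } | Select-Object -First 1
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
            Rule    = $AsrRules["$guid".Trim('{}')]
            Details = ($data.GetEnumerator() | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}
# Step 1: audit mode for all seven rules, then run normal workloads for a while.
Set-AsrRuleMode -Ids @($AsrRules.Keys) -Mode AuditMode
# Step 2: review the hits; rules with only expected activity are candidates for block mode.
Get-AsrEvents | Group-Object Rule | Select-Object Count, Name
# Step 3 (later, after review): move to block mode and confirm the configured state.
Set-AsrRuleMode -Ids @($AsrRules.Keys) -Mode Enabled
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```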

Network Protection

Network Protection is designed to protect your computer and your network from domains that may host phishing scams, exploits, and other malicious content on the internet. It can be enabled either via PowerShell or Group Policy. In the Group Policy Management Editor go to Computer Configuration, then Policies, then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection. Double-click the Prevent Users and Apps from Accessing Dangerous Websites setting and set the option to Enabled.

To enable using PowerShell, enter Set-MpPreference -EnableNetworkProtection Enabled. To enable audit mode type in Set-MpPreference -EnableNetworkProtection AuditMode. To fully enable protection, you need to reboot the computer.

Once enabled, you can test the feature by visiting this website. The site should be blocked and you should see a notification in the system tray indicating the site’s threat status. Network Protection relies on Microsoft SmartScreen technology to block websites, so if a false positive is found, you must submit a request to whitelist the website using Microsoft’s submission page.

This is one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.

Controlled Folder Access

Controlled Folder Access is designed to prevent and defend against typical ransomware attacks. It can be enabled using the Windows Defender Security Center app, Group Policy, PowerShell, or configuration service providers for mobile device management. Every application that accesses an executable file (including .exe, .scr, and .dll files) is assessed through the Windows Defender Antivirus interface to determine if it is safe. If the application is malicious, it is blocked from making changes to files in protected folders.

Certain folders are protected by default, and the administrator can add folders they deem in need of additional protection. To enable Controlled Folder Access via PowerShell, type the following command: Set-MpPreference -EnableControlledFolderAccess Enabled. To enable it via Group Policy, open the Group Policy Management Editor, go to Computer Configuration, click Policies, then Administrative Templates, and then expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access. Double-click the Configure Controlled Folder Access setting and set the option to Enabled.

By default, the following folders are enabled for protection:

  • C:\Users\<user>\Documents
  • C:\Users\Public\Documents
  • C:\Users\<user>\Pictures
  • C:\Users\Public\Pictures
  • C:\Users\<user>\Videos
  • C:\Users\Public\Videos
  • C:\Users\<user>\Music
  • C:\Users\Public\Music
  • C:\Users\<user>\Desktop
  • C:\Users\Public\Desktop
  • C:\Users\<user>\Favorites
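Network Protection and Controlled Folder Access staged the same way, as an added PowerShell example that is not from the article or from Microsoft: both features go into audit mode, a folder beyond the defaults above is protected, one trusted application is allowed, and the Defender operational log is summarised before switching to block. The folder and application paths and the two function names are placeholders chosen for this example.

```powershell
# Added example: enable Network Protection and Controlled Folder Access in
# audit mode, extend the protected folders beyond the defaults listed above,
# allow one trusted application, and review what would have been blocked.
# Run elevated; both features require Windows Defender as the active antivirus.
Set-MpPreference -EnableNetworkProtection AuditMode
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Extra protected folder and an allowed application (placeholder paths).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Shared'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleBackup\backup.exe'

function Get-ExploitGuardStatus {
    # Read back the effective configuration for both features.
    $p = Get-MpPreference
    [pscustomobject]@{
        NetworkProtection   = $p.EnableNetworkProtection      # 0 = off, 1 = block, 2 = audit
        ControlledFolders   = $p.EnableControlledFolderAccess # same encoding
        ProtectedFolders    = $p.ControlledFolderAccessProtectedFolders
        AllowedApplications = $p.ControlledFolderAccessAllowedApplications
    }
}

function Get-ExploitGuardHits {
    # Defender operational log: 1123/1124 = Controlled Folder Access block/audit,
    # 1125/1126 = Network Protection audit/block. Summarise by event ID.
    param([int]$Days = 7)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 1123, 1124, 1125, 1126; StartTime = (Get-Date).AddDays(-$Days)
    } | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            EventId = $_.Name
            Feature = if ([int]$_.Name -le 1124) { 'Controlled Folder Access' } else { 'Network Protection' }
            Count   = $_.Count
            Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).Message
        }
    }
}

Get-ExploitGuardStatus
Get-ExploitGuardHits -Days 7 | Format-Table -AutoSize -Wrap

# Once the audit results show only expected activity, switch both to block
# mode (Network Protection needs a reboot to take full effect, as noted above).
# Set-MpPreference -EnableNetworkProtection Enabled
# Set-MpPreference -EnableControlledFolderAccess Enabled
```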