With the new era of Windows as a service, Microsoft is rolling out changes to the operating system twice a year. Many of those changes will allow you to improve your security posture and offer more security choices. You no longer have to wait for a new operating system to deploy new security features.
Below is a summary of all the new security features and options in Windows 10 version 1803, which I call the privacy edition. Bookmark this article, because we will be adding new security features as Microsoft releases future Windows updates.
Windows 10 1803: The privacy edition
This edition was slated to be released in March 2018. Due to quality and release issues including reported blue screens of death in some of the final testing releases, the feature release date was postponed to April 30. It is encouraging to see that Microsoft is putting an emphasis on quality and not just depending on shipping the feature update as a key milestone.
For best results, install your video driver and motherboard updates before installing any feature update. It’s also wise to reach out to your vendors, specifically for any third-party security software you depend on. Many have security software releases ready to go as Windows 1803 is released. Others might need time to revise their software to work with the new edition.
Windows 1803 is deemed to be in semi-annual targeted release. Enterprises should test and confirm that the update is acceptable to the business. In a few months when Microsoft declares the software is “semi-annual channel,” it’s deemed to be ready for businesses to fully deploy and for broader release. When Microsoft announces that release date, it will be re-released to the Windows Software Update Services channel and other enterprise patching platforms to allow for broader release.
The next feature release is expected in the September time frame. Windows is also aligning its feature release timetable with Office 365 releases. Even though there are only six months between feature releases, Microsoft supports each individual release for a reasonable amount of time. Normally, Microsoft supports a Windows 10 edition with quality (security) updates for 18 months. Due to changes in Office, it added six months of support to the 1607, 1703, and 1709 versions. Thus, you can choose to skip one version and jump to the next in your deployment methodology.
Here are just a few reasons that you might want to deploy 1803 sooner versus later:
The European Union (EU) is putting into place new rules to ensure privacy for EU citizens in the form of the General Data Protection Regulation (GDPR). While not a requirement of GDPR, 1803 exposes what Microsoft is collecting from your system as telemetry.
Microsoft uses telemetry to track what features you use, the success or failure of updates, and various other settings. Enterprises in sensitive industries are often concerned that no information be shared for any reason. Before the release of 1803, if you wanted to block all telemetry and still receive Windows updates, you needed to upgrade to the Windows Enterprise edition.
To use the new Diagnostic Data Viewer you first have to enable it in Settings: go to Privacy, then Diagnostics & Feedback, and click “Diagnostic Data Viewer” to download the tool from the Microsoft Store.
You can now launch it and review what is being sent to Microsoft. The data is geared toward developers, so you might find the details a bit elusive; you can’t make sense of many of the items being tracked unless you understand the internals of the operating system. However, it’s a sign of good faith going forward that these items are now exposed and can be examined by third-party reviewers, helping us all understand what is being tracked and sent to Microsoft.
Of related interest is the online privacy center where you can log in and review what Microsoft is collecting online regarding your browsing history and Cortana use. Review this site to determine what is currently being captured from your systems. Once there you can also remove data that was sent to Microsoft.
Windows update notifications
Microsoft is making small changes to Windows update notifications so that it is much more obvious that an update is going to take place and reboot your system. It has also added settings to assist with installing. When your computer is on, Windows Update will keep an inactive computer from going to sleep for two hours when installing an update.
Windows update changes
Administrators get more group policy and registry adjustments to better throttle Windows update bandwidth in a network setting. New features are located under Administrative Templates > Windows Components > Delivery Optimization. These new controls allow you to adjust bandwidth used by foreground downloads.
The amount of bandwidth can now be limited for both Windows Update and Microsoft Store updates. Previously, you could only limit the download bandwidth. Now you can specify Maximum Foreground Download Bandwidth (percentage) or Maximum Background Download Bandwidth (percentage). The process of installing feature updates has been designed to be faster to allow your machine to get back to functional access after the feature update has been triggered.
Administrators have been given the ability to customize the roll-back window. Before, the system kept your old version for a fixed 10 days; now the administrator has DISM commands to customize the number of days the system keeps the prior version.
The following DISM commands customize the roll-back window:
- DISM /Online /Initiate-OSUninstall: initiates an OS uninstall to take the computer back to the previous installation of Windows.
- DISM /Online /Remove-OSUninstall: removes the OS uninstall capability from the computer.
- DISM /Online /Get-OSUninstallWindow: displays the number of days after upgrade during which the uninstall can be performed.
- DISM /Online /Set-OSUninstallWindow /Value:<days>: sets the number of days after upgrade during which the uninstall can be performed.
Windows Hello has received significant investment in changes to passwords and password management. First, it supports FIDO 2.0 authentication for Azure AD-joined Windows 10 devices and has more options and features for shared devices. Windows 10 S mode (more on this later) takes passwords to the next level by placing the authentication process on your mobile device.
The Microsoft Authenticator app is available for Android and iPhone and can be the authentication software used to log in, replacing the traditional password. The process that prompts you through setting up Windows Hello’s password alternatives is easier as well: you can now start it from the main log-in screen and choose Windows Hello Face, Fingerprint or PIN.
Deployment and password options
Microsoft is encouraging original equipment manufacturers to use AutoPilot to deploy and provision computers in a secure fashion for enterprises. Surface, Lenovo, and Dell currently support AutoPilot, and in the coming months Microsoft expects support from more vendors including HP, Toshiba, Panasonic, and Fujitsu. Combined with Intune, AutoPilot ensures the machine is locked during the setup process and delivered to the end-user in a secure deployment fashion.
For standalone computers, Windows 10 1803 now allows setting up security questions to make it easier to reset a local account that has a forgotten password.
Windows Defender renamed to Windows Security
Microsoft has renamed and slightly redesigned Windows Defender and is now calling it Windows Security. Virus & threat protection, account protection, firewall & network protection, app & browser control, device security, device performance & health, and family options are now sections of Windows Security. Controlled folder access, added in 1709, has moved to the Ransomware protection section.
Windows Security now shares status with Microsoft 365 services and interoperates with Windows Defender Advanced Threat Protection, Microsoft’s cloud-based forensic analysis tool. Windows Defender Exploit Guard includes virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Windows Defender Application Guard has added support for Edge and can now be enabled on Windows 10 Pro, not just the previously supported Enterprise edition. In Enterprise, Application Guard has to be enabled using Intune, Group Policy or PowerShell, but it can also be enabled on standalone computers.
Edge browser updates
The Edge browser now allows extensions when the browser is used in Private mode. In addition, with the release of 1803, Windows Defender Application Guard is available for Edge and Internet Explorer on Pro editions. You define which sites are trusted; if a user browses to an untrusted website through Microsoft Edge or Internet Explorer, Edge opens the site in an isolated Hyper-V container, separate from the host operating system.
If the untrusted site is malicious, the host PC is protected. The isolated container is anonymous, so an attacker can’t get to your employee’s enterprise credentials. Enabling Application Guard requires hardware that supports virtualization. Then go into Control Panel > Programs and Features > Turn Windows features on or off and select the Windows Defender Application Guard feature to install it. In 1803 this major protection is included in the Pro SKU and is no longer limited to the Enterprise edition.
First introduced in 1709, Controlled Folder Access, which protects local folders most often attacked by ransomware, has been moved to its own location in the Windows Security section. If you subscribe to Office 365, additional ransomware protections and detections have been included. If you are a personal subscriber or Home subscriber, Ransomware Detection now notifies you when the OneDrive files have been encrypted.
Often in Enterprises, you want to deploy what is termed “kiosk mode.” The deployment will be a locked down browser with a minimum amount of application support. With the release of 1803, Intune is now the preferred methodology to deploy a Windows 10 system in kiosk mode. As noted by Microsoft, the Kiosk Browser can be deployed from the Microsoft Store. Once deployed, you can configure a start URL, allowed URLs, and enable/disable navigation buttons through the deployment.
Windows S mode
The biggest change, and largest potential security gain, is the introduction of Windows S mode. It has the potential for a lock-down deployment methodology similar to how mobile phones can only install apps from the mobile phone vendor’s store. Applications are Microsoft-verified for security and performance and can only be deployed from the Microsoft Store.
Security baseline draft released
Finally, Microsoft has released a draft of the recommended Security baseline. The differences between the draft for 1803 and the released baseline for 1709 include:
- Two scripts to apply settings to local policy: one for domain-joined systems and one that removes the prohibitions on remote access for local accounts, which is particularly helpful for non-domain-joined systems, and for remote administration using Local Administrator Password Solution (LAPS)-managed accounts.
- Increased alignment with the Advanced Auditing recommendations in the Windows 10 and Windows Server 2016 security auditing and monitoring reference document.
- Updated Windows Defender Exploit Guard Exploit Protection settings (a separate EP.xml file).
- New Windows Defender Exploit Guard Attack Surface Reduction (ASR) mitigations.
- Removal of numerous settings that no longer provide mitigations against contemporary security threats. The GPO differences are listed in a spreadsheet in the package’s Documentation folder.
Again, your organization should upgrade to the 1803 release once it has tested and verified compatibility and checked with your vendors. It’s expected to be declared semi-annual channel, and thus ready for business, in three to four months.
Windows 10 1709: The anti-ransomware edition
The Windows 10 Fall Creators Update release is, in my opinion, the first release where Microsoft is vastly increasing its focus on, and acknowledging the impact of, ransomware. Key security features included in the 1709 release give IT professionals additional means to prevent and defend against ransomware. Here are the edition’s key features:
Windows Defender Exploit Guard
Windows Defender Exploit Guard is the name for four different feature sets that help block and defend against attacks: Exploit Protection, Attack Surface Reduction rules, Network Protection, and Controlled Folder Access. Exploit Protection is the only feature that works if you use a third-party antivirus tool. The other three require Windows Defender and will not work if you use third-party antivirus software. This prerequisite is unlikely to change because the features rely on Windows Defender for the API and infrastructure they need.
Exploit Protection
This is the only one of the four Exploit Guard technologies that does not require Windows Defender to be your primary antivirus. Exploit Protection can be controlled via Group Policy or PowerShell. An additional cloud-based logging service, Windows Defender Advanced Threat Protection, provides forensic evidence of threats and attacks that can be used to better track and investigate Exploit Guard events; it is not mandatory to enable this technology.
To enable Exploit Protection, deploy it on test machines before deploying widely. Open Settings, go to Update & Security, open Windows Defender, and then open the Windows Defender Security Center. Go into App & Browser Control, scroll down to Exploit Protection, and open Exploit Protection Settings.
By default, Windows 10 has the following settings:
- Control Flow Guard (CFG) (on by default) is a mitigation that prevents redirecting control flow to an unexpected
- Data Execution Prevention (DEP) (on by default) is a security feature that was introduced in Vista and later platforms. The feature helps to prevent damage to your computer from viruses and other security threats. DEP protects your computer by monitoring programs to make sure they use system memory safely. When DEP senses malware, it might trigger a blue screen of death to protect the operating system.
- Force Randomization for Images (Mandatory ASLR) (off by default) is a technique to frustrate attackers by randomizing where process images are placed in memory. Address space layout randomization (ASLR) places address space targets in unpredictable locations. If an attacker attempts to launch an exploit, the target application will crash (blue screen), therefore stopping the attack.
- Randomize Memory Allocations (Bottom-up ASLR) (on by default) enables bottom-up allocations (VirtualAlloc(), VirtualAllocEx()) to be randomized. Attacks that bypass ASLR and DEP, such as those seen against Adobe Reader, are prevented with this setting.
- Validate Exception Chains (SEHOP) (on by default) prevents an attacker from using the Structured Exception Handler (SEH) overwrite exploitation technique. Since first being published in September 2003, this attack has often been in many hackers’ arsenals.
- Validate Heap Integrity (on by default) protects against memory corruption attacks.
You can set both system settings and program settings and then export them in an XML file to then deploy them to other computers via PowerShell.
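The following PowerShell is an added example, not code from the original article: it compares the system-wide Exploit Protection mitigations listed above against the stated defaults, stages Mandatory ASLR on one program before any system-wide change, and exports or applies the XML used for PowerShell deployment. Function names and the `legacyapp.exe` sample program are assumptions; it requires Windows 10 1709 or later and an elevated session for the Set-* calls.

```powershell
# Added example (not from the original article). Works with any antivirus,
# since Exploit Protection does not depend on Windows Defender AV.

# Stated defaults: CFG, DEP, Bottom-up ASLR, SEHOP and heap integrity on;
# Mandatory ASLR (ForceRelocateImages) off. Keys are Group.Setting as
# exposed by Get-ProcessMitigation -System.
$ExpectedDefaults = @{
    'CFG.Enable'               = 'ON'
    'DEP.Enable'               = 'ON'
    'ASLR.BottomUp'            = 'ON'
    'ASLR.ForceRelocateImages' = 'OFF'
    'SEHOP.Enable'             = 'ON'
    'Heap.TerminateOnError'    = 'ON'
}

function Get-SystemMitigationReport {
    # One row per mitigation. NOTSET means no explicit policy is configured,
    # so the built-in default applies and it is treated as matching.
    $sys = Get-ProcessMitigation -System
    foreach ($key in ($ExpectedDefaults.Keys | Sort-Object)) {
        $group, $setting = $key.Split('.')
        $actual = [string]$sys.$group.$setting
        [pscustomobject]@{
            Mitigation = $key
            Expected   = $ExpectedDefaults[$key]
            Actual     = $actual
            Drift      = -not ($actual -eq 'NOTSET' -or $actual -eq $ExpectedDefaults[$key])
        }
    }
}

function Enable-MandatoryAslrForProgram {
    # Mandatory ASLR forces relocation of images built without relocation
    # information, which can crash older programs. Stage it per executable
    # and watch for crashes before running
    # Set-ProcessMitigation -System -Enable ForceRelocateImages.
    param([Parameter(Mandatory)][string]$ExeName)   # e.g. 'legacyapp.exe' (hypothetical)
    Set-ProcessMitigation -Name $ExeName -Enable ForceRelocateImages, BottomUp
    Get-ProcessMitigation -Name $ExeName
}

function Export-ExploitProtectionXml {
    # Writes the current system and per-program settings to XML, the same
    # format the security baseline ships as EP.xml.
    param([string]$Path = (Join-Path $env:TEMP 'EP.xml'))
    Get-ProcessMitigation -RegistryConfigFilePath $Path
    return $Path
}

function Import-ExploitProtectionXml {
    # Applies an exported XML on another machine (or from a startup script).
    param([Parameter(Mandatory)][string]$Path)
    Set-ProcessMitigation -PolicyFilePath $Path
}

# Usage:
# Get-SystemMitigationReport | Format-Table -AutoSize
# Enable-MandatoryAslrForProgram -ExeName 'legacyapp.exe'
# $xml = Export-ExploitProtectionXml; Import-ExploitProtectionXml -Path $xml
```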
Attack Surface Reduction
Attack Surface Reduction is a new set of tools that block primarily Office, Java, and other zero-day-type attacks. With the addition of a Windows E5 license and Windows Advanced Threat Protection, you will receive a cloud-based alerting system when these rules are triggered. However, it’s not mandatory to have the E5 license to manage and defend systems. This is one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.
To enable these protections, you can use group policy, registry keys, or mobile device management. To enable via group policy, go to Computer Configuration in the Group Policy Management Editor, then Policies, then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction. Double-click the Configure Attack surface reduction rules setting and set the option to Enabled. To enable Attack Surface Reduction using PowerShell, enter Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled.
Now you need to determine what you plan on blocking. It is recommended to begin in audit mode to evaluate the impact on your network and devices. The values you can set to enable Attack Surface Reduction are:
- Block mode = 1
- Disabled = 0
- Audit mode = 2
Once you have determined that the protection will not impact productivity, you can set the value to Block Mode to fully enable the protections. Enter each rule on a new line as a name-value pair with a GUID code and then the value of 1 to enforce blocking, 0 to disable the rule, or 2 to set the rule to audit. When beginning to evaluate rules, set the value to 2 and monitor the results in the event log.
- Name column: Enter a valid ASR rule ID or GUID
- Value column: Enter the status ID that relates to the state you want to specify for the associated rule
The following rules can be enabled to better protect your computer and your network.
Rule: Block executable content from email client and webmail. ASR Rule ID or GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
- Blocks executable files (such as .exe, .dll, or .scr)
- Blocks script archive files
Rule: Block Office applications from creating child processes. ASR Rule ID or GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
This rule blocks Microsoft Office applications from creating child processes. This is typical malware behavior, especially with macro-based attacks.
Rule: Block Office applications from creating executable content. ASR Rule ID or GUID: 3B576869-A4EC-4529-8536-B80A7769E899
This rule blocks Office applications from creating executable content. This is typical malware behavior. Attacks often use Windows Script Host (.wsh files) to run scripts.
Rule: Block Office applications from injecting code into other processes. ASR Rule ID or GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Office applications such as Word, Excel, and PowerPoint will not be able to inject code into other processes. Malware typically uses this to avoid antivirus detection.
Rule: Block execution of potentially obfuscated scripts. ASR Rule ID or GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
This rule prevents scripts that appear to be obfuscated from running. It uses the Antimalware Scan Interface (AMSI) to determine if a script is malicious.
Rule: Block Win32 API calls from Office macro. ASR Rule ID or GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Malware often uses macro code in Office files to import and load Win32 DLLs, which then use API calls to further infect the system.
Network Protection
Network Protection is designed to protect your computer and your network from internet domains that may host phishing scams, exploits, and other malicious content. It can be enabled either via PowerShell or Group Policy. In the Group Policy Management Editor go to Computer Configuration, then Policies, then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection. Double-click the Prevent Users and Apps from Accessing Dangerous Websites setting and set the option to Enabled.
To enable using PowerShell, enter Set-MpPreference -EnableNetworkProtection Enabled. To enable audit mode type in Set-MpPreference -EnableNetworkProtection AuditMode. To fully enable protection, you need to reboot the computer.
Once enabled you can test the feature by going to this website. The site should be blocked and you should see a notification indicating the site’s threat status in the system tray. The system now relies on Microsoft SmartScreen technology to block web sites. If a false positive is found, you must submit a request to whitelist a website using Microsoft’s submission page.
This is one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.
Controlled Folder Access
Controlled Folder Access is designed to prevent and defend against typical ransomware attacks. It can be enabled using the Windows Defender Security Center app, Group Policy, PowerShell, or configuration service providers for mobile device management. Every application (any executable file, including .exe, .scr, and .dll files) is assessed by Windows Defender Antivirus to determine whether it is safe. If the application is judged malicious or untrusted, it is blocked from making changes to files in protected folders.
Certain folders are protected by default, and the administrator can add folders they deem in need of additional protection. To enable Controlled Folder Access via PowerShell, type in the following command: Set-MpPreference -EnableControlledFolderAccess Enabled. To enable it via Group Policy, open the Group Policy Management Editor, go to Computer Configuration, click Policies, then Administrative Templates, and then expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access. Double-click the Configure Controlled Folder Access setting and set the option to Enabled.
By default, the following folders are enabled for protection:
You can then manually add folders as you see fit. If an application is blocked by Controlled Folder Access, you can allow it. To allow an override, go into Group Policy Management Editor and then go to Computer Configuration. Click on Policies and then Administrative Templates. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access. Double-click the Configure Allowed Applications setting and set the option to Enabled. Click Show and enter each app. To allow an application via PowerShell, enter Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be allowed, including the path>". Test the settings before widespread deployment to note what adjustments you need to make for full application compatibility.
This is the final one of the three Windows Defender Exploit Guard features that will not work with third-party antivirus deployed. You must use Windows Defender to enable this protection.
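The three Windows Defender-dependent features above (the ASR rules, Network Protection and Controlled Folder Access) share the same staged rollout: audit first, review the events, then enforce. The PowerShell below is an added example, not code from the original article, that does exactly that for the six rule GUIDs listed earlier. It assumes Windows 10 1709 or later with Windows Defender AV as the active antivirus, an elevated session, and that the Defender operational-log events carry the `ID:`, `Path:` and `Process Name:` lines they are formatted with; function names and the sample folder and app paths are assumptions.

```powershell
# Added example (not from the original article): stage ASR, Network Protection
# and Controlled Folder Access in audit mode, report what would have been
# blocked, then enforce selectively.

# ASR rule GUIDs and names as listed in the article.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macro'
}

# Rule action values as given in the article: 0 = disabled, 1 = block, 2 = audit.
$Block = 1; $Audit = 2

# Exploit Guard event IDs in the Microsoft-Windows-Windows Defender/Operational log.
$EventIds = @{
    ASR               = @{ Block = 1121; Audit = 1122 }
    CFA               = @{ Block = 1123; Audit = 1124 }
    NetworkProtection = @{ Block = 1126; Audit = 1125 }
}

function Set-AsrRules {
    # Add-MpPreference merges with rules already configured instead of
    # replacing the whole list, so unrelated rules are left untouched.
    param([string[]]$Ids = @($AsrRules.Keys), [int]$Action = $Audit)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                     -AttackSurfaceReductionRules_Actions (@($Action) * $Ids.Count)
}

function Start-ExploitGuardAudit {
    # Everything goes to audit first; nothing is blocked until reviewed.
    param([string[]]$ExtraProtectedFolders = @())
    Set-AsrRules -Action $Audit
    Set-MpPreference -EnableNetworkProtection AuditMode
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    if ($ExtraProtectedFolders.Count -gt 0) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraProtectedFolders
    }
}

function Get-ExploitGuardEvents {
    # One object per ASR/CFA/Network Protection event, with fields pulled from
    # the "Label: value" lines of the event message (assumed format).
    param([int]$Days = 7)
    $ids = $EventIds.Values | ForEach-Object { $_.Values }
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
                 Id = $ids; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $feature = ($EventIds.GetEnumerator() | Where-Object { @($_.Value.Values) -contains $e.Id }).Key
        $mode    = if ($EventIds[$feature].Block -eq $e.Id) { 'Block' } else { 'Audit' }
        $field   = { param($label) [regex]::Match($e.Message, '(?m)^\s*' + $label + ':\s*(.+?)\s*$').Groups[1].Value }
        $ruleId  = (& $field 'ID').ToUpper()
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Feature = $feature
            Mode    = $mode
            Rule    = if ($AsrRules.ContainsKey($ruleId)) { $AsrRules[$ruleId] } else { $ruleId }
            Process = & $field 'Process Name'
            Target  = & $field 'Path'
        }
    }
}

function Get-ExploitGuardReport {
    # Counts per feature/rule/process: the review list for deciding which rules
    # can go to block mode and which apps need a CFA allow-list entry.
    param([int]$Days = 7)
    Get-ExploitGuardEvents -Days $Days |
        Group-Object Feature, Rule, Process | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Feature'; e = { $_.Group[0].Feature } },
            @{ n = 'Rule'; e = { $_.Group[0].Rule } }, @{ n = 'Process'; e = { $_.Group[0].Process } }
}

function Enable-ExploitGuardBlock {
    # Enforce only the rules confirmed harmless; allow-list reviewed apps first.
    param([string[]]$AsrRuleIds, [string[]]$AllowedApps = @(),
          [switch]$NetworkProtection, [switch]$ControlledFolderAccess)
    if ($AllowedApps.Count -gt 0) { Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps }
    if ($AsrRuleIds) { Set-AsrRules -Ids $AsrRuleIds -Action $Block }
    if ($NetworkProtection) { Set-MpPreference -EnableNetworkProtection Enabled }
    if ($ControlledFolderAccess) { Set-MpPreference -EnableControlledFolderAccess Enabled }
}

# Usage, in order: audit, review for a week, then enforce selectively (sample paths are constructed).
# Start-ExploitGuardAudit -ExtraProtectedFolders 'D:\Finance'
# Get-ExploitGuardReport -Days 7 | Format-Table -AutoSize
# Enable-ExploitGuardBlock -AsrRuleIds 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
#     -AllowedApps 'C:\Program Files\ExampleBackup\backup.exe' -ControlledFolderAccess
```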
Windows Security Baselines
Windows Security Baseline configurations have been updated to support Windows 10 1709. Security baselines are a set of recommended configurations to best secure systems in enterprises. Organizations can use the Security Compliance Toolkit to review recommended group policy settings. Microsoft certifies that they test updates against these configurations.
Windows Defender Advanced Threat Protection (ATP)
Windows Defender ATP is a cloud-based console that allows for forensic tracking of threats and attacks. It is enabled once you purchase a Windows E5 or Microsoft Office 365 E5 subscription. Once you purchase the subscription, you can enroll workstations via group policy or registry keys, which then upload telemetry to a cloud service. The service monitors for lateral attacks, ransomware, and other typical attacks. Release 1709 increases the analytics and security stack integration for better reports and integration.
On February 12, Microsoft announced that it is offering Windows Defender ATP down-level support for Windows 7 SP1 and Windows 8.1. In a blog post, the company said it is offering the service in recognition that many companies have a mix of Windows versions in place as they transition to Windows 10.
Windows Defender Application Guard
Application Guard lets enterprises control Microsoft’s new Edge browser to better block attacks and defend workstations. Application Guard must be deployed on 64-bit machines, and the machines must have Extended Page Tables, also called Second Level Address Translation (SLAT), as well as either Intel VT-x extensions or AMD-V. The Windows 10 Enterprise edition is also mandated.
Application Guard can be controlled via Group Policy, Intune, or System Center. It can be deployed via Windows features or via PowerShell using Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard. Once enabled, you can define which websites are trusted so that outside content is isolated in Internet Explorer and Edge, limit printing and use of the clipboard, and restrict the isolated browser to local network resources only.
Windows Defender Device Guard
Device Guard is a new name for software restriction policies. Unless an application is trusted, it cannot run on the system. Rather than the current model, where we trust software by default, Device Guard assumes all software is suspect and only allows software you trust to run on your system. Like Application Guard, its requirements include virtualization technology.
Windows Information Protection (WIP)
WIP now works with Office and Azure Information Protection. WIP used to be called Enterprise Data Protection. Setting a WIP policy ensures that files downloaded from an Azure location will be encrypted. You can set a listing of apps that are allowed to access this protected data.
The minimum PIN length for BitLocker was changed in version 1709 from six to four, with six as the default.
Microsoft’s facial authentication system has been improved in version 1709 to use proximity settings to allow multifactor authentication in more sensitive deployments.
Windows Update for Business
The group policy settings that allow you to better control updating in Windows 10 now include the ability to control the use of Insider Edition on systems in your network. This allows you to enroll business systems in Microsoft’s beta testing process. Organizations may wish to opt into this program to better test and prepare for feature releases.
Security features prior to version 1709
Security changes and enhancements introduced in previous editions include the following:
Windows Defender Advanced Threat Protection
Windows 10 1703 introduced the ability to use the threat intelligence API to build custom alerts. Improvements were made to operating system memory and kernel sensors to better detect attacks deep within the operating system. It also allowed for six months of historical detection data to better review for patterns. Antivirus detection and Device Guard events were placed in the Threat Protection portal. Windows 10 1607 originally introduced the online cloud forensic tool to the Windows 10 platform for the first time.
Windows Defender Antivirus
This was renamed from Windows Defender in version 1703 and was integrated into the Windows Defender Security Center application. In addition, behavior monitoring and real-time protection were enhanced. In Windows 10 1607, PowerShell cmdlets were introduced to configure options and run scans.
Windows Defender Credential Guard
Usernames and passwords are stolen on a regular basis to gain access to systems. An attacker gains access to one compromised system and then, using attacks such as “Pass the hash” or “Pass the ticket,” can harvest credentials saved on systems to perform lateral movement across a network. Credential Guard protects NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials from attackers. However, be aware that single sign-on applications may not work if Credential Guard is enabled.
Windows 10 1703 increased the hardware requirement to deploy Device Guard and Credential Guard to better protect from vulnerabilities in UEFI runtime scenarios:
- Support for virtualization-based security (required)
- Secure boot (required)
- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
If you want to enable credential guard on virtual machines where the risk of lateral movement may be higher, additional hardware requirements include:
- 64-bit CPU
- CPU virtualization extensions plus extended page tables
- Windows Hypervisor
Windows 10 1511 introduced the ability to enable Credential Guard by using the registry; a registry-based configuration (without the UEFI lock) also allows you to disable Credential Guard remotely.
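As an added example (not from the original article), the read-only PowerShell below checks a machine against the required and preferred items listed above and reports whether Credential Guard is actually running and UEFI-locked. It assumes the documented Win32_DeviceGuard WMI encodings and the LsaCfgFlags registry value written by the registry-based enablement method; function names are assumptions, and Confirm-SecureBootUEFI needs an elevated session.

```powershell
# Added example (not from the original article): Credential Guard readiness.

function Get-CredentialGuardReadiness {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
               -ErrorAction SilentlyContinue
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0 or absent = disabled.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags `
               -ErrorAction SilentlyContinue

    # Win32_DeviceGuard encodings:
    #   AvailableSecurityProperties: 1 = VBS base requirements, 2 = Secure Boot, 3 = DMA protection, ...
    #   SecurityServicesRunning:     1 = Credential Guard, 2 = HVCI
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running
    $avail   = @($dg.AvailableSecurityProperties)
    $running = @($dg.SecurityServicesRunning)
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS or without elevation

    [pscustomobject]@{
        Is64Bit         = [Environment]::Is64BitOperatingSystem
        VbsSupported    = $avail -contains 1
        SecureBoot      = $secureBoot -or ($avail -contains 2)
        Tpm20           = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')
        UefiLock        = ($lsa.LsaCfgFlags -eq 1)
        VbsStatus       = @('Off', 'Configured', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuard = $running -contains 1
        Hvci            = $running -contains 2
    }
}

function Test-CredentialGuardRequirements {
    # Required per the article: VBS support, Secure Boot, 64-bit CPU.
    # Preferred: TPM 2.0 (hardware binding) and UEFI lock (no remote disable
    # through a registry change). Returns the readiness object plus findings.
    $r = Get-CredentialGuardReadiness
    $findings = @()
    if (-not $r.Is64Bit)      { $findings += 'REQUIRED: 64-bit Windows' }
    if (-not $r.VbsSupported) { $findings += 'REQUIRED: virtualization-based security not available' }
    if (-not $r.SecureBoot)   { $findings += 'REQUIRED: Secure Boot is off' }
    if (-not $r.Tpm20)        { $findings += 'PREFERRED: no TPM 2.0, so no hardware binding' }
    if ($r.CredentialGuard -and -not $r.UefiLock) {
        $findings += 'PREFERRED: Credential Guard runs without UEFI lock; a registry change can disable it'
    }
    if (-not $r.CredentialGuard) { $findings += 'Credential Guard is not running' }
    $r | Add-Member -NotePropertyName Findings -NotePropertyValue $findings -PassThru
}

# Usage:
# Test-CredentialGuardRequirements | Format-List
```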
Group Policy Security
Windows 10 1703 introduced a new security policy specifically to make the username more private during sign in. Interactive logon: Don't display username at sign-in allows for more granular control over the sign in process.
Windows Hello for Business
Windows 10 1703 introduced the ability to reset a forgotten PIN without losing profile data. Windows 10 1607 combined the technologies of Microsoft Passport and Windows Hello.
Windows Update for Business
Feature update installation can be deferred by 365 days, increased from the prior 180 days allowed.
Virtual Private Network (VPN)
Windows 10 1607 allowed the VPN client to integrate with the Conditional Access Framework and with the Windows Information Protection policy for more security.
Windows 10 1507 introduced a new parameter that allows you to choose if executable and DLL rules will apply to non-interactive processes.
BitLocker received new features in Windows 10 1511, including the XTS-AES encryption algorithm, which better protects against attacks that manipulate ciphertext. Windows 10 1507 introduced the ability to encrypt a device and recover it with Azure Active Directory.
Windows 10 auditing
Windows 10 Version 1507 added more auditing events and increased fields to better track processes and events.