deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 12:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Folded in improvements to threat mitigtns and override topics

Browse Source
This commit is contained in:
JanKeller1
2017-02-07 18:56:07 -08:00
parent e6d5b74bf9
commit 882870e0cc
3 changed files with 31 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

2
windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
View File

@ -26,7 +26,7 @@ The Group Policy settings in this topic are related to three types of process mi
- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](windows-10-security-guide.md#data-execution-prevention). - **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](windows-10-security-guide.md#data-execution-prevention).
- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. - **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](windows-10-security-guide.md#structured-exception-handling-overwrite-protection).
- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware thats designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](windows-10-security-guide.md#address-space-layout-randomization). - **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware thats designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](windows-10-security-guide.md#address-space-layout-randomization).

52
windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
View File

@ -2,14 +2,20 @@
This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats.
**Note**   If you are familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/en-us/kb/2458544) and want information about the many EMET mitigations built into Windows 10, and how to convert an EMET settings file into policies for Windows 10, see [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit), later in this topic.
| **Section** | **Contents** | | **Section** | **Contents** |
|--------------|-------------------------| |--------------|-------------------------|
| [The security threat landscape](#the-security-threat-landscape) | Describes the current nature of the security threat landscape, and outlines the basic ways that Windows 10 is designed to mitigate against software exploits and other similar threats. | | [The security threat landscape](#the-security-threat-landscape) | Describes the current nature of the security threat landscape, and outlines the basic ways that Windows 10 is designed to mitigate against software exploits and other similar threats. |
| [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). | | [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). |
| [Windows 10 mitigations that need no configuration](#windows-10-mitigations-that-need-no-configuration) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. | | [Windows 10 mitigations that need no configuration](#windows-10-mitigations-that-need-no-configuration) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. |
| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | For IT professionals who in the past have used the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/en-us/kb/2458544), describes how the mitigations in EMET correspond to features built into Windows 10. It also describes how to convert an XML settings file created in EMET into mitigation policies for Windows 10. | | [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | For IT professionals who are familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/en-us/kb/2458544), describes how the mitigations in EMET correspond to features built into Windows 10. It also describes how to convert an XML settings file created in EMET into mitigation policies for Windows 10. |
This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration:
<img src="images/threat-mitigations-pre-breach-post-breach-conceptual.png" alt="Types of defenses in Windows 10" width="1052" height="241" />
**Figure 1.&nbsp;&nbsp;Device protection and threat resistance as part of the Windows 10 security defenses**
For links to other areas of protection offered by Windows and Office, see [Related topics](#related-topics).
## The security threat landscape ## The security threat landscape
@ -35,13 +41,13 @@ Windows 10 mitigations that you can configure are listed in the following two ta
| Mitigation and corresponding threat | Description and links | | Mitigation and corresponding threat | Description and links |
|---|---| |---|---|
| **Device Guard**,<br>which helps keep a device free of<br>malware or other untrusted apps<br>(can be enhanced by Secure Boot, described in the next row) | Device Guard includes Code Integrity policies, a whitelist you create of trusted apps—the only apps allowed to run in your organization. Device Guard also includes virtualization-based security (VBS), which has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain entrance to the kernel.<br>Device Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) | | **Device Guard**,<br>which helps keep a device free of<br>malware or other untrusted apps<br>(can be enhanced by Secure Boot, described in the next row) | Device Guard includes Code Integrity policies, a whitelist you create of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain entrance to the kernel.<br>Device Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) |
| **UEFI Secure Boot**,<br>which mitigates against<br>bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot helps to protect the boot process and firmware from tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.<br><br>**More information**: [UEFI and Secure Boot](bitlocker-countermeasures.md#uefi-and-secure-boot)</a> | | **UEFI Secure Boot**,<br>which mitigates against<br>bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot helps to protect the boot process and firmware from tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.<br><br>**More information**: [UEFI and Secure Boot](bitlocker-countermeasures.md#uefi-and-secure-boot)</a> |
| **Credential Guard**,<br>which mitigates against<br>credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.<br>Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) | | **Credential Guard**,<br>which mitigates against<br>credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.<br>Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) |
| **Blocking of untrusted fonts**, <br>which mitigates against<br>elevation-of-privilege attacks from untrusted fonts | The Block Untrusted Fonts setting allows you to prevent users from loading untrusted fonts onto your network. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local elevation-of-privilege attacks associated with the parsing of font files.<br><br>**More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |
| **OS key pinning**,<br>which mitigates against<br>man-in-the-middle attacks that leverage PKI | With OS key pinning, you can “pin” (associate) an X.509 certificate and its public key to its legitimate Certification Authority (root or leaf). This provides validation for digitally signed certificates (SSL certificates) used while browsing, and mitigates against man-in the-middle attacks that involve these certificates.<br><br>**More information**: OS_KEY_PINNING_LINK | | **OS key pinning**,<br>which mitigates against<br>man-in-the-middle attacks that leverage PKI | With OS key pinning, you can “pin” (associate) an X.509 certificate and its public key to its legitimate Certification Authority (root or leaf). This provides validation for digitally signed certificates (SSL certificates) used while browsing, and mitigates against man-in the-middle attacks that involve these certificates.<br><br>**More information**: OS_KEY_PINNING_LINK |
| **The SmartScreen Filter**,<br>which mitigates against<br>malicious applications that<br>a user might download | The SmartScreen Filter can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), the SmartScreen filter checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.<br><br>**More information**: [The SmartScreen Filter](#the-smartscreen-filter), later in this topic | | **The SmartScreen filter**,<br>which mitigates against<br>malicious applications that<br>a user might download | The SmartScreen filter can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.<br><br>**More information**: [The SmartScreen filter](#the-smartscreen-filter), later in this topic |
| **Windows Defender** (antimalware), which mitigates against<br>multiple threats | Windows 10 includes Windows Defender, a robust inbox antimalware solution. Windows Defender has been significantly improved since it was introduced in Windows 8.<br><br>**More information**: [Windows Defender](#windows-defender), later in this topic | | **Windows Defender** (antimalware), which mitigates against<br>multiple threats | Windows 10 includes Windows Defender, a robust inbox antimalware solution. Windows Defender has been significantly improved since it was introduced in Windows 8.<br><br>**More information**: [Windows Defender](#windows-defender), later in this topic |
| **Blocking of untrusted fonts**, <br>which mitigates against<br>elevation-of-privilege attacks from untrusted fonts | The Block Untrusted Fonts setting allows you to prevent users from loading untrusted fonts onto your network, which can mitigate against elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).<br><br>**More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |
| **Memory protections** listed in [Table 2](#table-2),<br>which mitigate against<br>malware that uses memory<br>manipulation techniques such as<br>buffer overruns | This set of mitigations helps to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system. For example, malware might use buffer overruns to inject malicious executable code into memory.<br>A minority of trusted apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing needed apps to run correctly.<br><br>**More information**: [Table 2](#table-2), later in this topic | | **Memory protections** listed in [Table 2](#table-2),<br>which mitigate against<br>malware that uses memory<br>manipulation techniques such as<br>buffer overruns | This set of mitigations helps to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system. For example, malware might use buffer overruns to inject malicious executable code into memory.<br>A minority of trusted apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing needed apps to run correctly.<br><br>**More information**: [Table 2](#table-2), later in this topic |
Configurable Windows 10 mitigations oriented specifically toward memory manipulation are listed in the following table. Detailed understanding of these threats and mitigations requires knowledge of how the operating system and applications handle memory—knowledge used by developers but not necessarily by IT professionals. However, from an IT professionals perspective, the basic process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any needed applications. Then you can deploy settings that maximize protection while still allowing needed apps to run correctly. Configurable Windows 10 mitigations oriented specifically toward memory manipulation are listed in the following table. Detailed understanding of these threats and mitigations requires knowledge of how the operating system and applications handle memory—knowledge used by developers but not necessarily by IT professionals. However, from an IT professionals perspective, the basic process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any needed applications. Then you can deploy settings that maximize protection while still allowing needed apps to run correctly.
@ -53,7 +59,7 @@ Also, as an IT professional, you can ask application developers and software ven
| Mitigation and corresponding threat | Description | | Mitigation and corresponding threat | Description |
|---|---| |---|---|
| **Data Execution Prevention (DEP),** which mitigates against<br>exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature that has been available in Windows operating systems for over a decade. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.<br>DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not.<br>For more information, see [Data Execution Prevention](#data-execution-prevention), later in this topic.<br><br>**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure additional DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | | **Data Execution Prevention (DEP),** which mitigates against<br>exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature that has been available in Windows operating systems for over a decade. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.<br>DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not.<br>For more information, see [Data Execution Prevention](#data-execution-prevention), later in this topic.<br><br>**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure additional DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
| **SEHOP**,<br>which mitigates against<br>overwrites of the Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements. Although some applications have compatibility problems with SEHOP, the vast majority of applications do not.<br>For more information, see [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.<br><br>**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure additional SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | | **SEHOP**,<br>which mitigates against<br>overwrites of the Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. Although some applications have compatibility problems with SEHOP, the vast majority of applications do not.<br>For more information, see [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.<br><br>**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure additional SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
| **ASLR**,<br>which mitigates against<br>malware attacks based on expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This mitigates against malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded.<br>For more information, see [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.<br><br>**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure additional ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | | **ASLR**,<br>which mitigates against<br>malware attacks based on expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This mitigates against malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded.<br>For more information, see [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.<br><br>**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure additional ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). |
### Data Execution Prevention ### Data Execution Prevention
@ -64,7 +70,7 @@ Data Execution Prevention (DEP) does exactly that, by substantially reducing the
Because of the importance of DEP, users cannot install Windows 10 on a computer that does not have DEP capability. Fortunately, most processors released since the mid-2000s support DEP. Because of the importance of DEP, users cannot install Windows 10 on a computer that does not have DEP capability. Fortunately, most processors released since the mid-2000s support DEP.
**To see which apps use DEP** **To use Task Manager to see which apps use DEP**
1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen. 1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen.
@ -76,13 +82,13 @@ Because of the importance of DEP, users cannot install Windows 10 on a computer
5. Click **OK**. 5. Click **OK**.
You can now see which processes have DEP enabled. Figure 1 shows the processes running on a Windows 10 PC with a single process that does not support DEP. You can now see which processes have DEP enabled. Figure 2 shows the processes running on a Windows 10 PC with a single process that does not support DEP.
<!-- This might be a good place to mention the cmdlet that lets you see the same kind of output. --> <!-- This might be a good place to mention the cmdlet that lets you see the same kind of output. -->
![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png) ![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png)
**Figure 1. Processes on which DEP has been enabled in Windows 10** **Figure 2.&nbsp;&nbsp;Processes on which DEP has been enabled in Windows 10**
You can use Control Panel to view or change DEP settings. You can use Control Panel to view or change DEP settings.
@ -116,11 +122,11 @@ You can use the Group Policy setting called **Process Mitigation Options** to co
One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations. One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations.
Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 2 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts.
![ASLR at work](images/security-fig4-aslr.png) ![ASLR at work](images/security-fig4-aslr.png)
**Figure 2. ASLR at work** **Figure 3.&nbsp;&nbsp;ASLR at work**
Although the ASLR implementation in Windows 7 was effective, it wasnt applied holistically across the operating system, and the level of entropy (cryptographic randomization) wasnt always at the highest possible level. To decrease the likelihood that sophisticated attacks such as heap spraying could succeed, starting with Windows 8, Microsoft applied ASLR holistically across the system and increased the level of entropy many times. Although the ASLR implementation in Windows 7 was effective, it wasnt applied holistically across the operating system, and the level of entropy (cryptographic randomization) wasnt always at the highest possible level. To decrease the likelihood that sophisticated attacks such as heap spraying could succeed, starting with Windows 8, Microsoft applied ASLR holistically across the system and increased the level of entropy many times.
@ -128,29 +134,29 @@ The ASLR implementation in Windows 10 is greatly improved over Windows 7, espe
You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings (“Force ASLR” and “Bottom-up ASLR”), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings (“Force ASLR” and “Bottom-up ASLR”), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md).
### The SmartScreen Filter ### The SmartScreen filter
Starting with Windows Internet Explorer 8, the SmartScreen Filter has helped protect users from both malicious applications and nefarious websites by using the SmartScreen Filters application and URL reputation services. The SmartScreen Filter in Internet Explorer would check URLs and newly downloaded apps against an online reputation service that Microsoft maintained. If the app or URL were not known to be safe, SmartScreen Filter would warn the user or even prevent the app or URL from loading, depending on how systems administrators had configured Group Policy settings. Starting with Windows Internet Explorer 8, the SmartScreen Filter has helped protect users from both malicious applications and nefarious websites by using the SmartScreen Filters application and URL reputation services. The SmartScreen Filter in Internet Explorer would check URLs and newly downloaded apps against an online reputation service that Microsoft maintained. If the app or URL were not known to be safe, SmartScreen Filter would warn the user or even prevent the app or URL from loading, depending on how systems administrators had configured Group Policy settings.
For Windows 10, Microsoft further developed the SmartScreen Filter by integrating its app reputation abilities into the operating system itself, which allows the filter to protect users regardless of the web browser they are using or the path that the app uses to arrive on the device (for example, email, USB flash drive). The first time a user runs an app that originates from the Internet, even if the user copied it from another PC, the SmartScreen Filter checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, the SmartScreen Filter warns the user or blocks execution entirely, depending on how the administrator has configured Group Policy (see Figure 3). For Windows 10, Microsoft further developed SmartScreen by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to protect users regardless of the web browser they are using or the path that the app uses to arrive on the device (for example, email, USB flash drive). The first time a user runs an app that originates from the Internet, even if the user copied it from another PC, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Group Policy (see Figure 4).
![SmartScreen Filter at work in Windows 10](images/security-fig7-smartscreenfilter.png) ![SmartScreen Filter at work in Windows 10](images/security-fig7-smartscreenfilter.png)
**Figure 3. The SmartScreen Filter at work in Windows 10** **Figure 4.&nbsp;&nbsp;SmartScreen at work in Windows 10**
By default, users have the option to bypass SmartScreen Filter protection so that it will not prevent a user from running a legitimate app. You can use Control Panel or Group Policy settings to disable the SmartScreen Filter or to completely prevent users from running apps that the SmartScreen Filter does not recognize. The Control Panel settings are shown in Figure 4. By default, users have the option to bypass SmartScreen protection so that it will not prevent a user from running a legitimate app. You can use Control Panel or Group Policy settings to disable SmartScreen or to completely prevent users from running apps that SmartScreen does not recognize. The Control Panel settings are shown in Figure 5.
![SmartScreen configuration options](images/security-fig8-smartscreenconfig.png) ![SmartScreen configuration options](images/security-fig8-smartscreenconfig.png)
**Figure 4. The Windows SmartScreen configuration options in Control Panel** **Figure 5.&nbsp;&nbsp;The Windows SmartScreen configuration options in Control Panel**
If you want to try the SmartScreen Filter, use Windows 7 to download this simulated (but not dangerous) malware [file:freevideo.exe](https://go.microsoft.com/fwlink/p/?LinkId=626943). Save it to your computer, and then run it from Windows Explorer. As shown in Figure 5, Windows runs the app without much warning. In Windows 7, you might receive a warning message about the app not having a certificate, but you can easily bypass it. If you want to try SmartScreen, use Windows 7 to download this simulated (but not dangerous) malware [file:freevideo.exe](https://go.microsoft.com/fwlink/p/?LinkId=626943). Save it to your computer, and then run it from Windows Explorer. As shown in Figure 6, Windows 7 runs the app without much warning. In Windows 7, you might receive a warning message about the app not having a certificate, but you can easily bypass it.
![Windows 7 allows the app to run](images/security-fig9-windows7allow.png) ![Windows 7 allows the app to run](images/security-fig9-windows7allow.png)
**Figure 5. Windows 7 allows the app to run** **Figure 6.&nbsp;&nbsp;Windows 7 allows the app to run**
Now, repeat the test on a computer running Windows 10 by copying the file to a Windows 10 PC or by downloading the file again and saving it to your local computer. Run the file directly from File Explorer, and the SmartScreen Filter will warn you before it allows it to run. Microsofts data shows that for a vast majority of users, that extra warning is enough to save them from a malware infection. Now, repeat the test on a computer running Windows 10 by copying the file to a Windows 10 PC or by downloading the file again and saving it to your local computer. Run the file directly from File Explorer, and SmartScreen will warn you before it allows it to run. Microsofts data shows that for a vast majority of users, that extra warning is enough to save them from a malware infection.
### Windows Defender ### Windows Defender
@ -166,6 +172,8 @@ Windows included Windows Defender, a robust inbox antimalware solution, starting
For more information, see [Windows Defender in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server). For more information, see [Windows Defender in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
For information about Windows Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Windows Defender Advanced Threat Protection (ATP)](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-advanced-threat-protection) (documentation).
## Windows 10 mitigations that need no configuration ## Windows 10 mitigations that need no configuration
Windows 10 provides many threat mitigations that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations. Windows 10 provides many threat mitigations that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations.
@ -178,7 +186,7 @@ One of the mitigations, Control Flow Guard (CFG), needs no configuration within
|---|---| |---|---|
| **Heap protections**,<br>which mitigate against<br>exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.<br><br>**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. | | **Heap protections**,<br>which mitigate against<br>exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.<br><br>**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. |
| **Kernel pool protections**,<br>which mitigate against<br>exploitation of pool memory used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations to create an attack.<br><br>**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. | | **Kernel pool protections**,<br>which mitigate against<br>exploitation of pool memory used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations to create an attack.<br><br>**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. |
| **Control Flow Guard**,<br>which mitigates against<br>exploits based on flow between code locations in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead can be built into software when its compiled. It is built into Microsoft Edge, IE11, and other features in Windows 10. It can also be built into applications when theyre compiled. For example, it can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.<br>For such an application, CFG can detect an attackers attempt to change the intended flow of code. If this occurs, CFG terminates the application. Administrators can request software vendors to deliver Windows applications compiled with CFG enabled.<br><br>**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | | **Control Flow Guard**,<br>which mitigates against<br>exploits based on flow between code locations in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead can be built into software when its compiled. It is built into Microsoft Edge, IE11, and other features in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.<br>For such an application, CFG can detect an attackers attempt to change the intended flow of code. If this occurs, CFG terminates the application. Administrators can request software vendors to deliver Windows applications compiled with CFG enabled.<br><br>**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
| **Protected Processes**,<br>to mitigate against<br>one process tampering<br>with another process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.<br><br>**More information**: [Protected Processes](#protected-processes), later in this topic. | | **Protected Processes**,<br>to mitigate against<br>one process tampering<br>with another process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.<br><br>**More information**: [Protected Processes](#protected-processes), later in this topic. |
| **Universal Windows apps protections**,<br>which mitigate against<br>multiple threats | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.<br><br>**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. | | **Universal Windows apps protections**,<br>which mitigate against<br>multiple threats | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.<br><br>**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. |
| **Protections built into Microsoft Edge** (the browser),<br>which mitigate against<br>multiple threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.<br><br>**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. | | **Protections built into Microsoft Edge** (the browser),<br>which mitigate against<br>multiple threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.<br><br>**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. |
@ -227,7 +235,7 @@ Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, an
Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on any malware that might be running. Protected Processes creates limits of this type. Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on any malware that might be running. Protected Processes creates limits of this type.
With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and for the first time, you can put antimalware solutions into the protected process space, which helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system. With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.
### Universal Windows apps protections ### Universal Windows apps protections