mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 22:37:22 +00:00
Folded in additions; tweaked title
This commit is contained in:
parent
b0b5635d82
commit
aacc8ee7f3
@ -44,8 +44,10 @@ Windows 10 mitigations that you can configure are listed in the following two ta
|---|---|
| **Device Guard**,<br>which helps keep a device free of<br>malware or other untrusted apps<br>(can be enhanced by Secure Boot, described in the next row) | Device Guard includes Code Integrity policies, a whitelist you create of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain entrance to the kernel.<br>Device Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) |
| **UEFI Secure Boot**,<br>which mitigates against<br>bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot helps to protect the boot process and firmware from tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.<br><br>**More information**: [UEFI and Secure Boot](bitlocker-countermeasures.md#uefi-and-secure-boot)</a> |
| **Early Launch Antimalware (ELAM)**,<br>which mitigates against<br>rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.<br><br>**More information**: [Early Launch Antimalware](bitlocker-countermeasures.md#protection-during-startup) |
| **Device Health Attestation**,<br>which mitigates against<br>compromised devices that<br>might access an<br>organization’s assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.<br><br>**More information**: [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) and [Device Health Attestation](https://technet.microsoft.com/windows-server-docs/security/device-health-attestation) |
| **Credential Guard**,<br>which mitigates against<br>credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.<br>Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) |
| **OS key pinning**,<br>which mitigates against<br>man-in-the-middle attacks that leverage PKI | With OS key pinning, you can “pin” (associate) an X.509 certificate and its public key to its legitimate Certification Authority (root or leaf). This provides validation for digitally signed certificates (SSL certificates) used while browsing, and mitigates against man-in the-middle attacks that involve these certificates.<br><br>**More information**: OS_KEY_PINNING_LINK |
| **Enterprise certificate pinning**,<br>which mitigates against<br>man-in-the-middle attacks that leverage PKI | With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its legitimate Certification Authority, either root or leaf. This helps protect your enterprise’s intranet sites (not external Internet sites) by providing validation for digitally signed certificates (SSL certificates) used while browsing. This feature mitigates against man-in the-middle attacks that involve these certificates.<br><br>**More information**: ENTERPRISE_CERTIFICATE_PINNING_LINK |
| **Windows Defender SmartScreen**,<br>which mitigates against<br>malicious applications that<br>a user might download | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.<br><br>**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
| **Windows Defender Antivirus**, which mitigates against<br>multiple threats | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.<br><br>**More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic |
| **Blocking of untrusted fonts**, <br>which mitigates against<br>elevation-of-privilege attacks from untrusted fonts | The Block Untrusted Fonts setting allows you to prevent users from loading untrusted fonts onto your network, which can mitigate against elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).<br><br>**More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |
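Review bot: the replacement row for **Enterprise certificate pinning** leaves a placeholder in its "More information" cell (`**More information**: ENTERPRISE_CERTIFICATE_PINNING_LINK`), so the row ships with a dead reference; put the real link to the enterprise certificate pinning topic there before merging. The new row also carries over the typo "man-in the-middle" from the OS key pinning row it replaces; write "man-in-the-middle" as the rest of the table does. While here, the UEFI Secure Boot row has a stray `</a>` after its Markdown link that should be dropped.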
@ -175,7 +177,7 @@ Windows included Windows Defender Antivirus, a robust inbox antimalware solution
<!-- Watch the link text for the following links - try to keep it in sync with the actual topic. -->
For more information, see [Windows Defender in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
For more information, see [Windows Defender in Windows 10](windows-defender-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
For information about Windows Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Windows Defender Advanced Threat Protection (ATP)](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-advanced-threat-protection) (documentation).
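Review bot: the edited sentence switches the first link from the absolute technet URL to the relative path `windows-defender-in-windows-10.md` while the Windows Server link in the same sentence stays absolute; confirm the relative path resolves from this topic's directory in the docs build, since a wrong relative path fails silently in rendered output. The HTML comment above the paragraph asks that link text be kept in sync with the target topic, so the text "Windows Defender in Windows 10" should be checked against the title of the topic it now points to.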
@ -193,6 +195,7 @@ One of the mitigations, Control Flow Guard (CFG), needs no configuration within
| **Kernel pool protections**,<br>which mitigate against<br>exploitation of pool memory used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations to create an attack.<br><br>**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. |
| **Control Flow Guard**,<br>which mitigates against<br>exploits based on flow between code locations in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead can be built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other features in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.<br>For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. Administrators can request software vendors to deliver Windows applications compiled with CFG enabled.<br><br>**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
| **Protected Processes**,<br>to mitigate against<br>one process tampering<br>with another process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.<br><br>**More information**: [Protected Processes](#protected-processes), later in this topic. |
| **SMB hardening for SYSVOL and NETLOGON shares**,<br>which mitigates against<br>man-in-the-middle attacks | Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).<br><br>**More information**: [SMB hardening improvements for SYSVOL and NETLOGON shares](#smb-hardening-improvements-for-sysvol-and-netlogon-shares), later in this topic. |
| **Universal Windows apps protections**,<br>which mitigate against<br>multiple threats | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.<br><br>**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. |
| **Protections built into Microsoft Edge** (the browser),<br>which mitigate against<br>multiple threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.<br><br>**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. |
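Review bot: the new **SMB hardening for SYSVOL and NETLOGON shares** row says client connections "now require" SMB signing and mutual authentication without saying since which release; the section it links to names Windows 10 and Windows Server 2016, so state them in the row as well. The row should also carry the operational consequence given in that section, that a client will not process domain-based Group Policy and scripts when signing and mutual authentication are unavailable, since that is what an administrator reading the summary table needs to know.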
@ -242,6 +245,13 @@ Most security controls are designed to prevent the initial infection point. Howe
With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.
### SMB hardening improvements for SYSVOL and NETLOGON shares
In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won’t process domain-based Group Policy and scripts.
> [!NOTE]
> The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/en-us/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/).
### Universal Windows apps protections
When users download Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store, it’s highly unlikely that they will encounter malware, because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
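Review bot: in the `[!NOTE]` block the comma is misplaced ("For more information on these security improvements, (also referred to as UNC hardening), see"); drop the comma before the parenthesis. The Knowledge Base link target contains a literal comma in its path (`...february-10,-2015`), which some Markdown renderers and link checkers truncate; percent-encode it or use the short `support.microsoft.com/help/3000483` form of the URL. In the Protected Processes paragraph, "3rd party anti-malware vendors" should be spelled out as "third-party antimalware vendors" to match "antimalware" as used in the rest of the paragraph.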
@ -276,7 +286,8 @@ For sites that require IE11 compatibility, including those that require binary e
Some of the protections available in Windows 10 are provided through functions that can be called from apps or other software. Such software is less likely to provide openings for exploits. If you are working with a software vendor, you can request that they include these security-oriented functions in the application. The following table lists some types of mitigations and the corresponding security-oriented functions that can be used in apps.
**Note** Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For more information, see [Control Flow Guard](#control-flow-guard), earlier in this topic.
> [!NOTE]
> Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For more information, see [Control Flow Guard](#control-flow-guard), earlier in this topic.
### Table 4 Functions available to developers for building mitigations into apps
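Review bot: converting the bold **Note** line into a `> [!NOTE]` alert matches the alert style already used in the SMB hardening section, so this is the right direction; check that the `[!NOTE]` line and the `>` body line render as a single callout with no blank quoted line between them. The sentence "Such software is less likely to provide openings for exploits" in the paragraph above is vague; it would read better as a statement that these functions restrict what a process is allowed to do, which is what Table 4 below actually lists.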
@ -367,7 +378,7 @@ The Converter feature is currently available as a Windows PowerShell cmdlet, **S
- **Converting Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections.
- **Converting Certificate Trust settings to OS Key Pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use **Set-ProcessMitigations -Convert** to convert the pinning rules file into an OS Key Pinning rules file. Then you can finish enabling that file as described in the OS Key Pinning documentation.
- **Converting Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use **Set-ProcessMitigations -Convert** to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in the Enterprise_certificate_pinning_documentation.
#### EMET-related products
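Review bot: the new bullet ends with a bare placeholder, "as described in the Enterprise_certificate_pinning_documentation", with no link, so readers cannot finish the procedure it describes; replace it with the actual link to the enterprise certificate pinning topic, the same one that the ENTERPRISE_CERTIFICATE_PINNING_LINK placeholder in the mitigations table at the top of this file also needs. "Then you can finish enabling that file" is also vague for a procedure step; say that the output of **Set-ProcessMitigations -Convert** is an enterprise certificate pinning rules file and that the linked topic covers deploying it.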