May 13 2019

Windows 10 Security Tools Strengthen Protection for Vulnerable Networks

The array of powerful tools included in the new OS is a proven solution to prevent the introduction of malware at agencies.

In the nearly 10 years since Windows 7 arrived on the market, the security landscape has changed significantly. The most current version of the Windows operating system is designed to address the latest emerging threats.

Microsoft’s Windows 10 empowers modern hardware to prevent ransomware and security breaches, such as “pass the hash” attacks, in which a single compromised device can lead to an attacker gaining access to an entire network.

The security improvements included with Windows 10 have already proved effective. For example, devices running Windows 10 were not infected with the WannaCry or NotPetya malware, which spread quickly and left a wake of destruction worldwide in 2017.

Here’s a look at the technologies included in Windows Defender, an anti-malware component built into Windows 10, that deliver superior protection:


System Guard Uses Containers to Protect the OS

Designed to protect and maintain the integrity of Windows upon startup and to validate system integrity through local and remote attestation, System Guard uses Secure Boot to ensure malicious bootloaders can’t run before Windows starts, and that only signed files and drivers are loaded. Ensuring that Windows isn’t compromised is vital for other security defenses to work properly.

Windows Defender System Guard Container uses virtualization-based security (VBS) to segregate critical parts of the OS using containers. Windows Defender features, such as Exploit Guard and Credential Guard, use VBS to provide the highest level of protection.

Device Health Attestation (DHA) allows System Guard to take integrity measurements — which are protected by a Trusted Platform Module to prevent tampering with the results — and then hand the data to Intune or System Center Configuration Manager. System administrators can block network access for devices that don’t pass DHA.

Credential Guard Defends Agencies' Password Hashes 

“Pass the hash” and “pass the token” attacks are commonly used to move laterally around networks and elevate privileges so that attackers can gain domain administrator access to Active Directory. Credential Guard uses VBS to protect password hashes and security tokens so that only privileged system processes can access them.

VBS stores Kerberos and NT LAN Manager credentials in a container that the Windows kernel cannot access directly, rendering ineffective many tools used to harvest hashes and tokens.

Exploit Guard Minimizes the Attack Surface 

The Enhanced Mitigation Experience Toolkit for Windows 7 is now integrated into Windows 10 as Exploit Guard. Attack Surface Reduction rules can be applied in audit mode, then later enforced to protect from attacks against Microsoft Office and other software.
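
As an added illustration (not from the original article or from Microsoft), the audit-then-enforce workflow described above might look like this in PowerShell for a single Attack Surface Reduction rule. It assumes an elevated session on a Windows 10 device with Defender Antivirus active; the helper function names and the 14-day review window are hypothetical choices, and matching the rule ID against the event message text is an assumption about how the audit events are written.

```powershell
# Added example: stage one ASR rule in audit mode, review what it would
# have blocked, and enforce it only if the audit log is clean.
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# ASR rule "Block all Office applications from creating child processes"
$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-AsrRuleMode {
    # Hypothetical helper: sets one rule's action without overwriting the
    # other configured rules (Set-MpPreference would replace the whole list).
    param(
        [Parameter(Mandatory)] [string] $Id,
        [Parameter(Mandatory)] [ValidateSet('AuditMode', 'Enabled', 'Disabled')] [string] $Mode
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Get-AsrAuditHit {
    # Hypothetical helper: returns audit events (ID 1122) that mention the rule.
    # Event ID 1121 is the equivalent event once the rule is in block mode.
    param(
        [Parameter(Mandatory)] [string] $Id,
        [int] $Days = 14   # assumed review window
    )
    $filter = @{
        LogName   = $DefenderLog
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Id) }
}

# Step 1: stage the rule so it logs but does not block.
Set-AsrRuleMode -Id $RuleId -Mode AuditMode

# Step 2 (run after the review window): enforce only if nothing legitimate fired.
$hits = @(Get-AsrAuditHit -Id $RuleId)
if ($hits.Count -eq 0) {
    Set-AsrRuleMode -Id $RuleId -Mode Enabled
    Write-Output "No audit hits for $RuleId; rule is now enforced."
} else {
    Write-Output "$($hits.Count) audit hit(s); review before enforcing:"
    $hits | Select-Object TimeCreated, Message | Format-List
}
```

In practice the same staging is usually pushed through Group Policy, Intune or Configuration Manager rather than per device; the script shows the order of operations on one machine.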

Application Control Limits Access to Apps 

Windows 7 AppLocker, a basic application whitelisting solution, is still a part of Windows 10. But because of how it was originally designed, it’s easy to override AppLocker if you have administrative privileges on the device. The updated Application Control is more robust and can be used with Exploit Guard’s Memory Integrity.

Application Guard Boosts User's Security During Web Browsing 

Application Guard starts Microsoft Edge in a container that protects Windows from the user’s browser session. System administrators can configure Application Guard to automatically provide additional protection when visiting untrusted sites, or to allow or block file downloads and copy/paste operations between the protected session and Windows. Sadly, Favorites cannot be accessed in Application Guard.

Internet Explorer is included in Windows 10 for backward compatibility, but the Edge browser promises a more secure experience. It removes legacy technologies such as ActiveX Controls, and blocks Adobe Flash Player by default. 

Advanced Threat Protection Enhances Defenses

ATP, which is integrated into the Enterprise E5 edition of Windows 10, goes beyond the basic malware protection provided by Windows Defender. ATP can stop breaches before they take hold across a network by sharing information with the Microsoft Intelligent Security Graph. It monitors behavior, uses machine learning and analyzes security metrics.

Windows 10 Is Loaded with Additional Security Features

Microsoft wants users to stop using passwords because they are not secure, and Windows Hello takes us one step closer to that reality. Using biometric authentication, such as facial recognition or a fingerprint, users can log in to Windows 10 without a password. Windows Hello for Business integrates with Azure Active Directory (AAD).

Controlled Folder Access protects local and network files by allowing only whitelisted processes to gain write access, preventing ransomware from encrypting files.

In addition, mobile device management is built into Windows 10, and unlike Windows 7, doesn’t require a separate agent. Windows 10 can join directly to AAD domains for agencies that want to use Microsoft’s modern management stack, which includes Intune, AAD and Windows Autopilot.

Security improvements such as these make a compelling case for the latest Windows OS, but users have less than a year to make the switch without penalty. Windows 7 reaches the end of extended support on Jan. 14, 2020, and after that, users must pay for security fixes.

Illustrations by Rob Dobi
