Windows 10 Security – What’s New and Improved?
Instructor Mike Danseglio
In this training video, security expert Mike Danseglio presents the enhanced security features of SmartScreen, Defender and BitLocker in Windows 10 and new features such as Biometric Identification, Microsoft Passport, Device Guard and more. For more, see our Windows 10 blogs that Mike referenced in the video webinar.
I’m Mike Danseglio. I’m going to be talking a little bit about Windows 10 in this Windows 10 first look. I’ll be talking pretty much about security, a couple of different topics. If this is the first video you’ve seen, I wanted to make sure you knew that we’ve got some other folks going through this as well. We’ve got Steve Fullmer, who’s going to be doing an Introduction to Windows 10.
This is an overview of some of the big new features, the UI and manageability a bit. Then, Rick Trader is also talking a lot about Managing, Deploying and Configuring Windows 10, centrally managing it with domains and Active Directory, because that’s his big thing.
I’m going to be focusing specifically on security for this section. I’m going to be covering it in two very big chunks. I’ll be talking about, first of all, the security overview, the breadth of the different features, and there’s a lot of new stuff in Windows 10 for security. Then, I’m going to be talking specifically about Device Guard, one of the biggest new features, which is really an umbrella.
In this video, I’m going to show you a little bit about Windows 10, specifically around a lot of the new features for security that are built into Windows 10. There is some brand‑new stuff, stuff that hasn’t been in Windows before. There are also some features that have been extended, enhanced, and pumped up a bit in Windows 10.
They were in previous versions of Windows, Windows 7, and then there’s a version after Windows 7, but before Windows 10 that we’re not supposed to talk about. There are some features like that in those previous operating systems. Specifically things like SmartScreen and Defender have been in previous versions of Windows.
They got a huge boost in Windows 10. They are almost completely different features to some degree. I’ll talk about those a little bit. First, I think the context should be: why do we have so many security features? Why was Windows 10, for the most part, designed around security, securing the users, securing the system, securing the enterprise?
It’s because the evolution of threats has really gone off the scale. We’re seeing more complicated threats, rootkits, and bootkits. We’re seeing malware that makes it easily, without very much effort at all through firewalls, through malware scanners.
We’re seeing malware do a lot of different things, not just delete a file or two or send some junk mail or give you a pop‑up. We’re seeing malware that runs an extortion racket, that steals data and pumps it to some unknown location.
It’s really a huge threat. Part of the concern that Microsoft had, around the Windows 10 design phase was, how do we design the operating system to itself just be built more resilient against these kinds of attacks?
Instead of trying to patch these or patch that, can we do something at a fundamental level that makes Windows 10 harder to attack and harder to compromise? That’s where a lot of these aspects in Windows 10 come from. It’s purely a design effort, to make Windows 10 more resilient against attacks.
Some of the more complicated attacks, like pass the hash, are definitely difficult to mitigate. They require architectural changes, which is what we see in Windows 10. Then there’s some of the easier stuff, like accidentally clicking on malware or a bogus link that takes you to some website that you’re not supposed to go to or don’t want to go to.
Those things are a little bit easier to mitigate. Windows 10 rolls all of that stuff up. It’s the change in landscape, the change in the attack space that really makes the big difference in how Windows was designed.
As well, Microsoft recognizes that this Windows 10 operating system is going to be used in stable environments, like on a corporate desktop with a monitor and a keyboard and a mouse, but also on mobile platforms, like laptops, ultrabooks, things like that, and as well phones, because Windows 10 runs on phones fairly easily and tablets that are super portable.
Being able to have that security and take it with the device, wherever the device goes, whatever network it’s on, is another important aspect that’s designed into Windows 10.
One of the biggest changes that happened in Windows 10 around filtering for malware and looking for bad things was SmartScreen. Windows SmartScreen was built into previous versions of Windows.
It was centered around Internet Explorer, making sure Internet Explorer didn’t take you to a link that would be a known bad website. Microsoft had this infrastructure in place, a list of all known bad websites and malware locations.
What happened by default was Internet Explorer would check with Microsoft servers and say, “Hey, is this a bad site or a good site?”
If Microsoft didn’t know about it or if it said it’s a good site, great. Internet Explorer opens a web page. If not, if that’s a known bad site, Microsoft would actually say, “Hey Internet Explorer, block it.” Cool, but it only worked for IE. That’s the problem. Do people use other browsers? Of course they use other browsers, Chrome and Firefox, and Opera, and Safari, and all that stuff.
In Windows 10, Microsoft has taken SmartScreen and integrated it into the OS, where it doesn’t just block URLs from IE or Edge, their newer browser. It has the ability, rather, to block URLs from anything.
Any client that happens to be connecting to a URL can pass it through SmartScreen, to check whether the site is legit or not, to make sure that it’s not a known malware or known malicious site.
That’s a huge difference, in terms of performance. It’s a much more performant filter, as well as holistic security if you will. Another big change in Windows 10 is Defender. Microsoft got a lot of flak for Windows Defender, in Windows 7, in Windows 8. It’s a half‑baked malware scanner. It doesn’t find everything. It doesn’t do a great job.
It doesn’t compare favorably to things like Norton, McAfee, Kaspersky. There are a lot of products out there that do a much, much, much, much, much better job of finding and removing malware, and that was true.
Defender was not designed to compete with those products, until Windows 10. In Windows 10, Defender is designed to be an enterprise‑grade, holy moly kind of malware scanner on par with Kaspersky and McAfee.
It’s really trying hard. The performance so far at the time we’re looking at this product is fairly favorable. It’s competing fairly well on the same space. It’s also now enterprise‑manageable, centrally manageable, where there were some basic configurations that we could do with group policy in Windows 7, and a little bit later for Defender.
Now, Windows 10, you can fully configure and manage centrally and monitor, and reconfigure Windows Defender. That’s a huge deal in Enterprises. Microsoft is very squarely and assertively going after the Enterprise anti‑malware market with Windows Defender in Windows 10. That’s a great thing.
In this lesson, I want to talk about Windows 10 security, but specifically around a couple of big, new features, Device Guard and its sister, configurable code integrity. It’s a misnomer, because Device Guard contains a bunch of stuff. There’s a bunch of little aspects and facets, but they work together real tightly.
This is a big, new deal in Windows 10 that I’m very, very excited about. When I first saw the architecture for Device Guard, and configurable code integrity, I was a little shocked because it was designed exactly the way I would envision design would happen, in order to protect Windows against a bunch of different attacks that are happening now.
What’s going on, interestingly, is if a system meets the requirements for Device Guard and is running the right operating system, and it has to be Windows 10 Enterprise only, then Windows 10 during deployment doesn’t install the way it normally does. Unbeknownst to the user, it installs as a virtual machine.
The entire OS gets installed as a virtual machine, and then a second, kind of mini virtual machine or mini kernel gets installed alongside it. This is this part here. The names on these unfortunately are completely wrong. However, the graphic is not so bad. In this graphic, you can see that Hyper‑V is running, so we’ve got a hypervisor.
We’ve got an operating system running on top of that. We’ve got a virtual machine. This virtual machine is the Windows 10 right here, the virtual machine you would normally expect and normally interact with. In a separate virtual machine, we’re running the other part. It’s not called “Virtual Secure Mode.” It was called that in beta, in certain release candidates.
It’s called “Virtualization‑Based Security” or VBS. Virtualization‑Based Security is a little bit nicer and a little less absolute of a word. At Microsoft, we tried to stay away from using absolutes, like perfectly secure.
Virtualization‑Based Security puts important stuff that needs to be kept secret, and protected over in this other virtual machine, and then highly restricts the interaction between these two.
This is really restricted. If some transaction goes between these two, Windows by default will say, “Nope. You’re not getting over here because I’ve got some super secret stuff over here.” In particular, usually, we have the local security authority. Actually, not usually.
We will have the local security authority keeping a lot of its secrets, password, hashes, credentials, stuff like that over here in this separate virtual machine. If a bad app is running over here in this space, no problem at all. It can’t get to those credentials. It can’t get to LSA, because of that narrow channel of protection.
It’s a brilliant solution. Absolutely love this solution. The design is elegant. The performance is negligible as far as deterioration and performance, because the hypervisor is very, very thin and very, very fast. You don’t even notice it. Users don’t notice it. Admins don’t notice it, unless they know where to look. If they know where to look, they can find it.
I’m going to show you where you would look, to see whether a system is running Device Guard and Virtualization‑Based Security. I’m going to show you on this machine here. We’re running Windows 10 Enterprise right here. I’ve taken the liberty of launching these apps before we start the demo, just to make sure it’s a little bit quicker.
I’ve got, in Windows 10 and in Windows since the dawn of time, MSINFO32, the System Information app. Right here, because we’ve got Windows 10 Enterprise, I can come down, and I can show you that we’ve got Device Guard. Virtualization Based Security: not enabled.
You don’t see this, unless the capability is there, so Windows 10 with the right hardware, with preferably a Trusted Platform Module or TPM, but definitely with the capability to run Hyper‑V. If it’s got the capability, we see this, and then we’ll see whether there’s any of the stuff configured for Device Guard or not, if it’s on. How do we turn it on? You might ask.
If you ask, if in that tiny little pause you ask, I’ll show you. You turn it on through a group policy, which is sweet. I brought up a group policy editor. Under Computer Configuration, under Administrative Templates, under System, we have a new node in Windows 10 called Device Guard. Here is where we turn it on. We enable it through Turn On Virtualization‑Based Security.
I’ll touch it over here, because touching it over there doesn’t work right. There we go. I have the ability to enable it and disable it. Then, we’ve got the code integrity policy, whether to use code integrity. That’s the other part that I was mentioning a few moments ago, the code integrity part.
Code integrity lets us decide what code we’re going to run on Windows, and what code we’re not going to run on Windows.
Meaning, only digitally signed content, only digitally signed content from specific providers, stuff like that. We can make those kinds of decisions.
The tool to define those is a little rough. It takes text files or XML files. You’ll definitely need to look up the whitepapers that Microsoft has published on configurable code integrity, to be able to write XML, or text descriptors of what to allow or disallow.
Once it’s enabled, this stuff happens differently than AppLocker or software restriction policies. It happens over here in the Virtualization‑Based Security node, in a little micro kernel, totally separate from malware. Malware can’t brute force its way in and convince Windows, “Hey, I’m OK to run.” Malware doesn’t have the ability to bridge that gap.
It doesn’t get over there, which is sweet. Planning for Device Guard really the most important thing you can do, if you’re going to deploy configurable code integrity or Device Guard is figure out what systems you have. Do they support Device Guard? In Windows 10, that’s going to be the biggest challenge.
The easy answer to it is to ask yourself, “Do my systems support Hyper‑V? Do I have Intel systems that support VT‑x and VT‑d? Do I have IOMMU support on the chip?” All that kind of stuff. If I do, nine times out of ten, you’ll be able to deploy it. You’ll need to look up the specs. Match them with your machines.
If you have a centralized system, like systems under Config Manager that gathers up all of your inventory data, easy enough. You just query against that. Find out the machines that are capable, and then turn it on. How do you turn it on? Group policy. Don’t do it locally. Don’t do it one‑off. Technically, you can do this in the registry or at the command line with DISM. Don’t do that.
My strong advice is use group policy to centrally deploy this, because then you can centrally monitor this and manage it, much, much, much simpler in an enterprise. This isn’t for mom and pop. This isn’t for two computers. This is for big enterprises, lots of machines being deployed. We, funny enough, have two slides that say essentially the same thing in this tack.
Plan the deployment. Figure out the systems that you’re going to deploy this against. Test them to make sure it works, then deploy the policy, and monitor it. It’s a very standard deployment scheme; it just happens to be for Device Guard. Worst case scenario, Device Guard won’t enable.
That’s typically the worst I’m seeing so far. Looking at the model, the worst that should happen is that. It should not break systems, destroy your infrastructure, melt things down.
However, the worst thing that could happen is the system becomes unsecured or insecure based on, you expect the policy to run, and it didn’t run, which is why you need to make sure you enable enforcement and verify through auditing. Great. Thanks for watching.
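As an added example, not from the video or the slides, here is a PowerShell check that answers the two planning questions above on one machine: does the hardware qualify, and did the policy actually take effect (VBS running, code integrity enforced rather than merely audited). It assumes the Win32_DeviceGuard WMI class and the Get-Tpm cmdlet are present, as they are on current Windows 10 Enterprise builds, and that the script runs elevated; the numeric codes are Microsoft's documented values for that class.

```powershell
# Added example (not from the video): report Device Guard / VBS readiness and
# current enforcement state on one Windows 10 Enterprise machine.
# Assumes: Win32_DeviceGuard WMI class and Get-Tpm available, run elevated.

function Get-DeviceGuardReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # AvailableSecurityProperties codes (Microsoft's documented values):
    # 1 = base virtualization support (hypervisor), 2 = Secure Boot,
    # 3 = DMA protection (IOMMU), 4 = secure memory overwrite,
    # 5 = UEFI code read-only, 6 = SMM mitigations, 7 = mode-based exec control
    $propNames = @{ 1 = 'Hypervisor'; 2 = 'SecureBoot'; 3 = 'DMAProtection(IOMMU)';
                    4 = 'SecureMemoryOverwrite'; 5 = 'UEFICodeReadOnly';
                    6 = 'SMMMitigations'; 7 = 'ModeBasedExecControl' }
    $available = @($dg.AvailableSecurityProperties | ForEach-Object { $propNames[[int]$_] })

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsState = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' } 1 { 'Enabled, not running' } 2 { 'Running' } default { "Unknown ($_)" }
    }
    # SecurityServicesRunning: 1 = Credential Guard (LSA isolation), 2 = HVCI
    $services = @($dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } | ForEach-Object {
        switch ([int]$_) { 1 { 'CredentialGuard' } 2 { 'HVCI' } default { "Service$_" } }
    })
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit only, 2 = enforced
    $ciState = switch ([int]$dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { "Unknown ($_)" }
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        HardwareReady       = ($available -contains 'Hypervisor') -and ($available -contains 'SecureBoot')
        AvailableProperties = ($available -join ', ')
        VBSStatus           = $vbsState
        ServicesRunning     = ($services -join ', ')
        KernelCodeIntegrity = $ciState
        TPMPresent          = [bool](Get-Tpm -ErrorAction SilentlyContinue).TpmPresent
    }
}

$report = Get-DeviceGuardReport
$report | Format-List

# The failure mode the video warns about: policy expected, but not actually enforced.
if ($report.VBSStatus -ne 'Running' -or $report.KernelCodeIntegrity -ne 'Enforced') {
    Write-Warning "Device Guard is not fully enforced on $($report.ComputerName); verify the group policy and the code integrity audit events."
}
```

Run it across the inventory (for example through Config Manager or Invoke-Command) and the HardwareReady column gives the candidate list, while the warning line catches machines where the policy was deployed but is not running or is still in audit mode.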
Another important bit of Windows 10, is BitLocker. BitLocker, it’s been around for a while. It’s been around since, well a long time, and lots of previous versions of the operating system actually supported BitLocker.
But what’s different in Windows 10 is, if the system is configured properly, Windows 10, during installation and during first boot, will actually configure BitLocker and deploy it properly, meaning you don’t have this gap, this security gap between when you install Windows 10 and when Windows 10 becomes secure and actually protects your data with BitLocker.
It can be directly out of the box. For devices that have instant on protection, they’ll just come up first boot and say, “Great, I can do this BitLocker thing, and as long as I have a place to store the recovery key, I’m good to go. I’ll turn on BitLocker.”
As well, we’ve got enterprise deployment, where out of the box, enterprises can actually configure BitLocker, so on first boot Windows 10 will deploy BitLocker, store the recovery key in Active Directory, preferably, and then encrypt the drives.
That’s fantastic as well. It provides this initial data security state as well as ongoing data security. That’s what we’re looking for in Windows 10.
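As an added example, not from the video, this PowerShell verifies the state the passage describes on a deployed machine: every fixed volume protected and fully encrypted, the OS volume bound to the TPM, a recovery password protector present, and that protector escrowed to Active Directory. It assumes the BitLocker PowerShell module that ships with Windows 10 and a domain-joined machine whose AD schema holds BitLocker recovery information.

```powershell
# Added example (not from the video): audit BitLocker posture per volume and,
# optionally, escrow the recovery password to the computer object in AD.
# Assumes: BitLocker module (Get-BitLockerVolume, Backup-BitLockerKeyProtector),
# domain-joined machine, run elevated.

function Test-BitLockerPosture {
    param([switch]$BackupToAD)

    $fixed = Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }
    foreach ($vol in $fixed) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $tpmBound = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })

        # Collect the gaps that would leave the "install to protected" window open
        $gaps = @()
        if ($vol.ProtectionStatus -ne 'On')         { $gaps += 'protection off' }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $gaps += "status $($vol.VolumeStatus)" }
        if ($recovery.Count -eq 0)                  { $gaps += 'no recovery password protector' }
        if ($vol.VolumeType -eq 'OperatingSystem' -and $tpmBound.Count -eq 0) {
            $gaps += 'OS volume not TPM-bound'
        }

        if ($BackupToAD) {
            foreach ($kp in $recovery) {
                # Writes the recovery password to the computer object (msFVE-RecoveryInformation)
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                             -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }

        [pscustomobject]@{
            MountPoint  = $vol.MountPoint
            Type        = $vol.VolumeType
            Protection  = $vol.ProtectionStatus
            Encrypted   = "$($vol.EncryptionPercentage)%"
            RecoveryKey = if ($recovery.Count -gt 0) { 'present' } else { 'missing' }
            Gaps        = if ($gaps.Count -gt 0) { $gaps -join '; ' } else { 'none' }
        }
    }
}

Test-BitLockerPosture -BackupToAD | Format-Table -AutoSize
```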
Another bit that’s interesting in Windows 10 for security is Data Leakage Protection, DLP. It’s actually not called DLP anymore. It’s called EDP, Enterprise Data Protection. It changed names right before Windows 10 shipped. Although we’re using the old slide, you’ll want to think of it as EDP, or Enterprise Data Protection.
What this is, is the concept of extending data protection and data control to portable devices. We have a document that sits on a hard drive, on a laptop, and the laptop is out of your enterprise. You have a file that’s copied to a thumb drive. The thumb drive goes home with the user and then gets inserted in their machine at home.
We want to make sure that the data retains the protection, retains the security. We do this through device management in Active Directory, as well as some centralized management configuration.
This feature set, called Enterprise Data Protection, has been greatly extended in Windows 10, a lot more options, a lot more configuration, that an administrator can do to actually meet regulatory compliance requirements, meet audit requirements, all that kind of stuff. It’s a fascinating feature.
It requires a significant amount of planning, so be aware that you don’t just turn on a bit, and all of a sudden, “Wow, my data’s secure, exactly the way I wanted. It seems to have read my mind.”
It doesn’t work that way. It takes PKI to be deployed. It takes configuration, of machines. It takes user education to actually make all of this stuff work.
The big point though is that it’s migrating into a simpler and more readily available form than in previous versions of Windows, where it was a lot harder and cumbersome to deploy.
Biometric identification is another important bit in Windows 10. Biometric identification is the concept of swiping your finger on a machine or having a computer read some kind of facial pattern. That’s actually not a terribly new concept, but it hasn’t really been integrated into Windows in a very deep way, in a very complex way, until Windows 10.
Windows 10 is making a big play for biometrics with Windows Hello, which integrates all of this stuff into a more trustworthy, more secure enterprise‑grade biometric reader so that you can have things like Intel RealSense cameras reading people’s faces using IR cameras. Not just regular light kind of cameras, and log them in through a fairly secure, fairly well‑managed component.
I do want to take a moment to actually fix something here, because this slide is, at the moment, kind of not right.
That’s better. Iris recognition does not exist in Windows Hello, in Windows 10, yet. It’s coming. It just didn’t make the cut for the first release of Windows 10, so if this is important to you, keep your eyes peeled, because it will come out, just not quite yet.
Another component of login besides biometrics is the concept of Microsoft Passport and having the ability to have the device identify itself, as well as the user.
If you have Active Directory, you realize you’ve got a machine account, the device authenticates, the user authenticates, everything is happy. However, this is tied much closer together, where the user, on certain devices, may have to provide multifactor authentication or another single factor auth, or depending on the credential, the credential may require multifactor auth, or single factor auth.
This concept of tying this all into some centrally managed component, as well as being able to lock down the hardware, as well as the user account, that’s where Microsoft Passport really comes in.
Microsoft Passport also allows you, depending on your infrastructure, and depending on whether you want to do it or not, to federate identities with Microsoft Passport servers, with the actual Microsoft Live servers, if you will. They have a few different names.
That way you’re storing the identity, not on the machine or in a directory, but actually having Microsoft host all of that. You can also use Active Directory in Azure, Azure Active Directory. You can use a few different options here.
The point is in Windows 10 because you’ve got this federation built into the client, the client really doesn’t care where the credentials are stored or managed. What it cares about is, “Just tell me what servers I’m using, tell me what kind of federation I’m using, and I’ll go, figure it out.” You don’t have to install lengthy pieces of software or complex pieces of software in order to get that stuff working.
That’s really it for the summary of the big stuff in Windows 10 security.
Mike Danseglio teaches IT Security classes at Interface Technical Training. His security work has included protecting militaries, government agencies, and private industry around the world. He has developed and taught extensive security training on topics including cryptography, security technology, and attacks and countermeasures. Mike is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and Langevin Master Trainer.