First published on TechNet on Dec 11, 2017


Hello, Paul Bergson here, back with some great new information. With the recent release of the Fall Creators Update (FCU) for Windows 10, Microsoft released some great new security features that can protect you from unwanted malware. I have heard from customers on multiple occasions that their customers are doing just fine with their desktop operating system; one told me "their operating system is getting a bit old, but it still works, so why should I upgrade?" That is a great question and it reminds me of a poster that was hung at a railroad switchyard I worked at while going through college. The poster showed a general getting his men ready for battle; they were all outfitted with medieval armor as well as swords and bows and arrows. A young scientist was trying to get the general's attention about a newly developed piece of battlefield equipment, a machine gun. The general was dismissing him, telling him he was too busy to be bothered and to leave him alone. I sometimes worry this is occurring, so I try evangelizing the latest tools Microsoft provides to help protect our customers. Just try and keep the following in mind: you can't expect to beat security threats of the present with tools from the past. The FCU security updates I would like to discuss are:

  • Exploit Guard
    • Exploit Protection
    • Attack Surface Reduction
    • Controlled Folder Access
    • Network Protection
  • Application Guard

Exploit Protection

If you are a current Enhanced Mitigation Experience Toolkit (EMET) user, you will be happy to know that the features available within EMET have been migrated to Windows Defender Exploit Guard (WDEG) Exploit Protection (EP). EMET is a great tool, but it is being sunset, and what is great about WDEG is that the fixes are built into the operating system, whereas EMET's were shimmed in. These newly built-in mitigations are even more comprehensive than EMET's. "As such, with the Windows 10 Fall Creators Update, you can now audit, configure, and manage Windows system and application exploit mitigations right from the Windows Defender Security Center (WDSC). You do not need to deploy or install Windows Defender Antivirus or any other additional software to take advantage of these settings, and WDEG will be available on every Windows 10 PC running the Fall Creators Update." *1 If you are a current EMET user, we don't expect you to have to go back and recreate all the configuration settings for WDEG EP; we have provided our users with several PowerShell commands to convert your EMET XML settings to WDEG EP mitigation settings. *2 Not only does WDEG EP protect your enterprise from memory attacks, it provides a new "Audit" feature (similar to AppLocker's audit feature) that allows the administrator to audit the new controls to ensure that as you roll out WDEG EP there are no application compatibility issues. "You can enable each of the features of Windows Defender Exploit Guard in audit mode. This lets you see a record of what would have happened if you had enabled the feature. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled." *3

System mitigation settings are:

  • Control Flow Guard (CFG) [on by default]
    • Ensures control flow integrity for indirect calls
  • Data Execution Prevention (DEP) [on by default]
    • Prevents code from being run from data-only memory pages
  • Force randomization for images (Mandatory ASLR) [off by default]
    • Force relocation of images not compiled with /DYNAMICBASE
  • Randomize memory allocations (Bottom-up ASLR) [on by default]
    • Randomize locations for virtual memory allocations
  • Validate exception chains (SEHOP) [on by default]
    • Ensures the integrity of an exception chain during dispatch
  • Validate heap integrity [on by default]
    • Terminates a process when heap corruption is detected

Per Application mitigation settings are:

  • Arbitrary Code Guard (ACG)
    • Prevents non-image backed executable code and code page modification
  • Block low integrity images
    • Prevents loading of images marked with low-integrity
  • Block remote images
    • Prevents loading of images from remote devices
  • Block untrusted fonts
    • Prevents loading any GDI-based fonts not installed in the system Fonts directory
  • Code integrity guard
    • Only allows the loading of images signed by Microsoft
  • Control flow guard (CFG)
    • Ensures control flow integrity for indirect calls
  • Data execution prevention (DEP)
    • Prevents code from being run from data-only memory pages
  • Disable extension points
    • Disables various extensibility mechanisms that allow DLL injection into all processes such as Windows hooks
  • Disable Win32k system calls
    • Stops programs from using the Win32k system call table
  • Do not allow child processes
    • Prevents programs from creating child processes
  • Export address filtering (EAF)
    • Detects dangerous exported functions being resolved by malicious code
  • Force randomization for images (Mandatory ASLR)
    • Force relocation of images not compiled with /DYNAMICBASE
  • Import address filtering (IAF)
    • Detects dangerous imported functions being resolved by malicious code
  • Randomize memory allocations (Bottom-up ASLR)
    • Randomize locations for virtual memory allocations
  • Simulate execution (SimExec)
    • Ensures that calls to sensitive functions return to legitimate callers
  • Validate API invocation (CallerCheck)
    • Ensures that sensitive APIs are invoked by legitimate callers
  • Validate exception chains (SEHOP)
    • Ensures the integrity of an exception chain during dispatch
  • Validate handle usage
    • Raises an exception on any invalid handle references
  • Validate heap integrity
    • Terminates a process when heap corruption is detected
  • Validate image dependence integrity
    • Enforces code signing for Windows image dependency loading
  • Validate stack integrity
    • Ensures that the stack has not been redirected for sensitive functions

WDEG EP is manageable with Windows Defender Security Center, Group Policy or PowerShell, with all events recorded in the Event Logs for analysis, thereby allowing a measured rollout of rules.
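The following is an added example, not code from the original post, showing the PowerShell side of that rollout: review the system defaults, convert an existing EMET policy, put a mitigation into audit mode for one application, and read the resulting events. The file paths, the binary name LobApp.exe and the event channel names are assumptions.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session on
# Windows 10 1709 or later. Paths, 'LobApp.exe' and the log channel names are placeholders/assumptions.

# 1. Review the system-wide defaults listed above (CFG, DEP, ASLR, SEHOP, heap integrity).
Get-ProcessMitigation -System

# 2. Existing EMET users: convert the EMET policy XML instead of recreating every setting by hand.
ConvertTo-ProcessMitigationPolicy -EMETFilePath 'C:\EMET\EMET_Policy.xml' `
                                  -OutputFilePath 'C:\WDEG\ExploitProtection.xml'

# 3. Apply the converted policy file to this machine.
Set-ProcessMitigation -PolicyFilePath 'C:\WDEG\ExploitProtection.xml'

# 4. Per-application tuning for one line-of-business binary: audit child-process creation and
#    non-image-backed code (ACG) first, so compatibility problems show up as events, not crashes.
#    Confirm the exact audit flag names for your build with:
#      Get-Help Set-ProcessMitigation -Parameter Enable
Set-ProcessMitigation -Name 'LobApp.exe' -Enable AuditChildProcess,AuditDynamicCode

# 5. Confirm what is now configured for that binary.
Get-ProcessMitigation -Name 'LobApp.exe'

# 6. Export the effective configuration so it can be distributed with Group Policy or MDM.
Get-ProcessMitigation -RegistryConfigFilePath 'C:\WDEG\ExportedSettings.xml'

# 7. Review audit events before switching any mitigation from audit to enforce.
#    Exploit Protection writes to the Security-Mitigations channels (assumed channel name; verify on your build).
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```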

Attack Surface Reduction

"Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines." *7 These settings are easily manageable from PowerShell, Group Policy, Mobile Device Management (MDM), Intune or System Center Configuration Manager (SCCM) interfaces. This is all integrated with both the Advanced Threat Protection (ATP) console and Windows Defender Security Center online. Any events generated from either "Audit" or "Block" mode flow into the console for single-pane-of-glass monitoring; as events occur, actions can be taken from the console and applied to the clients. There are 7 Attack Surface Reduction (ASR) rules available for management:

  • Office Rules
    • Block Office apps from creating executable content
      • GUID - 3B576869-A4EC-4529-8536-B80A7769E899
    • Block Office apps from launching child processes
      • GUID - D4F940AB-401B-4EFC-AADC-AD5F3C50688A
    • Block Office apps from injecting into a process
      • GUID - 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
    • Block Win32 imports from macro code in Office
      • GUID - 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
  • Script Rules
    • Block obfuscated JS/VBS/PS/Macro code
      • GUID - 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
    • Block JS/VBS from executing payload downloaded from the internet
      • GUID - D3E037E1-3EB8-44C8-A917-57927947596D
  • E-Mail Rule
    • Block execution of executable content from e-mail (webmail/mail-client)
      • GUID - BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550

To manage ASR rules from PowerShell, each rule above is assigned a GUID that is used to "Enable" or "Audit" the rule. For example, auditing of the "Block Office apps from launching child processes" rule can be enabled as follows:

Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode

Microsoft has provided a tool to help engineers evaluate how "Attack Surface Reduction" rules work. *8 The tool allows the engineer to initiate various actions that would trigger the protection of the system. The tests can be configured for either "Block" or "Audit" mode.
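As an added example (not code from the original post), this script puts all seven rules listed above into audit mode in one call, reads the configured state back, reviews the audit events, and then promotes a single rule to Block. The audit event ID and the numeric action mapping are my understanding of the FCU logging and should be confirmed on your build.

```powershell
# Added example (not from the original post). Elevated PowerShell, Windows 10 1709 or later.
# The GUIDs are the seven ASR rules from the list above.
$asrRules = [ordered]@{
    'Block Office apps from creating executable content'               = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office apps from launching child processes'                 = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office apps from injecting into a process'                  = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Win32 imports from macro code in Office'                    = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block obfuscated JS/VBS/PS/Macro code'                            = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block JS/VBS from executing payload downloaded from the internet' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block execution of executable content from e-mail'                = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
}

# Stage 1: audit everything. The two parameters are parallel arrays: one action per rule ID.
$ids     = @($asrRules.Values)
$actions = $ids | ForEach-Object { 'AuditMode' }
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Read the state back. Get-MpPreference returns the same parallel arrays; the action is numeric
# (assumed mapping: 0 = Disabled, 1 = Block/Enabled, 2 = AuditMode).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
    $name = ($asrRules.GetEnumerator() | Where-Object { $_.Value -eq $id }).Key
    '{0,-66} {1}  action={2}' -f $name, $id, $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Stage 2: review what would have been blocked. Audit hits are logged in the Defender
# Operational log (assumed: event ID 1122 = ASR audit, 1121 = ASR block).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap

# Stage 3: once the audit log shows no line-of-business impact for a rule, promote just that
# rule to Block. Calling Add-MpPreference with an ID that is already configured updates its action.
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules['Block Office apps from launching child processes'] `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Note that Set-MpPreference with the same parameters replaces the whole rule list, so use Add-MpPreference when changing one rule at a time.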

Controlled Folder Access

Ransomware has become one of the biggest security threats facing our customers today. Attackers attempt to encrypt your users' data and won't provide the decryption key unless a ransom is paid in cryptocurrency. Controlled Folder Access (CFA), which is a part of WDEG, can block applications from updating pre-defined folders. CFA can be enabled locally, which requires the user to manage the settings within Windows Defender Security Center. The folder and application configuration settings can also be managed by your desktop administrator with Group Policy. *9 Prior to rolling out CFA, Microsoft has created a demo tool that allows the administrator to trial the impact on an application that has not been granted permission to update a protected location. The tool "FileCreator" attempted to update a protected folder and generated the error seen below. This error is what users would see if this protective feature were enabled. *10 CFA also provides the ability to audit impact prior to enabling this feature, thereby giving the administrator the ability to find any application compatibility issues. *10

Network Protection

End users are the weakest link in the chain. All the protections can be put in place, but if a user clicks on a link it might take them to a location that will attack them. If an end user unknowingly clicks on a phishing e-mail, browses to a malicious site, etc., the end result could be downloading malicious content and/or control by a Command and Control server. Stop these threats by "Blocking Outbound Connections" to untrustworthy sites locally. Windows Defender Exploit Guard's Network Protection utilizes the industry-leading Windows Defender SmartScreen protection in the phishing, exploit and malware space to protect ALL outbound connections, not just Microsoft Edge. This will protect any browser loaded on the device as well as any application, such as a malicious app attempting to contact a command and control server residing on the internet. Network Protection is built natively into the Pro and Enterprise SKUs; it examines all outbound internet connections from the device. Specifically, it reviews HTTP, TCP and IP traffic and communicates with the cloud to review the reputation of the URL the device wants to connect to. There is nothing to configure; it is all built into the product. The lookups are all cached, so once a site has been visited it isn't required to be rechecked. When the reputation is reviewed, if the reputation is "Low" the site will be blocked. "Low" could mean it is a site known for things such as phishing or malware activities. So how do we know if a site is untrustworthy? Microsoft has telemetry from almost 500,000,000 devices with SmartScreen running, but in an effort to not make a mistake that could have significant negative results there is also human ranking to ensure a legitimate site isn't accidentally given a bad reputation. To enable Network Protection, it is a single setting configurable from either the Security Center or PowerShell. The options can be set to either "Warn" the user but allow them to override and still visit the site, or to outright "Block" the site.
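The following added example (not code from the original post) covers both the Controlled Folder Access and Network Protection sections above: enable each in audit mode, add a protected folder and an allowed application for CFA, review the audit events, and only then switch to enforcement. The folder and application paths and the event IDs are assumptions.

```powershell
# Added example (not from the original post). Elevated PowerShell, Windows 10 1709 or later.
# 'D:\Finance\Shared' and 'LobApp.exe' are placeholders; the event IDs are my reading of the
# Defender Operational log for FCU and should be confirmed on your build.

# --- Controlled Folder Access: audit first, so nothing is blocked while you measure impact ---
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect an additional location beyond the default user profile folders.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Shared'

# Allow a line-of-business application that legitimately writes into protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LobApp\LobApp.exe'

# --- Network Protection: audit first as well ---
Set-MpPreference -EnableNetworkProtection AuditMode

# --- Review what would have been blocked ---
# Assumed IDs: CFA audit = 1124 (block = 1123); Network Protection audit = 1125 (block = 1126).
$log = 'Microsoft-Windows-Windows Defender/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1124, 1125 } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# --- Enforce once the audit events show no false positives ---
Set-MpPreference -EnableControlledFolderAccess Enabled
Set-MpPreference -EnableNetworkProtection Enabled

# Verify the final state.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess, EnableNetworkProtection,
                  ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

Run the audit stage for long enough to cover a normal business cycle (month-end jobs, backups) before enforcing, since those are the writers most likely to trip CFA.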

Application Guard

To help protect your users from getting compromised while browsing the internet, we have introduced Windows Defender Application Guard (WDAG). If your users browse to a web site you haven't listed as trusted, WDAG will hatch a new virtualized Windows "container" which is abstracted at the hardware layer, thereby isolating the user's browser in a different workspace (this means a completely separate kernel!). Everything should work the same for the user, but any corruptive changes made to the operating system are dropped once the virtualized session has been shut down. For example: "An attacker sends a well-crafted email to an innocent employee of the company enticing them to visit a link on a site under the attacker's control. The innocent user, not noticing anything suspicious about the mail, clicks on the link to an untrusted location. In order to proactively keep the user and enterprise resources safe, Application Guard coordinates with Microsoft Edge to open that site in a temporary and isolated copy of Windows. In this case, even if the attacker's code is successful in attempting to exploit the browser, the attacker finds their code running in a clean environment with no interesting data, no access to any user credentials, and no access to other endpoints on the corporate network. The attack is completely disrupted. As soon as the user is done, whether or not they are even aware of the attack having taken place, this temporary container is thrown away, and any malware is discarded along with it. There is no way for the attacker to persist on that local machine, and even a compromised browser instance has no foothold to mount further attacks against the company's network. After deletion, a fresh new container is created for future browsing sessions." *4 To manage the enterprise, we do provide new Group Policy settings, so the desktop administrator can ensure security and conformity for all of the enterprise's users. *5 Since WDAG utilizes Hyper-V containers, it does require more robust hardware. *6

Well, there you have it: some great new security features, and they are provided as free updates. Look through the links and try out some of the demos. If you are already convinced that you need to get off the older operating system but need help justifying it, hopefully this will help you convince the decision makers to move forward. After all, you don't want to be like the general in the story above as we all battle against the continuing cyber assaults that are a part of business today.