Advancing Security for Consumers and Enterprises at Every Layer of the Windows 10 Stack


We are truly in the midst of a revolution of cyber threats and, to everyone’s frustration, attackers have had the advantage for quite some time. The adversaries that enterprises face today are increasingly well-funded and they are experts at breaching well-fortified environments and deriving economic value from the attack. The reality is that the tactics adversaries use against enterprises are regularly exceeding what the platforms and security infrastructure were designed to defend against, leaving organizations in what effectively is a “breach at will” state. Even organizations with the largest security budgets are getting breached, regularly.

Meanwhile, the economic impact and incentives for attackers are no longer hypothetical, with media now frequently reporting on the quantifiable impact of these breaches in terms of actual monetary impact and disruption. The explosive growth by those who seek to steal intellectual property, extort, and disrupt is only increasing as adversaries develop greater sophistication in their attack strategies, scale them out across organizations of all sizes, and increase the rate at which successful attacks can be launched.

Addressing today’s threat landscape requires a completely new approach: One where the very architecture of the platform has been designed to protect you from the inside out, rather than just protecting with a series of perimeter defenses that will eventually get circumvented. From the very earliest days of planning and design, we’ve built Windows 10 to harden against attacks from every direction and at every layer of the stack.

Platform Architecture

Hardware-based isolation, with Virtualization Based Security (VBS), is one of the key ways we’ve hardened Windows 10 against attacks. VBS uses the processor’s virtualization extensions to create a hardware-enforced security boundary between sensitive Windows components and data and the rest of the operating system. With Windows 10, this secure execution environment powers some of our most impactful security features, including Virtual TPM, Device Guard and Credential Guard. Credential Guard has proven so impactful that customers have told us it is their top-priority security feature, and a benefit compelling enough to justify the Windows 10 deployment all by itself. It’s no wonder, since it combats one of the most prolific and critical tactics being used against organizations today: Pass the Hash (PtH).

Hardware-based isolation and protection of sensitive operations and information is another of the key improvements in Windows 10, and the virtualization extensions (e.g. Intel VT) on the device’s system processor and its Trusted Platform Module (TPM) are an instrumental part of the story. TPM 2.0 has recently been ratified as an international standard, and this paves the way for Windows OEMs to include TPM 2.0 as standard equipment across their entire PC lines, opening the door for full volume encryption, strong multi-factor authentication, and other security capabilities.

Now, with the Windows 10 Anniversary Update, Windows Hello’s biometric validation components and the user’s biometric data will be moved into this environment to help further ensure this data remains secure from the most advanced threats. Learn more in the Devices and Architecture blog here.
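As an added example (not code from the original post or from Microsoft), the following PowerShell script checks whether VBS and Credential Guard are actually running on a Windows 10 device, and what the TPM reports about itself, using the Win32_DeviceGuard and Win32_Tpm WMI classes that Windows exposes. The helper name Get-VbsPosture and the warning rules at the end are this example’s own; run it in an elevated session.

```powershell
# Added example, not from the original post: report VBS / Credential Guard / TPM state.
# Sources: Win32_DeviceGuard (root\Microsoft\Windows\DeviceGuard) and Win32_Tpm
# (root\cimv2\Security\MicrosoftTpm). Requires an elevated PowerShell session.

# Numeric codes used by the Win32_DeviceGuard class.
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$services  = @{ 1 = 'Credential Guard'
                2 = 'Hypervisor-enforced Code Integrity (HVCI)'
                3 = 'System Guard Secure Launch'      # reported only on later builds
                4 = 'SMM Firmware Measurement' }      # reported only on later builds
$props     = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
                4 = 'Secure Memory Overwrite'; 5 = 'UEFI code read-only'
                6 = 'SMM security mitigations 1.0'; 7 = 'Mode Based Execution Control' }

function Get-VbsPosture {
    # Hypothetical helper name chosen for this example.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue

    # SpecVersion reads like "2.0, 0, 1.38"; absent when no TPM is present.
    $tpmSpec = if ($tpm) { $tpm.SpecVersion } else { 'n/a' }

    [pscustomobject]@{
        VbsStatus          = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = @($dg.SecurityServicesConfigured  | ForEach-Object { $services[[int]$_] })
        ServicesRunning    = @($dg.SecurityServicesRunning     | ForEach-Object { $services[[int]$_] })
        HardwareProperties = @($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] })
        CredentialGuardOn  = [bool]($dg.SecurityServicesRunning -contains 1)
        TpmPresent         = [bool]$tpm
        TpmSpecVersion     = $tpmSpec
    }
}

$posture = Get-VbsPosture
$posture | Format-List

# Example policy checks: Credential Guard only isolates secrets from Pass-the-Hash style
# theft when VBS is running, which in turn needs hypervisor support on the processor.
if ($posture.VbsStatus -ne 'Running') {
    Write-Warning 'VBS is not running; Credential Guard cannot isolate credentials on this device.'
}
if (-not $posture.CredentialGuardOn) {
    Write-Warning 'Credential Guard is configured or absent but not running.'
}
if ($posture.TpmPresent -and $posture.TpmSpecVersion -notmatch '^2\.0') {
    Write-Warning "TPM spec version is '$($posture.TpmSpecVersion)'; the post describes TPM 2.0 as the standard going forward."
}
```

The script only reads state; turning Credential Guard on is a Group Policy or MDM configuration change, and on a device with VBS "Enabled but not running" the usual cause is missing hypervisor support or a firmware setting, which the HardwareProperties list makes visible.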

Pre-Breach Defense

Making the platform resistant to malware and advanced threats is one of our top priorities. With pre-breach defense, our goal is to help prevent Windows devices from ever coming in contact with threats. Our SmartScreen technology provides world-class, cloud-based App and URL reputation services that help prevent Windows devices and users from encountering such threats. For instance, if a user uses Microsoft Edge or Internet Explorer to go to a site that we know is malicious, SmartScreen will alert the user and help prevent the browser from going there. New for the Anniversary Update, SmartScreen is now powered by the Microsoft Intelligent Security Graph giving it broader reach and faster reputation classification for emerging threats.

We’ve also made substantial improvements to Microsoft Edge’s security with Windows 10:

  • The use of our AppContainer sandboxing technology enables us to isolate the browser from the rest of the OS, apps and user data.
  • A new plug-in model prevents plug-ins implemented with insecure designs from running.
  • New mitigations in ASLR and Control Flow Guard harden the browser against code injection and memory corruption attacks, helping to defeat common exploit techniques such as heap spraying and ROP.
  • Untrusted and malicious fonts served by web pages or embedded in documents are now blocked, and the font parsing code has been sandboxed.

The impact of these improvements has been profound. At this point we have no evidence of vulnerabilities discovered in Microsoft Edge being successfully exploited in the wild, which is due in part to the improvements above.

That’s great news for our users, but we’re not stopping there. With the Anniversary Update, we’re adding some great new capabilities that further raise the bar for attackers. First, we’re isolating Flash outside of the browser so that attacks targeting Flash vulnerabilities can be contained and are less likely to impact the browser and the rest of the system. Second, we’ve dramatically reduced the attack surface of Microsoft Edge and Internet Explorer by restricting their access to non-critical Windows subsystems.

When customers think about threat resistance, one of the first things that often comes to mind is an antimalware solution designed to detect viruses and spyware. To address these types of threats, Windows 10 includes Windows Defender, a robust enterprise-grade antimalware solution, which has been improved substantially in the Windows 10 Anniversary Update to address a threat landscape that has grown in both volume and effectiveness. The fruits of this ongoing multi-year effort are now visible in industry AV comparison tests, where Windows Defender’s scores have improved substantially over the last 12 months, reaching 99.8% detection in prevalence testing in April 2016, more than an 11 percent improvement year over year.

Identity Protection

Windows Hello is our in-box solution for multi-factor authentication, and for the Anniversary Update we are delivering two major improvements that will make these technologies easier for IT and users, and more capable for the broadest range of industry scenarios. We have fully integrated Windows Hello into one seamless stack. The integrated code base in Windows Hello will support the full range of biometric authentication factors and manage the user credentials used for authentication.

Today, Windows Hello requires enrollment of the user’s identity on each and every device they want to use. However, some organizations have requirements that prevent the enrollment of user credentials onto a PC or mobile device. Those users can now take advantage of Windows Hello Companion Devices and Apps, which enable the Windows Hello authentication factors and the credentials themselves to be distributed across devices in nearly any possible configuration. For instance, a user can now set up Windows Hello on a PC that isn’t equipped with a biometric sensor, and unlock it with biometrics enabled in wearables or enterprise-authorized companion devices, like phones or employee badges. The Windows Hello Companion Device and App framework enables companion devices to be built that can meet nearly any possible consumer or commercial scenario, and they can offer varying ranges of flexibility, enterprise security, and cost. Learn more about Identity Protection here.

Post-Breach Defense

With the Anniversary Update, we will launch a new service, Windows Defender Advanced Threat Protection (WDATP), that will help enterprises detect, investigate, and respond to advanced attacks on their networks. Building on the existing security defenses Windows 10 offers today, WDATP provides a new post-breach layer of protection to the Windows 10 security stack. With a combination of client technology built into Windows 10 and a robust cloud service, it will help detect threats that have made it past other defenses, provide enterprises with the information they need to investigate breaches across endpoints, and offer response recommendations. Learn more about Post-Breach Defense here.

Information Protection

Information protection is a top concern for organizations and with Windows 10 we’ve made some big investments. BitLocker provides customers with a full volume encryption solution that protects data even when devices are lost, stolen, or improperly disposed of. With Windows 10, BitLocker meets the requirements customers have been asking for, especially when it comes to enterprise management and single sign-on. As you plan your migration to Windows 10, take another look at BitLocker features for enterprises.
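As an added example (not code from the original post or from Microsoft), the following PowerShell script audits each volume’s BitLocker state with the BitLocker module that ships in Windows 10 (Get-BitLockerVolume). The compliance policy it applies to the OS volume, a TPM-bound unlock plus a recovery password that the organization can escrow, and the helper name Get-BitLockerPosture are this example’s own assumptions; run it in an elevated session.

```powershell
# Added example, not from the original post: audit BitLocker posture on the local device.
# Uses Get-BitLockerVolume from the built-in BitLocker module; requires elevation.

function Get-BitLockerPosture {
    # Hypothetical helper name chosen for this example.
    $osDrive = $env:SystemDrive      # e.g. 'C:'

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # RecoveryPassword, ExternalKey and Password.
        $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings   = New-Object System.Collections.Generic.List[string]

        # A volume only protects data at rest once encryption has completed.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)")
        }
        # Suspended protection leaves the volume key stored in the clear on disk.
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add('protection is off or suspended')
        }

        if ($vol.MountPoint -eq $osDrive) {
            # Example policy for the OS volume (this example's assumption, not a Microsoft
            # requirement): unlock bound to the TPM, and a recovery password present so the
            # organization can escrow it for lost-device or failed-boot recovery.
            if (-not ($protectors | Where-Object { $_ -like 'Tpm*' })) {
                $findings.Add('no TPM-bound key protector')
            }
            if ($protectors -notcontains 'RecoveryPassword') {
                $findings.Add('no recovery password protector')
            }
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($protectors -join ', ')
            Compliant        = ($findings.Count -eq 0)
            Findings         = ($findings -join '; ')
        }
    }
}

Get-BitLockerPosture | Format-Table -AutoSize
```

A device with BitLocker never enabled still appears in the output, with VolumeStatus FullyDecrypted and no protectors, so the same report serves both as a pre-migration inventory and as a post-deployment check.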

We’re also focused on delivering data leak prevention capabilities in the platform, and we’re excited to share that Windows Information Protection, formerly referred to as enterprise data protection, is shipping in the Anniversary Update. WIP will provide our customers with a solution that is easy to deploy and use that separates business and personal information, provides containment to help prevent accidental leaks and unauthorized access by users and applications, and enables organizations to wipe business data on demand. Unlike other solutions, there’s no need for mode-switching, as Windows Information Protection is fully integrated into the platform with minimal user disruption. Other Microsoft products like Office ProPlus and our new Azure Information Protection service also take advantage of Windows Information Protection to help protect your business information and give you a more holistic solution. Learn more about Information Protection here.

Compliance and Certification

Microsoft has a long history of pursuing security certifications for our products, especially for Windows. Two certifications that we always seek independent review of are Common Criteria (CC) and the Federal Information Processing Standards (FIPS) for the United States. Securing these helps ensure quick review and processing of regional certifications in other countries. Windows 10 has secured certifications for all previous releases, and the certification process for the upcoming Anniversary Update will proceed immediately upon release. Learn more about the Common Criteria and FIPS compliance and certification process here.

So there you have it. With the Windows 10 Anniversary Update, we’ve added even more innovations to the existing security capabilities in Windows 10. As always, many of these innovations were based on feedback from you and our many other Windows Insiders, but we are also continually pushing the envelope when it comes to internal planning on how to keep our customers safe. It starts with a thoughtful end-to-end approach that builds bottom-up from the architecture, thinks side-to-side across attack scenarios and critical assets, and is holistic and programmatic about the realities of our modern hostile landscape. This allows us both to address successful attacks when they happen and to innovate rapidly for better security in the future.

We encourage you and your organizations to upgrade to Windows 10 to take advantage of all of the security capabilities that are offered today.
