Since Windows 10 1709 Microsoft have added new features to improve the security of Windows 10 hugely and continued with these in the 1809 release and beyond. Windows 10 now has a secure linked chain of trust from power on right the way through to code execution in Windows, at each step up the chain the previously loaded code ensures the next piece is trusted and secure thus forming a securing chain which is very difficult to break into. For environments where security is very important such as Government, Healthcare and Banks, Microsoft recommend configuring these features to achieve a Secured-core PC setup.
These are hardware and software-based security features used to achieve a secure computing chain. The various sections are detailed below.
Create a hardware backed root of trust:
- Trusted platform module (TPM) 2.0 – To securely store encryption keys, certificates and passwords.
- Dynamic Root of Trust for Measurement (DRTM) achieved by enabling Secure launch (not supported with TPM 1.2) – This protects against bootkits or rootkits from allowing malicious code to load.
- System Management Mode (SMM) via System guard.
- Secure Boot – To ensure a trusted operating system bootloader is run.
- Memory Access protection (Kernel DMA protection) – This prevents the DMA-capable device from accessing other regions of memory and to steal the data contained in them. If a device’s driver supports memory isolation, Windows will allow the device to start and perform DMA to their isolated regions of memory.
Ensure strong code integrity:
- Enable HVCI (Hypervisor based code integrity).
Provide advanced identity verification and protection
- Enable Windows Hello.
Protect critical data if a device is lost, stolen or confiscated
- Enable BitLocker full disk encryption
- Enforce BitLocker encryption on removable media.
In addition to these settings to meet the Secured-Core standards, Microsoft introduced Virtualisation based security (VBS), Credential Guard and Device Guard, which later became the overarching name for two further technologies: Windows Defender Exploit Guard (HVCI) and Windows Defender Application Control (WDAC).
This utilises hardware-based virtualisation features to effectively run Windows as a VM and has a separate VM that runs a secure kernel to run authentication checks for Windows, so even if Windows is compromised, the authentication mechanisms and credentials aren’t. It is the underlying virtualisation platform on which Credential Guard and Device Guard rely. From 1903 this will be enabled by default on certain supported hardware.
Device Guard (DG)\WDAC
Uses Code Integrity to make sure only trusted applications are allowed to run. See it as an alternative or enhancement to run alongside AppLocker. It is more aligned to where hardware models, drivers and applications are relatively static and straightforward, and your rules can apply to all. AppLocker has much more manageability but I’m sure this will come to WDAC. You create a signed snapshot file that contains details of all the drivers and applications you allow to run. All others will be blocked (or logged, if enabled in logging mode). It requires Intel VT-x or AMD-V to be enabled to allow VBS to then be configured as well as UEFI mode and secure boot enabled.
Credential Guard (CG)
Protects against credential theft by using virtualisation-based security to isolate secrets so that only privileged system software can access them. Unauthorised access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential guard protects NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. Credential Guard requires TPM, VBS, UEFI and Secure boot.
Below are some useful links that will allow you to understand how these features work in depth and what they give you from an enhanced security standpoint. These features make Windows 10 hugely more secure in an era where security breaches are so commonplace.
The technologies above will not all run on all hardware, so you should check with your manufacturer for any limitations, ensure the latest firmware and drivers are used to make sure the most up to date features are available where possible.
Keep posted for part two for details on implementation guidance.