
Security Highlights of Windows 10


On November 20, 2015 the Department of Defense (DoD) Chief Information Officer (CIO) published a memo on the subject of “Migration to Windows 10 Secure Host Baseline”[1]. This memo serves as notification that the DoD CIO will direct Combatant Commands, Services, Agencies, and Field Activities to rapidly deploy Windows 10 in their organizations, beginning in January 2016. The DoD CIO has requested that senior technology leaders across the DoD examine the costs and benefits of moving to Windows 10, and target completing the deployment by January 2017. Formal product evaluations and operational guidance efforts also support this move. In February 2016, Windows 10 completed a Common Criteria (CC) evaluation against the NIAP General Purpose Protection Profile[2]. This evaluation provides assurance that Windows 10 includes security features that address the most serious network threats, and that these features are properly implemented. NIST FIPS 140-2 validation of the cryptographic modules in Windows 10 is currently expected to complete in March 2016. Deployment resources such as the Secure Host Baseline (SHB)[3] provide a hardened operational configuration for Windows 10 and common application software. This allows for deployments that are already compliant with common security baselines.

This document provides a high-level description of new security features in Windows 10 for senior technology leaders. It describes how these features disrupt attacker tools, techniques, and procedures used against National Security Systems today.

Requirements

To take full advantage of the security enhancements provided by Windows 10, there are certain software, hardware, and firmware requirements that must be met.

- The operating system must be the 64-bit Enterprise Edition of Windows 10.
- The hardware must support memory virtualization (Intel VT-x/AMD-V) and Second Level Address Translation (Intel EPT/AMD-RVI), or SLAT.
- Device virtualization (IOMMU, Intel VT-d/AMD-Vi) should be supported by the hardware.
- The firmware must be based on the Unified Extensible Firmware Interface (UEFI), rather than legacy Basic Input Output System (BIOS). UEFI must also be running in native UEFI mode instead of legacy compatibility mode.
- The firmware must support Secure Boot, and Secure Boot must be enabled.
- A version 1.2 or later Trusted Platform Module (TPM) should be enabled.

Security Highlights of Windows 10:

Virtualization-Based Security (VBS): Through the use of Hyper-V and hardware protections, Windows 10 protects critical operating system security components from attacks by compromised processes. VBS requires the features outlined in the requirements at the beginning of this factsheet.

Credential Guard: Credential Guard employs VBS to protect memory access of the Local Security Authority Subsystem Service (LSASS), where certain types of credentials used by Windows authentication mechanisms are stored. This feature addresses credential theft from memory, which is a common technique used in attacks such as Pass-the-Hash or Pass-the-Ticket.
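The following PowerShell check is an added example, not part of the NSA factsheet. It verifies the hardware and firmware requirements listed at the beginning of this factsheet on the host it runs on, and then reads what the Device Guard WMI provider reports about VBS and Credential Guard, so an administrator can see whether the protections are actually running rather than merely configured. The property names come from Get-ComputerInfo, Win32_Tpm and Win32_DeviceGuard; the pass/fail logic and the output object are this example's own.

```powershell
# Added example (not from the NSA factsheet): checks the VBS prerequisites listed
# in the factsheet and reports whether VBS and Credential Guard are running.
# Run in an elevated PowerShell session on the Windows 10 host being assessed.

function Get-VbsReadiness {
    $info = Get-ComputerInfo

    # 1. 64-bit Enterprise edition
    $osOk = ($info.OsArchitecture -eq '64-bit') -and
            ($info.WindowsProductName -like '*Enterprise*')

    # 2. Hardware virtualization (VT-x/AMD-V) and SLAT (EPT/RVI).
    #    These Hyper-V requirement fields are $null when a hypervisor is already
    #    running (for example VBS itself), so $null means "cannot determine", not "no".
    $vtOk   = $info.HyperVRequirementVirtualizationFirmwareEnabled
    $slatOk = $info.HyperVRequirementSecondLevelAddressTranslation

    # 3. UEFI firmware in native mode (legacy BIOS or CSM mode reports as 'Bios')
    $uefiOk = ($info.BiosFirmwareType -eq 'Uefi')

    # 4. Secure Boot enabled (Confirm-SecureBootUEFI throws on a non-UEFI system)
    try   { $secureBootOk = Confirm-SecureBootUEFI }
    catch { $secureBootOk = $false }

    # 5. TPM present, enabled and activated; SpecVersion shows 1.2 or 2.0
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmOk = ($null -ne $tpm) -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue
    $tpmVersion = if ($tpm) { $tpm.SpecVersion } else { 'none' }

    # 6. What the Device Guard provider says about VBS.
    #    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #    SecurityServicesRunning: 1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity
    #    AvailableSecurityProperties: 1 = base VBS, 2 = Secure Boot, 3 = DMA protection (IOMMU)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Os64BitEnterprise  = $osOk
        VirtualizationInFw = $vtOk
        Slat               = $slatOk
        UefiNative         = $uefiOk
        SecureBoot         = $secureBootOk
        TpmReady           = $tpmOk
        TpmSpecVersion     = $tpmVersion
        IommuDmaProtection = ($dg.AvailableSecurityProperties -contains 3)
        VbsStatus          = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardOn  = ($dg.SecurityServicesRunning -contains 1)
        HvciOn             = ($dg.SecurityServicesRunning -contains 2)
    }
}

Get-VbsReadiness | Format-List
```

A host that meets every requirement but still shows VbsStatus 0 has the hardware for VBS and simply has not had it turned on by policy; a host with VbsStatus 2 but CredentialGuardOn false is running the hypervisor without the LSASS isolation the factsheet describes, which is the case worth chasing down first.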

Device Guard: Device Guard expands the use of cryptographic code integrity, first introduced in Windows Vista, by enforcing policies under which all executed code is cryptographically verified and integrity checked to determine what is and is not allowed to run. Device Guard is an ideal solution for enforcing policy on a hardened administrator workstation.
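As an added example (not from the NSA factsheet or from Microsoft's own guidance), the script below shows how the policy enforcement described above is built in practice: a code integrity policy is generated from a reference administrator workstation, placed in audit mode so that violations are only logged, and compiled into the binary form the kernel consumes. The cmdlets are from the ConfigCI module that ships with Windows 10 Enterprise; the file paths are placeholders chosen for this example.

```powershell
# Added example (not from the NSA factsheet): build a Device Guard code integrity
# policy from a reference workstation and start it in audit mode.
# Assumes an elevated session on Windows 10 Enterprise with the ConfigCI module.
# The paths below are illustrative placeholders.

$PolicyXml = 'C:\CIPolicy\AdminWorkstation.xml'
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# Scan the reference image and generate allow rules at the Publisher level:
# a binary is allowed when it is signed by a publisher already present on the
# reference machine. -UserPEs includes user-mode executables, not only drivers;
# -Fallback Hash covers unsigned files the scan finds. Warnings go to $null.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $PolicyXml `
             -UserPEs -ScanPath 'C:\' 3> $null

# Rule option 3 = "Enabled:Audit Mode". Binaries outside the policy still run, but
# each one is recorded in the Microsoft-Windows-CodeIntegrity/Operational log, so
# the policy can be tuned before it blocks anything.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Compile the XML into the binary policy. Deploying it means copying the .p7b to
# C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and rebooting; moving from audit to
# enforcement later is "Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete"
# followed by recompiling.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Review what was generated before deploying: the number of file rules and the
# signers the policy trusts. Anything unexpected here is a reason to rescan.
[xml]$policy = Get-Content -Path $PolicyXml
"File rules: $($policy.SiPolicy.FileRules.ChildNodes.Count)"
$policy.SiPolicy.Signers.Signer | Select-Object ID, Name
```

Audit mode first is the important step: a policy built from a single machine almost always misses legitimately used binaries, and the audit log is what turns the first draft into a policy that can be enforced on the hardened administrator workstation without locking the administrator out.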

Control Flow Guard (CFG): CFG mitigates exploits that rely on certain types of Return-Oriented Programming (ROP) by preventing abuse of indirect function calls at runtime: before an indirect call is made, the target address is verified to be a valid function entry point. Windows 10 and the latest versions of Windows applications from Microsoft have been compiled to take advantage of CFG. Third-party application developers should enable CFG protections to take advantage of this new anti-exploitation protection.

U/00/800406-16 Security Highlights of Windows 10

Microsoft Edge: As a replacement for Internet Explorer (IE), Windows 10 ships with a new default web browser, Microsoft Edge. Edge contains most functionality of IE, but with a significantly reduced attack surface. Edge runs in a more restricted sandbox, greatly limiting what an attacker can do in the event of a compromise. Microsoft Edge also supports HTTP Strict Transport Security (HSTS), which protects against TLS downgrade attacks and cookie hijacking.

Enhanced Windows Defender: Windows Defender now runs as a protected process, providing protection from other potentially compromised system components, and will consult a Microsoft cloud reputation service for unknown files. Additionally, Defender analyzes network traffic for malicious behavior.

Improved Event Logging: Windows 10 introduces a number of new events and improves existing events to include more information, providing better documentation of actions taken on the system. This increases an administrator’s ability to identify malicious activity.

Untrusted Font Blocking: Windows 10 added a new Group Policy option that allows administrators to control loading of untrusted fonts. When enabled, this policy ensures that only fonts from a protected location can be loaded by the operating system and its applications. Additionally, Windows 10 includes the Usermode Font Driver Host, which moves a significant amount of font parsing code to a lower privileged sandboxed context, reducing the usefulness of malicious fonts for privilege escalation attacks.
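To make the event logging improvement concrete, here is an added example (not from the NSA factsheet) that reads process creation events (Security log, event ID 4688) and pulls out the fields Windows 10 populates, including the parent process name that Windows 10 added to this event and the full command line. It assumes the "Audit Process Creation" subcategory and the "Include command line in process creation events" policy are enabled on the host; without them the query returns nothing or an empty CommandLine. The function name, the interpreter list and the review filter at the end are this example's own.

```powershell
# Added example (not from the NSA factsheet): read 4688 process-creation events and
# expose the richer Windows 10 fields (parent process, command line) for review.
# Assumes process creation auditing and command-line logging are enabled.

function Get-ProcessCreationEvents {
    param(
        [int]$MaxEvents = 200,
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The rendered message is positional; the event XML carries each field by name.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Process     = $d['NewProcessName']
                Parent      = $d['ParentProcessName']   # new in Windows 10
                CommandLine = $d['CommandLine']         # needs the command-line policy
            }
        }
}

# Review: script and shell interpreters launched by an Office application are a
# classic sign of a malicious document and are worth an analyst's attention.
$interpreters = 'powershell.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe', 'mshta.exe'
Get-ProcessCreationEvents |
    Where-Object {
        ($interpreters -contains (Split-Path $_.Process -Leaf)) -and
        ((Split-Path $_.Parent -Leaf) -match '^(winword|excel|powerpnt|outlook)\.exe$')
    } |
    Format-Table Time, User, Parent, CommandLine -AutoSize -Wrap
```

Before Windows 10, a 4688 event told the administrator that an interpreter started and under which account; the parent field is what lets the same event say who started it, which is the difference between noise and an alert.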

Improved Health Attestation Service: Windows 8.1 introduced the Health Attestation Service, but Windows 10 has greatly improved it. This service allows the operating system to do a system health check (including the status of features such as Secure Boot, DEP, BitLocker, AV status, and patches) with the cloud before gaining access to internal resources.

Microsoft Passport: Microsoft Passport (also called Next Generation Credentials) is a new authentication scheme meant to replace the standard user name and password combination. In Windows Passport, a user enrolls their device with a TPM to store a cryptographic credential, and uses a PIN or biometric for authentication. DoD configuration guidance allows for the use of Windows Passport with a 6 digit PIN. This is a first step toward replacing traditional passwords within the DoD.

Antimalware Scan Interface (AMSI): The AMSI is a vendor agnostic interface that allows the operating system to interact with installed antimalware products through a universal mechanism. For example, PowerShell, VBScript, and JScript engines now automatically submit script content to AMSI prior to execution, which provides antimalware products the ability to scan unobfuscated versions of code. Microsoft Office also leverages AMSI to scan documents for embedded malware and malicious macros. By default, Windows Defender is the AMSI provider on Windows 10.
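Because AMSI only protects a host when some antimalware product has registered as its provider, a verification step belongs in any deployment checklist. The following is an added example, not from the NSA factsheet: it enumerates the provider CLSIDs registered under HKLM\SOFTWARE\Microsoft\AMSI\Providers and resolves each to its COM class name and in-process DLL, so an administrator can confirm that Windows Defender (or a third-party product) is actually the AMSI provider on the host. The function name is this example's own.

```powershell
# Added example (not from the NSA factsheet): list the antimalware products that have
# registered as AMSI providers on this host. On a default Windows 10 install the
# result should include the Windows Defender provider.

function Get-AmsiProvider {
    $providerRoot = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -Path $providerRoot)) {
        Write-Warning 'No AMSI providers are registered: script content is not being scanned.'
        return
    }
    Get-ChildItem -Path $providerRoot | ForEach-Object {
        # Each subkey is the CLSID of a COM class implementing IAntimalwareProvider.
        $clsid  = $_.PSChildName
        $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name   = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
        $dll    = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Clsid       = $clsid
            Name        = $name
            ProviderDll = $dll
            DllPresent  = if ($dll) { Test-Path -Path ([Environment]::ExpandEnvironmentVariables($dll)) } else { $false }
        }
    }
}

Get-AmsiProvider | Format-Table -AutoSize
```

A provider entry whose DLL is missing, or an empty Providers key, means the script engines described above are still handing content to AMSI but nothing is inspecting it; that state is silent to the user and only visible through a check like this one.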

Windows as a Service: With Windows 10, Microsoft introduced a new update strategy, focusing on significantly reducing the amount of time before new security features are released. In previous versions of Windows, security features were often only released with new releases or service packs, a process that could span multiple years. Now, when features are ready for release, they may be included in patches, ensuring the operating system is always using the latest advancements in exploit mitigation and adversarial detection.

[1] “DoD CIO Memo – Migration to Microsoft Windows 10 Secure Host Baseline” [Online]. Available: http://www.esi.mil/contentview.aspx?id=658
[2] “NIAP General Purpose Operating System Protection Profile” [Online]. Available: https://www.niap-ccevs.org/pp/PP_OS_v4.0
[3] “Secure Host Baseline (SHB)” [Online]. Available: https://disa.deps.mil/ext/cop/iase/dod-images/Pages/index.aspx

NSA Information Assurance Mission, 9800 Savage Rd, Ft. Meade, MD 20755-6704, https://www.iad.gov