By: Andy Sherman on July 11th, 2016
Windows 10 Security: The Good, the Bad, & the Ugly
There’s a lot of buzz around Windows 10 security. For example, Infoworld dubs Windows 10 as “the most secure Windows ever.” Although that sounds like the hype cycle at work, in fact, some of the new security features in Windows 10 are game changers that will help change the balance of power between enterprise customers and the perpetrators of Advanced Persistent Threats (APT). There’s also at least one monstrously bad idea baked into Windows 10, and the usual collection of features where we think the default behavior is too open and should be modified.
Note that many of the new features in Windows 10 require hardware support, such as virtualization support, the Trusted Platform Module (TPM), and the Unified Extensible Firmware Interface (UEFI). That could impose a cost on enterprise upgrades, although the required hardware features have been in business class machines for some time.
1. Device Guard
It is almost a truism of security these days that the best way to protect a system from malware is to ensure that only authorized executables can be started by the operating system. However, application whitelisting can be cumbersome and a nightmare to manage.
Enter the security model that has been so successful at keeping malware out of Apple’s iOS mobile and OSX desktop operating systems: executable signing. While Windows already required signed code for installing drivers in the kernel, a new technology, Device Guard, allows the enterprise to specify code integrity polices for both kernel and user code. In simplest terms, the enterprise can require that both kernel mode code (drivers) and user mode code (applications) be signed with certificates trusted by the Enterprise.
Best of all, Device Guard uses virtualization based security (VBS) to ensure that the security decision is not executed by either user mode or kernel mode code, but rather in a separate virtual container dedicated to Device Guard. This means that the security policies behind Device Guard cannot be compromised by either kernel or user mode code, since the separation is enforced by the hypervisor.
By configuring your system to only run trusted code, you have raised the bar for malware writers. By and large, their code is not signed, and they don’t have access to the kind of credentials required to sign trusted code. Device Guard will go a long way towards keeping most zero-day attacks from succeeding, and it has the potential to reduce the overhead required for whitelisting.
2. Credentials Guard
Ordinarily, user secrets, such as keys, passwords, and derived security objects (such as Kerberos tickets), are stored in a process called the Local Security Authority (LSA). Compromise of the LSA by threat actors can expose user and system credentials, allowing for impersonation of the user through Pass-the-Hash or Pass-the-Ticket attacks. A new technology in Windows 10, Credentials Guard, uses VBS to isolate the LSA’s credentials container in a separate virtual container managed by the hypervisor. There is no direct user or kernel mode access to the isolated LSA container (LSAiso), only remote procedure calls. The LSAiso container has no device drivers, just the small collection of operating system binaries required to service the RPC calls. Those binaries must be signed with a certificate trusted by VBS or they won’t run. As an additional security improvement, LSAiso blocks the use of older insecure versions of security objects, such as NTLMv1, MS-CHAPv2, or Kerberos tickets using weak ciphers such as DES. It has been notoriously difficult to drive some of these broken protocols out of the environment; Credentials Guard can block their use with hardware enforcement of the rules even if domain controllers are still configured to issue them.
3. Hardware and Software Requirements
Device Guard and Credentials Guard will not run on your legacy hardware, as significant support is required. In addition to requiring Windows 10 Enterprise, the following support is required:
- UEFI firmware version 2.3.2 or higher and Secure Boot
- Virtualization extensions
- Intel VT-x or AMD-V
- Second Level Address Translation
- Firmware lock
- X64 architecture
- A VT-d or AMD-Vi IOMMU (input/output memory management unit)
- Trusted Platform Module (TPM) version 1.2 or 2.0
- Secure firmware update process
- Physical PC (for Credentials Guard)
Device Guard and Credentials Guard can be enabled and managed by Group Policy and System Center Configuration Manager.
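Once the policy has been pushed, you still want to confirm that VBS, Device Guard code integrity and Credentials Guard are actually running and not merely configured. The following is an added example, not code from the article; it reads the Win32_DeviceGuard WMI class that Windows 10 Enterprise exposes, and the function names are my own.

```powershell
# Added example (not from the article): audit whether VBS, Device Guard code integrity
# (HVCI) and Credential Guard are configured and actually running on this machine.
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsState = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }

    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $services = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }

    # AvailableSecurityProperties: what the hardware and firmware can support
    # (1 = VBS base, 2 = Secure Boot, 3 = DMA protection/IOMMU, 4 = secure memory
    # overwrite, 5 = NX, 6 = SMM mitigations, 7 = mode-based execution control)
    $props = @{ 1 = 'VBS'; 2 = 'SecureBoot'; 3 = 'DmaProtection'; 4 = 'SecureMemoryOverwrite'
                5 = 'NX'; 6 = 'SmmMitigations'; 7 = 'MBEC' }

    [pscustomobject]@{
        VbsStatus            = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        HardwareCapabilities = @($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] })
        ServicesConfigured   = @($dg.SecurityServicesConfigured  | ForEach-Object { $services[[int]$_] })
        ServicesRunning      = @($dg.SecurityServicesRunning     | ForEach-Object { $services[[int]$_] })
    }
}

# Compliance check: both services must be running, not just configured by policy.
function Test-GuardsEnforced {
    param([Parameter(Mandatory)] $Status)
    $required = 'CredentialGuard', 'HVCI'
    $missing  = $required | Where-Object { $Status.ServicesRunning -notcontains $_ }
    if ($missing) {
        # Typical causes are the hardware items listed above: Secure Boot off, VT-x/AMD-V
        # or SLAT disabled in firmware, or no IOMMU (DmaProtection absent from capabilities).
        Write-Warning ("Not running: {0}. Hardware capabilities: {1}" -f `
            ($missing -join ', '), ($Status.HardwareCapabilities -join ', '))
        return $false
    }
    return $true
}

$status = Get-VbsStatus
$status | Format-List
Test-GuardsEnforced -Status $status
```

Run this as part of the post-deployment check on each hardware model; a machine where the services are configured but not running is one where the GPO applied but the firmware prerequisites did not.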
The Bad
The feature you really need to disable is Wi-Fi Sense, which was part of Windows Phone 8 and is now active for all Windows 10. We suggest turning it off with a GPO. Wi-Fi Sense basically crowd-sources Wi-Fi credentials among social networks and automatically uses them (if you enable every option). It does require the user to be logged in with a Microsoft account. Note that even though your enterprise machines will be joined to a domain, users might still log into their Microsoft account for a variety of reasons. If a user is logged in to Microsoft and has Wi-Fi Sense enabled, then every time they log into a Wi-Fi access point for the first time and enter a password, Wi-Fi Sense will ask them if they want to share it with their contacts. If they answer yes, then any of their contacts on Outlook.Com, Skype, or (optionally) Facebook will be able to log into that access point.
There are two options for using Wi-Fi Sense shared credentials. The first is whether or not to automatically join suggested open hotspots, meaning hotspots with no password. The other is whether or not to automatically join Wi-Fi networks shared by their contacts.
This is a terrible security model. Do you really want to have your corporate devices (not to mention your personal ones) automatically join a Wi-Fi network just because somebody in your social graph once did? Do you trust their judgment that you are not going to get hacked, eavesdropped on, or worse to join the network without even asking? Or do you want your corporate devices to automatically join an open network? While circumstances may force a user to do so, it should be a conscious choice, not something that happens automatically.
We recommend that you turn off Wi-Fi Sense. On personal devices, turn it off and leave it off. On corporate devices, lock it off with Group Policy.
From the standpoint of the owners of access points, the Wi-Fi Sense security model is infuriating. When you let somebody join your network, that is a privilege extended to one person, not their entire social network. The access point owner is, by default, not given a choice about whether or not their credentials will be shared. There is an opt-out mechanism, but it’s not pretty. You have to rename your network’s SSID to include the string “_optout” anywhere in the name. We recommend that you do that. On company networks, you would actually be better off using 802.1x to use individual credentials, such as a certificate, to authenticate users and log them into the network. That would protect you against Wi-Fi Sense since it only shares pre-shared keys, not individual logins. As an added benefit, you don’t have to agonize about whether or not to change the Wi-Fi password when somebody leaves the firm – you just revoke that user’s credentials as part of your termination process.
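The two Wi-Fi Sense switches described above map to two machine-wide policy values, which is what a GPO sets. The following added example (not code from the article) audits and enforces them on a single machine, for instance on the golden image or to detect drift; the PolicyManager paths are the locations the "WLAN Settings" Group Policy writes to, and the function names are my own.

```powershell
# Added example (not from the article): audit and enforce the two Wi-Fi Sense switches.
# Run elevated; in production push the same values with Group Policy.
$WiFiSensePolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi'

# Setting name => value that disables it (each key holds a DWORD named 'value')
$WiFiSenseSettings = [ordered]@{
    'AllowWiFiHotSpotReporting'           = 0   # do not share credentials with contacts
    'AllowAutoConnectToWiFiSenseHotspots' = 0   # do not auto-join open or shared hotspots
}

function Get-WiFiSenseState {
    foreach ($name in $WiFiSenseSettings.Keys) {
        $path    = Join-Path $WiFiSensePolicyKey $name
        $current = (Get-ItemProperty -Path $path -Name 'value' -ErrorAction SilentlyContinue).value
        $shown   = if ($null -eq $current) { 'not set (feature allowed)' } else { $current }
        [pscustomobject]@{
            Setting   = $name
            Current   = $shown
            Compliant = ($current -eq $WiFiSenseSettings[$name])
        }
    }
}

function Disable-WiFiSense {
    foreach ($name in $WiFiSenseSettings.Keys) {
        $path = Join-Path $WiFiSensePolicyKey $name
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'value' -PropertyType DWord `
                         -Value $WiFiSenseSettings[$name] -Force | Out-Null
    }
}

# Access-point side: Wi-Fi Sense skips any network whose SSID contains "_optout".
function Test-SsidOptedOut {
    param([Parameter(Mandatory)][string] $Ssid)
    return $Ssid -like '*_optout*'
}

Get-WiFiSenseState | Format-Table -AutoSize   # audit before
Disable-WiFiSense
Get-WiFiSenseState | Format-Table -AutoSize   # both rows now show Compliant = True
Test-SsidOptedOut -Ssid 'CorpGuest_optout'    # True
```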
The Ugly (Well, not really, but I couldn't resist.)
Like every Windows release, or every OS release for that matter, Windows 10 has a number of features and default settings that you should consider changing. In making these recommendations, we are assuming that all of your endpoints are being built from an enterprise image and additional software is managed with a systems management package such as SCCM, SMC, or something similar. We also assume that the settings you decide to use will be locked down with group policy objects.
1. Microsoft Store
App Stores are a great idea for consumer devices. Assuming they are properly curated, they give users a trustworthy place from which to download and install applications. For enterprise devices, though, an external App Store, no matter how secure, represents a loss of control of what software is authorized to be used in your enterprise. We recommend that you disable the Store by group policy. This will force your users to follow your established procedures for having new applications installed on their devices.
Note that future releases may allow for enterprise stores. If so, you can revisit this decision then.
2. Cortana
Cortana is Microsoft’s personal digital assistant, competing with Apple’s Siri and Google Now. Cortana is slick, but its continuous improvement in speech recognition and personalization stores a lot of information about you and your history in the cloud. (Note that this requires the user to be signed in with a Microsoft ID to work.) Your enterprise needs to decide if Cortana is useful to your business, and useful enough to be worth the risk. If the answer is no, disable it with group policy. If the answer is no, except for a subset of users, disable it by default and enable it for a particular security group.
3. Input Personalization
In addition to the personalization data that Microsoft maintains for voice input to Cortana, it also can learn about your typing and mistyping habits to personalize your experience. The problem is that while Windows 10 doesn’t have a keylogger per se, a lot of what you type ends up going across the network and being analyzed and stored in the cloud. Some authors suggest that this is a problem if the data you handle (and type) is in scope for the Health Insurance Portability and Accountability Act (HIPAA), or other privacy-related laws and regulations (e.g., Gramm-Leach Bliley, Sarbanes-Oxley, attorney-client privilege, etc.). It is not at all clear whether identifying information is scrubbed from what Microsoft stores or whether it is done locally or in the cloud. If you are regulated, you would be safest to turn off all personalization, even though that is implicitly a decision to disable Cortana.
4. Edge Browser
The default browser in Windows 10 is Microsoft’s new Edge browser. The good news is that Microsoft has finally developed a successor to Internet Explorer. Reviews suggest that it is extremely fast and more standards compliant than IE. On the downside, it does not yet support browser extensions, so you might want to use another default browser until Edge is more ready for prime time. As with any browser in your environment, you should set policy for things like “Do Not Track,” cookie acceptance, predictive browsing, and the like. In addition, Edge has Cortana personalization built in. For the same reasons as above, if you are turning off personalization for privacy reasons, be sure to turn it off for Edge as well.
5. Diagnostic Tracking
To their credit, Microsoft works hard to improve their product. When things go wrong, like an application or system hang or crash, Windows (and Office) default behavior is to send a lot of diagnostic information back to Microsoft. The problem is that the diagnostic dump can include information that should never leave your enterprise. For example, if an Office application crashes, the diagnostics can include the documents or spreadsheets you had open. If you are turning off other forms of tracking or personalization, turn this one off too. Set “Feedback Frequency” to “never” and the Diagnostic and Usage data to “basic.”
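Items 1 through 5 above all come down to Group Policy settings, and it is useful to keep them as one declarative baseline that can be audited as well as applied. The following added example (not code from the article) does that by writing to the machine-wide policy hive the corresponding GPO settings use; the setting names and values are the standard ones for those policies, the function names are my own, and the Edge entry covers only “Do Not Track” since the remaining browser settings depend on your own policy decisions.

```powershell
# Added example (not from the article): a declarative privacy/lockdown baseline for the
# Store, Cortana, input personalization, Edge Do Not Track and diagnostic data settings.
# Requires elevation; in production the same values belong in a GPO.
$Baseline = @(
    # Item 1: Microsoft Store -> "Turn off the Store application" = enabled
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore';           Name='RemoveWindowsStore';             Value=1 }
    # Item 2: Cortana -> "Allow Cortana" = disabled
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Name='AllowCortana';                   Value=0 }
    # Item 3: typing/inking data -> "Allow input personalization" = disabled
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization';   Name='AllowInputPersonalization';      Value=0 }
    # Item 4: Edge -> "Configure Do Not Track" = enabled
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main';     Name='DoNotTrack';                     Value=1 }
    # Item 5: diagnostic data -> "Allow Telemetry" = 1 (Basic); feedback prompts suppressed
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name='AllowTelemetry';                 Value=1 }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name='DoNotShowFeedbackNotifications'; Value=1 }
)

function Test-Baseline {
    # Reports each setting's current value and whether it matches the baseline.
    foreach ($s in $Baseline) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = "$($s.Path)\$($s.Name)"
            Expected  = $s.Value
            Current   = $current
            Compliant = ($current -eq $s.Value)
        }
    }
}

function Set-Baseline {
    # Creates any missing policy keys and writes each value as a REG_DWORD.
    foreach ($s in $Baseline) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord `
                         -Value $s.Value -Force | Out-Null
    }
}

Test-Baseline | Format-Table -AutoSize                  # audit first
Set-Baseline
Test-Baseline | Where-Object { -not $_.Compliant }      # prints nothing once compliant
```

Keep the audit function in your monitoring: a setting that drifts back to "not set" on a domain-joined machine means the GPO is no longer applying, which is worth knowing before the data leaves.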
6. Non-Enterprise Apps
Windows 10 (like Windows 8 before it) contains a lot of “modern” apps that are installed and enabled by default. These apps are attached to tiles on the screen, which means that a lot of compute and network resources will be consumed in keeping them up to date. You should decide which you won’t be using and uninstall them (using PowerShell commands) from your golden master image. Some of these apps are:
- 3D Builder
- Mail, Calendar, and People
- Windows "Get Started"
- Zune Music and Video apps
- Bing News, Finance, Weather, and Sports apps
- Windows Phone management app
- Microsoft Solitaire Collection
- Microsoft Photos
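The PowerShell removal mentioned above has two halves: de-provisioning the package so new user profiles do not receive it, and removing it from profiles that already exist on the image. The following is an added example, not code from the article; the package identifiers are the 2016-era names for the apps listed above and should be confirmed against Get-AppxProvisionedPackage on your own image, and the function names are my own.

```powershell
# Added example (not from the article): remove the listed built-in apps from a golden image.
# Run elevated on the image-build machine.
$AppsToRemove = @(
    'Microsoft.3DBuilder'                      # 3D Builder
    'microsoft.windowscommunicationsapps'      # Mail, Calendar, People
    'Microsoft.Getstarted'                     # Windows "Get Started"
    'Microsoft.ZuneMusic'                      # Zune/Groove Music
    'Microsoft.ZuneVideo'                      # Zune Video / Movies & TV
    'Microsoft.BingNews', 'Microsoft.BingFinance', 'Microsoft.BingWeather', 'Microsoft.BingSports'
    'Microsoft.WindowsPhone'                   # Windows Phone management
    'Microsoft.MicrosoftSolitaireCollection'   # Solitaire Collection
    'Microsoft.Windows.Photos'                 # Photos
)

function Remove-BundledApps {
    param([string[]] $Names = $AppsToRemove, [switch] $WhatIf)
    foreach ($name in $Names) {
        # 1. De-provision: stop the app being installed into every newly created profile.
        Get-AppxProvisionedPackage -Online |
            Where-Object DisplayName -eq $name |
            ForEach-Object {
                if ($WhatIf) { "Would de-provision $($_.PackageName)" }
                else { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null }
            }
        # 2. Uninstall from the profile used to build the image (the only one it should have).
        Get-AppxPackage -Name $name |
            ForEach-Object {
                if ($WhatIf) { "Would remove $($_.PackageFullName)" }
                else { Remove-AppxPackage -Package $_.PackageFullName }
            }
    }
}

# Verification: anything still provisioned from the list (empty when the image is clean).
function Get-BundledAppsPresent {
    Get-AppxProvisionedPackage -Online |
        Where-Object { $AppsToRemove -contains $_.DisplayName } |
        Select-Object DisplayName, PackageName
}

Remove-BundledApps -WhatIf     # dry run: shows what would be removed
Remove-BundledApps
Get-BundledAppsPresent         # expect no output
```

The dry run matters because the display names are matched exactly; a package renamed in a newer build will simply be skipped rather than removed, and the verification step shows it.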
7. Settings and More Settings
There are a lot of articles out there on how to secure Windows 10. A few that are of interest are:
- The Windows 10 Security Settings You Need to Know
- How to Secure Windows 10: The Paranoid's Guide
- Microsoft Windows 10: Three Security Features to Know About
Windows 10 has some exciting new security features that will help protect your enterprise from serious risks, such as zero-day attacks and Advanced Persistent Threats. Both Device Guard and Credentials Guard offer a tremendous reduction in attack surface. The Edge browser gives a glimpse of a future without all of the legacy of IE. But a lot of the slick new features in Windows 10 have default settings that are probably not appropriate in an enterprise environment. You need to be vigilant and balance the benefits of those behaviors against the risks as appropriate for your business and regulatory environment.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.