Halt Hackers: Do these tricks still work in Windows 10?


1 Halt Hackers: Do these tricks still work in Windows 10?
BRK3072, 9/12/2018 11:25 PM
Erdal Ozkaya, Raymond Comvalius
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Warning!
This presentation contains occasional bad language and subject matter that some may find disturbing, and some information which you should not use in live environments without permission.

3 Tweet to WIN
@Erdal_Ozkaya @nextxpert #MSignite

4 Erdal Ozkaya - Microsoft
- Cybersecurity Architect
- Charles Sturt University (Australia) PhD candidate
- Master of IT Security & Master of Computing Research
- MCT, MCSE, MCP...
- ISO27001, ISO30000, ISO20000
- CEH, C|CISO, LPT, ENSA
- Author of courseware for many security certifications

5 Cybersecurity: Attack and Defense Strategies
Yuri Diogenes, Erdal Ozkaya
Enhance your organization's secure posture by improving your attack and defense strategies.

6 Raymond Comvalius - www.nextxpert.com
- Independent trainer/architect since 1998
- Most Valued Professional (MVP)
- Microsoft Certified Trainer (MCT)
- Author of "Windows 7 for XP Professionals"

7 https://haveibeenpwned.com/
Last year

8 Last week

9 Just watch the news..

10 Too much to deal with
Multi-factor authentication, data encryption, user accounts, device log-ins, user log-ins, malware, unauthorized data access, attacks, phishing, denial of service, spam, system updates, enterprise security

11 You can't defeat the threats of the present with tools from the past
Photo credit: Wikimedia, cannon from Galera Forte

12 Anatomy of a Ransomware Attack
- Prepare (software vendor): attackers compromised the software update infrastructure for the MEDoc financial application
- Enter (device): trojanized MEDoc update installed, launching malicious code
- Traverse (network & identity): multiple techniques used to spread rapidly: MS vulnerability (released March 2017); credential theft and impersonation
- Execute: encrypted the MFT, making systems unbootable; cleared Windows event logs; other potential actions?

13 Observations & Challenges
Threats increasing in volume and sophistication:
- Attacker business models evolve to maximize attacker return on investment (ROI)
- Attack automation and evasion techniques evolve along multiple dimensions
- Variations, to avoid traditional defenses
Can't stop all attacks:
- Must balance investments across prevention, detection, and response
- Prevention investments must be focused on real-world attacks
- Deep host detection is critical
Integration is required, but complex and costly:
- Threat detection requires context from diverse signal sources and high volumes of data
- Efficient operations require integration of tools and technology like machine learning
- Manage challenges with normalizing, prioritizing, and staleness
- Integration into monitoring tools consumes valuable resources across different toolsets
Requires a blend of human expertise and technology:
- Need human expertise, adaptability, and creativity to combat human threat actors
- Effectiveness requires expertise on threat actors, platforms, and technology
- Difficult to hire people with deep expertise; growing the skillset takes a long time

14 Measuring security success by measuring cost of attack
Security Return on Investment (SROI):
- Defender investment: security budget, team time/attention
- Defender return: ruin attacker ROI; deters opportunistic attacks, slows or stops determined attacks
- Attacker investment: cost of attack; prioritizing defense can rapidly raise attacker costs
- Attacker return: successful attacks; difficult to influence attacker monetization of your data

15 Threat Protection Lifecycle
1 Threat Prevention -> 2 Threat Detection and Response -> 3 Lessons Learned
Goal: increase attacker cost as rapidly and efficiently as possible
Strategic imperatives:
1. Prevent as many threats as possible (best security ROI when available)
2. Rapidly detect and respond (highest coverage of assets/scenarios)
3. Continually apply learnings (continuous attack cost increase)
Committed to your success: accelerate your ability to manage threats by providing secure platforms and products, security capabilities, services, and recommendations

16 1. Prevent as many threats as possible
Prevention raises attacker costs without 24x7 monitoring, but it can't block all attacks; detection & response has to cover the rest.
Recommended strategy:
- Preventive controls for each attack phase
- Enable TPM hardware assurances when available
- Adopt containment strategies extensively (network, host, app, data, & identity)
- Integrate context and intelligence
Key lessons learned:
- Leverage your "home field" advantage: attackers have a limited "key hole" view of your environment
- Security hygiene is critical: unpatched software and vulnerable configurations can undermine the value of many other investments

17 Increase attacker cost at each phase (Threat Prevention)
- Datacenter: enforce compliance (patches, AV, configuration, network); ransomware-resistant backups; shielded virtual machines (VMs)
- SQL data: database and column encryption; data masking
- Software as a Service: discover app usage; assess app risk; automatically block oversharing
- Documents: persistent encryption; tracking and revocation
- Endpoints: separation of corporate and personal data/apps; TPM hardware protection for OS and applications, credentials, browser, storage
- Productivity protection: multiple AV engines; time-of-click protection; attachment detonation
- Identity systems: multi-factor authentication; conditional access to resources by host health/integrity and normal date/time/place

18 Legacy Windows vs Windows 10 security
Capability | Legacy Windows | Windows 10
Endpoint detection & response (EDR) | 3rd party | Windows Advanced Threat Protection
Anti-malware | Windows Defender | Windows Defender
Exploit mitigations | Add-on tool (EMET) | Exploit Guard
Data isolation | 3rd party | Windows Information Protection
Application whitelisting | AppLocker | AppLocker, Device Guard
Browser isolation | 3rd party | Application Guard
Volume encryption | BitLocker | BitLocker
Credential isolation | N/A | Credential Guard
Foundation | TPM hardware | Virtualization-based security, TPM hardware

19 2. Rapidly Detect and Respond
Attacker decision cycle: Observe, Orient, Decide, Act

20 Attack timeline (slide from Microsoft Ignite 2015)
- Research and preparation, then first host compromised; domain admin compromised within 24–48 hours; attacker undetected (data exfiltration) for more than 200 days* before the attack is discovered (*varies by industry)
- Attacks not detected: current detection tools miss most attacks; you may be under attack (or compromised)
- Target AD and identities: Active Directory controls access to business assets; attackers commonly target AD and IT admins
- Response and recovery: response requires advanced expertise and tools; expensive and challenging to successfully recover
- Attack sophistication: attack operators exploit any weakness; target information on any device or service

21 Threat Resistance and Identity Protection
- Threat overview: overview; security guidelines
- Windows 10 threat resistance: Exploit Guard; OS vulnerability mitigations; capabilities and mitigations; Microsoft Edge; Windows Defender Application Guard; Windows Defender AV; Device Guard; Windows Defender Advanced Threat Protection
- Windows 10 identity protection: Windows 10 identity goal; Windows Hello for Business; Credential Guard; Remote Credential Guard
- Supporting technologies on premises and in the cloud: Local Administrator Password Solution (LAPS); Privileged Access Workstations; Azure Active Directory Identity Protection; Cloud App Security and Microsoft 365 Advanced Security Management

22 Windows 7 security features
Pre-breach: device protection, threat resistance, identity protection, information protection
Post-breach: breach detection, investigation & response
Features: BitLocker, BitLocker to Go, SmartScreen

23 Windows 10 security features
Pre-breach: device protection, threat resistance, identity protection, information protection
Post-breach: breach detection, investigation & response
Features: UEFI Secure Boot, Windows Trusted Boot, Trusted Signals, Device Guard, Application Guard, Exploit Guard, Microsoft Edge, SmartScreen, Windows Defender, Windows Hello :), Conditional Access, Credential Guard, BitLocker, BitLocker to Go, Windows Information Protection, Windows Defender Advanced Threat Protection

24 Threat Overview
Does your situation look like this?
- Users use e-mail, open attachments and click links without caution
- Employees run applications, even unsigned apps
- We want to stop malicious code running on devices
- We want to stop stolen-password abuse
- It is hard to keep up with the current threat landscape and the latest OS security features
- We do not want the threat actor to propagate compromise across member servers and workstations, but we are not sure how to start
Threat scenarios:
1. Threat actor targets employee(s) through phishing campaigns
2. Users open attack e-mails, often being navigated to malicious sites to download code
3. Users run malicious code and the OS is compromised
4. Threat actor extracts credentials
5. Threat actor abuses stolen password
6. Threat actor propagates compromise across member servers and workstations
7. Threat actor accesses cloud resources in Software as a Service (SaaS) applications with stolen user identity

25 End to End Protection
Pre-breach (off machine / on machine) and post-breach (off machine):
- Windows Defender Exploit Guard (HIPS): Attack Surface Reduction (set of rules to customize the attack surface); Controlled Folder Access (protecting data against access by untrusted processes); Exploit Protection (mitigations against exploits); Network Protection (blocking outbound calls to low-reputation sources)
- Locked-down device (hardened platform): Windows 10 S; Device Guard
- Windows Defender Antivirus (AV): improved ML and heuristic protection; instantly protected with the cloud; enhanced exploit kit detections
- O365 (e-mail): reducing attack vector; advanced sandbox detonation; exploit mitigation
- OneDrive (cloud storage): reliable versioned file storage in the cloud; point-in-time file recovery
- Windows Defender Antivirus behavioral engine (behavior analysis): enhanced behavioral and machine learning detection library; process tree visualizations; artifact searching capabilities; memory scanning capabilities
- Windows Defender ATP (Advanced Threat Protection): enhanced behavioral and machine learning detection library; process tree visualizations; artifact searching capabilities; machine isolation and quarantine
- App Guard (virtualization-based security): app isolation
- Antimalware Scan Interface (script-based detection): improved detection of script-based attacks; AMSI for VBS/JS script runtime
- Edge (browser): browser hardening; reduced script-based attack surface; app container hardening; reputation-based blocking for downloads
- Application Control (whitelist executables): only allowed apps can run

26 Old rules still apply
The most secure environments follow the "least privilege" principle.

27 Identity Protection

28 Credential Guard and VBS
- Credential Guard uses virtualization-based security (VBS) to isolate Windows authentication from the Windows operating system
- Protects the LSA service (LSASS) and derived credentials (Kerberos tickets, NTLM hashes)
- Fundamentally breaks derived-credential theft with tools such as Mimikatz
Diagram: the Windows operating system (Apps, Windows Platform Services, Kernel) and the System Container (Credential Guard, Trustlet #2, Trustlet #3, Kernel) run side by side on the hypervisor above the device hardware

29 Deployment Considerations
Requirements:
- Windows 10 Enterprise x64 Edition
- UEFI firmware and Secure Boot
- TPM 2.0 (TPM 1.2 can be used but is not recommended)
- Virtualization-capable hardware
- Physical device
- Firmware updated for the Secure MOR implementation
- Optionally, a VT-d or AMD-Vi IOMMU (input/output memory management unit)
Impacts: Credential Guard does not allow
- Unconstrained Kerberos delegation
- NTLMv1, MS-CHAPv2, Digest, CredSSP, Kerberos DES encryption
- Saved passwords in Remote Desktop
- Some hardware and drivers may not work; investigate and test before rollout
Deployment:
- Check the IT environment; typically start with a new environment of standard users, or administrator workstations, for example
- Credential Guard policies are ignored on incompatible hardware

30 Implementing Credential Guard
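Before the policy goes out, a practitioner wants to know whether the hardware in the fleet meets the requirements on slide 29 and, afterwards, whether Credential Guard is actually running rather than merely configured. The script below is an added example written for this transcript, not code from the session or from Microsoft. It reads the standard WMI classes (Win32_OperatingSystem, Win32_Processor, Win32_Tpm, Win32_DeviceGuard) and shows the registry values the "Turn On Virtualization Based Security" Group Policy writes; the function names are mine.

```powershell
# Added example, not from the session. Pre-flight check against the Credential Guard
# requirements on slide 29, then the status that the Win32_DeviceGuard WMI class
# reports once the policy has been applied. Run from an elevated PowerShell prompt.

function Get-CredentialGuardReadiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS firmware, which fails
    # the UEFI requirement as well, so the catch leaves $secureBoot at $false
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # TPM spec version string looks like "2.0, 0, 1.38"; the slide recommends 2.0 over 1.2
    $tpm = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    [pscustomobject]@{
        Edition                  = $os.Caption
        Is64Bit                  = $os.OSArchitecture -like '64*'
        SecureBootEnabled        = [bool]$secureBoot
        TpmSpecVersion           = $tpmSpec
        TpmRecommended           = ($tpmSpec -eq '2.0')
        # Reports $false once Hyper-V owns the CPU, so treat it as a firmware-level hint only
        VirtualizationInFirmware = [bool]$cpu.VirtualizationFirmwareEnabled
    }
}

function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # 0 = VBS off, 1 = enabled but not running, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        # Service ids: 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
        # 1 base virtualization, 2 Secure Boot, 3 DMA protection, 4 Secure Memory Overwrite,
        # 5 NX protections, 6 SMM mitigations, 7 mode-based execution control
        AvailableProperties       = ($dg.AvailableSecurityProperties -join ',')
    }
}

function Enable-CredentialGuardRegistry {
    # The registry values the "Turn On Virtualization Based Security" Group Policy writes.
    # Prefer the GPO or MDM in production; this shows what it does underneath. Reboot required.
    param(
        [switch]$RequireDmaProtection,   # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA
        [switch]$UefiLock                # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock
    )
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures -Value $(if ($RequireDmaProtection) { 3 } else { 1 }) -Type DWord
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $(if ($UefiLock) { 1 } else { 2 }) -Type DWord
}

Get-CredentialGuardReadiness
Get-CredentialGuardStatus
```

The distinction between SecurityServicesConfigured and SecurityServicesRunning is the one worth watching in a rollout: on the incompatible hardware slide 29 warns about, the policy is configured but never runs, and only the second list tells you so. The UEFI lock stops an administrator from turning Credential Guard off remotely, which is the point, but it also means a later decision to disable it needs physical presence at the machine.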

31 Multifactor Authentication
One authenticator is not always enough. Based on Windows Hello for Business we have:
- PIN
- Fingerprint
- Face recognition
- Trusted signals (e.g. phone proximity and network location)
Create your N-factor logon policy; it must at least contain the PIN.

32 N-Factor Logon Policy Example
Example 1:
- Group 1: PIN
- Group 2: Trusted signal (phone)
- Result: PIN AND Phone
Example 2:
- Group 1: PIN, Fingerprint
- Group 2: Trusted signal (phone), Fingerprint
- Result: (PIN AND BT Phone) OR (FP AND BT Phone) OR (FP AND PIN)

33 Implementing N-Factor Logon
Credential provider | GUID
PIN | {D D2F-4EB2-B FA96B}
Fingerprint | {BEC09223-B D-A0AC B639F5}
Face recognition | {8AF662BF-65A0-4D0A-A540-A338A999D36F}
Trusted signals | {27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}
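Slides 32 and 33 together define the policy model: two groups of credential providers, one factor from each group, and the two factors must be different providers. The script below is an added example written for this transcript (not from the session) that computes the accepted combinations for any pair of groups and emits the comma-separated GUID lists the "first/second unlock factor credential providers" policy settings take. The PIN and fingerprint GUIDs are garbled in this transcript; the values used here are the credential provider GUIDs Microsoft publishes for multifactor unlock, stated from the documentation rather than from this page. The function names and the Bluetooth signal rule are mine; tune the rule's class-of-device and RSSI values to your phones.

```powershell
# Added example, not from the session. Models the N-factor unlock policy from slide 32:
# the user must present one provider from group A and a different provider from group B.

# Credential provider GUIDs as published by Microsoft for multifactor unlock
# (the PIN and Fingerprint entries are garbled on the slide; these are the published values)
$CredentialProviders = @{
    PIN           = '{D6886603-9D2F-4EB2-B667-1971041FA96B}'
    Fingerprint   = '{BEC09223-B018-416D-A0AC-523971B639F5}'
    Face          = '{8AF662BF-65A0-4D0A-A540-A338A999D36F}'
    TrustedSignal = '{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}'
}

function Get-UnlockFactorCombinations {
    # Cartesian product of the two groups, minus pairs that reuse the same provider,
    # de-duplicated so (PIN, Fingerprint) and (Fingerprint, PIN) count once.
    param(
        [Parameter(Mandatory)][string[]]$GroupA,
        [Parameter(Mandatory)][string[]]$GroupB
    )
    $combos = foreach ($a in $GroupA) {
        foreach ($b in $GroupB) {
            if ($a -ne $b) { ($a, $b | Sort-Object) -join ' AND ' }
        }
    }
    $combos | Sort-Object -Unique
}

function New-UnlockFactorPolicy {
    param(
        [Parameter(Mandatory)][string[]]$GroupA,
        [Parameter(Mandatory)][string[]]$GroupB
    )
    foreach ($name in ($GroupA + $GroupB)) {
        if (-not $CredentialProviders.ContainsKey($name)) { throw "Unknown credential provider: $name" }
    }
    # Slide 31: the policy must at least contain the PIN
    if ($GroupA -notcontains 'PIN' -and $GroupB -notcontains 'PIN') {
        throw 'At least one group must contain the PIN provider.'
    }
    [pscustomobject]@{
        FirstFactorProviders  = ($GroupA | ForEach-Object { $CredentialProviders[$_] }) -join ','
        SecondFactorProviders = ($GroupB | ForEach-Object { $CredentialProviders[$_] }) -join ','
        AcceptedCombinations  = Get-UnlockFactorCombinations -GroupA $GroupA -GroupB $GroupB
    }
}

# Phone-proximity trusted signal, in the shape the "signal rules for device unlock"
# setting takes (assumed example values; classOfDevice 512 = phone, RSSI thresholds in dBm)
$PhoneProximityRule = @'
<rule schemaVersion="1.0">
  <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
</rule>
'@

# Slide example 1 -> PIN AND TrustedSignal
New-UnlockFactorPolicy -GroupA 'PIN' -GroupB 'TrustedSignal'
# Slide example 2 -> Fingerprint AND PIN, Fingerprint AND TrustedSignal, PIN AND TrustedSignal
New-UnlockFactorPolicy -GroupA 'PIN', 'Fingerprint' -GroupB 'TrustedSignal', 'Fingerprint'
```

The second call reproduces the slide's three-way result and makes the design trade-off visible: putting Fingerprint in both groups does not let a fingerprint alone unlock the device, because the same-provider pair is excluded, but it does let a fingerprint stand in for either the PIN or the phone. Whichever groups you choose, the PIN stays in one of them so a user whose phone is dead or whose sensor fails is not locked out.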

34 N-Factor Login Logging

35 N-Factor Unlock on Windows 10
Demo

36 Device Lock down

37 End to End Protection (same overview as slide 25)

38 Device Guard in the Windows Security Stack
Layer | Protected by
ROM/fuses, bootloaders | Platform Secure Boot (includes secure firmware updates)
Native UEFI | UEFI Secure Boot
Windows OS Loader, Windows kernel and drivers, 3rd-party drivers | Kernel Mode Code Integrity (KMCI)
User-mode code (apps, etc.) | User Mode Code Integrity (UMCI), AppLocker

39 Device Guard vs AppLocker
Functionally they look alike, a little bit:
Device Guard | AppLocker
User mode & kernel mode | User mode
System-wide | User/group addressable
Admin cannot circumvent | Admin can circumvent
Admin cannot always disable | Admin can always disable
Requires specific hardware | Runs on all Windows hardware

40 Code Integrity
Protects against unsigned code and new malware. Two primary components:
- Kernel Mode Code Integrity (KMCI), as in previous versions of Windows
- User Mode Code Integrity (UMCI), new in Windows 10 v1607 and Windows Server 2016; no security-related hardware required
Catalog files:
- Use catalog files when you have unsigned applications
- Sign your own applications with the catalog file

41 Device Guard with Virtualization Based Security
Diagram: the Windows operating system (Apps, Windows Platform Services, Kernel) and the System Container (Device Guard, Trustlet #2, Trustlet #3) run side by side on the Hyper-V hypervisor above the device hardware

42 Planning for Device Guard
- Kernel Mode CI is the default
- Code Integrity in User Mode?
- Virtualization Based Security: virtualization and IOMMU; Microsoft Hyper-V hypervisor
- Driver compatibility
- Signing the CI policy

43 Device Guard Logging
Can be used as input for a new CI policy
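Slides 40 through 43 describe the Device Guard planning loop: start with kernel-mode CI, decide on UMCI, sign the policy, and use the audit log to refine it. The script below is an added example written for this transcript, not from the session or from Microsoft, showing that loop with the ConfigCI cmdlets that ship in Windows 10: a baseline policy from a reference machine, a second policy generated from the Code Integrity audit events (the slide 43 point), a merge, and the audit-to-enforce switch via rule option 3. The working folder and file names are assumptions.

```powershell
# Added example, not from the session. Turns Code Integrity audit events into rules for a
# new CI policy (slide 43) and walks the audit -> enforce switch. Run from an elevated prompt.

$Work = 'C:\CIPolicy'   # assumed working folder
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Baseline from a clean reference machine: publisher rules for signed binaries,
#    hash rules as the fallback for unsigned ones, user-mode PEs included (UMCI, slide 40).
New-CIPolicy -ScanPath 'C:\' -Level Publisher -Fallback Hash -UserPEs -FilePath "$Work\Baseline.xml"

# 2. Rules from what actually ran while the baseline was in audit mode: -Audit reads
#    Microsoft-Windows-CodeIntegrity/Operational, where event 3076 means "would have been blocked".
New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath "$Work\FromAudit.xml"

# 3. Merge, and keep audit mode (rule option 3) until the log goes quiet; deleting the
#    option turns the same policy into an enforcing one.
Merge-CIPolicy -PolicyPaths "$Work\Baseline.xml", "$Work\FromAudit.xml" -OutputFilePath "$Work\Merged.xml"
Set-RuleOption -FilePath "$Work\Merged.xml" -Option 3            # Enabled:Audit Mode
# Set-RuleOption -FilePath "$Work\Merged.xml" -Option 3 -Delete  # enforcement

# 4. Binary policy. Deploy it with the "Deploy Windows Defender Application Control" Group
#    Policy setting, or copy it to $env:windir\System32\CodeIntegrity\SIPolicy.p7b and reboot.
#    Slide 42's "signing the CI policy" happens on this XML before conversion (signtool), so
#    that a local administrator cannot simply replace the file.
ConvertFrom-CIPolicy -XmlFilePath "$Work\Merged.xml" -BinaryFilePath "$Work\SIPolicy.p7b"

function Get-CodeIntegrityEvents {
    # 3076 = audit (would be blocked), 3077 = blocked under enforcement
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Outcome'; e = { if ($_.Id -eq 3076) { 'Audit' } else { 'Blocked' } } },
            Message
}

# How much noise is left before enforcing?
Get-CodeIntegrityEvents | Group-Object Outcome | Select-Object Name, Count
```

Running the merged policy in audit mode for a few weeks and re-running step 2 against the new events is the loop slide 43 is pointing at. The "admin cannot circumvent" row of slide 39 only holds once the XML is signed before conversion; an unsigned policy can be replaced by anyone who can write to System32\CodeIntegrity.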

44 App Guard

45 Microsoft Edge: Designed for Secure Browsing
Microsoft Edge is the most secure browser Microsoft has ever shipped.
Objective: keep our customers safe when browsing the web
Strategy: make it difficult and costly for attackers to find and exploit vulnerabilities in Microsoft Edge
Tactics:
- Eliminate vulnerabilities before attackers can find them
- Break exploitation techniques used by attackers
- Contain the damage when vulnerabilities are discovered
- Prevent navigation to known exploit sites

46 Microsoft Edge security improvements
- Before: the Microsoft Edge browser (Edge content process, Flash host process) had full access to win32k.sys in the Windows kernel
- Today: Microsoft Edge and Flash no longer have full access to win32k.sys; API calls are filtered into blocked and allowed win32k.sys interfaces
- Only 40% of interfaces are available to Flash and Edge, reducing attack surface: 60% less surface area of attack on a highly targeted library
- Flash Player moved into its own AppContainer
- Working directly with Adobe to harden Flash Player to be resistant to vulnerability exploits

47 Hardware isolation with Windows Defender Application Guard
Diagram: the Windows operating system (Apps, Windows Platform Services, Kernel), the Windows Defender Application Guard container (Microsoft Edge, Windows Platform Services, Kernel) and the System Container (Critical System Processes, Kernel) run as separate partitions on the Hyper-V hypervisor above the device hardware

48 App Guard Demo

49 Requirements for Application Guard
Windows 10 Enterprise RS3
Hardware | Description
CPU | 64-bit, Intel VT-x or AMD-V support
Memory | 8 GB minimum, 16 GB recommended
Hard disk | 5 GB free space, SSD recommended
Input/Output Memory Management Unit (IOMMU) support | Highly recommended

50 Planning Windows Defender App Guard
- Standalone mode: users manually launch App Guard
- Enterprise-managed mode: automatically launches App Guard for non-trusted sites, using policy-defined lists of trusted boundaries: private network ranges; enterprise resource domains in the cloud; other trusted domains

51 Installing Windows Defender App Guard
Turn on the Windows feature in the UI, or use PowerShell:
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard

52 Configure App Guard Enterprise-managed Mode
Use Group Policy or MDM. Network isolation settings:
- Private network ranges for apps
- Enterprise resource domains hosted in the cloud
- Domains categorized as both work and personal

53 Configure App Guard Enterprise-managed Mode
Application-specific settings:
- Clipboard settings
- Print settings
- Block enterprise websites from loading non-enterprise content in IE and Edge
- Allow persistence
- Turn Windows Defender Application Guard (WDAG) on/off

54 WDAG: What running in a container means
You are super secure!
- Separate favorites list
- No file download
- No extensions
- No copy/paste by default; configure to allow text and/or image copy
- No printing by default; configure to allow local/remote printing or PDF/XPS
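Slides 51 through 54 describe enabling Application Guard and then deciding, per setting, how much of the container's default isolation to give back (clipboard, printing, persistence). The script below is an added example written for this transcript, not from the session or from Microsoft: it enables the feature with the slide's command, reads back the enterprise-managed-mode configuration, and flags settings that widen the container. The Network Isolation value names are the ones the Windows Information Protection / network isolation Group Policy writes; the value names under the AppHVSI key are assumptions taken from the Application Guard policy templates and should be confirmed with gpresult on your build.

```powershell
# Added example, not from the session. Enables Windows Defender Application Guard and
# reports the enterprise-managed-mode configuration from slides 52-54.

# Feature enablement, as on slide 51 (a reboot is needed before the container can start)
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart

function Get-ApplicationGuardConfiguration {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    # Trusted boundaries shared with Windows Information Protection (Group Policy location)
    $ni = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation' -ErrorAction SilentlyContinue
    # Application Guard settings; value names assumed from the policy templates, verify with gpresult
    $ag = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        FeatureState              = $feature.State
        # Anything outside these lists opens in the container
        EnterpriseCloudResources  = $ni.EnterpriseCloudResources
        EnterpriseIPRange         = $ni.EnterpriseIPRange
        EnterpriseNetworkDomains  = $ni.EnterpriseNetworkDomainNames
        NeutralResources          = $ni.NeutralResources            # "both work and personal"
        # Container behaviour; unset means the most restrictive default from slide 54
        ClipboardSettings         = $ag.AppHVSIClipboardSettings     # 0 off, 1 container->host, 2 host->container, 3 both
        ClipboardFileType         = $ag.AppHVSIClipboardFileType     # 1 text, 2 image, 3 both
        PrintingSettings          = $ag.AppHVSIPrintingSettings      # bitmask: 1 XPS, 2 PDF, 4 local printers, 8 network printers
        AllowPersistence          = $ag.AllowPersistence             # 1 = container data survives sessions
        BlockNonEnterpriseContent = $ag.BlockNonEnterpriseContent    # 1 = enterprise sites cannot load outside content
    }
}

function Test-ApplicationGuardHardening {
    # Lists the ways the configuration widens the container's default isolation
    $cfg = Get-ApplicationGuardConfiguration
    $findings = @()
    if ($cfg.FeatureState -ne 'Enabled') {
        $findings += 'Application Guard feature is not enabled'
    }
    if (-not $cfg.EnterpriseCloudResources -and -not $cfg.EnterpriseIPRange -and -not $cfg.EnterpriseNetworkDomains) {
        $findings += 'No trusted boundaries defined; enterprise-managed mode has nothing to decide with'
    }
    if ($cfg.ClipboardSettings -band 1) {
        $findings += 'Clipboard copy from container to host is allowed (exfil path out of the container)'
    }
    if ($cfg.PrintingSettings -band 12) {
        $findings += 'Printing to local or network printers from the container is allowed'
    }
    if ($cfg.AllowPersistence -eq 1) {
        $findings += 'Container persistence is on; cookies and downloads survive between sessions'
    }
    if ($findings.Count -eq 0) { 'Container keeps its default isolation' } else { $findings }
}

Get-ApplicationGuardConfiguration
Test-ApplicationGuardHardening
```

Each finding corresponds to one of the slide 54 defaults that a setting on slide 53 can relax. The container-to-host clipboard direction is the one to be most deliberate about: host-to-container lets a user paste a URL into the isolated browser, while container-to-host is the path by which untrusted content comes back onto the device.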

55 Windows Defender Exploit Guard

56 End to End Protection (same overview as slide 25)

57 Windows Defender Network Protection
- Like SmartScreen, but beyond IE and Edge
- Blocks applications from accessing suspicious locations over HTTP and HTTPS
- Runs on all Windows 10 SKUs
- Requires Windows Defender AV

58 Configure Windows Defender Network Protection
Enable Network Protection with:
- PowerShell: Set-MpPreference -EnableNetworkProtection Enabled
- MDM CSP: ./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection
- Group Policy: Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection > Prevent users and apps from accessing dangerous websites

59 Logging Network Protection
Event ID | Description
5007 | Settings were changed
1125 | Rule fired in audit mode
1126 | Rule fired in block mode

60 Windows Defender Network Protection
Demo
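Slides 58 and 59 give the switch and the three event IDs; what a practitioner wants in between is a staged rollout: audit first, look at what would have been blocked, then enforce. The script below is an added example written for this transcript, not from the session or from Microsoft. It uses the documented Set-MpPreference values (AuditMode before Enabled) and reads the Windows Defender operational log for the IDs on slide 59; the function names and the regex used to pull the destination out of the message text are mine.

```powershell
# Added example, not from the session. Staged rollout of Network Protection: audit mode,
# review of the slide 59 events, then enforcement. Requires Windows Defender AV (slide 57).

# Stage 1: audit only. Hits are logged as event 1125 but connections are not blocked.
Set-MpPreference -EnableNetworkProtection AuditMode

function Get-NetworkProtectionEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126, 5007    # audit hit, block hit, settings changed
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { switch ($_.Id) { 1125 { 'Audit' } 1126 { 'Block' } 5007 { 'ConfigChange' } } } },
            Message
}

function Get-NetworkProtectionSummary {
    # Counts audit/block hits per destination so a noisy legitimate service stands out
    # from the one-off hits before you flip the switch to Enabled.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-NetworkProtectionEvents -Since $Since |
        Where-Object { $_.Id -in @(1125, 1126) } |
        ForEach-Object {
            # The destination is in the message text; a regex pull keeps this independent of
            # the event's property ordering (assumed parsing approach)
            $dest = if ($_.Message -match '(https?://[^\s"]+)') { $matches[1] } else { '(not in message)' }
            [pscustomobject]@{ Mode = $_.Mode; Destination = $dest }
        } |
        Group-Object Mode, Destination |
        Select-Object Count,
            @{ n = 'Mode';        e = { $_.Values[0] } },
            @{ n = 'Destination'; e = { $_.Values[1] } } |
        Sort-Object Count -Descending
}

Get-NetworkProtectionSummary

# Stage 2: once the audit findings are understood, enforce (the change itself logs a 5007)
# Set-MpPreference -EnableNetworkProtection Enabled

# Effective setting: 0 = Disabled, 1 = Enabled, 2 = AuditMode
(Get-MpPreference).EnableNetworkProtection
```

The 5007 events are worth alerting on in their own right: a change from Enabled back to Disabled on an endpoint that policy says should be enforcing is either an administrator working around a problem or something that has gained administrative rights on the box, and both deserve a look.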

61 Defending against vulnerability exploits with EMET
- EMET provides tactical mitigations against vulnerabilities for Windows 7, 8, and 10
- Standalone version end of life scheduled for July 31, 2018
- EMET's functionality is now integrated into Windows 10 Fall Creators Update (RS3)
- Functional parity with the EMET features that provide durable security benefits and don't have known bypasses
- Includes PowerShell management and Windows Defender ATP integration

62 Process Mitigations from EMET to Windows 10
- Control Flow Guard (CFG)
- Arbitrary Code Guard (ACG)
- Disable Extension Points
- Do Not Allow Child Processes
- Data Execution Prevention (DEP)
- Block Low Integrity Images
- Validate Image Dependency Integrity
- Validate Stack Integrity
- Validate Exception Chain (SEHOP)
- Block Untrusted Fonts
- Export Address Filtering (EAF and EAF+)
- Import Address Filtering (IAF)
- Validate Heap Integrity
- Code Integrity Guard
- Validate API Invocation (CallerCheck)
- Simulate Execution (SimExec)
- Force Randomization for Images (Mandatory ASLR)
- Randomize Memory Allocations (Bottom-Up ASLR)
- Disable Win32k System Calls
- Validate Handle Usage

63 Configuring Process Mitigations
Windows Defender is not required!
Windows Defender Security Center UI
PowerShell
Option to import EMET settings
Export to XML for: Group Policy, Mobile Device Management, Configuration Manager

64 Logging Process Mitigation
Each mitigation triggers an event
Events occur both in audit and enforcement mode
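The configuration and logging slides above name the PowerShell surface, the EMET import and the XML export without showing them together. This added example (not code from the deck) walks that path for a hypothetical legacy binary: per-application mitigations with one audit-only filter, explicit system defaults, conversion and import of an existing EMET policy, export of the resulting configuration for Group Policy or MDM, and a query of the Security-Mitigations logs where mitigation hits are recorded. The application name and the XML paths are placeholders. Run elevated on Windows 10 1709 or later; Windows Defender AV does not need to be the active antivirus for any of this.

```powershell
# Added example (not from the slides): manage Exploit Protection, the in-box EMET
# successor, end to end from PowerShell. oldviewer.exe and C:\Temp\*.xml are placeholders.

$app = 'oldviewer.exe'   # mitigations are keyed by image name, not full path

# 1. Per-application mitigations for a 32-bit legacy app. Mandatory ASLR and
#    bottom-up ASLR are scoped to this app because forcing them system-wide breaks
#    unsigned DLLs that were not linked with /DYNAMICBASE. EAF is enabled in audit
#    only so a false positive is logged instead of terminating the process.
Set-ProcessMitigation -Name $app -Enable DEP, SEHOP, ForceRelocateImages, BottomUp, `
    DisallowChildProcessCreation, AuditEnableExportAddressFilter

# 2. Make the system-wide baseline explicit so it survives as policy rather than as
#    an assumed default (these are the Windows 10 defaults; stating them pins them).
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy, CFG

# 3. Read back the effective per-app settings (shows both policy and audit state).
Get-ProcessMitigation -Name $app

# 4. The slide's "import EMET settings": convert an exported EMET XML, then apply it.
#    Review Converted.xml before step 4b; EMET rules that have no in-box equivalent
#    are dropped during conversion, so the result is not a 1:1 copy.
ConvertTo-ProcessMitigationPolicy -EMETFilePath 'C:\Temp\EMET_Config.xml' `
    -OutputFilePath 'C:\Temp\Converted.xml'
Set-ProcessMitigation -PolicyFilePath 'C:\Temp\Converted.xml'

# 5. Export everything currently configured, ready for Group Policy
#    (Use a common set of exploit protection settings), Intune or ConfigMgr.
Get-ProcessMitigation -RegistryConfigFilePath 'C:\Temp\ExploitProtection.xml'

# 6. Mitigation hits: user-mode and kernel-mode channels of the Security-Mitigations
#    log. Audit-mode hits land here too, which is what the logging slide promises.
$logs = 'Microsoft-Windows-Security-Mitigations/UserMode',
        'Microsoft-Windows-Security-Mitigations/KernelMode'
Get-WinEvent -FilterHashtable @{ LogName = $logs; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LogName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Font-blocking and the ROP mitigations (CallerCheck, SimExec, stack pivot) are the exceptions to step 6: they report through the Win32k and WER-Diag operational logs respectively, so a collector built on the Security-Mitigations channel alone will miss them.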

65 Process Mitigation Ecosystem
[Diagram: configuration flows in from the WDSC UI, PowerShell, MDM/Group Policy, XML and middleware; when app.exe hits a mitigation the result goes to the Event Log and to Windows Defender ATP; RecommendedSettings.xml feeds the configuration sources]

66 Process Mitigations Demo

67 Controlled Folder Access
Very useful to protect from ransomware
Blocks suspicious programs from writing in protected folders
Runs in all Windows 10 SKUs
Requires Windows Defender AV
Works best with Windows Defender ATP

68 Configuring Controlled Folder Access
Configure from:
Windows Defender Security Center app
Group Policy: Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access > Configure Controlled Folder Access
PowerShell: Set-MpPreference -EnableControlledFolderAccess Enabled

69 Logging Controlled Folder Access
Event ID  Description
5007      Event when settings are changed
1124      Audited Controlled Folder Access event
1123      Blocked Controlled Folder Access event
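The three Controlled Folder Access slides above cover the requirement (Windows Defender AV), the switch and the event IDs. The following added example, not code from the deck, ties them together the way a deployment would: it checks the prerequisite the slide states, enables audit mode, adds a custom protected folder and a trusted writer, then aggregates the 1123/1124 events by process so the allow list can be built from evidence before switching to block. The folder path, the backup agent path and the "Process Name:" field name parsed from the event message are assumptions. Run elevated.

```powershell
# Added example (not from the slides): audit-first Controlled Folder Access rollout.
# 'D:\Finance' and 'C:\Program Files\AcmeBackup\backup.exe' are placeholders.

# 0. The slide's prerequisite: Windows Defender AV must be active with real-time
#    protection on, otherwise Set-MpPreference succeeds but nothing is enforced.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw 'Controlled Folder Access requires Windows Defender real-time protection.'
}

# 1. AuditMode: would-be blocks are logged as 1124 but writes still succeed.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect a share beyond the default user profile folders, and trust the one
#    non-Microsoft process that legitimately writes there. Allowed applications are
#    matched by full path, so a ransomware sample dropped elsewhere gains nothing.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\AcmeBackup\backup.exe'

# 3. Verify the effective configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications

# 4. Review the audit window: which processes would have been blocked, and how often.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124, 5007        # 1123 block, 1124 audit, 5007 settings changed
    StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Id -in 1123, 1124 } |
    ForEach-Object {
        # Assumption: the event message carries a 'Process Name:' field naming the writer.
        if ($_.Message -match 'Process Name:\s*(?<proc>[^\r\n]+)') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1123) { 'Block' } else { 'Audit' }
                Process = $Matches.proc.Trim()
            }
        }
    } |
    Group-Object Process |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 5. After the allow list is complete, enforce:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Treat every process in the audit summary as either a candidate for the allow list or a finding to investigate; an unsigned binary running from a user's temp directory that touches D:\Finance is exactly what block mode exists to stop.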

70 Controlled Folder Access
Demo

71 To Make You Feel Secure Windows “Defender” is Always There 

72 Mitigation Strategy – Key Components
Exploit mitigation: mitigate software vulnerabilities that allow worms and attackers to enter and/or traverse an environment
Business Continuity / Disaster Recovery (BC/DR): rapidly resume business operations after a destructive attack
Lateral Traversal / Securing Privileged Access: mitigate the ability to traverse (spread) using impersonation and credential theft attacks
Attack Surface Reduction: reduce critical risk factors across all attack stages (prepare, enter, traverse, execute)

73 Summary Follow the basic Security Principles
Follow the basic security principles
Make sure to enable the security features in Windows 10
Download the Exploit Guard Evaluation Package
Use Windows Event Forwarding to help with intrusion detection
Keep in mind everyone can get hacked, even "small businesses"
Keep in mind we can help proactively or reactively via Microsoft Cybersecurity Services

74 Everyone who tweets will win
@Erdal_Ozkaya @nextxpert #MSignite

75 Please evaluate this session
From your PC or tablet: visit MyIgnite
Phone: download and use the Microsoft Ignite mobile app
Your input is important!


