Windows Security Overview

-

In terms of security, we've come a long way since the days of Windows XP. Even compared to your typical Windows 7 Enterprise install just a few years ago there have been huge security advancements in the industry and specifically within Windows. Here is an overview of some of those improvements, and if this series is popular enough, I may do a deep-dive on some of the individual features in the future.

Secure Boot

Before ransomware became the go-to malware for bad actors, one of the popular, more sophisticated pieces of malware was the rootkit. This allowed code to be run in kernel mode within Windows effectively bypassing most antivirus software installed on the system. This also meant being capable of performing almost anything on the system without issue.

To mitigate this issue something was needed to verify that the bootloader run before Windows was legitimate. This is where Secure Boot fits into the Windows Security picture (though Secure Boot works with macOS and Linux computers as well). For more details, Microsoft has an interesting write-up directed to OEMs as the audience regarding Secure Boot.

The bootloader is signed using a trusted certificate. When this signature is checked during the startup process, if valid, the operating system is subsequently allowed to boot. The baton is then handed over to Trusted Boot.

Trusted Boot

Trusted Boot relies on a similar concept as Secure Boot in regards to digital signatures, but instead of the bootloader being signed, the signature is for the Windows kernel. This is verified as legitimate and the boot process continues.

Windows then verifies the subsequent steps in the boot-up process such as drivers.

Windows Security App

The Windows Security app was introduced in Windows 10. It consolidates management of several components in prior versions of Windows and adds additional features as well. 


Specifically, in the Windows Security app you can manage Windows Defender (Virus & Threat Protection), your Microsoft account (Account Protection), Windows Firewall (Firewall & Network Protection), and new features such as App & Browser Control and those found under Device Security.

Windows Defender

Windows Defender (renamed Microsoft Defender, but I'm sticking with the Windows Defender title for now) has been around for a while now, but Windows 10 gave it the kick it needed to be a full-fledged antivirus product. It can perform active protection against executables, downloads, etc., scheduled scans, and of course manual scans on the entire system or just individual files.

It's not as good as many of the third party applications available, but it's far better than nothing.

Note that this is not the same as Microsoft Defender for Endpoint. Microsoft Defender for Endpoint is an enterprise antivirus application with additional features (and of course licensing costs).

Windows Firewall

Much like other areas of Windows 10 though (and Windows 11 as of this writing), configuring elements such as Windows Firewall are performed using the older interfaces. Depending on your opinion about the new applications and interfaces within Windows, that may be a good thing. 😀 

Because of this, Windows Firewall largely works the same as it has for years. Rule creation is relatively straight-forward with options to enable/disable based on the network type your system is connected to. 

App Control

App Control (Windows Defender Application Control / WDAC) is Microsoft's latest protection against running malicious software, or for enterprises, software a company simply doesn't want run without permission from the IT departments. It is an improvement on AppLocker.

Rules for software can be based on code-signing certificates (similar idea to Secure Boot and Trusted Boot), file hash, file name, file reputation, and more.

On personal systems the reputation checks alone are a great, free additional layer of security.

Device Security

Under Device Security you can confirm that Secure Boot is enabled, but this section also allows you to enable features such as Memory Integrity and verify your system has a Trusted Platform Module (TPM) and it is in use. More information on these topics can be found on Microsoft's website.



BitLocker

BitLocker provides drive encryption to secure your system given you are running Windows 10/11 Pro, Enterprise, or Education. 

Sadly, that means BitLocker will not work on Windows Home versions of the OS. This is one thing personally I was hoping to see change with Windows 11, but I guess it is still generally more of an enterprise requirement. Maybe one day. In my opinion, this is the strongest argument for Home users to upgrade to Pro if the system in question is a laptop. Even more so if you travel frequently.

BitLocker supports a variety of methods for authentication, encrypts the drive using AES 128 by default though AES 256 is available, integrates well with Domain environments for enterprises looking for a drive encryption solution, and supports several secure options for recovery.

Details on BitLocker deployment can be found on Microsoft's site.

Conclusion

Some honorable mentions I didn't get into here are things like Windows Hello, Credential Guard, and recovery options available in the Windows Recovery Environment.

Microsoft Windows in 2022 includes a large number of security features "out-of-the-box" even for Home users. I'd expect this trend to continue as Windows 11 is further developed and OS changes are made with a focus on security moving forward.

Comments

Post a Comment

Popular Posts

Hashcat - Cracking MD5 and NTLM Hashes

-
Image
Today we'll be exploring Hashcat -- "the world’s fastest and most advanced password recovery utility". This, along with similar tools, should be used only for password recovery, pentest engagements, CTFs, etc and never for illegal purposes. I could write an entire series about the capabilities Hashcat provides, but we will cover a few basic examples for now ( besides, Hashcat does a pretty good job of that themselves ): Crack MD5 hashes using the rockyou.txt wordlist. Crack NTLM hashes using the rockyou.txt wordlist. Crack NTLM hashes using a mask attack (modified brute force). I'll be using Kali Linux as Hashcat comes pre-installed, but Hashcat can run on Windows, macOS, and other Linux distributions as well. As you'll see, I'll be using some lists of hashes I made previously. Tools to generate hashes using dozens of algorithms are available online -- just save the output as a text file if you want to follow along. Cracking MD5 Hashes Using rockyou.txt Wordl
Read more

Configuring Secure Ciphers Suites and TLS

-
Image
Hey everyone, today we're back on cipher suites. If you want a refresher of TLS and secure cipher suites overall, check out my previous post . There are many instances in which you'll need to edit cipher suites on a system -- compliance efforts, CIS benchmarks, or simply ensuring your system doesn't use insecure suites. There are a few ways to go about this and I'll detail two of them now: IIS Crypto and the Windows registry. IIS Crypto My favorite way of editing TLS versions and cipher suites is using IIS Crypto . IIS Crypto allows you to select your desired TLS/SSL version, cipher suites, and backup the registry, all with a few mouse clicks. Only downside is that it's Windows only (even the command line version). This is what IIS Crypto will look like on an unmodified Windows 10 system. Note the separate  Server Protocols  and  Client Protocols  sections. These are important to keep straight depending on what system is listening for connections and what system is
Read more

Configuring SSH Key Based Authentication

-
Image
Overview Most personal computers and many organizations running Linux servers utilize password-based authentication. This is what most of us are used to -- you enter a username and password in order to authenticate your account and gain access to a system. While straightforward and commonplace, this isn't the best solution in most cases. Today I'll be explaining why key based authentication is more convenient, more secure, and allows for automation of tasks without saving credentials in plain-text in a text file. Key based authentication involves the use of private and public keys ( public-key cryptography ). The private key is stored on the client and the public key is stored on the server in a special file ( ~/.ssh/authorized_keys ). This allows any system with the corresponding private key to login to the server where we just stored the public key. Our steps are: Generate key pair (public / private key). Transfer public key and add it to the authorized_keys file on the remot
Read more