AppLocker, Windows Information Protection, Device Guard, WDAG - there are many ways to secure Windows 10. Not all ways are compatible with enterprise requirements. In the session, we look at what we are able to do and discuss experiences from the field around what works well and what doesn’t. In addition, we check how Configuration Manager can support us. https://youtu.be/zqUwgLDmCqY

2. Alexander Benoit
Senior Consultant / Head of Competence Center Microsoft
„Future Workplace“, Security
SCCM, Intune, Windows 10, Defender Framework,…
Alexander.Benoit@sepago.de
@ITPirate
http://it-pirate.com/

3. We have a firewall
We can‘t get
hacked!

4. The threat landscape
No-brainers to secure Windows 10
Latest & greatest mitigation features in Windows 10

5. The discussion is always about tools!

6. Phishing
Keylogger
Ransomware Spyware
Worm Compromised accounts

7. How to secure Windows 10 ?

8. Good to
know
Exploit:
Computercode that takes advantage of a vulnerability in a software system.
Payload:
Payloads carry the functionality for the greater access into the target.

9. Attack
PayloadExploit
Common way‘s to share payloads:
• Fake Hyperlink
• PowerPoint Macro
• as „JPG“ File

10. Create
Metasploit
payload and
configure
listener port
and host IP.

11. Hide
payload
behind fake
link

12. Block at first
sight
support in
Microsoft
Edge

13. • The Windows Defender SmartScreen provides an early warning system to notify users of suspicious
websites that could be engaging in phishing attacks or distributing malware through a socially
engineered attack.
• Windows Defender SmartScreen is one of the multiple layers of defense in the anti-phishing and
malware protection strategies
Check
downloaded
files Windows Defender
Cloud Protection
Click!
Attacker
Generate new
malware file
Send file
metadata
Evaluate
metadata
Verdict: Malware – Block!
Malware Block!
Including Machine Learning,
proximity, lookup heuristics
Command & Control
User

14. Call
managed
and
unmanaged
homepages

15. • Windows Defender Application Guard protects the device from advanced attacks launched against
Microsoft Edge.
• Malware and vulnerability exploits targeting the browser, including zero days, are unable to impact the
operating system, apps, data and network.
• Application Guard uses virtualization based security to hardware to isolate Microsoft Edge and any
browsing activity away from the rest of the system.
• Closing Microsoft Edge wipes all traces of attacks that may been encountered while online.
Call
managed
and
unmanaged
homepages

16. Call
managed
and
unmanaged
homepages

17. Call
managed
and
unmanaged
homepages

18. Call
managed
and
unmanaged
homepages

19. Hide
payload
behind fake
“jpg”

20. Run hidden
payload and
establish
connection

21. • User Account Control (UAC) helps prevent malware from damaging PCs and
helps organizations deploy a better-managed desktop.
• Apps and tasks always run in the security context of a standard user account,
unless an administrator specifically authorizes elevated access to the system
Protect
clients from
unwanted
software

22. Device Guard Kernel Mode Code Integrity
• Protects kernel mode processes and drivers from “zero day” attacks and vulnerabilities by
using HVCI.
• Drivers will must signed.
Device Guard User Mode Code Integrity
• Enterprise-grade application white-listing that achieves PC lockdown for enterprise that runs only
trusted apps.
• Untrusted apps and executables, such as malware, are unable to run.
driver and
application
white-listing

23. driver and
application
white-listing

24. Compromise
the client

25. stops the
attacker from
manipulating
processes
• Windows Defender Exploit Guard helps you audit, configure, and manage Windows system and
application exploit mitigations .
• In addition Exploit Guard delivers a new class of capabilities for intrusion prevention.
While it provides legacy app protections including:
• Arbitrary Code Guard
• Block Low Integrity Images
• Block Remote Images
• Block Untrusted Fonts
• Code Integrity Guard
• Disable Win32k system calls
• Validate Stack Integrity
• Do Not Allow Child Processes
• Export Address Filtering
• Import Address Filtering
• Simulate Execution
• Validate API Invocation (CallerCheck)
• Validate Image Dependency Integrity

26. Secure Windows 10 – No Brainers

27. Vulnerabilities are increasing while evidence of actual exploits is decreasing due to mitigation investments

28. • Full drive encryption solution provided natively with Windows 10 Professional and Enterprise
• Used to protect the operating system drive, secondary data drives and removable devices
• System Center Configuration Manager, MDT and Intune can be used to deploy BitLocker
Overview

29. Overview
• Credential Guard isolates secrets that previous versions of Windows stored in the Local Security
Authority (LSA) by using virtualization-based security.
• The LSA process in the operating system talks to the isolated LSA by using remote procedure calls.
• Data stored by using VBS is not accessible to the rest of the operating system.

30. Breach detection
investigation &
response
Device
protection
Identity
protection
Information
protection
Threat
resistance

31. Educate your users!

32. https://aka.ms/ignite.mobileapp
https://myignite.microsoft.com/evaluations