AppLocker, Windows Information Protection, Device Guard, Windows Defender Application Guard: there are many ways to secure Windows 10. Not all ways are compatible with Enterprise requirements. In the session, we will have a look at what we are able to do and I will add some experiences from the field about what works well and what doesn’t. In addition, we will check how ConfigMgr can support us.
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already included features
1. Best Practices to secure Windows 10 with already included features
Alexander Benoit
Head of Competence Center Microsoft @sepago
@ITPirate
2. Alexander Benoit
Senior Consultant / Head of Competence Center Microsoft
„Future Workplace“, Security
SCCM, Intune, Windows 10, Defender Framework,…
Alexander.Benoit@sepago.de
@ITPirate
http://it-pirate.com/
7. Analysis: High-level vulnerability & exploit trends
Vulnerabilities are increasing while evidence of actual exploits is decreasing due to mitigation investments
9. Windows 10 Security on Modern Devices
Five pillars: Breach detection, investigation & response; Device protection; Identity protection; Information protection; Threat resistance
10. No-Brainer: Microsoft BitLocker
• Full drive encryption solution provided natively with Windows 10 Professional and Enterprise
• Used to protect the operating system drive, secondary data drives and removable devices
• System Center Configuration Manager, MDT and Intune can be used to deploy BitLocker
12. Windows Defender Credential Guard
• Uses virtualization-based security to isolate secrets in the Local Security Authority (LSA).
• Only privileged system software can access secrets when stored locally.
• Mitigates credential theft attacks, such as Pass-the-Hash (PtH) or Pass-The-Ticket (PtT).
13. Windows Defender Credential Guard
• Credential Guard isolates secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security.
• The LSA process in the operating system talks to the isolated LSA by using remote procedure calls.
• Data stored by using VBS is not accessible to the rest of the operating system.
14. Get deeper into attack scenarios
Good to know
Exploit: Computer code that takes advantage of a vulnerability in a software system.
Payload: The payload carries the functionality that gives the attacker broader access to the target.
19. Windows Defender SmartScreen
• Windows Defender SmartScreen provides an early warning system to notify users of suspicious websites that could be engaging in phishing attacks or distributing malware through a socially engineered attack.
• Windows Defender SmartScreen is one of the multiple layers of defense in the anti-phishing and malware protection strategies.
[Diagram: the attacker generates a new malware file and delivers it to the user via command & control; when the user clicks, Windows Defender checks the downloaded file by sending its metadata to Windows Defender Cloud Protection, which evaluates it (including machine learning, proximity and lookup heuristics) and returns the verdict "Malware – Block!"]
21. Windows Defender Application Guard
• Windows Defender Application Guard protects the device from advanced attacks launched against Microsoft Edge.
• Malware and vulnerability exploits targeting the browser, including zero days, are unable to impact the operating system, apps, data and network.
• Application Guard uses hardware-based virtualization security to isolate Microsoft Edge and any browsing activity away from the rest of the system.
• Closing Microsoft Edge wipes all traces of attacks that may have been encountered while online.
[Diagram: calling managed and unmanaged homepages]
27. User Account Control
• User Account Control (UAC) helps prevent malware from damaging PCs and helps organizations deploy a better-managed desktop.
• Apps and tasks always run in the security context of a standard user account, unless an administrator specifically authorizes elevated access to the system.
Protect clients from unwanted software
28. Windows Defender Device Guard
Device Guard Kernel Mode Code Integrity
• Protects kernel mode processes and drivers from “zero day” attacks and vulnerabilities by using HVCI.
• Drivers must be signed.
Device Guard User Mode Code Integrity
• Enterprise-grade application white-listing that locks the PC down so that only trusted apps run.
• Untrusted apps and executables, such as malware, are unable to run.
Driver and application white-listing
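As an added example (not part of the deck and not sepago or Microsoft code), the following PowerShell audit reads the state the Credential Guard and Device Guard slides describe, plus BitLocker (slide 10) and UAC (slide 27), so a field engineer can see which of these features are actually active on a client before rolling a ConfigMgr or Intune baseline. It assumes Windows 10 (the Win32_DeviceGuard CIM class and the BitLocker module are not present on older versions) and an elevated session; the function and variable names are my own.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not from the slide deck). Function name is an assumption.

function Get-Win10SecurityState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'NotEnabled' } 1 { 'EnabledNotRunning' } 2 { 'Running' } default { 'Unknown' }
    }
    # Device Guard user-mode code integrity policy: 0 = off, 1 = audit mode, 2 = enforced
    $umci = switch ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus) {
        0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
    }

    # BitLocker on the operating-system drive (slide 10)
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bl = if ($osVol) { "$($osVol.ProtectionStatus) ($($osVol.EncryptionPercentage)% encrypted)" } else { 'Unavailable' }

    # UAC policy values (slide 27): EnableLUA = 0 turns UAC off,
    # ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbs
        # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI
        CredentialGuardRunning      = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning                 = [bool]($dg.SecurityServicesRunning -contains 2)
        UserModeCodeIntegrity       = $umci
        BitLockerOsDrive            = $bl
        UacEnabled                  = ($uac.EnableLUA -eq 1)
        AdminPromptsForElevation    = ($uac.ConsentPromptBehaviorAdmin -ne 0)
    }
}

# Report the current state and list the gaps a ConfigMgr/Intune baseline would have to close
$state = Get-Win10SecurityState
$state | Format-List

$gaps = @()
if ($state.VirtualizationBasedSecurity -ne 'Running') { $gaps += 'VBS is not running (Credential Guard and HVCI depend on it)' }
if (-not $state.CredentialGuardRunning) { $gaps += 'Credential Guard is not running' }
if (-not $state.HvciRunning) { $gaps += 'HVCI (kernel-mode code integrity) is not running' }
if ($state.UserModeCodeIntegrity -ne 'Enforced') { $gaps += "User-mode code integrity policy is $($state.UserModeCodeIntegrity)" }
if ($state.BitLockerOsDrive -notlike 'On*') { $gaps += 'BitLocker is not protecting the OS drive' }
if (-not $state.UacEnabled -or -not $state.AdminPromptsForElevation) { $gaps += 'UAC is disabled or elevates administrators silently' }

if ($gaps) { Write-Warning ("Hardening gaps:`n - " + ($gaps -join "`n - ")) } else { 'All checked features are active.' }
```

Run it under ConfigMgr as a compliance script to detect drift, or point it at a freshly imaged reference machine to confirm the baseline took effect.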