Microsoft Exam MD:100 Windows 10 Certification Guide

Configuring Threat Protection

A Windows 10 computer is more vulnerable to threats that originate from the network than from any other location. This is because network attacks can target a significant number of computers, while other forms of attack require physical access to the computer. In this section, you will understand what malware and threat protection are. Furthermore, you will learn about the advanced protection methods that you can use to reduce your exposure to threats.

Understanding malware and threat protection

Malicious software, or malware, is software that attackers design to harm computer systems. Malware can do many things, from causing damage to the computer to allowing unauthorized parties remote access to the computer, to collecting and transmitting sensitive information to unauthorized third parties. There are several types of malware, including the following:

  • Computer viruses
  • Computer worms
  • Trojan horses
  • Ransomware
  • Spyware

To protect against malware infections, you need to ensure that all your software and OS updates are installed. Of course, you also need to ensure that anti-malware software is installed and activated on all your devices and that it is up to date with the latest virus definitions.

As well as protecting your computer, you need to ensure you teach your end users to avoid installing pirated software or media, browsing suspicious websites, and opening suspicious email attachments, even if they are from senders that you trust.

Malware can infect the devices of even the most diligent people. For example, users with good malware avoidance habits might visit a reputable website that has been compromised and that leverages an undisclosed exploit in popular software. The software vendor may not have fixed the flaw because they are unaware that it exists. These users' devices could then become infected.

Additionally, no anti-malware solution has a perfect detection rate. It is possible to take all the necessary precautions and still have your devices become infected. Taking precautions only reduces the probability that a person's equipment will be compromised by malware, though it does not eliminate the possibility.

We'll learn about phishing next.

Learning about phishing scams

Phishing is a form of online identity theft. Phishing uses emails, phone calls, texts, and malicious websites designed to steal your personal data or information such as credit card numbers, passwords, account details, or other information.

Cybercriminals are skilled at tricking you into providing your personal information to them, which can lead to identity theft and loss of data. Phishing is particularly dangerous because cybercriminals mask messages and calls as legitimate, using logos and acronyms that appear to be real.

Phishing threats cannot be stopped by merely configuring a setting in Windows. A phishing scam succeeds when the user is tricked into handing login credentials or other secure data to the attacker. Therefore, teaching your end users about this is necessary in order to minimize threats from phishing.

The tricks that cybercriminals use for phishing are as follows:

  • Fake websites: If you receive a suspicious email message and it prompts you to click on a link, then you must hover over that link. If the link does not match the name or descriptive text in your email, you could have received a phishing email. If the link points to a website or company you've never heard of or visited before, this could be a phishing attempt.
  • Threats: Emails that threaten account closure could be from a cybercriminal. If you receive an email that pressures you to take action by threatening that your account will be closed, be careful. Cybercriminals use a variety of methods to steal your information and gain access to your data through threats and misinformation.
  • Spoofing companies or people you know: Scammers use graphics in email that appear to be connected to legitimate websites but take you to fraudulent scam sites or legitimate-looking pop-up windows. Spoofing can also occur when a scammer impersonates someone you know by mimicking their email address. Always check that the address you're replying to is the correct one.

There are also a few options you can use to confirm that an email is legitimate:

  • Uncover the URL: We can test a URL before clicking on it by placing the mouse pointer over it and comparing the real target with the link text. Often, misleading links are inserted into an email as a means of tricking the reader.
  • Poor grammar and spelling: Companies rarely send messages without the text being proofread, so numerous spelling and grammar errors can signify a scam message.
  • Company contact information and brand accuracy: Most companies have a recognizable brand identity in their emails. Look for logos, brand colors, and the message that contains their contact information.
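The "uncover the URL" check above can be automated when you triage a suspicious message. The following PowerShell function is an added example, not code from the book: it pulls every anchor out of an HTML message body, and flags the link when the visible text names one host but the href points to a different one (or to no host at all). The sample message body is constructed for this example.

```powershell
# Added example (not from the book): compare the visible text of each link in an
# HTML message body with the host that the href actually points to.
function Get-MismatchedLinks {
    param([Parameter(Mandatory)][string]$Html)

    $results = @()
    # Capture the href target (group 1) and the visible anchor text (group 2).
    $pattern = '<a\s[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $pattern, 'IgnoreCase,Singleline')) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()

        # Host the link really goes to; $null when the href is not an absolute URL.
        $hrefHost = $null
        $uri = $null
        if ([System.Uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$uri)) {
            $hrefHost = $uri.Host.ToLowerInvariant()
        }

        # Host the user *sees*, but only when the link text itself looks like a URL.
        $textHost = $null
        $textUri = $null
        $candidate = if ($text -match '^[a-z]+://') { $text } else { "https://$text" }
        if ($text -match '^(?:[a-z]+://)?[\w.-]+\.[a-z]{2,}(/|$)' -and
            [System.Uri]::TryCreate($candidate, [System.UriKind]::Absolute, [ref]$textUri)) {
            $textHost = $textUri.Host.ToLowerInvariant()
        }

        $results += [pscustomobject]@{
            Text       = $text
            Href       = $href
            Suspicious = ($null -eq $hrefHost) -or ($textHost -and $textHost -ne $hrefHost)
        }
    }
    return $results
}

# Constructed sample message body: the first link shows one host but goes to another.
$sample = @'
<p>Your account will be closed. <a href="http://login-example-bank.invalid/verify">https://www.example-bank.com/verify</a></p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a></p>
'@

Get-MismatchedLinks -Html $sample | Format-Table -AutoSize
```

Only links whose visible text is itself a URL or host name are compared; a link whose text reads "Click here" carries no host to check, so it is flagged only when the href is not an absolute URL. The function reproduces what a careful user does by hovering, nothing more, so it complements rather than replaces the user awareness the section calls for.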

Now that you know about the different types of phishing scams and what you can do to protect yourself against them, let's move on and understand the built-in Windows Security features we can use.

Understanding Windows Security

Devices and users need to be protected while they are online. To do this, they rely on the built-in defense features of Windows Security, which provide resilience against ever-increasing threats. The Windows Security feature is an app that is accessible from within the Settings app. The Windows Security app is a single portal for users to control and view their device's security, health, and online safety.

You can open the Windows Security app by following these steps:

  1. Click on Start.
  2. Browse to Windows Security.
  3. The Windows Security app will open. This app contains an overview of the status of the Windows Security features, as well as links to other settings and support, as shown in the following screenshot:

Figure 7.5 - The Windows Security feature

This Windows Security page, as shown in the previous screenshot, provides a status report covering the seven areas of security. From this page, you can review the various color-coded status icons that are available, which indicate the level of safety for that area. The three color codes are as follows:

  • Green: This is used to indicate that the device is sufficiently protected and that there aren't any recommendations to follow up.
  • Yellow: This is used to indicate that there is a safety recommendation that should be reviewed.
  • Red: This is used to indicate a warning, meaning that something needs immediate action.

The Windows Security app collects the statuses of each of the included security features and allows you to perform some configuration.

From the Windows Security feature inside the Settings app, you can open the standalone Windows Security app by clicking the Open Windows Security button, as shown in the following screenshot:

Figure 7.6 - The Windows Security standalone app

When a Windows Security item requires action from the end user, for example, to update the virus and threat protection definitions, the shield icon in the notification area of the taskbar will show a red cross to indicate that an action is required.

The previous screenshot shows seven security areas. These are explained as follows:

  • Virus & threat protection: This is used to monitor threats to your device, run scans, and gather updates to help protect you against the latest threats.
  • Account protection: This is used to access sign-in options and account settings, including features such as Windows Hello and Dynamic Lock.
  • Firewall & network protection: This is used to manage firewall settings and monitor network and internet connections.
  • App & browser control: This is used to review and update settings for Windows Defender SmartScreen and configure exploit protection settings.
  • Device security: This is used to review built-in security options that use virtualization-based security to help protect your device from attacks that may be performed by malicious software.
  • Device performance & health: This is used to view the status of your device's performance health.
  • Family options: This is used for features such as Parental control, which allows you to keep track of your kids' online activity.
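The Virus &amp; threat protection area of the app is backed by the Defender cmdlets, so the same green/red status it shows can be produced from an administrative PowerShell session. The script below is an added example, not code from the book; it reads the real properties exposed by Get-MpComputerStatus and derives an overall status using the app's colour convention (the one-day signature-age threshold is an assumption chosen for this example).

```powershell
# Added example (not from the book): summarise the Virus & threat protection
# state that the Windows Security app reports, using Get-MpComputerStatus.
function Get-ThreatProtectionSummary {
    param([int]$MaxSignatureAgeDays = 1)   # assumed threshold for "definitions are current"

    $status = Get-MpComputerStatus
    $checks = @(
        [pscustomobject]@{ Check = 'Antimalware service running'; Ok = $status.AMServiceEnabled }
        [pscustomobject]@{ Check = 'Antivirus enabled';           Ok = $status.AntivirusEnabled }
        [pscustomobject]@{ Check = 'Real-time protection on';     Ok = $status.RealTimeProtectionEnabled }
        [pscustomobject]@{ Check = 'Behaviour monitoring on';     Ok = $status.BehaviorMonitorEnabled }
        [pscustomobject]@{ Check = "Definitions newer than $MaxSignatureAgeDays day(s)"
                           Ok    = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays) }
    )

    # Mirror the app's colour coding: green when every check passes, red otherwise.
    $overall = if ($checks.Ok -contains $false) { 'Red' } else { 'Green' }

    [pscustomobject]@{
        Overall          = $overall
        Checks           = $checks
        SignatureVersion = $status.AntivirusSignatureVersion
        LastQuickScan    = $status.QuickScanEndTime
        LastFullScan     = $status.FullScanEndTime
    }
}

$summary = Get-ThreatProtectionSummary
$summary.Checks | Format-Table -AutoSize
"Overall status: $($summary.Overall) (signatures $($summary.SignatureVersion), last quick scan $($summary.LastQuickScan))"
```

When the definitions check fails, Update-MpSignature pulls the latest definitions, which is the same action the app offers behind its red shield icon.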

In this section, you learned the basics of the Windows Security app, what malware is, and its different types. In the next section, you will learn about some of the advanced protection methods available in Windows 10.

Understanding advanced protection methods

One important part of protecting Windows 10 is to take a defense-in-depth approach. Threats come in many forms and can target a variety of specific services or applications. You, as an administrator, should assume that no single solution will be able to mitigate all threats, and you should be familiar with the tools and settings available that can help you secure devices. In the following sections, we are going to look at the tools and settings available for Windows 10 that help with securing devices.

Learning about the Security Compliance Toolkit

The Microsoft Security Compliance Toolkit helps an organization's security administrators effectively manage the Group Policy Objects (GPOs) of their enterprise. Administrators may compare their current GPOs with Microsoft GPO baselines or other baselines using the toolkit, then edit them, save them in GPO backup file format, and apply them to test their effects via a domain controller or directly inject them into test hosts.

In the following sections, you will learn about a few security features that you can implement in your environment.

Windows Security baselines

Microsoft publishes recommended configuration settings, also known as security baselines, together with an explanation of their security impact. These security baselines are a huge benefit to customers because they bring expert knowledge from Microsoft and their partners.

You can use a security baseline to ensure that the user and device configuration settings are compliant with the baseline. You can set these configuration settings according to a baseline via Group Policy or Microsoft Intune.

Windows Device Health Attestation

Windows Device Health Attestation ensures that the Windows 10 OS has not been tampered with or compromised and helps verify the overall health of the system. Certain services (such as Exchange email, SharePoint, or Azure Active Directory (Azure AD) membership) take advantage of this service and can disallow access until a Windows 10 Enterprise edition Personal Computer (PC) meets specific qualifications.

For example, when a user tries to join a new Windows 10 PC to the Azure Active Directory, conditional access can verify the integrity of the PC using Windows Device Health Attestation and then ensure that BitLocker, Secure Boot, or Virtualization-Based Security features such as Credential Guard are enabled. If a user elects not to allow these settings to be configured, access to the requested resource is denied.

Let's quickly look at Secure Boot. Secure Boot is a security standard created to make sure that your PC boots up using only software trusted by the PC manufacturer. Secure Boot support was introduced in Windows 8, and Windows 10 still supports it.

First, when starting the PC, the firmware checks the signature of each piece of boot software, including firmware drivers (option ROMs), EFI applications, and the OS. If the signatures are found to be authentic and correct, the PC boots and the firmware hands control to the OS.

Secure Boot prevents a dangerous and sophisticated form of malware, called a rootkit, from loading on your computer when it starts. Rootkits have the same rights as the OS and can start even before the OS boots. Rootkits are also often part of a whole malware package that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.

Windows Device Health Attestation requires the use of modern authentication. Modern authentication is the name Microsoft uses to describe the Azure Active Directory Authentication Library (ADAL) for clients and other technologies that implement authentication using the OAuth 2.0 and OpenID Connect protocols. Microsoft has built these technologies natively into Windows 10 and Office 2016 and Microsoft-hosted services such as Office 365.

Windows Information Protection

Windows Information Protection (WIP) is a feature of Windows 10 Pro and Enterprise. This feature is intended to keep organizational data secure, regardless of the actions of end users.

When enabled, WIP watches for content that is downloaded from SharePoint, Office 365, and corporate web servers and file servers. It offers a range of controls, such as blocking content from being downloaded, warning users, or auditing their access to prevent data from being shared outside the organization.

WIP automatically protects the content that is downloaded to the device, and only approved applications can access it. An organization can also choose to securely wipe data from the device using Microsoft Intune or third-party Mobile Device Management (MDM).

WIP will provide encryption at rest using Microsoft's Encrypting File System (EFS) and will also utilize the Microsoft-hosted Azure Rights Management Services functionality, which is included with Office 365, to protect the data when the data egresses outside of the corporate network boundary or when it arrives on non-Windows platforms, such as iOS and Android.

Understanding Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (ATP) is a platform that is designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Unlike Windows Defender, which is available on each Windows 10 computer and managed by Group Policy or Intune, Windows Defender ATP is a whole new platform that helps administrators enhance security, as well as to establish centralized security control over both cloud and on-premises resources.

Important Note

Even though Windows Defender ATP shares the same name with Windows Defender in Windows 10, these are not the same products.

Windows Defender ATP can be used to monitor Windows Defender functionalities on local Windows 10 devices to maintain consistent configuration and an acceptable security level. Windows Defender ATP can also integrate with Office 365 Threat Intelligence and Microsoft Intune.

Windows Defender ATP uses the following combination of technologies, all of which are included in Windows 10 and the cloud service offered by Microsoft:

  • Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process OS behavioral signals and send the sensor data to your private, isolated Windows Defender ATP cloud instance.
  • Cloud security analytics: Using big data, machine learning, and unique Microsoft optics across the Windows ecosystem and Microsoft cloud products, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
  • Threat intelligence: Created by Microsoft hunters and security teams, and strengthened by partners' threat intelligence, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and to generate alerts when these are observed in the collected sensor data.

The aforementioned technologies, when combined, provide very efficient, proactive monitoring regarding what happens on your client machines, servers, and network. They perform automated investigations on well-known incidents and provide some actions, before an administrator is even alerted.

Understanding Windows Defender Application Control

With thousands of new malicious files being created every day, using traditional methods such as antivirus solutions provides an inadequate defense against further attacks.

When an end-user runs a process, that process has to access the data that the user has. This can cause sensitive information to be quickly deleted or transmitted out of the organization.

This could happen when an end-user knowingly or unknowingly runs malicious software. Application control can help mitigate these types of security threats by restricting the applications that your end users are allowed to run.
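Restricting which applications may run is done in Windows 10 with a Windows Defender Application Control (code integrity) policy. The script below is an added example and not code from the book or from Microsoft: it builds a policy from the software installed on a clean reference machine, enables audit mode so that nothing is blocked while the rule set is tuned, compiles the policy, and copies it to the location Windows loads it from. The `C:\WDAC` working folder is an assumption for this example.

```powershell
# Added example (not from the book): create a Windows Defender Application Control
# policy from a reference machine and deploy it in audit mode. Run as administrator.
$policyXml = 'C:\WDAC\ReferencePolicy.xml'   # assumed working path
$policyBin = 'C:\WDAC\SIPolicy.p7b'          # assumed compiled-policy path
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# Scan the installed software and allow it by signer certificate plus file
# name/version; fall back to a file hash for unsigned binaries. -UserPEs also
# covers user-mode executables, not only drivers.
New-CIPolicy -Level FilePublisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath $policyXml

# Rule option 3 = Enabled:Audit Mode. Executions the policy would block are only
# logged (Microsoft-Windows-CodeIntegrity/Operational, event ID 3076). Remove the
# option once the log shows no legitimate software being flagged.
Set-RuleOption -FilePath $policyXml -Option 3

# Compile the XML into the binary form the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# Single-policy deployment location on Windows 10; the policy takes effect after a restart.
Copy-Item $policyBin -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" -Force
```

Building the policy on a machine that contains only approved software matters because everything the scan finds becomes allowed; a full-drive scan can take a long time, so administrators often narrow -ScanPath to the directories that hold the managed software.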

Learning about Windows Defender Device Guard

Windows Defender Device Guard is broken down into two functions: Windows Defender Exploit Guard and Windows Defender Application Control. Such features are a combination of enterprise-related hardware and software security features that, when configured together, will lock down a system so that it can only run trusted applications that are specified in the code integrity policies of an enterprise. If an application is not trusted, it cannot run, period.

This also means that even if an attacker manages to get control of the Windows kernel, they will be much less likely to be able to run malicious executable code on hardware that meets the basic requirements.

Understanding Windows Defender Credential Guard

Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Credential theft attacks, such as Pass-the-Hash, can lead to unauthorized access to your systems.

Windows Defender Credential Guard prevents these attacks by protecting the New Technology LAN Manager (NTLM) password hashes, Kerberos Ticket Granting Tickets, and credentials that are stored by applications as domain credentials. This is done by removing these credentials from the Local Security Authority (LSA) process and holding them in the isolated environment instead.
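The Windows Device Health Attestation section above names the qualifications conditional access can verify (Secure Boot, BitLocker, and virtualization-based security features such as Credential Guard), and this section describes what Credential Guard isolates. The function below, an added example and not code from the book, reports on all of them from an administrative PowerShell session using the documented cmdlets and the Win32_DeviceGuard WMI class; the numeric meanings in the comments are Microsoft's documented values for that class.

```powershell
# Added example (not from the book): check whether this device meets the kind of
# health qualifications described above. Requires an elevated session.
function Get-DeviceHealthSummary {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # BitLocker must be both fully encrypted and actively protecting the OS volume.
    $osVolume    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $bitLockerOn = ($osVolume.ProtectionStatus -eq 'On') -and ($osVolume.VolumeStatus -eq 'FullyEncrypted')

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsRunning = $dg.VirtualizationBasedSecurityStatus -eq 2
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $credentialGuard = $dg.SecurityServicesRunning -contains 1
    $memoryIntegrity = $dg.SecurityServicesRunning -contains 2

    [pscustomobject]@{
        SecureBoot        = $secureBoot
        BitLockerOSVolume = $bitLockerOn
        VbsRunning        = $vbsRunning
        CredentialGuard   = $credentialGuard
        MemoryIntegrity   = $memoryIntegrity
        MeetsRequirements = $secureBoot -and $bitLockerOn -and $vbsRunning -and $credentialGuard
    }
}

Get-DeviceHealthSummary | Format-List
```

A result with VbsRunning true but CredentialGuard false usually means the Credential Guard setting itself has not been applied (through Group Policy or Intune), while VbsRunning false on hardware that supports it most often points at Secure Boot or virtualization being disabled in firmware.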

Learning about Windows Defender Application Guard

Windows Defender Application Guard is designed for Windows 10 and the Microsoft Edge browser. It also helps isolate untrusted websites while your end users browse the internet. As an administrator, you need to define what the trusted sites are, which cloud resources you can trust, and, of course, you need to identify your internal networks. Everything not on your list is considered to be untrusted.

In the following screenshot, you can see how Defender Application Guard works on a device:

Figure 7.7 - Hardware isolation with Defender Application Guard

If an employee goes to an untrusted site through the Microsoft Edge browser, the browser opens the site in an isolated Hyper-V-enabled container, which is separate from the host OS. If the site turns out to be malicious, the host PC is protected.

Understanding Windows Defender Exploit Guard

Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities for Windows 10. It allows administrators to define and manage policies for attack surface reduction, exploit protection, network protection, and controlled folder access, which prevents suspicious apps from accessing folders that are typically targeted.
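Each of the Exploit Guard capabilities just named can be switched on in audit mode first, so that Windows logs what the policy would have blocked without interrupting users. The script below is an added example, not code from the book; it uses the Defender preference cmdlets. The ASR rule GUID shown is the published identifier for the "Block executable content from email client and webmail" rule (verify it against Microsoft's ASR rule reference before use), and the protected folder path is an assumption for this example.

```powershell
# Added example (not from the book): enable Exploit Guard capabilities in audit
# mode for evaluation. Run as administrator.

# Attack surface reduction: evaluate one rule. GUID taken from Microsoft's ASR rule
# reference ("Block executable content from email client and webmail"); verify before use.
$asrRuleId = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleId -AttackSurfaceReductionRules_Actions AuditMode

# Network protection: log connections to known-malicious destinations instead of blocking them.
Set-MpPreference -EnableNetworkProtection AuditMode

# Controlled folder access: log untrusted apps that write to protected folders, and
# add a folder of our own (assumed path) to the default protected set.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'

# Review the resulting configuration.
Get-MpPreference | Select-Object EnableNetworkProtection, EnableControlledFolderAccess,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
    ControlledFolderAccessProtectedFolders
```

Audit events are written to the Microsoft-Windows-Windows Defender/Operational log (event ID 1122 for attack surface reduction, 1124 for controlled folder access, and 1125 for network protection). Once the log shows no legitimate activity being caught, the same cmdlets with Enabled in place of AuditMode move the policy to enforcement.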

Now, you know about most of the built-in features in Windows 10 that you can use to secure your OS. You know what you can do with Windows Information Protection and how you can implement the Windows Security baselines, and this section has covered the family of Windows Defender features.

You should now be able to distinguish between these Windows Defender features and explain what each one does. Next, we'll learn how to implement encryption on disk or at the file level.