The new Windows as a Service model of Microsoft has helped Microsoft implement new threat mitigations and protection against threats faster than in the previous model that saw new releases happen every three years.
Windows as a Service evolves the operating system constantly, or more precisely, twice a year with feature updates around March and September of each year.
A new blog post on Technet compares the old release model to the new in regards to threat mitigation, and highlights improvements and advancements that Microsoft made since the release of Windows 10.
Windows 10 Threat Mitigation advancements
The author compares exploitation a decade ago to exploitation techniques that are used today. Microsoft’s take away from that was that the faster release of Windows 10 feature updates would reduce the impact that new exploitation techniques had on the Windows population.
The graphic that you see above shows new threat mitigation techniques that Microsoft added to the first four versions of Windows 10.
The blog article highlights important mitigations afterwards:
- User Mode Font Driver (UMFD) — A feature implemented in the original release version of Windows 10. It moved font processing into an App Container in user mode. Additionally, administrators may disable the processing of untrusted fonts for a process using the Process Font Disable policy. (see Block programs from loading untrusted fonts in Windows 10)
- Win32k Syscall Filtering — The Win32k subystem is the number one target to escape the sandbox because of its large attack surface and its 1200 APIs. The feature limits the list if APIs that can be targeted.
- Less Privileged App Container (LPAC) — LPAC is a restricted version of App Container that denies access by default.
- Structured Exception Handling Overwrite Protection (SEHOP) — Designed to block exploit techniques that use the Structured Exception Handler (SEH) overwrite technique.
- Address Space Layout Randomization (ASLR) — This technique loads dynamic link libraries into random memory address space to mitigate attacks that target specific memory locations.
- Heap protections — Windows 10 protects the heap in various ways, for instance by using heap metadata hardening, and through heap guard pages.
- Kernel pool protections — Protects the memory that is used by the kernel.
- Control Flow Guard — Needs to be compiled into software programs. Microsoft added this to Edge, Internet Explorer 11 and other Windows 10 features. Control Flow Guard detects if an attack changes the “intended flow of code”.
- Protected Processes — Protected processes are important or system critical processes. Windows 10 prevents untrusted processes from tampering with protected processes. In Windows 10, security applications may be put into the protected process space.
- Universal Windows apps protections — Windows Store apps — UWP and converted Win32 programs — are vetted before they are made available.
- No Child Proc — Designed to block code execution by launching child processes.
Read also: Windows 10 Build 14986 ships
Microsoft mentions the main objectives when implementing threat mitigations into Windows 10 afterwards:
Reducing the attack surface of Windows Platform
Takes soft target out of the picture
Eliminates existing exploitation techniques so that new techniques need to be found.
Reducing impact of vulnerability by isolation.
Make overall exploitation harder and expensive
Closing Words
Windows as a Service guarantees faster deployment of exploit mitigation techniques according to Microsoft. While that is probably true for some techniques, others may have also been added to previous versions of Windows as updates.
Now Read: Windows Defender Exploit Guard – Native EMET in Windows 10 (via Born)