Many businesses rely on corporate-owned Windows 10 devices for securing corporate endpoints. In an attempt to keep cyberattackers at bay, they may try to lock down Windows 10 with a variety of security features, such as Windows Defender (or a third-party EPP/EDR/NGAV solution), Credential Guard (to prevent pass-the-hash attacks), Device Guard (to enforce code signing and app whitelisting) and App Guard (to sandbox the Edge browser in a virtual machine). However, in the real world, these security measures are sometimes impractical to apply and only cover a subset of the attack surface.
In this post, we'll examine this strategy from three perspectives: that of a sophisticated attacker, that of the end user, and that of the IT administrator.
A Win10 endpoint in which all of these security features are turned on does present some challenges for the attacker. It can definitely prevent common pass-the-hash attacks, in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network. Other basic attacks that leverage known malware or explicit malicious behavior can be thwarted by using EPP/EDR/NGAV solutions.
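As an added example (not from the original post), here is a PowerShell check a defender can run on an endpoint to confirm which of the features named above are actually running, since a feature that is only configured, or that is in audit mode, provides none of the protection described. It assumes an elevated session on Windows 10 Enterprise; the function name Get-Win10HardeningStatus is our own, the cmdlets and WMI class it queries are the standard Windows ones.

```powershell
# Added example: audit which Win10 hardening features are actually active.
# Assumes an elevated PowerShell session on Windows 10 Enterprise.
function Get-Win10HardeningStatus {
    # Device Guard / VBS state lives in the DeviceGuard WMI namespace.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (kernel code integrity).
    # A service that appears only in SecurityServicesConfigured is not protecting anything.
    $running    = @($dg.SecurityServicesRunning)
    $configured = @($dg.SecurityServicesConfigured)

    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit only, 2 = enforced.
    $ciState = @{ 0 = 'Off'; 1 = 'AuditOnly'; 2 = 'Enforced' }

    # Application Guard is an optional Windows feature; State is Enabled/Disabled.
    $wdag = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Windows-Defender-ApplicationGuard'

    # Defender status: real-time protection off means the EPP layer is effectively absent.
    $mp = Get-MpComputerStatus

    [pscustomobject]@{
        VbsRunning                  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning      = ($running -contains 1)
        CredentialGuardConfigOnly   = ($configured -contains 1) -and -not ($running -contains 1)
        HvciRunning                 = ($running -contains 2)
        KernelCodeIntegrityPolicy   = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrityPolicy = $ciState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        ApplicationGuard            = $wdag.State
        DefenderRealTimeProtection  = $mp.RealTimeProtectionEnabled
        DefenderRunningMode         = $mp.AMRunningMode
    }
}

# Print the summary and flag the two gaps that silently defeat the protections discussed above.
$status = Get-Win10HardeningStatus
$status | Format-List

if ($status.CredentialGuardConfigOnly) {
    Write-Warning 'Credential Guard is configured but not running; pass-the-hash protection is not in effect.'
}
if ($status.KernelCodeIntegrityPolicy -ne 'Enforced') {
    Write-Warning 'Code integrity policy is not enforced; unsigned or unapproved code can still execute.'
}
```

Run it from a scheduled task or a configuration-management check so that a feature that drops back to "configured only" after a firmware or driver change is noticed rather than assumed.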
However, Win10 still leaves an enormous attack surface to prod and vulnerabilities to exploit. The attacker is likely to target unpatched vulnerabilities or leverage legitimate apps with design flaws that live on the Win10 operating system (OS). Just think of an attacker who fools a user into silently installing a legitimate remote control application like Webex on the user's laptop. From that point on, the attacker sees everything the user sees and has full control over all of the user's apps.
End users are very familiar with the standard Windows OS and are comfortable with a local Win10 experience. The end user runs into problems, however, when the security features produce false positives and block the user from getting things done, generating user irritation and downtime.
Additionally, if you use the App Guard feature to sandbox the Edge browser in a VM, users run into all kinds of website compatibility issues, plugin issues, and potential performance issues. This means that users at companies that implement this type of sandboxing can find their browsers don't reliably work. Finally, if IT turns on code integrity and app whitelisting, users can't use any third-party apps or scripts, which is not practical for real-world knowledge workers.
IT admins appreciate that, because the new Win10 security features are built directly into the OS, there is less management overhead: fewer consoles to manage and tighter integration with the OS. However, they can be distracted and overwhelmed by the high volume of alerts that Win10 security features may generate on a regular basis. There are multiple agents to monitor and constant decisions to make about what should be allowed vs. blocked.
In addition, to really make sure Win10 stays safe, IT teams must keep on patching the OS, middleware, and applications on an ongoing basis. This can be an impossible task or a patching nightmare. On top of this, IT teams still need to worry about older operating systems like Win7, Linux and macOS.
THE BOTTOM LINE
Win10 can significantly increase security if you have users that can be limited and locked down at work. For this type of user (e.g., call center users), leveraging the latest Win10 security features to limit what apps they use, prevent access to certain website categories, restrict external USB devices, and force them to always be under the network restrictions of the corporate network can help improve security.
However, this isn’t a practical solution for enterprise knowledge workers, researchers, developers, road warriors and the like. Those users need local admin rights, full internet access, access to cloud services, third-party apps and plugins, home printers, etc. You simply can’t lock them down or you’ll significantly degrade their productivity. In addition, real-world enterprise desktops have legacy software that potentially won’t be compatible with the latest Win10 security features, making them impractical to adopt.
We’d love to hear your thoughts on Win10 as a security solution. What do you view as the pros and cons?