Windows 10 Security Internals 6/10/2018 12:37 PM Windows 10 Security Internals Chris Jackson Sr. Architect, Cybersecurity © Microsoft Corporation. All rights reserved.

Isolate and Containerize Security principles Known Good Reduce Actors Trust Software by Exception Whitelist Validate Constrain Execution Assume Breach Minimize Impact Isolate and Containerize Isolation Sandboxes Contain Damage © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

Isolate and Containerize

Isolate and Containerize 6/10/2018 Isolate and Containerize SAP Outlook Edge Visual Studio Word © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

Microsoft Edge app Container Isolation 6/10/2018 Microsoft Edge app Container Isolation Isolation improvements with MS Edge + AppContainer MS Edge Multi-AC Isolation Model Addresses all previous limitations of Internet Explorer sandbox Significant attack surface reduction Flash running out-of-content process (starting in Windows 10 Anniversary Update) Edge Manager Process (AppContainer) Elevation Broker (MediumIL) Trust Boundary IPC Trust Boundary IPC Trust Boundary Edge Tab (AppContainer) Flash Content Process IPC The Microsoft Edge isolation model addresses all previously known “by-design” sandbox attacks © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

traditional platform stack 6/10/2018 traditional platform stack Device Hardware Kernel Windows Platform Services Apps © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

VIRTUALIZATION BASED SECURITY Windows 10 6/10/2018 VIRTUALIZATION BASED SECURITY Windows 10 Kernel Windows Platform Services Apps SystemContainer Trustlet #1 Trustlet #2 Trustlet #3 Hypervisor Device Hardware Windows Operating System Hyper-V © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

Trust Code by Exception

APPS Today’s challenge: Trusted by default until defined as threat 6/10/2018 Today’s challenge: Trusted by default until defined as threat Detection based methods alone can’t keep up APPS © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

Device guard in vbs environment 6/10/2018 Device guard in vbs environment decisive mitigation Kernel Windows Platform Services Apps SystemContainer DEVICE GUARD Trustlet #2 Trustlet #3 Hypervisor Device Hardware Windows Operating System Hyper-V © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

Blacklist User Writeable Areas 6/10/2018 Blacklist User Writeable Areas Program Files Windows Windows System © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

Post-Compile Mitigations 6/10/2018 Post-Compile Mitigations Administrative Templates\System\Mitigation Options\Process Mitigation Options 3 2 1 9 8 7 6 5 4 F E D C B A A Enable DEP B Enable ATL Thunk emulation for DEP C Enable SEHOP D Enable ASLR E Enable Bottom-Up ASLR Always On F Enable Bottom-Up ASLR Always Off © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

Control Flow Guard Valid jump locations 6/10/2018 Y YY © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

6/10/2018 12:37 PM © Microsoft Corporation. All rights reserved.